An attack on the South Carolina Department of Revenue exposed 3.6 million social security numbers and about 387,000 credit and debit card numbers of South Carolina residents. Data breaches like this are so common, they are barely newsworthy… and we certainly try not to cover every single data breach event on this blog.

However, today’s follow-up to the story is what made it interesting. Governor Nikki Haley went on the record in a press conference trying to defend their lack of good practices. I’ve embedded the video below and hopefully it will start at the good part, 12:43 into the video:

This is a really good example of sending the wrong kind of message. I understand her desire to defend the state workers who failed to foresee this type of breach and to adequately protect their citizens’ information. I also agree that she might be right – there are many situations in which social security numbers don’t get encrypted. However, I’d like to break down some specific problems with the way she made this statement.

  • By saying “a lot of banks don’t encrypt” she is essentially lumping the practices of the banks in with the practices of the S.C. Department of Revenue. However, I don’t think I’m going out on a limb by saying most banks have better security controls and incident response capabilities than the S.C. Department of Revenue. Not encrypting is not the same as not protecting, and there are definitely different ways to protect information.
  • Another statement she made against encryption was “because it is very complicated.” Yes, these days we are facing complex challenges and sometimes the actions we have to take in response are also complex. Encryption is meant to be complicated. You wouldn’t want just anyone to get those social security numbers, right?
  • “It is cumbersome and there’s a lot of numbers involved with it.” Again, making too much of how complicated it is. Never mind the fact that encryption is actually pretty easy these days, you have a social, governmental, and fiduciary responsibility to protect that information. And “a lot of numbers”? Really? Are we channeling Teen Talk Barbie?
  • “It’s not just that this was a Department of Revenue situation, this is an industry situation.” Actually, this is just a Department of Revenue situation. The industry is working to get better. The industry and government are working together to pass standards and regulations. Forward-thinking organizations are proactively assessing themselves and trying to get better. The industry is being held accountable, and so should the state of South Carolina.

Governor Haley, you sent the wrong message to the public today. You tried to deflect blame and throw other organizations and the industry under the bus. Instead, you need to take a long look at what you’re doing to protect information and promise your citizens that you’ll work to do better.

