UPDATE: See comment by Don Moffett below this post who notes that the Governor was actually correct and the IRS’s statement is incorrect.
Governor Nikki Haley of South Carolina should stop talking about the massive databreach at the Department of Revenue and let someone who actually knows something about data security speak for the state.
First, she claimed that there was no industry standard to encrypt Social Security numbers. That claim was roundly dismissed by, well, everyone, except, perhaps, by the state’s Inspector General Patrick Maley who had found the department “in substantial compliance with sound computer security practices.”
The Governor had also claimed that the breach probably couldn’t have been prevented. Yet more scorn was heaped upon her head, particularly after Mandiant’s forensic investigation indicated that the compromise likely occurred because an employee fell for a phishing attempt.
Still in “I really don’t know what I’m talking about but maybe this will help deflect blame” mode, the Governor then tried to blame the IRS for their lax standards, claiming that they don’t require states to encrypt data.
The IRS was having none of that, though. Jody Barr reports:
The IRS responded early Wednesday, refuting the governor’s claim.
In an e-mail, an IRS spokeswoman wrote: “We have many different systems with a variety of safeguards–including encryption–to protect taxpayer data. The IRS has in place a robust cyber security of technology, people and processes to monitor IRS systems and networks. We have a long list of requirements for states to handle and protect federal tax information.”
What was that quote about how it’s better to remain silent and be thought a fool than to speak out and remove all doubt? Enough said, Governor. Really.
Photo credit: 12/20/10 Columbia, SC: Gov. Nikki Haley official portrait. Photo by Renee Ittner-McManus/rimphotography.com
Post corrected for typo on Mandiant’s name – thanks to the reader who caught that error.
I know better than to ask in these situations, but with all the cybercrime threats around the world, taking any ADDITIONAL precautions is just out of the question? Just because someone doesn’t “require” it means that feds mandate it as a minimum standard. But the Feds DO require them to protect the data. Geesh. NO WONDER this country is in the shape it is in. Looks will get you a job; having a brain will get you double the amount of work.
If this is what is at the top of the heap, it only damages what’s trying to make it better. Knowledge is power, and knowing a little more than the person who interviews you is key. ANYTHING you say to someone – even off the cuff – can come back and knock you upside the head with the sledgehammer of stupidity.
Technology isn’t brain surgery; it doesn’t take much to sit down and pay attention to the required annual security training – ummm if there is such a thing, unless it is gun decked and deemed unnecessary….
States have public relation people who are more armored to respond to questions and the press. It keeps the simple minded, clueless people safe from bombardment.
According to IRS Publication 1075, FEDERAL tax information (FTI) must be protected — was this federal or STATE income tax records? I find it hard to believe that if it were FTI that the state would have still been receiving it – we have to do an annual review, and every 3 years a procedures review and periodic on-site reviews. There is no way that SC would have been able to bluff for that long and still receive FTI.
So, actually, the Governor is correct. From “Encryption Requirements of IRS Publication 1075”:
Applicability of Encryption Requirements: FTI Data at Rest
While encryption of data at rest is an effective defense-in-depth technique, encryption is not currently required for FTI while it resides on a system (e.g., in files or in a database) that is dedicated to receiving, processing, storing or transmitting FTI, is configured in accordance with the IRS Safeguards Computer Security Evaluation Matrix (SCSEM) recommendations and is in a physically secure restricted area behind two locked barriers. This type of encryption is being evaluated by the IRS as a potential policy update in the next revision of the Publication 1075.
Could the IRS be any more ambiguous: receiving, processing, storing or transmitting FTI? They are dead wrong in their assertion that there is an encryption requirement. Read it for yourself: http://www.irs.gov/uac/Encryption-Requirements-of-IRS-Publication-1075
This is why I love my site’s readers. Thanks so much for digging into that and sharing it with us.