S.C. governor's post-breach data encryption claims are off-base, analysts say

Gov. Haley calls encryption a cumbersome practice that's not followed even by many banks

Security analysts this week challenged South Carolina Governor Nikki Haley's defense of the state's information security practices in the wake of a data breach at the S.C. Department of Revenue that exposed the Social Security Numbers (SSNs) of 3.6 million people.

In a news conference Monday, Haley insisted that the state was following industry practices when it decided not to encrypt SSNs and other personal taxpayer information stored on state computers.

[ FREE DOWNLOAD: 68 great ideas for running a security department ]

South Carolina Governor Nikki Haley on Monday discussed the data breach at the S.C. Department of Revenue.

"The industry standard is that most SSNs are not encrypted," Haley said in response to a question from a reporter. "A lot of banks don't encrypt, a lot of those agencies that you think might encrypt Social Security Numbers actually don't, because it is very complicated. It is cumbersome and there's a lot of numbers involved with it."

Haley went on to add that the encryption issue affected not just the South Carolina Department of Revenue but other organizations across all industries.

The state followed the same security standards as other organizations and there's little it could have done to fend off the attack, she said. "If the CIA can be hacked, anybody can be hacked."

Haley's news conference, and one held earlier today, came after the state disclosed Friday that unknown hackers from overseas had broken into a Department of Revenue database and accessed SSNs and other personal data belonging to 3.6 million people.

Another 387,000 credit and debit card numbers belonging to taxpayers were also exposed in the September attack. According to state officials, the SSNs weren't encrypted, though all but 16,000 of the credit and debit cards that were compromised had been encrypted. State officials first discovered the breach on Oct. 10, but did not disclose it until Friday on the advice of state and federal investigators. Anyone who has filed a South Carolina tax return since 1998 has likely been affected.

The state has agreed to offer free credit monitoring services and up to $1 million in identity theft insurance coverage for victims of the breach. More than 287,000 people have already signed up for the service, Haley said.

Avivah Litan, an analyst with Gartner, called the governor's defense of the state's security practices shaky. "It's true that most banks don't encrypt customer data, largely because of performance hits and management overhead," Litan said.

"But most banks do a decent job of instituting strong protections around sensitive customer data at rest," she said, noting that encryption is only one method for protecting data. "There are many other methods that are viable and, when used together, offer more protection than just encryption alone.

"The governor's comments reflect unawareness of data security practices and are not at all reassuring," Litan added.

Pointing to weak data security practices at banks as a defense for the state's ineptness isn't a good strategy, said Richard Stiennon, a principal at IT-Harvest.

"Critical data, especially personally identifiable information, must be protected and Social Security numbers linked to names, ranks at the top" of the list of items that need to be protected, he said. "Encryption technology is readily available for data stores. It is not cumbersome to encrypt data. To the contrary, it is easy to do and most retailers and payment processors do it regularly."

Some security vendors also took the governor to task for her claims about encryption technology being cumbersome to implement. "Anyone remotely familiar with security best practices knows that all sensitive data should be encrypted," said Torsten George, vice president of worldwide marketing and products for risk management vendor Agiliance.

Typically, the decision not to encrypt sensitive information is driven by budget limitations rather than by industry standards or best practices, George said.

Haley's comments are based on outdated assumptions, said Todd Thiemann, senior director of product marketing at data encryption vendor Vormetric. While encryption technologies used to be somewhat difficult to deploy, these days the technology is not all that complicated, he said.

"Most state data breach laws, including California, Massachusetts and Nevada, call out Social Security numbers as a category of information requiring protection," Thiemann said.

Under most state data breach laws -- including South Carolina's -- encryption provides businesses with safe harbor from notification in the event of a data breach, he noted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon