Last fall, South Carolina was hit with a huge data breach that affected millions of its citizens. The breach was at the Department of Revenue and, as of this writing, at least 6.4 million customers and businesses had information such as Social Security numbers and credit and debit card numbers compromised.
It may turn out that South Carolina becomes the poster child for how not to handle a data breach. The breach itself hit the news in late October, but according to a South Carolina newspaper, notifications to state residents began hitting the mail the week of Christmas, while out-of-state people who were affected were notified earlier in December (the records breached go back as far as 1998). The state government is reviewing the cybersecurity efforts in its agencies while the legislature pulls together cybersecurity legislation (what type of legislation remains vague).
What we do know is that the people of South Carolina are not happy about the breach or the way it has been handled. The anger quickly becomes obvious when reading the comments on the articles I’ve linked, but admittedly, comments on articles like these tend to bring out the most outspoken and angry readers.
More interesting is a survey of South Carolina residents done by Coalfire, which found that, while citizens realize they are not experts on data security, they fully expect agencies such as state governments to safeguard their personal information. However, the survey also found that most respondents don’t fully understand requirements for securing data or what actions they need to take if their personal information is compromised. Rick Dakin, CEO and co-founder of Coalfire, said in a release:
“This data breach helps to highlight the need for strong cybersecurity plans and for the modernization of compliance rules in both the public and private sectors. Perhaps most telling from our survey is the fact that affected individuals do not understand what they need to do in order to ensure their personal information is safe or what steps to take if it has been compromised.”
These findings are reflected in some of the article comments I read – they don’t really understand how cybersecurity works or the processes in the aftermath of a breach, but they are also not happy about being kept in the dark or that more isn’t being done to protect this information. In fact, one of the findings of the study showed that more than 60 percent of those surveyed will use the credit-monitoring service that the state is offering as compensation. However, they feel that the service is less than a fully acceptable resolution and want to know why their data was not better protected.
The results of this survey should be noted by any entity entrusted with personal information, whether that information belongs to community residents or customers. We all have a stake in the cybersecurity of a government or a business, so it is better to be upfront from the get-go, rather than let things linger unanswered.