IRS says states must encrypt electronic tax records; Governor Haley attempts to extricate her feet from her mouth (UPDATED)
UPDATE: See comment by Don Moffett below this post who notes that the Governor was actually correct and the IRS’s statement is incorrect.
Governor Nikki Haley of South Carolina should stop talking about the massive databreach at the Department of Revenue and let someone who actually knows something about data security speak for the state.
First, she claimed that there was no industry standard to encrypt Social Security numbers. That claim was roundly dismissed by, well, everyone, except, perhaps, by the state’s Inspector General Patrick Maley who had found the department “in substantial compliance with sound computer security practices.”
The Governor had also claimed that the breach probably couldn’t have been prevented. Yet more scorn was heaped upon her head, particularly after Mandiant’s forensic investigation indicated that the compromise likely occurred because an employee fell for a phishing attempt.
Still in “I really don’t know what I’m talking about but maybe this will help deflect blame” mode, the Governor then tried to blame the IRS for their lax standards, claiming that they don’t require states to encrypt data.
The IRS was having none of that, though. Jody Barr reports:
The IRS responded early Wednesday, refuting the governor’s claim.
In an e-mail, an IRS spokeswoman wrote: “We have many different systems with a variety of safeguards–including encryption–to protect taxpayer data. The IRS has in place a robust cyber security of technology, people and processes to monitor IRS systems and networks. We have a long list of requirements for states to handle and protect federal tax information.”
What was that quote about how it’s better to remain silent and be thought a fool than to speak out and remove all doubt? Enough said, Governor. Really.
Photo credit: 12/20/10 Columbia, SC: Gov. Nikki Haley official portrait. Photo by Renee Ittner-McManus/rimphotography.com
Post corrected for typo on Mandiant’s name – thanks to the reader who caught that error.