Vital Records Agency Information And Data Security Best Practices
By: Lan Lin, eSecurity Assistant Editor, Internet Journal
Information and data security are important concerns for Vital Record agencies in today's technology-enabled world. Companies and government agencies nationwide strive to ensure that only authorized people receive sensitive data. Still, fraud involving documents such as birth certificates occurs. The U.S. passport offices and Immigration and Naturalization Services report that 85 percent and 90 percent, respectively, of fraud cases involve use of bona fide birth certificates.
This article discusses how ChoicePoint and VitalChek recognized that information and technology can help manage the risks facing government agencies. It is important for Vital Record agencies to strengthen privacy protection and security programs through the implementation of policy and technology.
Vital Record Industry Data Security and Information Privacy Programs:
Several best practices have emerged in the Vital Record Industry. Taking the top-down approach has been the strategy of ChoicePoint. The company limits both internal and external access to sensitive data in addition to truncating or masking personally identifiable information such as individual Social Security numbers or dates of birth in all but a limited set of circumstances. To stay ahead, leading technology is required.
Maintaining updated technology is another way ChoicePoint and VitalChek help provide current security measures for their employees and customers. For example, ChoicePoint utilizes intrusion detection software to prevent hackers from stealing information, application scanning services to detect system vulnerabilities, e-mail detection software to detect outgoing e-mails containing sensitive personally identifiable information, and a knowledge-based authentication tool used to verify applicants' identities.
Importance of Privacy Education with Customers and Employees:
Educating customers and employees is an important component of a vital record agency's privacy and information security. Privacy policies and procedures should be designed to protect consumer information from misuse. Such policies and procedures should be audited on a regular basis to ensure they are working properly. Below are customer and employee privacy education best practices for vital record agencies.
Customer education and support efforts include:
- Providing a consumer hotline to report suspected fraud
- Obtaining online privacy seals for consumer-oriented websites
- Establishing a dedicated privacy website with information on privacy practices, principles and policies
Employee education efforts include:
- Requiring all employees to successfully complete mandatory privacy and information security training each year
- Providing social engineering training to certain employees as part of mandatory information security awareness training
- Requiring password reviews and forced password changes to ensure passwords meet minimum security standards
- Establishing an employee and fraud hotline for reporting suspicious incidents
State of Pennsylvania - a Case for Statewide Information Connectivity:
Portal to Aid in Applicant Identity Verification
In 1995, a Pennsylvania special legislative session resulted in new laws providing innovative tools to help law enforcement officers combat crime. One of these new laws brought about the creation of Pennsylvania's Justice Network (JNET), an integrated justice portal that provides a common online environment for authorized users to access public safety and criminal justice information. The Pennsylvania Division of Vital Records utilizes the JNET system to help verify the identity of their vital record
When a Pennsylvania resident mails in an application for a Pennsylvania vital record, a government-issued photo ID (such as a copy of his or her Pennsylvania driver's license or non-driver's license photo ID) is also required for comparison with the license on file at the Pennsylvania Department of Transportation (PennDOT). Once the Division of Vital Records ensures that certain information matches the copy of the applicant's license, the applicant's identity is verified. In addition, walk-in, or counter, applications can be immediately verified with the JNET system.
To ensure security throughout its infrastructure, the JNET program relies upon policy, secure connectivity and role-based entitlements. Access to JNET is limited and requires signed confidentiality agreements and mandatory training seminars. JNET is also a secured system, with managed public key infrastructure (PKI) for both data encryption and digital certification.
The Pennsylvania JNET system is an example of strong cooperation among public safety partners covering more than 85 percent of Pennsylvania's population, and successfully connects the criminal justice information of all 67 counties, 54 state agencies and 39 federal agencies. The JNET approach to sharing information was even cited as a national model by the National Governor's Association for Best Practices.
The Pennsylvania JNET system requires mutual support of local, county, and state agencies, yet Pennsylvania has seen great results from this cooperation. Mr. Yeropoli feels extending this approach to other states, including inter-connectivity of motor vehicle files, could be beneficial for identity verification of applicants no longer residing in the state where they were born.
State of Virginia - a Case for Stronger Vital Record Applicant Identity Verification and Authentication:
The Virginia Office of Vital Records realized that knowing their customers and understanding the reason they are requesting sensitive data may help detect any suspicious or potentially fraudulent activity and may even help reduce the potential risk of fraud or identity theft. During the aftermath of 9/11, Virginia discovered that they were receiving Virginia online birth certificate requests from victims who had died during the terrorist attacks. Since decedents could not apply for their own records, the state was instantly alerted to the fact that some individuals were attempting to fraudulently obtain birth certificate copies.
At the time, Virginia had several options for customers to obtain certified birth records: mail-in, walk-in (or counter) and expedited online applications. Both the mail-in and walk-in requests required a driver's license to prove identity; however, online requests did not require the applicant to send in proof of identity.
Recognizing that stronger online customer security was needed, Virginia looked for a simple solution that could streamline customer authentication with the easy online order process. In addition, Virginia wanted to offer telephone ordering as another option for its customers and needed a way to verify the identity of these applicants. The agency found its answer by using ChoicePoint's ProCheck and ProID knowledge-based authentication solution. Virginia became the first state to use this technology for applicant authentication and verification.
The Virginia Office of Vital Records now has strong applicant identity controls to help protect against credit card fraud and identity theft, using technology to authenticate the applicant's identity with an online knowledge-based authentication quiz to which only the applicant should know the answers.
According to Janet Rainey, the current Virginia state registrar, since the implementation of ProCheck and ProID, Virginia has had no major incidents of issuing fraudulently obtained vital records. For the 12 month period of March 2006 to March 2007, Virginia has experienced a 90 percent passing rate on the ProCheck identity verification and a 95 percent passing rate on the ProID
About The Author
Lan Lin is the Assistant Editor of the Internet Journal (http://www.intnetjournal.com). Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to firstname.lastname@example.org.