Virginia digital identity law takes centre stage



By Timothy Reiniger

The Commonwealth of Virginia has become the first common law jurisdiction to enact a digital identity management law. The law aims to facilitate electronic commerce by arming citizens with an affordable means of strong multi-factor authentication by which to fight cybercriminals and identity thieves in the online environment.

Reflecting the overall decentralized and market-based approach of the United States government as set forth in the National Strategy for Trusted Identities in Cyberspace, the law enables and incentivizes market choices for citizens to obtain trusted digital identities for use in e-commerce, social media, and e-government services. Virginia’s model rejects a centralized database approach in favor of citizen-controlled identity.  

At the upcoming meeting of the United Nations Commission on International Trade Law (UNCITRAL) this month in Vienna, the governments of Austria, Belgium, France, and Poland, joined by the American Bar Association Identity Management Legal Issues Task Force, will be proposing that UNCITRAL begin formal work on identity management and trust services.

Citing the 2014 European Regulation on electronic identification and trust services, the 2015 Virginia law, and a host of ongoing public and private sector initiatives, UNCITRAL will be asked to consider developing model legislation along the lines of previous such efforts around electronic commerce and electronic signatures.

At a minimum, the online economy will need methods to deal with legal cross-border recognition issues posed by the use of digital identities now being issued under statutory authority in civil law and common law jurisdictions. Last week in Washington, D.C., the United States Department of State conducted a public hearing on the proposal with speakers from the EC, the ABA, and Virginia.

A comprehensive study of identity system participant risks and potential liabilities by the American Bar Association’s Identity Management Legal Issues Task Force has revealed the existence of significant legal barriers to the creation of a digital identity credential market. First, there is a lack of a common legal framework.  Second, liability allocation is unpredictable.  As a result, risks associated with the commercial digital identity credential are currently treated as uninsurable.

The Virginia law resolves this uncertainty by providing a legal foundation for identity trust frameworks as an approach to implementing federated identity along the lines of that which is afforded in other industries such as credit cards.  Identity trust frameworks represent a decentralized and flexible source of information governance and policy rules with respect to implementing digital identity for the private and public sectors.  The law is not designed to remove liability, but rather to make liability predictable and manageable for digital identity credential providers.

Enabling the development of a digital identity policy through identity trust frameworks has several advantages over a centralised model in that it: 1) helps to avoid cross-jurisdictional authority and choice of law challenges, 2) provides greater flexibility and customization to suit the wide variety of network and participant situations, 3) enables greater ease in adapting information policies to rapidly changing technology, and 4) is easier to enforce against rule violators.

By promoting a citizen-focused strategy of making available strong multifactor means by which citizens can prove their identities online, the Virginia law represents a new direction in overall cybersecurity strategy that will supplement the current enterprise and network focus.

The law builds on Virginia’s extensive digital legal framework for e-commerce and related trust services, including the first cybernotary statute (online notarization using two-way audio video means) in the United States.

And Virginia already has a large commercial base of digital identity-related companies such as CertiPath (for the defense industry), Exostar, and the Kantara Initiative (for the healthcare industry).

Timothy Reiniger consults on cybersecurity and information privacy policy with FutureLaw, LLC in Richmond, Virginia, including service as Special Advisor on Digital Identity to the Commonwealth of Virginia.
