10/1/13. Virginia Quietly Starts Construction On Master Identity Database For State Residents. NTEB.
“Using Department of Motor Vehicles records as its core, the state government is quietly developing a master identity database of Virginia residents for use by state agencies. The state enterprise record – the master electronic ID database – would help agencies ferret out fraud and help residents do business electronically with the state more easily, officials said.
“It makes it easier to compromise your privacy,” said Claire Guthrie Gastañaga, executive director of the American Civil Liberties Union of Virginia. “They’re using DMV for some other purpose than driving.”
DMV points out that, in today’s world, state driver’s licenses are the fundamental identification documents used by most Americans.
State officials say participation in the e-ID system will be voluntary, but the reason that the state has been moving to offer “privacy-enhancing credentials” to Virginia residents is the increasing number of government services offered online.
However, “anything you make more accessible and efficient for the user, you potentially open up for opportunities for risk, for attack,” said Robby Demeria, executive director of RichTech, Richmond’s technology council.
The first state agency using the largely federally funded Commonwealth Authentication Service system will be theDepartment of Social Services, aiming to satisfy federal Medicaid requirements under the Affordable Care Act and to reduce eligibility fraud and errors. The system goes live Tuesday.
About 70 percent of Social Services’ clients are in DMV’s database, said David W. Burhop, the Department of Motor Vehicles’ deputy commissioner and chief information officer.
Four state agencies are now involved in Virginia’s e-ID initiative: DMV, the state’s “ID professionals”; the Virginia Information Technologies Agency, which runs the state’s IT systems; the Department of Social Services; and the Department of Medical Assistance Services.
DMV has the records of about 5.9 million licensed drivers and ID card holders. Some of that information – names, addresses, dates of birth, driver’s license numbers – will form the core of the state’s identity authentication system.
“To us, it is a tool that allows individuals to create online accounts,” said Craig C. Markva, communications director of the Department of Medical Assistance Services, speaking for Secretary of Health and Human Resources William A. Hazel Jr.
“When someone wants to do this, we need to be able to verify that the person trying to access the account is who he or she claims to be,” Markva said. “This requires that they provide basic demographic information … that we can compare to what is known by DMV or by DSS (Department of Social Services) already.”
So far there’s been no public discussion in Virginia of the state’s electronic personal identity initiative or the use of the Internet for increasingly more transactions with the state government.
“When we allow governments to do that,” said Virginia ACLU’s Gastañaga, “it facilitates and empowers things that we might not want to have happen if the wrong people get into power.”
Decisions based on the convenience of using information technology are often done with a short-term perspective, said Rob S. Hegedus, chief executive officer of Sera-Brynn, a cybersecurity company in Suffolk. ”The privacy aspect catches up afterwards,” he said.
The state does not plan to hold public hearings on the Commonwealth Authentication Service system, officials said, but Demeria with RichTech contends “there’s plenty of reason for us to have a public discussion, debate, (and) consideration.”
“We want to make sure all the i’s are dotted and t’s are crossed before we execute,” he said. For members of the public, Burhop said, e-ID would allow use of the Internet with security and privacy while needing only a single sign-on, providing faster service and lowering service costs.
“This is geared toward citizens who say, ‘Why do I have to fill out this again?’ ” DMV’s Burhop said. Virginia is a leader in using online transactions, DMV said. But in order to move higher-risk transactions to the Internet, a more robust authentication method is needed, officials said.
For example, if a Virginian sells a car to another state resident, the deal requires a physical exchange of the registration card and the handwritten information on the card that is often hard for DMV representatives to read when the buyer registers the vehicle at the agency, noted Pam Goheen, DMV’s assistant commissioner for communications.
“If both parties had a high-assurance credential such as an e-ID,” Goheen said, “this transaction could be done entirely online which would include the registration and title updates eliminating the need to visit the DMV and speeding up the process.”
The Virginia Information Technologies Agency and contractor Northrop Grumman are responsible for state IT infrastructure, but state agencies are responsible for their business applications and the data they hold, said Sam Nixon Jr., the state’s chief information officer.
IT security is a shared responsibility between VITA and the state agencies it serves, Nixon said.
DMV says the $4.3 million Commonwealth Authentication Service system will be safe from abuse because agencies will control individuals’ files. Those files will not all be put into a single database open to other agencies.
Agencies using the service to verify a client’s identity will get only a yes-or-no reply from the Commonwealth Authentication Service system, DMV said. And the DMV has not suffered a data breach, Burhop said. Nonetheless, cyberhackers are always trying to break into the state’s IT system.
In 2012, VITA and Northrop Grumman blocked more than 110 million cyberattacks on the state’s data networks, Nixon said. “You can do the math, but that represents hundreds of thousands of blocked attacks each day.”
More than 47,000 viruses were blocked before they affected Virginia’s government IT assets, Nixon said, and the number of security incidents VITA detects and fixes has tripled since 2011.
But in 2009, before the Northrop Grumman took over the state’s IT system, hackers got into the Virginia Department of Health Professions’ prescription-monitoring database. Though it was unclear what records were actually taken, the database contained records of more than half a million people and more than 35 million prescriptions.
Also in 2009, the Department of Education sent a thumb drive to another agency that contained more than 103,000 sensitive records. It was later determined that the thumb drive was lost. ”When you ask a government entity to keep something like this safe, they really can’t,” Sera-Brynn’s Hegedus said. “Nobody can guarantee it.”