| Record agencies are confronted with information and | | | | for a Pennsylvania vital record, a government issued |
| data security issues as important concerns in today's | | | | photo-ID (such as a copy of his or her Pennsylvania |
| technology-enabled world. Companies and government | | | | driver's license or non-drivers license photo-ID) is also |
| agencies nationwide strive to ensure that only | | | | required for comparison with the license on file at the |
| authorized people receive sensitive data. Still, fraud | | | | Pennsylvania Department of Transportation |
| involving documents such as birth certificates occurs. | | | | (PennDOT). Once the Division of Vital Records |
| The U.S. passport offices and Immigration and | | | | ensures that certain information matches the copy of |
| Naturalization Services report that 85 percent and 90 | | | | the applicant's license, the applicant's identity is verified. |
| percent respectively of fraud cases involve use of | | | | In addition, walk-in, or counter, applications can be |
| bona fide birth certificates. | | | | immediately verified with the JNET system. |
| This article discusses how ChoicePoint and VitalChek | | | | To ensure security throughout its infrastructure, the |
| recognized that information and technology can help | | | | JNET program relies upon policy, secure connectivity |
| manage the risks facing government agencies. It is | | | | and role-based entitlements. Access to JNET is limited |
| important for Vital Record agencies to strengthen | | | | and requires signed confidentiality agreements and |
| privacy protection and security programs through the | | | | mandatory training seminars. JNET is also a secured |
| implementation of policy and technology. | | | | system, with managed public key infrastructure (PKI) |
| Vital Record Industry Data Security and Information | | | | for both data encryption and digital certification. |
| Privacy Programs: | | | | The Pennsylvania JNET system is an example of |
| Several best practices have emerged in the Vital | | | | strong cooperation among public safety partners |
| Record Industry. Taking the top-down approach has | | | | covering more than 85 percent of Pennsylvania's |
| been the strategy of ChoicePoint. The company limits | | | | population, and successfully connects the criminal |
| both internal and external access to sensitive data in | | | | justice information of all 67 counties, 54 state agencies |
| addition to truncating or masking personally identifiable | | | | and 39 federal agencies. The JNET approach to |
| information such as individual Social Security numbers | | | | sharing information was even cited as a national model |
| or dates of birth in all but a limited set of | | | | by the National Governor's Association for Best |
| circumstances. To stay ahead, leading technology is | | | | Practices. |
| required. | | | | The Pennsylvania JNET system requires mutual |
| Maintaining updated technology is another way | | | | support of local, county, and state agencies, yet |
| ChoicePoint and VitalChek help provide current | | | | Pennsylvania has seen great results from this |
| security measures for their employees and customers. | | | | cooperation. Mr. Yeropoli feels extending this approach |
| For example, ChoicePoint utilizes intrusion detection | | | | to other states, including inter-connectivity of motor |
| software to prevent hackers from stealing information, | | | | vehicle files, could be beneficial for identity verification |
| application scanning services to detect for system | | | | of applicants no longer residing in the state where they |
| vulnerabilities, e-mail detection software to detect | | | | were born. |
| outgoing e-mails containing sensitive personally | | | | State of Virginia - a Case for Stronger Vital Record |
| identifiable information, and a knowledge-based | | | | Applicant Identity Verification and Authentication: |
| authentication tool used to verify applicants' identities. | | | | The Virginia Office of Vital Records realized that |
| Importance of Privacy Education with Customers and | | | | knowing their customers and understanding the reason |
| Employees: | | | | they are requesting sensitive data may help detect |
| Educating customers and employees is an important | | | | any suspicious or potentially fraudulent activity and |
| component of a vital record agency privacy and | | | | may even help reduce the potential risk of fraud or |
| information security. Privacy policies and procedures | | | | identity theft. |
| should be designed to protect consumer information | | | | During the aftermath of 9/11, Virginia discovered that |
| from misuse. Such policies and procedures should be | | | | they were receiving Virginia online birth certificate |
| audited on a regular basis to ensure they are working | | | | requests from victims who had died during the |
| properly. Below are customer and employee privacy | | | | terrorists' attacks. Since decedents could not apply for |
| education best practices for vital record agencies. | | | | their own records, the state was instantly alerted to |
| Customer education and support efforts include: | | | | the fact that some individuals were attempting to |
| - Providing a consumer hotline to report suspected | | | | fraudulently obtain birth certificate copies. |
| fraud | | | | At the time, Virginia had several options for customers |
| - Obtaining on-line privacy seals for consumer oriented | | | | to obtain certified birth records: mail-in, walk-in (or |
| web sites | | | | counter) and expedited online applications. Both the |
| - Establishing a dedicated privacy Web Site with | | | | mail-in and walk-in requests required a driver's license |
| privacy practices, principles and policies information | | | | to prove identity; however, online requests did not |
| Employee education efforts include: | | | | require the applicant to send in proof of identity. |
| - Requiring all employees to successfully complete | | | | Recognizing stronger online customer security was |
| mandatory privacy and information security training | | | | needed, Virginia looked for a simple solution that could |
| each year | | | | streamline customer authentication with the easy online |
| - Providing social engineering training to certain | | | | order process. In addition, Virginia wanted to offer |
| employees as part of mandatory information security | | | | telephone ordering as another option for its customers |
| awareness training | | | | and needed a way to verify the identity of these |
| - Requiring password reviews and forced password | | | | applicants. The agency found its answer by using |
| changes to ensure passwords meet minimum security | | | | ChoicePoint’s ProCheck and ProID |
| standards | | | | knowledge-based authentication solution. Virginia |
| - Establishing an employee and fraud hotline for | | | | became the first state to use this technology for |
| reporting suspicious incidents | | | | applicant authentication and verification. |
| State of Pennsylvania - a Case for Statewide | | | | The Virginia Office of Vital Records now has strong |
| Information Connectivity: | | | | applicant identity controls to help protect against credit |
| Portal to Aid in Applicant Identity Verification In 1995, a | | | | card fraud and identity theft, using technology to |
| Pennsylvania special legislative session resulted in new | | | | authenticate the applicant's identity with an online |
| laws providing innovative tools to help law | | | | knowledge-based authentication quiz to which only an |
| enforcement officers combat crime. One of these | | | | applicant should know the answers. |
| new laws brought about the creation of Pennsylvania's | | | | According to Janet Rainey, the current Virginia state |
| Justice Network (JNET), an integrated justice portal | | | | registrar, since the implementation of ProCheck and |
| that provides a common online environment for | | | | ProID, Virginia has had no major incidents of issuing |
| authorized users to access public safety and criminal | | | | fraudulently obtained vital records. For the 12 month |
| justice information. The Pennsylvania Division of Vital | | | | period of March 2006 to March 2007, Virginia has |
| Records utilizes The JNET system to help verify the | | | | experienced a 90 percent passing rate on the |
| identity of their vital record applicants. | | | | ProCheck identity verification and a 95 percent passing |
| When a Pennsylvania resident mails in an application | | | | rate on the ProID authentication quiz. |