By Timothy Reiniger, FutureLaw LLC
The Commonwealth of Virginia has become the first jurisdiction in the United States to enact a digital identity management law, effective July 1. And, in view of Re:ID’s recent revelation that only 4% of all money currently spent on cybersecurity is devoted to identity, Virginia’s timing couldn’t be better. By taking this step, along with ongoing efforts of the Virginia Cybersecurity Commission, Virginia is asserting leadership in cyber policy-making that recognizes digital identity as foundational to overall cybersecurity policy.
The Virginia law aims to facilitate electronic commerce by arming citizens with an efficient and affordable means of strong multi-factor authentication by which to fight cybercriminals and identity thieves in the online environment. Reflecting the overall decentralized and market-based approach of the United States government as set forth in the National Strategy for Trusted Identities in Cyberspace, the law enables and incentivizes market choices for citizens to obtain trusted digital identities for use in e-commerce, social media, and e-government services. And, borrowing from aspects of digital identity policy in Estonia, Virginia’s model rejects a centralized database approach in favor of citizen-controlled identity.
At the July meeting of the United Nations Commission on International Trade Law (UNCITRAL) in Vienna, the governments of Austria, Belgium, France, Italy and Poland, with support from the American Bar Association Identity Management Legal Issues Task Force, gained approval for a proposal that UNCITRAL begin formal work on identity management and trust services in 2016.
Citing the new Virginia law, the 2014 European Regulation on electronic identification and trust services, and a host of ongoing public and private sector initiatives, the five governments asked UNCITRAL to consider developing model legislation along the lines of previous such efforts around electronic commerce and electronic signatures. The proposal recognized that, at a minimum, the online economy will need methods to deal with legal cross-border recognition issues posed by the use of digital identities now being issued under statutory authority in civil law and common law jurisdictions.
A comprehensive study of identity system participant risks and potential liabilities by the American Bar Association’s Identity Management Legal Issues Task Force has revealed the existence of significant legal barriers to the creation of a digital identity credential market. First, there is a lack of a common legal framework. Second, liability allocation is unpredictable. As a result, risks associated with the commercial digital identity credential are currently treated as uninsurable.
The Virginia law resolves this uncertainty by providing a legal foundation for identity trust frameworks as an approach to implementing federated identity along the lines of that which is afforded in other industries such as credit cards. Identity trust frameworks represent a decentralized and flexible source of information governance and policy rules with respect to implementing digital identity for the private and public sectors. The law is not designed to remove liability, but rather to make liability predictable and manageable for digital identity credential providers.
Enabling the development of a digital identity policy through identity trust frameworks has several advantages over a centralized model in that it: 1) helps to avoid cross-jurisdictional authority and choice of law challenges, 2) provides greater flexibility and customization to suit the wide variety of network and participant situations, 3) enables greater ease in adapting information policies to rapidly changing technology, and 4) is easier to enforce against rule violators.
By promoting a citizen-focused strategy of making available strong multifactor means by which citizens can prove their identities online, the Virginia law represents a new direction in overall cybersecurity strategy that will supplement the current enterprise and network focus. The law reflects Virginia’s extensive digital legal framework for e-commerce and related trust services, including the first cybernotary statute — online notarization using two-way audio video means — in the United States. And Virginia already has a large commercial base of digital identity-related companies such as CertiPath, for the defense industry, Exostar, and the Kantara Initiative — for the health care industry — on which to build.