Legislation in Virginia will create uniform standards for strengthening and authenticating digital identities. The Commonwealth of Virginia is taking the lead on this issue, as the first in the nation attempting to codify its way out of weak passwords, data breaches and identity theft. The bill has been approved by the General Assembly and was signed into law by Gov. Terry McAuliffe.
The proposal is not a political reaction to recent newspaper headlines. It has undergone significant study – four years’ worth – by the Legislature’s Joint Commission on Technology and Science. The main sticking point was how to handle liability for identity providers.
To learn more, we spoke with the main authors of the bill. Jeff Nigriny is president and founder of CertiPath, a trust framework provider that certifies authentication and access control devices with a focus on high assurance for aerospace and defense industries. Timothy Reiniger is director of the digital services group at Future Law, a law firm and government relations firm based in Richmond, Va.
Q: Data breaches are becoming a weekly headline. How is identity an important part of solving or stopping this problem?
NIGRINY: If we look at virtually every data breach and system hack over the past few years, weak identity mechanisms online are to blame. If we can fortify identity online with the same investment that the industry has put into the network security solution side, we will have taken away the primary mechanism that most every sophisticated hacker has used.
Cyberspace is new, and the Internet on which it is largely based was created without regard to identity. It’s my belief that until we fix online identity, data breaches and system hacks are going to be commonplace.
Q: What does the Virginia bill do?
REINIGER: First of all, both the National Strategy for Trusted Identities in Cyberspace and committees in the American Bar Association exploring these issues have identified a major barrier to the creation of a third-party identity credentialing market in the unpredictability of liability for identity providers and the lack of a common legal framework.
The bill addresses the creation of a common legal framework by providing a series of definitions to be enacted in statute – definitions that have been used in the contract world by trust frameworks and identity providers.
Second, the bill addresses the unpredictability of liability for identity providers by providing significant limitations to that liability in order to incentivize private sector players to be identity providers and trust framework operators.
Finally, the bill creates an actual standards body that is public-private. It is overseen by the state, in this case the Commonwealth of Virginia in the form of the Secretary of Technology. Because technology is shifting so quickly, there cannot be a one-size-fits-all approach and there cannot be one set of standards that is fixed for all time. This advisory council will be creating a minimum set of guidelines to be followed by trust framework operators. This would change over time, and this council would be looking to integrate and update its standards with the larger international community.