A trailblazer in the area of electronic signatures, Virginia has once again demonstrated its willingness to tackle the electronic fraud and identity theft that far too often impact consumers. The VA House Bill 1562/Senate Bill 814 passed on March 23rd and will go into effect on July 01, 2015 as the Electronic Identity Management Act.
GlobalSign endorses this effort to tackle the main culprit behind identity fraud: the use of passwords. Virginia Governor Terry McAuliffe is spot on to tie control of digital identity to Executive Directive 5, which aims to strengthen cybersecurity around personal information involved in online service delivery between citizens and VA agencies.
With reduced reliance on passwords that are often weak, seldom refreshed, and proliferated across many ecommerce sites (knowingly and unknowingly), hackers will quickly learn that their opportunities to perform man-in-the-middle attacks or brute-force attacks will be virtually eliminated. Without strong authentication as a foundation of cybersecurity, mere network-level security leaves consumers, government, and organizations with very little protection against cyber-related fraud.
The Electronic Identity Management Act calls for a common set of identity proofing and provider standards, and liability to those third-party providers. This law aligns perfectly with GlobalSign’s mission to issue and manage trusted identities for the Internet of Everything. We endorse the creation of standards that support a range of assurance levels so that appropriate credentials can be used according to the level of risk associated with a given transaction. Understanding that how identities are verified is the foundation of safe and trusted electronic commerce, we welcome the approach taken by VA legislators.
We expect to see significant market adoption based on three main factors: a public-private advisory board to oversee standard development, the creation of a common set of definitions, and rules around how the law will be implemented with careful consideration around national and international IDP frameworks. By drawing in the private sector, best practices and competition will provide consumers, businesses, and relying parties a consistent set of ecommerce experiences through a competitive marketplace, all working within a common framework.
By granting limited liability protection to identity providers who follow the identity trust framework specifications, this common legal framework at the State level could be the model for national legislation, especially given the momentum behind the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Limited liability will incentivize provider participation given the clear distinction between the issuance of a negligent credential and the misuse of a credential that was issued in compliance by an authorized provider. As a certificate authority since 1996, GlobalSign has been issuing identities to consumers, organizations, domains, and now “things” operating under the strict controls of the CA/B Forum guidelines and WebTrust audited practices. GlobalSign believes further standardization around identity providers will lead to safer ecommerce.
Notaries have been serving as “identity proofers” for centuries and, with newly established limited liability protection under this rule, are expected to play a greater role in providing identity providers a method to vet identities.
Timothy S. Reiniger, consultant at Future Law LLC, was instrumental in writing the legislation. Given his passion and years of experience around eNotarization and digital identity policy, he anticipates this ground-breaking legislation will jumpstart a national movement around trusted identities that are issued under a common legal framework.
This policy- and technology-driven approach is consistent with the NSTIC principles of a standards-based, cost-effective, secure, risk-based, and user-mindful experience. GlobalSign welcomes this legislation, and we hope to see more of it in the near future!