Information and data security issues are important concerns for Vital Record
agencies in today's technology-enabled world. Companies and
government agencies nationwide strive to ensure that only authorized people
receive sensitive data. Still, fraud involving documents such as birth
certificates occurs. The U.S. passport offices and Immigration and
Naturalization Services report that 85 percent and 90 percent respectively of
fraud cases involve use of bona fide birth certificates.
This article discusses how ChoicePoint and VitalChek recognized that information
and technology can help manage the risks facing government agencies. It is
important for Vital Record agencies to strengthen privacy protection and
security programs through the implementation of policy and technology.
Vital Record Industry Data Security and Information Privacy Programs:
Several best practices have emerged in the Vital Record Industry. Taking the
top-down approach has been the strategy of ChoicePoint. The company limits both
internal and external access to sensitive data in addition to truncating or
masking personally identifiable information such as individual Social Security
numbers or dates of birth in all but a limited set of circumstances. To stay
ahead, leading technology is required.
Maintaining updated technology is another way ChoicePoint and VitalChek help
provide current security measures for their employees and customers. For
example, ChoicePoint utilizes intrusion detection software to prevent hackers
from stealing information, application scanning services to detect system
vulnerabilities, e-mail detection software to detect outgoing e-mails containing
sensitive personally identifiable information, and a knowledge-based
authentication tool used to verify applicants' identities.
Importance of Privacy Education with Customers and Employees:
Educating customers and employees is an important component of a vital record
agency's privacy and information security. Privacy policies and procedures should
be designed to protect consumer information from misuse. Such policies and
procedures should be audited on a regular basis to ensure they are working
properly. Below are customer and employee privacy education best practices for
vital record agencies.
Customer education and support efforts include:
- Providing a consumer hotline to report suspected fraud
- Obtaining online privacy seals for consumer-oriented web sites
- Establishing a dedicated privacy web site with information on privacy
practices, principles and policies
Employee education efforts include:
- Requiring all employees to successfully complete mandatory privacy and
information security training each year
- Providing social engineering training to certain employees as part of
mandatory information security awareness training
- Requiring password reviews and forced password changes to ensure passwords
meet minimum security standards
- Establishing an employee and fraud hotline for reporting suspicious incidents
State of Pennsylvania - a Case for Statewide Information Connectivity: Portal
to Aid in Applicant Identity Verification:
In 1995, a Pennsylvania special
legislative session resulted in new laws providing innovative tools to help law
enforcement officers combat crime. One of these new laws brought about the
creation of Pennsylvania's Justice Network (JNET), an integrated justice portal
that provides a common online environment for authorized users to access public
safety and criminal justice information. The Pennsylvania Division of Vital
Records utilizes the JNET system to help verify the identity of its vital
record applicants.
When a Pennsylvania resident mails in an application for a Pennsylvania vital
record, a government issued photo-ID (such as a copy of his or her Pennsylvania
driver's license or non-drivers license photo-ID) is also required for
comparison with the license on file at the Pennsylvania Department of
Transportation (PennDOT). Once the Division of Vital Records ensures that
certain information matches the copy of the applicant's license, the applicant's
identity is verified. In addition, walk-in, or counter, applications can be
immediately verified with the JNET system.
To ensure security throughout its infrastructure, the JNET program relies upon
policy, secure connectivity and role-based entitlements. Access to JNET is
limited and requires signed confidentiality agreements and mandatory training
seminars. JNET is also a secured system, with managed public key infrastructure
(PKI) for both data encryption and digital certification.
The Pennsylvania JNET system is an example of strong cooperation among public
safety partners covering more than 85 percent of Pennsylvania's population, and
successfully connects the criminal justice information of all 67 counties, 54
state agencies and 39 federal agencies. The JNET approach to sharing information
was even cited as a national model by the National Governors Association for
Best Practices.
The Pennsylvania JNET system requires mutual support of local, county, and state
agencies, yet Pennsylvania has seen great results from this cooperation. Mr.
Yeropoli feels extending this approach to other states, including
inter-connectivity of motor vehicle files, could be beneficial for identity
verification of applicants no longer residing in the state where they were born.
State of Virginia - a Case for Stronger Vital Record Applicant Identity
Verification and Authentication:
The Virginia Office of Vital Records realized that knowing their customers and
understanding the reason they are requesting sensitive data may help detect any
suspicious or potentially fraudulent activity and may even help reduce the
potential risk of fraud or identity theft.
During the aftermath of 9/11, Virginia discovered that it was receiving online
Virginia birth certificate requests from victims who had died during the
terrorist attacks. Since decedents could not apply for their own records, the
state was instantly alerted to the fact that some individuals were attempting to
fraudulently obtain birth certificate copies.
At the time, Virginia had several options for customers to obtain certified
birth records: mail-in, walk-in (or counter) and expedited online applications.
Both the mail-in and walk-in requests required a driver's license to prove
identity; however, online requests did not require the applicant to send in
proof of identity.
Recognizing stronger online customer security was needed, Virginia looked for a
simple solution that could streamline customer authentication with the easy
online order process. In addition, Virginia wanted to offer telephone ordering
as another option for its customers and needed a way to verify the identity of
these applicants. The agency found its answer by using ChoicePoint’s ProCheck
and ProID knowledge-based authentication solution. Virginia became the first
state to use this technology for applicant authentication and verification.
The Virginia Office of Vital Records now has strong applicant identity controls
to help protect against credit card fraud and identity theft, using technology
to authenticate the applicant's identity with an online knowledge-based
authentication quiz to which only an applicant should know the answers.
According to Janet Rainey, the current Virginia state registrar, since the
implementation of ProCheck and ProID, Virginia has had no major incidents of
issuing fraudulently obtained vital records. For the 12-month period of March
2006 to March 2007, Virginia experienced a 90 percent passing rate on the
ProCheck identity verification and a 95 percent passing rate on the ProID
authentication quiz.