On July 19, 2018, the Better Identity Coalition, an organization focused on developing better solutions for identity verification and authentication, published "Better Identity in America: A Blueprint for Policymakers" (the "Report"). The Report outlines a comprehensive policy agenda for improving the privacy and security of digital identity solutions.
According to the Report, $16.8 billion was lost in the United States due to identity fraud in 2017, and the same year saw a 44.7% increase in the number of data breaches. Nearly 179 million records containing personal information were exposed, illustrating the inadequacy of current identity systems. The Report puts forth a set of consensus, cross-sector, technology-agnostic policy recommendations ("Policy Blueprint") to address existing inadequacies and to improve digital identity in America. Specifically, the Policy Blueprint outlines the following five key initiatives and corresponding action plans to achieve better security and privacy in identity systems and a more convenient and confident consumer market.
1. Prioritize the development of next-generation remote identity proofing and verification systems
Governments should prioritize the development of next-generation remote identity proofing and verification systems. As the U.S. does not have a formal national identity system, the private sector has responded by creating solutions, such as Knowledge-Based Verification, which relies on a subject's ability to answer security questions to verify their identity. However, increased data breaches and identity fraud in recent years have exposed the weaknesses in privately developed systems.
The Report argues that governments are in a unique position to spearhead the modernization of identity systems. The Social Security Administration and state governments, the latter of which already issue driver's licenses and identity cards, should offer new digital services to validate attributes. To finance the initiative, the Report proposes that the federal government institute a five-year, $200 million-per-year Federal grant to support states' development of forward-looking investment strategies for continuous R&D and eventual migration to digital identity systems. In addition, governments should encourage active partnership between the public and private sectors by addressing barriers that inhibit private sector entities from innovating around identity and by creating incentives that promote innovation.
2. Change the way Americans use the Social Security Number ("SSN")
The Report argues that both public and private sectors should stop using the SSN as an authenticator and reduce its use as an identifier wherever feasible. After years of massive data breaches and millions of SSN thefts, its value as an authenticator or identifier is largely diminished. Many members of the Better Identity Coalition also believe that using the SSN beyond government-mandated applications has become a risk for companies. In response to this recommendation, the Report argues that Congress and/or the Administration should launch a task force to review and amend existing laws and regulations that require companies to collect and retain SSNs. Government and industry alike need to move away from the existing common practice of using the SSN as an authentication factor and migrate to alternative solutions that can more securely authenticate consumers. To ensure the government can lead the way in the movement away from the SSN, the Report urges the President to issue an Executive Order, first banning agencies from using the SSN as an authenticator. In Canada, individuals are usually under no obligation to provide the Social Insurance Number (SIN) to any private-sector organizations other than some that collect the SIN for income reporting purposes.
3. Promote and prioritize the use of strong authentication
The Federal government should continue the work already underway in promoting strong authentication in sectors such as financial services, health care, government and consumer applications. Strong authentication is an identity authentication method whose security system is stringent enough to withstand any attacks it is likely to encounter. To complement existing initiatives, governments should modernize regulations to govern digital authentication platforms and reduce barriers to adopting innovative security systems. Specifically, the Report suggests that new legislation on privacy and security should not be written so broadly that it might preclude the use of promising technologies for risk-based authentication.
4. Pursue international coordination and harmonization of identity standards
The Report provides that the U.S. should coordinate with international partners to align global efforts in developing better identity solutions. This multilateral effort is especially important in the financial services industry, which hosts a substantial number of cross-border activities and requires reliable identity authentication to address special requirements for managing risks associated with Customer Identification Program requirements of the Bank Secrecy Act, as well as related Know Your Customer and Anti-Money Laundering rules currently in place in the U.S. market. For example, the U.S. government should develop a plan to engage the EU's eIDAS office and the Financial Action Task Force (FATF) to harmonize international account openings.
5. Educate consumers and businesses about better digital identity solutions
The Report encourages governments to partner with industry to educate both consumers and businesses on modern approaches and best practices in identity protection and verification. Specifically, the Report cites the National Cyber Security Alliance (NCSA) as an example of a potential partner, as NCSA already has a strong record of driving public-private partnerships to educate the public on cybersecurity.
As the topic of digital identity increasingly attracts global attention, organizations in many countries have published white papers on this topic. The U.S. approach mirrors Canadian developments in digital identity in many aspects. A recent white paper on Canadian digital identity also encourages governments to take a leading role in developing the infrastructure for digital identity systems. While there are notable differences in the privacy regimes between Canada and the U.S., privacy and cybersecurity have been a paramount concern in developing better digital identity systems in both countries. As a consequence of both sets of recommendations, financial services and banking may become one of the sectors most influenced by, and most relevant to, developments in digital identity. In addition, the proposals also suggest that international coordination and cooperation among governments and businesses are necessary for the effective protection and authentication of individual identities.
In Canada, the principles underpinning privacy legislation seek to protect the autonomy of the individual to control personal information. However, how and to what extent individuals should or do control how their personal information is used is being evaluated. The broader context in Canada is the recently announced national digital and data transformation consultations initiated by the Minister of Innovation, the Honourable Navdeep Bains. These consultations seek to inform Canada's position on data given the rapid emergence of exponential technologies. See our blog post on Canada's National Cyber Security Strategy for more information. McCarthy Tétrault is playing a key role in facilitating these consultations with Canadian enterprise.