Guide to Keeping Sensitive, Personal Information Private and Secure

Vital Record agencies are confronted with information and data security issues as important concerns in today’s technology-enabled world. Companies and government agencies nationwide strive to ensure that only authorized people receive sensitive data. Still, fraud involving documents such as birth certificates occurs. The U.S. passport offices and Immigration and Naturalization Services report that 85 percent and 90 percent respectively of fraud cases involve use of bona fide birth certificates

This article discusses how ChoicePoint and VitalChek recognized that information and technology can help manage the risks facing government agencies. It is important for Vital Record agencies to strengthen privacy protection and security programs through the implementation of policy and technology.

Vital Record Industry Data Security and Information Privacy Programs

Several best practices have emerged in the Vital Record Industry. Taking the top-down approach has been the strategy of ChoicePoint. The company limits both internal and external access to sensitive data in addition to truncating or masking personally identifiable information such as individual Social Security numbers or dates of birth in all but a limited set of circumstances. To stay ahead, leading technology is required.

Maintaining updated technology is another way ChoicePoint and VitalChek help provide current security measures for their employees and customers. For example, ChoicePoint utilizes intrusion detection software to prevent hackers from stealing information, application scanning services to detect for system vulnerabilities, e-mail detection software to detect outgoing e-mails containing sensitive personally identifiable information, and a knowledge-based authentication tool used to verify applicants’ identities.


Importance of Privacy Education with Customers and Employees
Educating customers and employees is an important component of a vital record agency privacy and information security. Privacy policies and procedures should be designed to protect consumer information from misuse. Such policies and procedures should be audited on a regular basis to ensure they are working properly. Below are customer and employee privacy education best practices for vital record agencies.

Customer education and support efforts include:
• Providing a consumer hotline to report suspected fraud
• Obtaining on-line privacy seals for consumer oriented web sites
• Establishing a dedicated privacy Web Site with privacy practices, principles and policies information

Employee education efforts include:
• Requiring all employees to successfully complete mandatory privacy and information security training each year
• Providing social engineering training to certain employees as part of mandatory information security awareness training
• Requiring password reviews and forced password changes to ensure passwords meet minimum security standards
• Establishing an employee and fraud hotline for reporting suspicious incidents


State of Virginia – a Case for Stronger Vital Record Applicant Identity Verification and Authentication
The Virginia Office of Vital Records realized that knowing their customers and understanding the reason they are requesting sensitive data may help detect any suspicious or potentially fraudulent activity and may even help reduce the potential risk of fraud or identity theft. During the aftermath of 9/11, Virginia discovered that they were receiving Virginia online birth certificate requests from victims who had died during the terrorists’ attacks. Since decedents could not apply for their own records, the state was instantly alerted to the fact that some individuals were attempting to fraudulently obtain birth certificate copies.

At the time, Virginia had several options for customers to obtain certified birth records: mail-in, walk-in (or counter) and expedited online applications. Both the mail-in and walk-in requests required a driver’s license to prove identity; however, online requests did not require the applicant to send in proof of identity.

Recognizing stronger online customer security was needed, Virginia looked for a simple solution that could streamline customer authentication with the easy online order process. In addition, Virginia wanted to offer telephone ordering as another option for its customers and needed a way to verify the identity of these applicants. The agency found its answer by using ChoicePoint’s ProCheck and ProID knowledge-based authentication solution. Virginia became the first state to use this technology for applicant authentication and verification.

The Virginia Office of Vital Records now has strong applicant identity controls to help protect against credit card fraud and identity theft, using technology to authenticate the applicant’s identity with an online knowledge-based authentication quiz to which only an applicant should know the answers.

According to Janet Rainey, the current Virginia state registrar, since the implementation of ProCheck and ProID, Virginia has had no major incidents of issuing fraudulently obtained vital records. For the 12 month period of March 2006 to March 2007, Virginia has experienced a 90 percent passing rate on the ProCheck identity verification and a 95 percent passing rate on the ProID authentication quiz.



The official source of Keeping Sensitive, Personal Information Private and Secure is
the Online Privacy page at Business.com