Skip to main content


Getting ID Right in Virginia

By Dave Burhop

As members of IDESG, you are fully aware that a simple username and password are not sufficient to safeguard consumers’ identity. In March, Virginia took steps to address this problem and became the first state to enact legislation designed to strengthen and authenticate digital identities. The bill, issued by the Joint Commission on Technology and Science (JCOTS), has been approved by the General Assembly and was signed into law by Governor Terry McAuliffe. The bill, which was introduced by Senator John Watkins, will become effective July 1.

As is true for most of the nation, the number of data breaches or cases of identity fraud affecting Virginia residents has skyrocketed in recent years. From a legislative perspective, the primary impetus for this bill was consumer protection. I’m excited that the Commonwealth is at the forefront of shaping the future of identity and trust in online or digital transactions. We hope this legislation resonates with states across the country – and we hope to see positive and meaningful results for both consumers and businesses.

For nearly four years, JCOTS has been diligently exploring, reviewing and studying viable authentication technologies and identifying barriers related to third party reliance on identity credentials. This legislation is the culmination of many months of hard work put in by the hardworking staff of the JCOTS, working closely with identity management experts Jeff Nigriny with CertiPath (link is external) and Timothy Reiniger with Future Law (link is external).

An important component of this bill is the focus on the issue of liability as it relates to third-party identity credential providers. Other key issues that the bill addresses, includes:

  • The creation of a common legal framework by providing a series of definitions to be enacted in statute – definitions that have been used in the contract world by trust frameworks and identity providers
  • The unpredictability of liability for identity providers by providing significant limitations to that liability in order to incentivize private sector players to be identity providers and trust framework operators
  • The creation of an actual advisory council overseen by Virginia’s Secretary of Technology that includes representatives from both the private and public sectors. The council is charged with establishing a minimum set of guidelines to be followed by trust framework operators.

It is very exciting to see my home state of Virginia leading the nation in taking action and working towards a solution to combat identity theft and safeguard individuals’ identities. Weak identity mechanisms are a major reason for the growing number of data breaches and hacks. I am encouraged by the bill calling attention to the need for a trusted framework that allows users to minimize their “identity” risk profile. This is the first ever bill that formally recognizes the trustmark and basically provides a warranty – an important and major step forward for our IDESG community. When identity providers use a trustmark, in essence this signifies a warranting that it has issued the necessary credentials in compliance with state standards and adheres to the rules and policies of its trust framework. This is important legislation because the advisory council will be officially reviewing and endorsing solid trust frameworks others can use that meet specific requirements.

Because Virginia is the first state to pilot the digital identity management effort on this level, I highly anticipate all other states will be watching carefully and monitoring how this plays out. So stay tuned…

Dave is Deputy Commissioner for the Virginia Department of Motor Vehicles. He currently serves as the Management Council Delegate for U.S. State, Local, Tribal and Territorial Government.