American drivers should mark their calendars: On October 1, 2020, drivers who want to use their state driver’s licenses to board a plane or enter a US government building must present a license that meets the new federal identification requirements of the Real ID program.
If you haven’t heard of this program, you’re not alone. Many are just now learning that they will need a new license to fly, but what they are also learning is how much data they will have to fork over to get the new license. Real ID is one of the biggest data-gathering initiatives to take place recently and few are talking about the potential security concerns of the program.
The Process
To get a Real ID, drivers must visit a branch of their state department of motor vehicles in person and present a selection of original, personally identifying documents. While states differ somewhat in the types of documentation that they are willing to accept to verify driver identities, typical examples include passports, birth certificates, marriage licenses, and social security cards.
State DMV employees will scan and save digital copies of these documents. Drivers will then receive a regular license marked with a star in the corner to show compliance with the new program.
Doing the Math
Real ID will affect millions of Americans. There are about 225 million licensed drivers in the US: if only 100 million decide to get a Real ID, and each driver brings four or five sensitive documents in to prove their identity, then states will find themselves owning up to a half-million scanned files with very sensitive information.
If all 225 drivers eventually get a Real ID, states could find themselves managing digital copies of over one billion documents. That’s a lot of sensitive data to protect, and state agencies will be under pressure to make sure it all stays private.
Data at Risk
The Real ID Act requires each state to save and store these documents in digital format (while the Real ID program is federally mandated, there will be no national centralized database). The burden is now on each state to figure out how to safely manage and secure vast virtual libraries of identifying information gathered from numerous local department of motor vehicle offices.
Data stores containing sensitive data on drivers will be on hacker’s target lists. Insiders, including employees and contractors, with access to ID document stores, may access and copy images. Improperly secured cloud data stores could put sensitive files at risk and possible exposure to anyone who knows where to look.
To complicate matters, the rollout of the Real ID program has been less than smooth. Some states have just started issuing Real ID-compliant licenses, and at least two plan to wait until next year. Others have issued Real IDs, only to recall them. These missteps do not bode well for the security of the sensitive information states will collect.
Recent ransomware attacks targeting municipalities show that governments rely on the same data that’s putting them at risk. An attack that wipes out drivers’ digital files could mean that states fall short when it comes to following federal guidelines.
Because Real ID captures a wide range of sensitive documentation, DMVs could be subject to various US state notification laws in the event of breach or mishandling of data. New state privacy regulations, modeled after the European GDPR may grant citizens new privacy rights to data, complicating matters for state agencies.
Preparing for the Real ID Data Tidal Wave
In the rush to issue Real ID-compliant drivers’ licenses, security could well be an afterthought. State IT and security leaders should start by focusing on these four areas:
- Perform regular maintenance: System updates are a simple step to take to ensure your infrastructure is secure, but all too often these are delayed when IT teams have their hands full with countless other tasks.
- Keep an eye on data use: Curious employees have burned organizations by revealing sensitive data that they should never have been able to get their hands on. It could be tempting to look up a birth certificate or a marriage license of a local celebrity. By closely monitoring data usage, malicious or inappropriate insider access can be spotted quickly.
- Review data retention and deletion policies: States burdened by older IT infrastructure will soon find themselves holding millions of sensitive digital files. Now is the time to review current data retention processes and ensure they will meet any specifications in the Real ID federal requirements. Many organizations don’t enforce retention and disposition policies when it comes to digital files, which can end up spelling disaster. Delete what’s no longer needed and it won’t be at risk.
- Strive for least privilege: Information that can be accessed can also be viewed, captured, copied and exfiltrated. Least privilege—making sure only the right people have access to just what they’re supposed to—will help protect valuable data in the event an insider goes rogue or an attacker gets on your network because their access will be limited and you’ll limit potential damage they can do.
Real ID raises serious concerns, but it is also an opportunity for state governments to progress with IT and security initiatives centered on protecting constituent data. States must ensure their infrastructure and security is ready for Real ID or be prepared to face potential security consequences.