The Virginia Digital Identity Law:
Legal and Policy Foundations for the Identity Trust Framework Model
Timothy S. Reiniger, Jeff Nigriny, and Kyle Matthew Oliver
In the physical world, we typically rely on government entities and employers to manage the identity credentialing process. DMVs, passport offices, and human resource departments are the norm. The digital world, though, is serviced almost exclusively through commercial entities, often at the behest of government entities that would see the privatization of the internet upheld. This paper explores the practical effect of Virginia’s liability safe harbor law approach on participant claims in both federated and user-centric identity management systems in the United States. The law seeks to provide a common legal foundation for identity providers, identity trust frameworks, and the use of trustmarks as emerging approaches to addressing the risk of being held legally responsible for the losses incurred by others based on faulty third-party assertions of identity.
In an open environment, identity trust framework providers and identity providers face an exorbitant amount of risk based on their central position. They are not currently compensated for this risk, and it would be difficult to alter models to adequately address this solely through commercial means. As such, the system inadvertently incentivizes trust framework providers to push participating identity providers to lower assurance levels, regardless of their compliance capability, as a means of reducing the trust framework operator’s own risk exposure.