Driver's license information is a mixed bag in terms of risks. Depending on the state in which the license was
issued, it may contain not only a person's name, address and birthday, but also his or her Social Security number (SSN) as well. This lethal combination, which I call the identity theft quartet, can be used to steal someone's identity and fraudulently open lines of credit in a person's name.
The risk is caused by data in the aggregate and not individual pieces of customer information. For example, a person's name, address and phone number are considered public information--they can be obtained from a phone book. Today, most states have removed SSNs from driver's licenses, but that still leaves a person's name, address, birthday and license number. It's conceivable that a determined identity thief, armed only with three of the four pieces of the quartet, could get the last piece elsewhere and go on a spending spree in the person's name.
So a driver's license information is something in need of protection, since it can be used maliciously to hijack someone's identity. The proper way to handle this data would be the same as for any other sensitive data. It should always be encrypted -- whether at rest, in a database, on a file server or transmitted electronically/online. Access to servers with driver's license images should be strictly controlled by an access management system. Access should only be granted to company employees on a least privilege or need-to-know basis.
As for programming decisions, the same rules administered for any other sensitive customer information should apply. Make sure business logic in code checks for images of driver's licenses and handles them appropriately by encrypting the data and storing it on hardened databases and file servers that have been approved for customer data storage.
Another question to ask, on a higher level, is why do driver's license images need to be stored in the first place? Is this information necessary to identify customers? Are there other unique and more innocuous identifiers that can be used? Are there regulations in your industry -- such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act (GLBA) or HIPAA -- that might prohibit this or offer guidelines on best practices?
A good non-technical resource for handling driver's license numbers is the Electronic Privacy Information Center (EPIC). EPIC has information and suggestions about policies for the proper handling of sensitive customer information that you might find useful.
For more information:
Dig deeper on Enterprise Data Governance
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.