Driver's license information is a mixed bag in terms of risks. Depending on the state in which the license was issued, it may contain not only a person's name, address and birthday, but also his or her Social Security number (SSN) as well. This lethal combination, which I call the identity theft quartet, can be used to steal someone's identity and fraudulently open lines of credit in a person's name.
The risk is caused by data in the aggregate and not individual pieces of customer information. For example, a person's name, address and phone number are considered public information--they can be obtained from a phone book. Today, most states have removed SSNs from driver's licenses, but that still leaves a person's name, address, birthday and license number. It's conceivable that a determined identity thief, armed only with three of the four pieces of the quartet, could get the last piece elsewhere and go on a spending spree in the person's name.
So a driver's license information is something in need of protection, since it can be used maliciously to hijack someone's identity. The proper way to handle this data would be the same as for any other sensitive data. It should always be encrypted -- whether at rest, in a database, on a file server or transmitted electronically/online. Access to servers with driver's license images should be strictly controlled by an access management system. Access should only be granted to company employees on a least privilege or need-to-know basis.
As for programming decisions, the same rules administered for any other sensitive customer information should apply. Make sure business logic in code checks for images of driver's licenses and handles them appropriately by encrypting the data and storing it on hardened databases and file servers that have been approved for customer data storage.
Another question to ask, on a higher level, is why do driver's license images need to be stored in the first place? Is this information necessary to identify customers? Are there other unique and more innocuous identifiers that can be used? Are there regulations in your industry -- such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act (GLBA) or HIPAA -- that might prohibit this or offer guidelines on best practices?
A good non-technical resource for handling driver's license numbers is the Electronic Privacy Information Center (EPIC). EPIC has information and suggestions about policies for the proper handling of sensitive customer information that you might find useful.
For more information:
This was first published in October 2007