Title of Regulation: 1VAC20-20. Records Administration (adding 1VAC20-20-10, 1VAC20-20-20).

Statutory Authority: § 24.2-103 of the Code of Virginia.

Public Hearing Information:

September 14, 2010 - 10 a.m. - General Assembly Building, 910 Capitol Street, House Room D, Richmond, VA

Public Comment Deadline: October 14, 2010.

Agency Contact: Martha Brissette, Policy Analyst, State Board of Elections, 1100 Bank St., Richmond, VA 23219, telephone (804) 864-8925, or email martha.brissette@sbe.virginia.gov.

Summary:

Federal and state laws require Virginia election administrators to maintain the security and confidentiality of personal voter information, including social security number and full date of birth. The proposed regulation provides a standard for encryption technology that localities may provide as an alternative to redacting personal information from applications and other documents before transmitting them electronically.

CHAPTER 20
RECORDS ADMINISTRATION

1VAC20-20-10. (Reserved.)

1VAC20-20-20. Electronic transmission of records containing sensitive personal information; encryption or redaction required.

State and local election staff shall use encryption technology meeting the Security Requirements for Cryptographic Modules, FIPS PUB 140-2, issued May 25, 2001, with change notices through December 3, 2002, of the National Institute of Technology (NIST) of the United States Department of Commerce (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) to transmit electronically any records containing sensitive personal information. Electronic transmission includes email or facsimile transmission. For purposes of this regulation, sensitive personal information means: (i) more than four digits of a social security number or other unique identifier other than voter identification number; (ii) day and month of birth; or (iii) the residence address of voters qualified for protection under § 24.2-418 of the Code of Virginia. If encryption is not used, then all sensitive personal information must be redacted from the record before the record is transmitted electronically. "Redact" means alteration or truncation of data so that no sensitive personal information is accessible.

DOCUMENTS INCORPORATED BY REFERENCE (1VAC20-20)

Security Requirements for Cryptographic Modules, FIPS PUB 140-2, issued May 25, 2001, including change notices through December 3, 2002, National Institute of Standards and Technology, U.S. Department of Commerce; http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.