(a) (1) In this section the following words have the meanings indicated.
(2) “Covered employee” means an employee of the Administration or a contractor for the Administration who is involved in the manufacture or production of identification cards, moped operators’ permits, or licenses to drive or who has the ability to affect the identity information that appears on an identification card, a moped operator’s permit, or a license to drive.
(3) “Personally identifiable information” means any information that can be used to distinguish or trace an individual’s identity as specified in regulations adopted by the Secretary of the United States Department of Homeland Security, whether the information is stored in a database, on an identification card, a moped operator’s permit, or a license to drive, or in the machine-readable zone on an identification card, a moped operator’s permit, or a license to drive.
(b) The Administration shall have a security plan for identification cards, moped operators’ permits and licenses to drive issued or renewed for the purposes of complying with the provisions of this article.
(c) At a minimum, the security plan shall address:
(1) Physical security of the facilities used and storage areas for card stock and other materials used in production; and
(2) Security of personally identifiable information maintained at locations of the Administration involved in the enrollment, issuance, manufacture, or production, including the following protections:
(i) Reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the personally identifiable information collected, stored, and maintained in Administration records and information systems, including procedures to prevent unauthorized access, use, or dissemination of applicant information and images of source documents retained and standards and procedures for document retention and destruction;
(ii) A privacy policy regarding the personally identifiable information collected and maintained by the Administration;
(iii) Requiring that release or use of personal information collected and maintained by the Administration comply with the requirements of the federal Driver’s Privacy Protection Act;
(iv) Document and physical security features for identification cards, moped operators’ permits, and licenses to drive issued by the Administration;
(v) Access control, including:
1. Employee identification and credentialing, including access badges;
2. Employee background checks, including a name-based and fingerprint-based criminal history records check, for each covered employee and current employee who will be assigned to the position of a covered employee; and
3. Controlled access systems;
(vi) Periodic training requirements in:
1. Fraudulent document recognition training for all covered employees handling source documents or engaged in the issuance of identification cards, moped operators’ permits, or licenses to drive; and
2. Security awareness training, including threat identification and handling of sensitive security information as necessary;
(vii) Emergency and incident response plan;
(viii) Internal audit controls; and
(ix) An affirmation that the Administration possesses the authority and means to produce, revise, expunge, and protect the confidentiality of identification cards, moped operators’ permits, and licenses to drive issued in support of federal, State, or local criminal justice agencies or similar programs that require special licensing or identification to safeguard persons or support their official duties.
(d) The security plan required by this section contains sensitive security information and shall be handled and protected in accordance with 49 Code of Federal Regulations Part 1520.