Buyers Abused DMV Data, California DMV Says

The California DMV has terminated accounts of people or companies that buy DMV data for both findings uncovered during audits and after investigations into misuse of the data, according to a letter obtained by Motherboard.

DMVs around the country are legally obligated to provide such information. But with its use by a wide range of different industries, lawmakers are repeatedly calling for changes in the legislation that govern such data distribution.

"On the whole, driver’s license data ends up in too many hands which increases the risk of personal information being abused," Representative Anna G. Eshoo said in a statement. The letter with the findings is a response from the DMV to Eshoo, who asked questions about the DMV's data sharing practices.

"However, I do not fault the DMV because it is obligated to follow state and federal laws that govern driver’s license data, a responsibility it seems to take seriously. In my view, the oversharing of DMV data is a result of dated laws. In particular, it’s time for Congress to revisit the Driver's Privacy Protection Act, which was enacted in 1994," Eshoo added.

The California DMV is generally stricter than other states with what data it releases, and has extra protections around information such as photos, addresses, and Social Security Numbers (SSNs). Other states are much more lax, however: Motherboard recently reported that the Arizona DMV sells drivers' photos and SSNs to private investigators. Motherboard also found the California DMV has provided some data to investigators, and that requesters have paid the California DMV a total of around $50 million a year to access the information, too.

The California DMV said in its letter that it audits purchasers of the data, with an audit being triggered "based upon an evaluation of risk factors," or as the result of complaints or investigations. The DMV said in its letter it has completed 101 account audits since 2017, and projects it will perform 60 audits this financial year. Audits include "verifying data is used for the purpose for which the account was approved, examining the chain of custody of data, verifying the adequacy of required logs and documentation," and whether security protocols are being observed, the DMV letter adds.

"The DMV has terminated or suspended accounts pursuant to findings uncovered during an audit," the letter reads. "In addition, accounts have also been revoked following investigations of misuse."

When asked if the DMV informs victims of data abuse, the DMV told Motherboard in an email, "If information is improperly accessed, customers are notified as required by law."

"Generally, the DMV investigates by contacting the requester, pulling the data requests and application, then reviews the logs that substantiate the inquiry.  If misuse is determined, the DMV will take the appropriate action and let the customer know the issue has been addressed," it added. "If it is a misuse complaint regarding law enforcement, it is referred to the DOJ and the complainant is notified. If a misuse complaint is made by a customer regarding a request for their information, the DMV investigates. If the request is determined to be legitimate, the customer is notified of the laws that allow for the request and the legitimate use of the information."