Spring2014movemag web image Page 2 Image 0001

May 2014

Twenty years after major driver privacy legislation, DMVs are still working to streamline their privacy practices.

BY Elizabeth Millard


Before the Driver Protection Privacy Act (DPPA) was passed in 1994, Senator Chuck Robb spoke in favor of the legislation, noting that the right to privacy was seriously threatened unless the act was put in place. He said, “Even your Social Security number is available, and the chief agent giving out this kind of information is the very government that is supposed to protect its citizens.”

With the DPPA turning 20, it seems fitting to remember not only why it was developed (see “Driver Privacy Protection Act Primer” for the Act’s history), but also to examine whether those original protections are still in place, especially when large entities like Target and Neiman Marcus are being hacked, and it’s easier than ever to obtain personal information. What are DMVs doing to make sure they’re protecting driver privacy? And what can they be doing better?

Lockdown Challenges

When the DPPA was put into place, people obtained information in ways that might seem charmingly archaic to us now: phone books, DMV requests, public libraries, even calls to employers. These days, finding someone’s home address could be as simple as a 10-second Google search.

“In this day and age, our personal information exists in so many different places that it seems almost impossible to exercise control in the name of privacy,” says Geoff Slagle, director of identity management at AAMVA. “I don’t think that should lead us into taking a lackadaisical attitude toward protecting information, but we need to be realistic about what can be achieved.”

Often, it’s difficult to trace the source of information, Slagle says. For example, if someone discovers another person’s home address, it could have come from a range of sources, including real estate record databases, supermarket reward card listings or “locator” sites online. Unlike 20 years ago, the DMV is only one of a constellation of information sources. That can make it difficult to pin down whether there’s a DMV data breach.

Another challenge is the law’s built-in exceptions (See “Driver Privacy Protection Act Primer”). Even when it was first unveiled, the DPPA wasn’t as stringent as it could have been, Slagle adds, because there was concern about making the legislation too restrictive to be useful. That’s led to jurisdictions working to balance privacy protection with access to information, and going beyond the law’s protections to implement better controls.

AAMVA Steps Up

Because the vetting and verification of driver’s license data plays such a large role in the day-to-day operations of DMVs, AAMVA plays a significant role in providing direction when it comes to privacy, notes Cian Cashin, senior manager of government affairs at AAMVA.

The organization helps the federal government understand that there’s a delicate balance between protecting the privacy of drivers and facilitating governmental functions. “This does not happen in a vacuum, and requires constant and vigilant interaction at both the jurisdictional and federal level,” Cashin says.

One major effort that AAMVA makes toward that balance is encouraging collaboration among members, and information sharing. While information disclosure and practices must be handled very specifically on a jurisdiction-by-jurisdiction basis, Cashin adds that it’s very important for all jurisdictions to have a sense of what approaches others are taking. He says, “We want to make sure everyone is working from the same sheet of music.”

Sometimes, this knowledge swapping is as easy as surfing to another DMV’s website. For example, the Florida Department of Highway Safety and Motor Vehicles addresses the DPPA and privacy on its website, giving very clear information about what drivers can expect in terms of privacy controls. The webpage also includes links to the Florida Statute on DPPA, and forms that drivers can complete to withhold personal information.

Taking Control

As AAMVA works to help increase privacy protections at DMVs, those in the organization’s membership can also boost their control over privacy. Slagle notes that because the DPPA contains exceptions, it has led many agencies to apply stricter statutes or to build additional safeguards into their standard operational protocols.

He points out that jurisdictions have a responsibility to make sure they’re putting their data under digital lock and key, but they also need to ensure that there’s transparency around what’s being done with the information. Equally important, agencies need to be observant about how information is handled. “You can have laws until the cows come home, but if you have people who don’t care about those laws, you’re going to have issues,” Slagle says.

Similar to private enterprise, DMVs should take a closer look at their protections, and find areas that could use additional safeguards. Here are some tactics for making privacy a priority:

  • Perform regular data audits. Data breaches most often show up as the result of small malware programs inserted quietly into a system—that’s why they call them worms, viruses or Trojan horses. Seemingly benign, they can replicate quickly, becoming a cancer inside a system. To spot these nasties, agencies can run sophisticated data audits that detect abnormalities, especially around unauthorized access.
  • Run a fire drill occasionally. There’s never a good time to test a system, particularly when you’re dealing with an agency as busy as a DMV. But running a “fire drill” once or twice a year can save an enormous amount of time and effort if any data breaches do occur. Data fire drills are created to test employees on their knowledge of procedures, and to observe how well they might handle real-life situations. It’s not necessary to actually break your system (although some companies do just that), but it’s helpful to ask employees what they’d do if confronted with unauthorized access requests, suspected data breaches or system failures.
  • Review third-party use agreements regularly. What took down Target wasn’t an internal network issue—it was poor security procedures at a subcontractor that handled the retailer’s HVAC systems. David Poarch, vice president of security solutions at Illinois-based technology consulting firm Forsythe, says that many organizations, public and private, tend to fall down with the vendors they trust. “They don’t have much of a plan for how to treat these third-party business relationships because they’re so focused on keeping the ‘bad guys’ out,” he says.
  • Check your procedures. Most, if not all, DMVs have data security procedures in place, but some haven’t made sure that those procedures are regularly updated. Given the pace of technology, it makes sense to revisit areas like training and access control on a consistent basis. As the data environment changes, procedures are likely to change as well, so stay on top of privacy and security rather than assuming that a years-old privacy policy is protection enough.
  • Trust your instincts. Cashin notes that everyone involved in the use and collection of personal information should be extremely cautious with the release of any data. “Trust your instincts and remind yourself that it’s better to be restrictive than generous,” he says, “because once you’ve released that data, it will continue to live a life of its own.”
  • Be transparent. Much like Florida’s site, other DMVs have moved toward providing straightforward explanations of how records are handled, what protections are in place and the process involved with obtaining someone else’s records. For example, the New York DMV offers a variety of links related to record requests, and cites the DPPA as a framework for its policies. This kind of clarity can be useful not just for drivers, but also for DMV employees.

In general, the DPPA provides some level of guidance when it comes to protections and permissible exceptions, but DMVs are likely to find that they need to go beyond those basics in order to lock down privacy.

“As more and more government agencies rely on previously vetted and verified information, it will place additional risks upon our agencies to safeguard that data against those who would use the data for illegitimate or fraudulent purposes,” says Cashin. “As we’ve seen in the past, the misuse of identifying information can have drastic, serious consequences. It’s important that we, as a community, keep up with the increasing threat and remain vigilant.”