Florida knew releasing driver data was risky, kept doing it anyway

The state of Florida has been selling private information about its drivers in bulk for years, despite records that show state officials have been aware the practice is fraught with risks and could run afoul of federal law, a FOX 13 investigation has found.

The state Department of Highway Safety and Motor Vehicles – Florida’s DMV – has publicly denied they may be exposing the private details of more than 15 million drivers to third parties who had no legitimate right to the information.

Yet, according to annual reports the DMV has submitted to Gov. Rick Scott’s office for each of the past four years, the state admits they lack the staff, system and technology needed to track the “appropriateness” of how commercial buyers are using private information about Floridians.

DMV also lacks the staff needed to ensure the data exchanges aren’t violating the federal Driver Privacy Protection Act, according to the report. In the past two years alone, the DMV generated more than $150 million in revenue by selling the federally-protected information.

Documents obtained through Florida’s sunshine laws also show the state’s contracts with commercial buyers contain lax security provisions, and do not specifically require the third parties to encrypt the private driver data. 

The new findings come days after Florida Sen. Bill Nelson asked the U.S. Department of Justice to investigate the DMV’s sales practices, pointing to evidence found in FOX 13’s ongoing investigations into the DMV, which have raised red flags about the states sales practices. 

“You definitely don't want the bad guys to know where you live, where you bank, where your children go to school,” Nelson said at a Friday news conference.

Scott’s office referred questions to the DMV, as did a spokesperson for Attorney General Pam Bondi. DMV executive director Terry Rhodes and her staffers have ignored FOX 13’s questions about the risks to Floridians’ private information ever since the announcement of the DOJ investigation.

Rhodes issued an emailed statement on Friday saying the DMV “does not sell” data, insisting it is simply “released” under state and federal law.

She did not respond to a follow-up question about the misleading nature of the statement, given the substantial revenue generated by her department’s practice. Records show the department has used the terms “sell” or “sales” to describe the transfer of money that takes place when the DMV collects fees in exchange for releasing driver records to buyers.

Federal law does not require the state to expose entire databases of driver information, nor does it require the state to allow commercial buyers to re-sell it – both of which the Florida DMV allows.   

Nelson said the DMV’s practices could be putting the private information of high-level military personnel at risk.

"Those soldiers, sailors, airmen, marines and Coast Guardsmen -- they all need to be protected. And just because they got a Florida driver’s license doesn't mean it should be out there in the public domain for potential terrorists to get a hold of,” he said.

Security experts who reviewed FOX 13’s findings said the state’s lax security measures put the data at a huge risk for a breach.

John Black, a cyber security expert with SecureSet Academy, was alarmed by the lack of a specific encryption requirement in the state’s agreements with bulk data buyers.

"Modern password attackers these days can try every single combination of upper and lower case and digit, up to length six, in less than a second,” he said. “My personal view is that personal information like driver data shouldn’t be shared with for-profit organizations. I think the motives are just all in the wrong place.”