DMV Conducts Detailed Audit of Insurance Agent's Records

A prominent Southern California insurance agency was surprised last month to receive notice from the California Department of Motor Vehicles (DMV) that it had been randomly selected for an audit of its practices related to Motor Vehicle Record (MVR) procurement.

Like most agencies who sell personal or commercial auto policies, the agency had entered an agreement with a third-party vendor to obtain MVRs electronically for insurance underwriting purposes.  However, all insurance agencies who wish to procure such records are also required to execute a Commercial Requester Account (CRA) agreement with DMV.

That agreement requires insurance brokers and agents, or any other party signing the agreement, to comply with extensive requirements set forth in the 55-page CRA Commercial Requester Information Handbook.

The notice sent last month by DMV informed the agency that it would be subject to a “desk review” of responses the agency furnished on an eight-page questionnaire and on specific documents DMV requested in order to determine whether the agency’s “general system of policies, procedures, and guidelines […] are in compliance with the CRA Handbook, [and whether] internal controls are adequate to safeguard information obtained from DMV.” 

“Quite honestly, we were flabbergasted by this request,” the agency principal said.  “We rely on a third-party vendor to obtain MVRs, and the only use we ever make of these records is to convey them confidentially to insurers for underwriting purposes.  I was generally aware of the CRA Handbook, but had no idea we were required to do all of the things DMV apparently expects us to do.”

The questionnaire DMV sent to the agency includes such questions as:

  • What privacy policies has the organization established with respect to the collection, use, and retention of DMV information?

  • Do you have a written information security program or policy?  If yes, please provide a copy of the policy.

  • Identify the locations, systems, and methods for storing, processing, transmitting, and disposing of DMV information

  • Please describe your procedures in the event of a security breach.

  • How are employees with access to DMV information trained in privacy protection?

  • Do you maintain an Information Security Statement (DMV Form INF 1128) for each employee authorized to access DMV records (If yes, please provide us with copies of these statements).

  • Do you have a list of inactive or terminated employees that had access? (If applicable, please provide us with a copy of this listing).

  • How many computer terminals are capable of making inquiries? Where are they located?  Are the terminals secured when unattended?  Explain how they are secured.

  • Your terminals that access DMV records should display a “warning banner” containing some variation of the following admonishment:  “WARNING:  Unauthorized access or misuse of data may result in adverse action and/or criminal prosecution.”  Does this banner display?

  • Do you keep a log of all inquiries made?  If yes, provide log for April 2008.

  • Describe access controls on computer systems containing DMV information to prevent access by unauthorized staff or other individuals.

  • How often are passwords required to be changed?  How are password changes initiated?

The questionnaire further requires the agency to provide a copy of the agency’s Requesters Information Security Program or Policy, Information Security Statements for the past two years, a list of inactive or terminated employees, a list of current authorized users, a list of current user terminals, and an inquiry log for inquiries processed in April 2008.

After DMV completes its review of the completed questionnaire and supporting materials, additional interviews or even an agency visit may be required.  The results will be shared with the agency, and written recommendations (if any) to change business practices could be rendered.

A copy of the DMV’s CRA Commercial Requester Information Handbook is available by clicking HERE.