DMV Completes Audit of Insurance Agent's Records

A Southern California insurance agency selected at random by the California Department of Motor Vehicles (DMV) for an audit of its Motor Vehicle Record (MVR) procurement practices emerged with only minor recommendations for changes—and no fines or other penalties.

All insurance agencies that wish to obtain MVRs electronically for insurance underwriting purposes are required to execute a Commercial Requester Account (CRA) agreement with DMV, even if the agency retains a third-party vendor to actually obtain the records.

That agreement requires insurance brokers and agents, or any other party signing the agreement, to comply with extensive requirements set forth in the 55-page CRA Commercial Requester Information Handbook.

DMV notified the agency earlier this year that it would be subject to a “desk review” of responses the agency furnished on an eight-page questionnaire and on specific documents DMV requested in order to determine whether the agency’s “general system of policies, procedures, and guidelines […] are in compliance with the CRA Handbook, [and whether] internal controls are adequate to safeguard information obtained from DMV.”

The questionnaire DMV sent to the agency includes such questions as:

  • What privacy policies has the organization established with respect to the collection, use, and retention of DMV information?
  • Do you have a written information security program or policy?  If yes, please provide a copy of the policy.
  • Identify the locations, systems, and methods for storing, processing, transmitting, and disposing of DMV information.
  • Please describe your procedures in the event of a security breach.
  • How are employees with access to DMV information trained in privacy protection?
  • Do you maintain an Information Security Statement (DMV Form INF 1128) for each employee authorized to access DMV records? (If yes, please provide us with copies of these statements.)
  • Do you have a list of inactive or terminated employees that had access? (If applicable, please provide us with a copy of this listing).
  • How many computer terminals are capable of making inquiries? Where are they located?  Are the terminals secured when unattended?  Explain how they are secured.
  • Your terminals that access DMV records should display a “warning banner” containing some variation of the following admonishment:  “WARNING:  Unauthorized access or misuse of data may result in adverse action and/or criminal prosecution.”  Does this banner display?
  • Do you keep a log of all inquiries made?  If yes, provide log for April 2008.
  • Describe access controls on computer systems containing DMV information to prevent access by unauthorized staff or other individuals.
  • How often are passwords required to be changed?  How are password changes initiated?

The questionnaire further requires the agency to provide a copy of the agency’s Requesters Information Security Program or Policy, Information Security Statements for the past two years, a list of inactive or terminated employees, a list of current authorized users, a list of current user terminals, and an inquiry log for inquiries processed in April 2008.

As a result of its review, DMV notified the agency that it had found three violations “that warrant corrective action.”

First, the agency did not maintain supporting documentation for 10 of 20 records obtained during the audit period.  DMV cited the following rule:

The Commercial Requester Information Handbook, Chapter Two, Part II, Security Requirements, Item 2 states:
"Requester shall maintain the security and integrity of any information it receives and shall maintain records and documents to justify and support proper use of requested information. All Requesters are required to establish and maintain daily logs and source documents that track the receipt, use and dissemination of DMV information." 

Second, the agency was found to have changed the password it used to access records through its electronic service provider (American Driving Records) every six months. DMV requires the password to be changed every 60 days, and cited the following rule:

The Commercial Requester Information Handbook, Chapter Two, Part III, On-line (Direct) Access -- Indirect Requester, Item 3 states:
"Password shall be changed at least every 60 days. Password shall be changed immediately if it is suspected another individual has knowledge of an individual's password. The same person shall not use a password more than once within a twelve-iteration period. Passwords shall not be written down or otherwise kept in a location where they can be seen or easily obtained by anyone other than the person to whom they belong."

Third, the agency did not annually re-certify the Information Security Statement (DMV form INF 1128).  DMV cited the following: 

The Commercial Requester Information Handbook, Chapter Two, Part III, On-line (Direct) Access -- Indirect Requester, Item 3 states:
"Requester shall require every employee and/or the system administrator, having direct or incidental access to DMV records, to sign a copy of the Information Security Statement, (INF 1128), upon initial authorization for access and annually thereafter."

"Requester shall maintain signed Information Security Statement, (INF 1128), forms at the requester's worksite for at least two (2) years following the deactivation or termination of the authorization and shall be available to the DMV upon demand."   

In each instance, the agency has taken corrective action, and DMV has indicated no disciplinary action will be taken against the agency.

“We’re very relieved to be through with this audit, and we’re grateful that we were able to easily correct the areas where we had been out of compliance,” a principal in the agency said.  “We honestly were not even aware before this audit of the full extent of the requirements DMV imposes, and I suspect the same is true of almost every other agency and insurer.”
