State Rep. Robert F. “Rob” Matzie
It’s a yearly occurrence for drivers in Pennsylvania. You fill out your vehicle registration card, include payment, and wait to receive your sticker. Or maybe you need to renew a license or transfer a vehicle title. These are straightforward PennDOT transactions that number in the millions annually, but each requires varying levels of personal information.
Now what if I told you that some or all of that personal information that you provide to PennDOT is sold to third parties, who then can turn around and resell that information at a profit? And you’re powerless to stop it?
What would your reaction be? Concern? Outrage? Disbelief? All of the above? If one or all applies to you, then we’re of the same mindset. But it’s true and, sadly, it’s legal.
PennDOT sells personal data such as information on drivers, registrations, and titles to other individuals and businesses. Those third parties have the authority to resell that information for an unspecified fee and without the payment of any additional fee to PennDOT. Recently, in a published internal Office of the Budget audit, it was revealed that one of the vendors being sold information has been ignoring the security procedures laid out by the state, putting your personal information in jeopardy.
Specifically, the vendor in question was “unable to provide assurance that their customers and data centers have implemented controls adequate to ensure that personal driver record information is safeguarded.” Under the current law, I believe it’s only a matter of time before a major data breach occurs.
In 2013, I raised concerns over this very issue, but the selling of data to third parties continues. This problem needs fixed, and it needs fixed now. I’ve recently re-introduced legislation, House Bill 2039, which would prohibit third parties from being able to sell personal driver and vehicle information for profit. This practice simply needs to stop. Selling data when consumers are paying for services from the government is simply bad policy.
In fairness, there are appropriate situations where PennDOT should provide information, and in fact is required by federal law to do so: for example, at the request of an insurance provider. My legislation allows for this necessary sharing of information. But, in my judgment, it is unacceptable for PennDOT to become a clearinghouse of personal data for anyone willing to pay the right price.