INDIANAPOLIS (WTTV) – Records show Indiana’s Bureau of Motor Vehicles is allegedly selling people’s personal information and has been for years.
Our sister station, WTTV, dug through public records and found the agency has made $43 million off of the practice since 2018. It has sold “enhanced access” to more than 1,400 businesses including tow companies, automotive dealers, police agencies, lawyers, private investigators, and security firms.
“You have got to be kidding,” Phyllis Torain responded, as soon as she heard. “I don’t like it. I don’t like it a bit.”
WTTV spoke with several people outside of the BMV. None of them were aware their information was being accessed by third-party companies.
“That’s a problem,” one man said. “I want my information private. If I want to give it out, it’s my responsibility to do that. Nobody else.”
WTTV asked the BMV for an on-camera interview but a spokesperson declined. Instead, she emailed the following:
“The Indiana BMV is permitted under Indiana law to authorize the permissible use of personal information by verified entities who qualify under Indiana statutory standards. (see Ind. Code 9-14-12 and 9-14-13). Any information available is based upon the requestor and the intended use of the data.
Specific qualified entities can be found in IC 9-14-13.7. Entities such as government agencies, courts and law enforcement, and researchers may qualify. Examples of business or service entities with a qualifying direct need in the consumers‘ interest would be those that provide notice for towed or impounded vehicles, recall notices, or toll transportation facilities. Depending on which qualifying exception they fall into, requestors are eligible to receive different data specific to their need.
Fees charged can vary, for example, certified records fees (as found on SF 53789) are set by statute, APRA requests typically have no fee, and others are contractual. The three examples mentioned above also represent the most common ways the BMV receive requests.
Providing data to eligible entities in this manner is a matter of statute and the revenue generated goes to various accounts within the BMV, most significantly the Tech Fund, as noted in our previous exchange. The funds support maintenance and ongoing upgrades to infrastructure, databases, and security.”
Indiana is reportedly one of 35 states that allow its motor vehicle departments to sell personal data. This also includes Ohio. While a federal law – the Driver’s Privacy Protection Law – was passed in the 1990s restricting how much information state agencies could disclose, the law has certain exceptions. It allows Indiana’s BMV to offer “enhanced access” to attorneys, auto dealers, bail bondsmen, debt collection companies, insurance agents, insurance companies, mobile home parks, private investigators, recovery agents, school corporations, security guards, sheriff and police departments and tow companies.
The same spokesperson said the BMV audits businesses with enhanced access every three years. In 2021, the agency revoked six accounts. Most were due to the company not responding to an audit request.
“It’s kind of a swiss cheese law,” Scott Shackelford, a professor at the IU Kelley School of Business and Chair of Cybersecurity Risk Management Program, said. “My guess is that most people don’t realize.”
From what WTTV has gathered, an approved company pays a fee and is given enhanced access to BMV records. A tow company, for example, can submit a person’s first and last name and driver’s license number and get back the individual’s license type and status, current points, license expiration date and more. They can also access title and registration information.
A debt collection agency could submit someone’s first and last name, date of birth and social security number and they would receive an official driver’s record, title and registration details.
WTTV reached out to dozens of companies that accessed personal information. No one was willing to go on camera to explain why they wanted enhanced access and how they used the data.
Cybersecurity expert Scott Shackelford is critical of the practice.
“It’s not like there is another alternative for folks to use instead or some more secure system,” he said. “When you go to the BMV, there is not a lot of opportunity to really be able to decide how much information we’re comfortable sharing.”
Shackelford questions how secure the system is once a person’s information is sold and what rights an individual would have if it ended up in the wrong hands.
“Based on how broadly this information is being, basically – let’s face it – commoditized, and sold, potentially to the highest bidder, there is no control the BMV has after that initial transaction,” he pointed out. “That information can be repackaged yet again and sold to another party for all different purposes.”
He and several Hoosiers feel legislators should do more to protect people’s data.
“There is a lot more, frankly, that states can be doing,” Shackelford said. “If the state of Indiana would like to, the state legislator could act on this and prohibit the sale of third party of information to third parties from the BMV. It hasn’t happened yet.”
Our investigative team reached out to three senators for comment, but no one was willing to speak publicly about the matter. Senator Todd Young, who has been vocal about cybersecurity and data protection in the past, declined. A spokesperson for Senator Michael Crider, the chair of Homeland Security and Transportation, said he has “no comment on the subject at this time.” Finally, the press secretary for Senator Chip Perfect, the chair of the Commerce and Technology Committee, said he was not available for an interview.