Agents are “investigating possible improper use of personal identifying information” of the state’s licensed drivers put online by a Department of Highway Safety and Motor Vehicles (DHSMV) vendor, a Florida Department of Law Enforcement spokeswoman confirmed to Florida Politics on Friday.
Roughly 17 million people hold a Florida driver’s license.
Spokeswoman Gretl Plessinger said FDLE agents in Tallahassee — including the agency’s Cyber Crime Squad — were working the case, which she said falls under the “active” criminal investigation exemption to the state’s public record law. Plessinger declined further comment, including how many Floridians’ personal data was misused, if any.
“Criminal investigative information shall be considered ‘active’ as long as it is related to an ongoing investigation which is continuing with a reasonable, good faith anticipation of securing an arrest or prosecution in the foreseeable future,” state law says.
The same vendor now at issue, Unisoft Communications of Miami, had previously been flagged in 2016 — about a year before the DHSMV agreed to a new contract — for posting the personal information from two individuals’ driving records, records show.
Friday’s news highlights the growing concern over the security of personal information. On the retail side alone, Business Insider reported in April that “at least 14 separate security breaches occurred (since) January 2017 … many of them caused by flaws in payment systems, either online or in stores.”
In a media availability for his U.S. Senate campaign in Jacksonville Friday, Gov. Rick Scott said the state “has to do everything we possibly can to make sure your personal information is always secure.” Scott oversees the DHSMV.
“That is my expectation of all state agencies,” added Scott, a Naples Republican. “I will do everything I can to make sure people’s information is secure.”
Later in the day, CFO Jimmy Patronis‘ spokeswoman issued a related statement, claiming he was a victim of driving info “identity theft” because of the Unisoft breach.
Florida Politics reported last month that, unknown to him at the time, Patronis had his driver’s license suspended for nearly a year because of an apparent glitch in how the DHSMV tracks and responds to changes in drivers’ insurance coverage.
“We are pleased to hear that the recent identity theft that targeted driving records of CFO Patronis is being criminally investigated,” spokeswoman Anna Alexopoulos Farrar said.
“Our department is working with all those who are investigating this matter to provide any information they may need. The CFO has already taken extra measures to secure his personal information from future criminal attempts to misuse it.”
In the context of state driver’s licenses, federal law defines “personal information” as “an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit ZIP code), telephone number, and medical or disability information.”
It “does not include information on vehicular accidents, driving violations, and driver’s status.”
Rep. Jamie Grant, a Tampa-area Republican and tech entrepreneur, tweeted Friday: “Having had my identity stolen and my identity posted online, this is no joke.
“If a company was selling or providing personally identifiable data, … we need answers. And now.”
Having had my identity stolen and having had my identity posted on line, this is no joke. If a company was selling or providing personally identifiable data with the only validation factor being “what’s the driver’s license number?”, we need answers. And now. https://t.co/7gVDQzIcJy
— James Grant (@JamesGrantFL) June 15, 2018
DHSMV records, provided through a public records request, show that what should have been otherwise private information was made available online by Unisoft, the company that had contracted with the department, which has since pulled the plug on the deal.
A call to Unisoft President Hugo Montiel Jr. has not yet been returned.
In a statement, DHSMV spokeswoman Beth Frady added that “customer safety and security is the department’s top priority.”
“At this time, the department has not granted Unisoft Communications, Inc.’s request for a corrective action plan and we are currently coordinating with (FDLE) as part of an ongoing criminal investigation,” she said. “As such, Unisoft Communications Inc.’s MOU (memorandum of agreement) for data exchange remains terminated at this time.”
Frady also downplayed concerns of a “widespread data breach,” saying the latest investigation was triggered by “a record (that) had potentially been improperly obtained.” She did not confirm that that record was Patronis’ information.
Unisoft and DHSMV inked a three-year deal last July to get “electronic access” to driver’s license and motor vehicle information, with the agreement it wouldn’t share any “unauthorized” information from the department’s database. It’s not clear for how long after that the restricted information has been available from Unisoft.
The main goal was to offer information to insurance concerns “for the purpose of underwriting and rating,” according to a May 25 letter to DHSMV from Montiel after the breach was discovered.
The day before, Stephanie Duhart — DHSMV’s chief of motorist records — had told Montiel the department was “terminating” the contract because information “contain(ing) personal identifying information protected under” the federal Driver Privacy Protection Act was found on a Unisoft website.
That info could be bought through the website by “only providing” someone’s driver’s license number, the letter said. But that would mean “someone other than themselves could easily obtain protected information,” Duhart wrote.
Duhart concluded Unisoft “does not have appropriate safeguards in place to protect and maintain the confidentiality and security of the data….”
In response, Montiel wrote back to Duhart to admit “an honest oversight on our part and we acknowledge our error.” He said he had deactivated its website, mydrivingreport.com. (Efforts to access the site received a “404 error” message on Friday.)
He also proposed several corrective measures, such as establishing an “internal control process,” all of which the department has so far turned down.
“We have been authorized … in the state for over 20 years and have had an excellent record of safeguarding sensitive data,” Montiel wrote.
But in May 2016, another DHSMV official had alerted Montiel of “personal information being displayed on the internet,” according to records released by the department. He confirmed in a letter dated the next month that “2 records were compromised” and disabled that information from appearing online.
Montiel also said his company told the affected drivers of the data breach affecting them and “secured all folders” containing drivers’ personal information to prevent it from happening again.
In another statement from DHSMV, the agency said that “customers with concerns regarding the dissemination of their information in accordance with state and federal law … may complete a complaint form and federal law allows for any injured party to sue for damages in federal court.”
The department “works with its national and state partners, including the American Association of Motor Vehicle Administrators (AAMVA) to communicate learned best practices. When appropriate, the department will report suspected misuse to other states or the Department of Justice.”
__
Jacksonville correspondent A.G. Gancarski contributed to this post.