“We have a real problem,” said Legislative Auditor Jim Nobles in releasing much-anticipated report.
Eighty-eight law enforcement personnel misused their access to driver’s license records in the last fiscal year, state auditors said Wednesday in a wide-ranging report pushing for better oversight of the database.
The review by the state’s legislative auditor — highly anticipated by legislators and privacy advocates — said officers need better training in allowed uses of the protected data, and local and state agencies should do more to monitor use. Beyond 88 incidents of misuse documented in state records last year, auditors found even more suspicious activity buried in audit trails.
More than half of the 11,000 law enforcement users of the Driver and Vehicle Services (DVS) website in that time frame queried themselves or people with the same last name, for example, or disproportionately searched for people of one sex. Auditors forwarded 78 names to DVS for further review.
“We have a real problem. And we have to face it. And we have to address it,” Legislative Auditor Jim Nobles said. “Because this is really eroding people’s confidence [in the] willingness and ability of state government and local government to protect private data.”
The report follows a number of high-profile breaches of the state’s DVS database, which contains photographs, addresses and driving records on Minnesotans with a license. That data is protected by state and federal law against unauthorized use.
“I commit to strengthening our efforts in increased oversight and user training,” said public safety commissioner Mona Dohman. “It is important I think, however, for us to recognize that no amount of oversight or training ... is a substitute for an individual honoring his or her professional and ethical obligation as an officer of the law.”
Wednesday’s findings are likely to shape legislation already winding through the Legislature that would increase transparency and penalties surrounding data breaches. Many of the recommendations from the auditor do not rely on state law changes, however.
The legislation came on the heels of news that a former employee at the Department of Natural Resources had viewed thousands of drivers license records — almost exclusively of women — without a permissible use. That employee, John Hunt, is now facing criminal charges, and his actions have spurred five federal lawsuits against the state.
Nobles noted that DVS misuse comes at a price for taxpayers. Local governments have paid out more than $1 million in settlements to former police officer Anne Marie Rasmusson after she alleged in a lawsuit that her data was repeatedly breached.
Auditors said access need not be malicious to constitute misuse. The incidents they documented included one employee searching for a friend’s address, others looking up co-workers and relatives, and several who continued to use their access after they no longer worked there. Attention to one record can also indicate misuse, such as 158 queries auditors discovered on a murder victim by 110 users over the span of a month.
In their findings, auditors said sworn officers are not required to complete training in appropriate use of the DVS website. They recommended that the Department of Public Safety (DPS), which oversees the database, find ways to make permissible use information more widely available, and advised local agencies to require their employees complete DVS training.
The report also recommended that because audits by the DPS largely detect heavy users, rather than suspicious use, local agencies should conduct more proactive monitoring. They suggested the department beef up its abilities to assist local agencies.
The department’s existing audits were not sufficient to catch Hunt, who made about 19,000 queries over nearly five years. Dohman said in an interview that the queries were so spread out that he did not emerge in their monthly review of the top 50 users. Nobles revealed during Wednesday’s presentation that a note left on a colleague’s vehicle actually prompted the investigation that uncovered Hunt’s DVS queries.
Hunt was fired, but auditors found that punishments for misuse varied widely because they are left to the local jurisdictions.
The legislation to address data misuse will get an initial hearing next Wednesday, according to its Senate author, Scott Dibble, DFL-Minneapolis. The bill would increase penalties and also require local agencies to post a full report of their investigation online whenever they discover a data misuse.
House author Rep. Mary Liz Holberg, R-Lakeville, said she has already met resistance from some law enforcement entities.
“If you have bad actors in your bunch, then why shouldn’t the public know about it?” Holberg said. “It seems like nobody wants any sunshine around this issue. And I think it would do a lot to rebuild the public trust if there was more public awareness of misuse and consequences.”
Holberg said the Hunt breach, which included lookups on legislators and other high-profile women, could help bring about “some culture change.”
Auditors did find that publicity around DVS misuse appeared to have an impact on how people use the system. Queries of the DVS website dropped dramatically in August 2011 when local agencies were warned about misuse of the information. The warning was likely related to Rasmusson’s allegations.
“The steep drop in use was likely a reaction to alleged misuse of the Web site that came to light around that time,” auditors concluded. “That drop may reflect users correcting their misuse, growing reluctance to use the DVS Web site even for allowed purposes, or both.”