Inquirer editorial: PennDot puts drivers at risk of identity theft

With identity theft ranking among the most common consumer frauds today, one might think Pennsylvania is working hard to protect residents from that crime. Instead, one state agency may be enabling thieves by selling driver's license information to vendors who aren't being responsibly monitored.

That fact came out in a recent state Budget Office audit of how the Pennsylvania Department of Transportation handles driver's license information, which showed that a vendor that had purchased records containing drivers' personal information could not prove how well it was safeguarding the data.

Sterling Infosystems sold the information that it bought from the state - including drivers' names, addresses, license numbers, dates of birth, and traffic citation histories - to insurance companies, car dealers, lending agencies, and other entities. Armed with that treasure trove of data, identity thieves could easily skip joyfully to their laptops to make purchases in someone else's name.

The audit said Sterling Infosystems was unable to provide a complete and accurate listing of its customers, which "increases the risk that the responsible party would not be identified if there was a security breach." Details outlining required safeguards by Sterling Infosystems were missing for each year from 2011 to 2014, which suggested that PennDot was lax in insisting on verifiable security measures.

That's unconscionable. It's bad enough that the state can sell personal information. At the very least, it has an obligation to licensed drivers to ensure basic security protocols are followed to prevent identity theft.

State officials say they don't believe any identity thefts have occurred. If so, that's likely because Pennsylvania has been lucky. But it's also possible that undetected thefts have occurred. The federal Bureau of Justice Statistics says 68 percent of identity theft victims have no idea how their critical personal information got into the hands of criminals. The typical identity theft victim doesn't find out he is a victim until a financial institution asks why he hasn't been making payments on a loan, mortgage, or credit card taken out in his name.

Every year, 7 percent of U.S. residents over age 16 report identity theft, according to U.S. Justice Department statistics. But the actual number of victims could be many times that because less than 10 percent of victims ever report the crime to law enforcement.

PennDot made about $41 million last year selling driver's license information, which it used to pay for various transportation needs. Rep. Robert Matzie (D., Beaver) has authored legislation to stop sales of the data to wholesalers and instead allow it to be sold directly to approved vendors that have had background checks. That sounds better, but any added security measure will only be as strong as the state's monitoring.

Meanwhile, Gov. Wolf's administration says it wants to hire more auditors to help protect drivers' identities. Taking stronger steps to safeguard information collected by PennDot makes sense. But in doing that, state officials should consider whether it makes sense to continue selling personal information at all when it could fall into the wrong hands so easily.