The Texas Department of Motor Vehicles is catching heat after a state audit blasted the agency for weak safeguards around drivers’ personal information. State auditors found gaps in contracts and data-management practices that could let sensitive records travel far beyond their intended recipients. The DMV says it has launched a broad clean-up effort, but the auditor is pressing for sweeping fixes to how the agency writes contracts and governs data access.
As reported by KXAN, the audit found 22 of the DMV’s contracts did not include provisions that would prevent or punish the redisclosure of records, and 18 bulk-data contracts had similar gaps. Auditors also concluded the agency had not reestablished a data-governance steering committee or completed a biennial data-maturity assessment, both required under rules that took effect in June 2021. Those findings led the auditor to mark the DMV’s contracting practices as a priority concern.
What the auditor documented
According to a report by the Texas State Auditor’s Office, the problems went beyond sloppy legal language. Auditors said the DMV needed clearer processes for deciding who gets access to driver data and stronger oversight of how that access is used. The report recommended updating internal documentation, reestablishing a data-governance committee and tightening contract terms so that redisclosure is clearly barred and subject to penalties. Without those changes, auditors warned, drivers’ identifying information could be shared improperly under overly permissive agreements.
DMV response and immediate fixes
In a statement, the Texas Department of Motor Vehicles said it has finished a comprehensive review and conversion of all 2,002 permitted data-disclosure contracts and user access agreements and has begun re-vetting users. The agency said contracted entities were told to reapply for access and submit updated applications, photo identification, business verification and documentation of how they intend to use the data. The DMV added that it sent letters on April 17 giving any remaining entities 30 days to meet bond and insurance requirements or face termination of their agreements. The department described these steps as part of a larger push to tighten oversight and better safeguard Texans’ information.
Small vendors squeezed by the bond rule
The DMV acknowledged that small businesses told the agency a required $1.0 million performance bond is a serious and ongoing barrier to access, a complaint auditors and officials said could shrink the pool of vendors that can work with driver data. That bond requirement, along with related insurance rules, is among the immediate compliance items the department is enforcing as it rewrites contracts. Advocates say the mix of steep bond levels and weaker contractual language has put both privacy protections and vendor competition in a tough spot.
What it means for drivers
Auditors warned that contracts without firm redisclosure clauses, combined with the absence of active data governance, increase the odds that drivers' names, addresses and other identifiers could be shared improperly under otherwise permitted disclosures. The Texas State Auditor’s Office said tightening contract language, enforcing penalties and reestablishing governance would reduce that risk and strengthen accountability. Lawmakers, privacy advocates and vendors are expected to keep a close eye on how the DMV follows through.
From here, the DMV will have to prove that its fixes work in practice. Contracts must include enforceable redisclosure penalties, vendors must be fully re-vetted and the agency must show better documentation and regular assessments. With contracting practices labeled a priority issue by the auditor, state oversight is likely to continue until the recommendations are in place. For now, the department says that work is underway and that it expects to keep tightening controls on driver data.
