Commercial Requester Information Handbook (2)


Customer Information Security Requirements
(Updated February 2012)


Part I — General Provisions

By signing the Commercial Requester Account Application (INF 1106) and/or Commercial Requester Account Service Provider Application (INF 1106V), Requester agrees to comply with these Security Requirements and any additional requirements deemed necessary by the Department of Motor Vehicles (DMV).

DMV reserves the right to amend or enhance its requirements and continuance of a Commercial Requester Account is contingent upon Requester’s compliance with the updated criteria.

A PowerPoint presentation “Confidentiality of DMV Information” is available upon request. If additional information is required or you would like a copy of the presentation, please contact the DMV’s Electronic Access Administration Unit at (916) 657-5582.

California Vehicle Code (CVC), Division 1, Article 3, Sections 1800-1825, “Records of the Department” is available at WWW.LEGINFO.CA.GOV/CALAW.HTML.

CVC §1808.45. The willful, unauthorized disclosure of information from any department record to any person, or the use of any false representation to obtain information from a department record or any use of information obtained from any department record for a purpose person or organization for purposes not disclosed in the request is a misdemeanor, punishable by a fine not exceeding five thousand dollars ($5,000) or by imprisonment in the county jail not exceeding one year, or both fine and imprisonment.

CVC §1808.46. No person or agent shall directly or indirectly obtain information from the department files using false representations or distribute restricted or confidential information to any person or use the information for a reason not authorized or specified in a requester code application. Any person who violates this section, in addition to any other penalty provided in this code, is liable to the department for civil penalties up to one hundred thousand dollars ($100,000) and shall have its requester code privileges suspended for a period of up to five (5) years, or revoked. The regulatory agencies having jurisdiction over any licensed person receiving information pursuant to this chapter shall implement procedures to review the procedures of any license which receives information to ensure compliance with the limitations on the use of information as part of the agency’s regular oversight of the licensees. The agency shall report noncompliance to the department.

CVC §1808.47. Any person who has access to confidential or restricted information from the department shall establish procedures to protect the confidentiality of those records. If any confidential or restricted information is released to any agent of a person authorized to obtain information, the person shall require the agent to take all steps necessary to ensure confidentiality and prevent the release of any information to a third party. No agent shall obtain or use any confidential or restricted records for any purpose other than the reason the information was requested.

California Code of Regulations (CCR), Title 13, Division 1, Chapter 1, Article 5, "Requesting Information From the Department" is available at: WWW.CALREGS.COM.

California Civil Code (CCC), Section 1798.80-1798.84, inclusive.

United States Code (USC), Title 18, Part I, Chapter 123, Driver’s Privacy Protection Act of 1994, Section 2724. (a) Cause of Action. – A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court. (b) Remedies – The court may award – (1) actual damages, but not less than liquidated damages in the amount of $2,500; (2) punitive damages upon proof of willful or reckless disregard of the law; (3) reasonable attorney’s fees and other litigation costs reasonably incurred; and (4) such other preliminary and equitable relief as the court determines to be appropriate.

Part II — Security Requirements

  1. A “Requester” is any person issued a requester code. Part II is applicable to all Requesters.
  2. Requester shall maintain the security and integrity of any information it receives and shall maintain records and documents to justify and support proper use of requested information. All Requesters are required to establish and maintain daily logs and source documents that track the receipt, use and dissemination of DMV information.
  3. Requester shall notify DMV’s Information Services Branch, Policy and Information Privacy Section, by telephone, at (916) 657-5583 within one (1) business day if fraud or abuse is suspected or confirmed, or the security of the requester code is compromised.
  4. A written notification containing all facts shall be prepared by the Requester within three (3) business days and mailed to the Policy and Information Privacy Section. (See Part IV)
  5. Requester shall require every employee and/or the system administrator, having direct or incidental access to DMV records, to sign a copy of the Information Security Statement, (INF 1128), upon initial authorization for access and annually thereafter.
  6. Requester shall maintain signed Information Security Statement, (INF 1128), forms at the Requester’s worksite for at least two (2) years following the deactivation or termination of the authorization and shall be available to the DMV upon demand.
  7. Requester shall restrict the use and knowledge of requester codes and operational manuals to persons who have signed an Information Security Statement, (INF 1128).
  8. Requester shall maintain and make available to DMV upon demand, a current list of names of persons authorized to access DMV records, terminal identifiers (i.e., termid/ netname), and the number of users for each terminal, if applicable.
  9. Requester shall ensure that video terminals, printers, hard copy printouts, or any other form of duplication of DMV information that is located in public access areas shall be placed so that the public or other unauthorized persons cannot view the information.
  10. Access terminals displaying DMV data shall display a "sign-on banner" containing some variation of the admonishment:
    "WARNING: Unauthorized access or misuse of data may result in adverse action/or criminal prosecution".
  11. Requester shall ensure that DMV information is not electronically transmitted to anyone unless the file is protected from disclosure during transport. Encryption for this purpose shall use algorithms in compliance with standards published by the National Institute of Standards and Technology (NIST), American National Standards Institute (ANSI) and Internet Engineering Task Force (IETF).
  12. Requester shall ensure that all information received from DMV files is destroyed once its legitimate use has ended. The method of destruction shall be in a manner that it cannot be reproduced or identified in any physical or electronic form.
  13. Requester shall not disclose its DMV assigned requester code, orally, in writing or electronically, to anyone that is not in the direct employment of Requester or has not signed the Information Security Statement, (INF 1128) other than a DMV approved Service Provider.
  14. Requesters are required to implement and maintain adequate physical security for DMV information received (in any format), equipment, and systems that access DMV information.
  15. Requester shall prevent unauthorized access administratively and/or electronically, including developing policies, procedures, and training of users on all information security including compliance with California Civil Code §1798.82.
  16. Requester shall ensure that systems and DMV data transmitted or stored off-site, regardless of format, must be physically protected from unauthorized access or use during transit and in storage. Physical access to network components, servers and data storage devices must be restricted to authorized and identified staff.

Part III — Additional Security Requirements for:

A. Confidential Residence Address Access

  1. Any Requester who is authorized to access and use confidential residence address information shall protect the confidentiality of any residence address received from DMV records pursuant to CVC §1808.47 and shall comply with additional security requirements contained in this section.
  2. Prior to being approved to access and use confidential residence address information, a Requester shall provide the state or federal statute that authorizes or requires DMV to release confidential residence address information and the use of any confidential information obtained shall be limited as provided in the identified statute.
  3. Requester shall not use confidential residence address information obtained for any direct marketing purpose.
  4. Requester shall maintain a log of each request for two (2) years from the date of the request. The log shall be immediately available to DMV upon demand. The log format shall provide the following in the order presented:

    a. Requester code used to make the request.
    b. Date of request.
    c. Type of information requested.
    d. Points of identification used for the request (e.g., license # and DOB).
    e. Business reason for the request.

  5. NOTE: An Information Requester Log (INF 2115) is available for your use on DMV's website at www.dmv.ca.gov.

  6. Requester shall not obtain or use any confidential or restricted information for any purpose other than the purpose approved by the DMV.

B. Service Providers

  1. A “Service Provider” is any Requester who is performing a service to another pre-approved Requester as identified in 2 or 3 below:
  2. Service Providers who are performing a contracted service (Agent) on behalf of another pre-approved Requester shall maintain a log of each request for information for a period of two (2) years from the date of the request. The log shall be immediately available to DMV upon demand. The log format shall provide the following in the order presented:
    a. Date of request.
    b. Type of information requested.
    c. Whether residence address information was provided.
    d. Identity of whom the information was provided.
  3. Service Providers who are providing a Pass Through/Reformat Service (Vendor/Reseller) for DMV pre-approved Requesters shall maintain a log of the request for a period of five (5) years from the date of the request. The log shall be immediately available to DMV upon demand. The log format shall provide the following in the order presented:
    a. Date of request.
    b. Type of information requested.
    c. Whether residence address information was provided (including “intermediate vendors”).
    d. Proposed use of information as approved by DMV.
  4. Service Provider shall provide DMV information only to other pre-approved Requesters and shall include its assigned requester code as part of each inquiry submitted, in a format specified by DMV, in addition to the assigned requester code of the pre-approved requester.
  5. Service Provider (Agent) may retain information only as required to fulfill its contractual agreement with the pre-approved requester as indicated on Agent Authorization Form(s), INF 03 or Parking/Toll Road Violation Agency Notification on file with the Department.
  6. Service Provider shall make available to the DMV upon demand a copy of the contract between the Service Provider and the pre-approved requester.
  7. Service Provider (Agent) shall notify DMV of any changes, additions and/or deletions regarding your Agent Authorization.
  8. Service Providers (Agents) who are authorized to update DMV information shall comply with the following Update Security Requirements, which may include, but are not limited to:
    a. Non-repudiation program application for the electronic update to DMV’s database(s).
    b. On-Line Security Administration and electronic validation programs.
    c. Restrict transaction types as necessary to ensure the user is authorized for updates.
    d. Encryption, a Virtual Private Network, and use of Special Carriers transporting hardcopy or cartridge/reel computer tapes.
    e. Use is restricted to an assigned device identifier that is electronically verified and validated against DMV’s security table. Special Permit Holder acting as an Agent for approved government Requesters who are processing update transactions to DMV’s driver license and vehicle/vessel registration database(s) is restricted to an assigned device identifier that is electronically verified and validated against DMV’s security table.

C. On-line (Direct) Access — Direct Requester

  1. A “Special Permit” is a signed agreement between DMV and a Requester authorizing online (direct) access to the DMV’s electronic database. In addition to any other applicable section, a Special Permit Holder shall comply with all additional on-line security requirements contained herein.
  2. Special Permit Holder shall maintain the security and integrity of DMV information and the on-line information service system.
  3. Special Permit Holder’s computer system shall be capable of identifying all terminals and controlling access to Special Permit Holder’s computer system at all times.
  4. Each terminal accessing Special Permit Holder’s computer system shall be a termination point in the communications network as approved by the DMV.
  5. No terminal or system shall act as an intermediate communications node for other remote systems.
  6. Special Permit Holder shall submit, for DMV approval, the current Special Permit Holder’s and all terminals (if applicable) Network Topology containing functional system descriptions, and a security narrative that describes how each security requirement is to be met by the Special Permit Holder. If employing more than one type of system, documentation shall be supplied for each type. A Network Topology and the security narrative shall be supplied:
    a. Upon Special Permit Holder’s initial on-line information service request.
    b. A minimum of thirty (30) days, in advance, for DMV’s review of any changes being made in hardware or software systems that affect Special Permit Holder/End User communication access to DMV’s database(s).
    c. Upon request by DMV. Special Permit Holder may be required to submit accreditation documentation for DMV’s approval of an original/renewal application. DMV will consider the information required by this paragraph to be proprietary and confidential.
  7. Special Permit Holder shall automatically terminate a session logon once it commences and nothing is entered into the computer system or no data record is received in any continuous ten (10) minute time period. Upon automatic termination, any data on the screen will be removed and not restored without initiation of a new session logon. This termination shall be obvious to the user.
  8. Special Permit Holder shall maintain an electronic file of the User ID, requester code, date and time of every occurrence where Special Permit Holder has automatically terminated an access due to non-use within a ten minute time period. These records shall be kept for two (2) years from the date of the access termination and shall be available to DMV upon request.
  9. Special Permit Holder shall secure, control, and monitor all devices and software that contain or produce unique identification codes used by Special Permit Holder or DMV for verification of authorized access.
  10. Special Permit Holder shall secure, control, and monitor all systems, equipment, circuits, business related communication software and application software on storage media, etc., that may allow unlawful and/or unauthorized access to DMV information.
  11. Special Permit Holder shall terminate access to Requester and shall notify DMV’s Electronic Access Administration Unit (see Part IV) within one (1) working day when Requester refuses compliance with, or violates any security requirement.
  12. Special Permit Holder shall electronically log each transaction transmitted to Requester. Information electronically logged shall include:
    a. Transaction code.
    b. Information code.
    c. Requester’s requester code.
    d. Record identifiers (e.g., driver license number, vehicle license number, vehicle identification number).
    e. Individual User ID.
    f. The date and time of the transaction.
    g. Date record received from DMV.
    h. Requester’s terminal location.
    i. Residence address information code (to be established to indicate whether or not address was received).

    This log requirement is in addition to Part III, B.2. and B.3. but may be combined if retention is consistent. Log records shall be kept for two (2) years from the date of the transaction. Special Permit Holder shall be capable of selectively listing inquiry transactions based on specific criteria, defined by DMV, including, but not limited to, Requester’s requester code and User ID. A printed report or electronic file shall be submitted to DMV upon request. Special Permit Holder is solely responsible for the accuracy of information so stored and for meeting all audit trail requirements.
  13. Access to any logged data, required under this addendum, shall be restricted to Special Permit Holder’s Security Administrator and DMV approved audit personnel. Access to the logged data by any other user or application must be prevented by an active access control system performing the functionality defined in Part II Section D. Any deviations must have advance written approval by DMV.
  14. Special Permit Holder shall not change approved system configuration, and shall not allow End Users to make changes or modifications which would alter the approved system configuration, without prior written approval from DMV.
  15. Special Permit Holder shall not have a compiler or an assembler connected to the production computer accessing DMV information.
  16. Special Permit Holder shall maintain a current list of Special Permit Holder employees’ authorized direct or incidental record access. The list shall be available to DMV upon request.
  17. DMV’s production records shall not be accessed for testing. DMV maintains test database(s) that can be utilized by Special Permit Holder. Additional test records will be created for Special Permit Holder upon written request. Requests to use the test database(s) must be approved in advance by contacting the DMV’s Electronic Access Administration Unit (see Part IV).
  18. Special Permit Holder shall install and maintain cost for establishing on-line access between DMV and the Special Permit Holder and costs for any other equipment or software needed for installation and maintenance, shall be the sole responsibility of the Special Permit Holder. Upon thirty (30) days notice, the Special Permit Holder agrees that DMV may move the Special Permit Holder’s connection located at DMV as required. Costs for any DMV required movement will be borne by DMV.
  19. If service to the Special Permit Holder is terminated, any modem or other equipment furnished by the Special Permit Holder to DMV shall be returned to the Special Permit Holder at the Special Permit Holder’s expense.
  20. The Special Permit Holder shall obtain DMV information on-line according to the type of connection approved by DMV. Data flow between the Special Permit Holder and Requester must comply with DMV’s established technical and security requirements to prevent unauthorized access to DMV information. Approved connectivity will be documented and will specify the type of connectivity approved and the security requirements associated with that connectivity.
  21. The Special Permit Holder shall use electronic time-of-day and day-of-week blocks to restrict system access by the Requester to the Requester’s days and hours of inquiry as approved by DMV.
  22. The Special Permit Holder shall include its assigned requester code as part of each inquiry submitted, in a format specified by DMV and shall use the appropriate requester code(s) as required by the DMV transaction being processed.
  23. On-line information service may be affected by ongoing maintenance requirements that result in unannounced shutdowns of the communication network and database files. These may be planned or unplanned depending upon the problem and type of maintenance required.
  24. A Special Permit Holder provides on-line access or access and update to DMV files for an authorized Requester. Special Permit Holder may act as a Service Provider to themselves and function as a Requester for the purposes of this section, with prior written approval of DMV, provided that:
    a. An organizational chart is submitted that identifies a clear separation of the Service Provider and the Requester functions.
    b. Service Provider and the Requester utilize separate requester codes on all transactions.
    c. All Service Provider and Requester requirements specified apply to the respective functions.
    d. Security administration configurations and system design for combined Service Provider/Requester systems are approved by DMV.
    e. Establish independent system hardware for the Service Provider and Requester functions.
    f. Company owners, partners, or corporate principal officers shall not serve as Access Control or Review Administrator.
    g. Access Control Administrator duties and Review Administrator duties are performed by a different individual.
  25. The Special Permit Holder may be required to have Access Control and Review Administrators individually bonded.

D. On-line Security Administrator

1. Security Administration

Security administration is the responsibility of the Special Permit Holder or Internet Host. This function includes both Access Control Administrator and Review Security Administrator. The Special Permit Holder or Internet Host shall ensure that all requirements of security administration are met. The Special Permit Holder or Internet Host will provide the name and title of the individual responsible for the Access Control Administrator and Review Security Administrator’s functions on the Commercial Requester Account Service Provider Application.

2. Security Administrator

The Security Administrator functions may not be delegated to the Requester without prior written approval from DMV. If these functions are delegated to Requester, the following required steps must be completed.

a. A Special Permit Holder shall submit a written request for approval to DMV’s Electronic Access Administration Unit (see Part IV) prior to delegating Access Control Administration to a pre-approved requester. The written request shall include:

i. A statement that the Requester will be responsible for the Access Control Administration functions instead of the named Reseller.
ii. A description of the applicable business purpose for the request.
iii. The name and title of the individual designated as the Access Control Administrator.
iv. The name and title of the individual designated as the Review Security Administrator.
v. Signature of Requester authorized to sign for the Commercial Requester Account.
vi. An approval line for the signature of the Reseller and the signature of the Information Services Branch Chief for concurrence and approval.
vii. A Network Topology, security narrative that complies with all of the security, technical, and programming requirements.
viii. An On-line Special Permit Personal History Questionnaire completed by the Requester who signed the written request, the Access Control and Review Security Administrators.

3. Access Control Administrator

a. Verification of a unique individual identity and access authority shall be performed prior to forwarding any inquiry transaction to DMV. The Access Control Administrator shall administer this function, hereinafter referred to as “session logon”. Individuals working with DMV information shall be subjected to the following basic three-step process known as “access control”:

Step 1. Identification: Each individual must have a unique User ID authorized by the Access Control Administrator.
Step 2. Authentication: Each individual must be asked to provide a type of confidential or personal information, such as a password, voice recognition, retinal scan, etc., that will verify the identification of the person seeking access to DMV’s files.
Step 3. Authorization: The first two steps in the access control process are tests for the user to prove their identity. Authorization shall be controlled by software that limits the functions a particular user can perform.

b. If an individual is not authorized for the type of transaction requested, the Access Control Administrator shall terminate the transaction and notify the Requester and the Review Administrator. If the Access Control Administrator receives a transaction from an unauthorized individual, the Access Control Administrator shall terminate the transaction and attempt to identify the unauthorized individual.
c. The Access Control Administrator shall require a user authentication method. This method shall be no less secure than a manually entered User ID and password validated by the security administration system. The security administration system shall electronically enforce the user authentication method utilized. (See Section D.3. – User ID/Password Standards)
d. Passwords used to perform authentication service shall be stored on the security administration system in an encoded format. The encoded format shall be achieved using a Data Encryption Standard (DES) algorithm. The encryption shall be one way only (i.e., the encryption cannot be removed from the password).
e. An electronic file containing User ID, date, and time for each occurrence of a password change shall be maintained.
f. Assignment by the Access Control Administrator of an electronically enforced unique default user authentication to each individual upon initial access. The default user authentication shall be utilized in cases where an authorized individual has forgotten their password or where an authorized individual has incorrectly attempted a session logon five (5) times and has had their access revoked. Access Control Administrator shall ensure that the default user authentication shall not be capable of being utilized for subsequent access by an individual.
g. Any alternative process for individual access control requires prior written approval from DMV and must be at least as secure as the user authentication method required in this section.
h. Access to the user authentication data by any other user or application must be prevented by an active access control system performing the functionality defined in this section. Any deviations must be approved, in advance, by DMV.
i. The Access Control Administrator shall revoke a User ID, and notify the Review Administrator, within 24 hours of becoming aware of any of the following circumstances.

i. The holder of the User ID no longer requires access to DMV information.
ii. The holder of the User ID authorized for DMV record information access leaves the employ of Special Permit Holder or Requester.
iii. The holder of the User ID is guilty of unauthorized disclosure or misuse of DMV information.
iv. The holder of the User ID does not comply with DMV’s information security requirements.
v. Requester access is terminated. Access Control Administrator shall revoke the User ID of all Requester employees utilizing the On-line Information Service.

j. The Access Control Administrator shall be responsible for appropriate training of general security issues regarding User ID and password management of each individual accessing information under this addendum.
k. Individual’s User ID will be assigned and controlled by Access Control Administrator. Access Control Administrator shall require each individual to utilize the user authentication method to initiate each session logon as defined in Section D.1. Before an inquiry transaction may be initiated, the individual’s User ID must be validated and accepted by the security administration computer system.
l. The Access Control Administrator shall maintain an electronic file of all individuals accessing DMV information. Each electronic file shall include:

i. The date access was initially granted.
ii. Business name, address, and phone number.
iii. Requester code.
iv. Individual’s name and User ID.
v. The date and reason access was revoked (if appropriate).

This information shall be updated as changes occur and shall be provided to DMV upon request. A two (2) year history of any and all changes to the information shall be kept for all Individuals with current on-line information access. For inactive users, this information shall be retained for two (2) years from the date on-line information access was terminated.

4. Review Security Administration

a. A Review Security Administrator, hereinafter referred to as the “Review Administrator”, reporting to a different manager within the organization than the Access Control Administrator, shall administer the review responsibilities identified in this section.
b. All logon attempts, whether successful or unsuccessful, shall be electronically logged and monitored by the Review Administrator on a daily basis. An unsuccessful logon attempt is any attempt to log on to the computer system that is rejected because of an incorrect User ID and/or user authentication method. The Requester’s access shall be revoked after five (5) consecutive unsuccessful logon attempts.
c. The Review Administrator shall notify DMV in writing within three (3) working days of any individual who submits three (3) consecutive unauthorized transactions. Mail the notification to the DMV’s Policy and Information Privacy Section (see Part IV).
d. The Review Administrator shall notify the Special Permit Holder within one (1) working day of any of the occurrences noted by the Access Control Administrator defined in Section D.1. The Review Administrator shall set up a report using criteria to ensure the above requirements are being met. These criteria shall include, but are not limited to, date, time, location of attempted access, and reason revoked. This report shall be submitted to DMV upon request, in the media agreed upon.
e. The Review Administrator shall monitor the on-line information access activities of all individual users having DMV record access. Sufficient information shall be electronically logged so that the following checks and actions can be performed. The Review Administrator shall date and initial (or electronically key) an acknowledgement of logged records indicating the following checks have been performed on a monthly basis.

i. Complete log information has been kept for each unauthorized inquiry transaction attempt.
ii. Complete access control information has been kept for each completed transaction.
iii. Complete log information has been kept for each transaction attempt for every occurrence of an invalid requester code being entered. An invalid requester code is defined as any requester code that is:

1) not authorized by DMV,
2) not valid for the user initiating the transaction,
3) not valid for a particular transaction, or
4) not valid for a particular Requester device identifier (wrong terminal/communication line.)

f. The Review Administrator shall check for patterns that might indicate unauthorized attempts to gain access to DMV files. Review Administrator shall investigate suspected unauthorized access attempts. Should unauthorized access attempts be confirmed, Review Administrator shall immediately alert DMV by telephone at (916) 657-5583, with a written follow-up to DMV Electronic Access Administration Unit within one (1) working day (See Part IV).

g. The Review Administrator shall keep a record of all active terminals, the addresses of all terminal locations, the names of all authorized persons for each terminal location, and the names of any deleted or inactivated users for each location. A report of the above information shall be provided to DMV upon request, in the media agreed upon.
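The daily review in 4.b and the notification trigger in 4.c can be automated over the logon and transaction log. The sketch below is an added example, not DMV code: the log line format, field names, the `REAUTH` event and the finding labels are all hypothetical, and the sample log is constructed.

```python
from collections import defaultdict

LOGON_FAIL_LIMIT = 5   # 4.b: revoke after five consecutive unsuccessful logons
UNAUTH_TXN_LIMIT = 3   # 4.c: notify DMV after three consecutive unauthorized transactions

# Constructed sample log; the line format and field names are hypothetical.
SAMPLE_LOG = """\
2024-03-04T08:00:01 LOGON user=asmith term=T02 result=FAIL
2024-03-04T08:00:09 LOGON user=asmith term=T02 result=FAIL
2024-03-04T08:00:15 LOGON user=asmith term=T02 result=FAIL
2024-03-04T08:00:22 LOGON user=asmith term=T02 result=FAIL
2024-03-04T08:00:40 LOGON user=asmith term=T02 result=OK
2024-03-04T08:05:00 LOGON user=jdoe term=T01 result=FAIL
2024-03-04T08:05:10 LOGON user=jdoe term=T01 result=FAIL
2024-03-04T08:05:20 LOGON user=jdoe term=T01 result=FAIL
2024-03-04T08:05:30 LOGON user=jdoe term=T01 result=FAIL
2024-03-04T08:05:40 LOGON user=jdoe term=T01 result=FAIL
2024-03-04T08:06:30 LOGON user=jdoe term=T01 result=FAIL
2024-03-04T09:10:00 TXN user=asmith term=T02 result=UNAUTHORIZED
2024-03-04T09:10:30 TXN user=asmith term=T02 result=UNAUTHORIZED
2024-03-04T09:11:00 TXN user=asmith term=T02 result=OK
2024-03-04T09:12:00 TXN user=asmith term=T02 result=UNAUTHORIZED
2024-03-04T09:12:20 TXN user=asmith term=T02 result=UNAUTHORIZED
2024-03-04T09:12:40 TXN user=asmith term=T02 result=UNAUTHORIZED
2024-03-04T10:00:00 REAUTH user=jdoe term=T01
2024-03-04T10:01:00 LOGON user=jdoe term=T01 result=OK
"""


def parse_line(line):
    """Split 'timestamp KIND key=value ...' into its parts."""
    timestamp, kind, *pairs = line.split()
    return timestamp, kind, dict(p.split("=", 1) for p in pairs)


def review(log_text):
    """Return (timestamp, user, terminal, action) findings in log order."""
    failed = defaultdict(int)        # consecutive failed logons per User ID
    unauthorized = defaultdict(int)  # consecutive unauthorized transactions
    revoked = set()
    findings = []
    for line in log_text.strip().splitlines():
        ts, kind, fields = parse_line(line)
        user, term = fields["user"], fields["term"]
        if kind == "REAUTH":
            # Administrator re-authorized the User ID after verifying identity.
            revoked.discard(user)
            failed[user] = 0
        elif kind == "LOGON":
            if user in revoked:
                findings.append((ts, user, term, "ATTEMPT_WHILE_REVOKED"))
            elif fields["result"] == "FAIL":
                failed[user] += 1
                if failed[user] == LOGON_FAIL_LIMIT:
                    revoked.add(user)
                    findings.append((ts, user, term, "REVOKE_USER_ID"))
            else:
                failed[user] = 0     # a successful logon breaks the streak
        elif kind == "TXN":
            if fields["result"] == "UNAUTHORIZED":
                unauthorized[user] += 1
                if unauthorized[user] == UNAUTH_TXN_LIMIT:
                    findings.append((ts, user, term, "NOTIFY_DMV"))
            else:
                unauthorized[user] = 0
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Each finding carries the date, time and terminal, which are among the report criteria listed in 4.d.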

5. User ID/Password Standards

a. Password authentication requires a unique identification component (User ID) assigned by Requester and a confidential password component. Both components are required for authentication.
b. Assignment of User ID’s and default passwords must be accomplished using a secure process, for example, do not e-mail in clear text.
c. DMV User ID requirements:

i. User ID must be unique to each individual and not assigned to groups or job locations.
ii. User ID’s shall be revoked after five (5) consecutive unsuccessful logon attempts. Re-authorizing the User ID requires verification of the user’s identity.
iii. “Default” passwords, known only to the user, may be used for the purpose of resetting the account. Default passwords may not be used to conduct business.

d. Password requirements:

i. Passwords must be validated by the system against the User ID for each logon to the system.
ii. The owner of the User ID shall choose passwords.
iii. The user must manually enter passwords. Programming function keys or use of other automated means to enter passwords shall be prohibited. Application programs shall not allow the password to be saved.
iv. Passwords must contain six (6) or more characters.
v. Passwords must consist of both alpha and numeric characters.
vi. Passwords shall not utilize symbols or punctuation marks (#, %, !, etc.).
vii. Passwords must expire in 90 days or less.
viii. Passwords shall not be displayed in a readable manner on the screen when keyed.
ix. After a password has been changed, the system must prevent the user from changing it again within two (2) days. (An administrator may re-authorize the user, if necessary, during this time.)
x. The system shall prevent the user from re-using the password within twelve (12) password history iterations.
xi. Passwords stored in the program must be encrypted using DES, or equal/better, one-way-only encryption.
xii. Passwords must never be written down or displayed in plain text. This requirement can be enforced by written policy.
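One way a Requester system could enforce the User ID revocation rule in 5.c and the password rules in 5.d (iv through vii, ix, x and xi) is sketched below. This is an added example, not DMV code: the names `Account`, `composition_errors`, `change_password` and `logon` are hypothetical, PBKDF2-HMAC-SHA256 is assumed to qualify as "equal/better" one-way encryption, and the twelve-iteration history is assumed to include the current password.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LEN, HISTORY, MAX_FAILS = 6, 12, 5
MAX_AGE, MIN_AGE = timedelta(days=90), timedelta(days=2)
ALNUM = set(string.ascii_letters + string.digits)

def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the "DES, or equal/better" one-way function (xi).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def composition_errors(pw: str) -> list:
    errs = []
    if len(pw) < MIN_LEN:                                   # rule iv
        errs.append("shorter than 6 characters")
    if not set(pw) <= ALNUM:                                # rule vi
        errs.append("contains symbols or punctuation")
    if not (any(c in string.ascii_letters for c in pw)
            and any(c in string.digits for c in pw)):       # rule v
        errs.append("must mix letters and digits")
    return errs

@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    changed_at: datetime = datetime.min
    fails: int = 0
    revoked: bool = False

def change_password(acct, new_pw, now, admin_override=False):
    errs = composition_errors(new_pw)
    if acct.history and now - acct.changed_at < MIN_AGE and not admin_override:
        errs.append("changed less than 2 days ago")         # rule ix
    if any(hmac.compare_digest(_digest(new_pw, s), d) for s, d in acct.history):
        errs.append("reused within 12 iterations")          # rule x
    if not errs:
        salt = os.urandom(16)
        acct.history = (acct.history + [(salt, _digest(new_pw, salt))])[-HISTORY:]
        acct.changed_at = now
    return errs

def logon(acct, pw, now):
    if acct.revoked or not acct.history:
        return "revoked" if acct.revoked else "denied"
    salt, digest = acct.history[-1]
    if not hmac.compare_digest(_digest(pw, salt), digest):
        acct.fails += 1
        if acct.fails >= MAX_FAILS:      # 5.c.ii: five consecutive failures
            acct.revoked = True          # re-authorizing requires identity verification
            return "revoked"
        return "denied"
    acct.fails = 0                       # the counter tracks consecutive failures only
    return "expired" if now - acct.changed_at >= MAX_AGE else "ok"  # rule vii
```

Only salted digests are kept, so the history check re-derives the candidate against each stored salt rather than comparing plain text.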

E. On-line (Direct) Access — Indirect Requester

  1. Any Requester who obtains on-line (direct) access to DMV information from a Special Permit Holder shall, in addition to any other applicable sections, comply with all security requirements contained in this section.
  2. Logon access to the Special Permit Holder’s computer from all the Requester terminals shall require a unique user authentication method controlled by the Special Permit Holder. This method shall be no less secure than a manually entered password validated against user’s ID for each authorized user (person) at the Requester’s site. Passwords shall be unique to the individual and shall be held in confidence. Passwords shall be a minimum of six (6) characters in length, shall be made up of a combination of alphabetic and numeric characters, but cannot be all alphabetic or all numeric, and shall be chosen so that they cannot be readily identified with the person using them (i.e., their name/initials, family members, etc.).
  3. Passwords shall be changed at least every 90 days. Passwords shall be changed immediately if it is suspected another individual has knowledge of an individual’s password. The same person shall not use a password more than once within a twelve-iteration period. Passwords shall not be written down or otherwise kept in a location where they can be seen or easily obtained by anyone other than the person to whom they belong.
  4. The Requester shall manually key the unique assigned individual user ID and the unique individual password to initiate each access session. Each user ID shall only be assigned to one person for their exclusive use and shall not be shared.
  5. The Requester shall notify the Special Permit Holder immediately upon terminating authorization for an individual’s access to DMV records. The Requester shall maintain a list of individuals whose authorization has been terminated, containing the reason for and the date of access termination. Names contained in the list shall not be purged for at least two (2) years from the date the individual’s status becomes inactive.
  6. The Requester’s communications network shall be the termination point of any record information received from DMV. No terminal or system shall act as an intermediate communications node for other remote systems outside of the Requester’s organization.
  7. Data flow between the Requester and the Special Permit Holder must include the appropriate security measures and technical requirements to prevent unauthorized access to DMV information.
  8. The Requester shall control access to their system and prevent unauthorized user access to the Special Permit Holder’s system.
  9. The Requester shall submit a written request to DMV for review and approval for special inquiry transactions that release specific data elements for statistical purposes or require specific criteria to effect a yes or no business response, or release only the record status information. A special addendum may be required to specify the purpose and use of the information, applicable statutory authority, restrictions on use of the data, security requirements, and payment of fees if due, for programming or for records to be paid by the Requester.

F. Internet

When use of Internet-based technologies is included in any portion of the information-processing environment, all DMV-approved (1) special permit holders, (2) access control administrators and (3) government entities, are required to comply with the security requirements and procedures for systems and networks specified in the California DMV Security Requirements for the Internet handbook. These requirements will apply upon initial on-line implementation and for any changes proposed to networks or systems whenever the Internet will be utilized in any portion of the information-processing environment. Additional security measures may be required by DMV after your documentation is reviewed. If you are an approved special permit holder, access control administrator or government entity that utilizes Internet-based technologies, please contact the DMV’s Electronic Access Administration Unit at (916) 657-5582 for further information.

G. Batch Processing by:

  1. When use of Virtual Private Network (VPN) or File Transfer Protocol (FTP) based technologies is included in any portion of the information-processing environment, all Requesters shall comply with any requirements specified in VPN Services Offerings Manual (PDF) and the VPN Client Manual. The VPN Services Offerings Manual (PDF) is available by clicking on the link above or you can contact the DMV Electronic Access Administration Unit at (916) 657-5582 to have a copy of either manual sent to you.
  2. All data transferred to/from DMV must terminate behind an internal firewall and the system must be protected and on a trusted network. DMZ configurations do not meet this requirement.
  3. VPN batch customers must change their Resource Access Control Facility (RACF) password at least every 35 days.
  4. Additional RACF password standards include:

    a. Passwords must be at least 5 characters long.
    b. Passwords can be any combination of alphabetic, numeric or special characters.
    c. Passwords cannot be reused for 32 iterations.
    d. Passwords will be locked out of the system after 5 erroneous password attempts.
    e. Passwords can be changed any time.

  5. Minimum hardware/software requirements are identified in the VPN Services Offerings Manual (PDF).
  6. Security requirements require 3DES encryption for Router-to-Router customers.
  7. Firewall and network configuration changes may affect your VPN connections. DMV’s technical staff will assist when possible.
  8. As technology improves/changes, additional security concerns and changes may be required.
  9. Requesters will be required to submit a completed VPN Questionnaire and VPN Customer Information Listing prior to conversion of batch program(s) output.
  10. Output data set names are emptied and reallocated recurrently. Therefore, requesters must retrieve their output files prior to sending their input files.
  11. There is a maximum limit of 50,000 records that a customer can send for each process, per day. Anything larger must be coordinated in advance.
  12. Input files are processed Monday through Friday, excluding DMV non-business days (holidays, weekends, etc.). The DMV holiday schedule is available by clicking on the link or contacting the Electronic Access Administration Unit at (916) 657-5582.
  13. The daily production schedule begins at 4:30 p.m. (Pacific Time). Input files sent by this time will be available the next business day, by 7:00 a.m. (Pacific Time).
  14. All VPN connections must at a minimum meet the following requirements in order to protect the integrity and confidentiality of DMV data. These requirements apply to ALL VPN connections, including router-to-router, LAN-to-LAN, and client connections.
    a. At least one firewall system must be located between any server that hosts applications, provides access to or stores DMV information and each external network entry point.
    b. Firewalls must include, at a minimum, provisions for packet filtering, application gateway security mechanisms, and circuit-level gateways.
    c. If a server is accessed through the same Internet access point used to access the Internet from internal workstations, the firewall implementation must also include proxy services and/or address translation.
    d. When a server is used to store, transmit, or process DMV information, the firewall systems employed must be located so that all communications with the Internet must pass through two differently-authored firewall systems separated by an isolated network.

PART IV

For further information or assistance with:

Processing Forms
Account Processing Unit – H221
PO Box 944231
Sacramento, CA 94244-2310
(916) 657-5564

Electronic Access Methods
Electronic Access Administration Unit – H225
PO Box 942890
Sacramento, CA 94290-0890
(916) 657-5582

Policy/Information Privacy
Policy and Information Privacy Section – H225
PO Box 942890
Sacramento, CA 94290-0890
(916) 657-5583


1. What are the available methods to receive information from DMV? Information can be received either directly from DMV (i.e., hardcopy, magnetic tape, on-line) or indirectly from a department-approved reseller/service provider. For a current list of approved resellers/service providers, contact the Account Processing Unit at (916) 657-5564.
2. Can I use the information received from DMV for any purpose? Information obtained from DMV can only be used for the legitimate business purpose approved by the department. The department’s approval letter will contain the business purpose for which you were approved. (See page 6.001 for a definition of legitimate business need.)
3. Can I retain, combine, link or store the information I receive from DMV? Information received from DMV cannot be retained, stored, combined, and/or linked with any other data on any database for any subsequent reproduction, distribution, or resale. The individual record may be stored and maintained either manually or electronically for the purpose for which it was requested and for as long as your legitimate business use requires. (See IMPORTANT NOTE below).
4. If I am a “consumer reporting agency” as defined in 15 USCS 1681a (f) of the Fair Credit Reporting Act (FCRA) and must retain information to comply with FCRA requirements, how long can I keep this information? As a “consumer reporting agency”, records obtained from DMV can be stored exclusively to respond to inquiries for information contained in consumer reports and verification of that information if disputed. You may retain the information for a “reasonable” period of time to respond to customer inquiries. DMV interprets “reasonable” as 60 days from the date the information was received. If the information is undisputed, it must be destroyed after the 60-day retention period. If the information is disputed, the records must be destroyed upon the resolution of the dispute.
5. What do I do with the record information when it is no longer needed? Commercial requesters are responsible for destroying DMV record information containing personal information, such as name, driver license or identification number, or physical characteristics, etc., by shredding, erasing or modifying the personal information to make it unreadable or undecipherable as provided in Civil Code Sections 1798.80, 1798.81, and 1798.82.
IMPORTANT NOTE: Residence addresses received from department records shall not be used for any direct marketing or solicitation for the purchase of any consumer product or service. [CVC §1808.23]
6. If I have someone acting as my agent, can I release confidential information to that person? If confidential or restricted information is released to any agent of a person authorized by the department, the person shall require the agent to take all steps necessary to ensure confidentiality of this information. No agent shall obtain or use any confidential or restricted records from requester code holders for any purpose other than the reason the information was requested. Reasons for requesting information are limited to those stated on the approved account application.
7. Are there any DMV forms that must be signed by someone acting as my agent or by my employees? Yes, an “Information Security Statement”, form INF 1128, must be maintained on file for each agent performing work on behalf of the requester. The INF 1128 is also required for all employees authorized to access DMV information. These forms must be maintained at the worksite and be available to the DMV auditors upon request.
8. Do I need to have any written procedures in place for information security? You are required to establish written procedures to protect the confidentiality of the information received from DMV. CVC §1808.47 states: Any person who has access to confidential or restricted information from DMV shall establish procedures to protect the confidentiality of those records.
9. Where must these procedures be kept? The established security procedures must be maintained on site and available to the department’s auditors.
10. Do I need to have anyone in charge of securing this information? Yes. You should appoint someone to be in charge of maintaining the security of DMV information. Please be able to provide the name, title, and telephone number of that person upon request.
11. Are there any other security requirements I or my employees must be aware of if accessing DMV information by computer?

The following has been prepared to assist in complying with the security requirements:

  • Remember, account holders are personally responsible for all activity occurring under their user identification while signed on to the DMV computer.
  • Do not write passwords down or tell your password to anyone. Passwords are not to be shared among individuals or groups.
  • Always log off the terminal each time the terminal is left unattended.
  • Passwords should be changed at least every 90 days or less, to help prevent illegal access.
  • DMV information should only be requested and used for the legitimate business need for which it was approved.
  • Do not have your terminal screen visible to anyone that is not authorized to view the information.
  • DMV information must be properly destroyed when it is no longer needed for the reason for which it was originally requested.
  • Any terminals accessing DMV information must not be in areas open to the public. Video screens containing DMV information must be facing away from the public.
  • Printed records, microfilmed records, and any records stored to any electronic media (diskette, hard drive etc.), must be protected from unauthorized access and viewing.
  • Requester code(s) and any personal identification numbers used by employees must be protected from unauthorized use.
12. Do I need to keep any logs of the information I request? Yes. You must establish and maintain daily logs and source documents which track the receipt, use, and dissemination of DMV information. These logs and documents must be available to DMV auditors upon request.
13. What information must the log contain?

The log must contain the following information for every transaction:

  • Requester code
  • Date of request
  • Name of the subject of request
  • Information requested (Driver License, Vin/Hin #, Vehicle/Vessel Plate #)
  • Reason or purpose for the request and supporting documentation as necessary
  • Cross-reference to the corresponding supporting documentation, e.g., file/case #, account #, inventory/control #, etc.
  • NOTE: An Information Requester Log (INF 2115) is available for your use on DMV's website at www.dmv.ca.gov.

14. How long must the log be retained? The log and required documentation must be kept for two years from the date of the request by any requester who requests or receives confidential information not for resale in accordance with California Code of Regulations 350.48(c).
15. Who should I notify if I suspect fraud or misuse of DMV record information?

If fraud or misuse is suspected or confirmed, you must notify DMV’s Information Services Branch, Policy and Information Privacy Section at: (916) 657-5583, within one (1) business day of discovery. A written notification containing all facts must be prepared by the requester within three (3) business days and mailed to:

Department of Motor Vehicles
Policy and Information Privacy Section, MS H225
P.O. Box 942890
Sacramento, CA 94290-0890