Striking the Balance: MVR Checks and Privacy Laws
Many companies consider it a matter of course to conduct a motor vehicle record (MVR) check before handing an employee the keys to a company vehicle. Such checks provide vital insight into whether that employee is a safe driver. An MVR check reveals, among other important information, insurance lapses, traffic violations, accidents, license revocations, and most importantly, DUI charges that may not appear on criminal records.
While such checks help identify high-risk drivers before accidents occur, they also create a potential legal pitfall for companies that conduct them: violation of state and federal laws protecting employee privacy. What many companies do not realize is that when they collect MVRs about employees and applicants, they are amassing a vast store of personal information they are legally obligated to safeguard.
A host of state and federal laws restrict the ways companies obtain, use, store, share, and even discard confidential information contained in employee driving records. Companies that do not comply with these regulations face the risk of lawsuits and government penalties. Yet, understanding and complying with these laws can be tricky, especially given the fact that many states have passed new statutes concerning the protection of personal information.
Protecting Driver Privacy
The primary law governing a fleet manager’s ability to collect and use employees’ MVRs is the federal Driver’s Privacy Protection Act (DPPA) of 1994. That law restricts state DMVs from disclosing personally identifiable driver records without first obtaining the driver’s express written consent.
The DPPA provides a few exceptions that allow fleet managers to obtain driving records for the purposes of screening employees. For instance, the law authorizes state DMVs to disclose motor vehicle records for purposes related to "safety or the operation of a motor vehicle." State DMVs may disclose MVRs to anyone who has obtained the consent of the person whose records are sought.
However, even if a company lawfully obtains MVRs, there is a risk in doing so. The DPPA authorizes individuals to file civil lawsuits against any entity that lawfully obtains an MVR check and then re-discloses or misuses the information it contains. The statute allows a plaintiff to sue for actual and punitive damages, attorney’s fees, costs, and equitable relief — such as a court order to cease further misuse or unauthorized disclosure of driving records.
Surprisingly, the DPPA does not regulate the disclosure of information about vehicular accidents or traffic violations, but rather only "personal information," such as an individual’s photograph, Social Security number, driver identification number, name, telephone number, and medical or disability information. Thus, a company does not violate the DPPA if it shares information about an employee or applicant’s driving history with supervisors, managers, or outside fleet management companies. However, the employer should take care to conceal the other personal information driving records contain.
Finally, companies need to be aware that the primary purpose of the DPPA is preventing the misuse of driver information for commercial purposes, such as telemarketing or direct mail, or criminal purposes, such as to stalk or harass an individual. Thus, the onus is on the company to carefully ensure that the personal information contained in driving records is not accessible to third parties.
Laws Also Cover Records Storage
In addition to managing their obligations under the DPPA, companies that collect driving records must also contend with a patchwork of state laws that govern how employers store and maintain personally identifiable information about their workforce.
In response to growing concern about identity theft, 39 states have recently enacted laws that require a company to notify employees when the security of personal information is breached. Ten of those state statutes — those enacted in Arkansas, Delaware, Georgia, Maryland, Massachusetts, Montana, North Carolina, North Dakota, Nebraska, and Wisconsin — specifically name driver’s license numbers as a category of personal information that, if accidentally disclosed, triggers this notice requirement. This means if any unauthorized outside party gains access to unencrypted information from employee driving records, the company must promptly notify the affected individuals.
A company can reduce the risk of such confidentiality breaches by keeping MVRs on file only as long as they are reasonably needed to screen an employee and sharing those records only with the persons who evaluate the employee’s ability to drive a company vehicle.
However, be careful about how those records are disposed of — 12 different state laws govern the manner in which companies dispose of any personally identifiable information about employees, whether that information is stored electronically or in paper format. For instance, the Massachusetts Identity Theft Prevention Act, which became law in August 2007, requires employers to dispose of information in a manner that makes it irretrievable, for instance, by shredding paper records or securely erasing a hard drive on which the data was stored.
Aside from authorizing affected individuals whose information is disclosed to recover damages they sustain, these laws also often impose steep government penalties. In Texas, for example, a company can be fined $500 for every improperly disposed record containing employee information.
Create a Compliance Checklist
While conforming to the many obligations imposed by laws protecting the privacy of employee records can be difficult, companies can take several steps to promote compliance. As a starting point, companies should audit their current practices for obtaining, using, storing, and disposing of MVRs to identify any compliance lapses.
Legal counsel familiar with the privacy laws in the states in which the company does business can help create a checklist of legal obligations and evaluate current procedures against that list. Some of these issues include:
- Is the company obtaining proper consent before seeking records from the DMV?
- Is personally identifiable employee information, such as home address and telephone number, removed from the records before sharing it with third parties?
- Are records stored in a secure format not easily accessible to third parties?
- Are employees properly notified if their information is compromised?
- Are employee records disposed of properly?
Finally, if the company finds compliance problems, it should promptly create and implement sound policies to remedy those failures and prevent future slip-ups. More importantly, the company should ensure that the people who handle these records receive training about their legal obligations and the company’s policy for managing them. A policy can’t work if no one knows about it.