[DPS Director Steve] McCraw said DPS officials kept the news under wraps to avoid jeopardizing the agency’s investigation, including efforts to arrest the fraudsters who organized the scheme.
The explanation came in response to questioning from state Rep. Mary González, D-El Paso, who expressed bewilderment over the delay.
“So, hold on,” González said. “It could be my driver’s license, and somebody could be going around as Mary González right now for two months, and nobody has been notified.”
González also queried McCraw and one of his top deputies, Jeoff Williams, about whether the state could face fines for possibly running afoul of federal regulations requiring timely notice of certain security breaches.
Williams, DPS’ deputy director of law enforcement services, said that was not the case. He added that the criminal investigation — which includes at least four states — “has taken priority at this point.”
“We recognize that there’s a requirement to notify people, and we want to do that more than anyone, believe me,” Williams said. “ — We’re going to handle each one of those (affected Texans) with the individual care that’s required, given what occurred to them.”
On Tuesday, DPS confirmed that it had begun sending letters informing victims of “fraudulent activity that resulted in your driver license card being sent to an unauthorized party.” The agency reportedly told the victims they would be issued a new replacement license at no charge.
Under state law, anyone who “conducts business” in Texas and owns or licenses data that includes “sensitive personal information” is required to notify people within 60 days if their information is compromised in a breach. The law provides an exception, however, if a law enforcement agency “determines that the notification will impede a criminal investigation.”
“The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation,” the law states.
In 2021, state lawmakers tacked on a requirement to notify the state attorney general about any breach that involves at least 250 Texans. The attorney general’s office is required to post a publicly accessible list of the breaches on its website, updated within 30 days of each breach notice.
The attorney general’s office has tallied 468 such breaches since the law took effect in September 2021 — an average of 26 per month.
See here for the background. I get the reason for the delay, though perhaps there should be some limit to that, and the earlier stories mentioned that the FBI and Homeland Security were also involved, so that’s good. I just don’t trust Steve McCraw. But unless there’s some other nuance to this, I’ll have to get over it.
Of more interest to me is what DPS and the Texas Department of Information Resources will learn from this. Will they take proactive steps to notify their customers whose passwords are known to have been compromised? How about doing a better job of screening where these logons come from, and put in extra verifications to filter out unwanted foreign actors? McCraw specifically said there weren’t adequate controls in place. What controls does he have in mind, and who is responsible for implementing them? Put the cybersecurity stuff aside for a second, was this an unusual number of license requests, was there a way to detect that, and what if anything was supposed to be done if so? And if there wasn’t any way to flag that as suspicious, is there now? This is the kind of review process that an enterprise has to undertake when there is a successful attack like this. All of us drivers license holders need to know that this is happening. Please keep the pressure on them, legislators.