HARRISBURG, Pa -- For years, the Pennsylvania Department of Transportation has been selling drivers information.
That information is bought by seven different companies.
"Under the law, PennDOT is allowed to charge $9 for each record that is accessed. This is a way Pennsylvania pays for critical transportation services," says Rich Kirkpatrick, a PennDOT Spokesperson.
Last year, the state made more than $40 million dollars selling DMV records.
That money goes to public transportation around the state and PennDOT says it relies on those funds each year.
The companies that buy those records could be using it to get background checks on you.
"How will people be rated for insurance, whether or not the judgments will be made allowing them to have credit or whether or not employers will be willing to employ them. It`s a very integrated effort," said Kirkpatrick.
Those records are usually secure.
PennDOT makes vendors sign contracts to make sure of that.
Then those seven vendors sell information to other businesses like insurance companies.
That's when it's harder to keep track of security.
For about six years, PennDOT has had a contact with a company called Sterlingbackcheck which does background checks and employment screenings.
Recently, the Pennsylvania bureau of audits looked back at documents from sterling for the past four years.
Kirkpatrick said, "PennDOT, through these audits, is doing due diligence to ensure these records are not misused in any way and as a result of this audit, there is no evidence of any misuse of these records."
The PennDOT spokesman says the audit showed "procedural shortcomings" with Sterlingbackcheck's data, but that there is no proof anyone's information was leaked.
The audit shows the company couldn't provide certain documents and didn't appear to be operating under the same security standards as PennDOT.
"We take this very seriously and we`re working hard to in fact make sure everyone is following the rules," said Kirkpatrick.
We reached out to Sterlingbackcheck and got this response, "These types of audits are typical and part of the ordinary course of business. Due to the ongoing nature of the audit, SterlingBackcheck cannot comment further at this time."
Andrew Hacker, a cyber security expert at Harrisburg University, says although it may seem jarring that the state can sell your personal information, it's really no different than you posting pictures on facebook.
"There`s more information that companies are pulling about me from my cellphone than from my DMV records."
Things like driver's license or social security numbers are referred to as Personally identifiable information or PII.
Hacker says it takes more than one of those items to hack into your personal life.
"With a driver's` license number by itself, it doesn`t really do anything, but if you link that with someone`s name, or a social security number, then it`s PII. An attacker can use that to do damage."
We asked the security expert if he or anyone else should find the PennDOT audit to be a red flag when it comes to information sharing.
"I do feel it`s safe. Certainly it`s an on-going process, it always is," said Hacker.
To be safe, PennDOT terminated its contract with Sterlingbackcheck.
"Because they were not following the rules, Sterling, in particular, has been cut off from access to these records," said Kirkpatrick.
PennDOT says it is working with the company to improve security procedures for the future.
Also important to note, there is no way in the state for drivers to opt out of having their information sold unless that law in changed.