In a lengthy opinion that closely examined the legislative history of the Driver’s Privacy Protection Act (DPPA), the Second Circuit refused to impose strict liability on data brokers and resellers of personal information sourced from motor vehicle records. Eric Gordon v. Softech, et al., 12-661-cv (2d Circuit July 31, 2013). The court did hold, however, that the DPPA imposes a reasonable duty of care before personal information can released.
In 2009, defendant Aron Leifer engaged in a verbal altercation with the driver of Gordon’s car. Leifer claimed that there had been a collision between his car and Gordon’s, but Gordon denied that. Leifer wrote down Gordon’s license plate number, and the next day, he entered it on a website called Docusearch.com. Leifer clicked “OK” after a popup window asked him to confirm that his use of the information would comply with DPPA. Leifer then chose “Insurance Other” from a drop down menu of permissible uses of the data. He input his name as “Jack Loren” and indicated that he worked for a company called Bodyguards.com, which was defunct. Leifer paid the $39 fee with a credit card issued to him under his correct name, and he received Gordon’s name and home address a few hours later. Armed with that information, Leifer was able to find other information about Gordon online. Leifer then allegedly embarked on a campaign of harassing and threatening calls to Gordon, his family and others. Leifer admitted making the calls, but claimed that he was simply trying to obtain Gordon’s insurance information following the alleged collision.
Gordon filed suit against Leifer and the data broker and investigation company that provided his personal information to Leifer. Defendant Softech International Inc. (Softech) is a data broker that provides access to motor vehicle records of all 50 states, the District of Columbia, Puerto Rico and six provinces in Canada. Defendant Arcanum Investigations (Arcanum) is a private investigation service. Softech and Arcanum (collectively, Resellers) have an agreement by which Softech provides requested information to Arcanum, but Arcanum must represent that the end user to whom it resells the information will use it in a manner permitted by law. Arcanum owns the website from which Leifer purchased Gordon’s information. Gordon alleged that the Resellers were strictly liable for violating the DPPA or that they unreasonably provided his information to Leifer.
Gordon and the Resellers all moved for summary judgment. The district court denied Gordon’s motion but granted in part and denied in part the motion by the Resellers and Leifer, holding that the Resellers could not be strictly liable under the DPPA. Gordon then settled with Leifer, but Gordon continued to pursue his claims against the Resellers.
On appeal, the Second Circuit traced the history of the DPPA, noting that personal information drawn from motor vehicle records may not be disclosed unless permitted by the statute. The default rule is non-disclosure, but the statute contains 14 exceptions, called “permissible uses,” including “use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting” and “use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.” An authorized recipient of personal information may resell it “only for a use permitted” under the DPPA. The DPPA creates a private right of action for those whose information was improperly used or disclosed. Civil remedies may be imposed against any “person who knowingly obtains, discloses or uses personal information . . . for a purpose not permitted” by the DPPA.
In response to Gordon’s argument that the Resellers should be strictly liable for Leifer’s misuse of Gordon’s personal information, the court held that “a strict liability standard is inconsistent with the DPPA as a whole and would frustrate its legislative aims.” The court was “loathe to write strict liability into the DPPA absent a clear indication in the text or the legislative history that strict liability applies.”
Liability Based on Reasonableness of Conduct
With regard to Gordon’s alternative argument that the disclosure was unreasonable, the court decided that “the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records.” Although it acknowledged that the DPPA was silent as to the degree of fault necessary to award damages, the legislative history emphasized that DPPA would protect individuals’ “fundamental right to privacy and safety” and held that the “DPPA’s purpose would be severely undermined if resellers’ disclosures were not subject to a duty of reasonable inquiry.” Applying that standard, the court held that there was a material issue of fact concerning the propriety of Arcanum’s disclosure to Leifer.
The court held that the term “Insurance Other,” which Leifer selected from a dropdown menu on Arcanum’s Docusearch.com website, does not track the language of the DPPA exception and that a disclosure pursuant to that description could be outside the limited insurance uses described in the statute. In addition, the insurance exception may be claimed only by an insurer, insurance support organization or self-insured entity, and Arcanum could not show that Leifer was eligible to request information pursuant to that exception. The court further noted that Leifer used an alias that did not match up with the credit card he used. The company he listed was not operational, and he provided no proof that he could invoke the insurance exception. Consequently, the court held that “[a]lthough Arcanum did ask Leifer to represent that he was seeking the information for a lawful purpose, a reasonable jury could find on these facts that Arcanum failed to use reasonable care, and that, had it been reasonably diligent, Arcanum would have discovered that Leifer was seeking the information for an improper purpose. …. Accordingly, the district court erred in granting summary judgment to Arcanum.”
Summary judgment as to Softech, however, was affirmed. Softech’s disclosure of information to Arcanum was authorized because Arcanum was entitled to claim an exception to the DPPA as a licensed private investigative agency and it provided Softech with an “Affidavit of Intended Use” that identified three authorized intended uses of the requested records.
One judge dissented on the ground that the majority “superimposes a negligence duty of care on the civil damages remedy” of the DPPA.
Both the majority opinion and dissent demonstrate that in the absence of a clear statutory mandate, courts must struggle to find ways to protect private information while avoiding undue burdens on people and entities that must handle such information.