Focusing public attention on emerging privacy and civil liberties issues

Gordon v. Softech International Inc.

Concerning Reseller Liability fo an Alleged But Undisclosed Impermissible Use of Driver Information Under the DPPA

Top News

  • In Driver Privacy Case, Second Circuit Requires Data Resellers to Exercise Reasonable Care: The Court of Appeals for the Second Circuit ruled today in Gordon v. Softech that under the Driver Privacy Protection Act data brokers may be liable for the use of personal information that they obtain from DMVs and then sell to others. "Based on the language of the statute, its structure, and its legislative history, we conclude that the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records," the federal appeals court announced. The court cited the sensitivity of the personal information available through motor vehicle records, including social security numbers, medical or disability information, and home addresses. In reversing the decision of the lower court, the appeals court said It is not enough for a reseller to simply provide a "drop down list" of permissible purposes. EPIC filed an amicus brief arguing that strict liability was necessary to ensure that resellers take adequate precautions to avoid impermissible downstream uses of sensitive personal data that individuals are required to provide to obtain a drivers license. The court essentially adopted a position between the lower court decision and the position urged by EPIC. For more information, see EPIC: Gordon v. Softech Int'l, Inc. (Jul. 31, 2013)
  • Supreme Court to Hear Drivers' Records Privacy Case: The US Supreme Court has decided to review Marachich v. Spears, a case concerning the Drivers' Privacy Protection Act. The federal privacy law prohibits the disclosure of personal information in state motor vehicle records, except under certain narrow circumstances. In 2000, several states challenged the law. EPIC argued in an amicus brief that "the Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest." The Supreme Court upheld the law. More recently, EPIC has argued that resellers of driver records should be strictly liable for violations of the law. At issue in the Marachich case is whether records can be disclosed to facilitate attorney solicitations. The Court of Appeals for the Fourth Circuit ruled that the law permits solicitations under the "litigation" exception. For more information, see EPIC: The Drivers' Privacy Protection Act and EPIC: Gordon v. Softech. (Sep. 25, 2012)
  • EPIC Argues That Resellers of State Driver Records Should Be Strictly Liable Under Privacy Law: EPIC filed a "friend of the court" brief in Gordon v. Softech Int'l, Inc., a case concerning privacy protections for driver records. The Driver’s Privacy Protection Act is intended to prevent the misuse of personal information disclosed by state departments of motor vehicles. The Act allows the disclosure of driver record information only for "permissible uses." Some companies resell this information to others. EPIC argued in its brief that when the buyer uses this information for an impermissible purpose, the seller should be liable under the law. Strict liability, EPIC said, is necessary to incentivize resellers to limit the sale of personal information and prevent abuse. For more information, see EPIC: Gordon v. Softech International, Inc. and EPIC: Driver's Privacy. (Jun. 20, 2012)

Background

The facts of Gordon v. Softech Int'l, Inc., 828 F. Supp. 2d 665 (S.D.N.Y. 2011), appeal docketed, No. 12-661 (2d Cir. Feb. 22, 2012), arise out of an "unusual and unfortunate incident that occurred on October 10, 2009 on East 61st Street in Manhattan, New York (between the hours of 11:00 p.m. and 1:30 a.m.)." Id. at 1 n.2. After a hotly disputed exchange between Plaintiff Gordon's driver and Defendant Leifer, various Defendants were paid to conduct an "investigation" of Plaintiff Gordon using his license plate number. Id. at 3. Defendant Arcanum is a licensed "private investigation firm" that runs a website, Docusearch.com, that was used by Leifer. Id. After receiving a license plate information request from Leifer, Arcanum submitted the request to Defendant Softech, which is "in the business of information gathering and obtaining information from the department of motor vehicles." Id. at 4. Plaintiff filed suit against various defendants after receiving harrassing and threatening phone calls and messages from Leifer.

Plaintiff Gordon alleges that Defendant Leifer violated the Driver's Privacy Protection Act of 1994 ("DPPA"), 18 U.S.C. ยงยง 2721-2725, when he obtained Gordon's personal information from the New York Department of Motor Vehicles for the impermissible use of "placing a series of phone calls designed to harass, threaten and annoy." Id. at 1. Plaintiff Gordon also alleges that the "Reseller Defendants" (Arcanum, Softech, and others) violated the DPPA by providing his personal information to Leifer, even though Leifer "represented and certified to the Reseller Defendants that he was 'requesting the information pursuant to a [DPPA] permissible use.'" Id. The DPPA generally prohibits "obtaining and disclosing personal information from motor vehicle records," subject to various mandatory and permissive exceptions. Id. at 5.

The District Court for the Sothern District of New York ruled that summary judgment was not available to either Gordon or Leifer because "[m]aterial questions of fact appear to exist regarding Leifer's obtainment and use of Gordon's DMV information," specifically whether a car accident involving Leifer and Gordon's driver occurred on the night in question. Id. at 6. The District Court found that the question of "[w]hether a reseller may be liable under the DPPA for an alleged but undisclosed impermissible use of driver information by an end user where a permissible use has been asserted and certified by the end user appears to be a question of first impression in [the Second Circuit]." Id. at 7 (emphasis added). The District Court granted the Reseller Defendants' motion for summary judgment against Gordon and ruled that "the DPPA cannot, on the facts presented here, be considered 'essentially a strict liability statute.'" Id. at 8. Gordon appealed this ruling to the United States Court of Appeals for the Second Circuit on February 22, 2012.

On July 31, 2013, The Court of Appeals for the Second Circuit ruled in Gordon v. Softech, that under the Driver Privacy Protection Act data brokers may be liable for the use of personal information that they obtain from DMVs and then sell to others. "Based on the language of the statute, its structure, and its legislative history, we conclude that the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records," the federal appeals court announced. The court cited the sensitivity of the personal information available through motor vehicle records, including social security numbers, medical or disability information, and home addresses. In reversing the decision of the lower court, the appeals court said "It is not enough for a reseller to simply provide a "drop down list" of permissible purposes. EPIC filed an amicus brief arguing that strict liability was necessary to ensure that resellers take adequate precautions to avoid impermissible downstream uses of sensitive personal data that individuals are required to provide to obtain a drivers license. The court essentially adopted a position between the lower court decision (which held that the requester could not be liable if the requester represented that they had a permitted use for the information) and the position urged by EPIC (strict liability) by adopting the reasonable care standard.

EPIC's Interest in Gordon v. Softech Int'l, Inc.

EPIC has an interest in maintaining strong DPPA protections for drivers' personal information. The DPPA is an important tool that provides an effective punishment against those who traffic in personal information. The civil damages provision of the DPPA could be diluted, and its effectivenss reduced, if "resellers" are allowed to profit from bad-faith requests made by private parties who may be difficult to locate or hold financially accountable for violations of the Act.

Legal Documents

United States Court of Appeals for the Second Circuit

United States District Court for the Southern District of New York

  • Decision & Order, Gordon v. Softech Int'l, Inc., 828 F. Supp. 2d 665 (S.D.N.Y. 2011).

Resources

Relevant Cases

  • Reno v. Condon, 528 U.S. 141 (2000)
  • Roth v. Guzman, 650 F.3d 603 (6th Cir 2011)
  • Best v. Berard, ___ F. Supp. 2d ____, 2011 WL 5554021 (N.D. Ill. 2011)
  • Pinchler v. UNITE, 228 F.R.D. 230 (E.D. Pa. 2005), aff'd, 542 F.3d 380 (3d Cir. 2008)
  • Schuchart v. La Tabema Del Albardero, Inc., 365 F.3d 33 (D.C. Cir. 2004)
  • Margan v. Niles, 250 F. Supp. 2d 63 (N.D.N.Y. 2003)
  • Remsburg v. Docusearch, Inc., 816 A.2d 1001 (N.H. 2003)

Relevant Law Review Articles and Books

  • Alessandro Acquisti & Sasha Romanosky, Privacy Costs and Personal Data Protection: Economic and Legal Perspectives, 24 Berkeley Tech. L.J. 1061 (2009)
  • Candice L. Kline, Security Theater and Database-Driven Information Markets: A Case for an Omnibus U.S. Data Statute, 39 U. Tol. L. Rev. 443 (2008)
  • Sarah Ludington, Reining in the Data Traders: A Tort for the Misuse of Personal Information, 66 Md. L. Rev. 140 (2006)
  • Lawrence Friedman, Establishing Information Privacy Violations: The New York Experience, 31 Hofstra L. Rev. 651 (2003)

Webpages

News Reports