Gordon v. Softech International Inc.

Concerning Reseller Liability of an Alleged But Undisclosed Impermissible Use of Driver Information Under the DPPA

Outcome

The Court of Appeals for the Second Circuit ruled in Gordon v. Softech that under the Driver Privacy Protection Act data brokers may be liable for the use of personal information that they obtain from DMVs and then sell to others. “Based on the language of the statute, its structure, and its legislative history, we conclude that the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records,” the federal appeals court announced. The court cited the sensitivity of the personal information available through motor vehicle records, including social security numbers, medical or disability information, and home addresses. In reversing the decision of the lower court, the appeals court said It is not enough for a reseller to simply provide a “drop down list” of permissible purposes. EPIC filed an amicus brief arguing that strict liability was necessary to ensure that resellers take adequate precautions to avoid impermissible downstream uses of sensitive personal data that individuals are required to provide to obtain a drivers license. The court essentially adopted a position between the lower court decision and the position urged by EPIC.

Background

The facts of Gordon v. Softech Int’l, Inc., 828 F. Supp. 2d 665 (S.D.N.Y. 2011), appeal docketed, No. 12-661 (2d Cir. Feb. 22, 2012), arise out of an “unusual and unfortunate incident that occurred on October 10, 2009 on East 61st Street in Manhattan, New York (between the hours of 11:00 p.m. and 1:30 a.m.).” Id. at 1 n.2. After a hotly disputed exchange between Plaintiff Gordon’s driver and Defendant Leifer, various Defendants were paid to conduct an “investigation” of Plaintiff Gordon using his license plate number. Id. at 3. Defendant Arcanum is a licensed “private investigation firm” that runs a website, Docusearch.com, that was used by Leifer. Id. After receiving a license plate information request from Leifer, Arcanum submitted the request to Defendant Softech, which is “in the business of information gathering and obtaining information from the department of motor vehicles.” Id. at 4. Plaintiff filed suit against various defendants after receiving harrassing and threatening phone calls and messages from Leifer.

Plaintiff Gordon alleges that Defendant Leifer violated the Driver’s Privacy Protection Act of 1994 (“DPPA”), 18 U.S.C. §§ 2721-2725, when he obtained Gordon’s personal information from the New York Department of Motor Vehicles for the impermissible use of “placing a series of phone calls designed to harass, threaten and annoy.” Id. at 1. Plaintiff Gordon also alleges that the “Reseller Defendants” (Arcanum, Softech, and others) violated the DPPA by providing his personal information to Leifer, even though Leifer “represented and certified to the Reseller Defendants that he was ‘requesting the information pursuant to a [DPPA] permissible use.'” Id. The DPPA generally prohibits “obtaining and disclosing personal information from motor vehicle records,” subject to various mandatory and permissive exceptions. Id. at 5.

The District Court for the Sothern District of New York ruled that summary judgment was not available to either Gordon or Leifer because “[m]aterial questions of fact appear to exist regarding Leifer’s obtainment and use of Gordon’s DMV information,” specifically whether a car accident involving Leifer and Gordon’s driver occurred on the night in question. Id. at 6. The District Court found that the question of “[w]hether a reseller may be liable under the DPPA for an alleged but undisclosed impermissible use of driver information by an end user where a permissible use has been asserted and certified by the end user appears to be a question of first impression in [the Second Circuit].” Id. at 7 (emphasis added). The District Court granted the Reseller Defendants’ motion for summary judgment against Gordon and ruled that “the DPPA cannot, on the facts presented here, be considered ‘essentially a strict liability statute.'” Id. at 8. Gordon appealed this ruling to the United States Court of Appeals for the Second Circuit on February 22, 2012.

On July 31, 2013, The Court of Appeals for the Second Circuit ruled in Gordon v. Softech, that under the Driver Privacy Protection Act data brokers may be liable for the use of personal information that they obtain from DMVs and then sell to others. “Based on the language of the statute, its structure, and its legislative history, we conclude that the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records,” the federal appeals court announced. The court cited the sensitivity of the personal information available through motor vehicle records, including social security numbers, medical or disability information, and home addresses. In reversing the decision of the lower court, the appeals court said “It is not enough for a reseller to simply provide a “drop down list” of permissible purposes. EPIC filed an amicus brief arguing that strict liability was necessary to ensure that resellers take adequate precautions to avoid impermissible downstream uses of sensitive personal data that individuals are required to provide to obtain a drivers license. The court essentially adopted a position between the lower court decision (which held that the requester could not be liable if the requester represented that they had a permitted use for the information) and the position urged by EPIC (strict liability) by adopting the reasonable care standard.

EPIC’s Interest in Gordon v. Softech Int’l, Inc.

EPIC has an interest in maintaining strong DPPA protections for drivers’ personal information. The DPPA is an important tool that provides an effective punishment against those who traffic in personal information. The civil damages provision of the DPPA could be diluted, and its effectivenss reduced, if “resellers” are allowed to profit from bad-faith requests made by private parties who may be difficult to locate or hold financially accountable for violations of the Act.

Legal Documents

United States Court of Appeals for the Second Circuit

• Second Circuit Opinion, 726 F.3d 42 (2d Cir. July 31, 2013)
• Appellant Gordon’s Opening Brief, Gordon v. Softech Int’l, Inc., No. 12-0661-cv (2d Cir. June 8, 2012)
• EPIC’s “Friend of the Court” Brief, Gordon v. Softech Int’l, Inc., No. 12-0661-cv (2d Cir. June 15, 2012)
• ITRC’s “Friend of the Court” Brief, Gordon v. Softech Int’l, Inc., No. 12-0661-cv (2d Cir. June 13, 2012)

United States District Court for the Southern District of New York

• Decision & Order, Gordon v. Softech Int’l, Inc., 828 F. Supp. 2d 665 (S.D.N.Y. 2011).

Resources

Relevant Cases

• Reno v. Condon, 528 U.S. 141 (2000)
• Roth v. Guzman, 650 F.3d 603 (6th Cir 2011)
• Best v. Berard, ___ F. Supp. 2d ____, 2011 WL 5554021 (N.D. Ill. 2011)
• Pinchler v. UNITE, 228 F.R.D. 230 (E.D. Pa. 2005), aff’d, 542 F.3d 380 (3d Cir. 2008)
• Schuchart v. La Tabema Del Albardero, Inc., 365 F.3d 33 (D.C. Cir. 2004)
• Margan v. Niles, 250 F. Supp. 2d 63 (N.D.N.Y. 2003)
• Remsburg v. Docusearch, Inc., 816 A.2d 1001 (N.H. 2003)

Relevant Law Review Articles and Books

• Alessandro Acquisti & Sasha Romanosky, Privacy Costs and Personal Data Protection: Economic and Legal Perspectives, 24 Berkeley Tech. L.J. 1061 (2009)
• Candice L. Kline, Security Theater and Database-Driven Information Markets: A Case for an Omnibus U.S. Data Statute, 39 U. Tol. L. Rev. 443 (2008)
• Sarah Ludington, Reining in the Data Traders: A Tort for the Misuse of Personal Information, 66 Md. L. Rev. 140 (2006)
• Lawrence Friedman, Establishing Information Privacy Violations: The New York Experience, 31 Hofstra L. Rev. 651 (2003)

News Reports

• Katie W. Johnson, Second Circuit Sets Reasonable Care Duty For Driver Privacy Act Reseller Disclosures, Bloomberg BNA (Aug. 5, 2013)