Consumers will find it harder to bring federal Driver’s Privacy Protection Act lawsuits against businesses that experience data security incidents, after a federal appeals court narrowed the circumstances in which those claims can survive dismissal.
The ruling from the U.S. Court of Appeals for the Fifth Circuit offers a reprieve for companies that face a bevy of lawsuits stemming from data events and data breaches, but attorneys say it doesn’t absolve them of responsibility.
Businesses must still guard driver’s license information carefully and ensure that it’s not disclosed because breaches or accidental disclosures can trigger common law claims as well as claims involving other privacy statutes, lawyers say.
The New Orleans-based Fifth Circuit last month affirmed the dismissal of a proposed class action seeking over $69 billion in damages from insurance software company Vertafore Inc., which allegedly stored customer driver’s license information online in an unsecure manner. The court said the plaintiffs’ complaint failed to sufficiently allege that the company knowingly disclosed the personal information, as required by the Driver’s Privacy Protection Act.
The Fifth Circuit has appellate jurisdiction over district courts in Texas, Louisiana, and Mississippi, but attorneys say the decision is likely to have an impact on similar litigation in courts across the country.
The law has been attractive to plaintiffs because of the potential for high fees, said Rafael Langer-Osuna, a partner at Squire Patton Boggs in San Francisco who represented Vertafore in the litigation. It provides for liquidated damages of at least $2,500 per violation.
“Plaintiffs have been making this reach for a long time,” Langer-Osuna said. “Now they’ll be forced to rely on statutes that actually relate to the data breach context.”
Attorneys representing the customers who sued Vertafore didn’t respond to requests for comment.
The Driver’s Privacy Protection Act, enacted in 1994, prohibits the disclosure of personal information without consent, with some exceptions. It was passed to safeguard people’s privacy and safety and to regulate the disclosure of personal information by state Departments of Motor Vehicles—not to penalize companies in the wake of a data event, as is the case here, said Kristin Bryan, a Squire Patton Boggs partner in Cleveland who also represented Vertafore.
To successfully bring claims under the statute, plaintiffs must allege a knowing disclosure. The Fifth Circuit rightly recognized that a purported mismanagement of information—such as storing driver’s license data on unprotected servers—doesn’t clear that bar, Bryan said.
“Although the DPPA isn’t a statute litigated as frequently as a law like the Biometric Information Privacy Act,” she added, referring to an Illinois privacy law, “a wave of DPPA cases has been gradually building. This decision is a watershed moment in data privacy litigation, and it puts a stop to overreach by attorneys broadly relying on the DPPA as an appropriate theory of liability.”
The Fifth Circuit’s ruling makes it harder for plaintiffs to bring lawsuits in a data event or data breach context, but companies should take the opinion as a reminder to properly protect personal information, whether it’s home addresses or driver’s license numbers, said Michael Bahar, a partner at Eversheds Sutherland in Washington.
“As a general rule, only collect personal information that you really need and keep it no longer than necessary,” he said. “It’s worth cleaning out the attic—extra data is a liability if you get hacked or it’s misplaced.”
Plus, even if a particular fumbling of driver’s license data isn’t eligible for class action litigation under the DPPA, it can still trigger states’ breach reporting requirements and leave businesses open to regulatory scrutiny and other types of lawsuits, Bahar said.
Common law claims such as negligence may also abound in the wake of data falling into the hands of the wrong people, said David Straite, a partner at DiCello Levitt Gutzler in New York who primarily represents consumers.
While the Fifth Circuit found that storage on an unsecure server doesn’t equal a knowing disclosure, it’s not unreasonable to assume that if the facts had been changed slightly, it may have decided differently, Straite said.
“Perhaps a more liberal court would disagree—courts other than the Fifth Circuit might be more sympathetic at the pleading stage,” he said. “This is something that’s still being tested, and courts will look to other statutes for guidance.”
Class action litigation under the DPPA is likely a result of the United States’ patchwork of privacy laws, with few providing for limited private rights of action, said Cynthia Cole, a partner at Baker Botts LLP in Palo Alto, Calif.
“If what legislators are trying to do is protect information, then statutes need to include an obligation to protect data and not just the issue of intentional disclosure,” Cole said. “In most data breach cases, it’s not like a company is trying to purposely disclose that information—they’re just trying to safely store it.”
And while bad actors may be able to do little with a driver’s license number alone, that information in combination with an individual’s Social Security number and other personal information can be exploited for identity theft and other forms of fraud, Bahar said.
“Companies might say, one day this driver’s license information could be valuable,” he said. “But they should also recognize that one day it may turn out to be incredibly costly if it’s mishandled or breached.”