The December 15, 2011 decision in Cook v. ACS State & Local Solutions, Inc. (Case No. 10-3818) from the United States Court of Appeals for the Eighth Circuit is the latest ruling permitting bulk obtainment of data under the Driver’s Privacy Protection Act (“DPPA”). Since 2002, plaintiffs have filed lawsuits against the consumer data industry in an effort to obtain damages for legitimate uses under the DPPA. All but two courts, however, have consistently rejected plaintiff’s position that the DPPA prohibits the bulk obtaining of regulated data for the sole purpose of reselling data to individual users who have a permitted use. With recent decisions from the Fifth, Sixth, Seventh, Eighth, and Ninth Circuits, the issue may be finally resolved.
Congress enacted the DPPA in 1994 in response to safety concerns about the access and disclosure of personal information and the use of this information for commercial purposes by direct marketers. The DPPA generally prohibits any state department of motor vehicles from “knowingly disclos[ing] or otherwise mak[ing] available to any person or entity personal information . . . about any individual obtained by the department in connection with a motor vehicle record.” 18 U.S.C. § 2721(a). The DPPA applies not only to states; it prohibits private individuals from knowingly “obtain[ing] or disclos[ing] personal information, from a motor vehicle record, for any use not permitted under section 2721(b).” 18 U.S.C. § 2722(a). The DPPA also regulates the resale and redisclosure of drivers’ personal information by “authorized recipients.” 18 U.S.C. § 2721(c). The DPPA’s general prohibition on disclosure is subject to a number of exceptions, including fourteen enumerated uses for which disclosure is permissible. 18 U.S.C. § 2721(b).
The DPPA attracted the attention of plaintiffs’ counsel after a 2002 Iowa Supreme Court decision that held that pure resellers (i.e., companies that do not use the information directly) are prohibited by the DPPA. Locate.Plus.Com, Inc. v. Iowa Dept. of Transp., 650 N.W.2d 609 (Iowa 2002). Plaintiffs’ counsel was attracted to DPPA litigation because the law provides for statutory damages of $2,500 per violation, attorney’s fees, and injunctive relief.
This past week, the Supreme Court Task Force on Commercial Dockets released its final report titled Report and Recommendations of The Supreme Court of Ohio Task Force on Commercial Dockets (“Report”). The late Chief Justice Thomas J. Moyer created the Supreme Court Task Force on Commercial Dockets in 2007 to address the often time-consuming litigation of business-to business disputes. The “key goals of the commercial docket are to have knowledgeable judges readily available to meet with counsel for injunction and discovery hearings and overall case management; to produce timely decisions; and to develop a greater body of reported case law to guide business lawyers and their clients.” (Report, p. 17). Chief Justice Moyer charged the Task Force with assessing the best methods of handling commercial litigation in the Ohio courts of common pleas. In January 2009, as part of the commercial docket pilot program, the courts of common pleas in Hamilton, Franklin, Cuyahoga, and Lucas Counties implemented commercial dockets, on which two judges in each of the four counties agreed to serve as the commercial docket judges.
The Task Force Report contains 27 recommendations, including the recommendation that commercial dockets be established permanently in any eligible court of common pleas. Report, p. 5. A court of common pleas would be eligible to have a commercial docket if it “(1) has six or more general division judges or (2) is located in a county that has a population of 300,000 or more according to the latest federal decennial census.” Report, p. 6. The Task Force, however, recommends that participation be voluntary to ensure that participating judges and courts are interested and committed to the commercial docket. Report, p. 7. In addition to the four counties that participated in the commercial docket pilot program, the other counties that are currently eligible to have a commercial docket include Butler, Lorain, Montgomery, Stark, and Summit. Report, p. 7.
The Third Circuit splits with other federal courts in finding that risk of identity theft does not confer standing to bring a suit for data breach in Reilly v. Ceridian Corporation, Case No. 11-1738 (3rd Cir. Dec. 12, 2011), http://www.ca3.uscourts.gov/opinarch/111738p.pdf. The Third Circuit followed the reasoning applied in early cases, e.g., Key v. DSW, Inc., 454 F.Supp.2d 684, 690 (S.D. Ohio 2006), to find that an alleged increase in future risk of harm was insufficient. The Court apparently split however with the 1st, 7th and 9th Circuit Courts which found standing found where plaintiff alleged an increased risk of future harm, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007).
Ceridian is a payroll processing firm that collected personal and financial information about its customers’ employees. In December 2009, an unknown hacker infiltrated Ceridian’s “Powerpay” system, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. Employees of one of Ceridian’s customers brought the suit. The lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.
In its ruling, the U.S. Court of Appeals for the Third Circuit upheld a District Court decision dismissing the case, finding that these asserted injuries were too speculative to give the plaintiffs standing to bring a federal lawsuit. The Third Circuit focused on established “standing law” which requires the invasion of a legally protected interest that is both “concrete and particularized,” and “actual or imminent, not conjectural or hypothetical.” The Third Circuit wrote “Here, no evidence suggests that the data has been—or will ever be—misused.” “The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants’ allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.”
Next Page »
