Erik H. Gordon, Plaintiff-Appellant,
Softech International, Inc., Reid Rodriguez, Arcanum Investigations, Inc., Dan Cohn, Defendants-Cross-Claimants-Cross -Defendants -Appellees, Aron Leifer, aka Jack Loren, Bodyguards.com, Defendants-Cross-Defendants-Cross-Claimants.
Argued: January 7, 2013
Corrected: August 1, 2013
Appeal from a judgment of the United States District Court for the Southern District of New York (Berman, J.) dismissing plaintiff-appellant's claim that his personal information was wrongfully disclosed in violation of the Driver's Privacy Protection Act, 18 U.S.C. §§ 2721-2725, and granting summary judgment in favor of defendants-cross-claimants-cross-defendants-appellees. We conclude that questions of material fact preclude summary judgment as to certain claims.
Justin M. Sher (Yuriko Tada, on the brief), Sher Tremonte LLP, New York, New York, for Plaintiff-Appellant.
Coleen F. Middleton, Wilson Elser Moskowitz Edelman & Dicker LLP, New York, New York (Gregory Saracino, on the brief), Milber, Makris, Plousadis & Seiden, LLP, White Plains, New York, for Defendants-Cross-Claimants-Cross-Defendants-Appellees.
Joseph V. DeMarco, DeVore & DeMarco LLP, New York, New York, for Amicus Curiae Identity Theft Resource Center and The Federal Law Enforcement Officers Association.
Marc Rotenberg, Alan Butler, David Jacobs, Washington, District of Columbia, for Amicus Curiae Electronic Privacy Information Center.
Ronald I. Raether, Jr., Faruki Ireland & Cox P.L.L., Dayton, Ohio, for Amicus Curiae The Coalition for Sensible Public Records Access and The Consumer Data Industry Association.
Before: Jacobs, Chief Judge, and Pooler and Chin, Circuit Judges. [*]
Chin, Circuit Judge.
In 1994, Congress enacted the Driver's Privacy Protection Act (the "DPPA"). As its name suggests, the DPPA, with limited exceptions, protects drivers' privacy by prohibiting state motor vehicle departments and others from disclosing "personal information" drawn from motor vehicle records.
In this case, defendant Aron Leifer, a private citizen, engaged in a verbal altercation with the driver of a motor vehicle. Miffed, he wrote down the license plate number of the car. Using an online private investigative service and paying a fee of just $39.00, Leifer was later able to use the license plate number to obtain the name and home address of the vehicle's owner, plaintiff-appellant Erik H. Gordon. Leifer then embarked on a campaign to harass Gordon and his family.
Gordon commenced this action below against Leifer and the entities and individuals who obtained the information from the New York State Department of Motor Vehicles and released it, ultimately, to Leifer. Gordon asserted claims under the DPPA and state law. Gordon eventually settled his claims against Leifer, but the district court (Berman, J.) dismissed his claims against the remaining defendants on summary judgment. Gordon appeals. We affirm in part and vacate and remand in part.
A. Statutory Framework
Congress passed the DPPA in 1994. See Pub. L. No. 103-322, tit. XXX (codified as amended at 18 U.S.C. §§ 2721-2725). The DPPA generally restricts state departments of motor vehicles ("DMVs") from disclosing personal information drawn from motor vehicle records. 18 U.S.C. § 2721(a); see also Reno v. Condon, 528 U.S. 141, 149-50 (2000) (upholding constitutionality of DPPA). Similarly, private citizens or entities ordinarily may not obtain, disclose, or resell personal information unless permitted by statute. 18 U.S.C. §§ 2722(a), 2721(c). Notwithstanding these default rules of non-disclosure, the DPPA identifies fourteen "permissible uses" -- exceptions from the default rule -- for which personal information may be obtained, disclosed, used, or resold. Id. § 2721(b)-(c). Penalties, both civil and criminal, enforce "the rights of private citizens to be left alone." 139 Cong. Rec. S15766 (daily ed. Nov. 16, 1993) (statement of Sen. Harkin), available at 1993 WL 470986; id. at S15765 (statement of Sen. Robb) (noting that DPPA "would place safeguards on the privacy of the driver and vehicle owners"); see also 18 U.S.C. §§ 2723-2724.
The DPPA was enacted following the highly publicized murder of an actress, whose stalker-cum-assailant had received her home address through an information request at a local DMV. Andrea Ford, "Fan Convicted of Murder in Actress' Slaying, " L.A. Times, Oct. 30, 1991; see also, e.g., 139 Cong. Rec. E2747 (daily ed. Nov. 3, 1993) (statement of Rep. Moran), available at 1993 WL 448643. During the floor debate, members of Congress emphasized that personal information accessed from state DMVs was often used in connection with criminal or threatening behavior. See, e.g., 139 Cong. Rec. E2747 (daily ed. Nov. 3, 1993) (statement of Rep. Moran), available at 1993 WL 448643; 139 Cong. Rec. S15762, S15766 (daily ed. Nov. 16, 1993) (statements of Sen. Boxer and Sen. Harkin), available at 1993 WL 470986. The DPPA was therefore enacted to limit the disclosure of personal information drawn from motor vehicle records and to prevent its misuse.
B. Data Brokers & Resellers
Defendant-appellee Reid Rodriguez is the co-owner and Chief Operating Officer of defendant-appellee Softech International, Inc. (together, "Softech"). Softech acts as a "gateway, " providing access to motor vehicle records of all fifty states, the District of Columbia, Puerto Rico, and six provinces in Canada. See "MVR (Driving Records), " Softech International Inc., http://www.softechinternational .com/products_mvrdr.html (last visited July 29, 2013). A data broker, Softech "collect[s] information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their consumers for various purposes." Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, at 68 (Mar. 2012), available at http://www.ftc.gov/os/2012/03/ 120326privacyreport.pdf. Information aggregated by entities such as Softech can aid law enforcement actions. Disclosures, however, may also be made to private citizens or entities, and individuals are often unaware that their personal information is being aggregated and sold. See id.
Defendant-appellee Dan Cohn owns and operates defendant-appellee Arcanum Investigations (together, "Arcanum"), a private investigation service. By agreement, Softech provides Arcanum with access to its motor vehicle records; Arcanum represents that it and, to the extent it resells this information, any end user will use the information in a manner permitted by law.
Arcanum owns and operates Docusearch.com. For a small fee, Docusearch.com provides its users with the personal information associated with, for example, a license plate number. When a Docusearch.com user inputs a New York State license plate number, Arcanum provides that number to Softech and requests the associated motor vehicle record for private investigative purposes. Arcanum cannot access New York State motor vehicle records directly from the state DMV, and hence it requests this information from Softech. Then, pursuant to their agreement, Softech relays the motor vehicle record for that license plate number to Arcanum. Arcanum, through the Docusearch.com website, then provides that information to its customer.
Thus, Arcanum and Softech are both resellers (together, the "Resellers") of personal information drawn from motor vehicle records.
C. The Facts
Except as noted below, we construe the facts in the light most favorable to Gordon, the party opposing summary judgment. On the evening of October 10, 2009, Gordon was dining at a restaurant in New York City. His driver waited outside in Gordon's car, a vintage London taxicab. Its New York State license plate was registered in Gordon's name.
Leifer was parked across the street in an SUV. He and Gordon's driver engaged in a brief verbal altercation. Gordon's driver drove away, but Leifer gave chase. Gordon's driver then drove to a police precinct on East 67th Street and waited for Leifer to leave the area. The driver then returned to wait for Gordon outside the restaurant.
The parties dispute whether the two cars collided that evening. Leifer claimed that they did, but he never contacted the police or filed an insurance claim. At some point that night, Leifer wrote down the license plate number of Gordon's vehicle.
The next day, on October 11, 2009, Leifer input Gordon's license plate number on Docusearch.com. From a dropdown menu of purposes deemed by Docusearch.com to be permissible under the DPPA, Leifer selected "Insurance Other." A popup window noted:
You are required to select a DPPA Permissible Purpose. By imputting [sic] your response, you hereby certify that you are in, and assume full responsibility for, compliance with the Driver's Privacy Protection Act of 1994 (DPPA) and you agree to indemnify, defend and hold Docusearch harmless from any breach of the DPPA by you, your agents or contractors and any damages, fees and costs associated therewith.
Leifer clicked "OK." To finalize the purchase, Docusearch.com requested his personal information. Leifer provided an alias -- "Jack Loren" -- and stated that he worked for a business, later discovered to be defunct, called Bodyguards.com. He also provided a credit card number, which he represented was issued to "Jack Loren" when, in fact, it was issued in Leifer's own name. Finally, mere hours after making a $39.00 payment, Leifer received Gordon's name and home address.
Using this information, Leifer executed a series of Internet searches and identified Gordon's phone number, the members of Gordon's family and acquaintances, and their contact information. Leifer then called Gordon's assistant, his mother, and his father's secretary. During these calls, Leifer made threatening comments, which included, to Gordon's mother, the false allegation that Gordon had sexually assaulted a woman. Leifer does not deny making phone calls, but asserts that, due to the alleged collision, he merely tried to contact Gordon to request his insurance information.
D. Procedural History
Gordon's amended complaint dated January 5, 2011 alleged that Leifer and the Resellers had violated the DPPA. Specifically, Gordon contended that Leifer had misused his personal information and that the Resellers either unreasonably disclosed it or were strictly liable for Leifer's misdeeds. Defendants jointly filed a motion to dismiss in March 2011, which the district court denied. See Gordon v. Softech Int'l Inc., No. 10 Civ. 5162, 2011 WL 1795300 (S.D.N.Y. Apr. 28, 2011).
After discovery, the parties cross-moved for summary judgment. In a November 30, 2011 Decision & Order, the district court denied Gordon's motion for summary judgment, but granted in part and denied in part the motion filed jointly by Resellers and Leifer. Without addressing Gordon's alternative theory that Resellers were subject to a duty of reasonable inquiry, the court concluded that, as a matter of law, Resellers could not be strictly liable for Leifer's alleged DPPA violation and granted summary judgment in favor of the Resellers. Gordon v. Softech Int'l, Inc., 828 F.Supp.2d 665, 675-76 (S.D.N.Y. 2011). As to Leifer, however, the district court concluded that material questions of fact precluded summary judgment regarding his liability under the DPPA. Id. at 673-74.
On December 8, 2011, Gordon filed a letter seeking a conference to request reconsideration of the district court's decision. Gordon argued that "a genuine issue of material fact exist[ed] as to whether the Resellers' conduct in relying on the end-user's representations . . . constitute[d] a willful or reckless violation" of the DPPA. The district court subsequently set a trial date for Gordon's claim against Leifer while also noting that "the trial date of course is without prejudice to your application for reconsideration." Before trial, Gordon and Leifer settled their dispute.
By a January 17, 2012 order, the district court discontinued the "above-entitled action." On February 15, 2012, in response to an inquiry from Gordon, the district court issued a Decision & Order stating that the motion for reconsideration had been discontinued by its prior order "as it was rendered moot when the parties settled." It further noted that, even if the motion were not moot, it "would have been denied for substantially the same reasons set forth" in the court's earlier decision.
On February 16, 2012, Gordon appealed from the district court's (1) grant of summary judgment to Resellers, (2) order of discontinuance, and (3) denial of the motion of reconsideration.
Undisputedly, Softech disclosed Gordon's personal information, drawn from a motor vehicle record, to Arcanum, which then disclosed it to Leifer. Assuming Leifer used the information for improper purposes, we now consider whether Resellers may be liable to Gordon under the DPPA, and, if so, the circumstances under which liability may arise.
A. Applicable Law
1. Standard of ...