July 31, 2013
Erik H. Gordon, Plaintiff-Appellant,
Softech International, Inc., Reid Rodriguez, Arcanum Investigations, Inc., Dan Cohn, Defendants-Cross-Claimants-Cross -Defendants -Appellees, Aron Leifer, aka Jack Loren, Bodyguards.com, Defendants-Cross-Defendants-Cross-Claimants.
Argued: January 7, 2013
Corrected: August 1, 2013
Appeal from a judgment of the United States District Court for the Southern District of New York (Berman, J.) dismissing plaintiff-appellant's claim that his personal information was wrongfully disclosed in violation of the Driver's Privacy Protection Act, 18 U.S.C. §§ 2721-2725, and granting summary judgment in favor of defendants-cross-claimants-cross-defendants-appellees. We conclude that questions of material fact preclude summary judgment as to certain claims.
Justin M. Sher (Yuriko Tada, on the brief), Sher Tremonte LLP, New York, New York, for Plaintiff-Appellant.
Coleen F. Middleton, Wilson Elser Moskowitz Edelman & Dicker LLP, New York, New York (Gregory Saracino, on the brief), Milber, Makris, Plousadis & Seiden, LLP, White Plains, New York, for Defendants-Cross-Claimants-Cross-Defendants-Appellees.
Joseph V. DeMarco, DeVore & DeMarco LLP, New York, New York, for Amicus Curiae Identity Theft Resource Center and The Federal Law Enforcement Officers Association.
Marc Rotenberg, Alan Butler, David Jacobs, Washington, District of Columbia, for Amicus Curiae Electronic Privacy Information Center.
Ronald I. Raether, Jr., Faruki Ireland & Cox P.L.L., Dayton, Ohio, for Amicus Curiae The Coalition for Sensible Public Records Access and The Consumer Data Industry Association.
Before: Jacobs, Chief Judge, and Pooler and Chin, Circuit Judges. [*]
Chin, Circuit Judge.
In 1994, Congress enacted the Driver's Privacy Protection Act (the "DPPA"). As its name suggests, the DPPA, with limited exceptions, protects drivers' privacy by prohibiting state motor vehicle departments and others from disclosing "personal information" drawn from motor vehicle records.
In this case, defendant Aron Leifer, a private citizen, engaged in a verbal altercation with the driver of a motor vehicle. Miffed, he wrote down the license plate number of the car. Using an online private investigative service and paying a fee of just $39.00, Leifer was later able to use the license plate number to obtain the name and home address of the vehicle's owner, plaintiff-appellant Erik H. Gordon. Leifer then embarked on a campaign to harass Gordon and his family.
Gordon commenced this action below against Leifer and the entities and individuals who obtained the information from the New York State Department of Motor Vehicles and released it, ultimately, to Leifer. Gordon asserted claims under the DPPA and state law. Gordon eventually settled his claims against Leifer, but the district court (Berman, J.) dismissed his claims against the remaining defendants on summary judgment. Gordon appeals. We affirm in part and vacate and remand in part.
A. Statutory Framework
Congress passed the DPPA in 1994. See Pub. L. No. 103-322, tit. XXX (codified as amended at 18 U.S.C. §§ 2721-2725). The DPPA generally restricts state departments of motor vehicles ("DMVs") from disclosing personal information drawn from motor vehicle records. 18 U.S.C. § 2721(a); see also Reno v. Condon, 528 U.S. 141, 149-50 (2000) (upholding constitutionality of DPPA). Similarly, private citizens or entities ordinarily may not obtain, disclose, or resell personal information unless permitted by statute. 18 U.S.C. §§ 2722(a), 2721(c). Notwithstanding these default rules of non-disclosure, the DPPA identifies fourteen "permissible uses" -- exceptions from the default rule -- for which personal information may be obtained, disclosed, used, or resold. Id. § 2721(b)-(c). Penalties, both civil and criminal, enforce "the rights of private citizens to be left alone." 139 Cong. Rec. S15766 (daily ed. Nov. 16, 1993) (statement of Sen. Harkin), available at 1993 WL 470986; id. at S15765 (statement of Sen. Robb) (noting that DPPA "would place safeguards on the privacy of the driver and vehicle owners"); see also 18 U.S.C. §§ 2723-2724.
The DPPA was enacted following the highly publicized murder of an actress, whose stalker-cum-assailant had received her home address through an information request at a local DMV. Andrea Ford, "Fan Convicted of Murder in Actress' Slaying, " L.A. Times, Oct. 30, 1991; see also, e.g., 139 Cong. Rec. E2747 (daily ed. Nov. 3, 1993) (statement of Rep. Moran), available at 1993 WL 448643. During the floor debate, members of Congress emphasized that personal information accessed from state DMVs was often used in connection with criminal or threatening behavior. See, e.g., 139 Cong. Rec. E2747 (daily ed. Nov. 3, 1993) (statement of Rep. Moran), available at 1993 WL 448643; 139 Cong. Rec. S15762, S15766 (daily ed. Nov. 16, 1993) (statements of Sen. Boxer and Sen. Harkin), available at 1993 WL 470986. The DPPA was therefore enacted to limit the disclosure of personal information drawn from motor vehicle records and to prevent its misuse.
B. Data Brokers & Resellers
Defendant-appellee Reid Rodriguez is the co-owner and Chief Operating Officer of defendant-appellee Softech International, Inc. (together, "Softech"). Softech acts as a "gateway, " providing access to motor vehicle records of all fifty states, the District of Columbia, Puerto Rico, and six provinces in Canada. See "MVR (Driving Records), " Softech International Inc., http://www.softechinternational .com/products_mvrdr.html (last visited July 29, 2013). A data broker, Softech "collect[s] information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their consumers for various purposes." Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, at 68 (Mar. 2012), available at http://www.ftc.gov/os/2012/03/ 120326privacyreport.pdf. Information aggregated by entities such as Softech can aid law enforcement actions. Disclosures, however, may also be made to private citizens or entities, and individuals are often unaware that their personal information is being aggregated and sold. See id.
Defendant-appellee Dan Cohn owns and operates defendant-appellee Arcanum Investigations (together, "Arcanum"), a private investigation service. By agreement, Softech provides Arcanum with access to its motor vehicle records; Arcanum represents that it and, to the extent it resells this information, any end user will use the information in a manner permitted by law.
Arcanum owns and operates Docusearch.com. For a small fee, Docusearch.com provides its users with the personal information associated with, for example, a license plate number. When a Docusearch.com user inputs a New York State license plate number, Arcanum provides that number to Softech and requests the associated motor vehicle record for private investigative purposes. Arcanum cannot access New York State motor vehicle records directly from the state DMV, and hence it requests this information from Softech. Then, pursuant to their agreement, Softech relays the motor vehicle record for that license plate number to Arcanum. Arcanum, through the Docusearch.com website, then provides that information to its customer.
Thus, Arcanum and Softech are both resellers (together, the "Resellers") of personal information drawn from motor vehicle records.
C. The Facts
Except as noted below, we construe the facts in the light most favorable to Gordon, the party opposing summary judgment. On the evening of October 10, 2009, Gordon was dining at a restaurant in New York City. His driver waited outside in Gordon's car, a vintage London taxicab. Its New York State license plate was registered in Gordon's name.
Leifer was parked across the street in an SUV. He and Gordon's driver engaged in a brief verbal altercation. Gordon's driver drove away, but Leifer gave chase. Gordon's driver then drove to a police precinct on East 67th Street and waited for Leifer to leave the area. The driver then returned to wait for Gordon outside the restaurant.
The parties dispute whether the two cars collided that evening. Leifer claimed that they did, but he never contacted the police or filed an insurance claim. At some point that night, Leifer wrote down the license plate number of Gordon's vehicle.
The next day, on October 11, 2009, Leifer input Gordon's license plate number on Docusearch.com. From a dropdown menu of purposes deemed by Docusearch.com to be permissible under the DPPA, Leifer selected "Insurance Other." A popup window noted:
You are required to select a DPPA Permissible Purpose. By imputting [sic] your response, you hereby certify that you are in, and assume full responsibility for, compliance with the Driver's Privacy Protection Act of 1994 (DPPA) and you agree to indemnify, defend and hold Docusearch harmless from any breach of the DPPA by you, your agents or contractors and any damages, fees and costs associated therewith.
Leifer clicked "OK." To finalize the purchase, Docusearch.com requested his personal information. Leifer provided an alias -- "Jack Loren" -- and stated that he worked for a business, later discovered to be defunct, called Bodyguards.com. He also provided a credit card number, which he represented was issued to "Jack Loren" when, in fact, it was issued in Leifer's own name. Finally, mere hours after making a $39.00 payment, Leifer received Gordon's name and home address.
Using this information, Leifer executed a series of Internet searches and identified Gordon's phone number, the members of Gordon's family and acquaintances, and their contact information. Leifer then called Gordon's assistant, his mother, and his father's secretary. During these calls, Leifer made threatening comments, which included, to Gordon's mother, the false allegation that Gordon had sexually assaulted a woman. Leifer does not deny making phone calls, but asserts that, due to the alleged collision, he merely tried to contact Gordon to request his insurance information.
D. Procedural History
Gordon's amended complaint dated January 5, 2011 alleged that Leifer and the Resellers had violated the DPPA. Specifically, Gordon contended that Leifer had misused his personal information and that the Resellers either unreasonably disclosed it or were strictly liable for Leifer's misdeeds. Defendants jointly filed a motion to dismiss in March 2011, which the district court denied. See Gordon v. Softech Int'l Inc., No. 10 Civ. 5162, 2011 WL 1795300 (S.D.N.Y. Apr. 28, 2011).
After discovery, the parties cross-moved for summary judgment. In a November 30, 2011 Decision & Order, the district court denied Gordon's motion for summary judgment, but granted in part and denied in part the motion filed jointly by Resellers and Leifer. Without addressing Gordon's alternative theory that Resellers were subject to a duty of reasonable inquiry, the court concluded that, as a matter of law, Resellers could not be strictly liable for Leifer's alleged DPPA violation and granted summary judgment in favor of the Resellers. Gordon v. Softech Int'l, Inc., 828 F.Supp.2d 665, 675-76 (S.D.N.Y. 2011). As to Leifer, however, the district court concluded that material questions of fact precluded summary judgment regarding his liability under the DPPA. Id. at 673-74.
On December 8, 2011, Gordon filed a letter seeking a conference to request reconsideration of the district court's decision. Gordon argued that "a genuine issue of material fact exist[ed] as to whether the Resellers' conduct in relying on the end-user's representations . . . constitute[d] a willful or reckless violation" of the DPPA. The district court subsequently set a trial date for Gordon's claim against Leifer while also noting that "the trial date of course is without prejudice to your application for reconsideration." Before trial, Gordon and Leifer settled their dispute.
By a January 17, 2012 order, the district court discontinued the "above-entitled action." On February 15, 2012, in response to an inquiry from Gordon, the district court issued a Decision & Order stating that the motion for reconsideration had been discontinued by its prior order "as it was rendered moot when the parties settled." It further noted that, even if the motion were not moot, it "would have been denied for substantially the same reasons set forth" in the court's earlier decision.
On February 16, 2012, Gordon appealed from the district court's (1) grant of summary judgment to Resellers, (2) order of discontinuance, and (3) denial of the motion of reconsideration.
Undisputedly, Softech disclosed Gordon's personal information, drawn from a motor vehicle record, to Arcanum, which then disclosed it to Leifer. Assuming Leifer used the information for improper purposes, we now consider whether Resellers may be liable to Gordon under the DPPA, and, if so, the circumstances under which liability may arise.
A. Applicable Law
1. Standard of Review
Summary judgment is appropriate when "there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(a). We review de novo a district court's grant of summary judgment after construing all evidence, and drawing all reasonable inferences, in favor of the non-moving party. See, e.g., McElwee v. Cnty. of Orange, 700 F.3d 635, 640 (2d Cir. 2012). Furthermore, our review of a district court's interpretation of a federal statute is also de novo. See, e.g., Muller v. Costello, 187 F.3d 298, 307 (2d Cir. 1999).
2. Rules of Construction
When construing a statute, we begin with the plain meaning and give all undefined terms their ordinary construction. See Schindler Elevator Corp. v. United States ex rel. Kirk, 131 S.Ct. 1885, 1891 (2011); United States v. Desposito, 704 F.3d 221, 226 (2d Cir. 2013). We are mindful, of course, that "[a]n exception to a general statement of policy is usually read narrowly in order to preserve the primary operation of the provision." Maracich v. Spears, 133 S.Ct. 2191, 2200 (2013) (omission, quotation, and internal quotation marks omitted). Our analysis, "absent ambiguity, will generally end there." Collazos v. United States, 368 F.3d 190, 196 (2d Cir. 2004).
If, however, the statute is ambiguous, "we focus upon the broader context and primary purpose of the statute." Castellano v. City of N.Y., 142 F.3d 58, 67 (2d Cir. 1998) (internal quotation marks omitted). In so doing, we may turn to the legislative history as a reflection of congressional intent. See Puello v. Bureau of Citizenship & Immigration Servs., 511 F.3d 324, 327 (2d Cir. 2007). In all events, however, we must construe the statute "so that no part will be inoperative or superfluous, void or insignificant." Corley v. United States, 556 U.S. 303, 314 (2009) (quotation omitted).
3. The DPPA
Under the DPPA, state DMVs, individuals, organizations, and entities may not disclose "personal information" drawn from motor vehicle records unless permitted by statute. 18 U.S.C. §§ 2721(a) (state entities), 2722(a) (private individuals and entities); see also Reno, 528 U.S. at 149-50 (upholding constitutionality of DPPA). The default rule is one of non-disclosure, but the statute also identifies fourteen exceptions -- "permissible uses" -- for which disclosure is allowed. See 18 U.S.C. § 2721(b). In relevant part,
Personal information [protected by the DPPA] . . . may be disclosed as follows:
(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
(8) For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
Id. § 2721(b)(6), (8).
The DPPA also regulates the resale and redisclosure of protected personal information:
An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(11) or (12)).
Id. § 2721(c). "Authorized recipient" is not defined by statute. But see Reno, 528 U.S. at 146 (citing section 2721(c) and declaring that DPPA regulates resale and redisclosure by "private persons who have obtained [drivers' personal] information from a state DMV").
The DPPA creates a civil cause of action for those whose information has been improperly used or disclosed. See 18 U.S.C. § 2724(a). Certain civil remedies may be imposed against any "person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted" by the DPPA. Id. These remedies vary; the court may award:
(1)actual damages, but not less than liquidated damages in the amount of $2, 500;
(2)punitive damages upon proof of willful or reckless disregard of the law;
(3)reasonable attorneys' fees and other litigation costs reasonably incurred; and
(4) such other preliminary and equitable relief as the court determines to be appropriate.
Id. § 2724(b).
Gordon argues that the Resellers are subject to civil penalties under the DPPA. First, Gordon contends that the Resellers should be strictly liable for misuses of his information by downstream recipients. Second, in the alternative, Gordon asserts that Resellers are liable because of their own actions: (a) Resellers disclosed his information for a use that was not expressly permitted by the DPPA, and (b) Resellers did not exercise due care when releasing his personal information. We address each argument in turn.
1. Strict Liability for Downstream Acts
Gordon primarily argues that Resellers should be held strictly liable for civil penalties based on Leifer's improper use of Gordon's personal information. We conclude that a strict liability standard is inconsistent with the DPPA as a whole and would frustrate its legislative aims.
The text of the DPPA does not support -- either explicitly or implicitly -- a strict liability standard. Although, as described below, the text and structure of the DPPA can be read to support a duty of reasonable inquiry, nothing in the DPPA suggests that a reseller is responsible, regardless of whether it is at fault, for an end user's misuse of personal information. Moreover, no case law interpreting the DPPA suggests that a reseller could be strictly liable for downstream violations by another party. But cf. Pichler v. UNITE, 542 F.3d 380, 396-97 (3d Cir. 2008) (end user liable for own actions, even if it did not know those actions would violate DPPA).
We note, moreover, that strict liability offenses, while "not unknown to the criminal law, " are "generally disfavored." United States v. U.S. Gypsum Co., 438 U.S. 422, 437-38 (1978); see also United States v. Burwell, 690 F.3d 500, 505 (D.C. Cir. 2012); Am.-Arab AntiDiscrimination Comm. v. City of Dearborn, 418 F.3d 600, 610 (6th Cir. 2005). Gordon's appeal, of course, arises in the civil context, but the provision describing a criminal offense under the DPPA mirrors the language describing a civil cause of action. This similarity suggests that "knowingly" is read the same way in both provisions. See Dep't of Revenue of Or. v. ACF Indus., Inc., 510 U.S. 332, 342 (1994) ("normal rule of statutory construction" is that "identical words used in different parts of the same act are intended to have the same meaning" (quotation and internal quotation marks omitted)). But see Kirtsaeng v. John Wiley & Sons, Inc., 133 S.Ct. 1351, 1362 (2013) (acknowledging general rule, but applying different canon of interpretation). We are loathe to write strict liability into the DPPA absent a clear indication in the text or the legislative history that strict liability applies.
The notion of strict liability is also inconsistent with at least some of the congressional concerns that prompted the DPPA. The DPPA sought to "strike a critical balance between an individual's fundamental right to privacy and safety and the legitimate governmental and business needs for this information." 145 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of Rep. Moran), available at 1994 WL 140035; see also id. at H2527 (statement of Rep. Goss). Congress knew that legitimate businesses used information derived from motor vehicle records and ensured continued access to it through the DPPA. See, e.g., 139 Cong. Rec. S15762-63 (daily ed. Nov. 16, 1993) (statement of Sen. Hatch), available at 1993 WL 470986; Driver's Privacy Protection Act: Hearings on H.R. 3365 Before the Subcomm. on Civil & Constitutional Rights of the House of Rep. Comm. on the Judiciary, 103rd Cong. (Feb. 3-4, 1994). In fact, Congress was cognizant of the concerns raised by the business community, and consequently it broadened the exceptions to non-disclosure in the law. See 140 Cong. Rec. H2523 (daily ed. Apr. 20, 1994) (statement of Rep. Moran) (noting that revised DPPA addressed commercial concerns raised during subcommittee hearings), available at 1994 WL 140035.
"[W]e will not interpret a statute in a way 'that apparently frustrates the statute's goals, in the absence of a specific congressional intention otherwise.'" United States v. Livecchi, 711 F.3d 345, 351 (2d Cir. 2013) (quoting New York v. Shore Realty Corp., 759 F.2d 1032, 1045 (2d Cir. 1985)). Thus, because we conclude that neither the text nor the legislative history of the DPPA supports reading a strict liability standard into the DPPA, we hold that Resellers are not strictly liable for Leifer's improper use of Gordon's personal information.
2. Resellers' Liability Due to Their Own Actions
a. Disclosure for an Impermissible Use
Gordon contends that the Resellers disclosed his personal information for a use that was not specifically identified in the DPPA's list of fourteen exceptions. See 18 U.S.C. § 2721(b). We review the disclosure of each Reseller separately and conclude that, while Softech disclosed Gordon's personal information for a permitted use, a material question of fact exists as to the propriety of Arcanum's disclosure.
Gordon alleges that Softech disclosed his personal information to Arcanum even though Arcanum did not identify a permissible use; this argument is meritless. When Arcanum, a private investigative agency, requested Gordon's personal information from Softech, it selected "DPPA Purpose No. 8." Rodriguez Dep. 49:8-11, Feb. 16, 2011; Cohn Dep. 29:3-10, Apr. 13, 2011. This corresponds to the exception in section 2721(b)(8), "[f]or use by any licensed private investigative agency . . . for any purpose permitted under this subsection." 18 U.S.C. § 2721(b)(8); see also Rodriguez Dep. 49:12-16.
Hence, this exception includes two limiting factors: (1) the entities that may claim the exception, and (2) the purposes for which information may be requested. Arcanum's request satisfied both requirements. First, as discussed above, Arcanum was a licensed private investigative agency and therefore eligible to claim the exception. Second, Arcanum had provided Softech with an Affidavit of Intended Use that specifically identified three intended uses for the records requested, all of which complied with exceptions in section 2721(b).
When Softech accessed the New York State DMV database and provided Arcanum with Gordon's name, address, and additional information pertaining to his car, it disclosed that information pursuant to an exception in section 2721(b), to an entity eligible to invoke the exception, for three purposes permitted by the DPPA. See 18 U.S.C. § 2721(b)(8). Therefore, the district court correctly concluded as a matter of law that Softech had disclosed Gordon's personal information for a use expressly permitted by statute.
Arcanum disclosed Gordon's personal information to Leifer based on Leifer's selection of "Insurance Other" from the Docusearch.com dropdown menu. Gordon contends that "Insurance Other" did not correspond to a permitted use.
Although Resellers insist that Gordon waived this argument by failing to raise it below, we disagree. Gordon's amended complaint noted that Arcanum "disclosed . . . Gordon's personal information without a permissible use under the DPPA." Amended Complaint, ¶¶ 79, 81. This necessarily implied that Gordon challenged whether the stated use -- "Insurance Other" -- fell within the section 2721(b) exceptions. Furthermore, Gordon argued below that "to qualify under [the insurance exception] you have to either be an insurance company or a self-insured entity." Nov. 22, 2011 Tr., at 17:21-23. Counsel for Arcanum was present, but did not object. Accordingly, we determine that the issue was not waived.
Under a textual approach, "Insurance Other" does not track the language of the insurance exception, which allows a person to disclose or use DPPA-protected personal information "in connection with claims investigation activities, antifraud activities, rating or underwriting." 18 U.S.C. § 2721(b)(6). Thus, a disclosure for "Insurance Other" could be outside the scope of the statute, as the generic phrase encompasses many insurance-related activities beyond the stated activities of section 2721(b)(6). See Maracich, 133 S.Ct. at 2199-2200 (examining DPPA's litigation exception and noting that "[u]nless commanded by the text . . . these exceptions ought not operate to the farthest reach of their linguistic possibilities if that result would contravene the statutory design").
The insurance exception, moreover, may only be claimed by certain entities: an "insurer or insurance support organization, or  a self-insured entity." Id. § 2721(b)(6). When deposed, Leifer conceded that he did not work at an insurance company, and could not identify what a self-insured entity or an insurance support organization was. Leifer Dep. 81:22 to 82:19, July 12, 2011. Arcanum has pointed to nothing in the record to suggest that Leifer was, in fact, eligible to request information pursuant to that exception. Thus, even if we were to assume that a collision had occurred, an insurance claim had accrued, and "Insurance Other" was coterminous with section 2721(b)(6), a reasonable jury could easily find that Leifer was not eligible to request information pursuant to the insurance exception.
The Resellers insist that "Insurance Other" covered all insurance-related uses, but only to the extent contemplated by the exception in section 2721(b)(6). This argument relies on the fact that each Docusearch.com customer certified that it was "in, and assume[d] full responsibility for, compliance with the Driver's Privacy
Protection Act of 1994" by clicking "OK" on a pop-up window. Furthermore, the customer also checked a box, thereby consenting to the terms of a "Client Agreement, " in which the customer "represent[ed] and warrant[ed] that it will provide Docusearch with accurate and complete information regarding the searches requested, and that search results will not be used for any purpose other than the purpose stated to Docusearch."
We need not decide whether these representations sufficiently narrowed the scope of "Insurance Other"; Resellers' argument still ignores the fact that only certain entities are eligible to claim the insurance exception. Whether Leifer is one of them is determinative of Arcanum's liability. If Leifer was not eligible to claim that exception, Arcanum's disclosure would have been for a use not permitted by section 2721(b). Hence, with respect to Arcanum, we conclude that the district court erred by granting summary judgment without having first considered (1) whether Leifer was eligible to request information pursuant to the insurance exception, (2) if so, whether a collision had occurred, and (3) if so, whether an insurance claim had accrued. These material questions of fact preclude summary judgment as to Arcanum's liability.
b. Resellers' Duty of Reasonable Care: Legal Framework
Gordon further contends that, even if Resellers disclosed his personal information for what they believed to be a permitted use, they are still liable because they violated a duty of reasonable care imposed by the DPPA. Resellers contend that the DPPA imposes no such duty. Based on the language of the statute, its structure, and its legislative history, we conclude that the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records.
i. The Statutory Language
The default rule under the DPPA is non-disclosure. It is unlawful for a state DMV or any employee or officer thereof to "knowingly disclose or otherwise make available to any person or entity . . . personal information" obtained from a motor vehicle record, except as provided in section 2721(b). 18 U.S.C. § 2721(a). Resellers are subject to the same general rule of non-disclosure; with limited exceptions not relevant here, resellers "may resell or redisclose the information only for a use permitted under subsection (b)." Id. § 2721(c) (emphasis added); see also Taylor v. Acxiom Corp., 612 F.3d 325, 338 (5th Cir. 2010).
Moreover, the DPPA creates a civil cause of action for unauthorized disclosure: section 2724(a) provides that a "person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court." 18 U.S.C. § 2724(a). Logically, the language makes clear, albeit implicitly, that resellers are obliged to use some care in disclosing personal information obtained from motor vehicle records. If resellers may not disclose personal information except as permitted by the DPPA, they must be obliged to make some inquiry before concluding that disclosure is permitted. See also Roth v. Guzman, 650 F.3d 603, 618 (6th Cir. 2011) (Clay, J., dissenting) (rejecting notion that upstream source had "no actual duty . . . other than the ministerial task of soliciting rote representations from prospective requesters" of DPPA-protected personal information). It would make no sense that this obligation could be met simply by accepting an end user's mere "say-so" in the presence of red flags suggesting the requested information was being sought for an improper purpose. Under this theory, advocated by Resellers, an upstream source could always avoid liability by securing a representation that the recipient of personal information had a permissible use or by hiding behind one or more dropdown menus so that a user would always -- and could only -- select a permitted use. The civil remedies provision would be rendered toothless if resellers could insulate themselves from liability based solely on the conclusory representations of end users, without being required to exercise due care themselves.
We note also that the statute's use of the word "knowingly" is not inconsistent with the notion that some duty of care exists. Cf. id. Case law is replete with situations where knowledge contemplates what a party "knew or should have known." Negligence law in particular frequently invokes the concept of constructive knowledge when deciding whether a particular outcome was foreseeable,  and criminal law applies a similar concept when imposing criminal liability under a theory of conscious avoidance.
ii. The Structure of the Civil Penalties Provision
The structure of the DPPA also supports the conclusion that resellers owe a duty of reasonable care. The DPPA provides that a court may award "punitive damages upon proof of willful or reckless disregard of the law." 18 U.S.C. § 2724(b)(2); see also Pichler, 542 F.3d at 397 (willful or reckless disregard is when "a party appreciated it was engaging in wrongful conduct" (internal quotation marks omitted)). In contrast, the preceding subdivision provides that the court may award "actual damages, but not less than liquidated damages in the amount of $2, 500." 18 U.S.C. § 2724(b)(1). The actual damages provision is silent as to the degree of fault necessary to trigger liability for actual damages. If, however, as the statute suggests, punitive damages are available only for willful and reckless violations of the DPPA, then actual damages must require something less -- that is, conduct that is neither willful nor reckless.
As we have rejected a theory of strict liability, the most appropriate standard, in our view, is reasonableness: a reasonableness standard best harmonizes the wording, the structure, and, as discussed below, the purpose of the DPPA. Accordingly, we conclude that a reseller is liable for actual (or liquidated) damages when it fails to use reasonable care to ensure that personal information is being obtained for a permissible purpose.
We note too that the Department of Justice ("DOJ") has reached a similar conclusion. In a non-binding advisory opinion, DOJ concluded that a state DMV could release personal information to resellers "upon reasonably concluding that the information [requested by the commercial distributor] will be used for authorized purposes only." Letter from Robert C. McFetridge, Special Counsel to the Assistant Att'y Gen., Civil Div., Dep't of Justice, to Peter Sacks, Office of the Att'y Gen., The Commonwealth of Mass. (Oct. 9, 1998) (on file with the Court) [hereinafter "DOJ Letter"], at 2 (emphasis added); see also, e.g., Graczyk v. W. Publ'g Co., 660 F.3d 275, 280-81 (7th Cir. 2011) (discussing DOJ Letter), cert. denied, 132 S.Ct. 2391 (2012); Taylor, 612 F.3d at 339 (same). An entity cannot reasonably conclude that a person or entity may access DPPA-protected personal information if it does not exercise some modicum of care. See Cook v. ACS State & Local Solutions, Inc., 663 F.3d 989, 997 (8th Cir. 2011) (summarizing DOJ letter as stating that states must "reasonably conclude that the information would be used only for authorized purposes").
iii. The Legislative History
We acknowledge that there is some ambiguity in the statute. The DPPA does not explicitly provide for a duty of reasonable care, and it is silent as to the degree of fault necessary for an award of actual or liquidated damages.
Moreover, the word "knowingly, " as used in sections 2722(a) and 2724(a), is ambiguous: depending on one's reading of the statute, civil liability could attach (1) to any act committed intentionally, or (2) only for an act undertaken with knowledge of an improper purpose. For example, in Pichler v. UNITE, 542 F.3d 380 (3d Cir. 2008), the Third Circuit concluded that the end user -- a union --could be civilly liable for using DPPA-protected personal information for an improper purpose even though, at the time, the union did not know that its purpose would be deemed improper. Id. at 396-97. By contrast, in Roth v. Guzman, 650 F.3d 603 (6th Cir. 2011), the Sixth Circuit concluded that a state DMV was not subject to civil liability under the DPPA unless it actually knew that the recipient, who had represented that it had a permissible use for the requested DPPA-protected personal information, would use it for an improper purpose. Id. at 611-12. We need not resolve the disagreement, however, as both Pichler (addressing use by an end user) and Roth (addressing disclosure by the state) are distinguishable from this case, which addresses disclosure by resellers.
In light of the ambiguity in the statute, we look to its legislative history, and the legislative history supports the conclusion that resellers must exercise some degree of care. The legislative history emphasized that the DPPA would protect "an individual's fundamental right to privacy and safety." 145 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of Rep. Moran), available at 1994 WL 140035; see also id. at H2527 (statement of Rep. Goss). Protecting this right was particularly important in light of two mandates associated with driving: all drivers must register with the state, and no drivers may obscure the license plate number on their cars. See 139 Cong. Rec. S15764 (daily ed. Nov. 16, 1993) (statement of Sen. Boxer), available at 1993 WL 470986; 140 Cong. Rec. H2523 (daily ed. Apr. 20, 1994) (statement of Rep. Moran), available at 1994 WL 144035; 139 Cong. Rec. S14436 (daily ed. Oct. 26, 1993) (statement of Sen. Warner), available at 1993 WL 470986 (drivers that register with the DMV "should do so with full confidence that the information they provide will not be disclosed indiscriminately"). Because disclosures, such as the one made by Softech to Arcanum to Leifer, are often "totally incompatible with the purpose for which the information was collected, " regulating the circumstances of disclosure was of paramount importance to Congress. See 139 Cong. Rec. S15764 (daily ed. Oct. 26, 1993) (statement of Sen. Boxer), available at 1993 WL 470986.
Concerns that state actions had undermined public safety also catalyzed the enactment of the DPPA, which was passed as part of the Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, 108 Stat. 1796. Congress perceived a need to better regulate disclosure of personal information because such disclosures had been used to stalk, rob, and even kill private citizens. See, e.g., 139 Cong. Rec. E2747 (daily ed. Nov. 3, 1993) (statement of Rep. Moran), available at 1993 WL 448643; 139 Cong. Rec. S15762, S15766 (daily ed. Nov. 16, 1993) (statements of Sen. Boxer and Sen. Harkin). Assuming Gordon's allegations are true, Leifer's threats to Gordon's family and friends were precisely the sort of acts that Congress sought to curtail.
Given the nature of information available through motor vehicle records -- e.g., social security number, medical or disability information, and home address -- the DPPA's purpose would be severely undermined if resellers' disclosures were not subject to a duty of reasonable inquiry. See Reno, 528 U.S. at 151 ("The DPPA regulates the universe of entities that participate as suppliers to the market for motor vehicle information -- the States as initial suppliers of the information in interstate commerce and private resellers or redisclosers of that information in commerce." (emphasis added)). And, in light of the clear congressional intent to safeguard the privacy and safety of drivers, it is inconceivable that a dropdown menu, a check box, and a representation that no laws would be violated could satisfy any reasonable diligence floor. See 139 Cong. Rec. S15765 (daily ed. Nov. 16, 1993) (statement of Sen. Robb), available at 1993 WL 470986; see also Roth, 650 F.3d at 619 (Clay, J., dissenting) ("[T]he DPPA compels the conclusion that the Act imposes . . . a duty of reasonable inquiry."); Welch v. Jones, 770 F.Supp.2d 1253, 1260 (N.D. Fla. 2011) (no DPPA violation in reseller's disclosure where recipient identified its permissible use under penalties of perjury, and reseller verified recipient's identity, even though the recipient ultimately used the information impermissibly).
In light of the text, structure, and legislative history of the DPPA, we hold that resellers are subject to a duty of reasonable care before disclosing DPPA-protected personal information. See 18 U.S.C. § 2721(b)-(c).
c. Resellers' Duty of Reasonable Care: As Applied to Softech and Arcanum
Softech released Gordon's personal information per Arcanum's request for "use by any licensed private investigative agency." Rodriguez Dep. 49:15-16. Moreover, Softech and Arcanum had an ongoing business relationship through which Softech knew Arcanum was a licensed private investigative agency, and Arcanum had contractually agreed that it would only use information for three purposes permitted by the DPPA. Hence, at a minimum, Softech's disclosures to Arcanum were permitted by the private investigative agency exception. See 18 U.S.C. § 2721(b)(8). Nothing in the record suggests that, in complying with the information request, Softech acted unreasonably.
Gordon contends that Softech's disclosure was still unreasonable because Arcanum's Affidavit of Intended Use affirmed that Arcanum would only use information for three stated purposes -- none of which were for public investigative services. Furthermore, the agreement provided that Arcanum was required to "strictly abide" by the terms of the affidavit. Softech contends that its automated system would "check that the DPPA [permissible use] selected is the one that they actually, upon signing up with us, was the one that they selected on the Affidavit of Intended Use, " and reject the request if it were not. Rodriguez Dep. 46:11-14, 16-20. Yet when Arcanum requested information pursuant to an exception not listed on its Affidavit of Intended Use, Softech did not reject Arcanum's request; instead, it released Gordon's personal information.
We do not believe that these circumstances create a genuine issue of fact for trial. Although, when it initially entered into a relationship with Softech, Arcanum agreed that it would seek information only for three permissible purposes, no legal obstacles prevented Arcanum from requesting information from Softech (or precluded Softech from giving information to Arcanum) for other permissible purposes in the future. Moreover, Arcanum was, in fact, a licensed private investigative agency, and Arcanum had provided Softech with an Affidavit of Intended Use that promised that Arcanum would use the information only in accordance with the requirements in section 2721(b)(8). Further, as a reseller, Softech's disclosure, to a user for an apparently permissible use, was permitted under section 2721(c). Finally, even assuming that Softech had inquired further, nothing in the record suggests that Softech would have uncovered any red flags suggesting the information was being sought for an improper purpose. Hence, we conclude that the district court properly granted summary judgment in favor of Softech.
By contrast, we conclude that a reasonable jury could find that Arcanum failed to exercise reasonable care when it disclosed Gordon's personal information to Leifer. In seeking the information, Leifer used the alias "Jack Loren." He used a credit card number that did not match the name "Jack Loren." He claimed he worked for a business, "Bodyguards.com, " that was not operational. He selected a purpose, "Insurance Other, " that, at least arguably, is not a permitted purpose. He did not provide any information or proof relating to his status as an insurance company, a self-insured entity, or an insurance support organization, to verify his eligibility to invoke the insurance exception.
Arcanum failed to inquire as to Leifer's eligibility to invoke the insurance exception, and it never checked the accuracy of the purported "Jack Loren" identity or the purported business affiliation. Arcanum apparently did not even bother to verify whether the name associated with the credit card number provided by "Jack Loren" matched the name associated with the Docusearch.com account.
Moreover, the Docusearch.com dropdown menu offered a selection of fourteen purportedly "Permissible Purpose[s], " and instructed the customer that he "Must Select One" of the purportedly permissible purposes. Thus, the Docusearch.com website was designed -- as a reasonable jury could so find -- to ensure that end users selected one of fourteen purportedly permissible purposes, without providing them with an opportunity to articulate the true purpose -- permissible or not -- behind a particular records request. Although Arcanum did ask Leifer to represent that he was seeking the information for a lawful purpose, a reasonable jury could find on these facts that Arcanum failed to use reasonable care, and that, had it been reasonably diligent, Arcanum would have discovered that Leifer was seeking the information for an improper purpose. See King v. Crossland Sav. Bank, 111 F.3d 251, 259 (2d Cir. 1997) ("[T]he assessment of reasonableness generally is a factual question to be addressed by the jury."). Accordingly, the district court erred in granting summary judgment to Arcanum.
For the reasons set forth above, we AFFIRM the judgment of the district court to the extent it granted summary judgment in favor of Softech International, Inc. and Rodriguez, and we VACATE the judgment to the extent it granted summary judgment in favor of Arcanum Investigations, Inc. and Cohn on Gordon's claims under the DPPA. We REMAND for further proceedings not inconsistent with this opinion.
DENNIS JACOBS, Chief Judge, concurring in part and dissenting in part:
Insofar as the majority opinion superimposes a negligence duty of care on the civil damages remedy of the Driver's Privacy Protection Act ("the Act"), I respectfully dissent.
An industry of "resellers" has arisen to facilitate acquisition by legitimate end-users of information collected by state motor vehicle bureaus. The Act is designed to reduce abuses of the information and invasions of privacy. At the same time, Congress was careful to craft remedies for such abuse that would not impair the useful industry. See, e.g., Protecting Driver Privacy: Hearing on H.R. 3365 Before the Subcomm. on Civil and Const. Rights of the H. Comm. On the Judiciary, 103d Cong. 4 (1994) (statement of bill sponsor Rep. James P. Moran) ("Careful consideration was given to the common uses now made of this information and great efforts were made to ensure that those uses were allowed under this bill."), available at 1994 WL 212698; 145 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of Rep. Moran) ("[The Act] strikes a critical balance between an individual's fundamental right to privacy and safety and the legitimate governmental and business needs for this information."). The civil cause of action is worded in a way well-calculated to target abuses without inflicting collateral damage on the industry itself: "[a] person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court." 18 U.S.C. § 2724 (emphasis added).
The majority opinion states that this language imposes a duty upon resellers to "to make some inquiry before concluding that disclosure is permitted." Maj. Op. at 31 (emphasis removed). I agree to the extent that resellers should require end-users to specify a legitimate use and give them notice that misuse subjects them to liability. But it is undisputed that Arcanum, the reseller here, did make such inquiry and provide such notice: it required the customer to represent which legitimate purpose was being pursued; it referenced the Act; and it elicited an indemnification in the event of a statutory violation--all of which served to warn the customer that violation of the Act would entail consequences.
So the real holding of the majority opinion is that these measures are not enough, and that resellers have a duty of inquiry to verify the identity of the customer, and to perform related investigations, as though selling a firearm or dispensing a narcotic. That is a negligence standard, and it is a judicial invention that alters the nature of the industry's service and its economics, and thereby upsets the balance of the Act.
The facts of this case arrange themselves into a law school exam question. Defendant Aron Leifer had some run-in with the driver of a car owned by plaintiff Erik Gordon. Leifer jotted down the license plate number, used Docusearch.com to get information associated with the license plate number, and then harassed Gordon. Docusearch.com is a website of defendant Arcanum Investigations, which is owned and operated by defendant Dan Cohn.
As the Docusearch.com website required, Leifer certified that he had a permissible purpose for the information under the Act, and warranted that he would indemnify Arcanum against any breach. But he used an alias (Jack Loren) to submit his request, and falsely selected "Insurance Other" as his permissible purpose from a dropdown menu. Arcanum forwarded the request to defendant Softech International, Inc., for processing. The master services agreement between the companies included a certification from Arcanum that it would only request records for certain purposes permissible under the Act, that it would require its end users to certify compliance, and that it would indemnify Softech against any violation.
Gordon brought a damages action against Leifer under the Act. Leifer had no permissible reason for procuring the license information, got it by false statements (using a false name that did not match his credit card, and a false affiliation with Bodyguards.com, a defunct website), and used the information to violate Gordon's privacy. Leifer settled the claim. That settlement fulfilled the purposes of the Act. The district court dismissed the claims against all the remaining defendants. I would affirm. The majority vacates the dismissal as to Arcanum and Mr. Cohn.
"[O]ur inquiry begins with the statutory text, and ends there as well if the text is unambiguous." BedRoc Ltd., LLC v. United States, 541 U.S. 176, 183 (2004). The Act as a whole could be clearer than it is, but Congress made the civil remedy clear enough, given the ends in view: imposing damages on those who abuse the information, while preserving the industry that facilitates its use for fair purposes.
The only mental-state requirement in the civil cause of action is the adverb "knowingly, " which modifies the verbs "obtains, discloses or uses, " which are further modified by the adverbial phrase, "for a purpose not permitted under this chapter . . . ." 18 U.S.C. § 2724. Civil liability is therefore imposed only on a person who obtains, discloses, or uses personal information knowing that it is for a purpose--such as peddling goods or harassment--that is not legitimate. Leifer is such a person. Arcanum and Softech are not, in my view, because they made disclosure only after eliciting an affirmation of proper purpose, advising as to statutory requirements, and exacting a warranty of indemnification, which made the warning ominous.
The majority opinion superimposes on the statutory wording a duty of (variously) "reasonable inquiry" (Maj. Op. at 20, 39, 40), "due care" (32), "reasonable care" (30, 34-36, 40), "some inquiry" (31), "reasonableness" (35), and "reasonable diligence" (40). These amount to "negligence" (33), and, as applied to this case, they mean that there is a duty of a reseller to make inquiries of the end-user, at least when there are "red flags" (32, 43). The flags here are said to be: use of an alias; use of a credit card in a different name (Leifer's own); use of an entity (Bodyguards.com) that was defunct; and selection of "Insurance Other" from the drop-down menu, which is not a term expressly listed in the statute as a permitted use (though insurance is, see 18 U.S.C. § 2721(b)(6) and (9)).
The standard adopted by the majority opinion therefore requires at least that a reseller make inquiry and investigation into: the user's identity, the match between the user's name and the credit card used, and the current status and activity of the employing entity. Without those inquiries, there would be no red flags; they wave here only by reason of the inquiries made via discovery in litigation. Yet the majority subjects Arcanum and Mr. Cohn to a jury trial because they failed to look for these red flags before releasing Gordon's driver information. Implicit in that ruling is a requirement that resellers conduct inquiries looking for red flags in every application. And that presupposes personnel who can identify anomalies, and evaluate responses to inquiries (e.g., "I'm using my employer's credit card"; "Oh, Bodyguards.com is doing business under another name"; etc.). Although the majority opinion persuasively demonstrates that Congress did not intend to impose strict liability, see Maj. Op. at 19-23, the burden imposed by the majority opinion is, in effect, not all that much less.
The standard expressed in the statutory wording, a "knowing" misuse, is straightforward and easy to apply to transactions that are (like these) numerous and fleeting. By contrast, the duty of reasonable inquiry imposed by the majority opinion has no clear boundaries. See, e.g., Catharine Pierce Wells, A Pragmatic Approach to Improving Tort Law, 54 Vand. L. Rev. 1447, 1452 (2001) ("[N]egligence doctrine has never consisted of the kind of rules that can make outcomes seem predictable and certain."). It was reasonable for Congress to draw the line at a knowing violation, especially in view of its intent to preserve the industry of resellers (a goal acknowledged in the majority's rejection of strict liability, see Maj. Op. at 21-22). With a clear, logical interpretation of the text available, there is no need to look any further. BedRoc, 541 U.S. at 183.
The majority adduces three arguments in support of imposing a "duty of reasonable care" that would require measures beyond those that Arcanum employed. None of these reasons is convincing.
First, the majority opinion cites legislative history, suggesting that it "supports the conclusion that resellers must exercise some degree of care." Maj. Op. at 37. But the citations reflect only an intent to protect the privacy of drivers' personal information--a broad objective that does not impose a duty of inquiry and that is compatible with a standard that protects resellers that commit no knowing wrong. The majority opinion thus succumbs to the fallacy that all remedial legislation reflects an intent to advance the remedial purpose by flattening every competing consideration. The majority writes: "Leifer's threats to Gordon's family and friends were precisely the sort of acts that Congress sought to curtail." Maj. Op. at 39. All this statement tells us about the duty of care is that a culpable end-user such as Leifer should be liable, as he would be under my reading as well.
Second, the majority opinion reasons that since the Act allows punitive damages in cases of "willful or reckless disregard of the law, " 18 U.S.C. § 2724(b)(2), the threshold for generic civil liability must be lower. Maj. Op. at 34. But surely the distinction between the actual and punitive damages is "disregard of the law"--and a law can be disregarded only by persons who are aware of it. People in relevant industries will know it, but few others will have sufficient awareness to disregard it when they handle driver records. This Act is not the kind of law imbibed with mother's milk.
Under a plain text reading, liability for actual or liquidated damages arises for a knowing disclosure made for an impermissible purpose, while punitive damages are available only when that disclosure is made in disregard of restrictions that the actor knows have been implemented by the Act. The punitive damages clause does not refute the requirement of a "knowing" mental state.
Third, the majority writes that the statute only makes sense "logically" if it is associated with a duty of care.Maj. Op. at 31 ("Logically, the language makes clear, albeit implicitly, that resellers are obliged to use some care in disclosing personal information obtained from motor vehicle records."). The thrust of the argument is that, without a duty of care requirement, "an upstream source could always avoid liability by securing a representation that the recipient of personal information had a permissible use, " i.e., a certification or an indemnification agreement, both of which were used by Arcanum here. Maj. Op. at 32. The majority fears that this possibility would render the civil remedy "toothless." Id. I disagree. The civil remedy works admirably in the overall scheme.
The Act, which regulates an activity that uses middlemen, sensibly places civil damages liability on the person who knowingly handles the information for an improper purpose. The Act operates in a way that is reasonable and effective (and thus "logical"). Liability for damages is imposed at the point in the sequence of transactions where there is knowing misconduct. Punitive damages are imposed for wilful or reckless "disregard of the law, " that is, on persons who know about this fairly obscure enactment (usually by virtue of being in the business of violating it). See 18 U.S.C. § 2724(b)(2). And the act also imposes a criminal fine for knowing violations. See 18 U.S.C. § 2723. The scheme as a whole induces prudent resellers to warn end-users and to obtain representations of compliance.
In this case, the victim (Gordon) recovered damages from the violator (Leifer). So it cannot be said that the Act was "toothless" in this case. The Act doesn't have to bite everybody.
The Act treats on an equal footing the end-users, the resellers, and the state motor vehicle bureaus. So one should be able to test the soundness of a ruling on the reseller's duty by seeing if it can fairly be applied to the motor vehicle bureau as well. It is therefore telling that the majority opinion expressly concedes that its ruling does not apply to the state motor vehicle bureaus. See Maj. Op. at 40 n.14. Not that I disagree on that score: for my part, I am not sure that every employee of a motor vehicle bureau can be counted on to mobilize as an eager detective.
The measures taken by Arcanum and Softech adequately assured that they would not knowingly make a disclosure for an unpermitted purpose. But the majority opinion remands for a negligence finding as to the website's instruction that the customer "Must Select One" of the permissible uses from the drop-down menu, and does so on the theory that such an instruction affords no opportunity to state the true reason. In my view, there is no basis for thinking that Leifer would otherwise have revealed his true need for the information (that would be: "I need to harass the registration holder with salacious phone calls"), or that the instruction ("Must Select One") is an order to pick one even if it is false. A lot of website owners should worry about the implications of the majority opinion.