Second Circuit Sets Reasonable Care Duty For Driver Privacy Act Reseller Disclosures

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Katie W. Johnson  


Companies that resell personal information from motor vehicle records are subject to a duty of reasonable care before disclosing such information pursuant to the Driver's Privacy Protection Act, the U.S. Court of Appeals for the Second Circuit held July 31 (Gordon v. Softech Int'l., 2d Cir., No. 12-661-cv, 7/31/13).

“Given the nature of information available through motor vehicle records--e.g., social security number, medical or disability information, and home address--the DPPA's purpose would be severely undermined if resellers' disclosures were not subject to a duty of reasonable inquiry[,]” the court said.

Threatening Calls Follow Vehicle Chase

After the driver of the plaintiff's vehicle and defendant Aron Leifer allegedly engaged in a verbal altercation and a vehicle chase, Leifer requested information on the plaintiff's license plate number from an online private investigation service, defendant Arcanum Investigations Inc. Arcanum obtains motor vehicle records from defendant Softech International Inc.

When prompted, Leifer selected “Insurance Other” as the permissible use of the information under the DPPA, 18 U.S.C. §§ 2721-2725. A pop-up window noted that Leifer indemnified the site from any breach of the DPPA. He allegedly obtained the plaintiff's contact information and used that information to make threatening phone calls to the plaintiff's family and acquaintances.

The plaintiff filed a complaint, alleging that Leifer and the resellers violated the DPPA. In November 2011, the U.S. District Court for the Southern District of New York granted summary judgment on the plaintiff's claim that the resellers violated the DPPA, holding that they could not be strictly liable for Leifer's alleged violation (10 PVLR 1824, 12/12/11).

The district court, however, denied summary judgment with regard to Leifer because material questions of fact remained concerning his acquisition and use of the information. According to the Second Circuit, the plaintiff settled his claims with Leifer.

The Second Circuit affirmed the district court's decision in part and vacated and remanded it in part

No Strict Liability

The DPPA, at 18 U.S.C. §§ 2721(c) and 2722(a), generally prohibits private citizens and entities from obtaining, disclosing, and reselling personal information from motor vehicle records. Section 2721(b), however, delineates fourteen permissible uses of such information, such as use by a “licensed private investigative agency” or specific uses by an insurer.

The Second Circuit agreed with the district court that the resellers could not be strictly liable for Leifer's alleged improper use of the plaintiff's motor vehicle record information. Neither the DPPA's text nor the statute's legislative history support a strict liability standard, the court said.

The district court properly ruled that Softech had lawfully disclosed the plaintiff's personal information under one of the DPPA's permissible use exceptions, the appellate court said. Arcanum is a licensed private investigative agency and gave Softech an affidavit that identified three authorized uses, it explained.

But material questions of fact should have precluded summary judgment concerning Arcanum's liability, the Second Circuit said. A reasonable jury could have concluded that Leifer was not eligible to take advantage of the DPPA's insurance exception, it said.

Duty of Reasonable Care

The DPPA's use of the term “knowingly” suggests that a duty of care exists, the court said. “The civil remedies provision would be rendered toothless if resellers could insulate themselves from liability based solely on the conclusory representations of end users, without being required to exercise due care themselves[,]” it added.

Given that the DPPA provides punitive damages for willful and reckless violations, actual damages must be available for lesser conduct, such as when a reseller fails to use reasonable care in disclosing data, the court concluded.

“[I]n light of the clear congressional intent to safeguard the privacy and safety of drivers, it is inconceivable that a dropdown menu, a check box, and a representation that no laws would be violated could satisfy any reasonable diligence floor[,]” the court remarked.

The Second Circuit again concluded that summary judgment was properly granted in favor of Softech. But it said that a reasonable jury might conclude that Arcanum failed to exercise reasonable care in disclosing the information to Leifer.

In addition to failing to inquire about Leifer's use of the insurance exception, Arcanum never investigated the false identity Leifer used, “Jack Loren,” or whether the name “Jack Loren” matched the name on the credit card he used, the court observed.

In a separate opinion, Chief Judge Dennis Jacobs concurred in part and dissented in part. He said that the majority, by requiring resellers to confirm the identities of customers and perform additional investigations, imposes “a negligence standard, and it is judicial invention that alters the nature of the industry's service and its economics, and thereby upsets the balance of the Act.” He found it “reasonable for Congress to draw the line at a knowing violation … .”

Justin M. Sher of Sher Tremonte LLP, in New York City, argued on behalf of the plaintiff. Coleen F. Middleton of Wilson Elser Moskowitz Edelman & Dicker LLP, in New York City, argued on behalf of the defendants.


Full text of the court's opinion is available at

Full text of the concurrence and dissent is available at

Request Bloomberg Law: Privacy & Data Security