Developer Of Mobile Spyware App To Pay $500K Fine
Package Delivery Scam. How To Spot It And Not Get Duped

Class Action Proceeds About Drivers Data Sales, Privacy, And Protections For Domestic Violence Victims

Just before the Thanksgiving holiday, a Texas court ruled that a class-action lawsuit can proceed against Compact Information Systems, Inc. (CIS) and several corporate defendants for alleged violations of the Driver Privacy Protection Act (DPPA). This lawsuit is important not only because of the alleged privacy violations, but also because sales of drivers' personal information by state governments can place domestic-violence victims at risk of being victimized again.

The National Organization For Victim Assistance (NOVA) has seen:

"... an explosion in identity theft and cyber stalking victimization. These criminals thrive on access to personal information through electronic data sources, using these bits of PII or personally identifying information to continually harass and re-victimize their targets... With the increase in focus on cyber safety, more attention is being paid to how criminals access their victims’ PII."

NOVA described how drivers' data is acquired and abused:

"The DPPA protects “personal information… that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information.”  The DPPA states it is “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b)... This infers that the data will only be used for legitimate government agencies or for licensing purposes without consent of the individual. This is not the case. Many states have chosen to interpret this to mean that unless an individual “opts out” of information sharing, they have consented. States are required to determine that your data is being sold to companies with a permissible use. But recent Court rulings have determined that businesses are being allowed to purchase this aggregate data then re-sell it over and over with very little oversight."

The Doe v. CIS lawsuit was originally filed in December, 2013. At that time, the Top Class Actions site reported:

"Plaintiffs Jane Doe and Toby Cross filed the class action lawsuit on behalf of themselves and a proposed class of individuals... plaintiff Jane Doe (who is using a pseudonym to protect her identity) moved to Florida to protect herself from an abusive relationship. Like thousands of other motorists, her PII was requested in bulk, without any information about who is actually requesting the records. She is “outraged by the privacy implications” of this practice... She fears her current physical address could be acquired by her former predator, who poses a serious threat to Doe and her family. According to the class action lawsuit, the state of Texas sells 33 million motor vehicle registration records to bulk requestors each month. Although the entities that request the records claim they are requesting them for DPPA permissible purposes, the plaintiffs claim that they are “willing to ignore the legal implications of the DPPA by providing false and misleading information to the State Motor Vehicle Departments..."

On November 20, 2014, a Magistrate Judge in U.S. District Court in Northern Texas/Dallas Division ruled (Adobe PDF) that the class-action should proceed against CIS, Data Solutions of America, Inc., KMB Statistics LLc, and others. The judge also allowed the plaintiffs to proceed with a motion filed in July to amend their complaint and add AccuData Integrated Marketing, Inc. as a defendant.

During 2014, a third plaintiff, Arthur Lopez, was added to the suit. During the process, the defendants argued that Jane Doe's real identity should be disclosed. A decision about that is pending. In September 2014, a judge dismissed defendant Endurance Warranty Services (EWS) from the suit.

While reading the latest court documents, I noticed that plaintiffs are represented by the Law Office of Joseph H. Malley, P.C. I recognize that name, since Malley has often been referred to as the "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, the plaintiffs have experienced, knowledgeable, and relentless representation. Maybe, "Privacy Pitbull" is a better nickname.

Top Class Actions also provided background information about the DPPA:

"The DPPA was enacted by Congress to protect the personal identifying information (PII) citizens are required to provide to their state Department of Motor Vehicles when acquiring or renewing a drivers’ license. The protection of consumers’ PII is essential to limit the risk of identity theft. For victims of domestic violence, the protection of PII is even more critical. Before the enactment of the DPPA, anyone was able to access public motor vehicle records and could use that information for any purpose. Even with the protections offered by the DPPA, most states sell motor vehicle records."

Additional background information about the DPPA is available at The Electronic Privacy Information Center (EPIC) site:

"The DPPA was passed in reaction to the a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

The problem isn't new. There have been lawsuits as far back as 2010 about alleged DPPA violations. If companies (and executives) are providing false information in order to buy drivers' information, or are using drivers' data for impermissible purposes, then there has to be verification and enforcement. Otherwise, chaos results.

There is a possible solution. The credit reporting industry developed a secure method for consumers to maintain control of their information and prevent their credit reports from being resold. The states' motor vehicle registries could, and should, adopt a similar system, so domestic violence victims and other at-risk consumers can maintain control of their personal data and prevent their drivers' data from being resold.

Does your state sell drivers' personal information? Probably, because it's a revenue generation source. Florida made $63 million in 2010, and Texas made in 2012 probably far more than the $2.1 million known. It can be difficult to determine because most states seem not to want to discuss the matter. You'd think that states' motor vehicle registry websites would clearly display this information, but few seem to and the information is often buried and hard to find.

What are your opinions of the DPPA? Of states' selling of drivers' data? Of the businesses that buy drivers data?

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Chanson de Roland

What Mr. Malley is doing has greater importance that even enforcing the privacy protections of the DPPA and helping to protect victims of domestic violence. Several of the claims in Mr. Malley's complaint are property claims, such as breach of bailment; conversion; and trespass to personal property/chattels. If the Federal District Court were to find for plaintiffs on any of those claims, it would at least by implication establish that PII is personal property.

Each of those claims involves the violation of one's right in one's personal property. Breach of Bailment lies only where the bailor transfers personal property to the bailee for the bailee to hold under an agreement of bailment, and the bailee has breached that bailment by failing to preserve the property according to the terms of the bailment so that, as a result of that breach, except for normal wear and tear, the property is no longer intact or has otherwise loss value. Conversion is were one wrongfully takes another's personal property and converts it for his own use. An action for conversion entitles the plaintiff either to the return of his property and/or damages for it use or loss. Trespass on personal property is a violation of one's rights and/or interest in his personal property, which entitles the property's owner both to equitable orders preventing further trespass and to damages resulting from the trespass. Indeed, all of these are claims for the violation of the owner's rights in his personal property, which in this case is his PII. And all of these claims or any of them would entitle the owner of the property to equitable relief or money damages or both for violation of his rights in his personal property, his PII.

So we may finally be seeing the painfully slow evolution of the law to recognize and acknowledge that PII is personal property, and once so recognized, an owner of PII would be entitled to and enjoy all of the constitutional and other legal protections that an owner of all other personal property enjoys, including the exclusive right to use, dispose of, and control his PII.

Ellen Gordon

OH, my god, this is absolutely shocking! The ramifications of technology get more complex by the day. I had NO IDEA that state DMVs were selling our personal info - what a goldmine for them. Really incredible. It seems that justice is inched towards by brave folks like the ones filing this suit, and Mr. Malley, and the rest of us live in ignorance (or at least I do!) until something like this crosses our paths. Thanks for keeping the information flowing . . . We never know when we are going to be victimized by this electronic world we've created.

Kaz

There is a hell of a lot more than just your DMV information being sold get a clue anything about you is for sale. Every time you sign up for a store card your shopping and spending habits are sold along with any personal information. Every time you sign up an account online that is sold. Court records, news paper records, satellite radio, you get an oil change or car repair...that is sold too. It goes on and on you as the consumer need to inquire every time you give out information ask for the ability to opt out. I am sure it is in the fine print on your DMV stuff but most of us are too lazy to read what we are signing. Might as well get a clue unless you live COMPLETELY off the grid someone has data about you and it is being sold. It it the price most of us will pay for selling our sole to the devil.

The comments to this entry are closed.