Just before the Thanksgiving holiday, a Texas court ruled that a class-action lawsuit can proceed against Compact Information Systems, Inc. (CIS) and several corporate defendants for alleged violations of the Driver Privacy Protection Act (DPPA). This lawsuit is important not only because of the alleged privacy violations, but also because sales of drivers' personal information by state governments can place domestic-violence victims at risk of being victimized again.
The National Organization For Victim Assistance (NOVA) has seen:
"... an explosion in identity theft and cyber stalking victimization. These criminals thrive on access to personal information through electronic data sources, using these bits of PII or personally identifying information to continually harass and re-victimize their targets... With the increase in focus on cyber safety, more attention is being paid to how criminals access their victims’ PII."
NOVA described how drivers' data is acquired and abused:
"The DPPA protects “personal information… that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information.” The DPPA states it is “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b)... This infers that the data will only be used for legitimate government agencies or for licensing purposes without consent of the individual. This is not the case. Many states have chosen to interpret this to mean that unless an individual “opts out” of information sharing, they have consented. States are required to determine that your data is being sold to companies with a permissible use. But recent Court rulings have determined that businesses are being allowed to purchase this aggregate data then re-sell it over and over with very little oversight."
The Doe v. CIS lawsuit was originally filed in December, 2013. At that time, the Top Class Actions site reported:
"Plaintiffs Jane Doe and Toby Cross filed the class action lawsuit on behalf of themselves and a proposed class of individuals... plaintiff Jane Doe (who is using a pseudonym to protect her identity) moved to Florida to protect herself from an abusive relationship. Like thousands of other motorists, her PII was requested in bulk, without any information about who is actually requesting the records. She is “outraged by the privacy implications” of this practice... She fears her current physical address could be acquired by her former predator, who poses a serious threat to Doe and her family. According to the class action lawsuit, the state of Texas sells 33 million motor vehicle registration records to bulk requestors each month. Although the entities that request the records claim they are requesting them for DPPA permissible purposes, the plaintiffs claim that they are “willing to ignore the legal implications of the DPPA by providing false and misleading information to the State Motor Vehicle Departments..."
On November 20, 2014, a Magistrate Judge in U.S. District Court in Northern Texas/Dallas Division ruled (Adobe PDF) that the class action should proceed against CIS, Data Solutions of America, Inc., KMB Statistics LLC, and others. The judge also allowed the plaintiffs to proceed with a motion filed in July to amend their complaint and add AccuData Integrated Marketing, Inc. as a defendant.
During 2014, a third plaintiff, Arthur Lopez, was added to the suit. During the process, the defendants argued that Jane Doe's real identity should be disclosed. A decision about that is pending. In September 2014, a judge dismissed defendant Endurance Warranty Services (EWS) from the suit.
While reading the latest court documents, I noticed that plaintiffs are represented by the Law Office of Joseph H. Malley, P.C. I recognize that name, since Malley has often been referred to as the "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, the plaintiffs have experienced, knowledgeable, and relentless representation. Maybe, "Privacy Pitbull" is a better nickname.
Top Class Actions also provided background information about the DPPA:
"The DPPA was enacted by Congress to protect the personal identifying information (PII) citizens are required to provide to their state Department of Motor Vehicles when acquiring or renewing a drivers’ license. The protection of consumers’ PII is essential to limit the risk of identity theft. For victims of domestic violence, the protection of PII is even more critical. Before the enactment of the DPPA, anyone was able to access public motor vehicle records and could use that information for any purpose. Even with the protections offered by the DPPA, most states sell motor vehicle records."
Additional background information about the DPPA is available at The Electronic Privacy Information Center (EPIC) site:
"The DPPA was passed in reaction to a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."
The problem isn't new. There have been lawsuits as far back as 2010 about alleged DPPA violations. If companies (and executives) are providing false information in order to buy drivers' information, or are using drivers' data for impermissible purposes, then there has to be verification and enforcement. Otherwise, chaos results.
There is a possible solution. The credit reporting industry developed a secure method for consumers to maintain control of their information and prevent their credit reports from being resold. The states' motor vehicle registries could, and should, adopt a similar system, so domestic violence victims and other at-risk consumers can maintain control of their personal data and prevent their drivers' data from being resold.
Does your state sell drivers' personal information? Probably, because it's a source of revenue. Florida made $63 million in 2010, and Texas probably made far more in 2012 than the $2.1 million known. It can be difficult to determine because most states seem not to want to discuss the matter. You'd think that states' motor vehicle registry websites would clearly display this information, but few seem to, and the information is often buried and hard to find.
What are your opinions of the DPPA? Of states' selling of drivers' data? Of the businesses that buy drivers' data?