New England Biz Law Update
Class-action lawsuits pitting privacy advocates against an industry built on buying and selling state motor vehicle records have resulted in contradictory rulings in federal courts across the country over the last few years.
But a Woburn, Mass., law firm is involved in a case that could finally end the confusion.
Andrew P. Botti and Lawrence R. Plavnick, lawyers at McLane, Graf, Raulerson & Middleton, represent Beverly, Mass. based data collection agency Worldwide Information Inc., a subsidiary of LocatePLUS Holdings Corp.
Worldwide is one of several dozen defendants in Taylor, et al. v. Acxiom Corporation, et al. Other defendants in the suit include LexisNexis, Carfax, Southwestern Bell Telephone Co. and The Hearst Corp.
In the ever-evolving realm of data aggregation, Worldwide is known as a reseller. The company buys driver’s license information and motor vehicle records from the state and formats the data on searchable discs, which it sells. The company’s main clients are police agencies and licensed private investigators.
Direct mailing businesses are another type of reseller named in the suit. They use Department of Motor Vehicle records to build targeted mailing lists for the advertisers that send out fliers and coupons.
The second category of defendant in Taylor is the non-reseller, which could be an insurance agency or even a newspaper. These defendants purchase drivers’ records in bulk and keep the information for their own uses.
The plaintiffs in Taylor argue that both types of defendants have violated the federal Driver’s Privacy Protection Act (18 U.S.C., Chapter 123, §§ 2721-2725) by improperly obtaining or misusing the records.
The 5th U.S. Circuit Court of Appeals dismissed the case last year, upholding a ruling from a U.S. District Court in Texas that said the DPPA gives states discretion to distribute DMV records for permissible purposes under the statute.
The plaintiffs recently filed a petition for a writ of certiorari with the U.S. Supreme Court. Both sides are waiting to hear whether the court will take the case.
“They certainly should pick it up,” Botti said. “If the Supreme Court stepped in and made a final determination, it would pretty much put the brakes on several outstanding cases that are wending their way through the courts.”
Opposing views
The haze obscuring the Driver’s Privacy Protection Act and how it governs data collection agencies is illustrated in two conflicting decisions in separate class-action suits in U.S. District Court in Missouri.
In 2008, Judge Nanette K. Laughrey found in Roberts, et al. v. The Source for Public Data, et al., that the defendants did not qualify as “authorized recipients” of DMV records under the DPPA.
The statute does not define “authorized recipient.”
But Laughrey said a contextual reading of section 2721(c) of the statute shows that “an authorized recipient is one who has received the information pursuant to one of the 2721(b) exceptions,” which are silent on whether a business can buy DMV records for the purpose of resale.
“Congress would have included an additional exception in section 2721(b) to allow business entities to obtain highly restricted personal information for the purpose of re-selling or re-disclosing it to others with permissible uses; it did not do so,” Laughrey wrote.
This winter, U.S. District Court Judge Greg Kays adopted the 5th Circuit’s analysis in Taylor and found that the plaintiffs had failed to state a claim in Cook, et al. v. ACS State & Local Solutions, Inc.
In deciding the case, Kays said the language and legislative history of the DPPA does not appear to prevent data collection agencies from obtaining drivers’ records in bulk and that “it makes sense to obtain the database as opposed to submitting multiple individual requests as needed.”
Botti and Plavnick, the Woburn lawyers, also represented a defendant in Cook.
“There had been a bunch of U.S. District cases coming out in our favor with judges saying you don’t have to be an end user of the records to be an authorized recipient,” Botti said. “But Taylor finally gave us an appeals opinion, and Cook shows how significant that ruling was.”
Protecting privacy
When Dallas lawyer Thomas M. Corea first became involved with Taylor four years ago, he knew little about the world of data collection.
“I just kind of naturally assumed that you had to have some sort of legal and legitimate basis to get someone’s driver’s license information and title registration and things like that,” he said. “I found that wasn’t the case.”
Corea, an attorney for the lead plaintiff in Taylor, said businesses or individuals seeking large batches of DMV records simply check off a box on an application form to show they are authorized recipients and have a valid use for the data.
“All you have to do is check that box,” he said. “Every one of the states that sell these records operates in nearly the same identical way.”
The statute also requires resellers to maintain a five-year record of each buyer’s identity and a brief explanation of how they intend to use the information, though not all data collectors follow the law.
“As best as we’ve been able to tell,” Corea said, “not a single one of these defendants have ever done that.”
The DMV records include everything found on a driver’s license, including photos, along with vehicle registration information and sometimes the license holders’ Social Security numbers, according to Corea.
In Taylor, Texas sold records on more than 20 million license holders to data collectors of all types, from background-check companies to direct mailers and grocery stores to insurance agencies and a Houston newspaper.
“They all maintain these databases for God-knows-who to go and access,” Corea said. “Unfortunately, we have never gotten that far to see how some of these agencies are using and maintaining this information.”
Requests for records typically come in two forms: bulk and batch. Bulk requesters want the entire DMV database while batch requesters are seeking specific records, such as mailing addresses for everyone living in a specific area code or the owners of a certain type of vehicle, Corea said.
“If you and I were in the business of stealing exotic cars, we could go and get a list of all the Ferraris and Porches in Texas, and then we’d be in business,” he said. “It’s also a great target for identity thieves. … This information needs to be protected as it was originally intended.”
Corea has also represented plaintiffs in DPPA class-action suits in Arkansas, Florida, Kentucky, Oregon and Washington. After the Taylor decision, the West Coast courts dismissed his cases, but he said he has received favorable opinions in other jurisdictions.
“So far, it’s been about evenly split,” he said.
Necessary information
If the Supreme Court agrees to take Taylor and reverses the lower courts, businesses that rely on the DMV records could be crippled.
“There are some huge players in this industry, like Westlaw, which is a defendant in another case, and they would take a significant hit if the Supreme Court ruled against them,” Botti said. “It would basically just put many of them out of business.”
Chuck E. McLaughlin, president of the McLaughlin Investigative Group in Andover, Mass., said he pays about $200 for Massachusetts DMV records on two discs from Worldwide Information, the Beverly-based defendant in Taylor.
McLaughlin uses the records to help lawyers track down witnesses in cases, to serve legal papers, and to collect judgments.
“We provide legitimate services to lawyers and businesses and individuals, and we need access to this information to get our job done,” he said. “Losing access would be hurtful.”
Hundreds of police agencies in the commonwealth also use Worldwide’s so-called “crime fighting” discs to nab criminals. Detectives can plug in a partial plate number or a vehicle description and obtain legitimate leads.
The software has helped police find bank robbers, hit-and-run drivers and suspects in rapes, abductions, murders and other crimes, according to Worldwide’s website and media reports.
Seeking clarity
The Taylor courts determined that an authorized recipient of DMV records is not required to show that it is also an authorized user of the data.
“Instead, an authorized recipient is authorized to resell to individuals for one or more of the specific purposes under section 2721 (b),” Judge William L. Garwood wrote on behalf of the 5th Circuit. The interpretation allows for an “authorized recipient to mean something different than one who has a permissible actual use.”
In 1998, four years after the DPPA was enacted, the Attorney General’s Office in Massachusetts requested guidance from the U.S. Department of Justice on interpreting the statute.
The DOJ issued an advisory memo stating that a “distributor may obtain information for one authorized purpose, but redisclose that information for a different authorized purpose (or to another authorized recipient) under the statute.”
Like the courts, the DOJ did not offer a definition of “authorized recipient.”
“The statute is not a model of clarity; the language is tough,” Botti said. “This issue never would have come up if there had been a definition inserted of what an authorized recipient was. That would have ended the debate.”
Another plaintiffs’ attorney in Taylor, J. Mark Mann of Henderson, Texas, believes an authorized recipient must implicitly give the state the right to disseminate their personal records to aggregators.
“My belief is that unless you intentionally give permission to someone to receive that information, you don’t expect it to be out,” he said. “The 5th Circuit didn’t put a whole lot of credence in that, but the Supreme Court may.”
