Second Circuit Imposes A Duty Of Inquiry On Data Resellers

In Gordon v. Softech International, decided on July 31, 2013, the Court of Appeals for the Second Circuit tacked the issue of whether someone who discloses information obtained from the department of motor vehicles should be responsible when the information is misused by the person who received the information. In this case, one defendant, Softech, obtained and disclosed the plaintiff's personal information, which it obtained from the New York Department of Motor Vehicles. Softech sold the information to defendant Arcanum, which then disclosed it to a man named Leifer, who used the contact information to allegedly threaten the plaintiff and his family. (Leifer sought out the information after the plaintiff allegedly hit Leifer's vehicle and Leifer was able to copy down the license plate number).

The use of the information obtained from a motor vehicle department is governed by a federal statute, the Driver's Privacy Protection Act (18 U.S.C. §§ 2721- 2725, "DPPA").

The DPPA creates a civil cause of action for those whose information has been improperly used or disclosed. See 18 U.S.C. 2724(a). Certain civil remedies may be imposed against any "person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted" by the DPPA. The Second Circuit assumed Leifer used the information for improper purposes.

Although he reached a settlement with Leifer, the plaintiff contended the data resellers, Softech and Arcanum, should be strictly liable for misuses of his information by downstream recipients (Leifer). The plaintiff further argued that even without a strict liability standard, the resellers did not exercise due care when releasing his personal information.

The Second Circuit refused to establish a strict liability standard, ruling "We are loathe to write strict liability into the DPPA absent a clear indication in the text or the legislative history that strict liability applies." However, the Second Circuit also concluded that the DPPA imposes a duty on data resellers to exercise reasonable care when providing personal information drawn from motor vehicle records. Since resellers may not disclose personal information except as permitted by the DPPA statute, the court held that resellers are obliged to make some inquiry before concluding that disclosure is permitted. It would make no sense that this obligation could be met simply by accepting an end user's mere "say-so" that it wanted the information for a proper purpose.

The most appropriate standard, according to the Second Circuit, was one of reasonableness after an inquiry into the intended use of the data. A reasonableness standard best harmonizes the wording, the structure and the purpose behind the DPPA. Accordingly, the Second Circuit concluded that a reseller is liable for damages when it fails to use reasonable care to ensure that personal information is being obtained for a permissible purpose. Because of this decision, data resellers have a duty to inquire into their customers' intended use of the data. The prudent course of action is to refuse to resell data when it is clear the intended use is an improper one.

Add a comment

Type the following characters: tango, foxtrot, hotel, november, tango

* Indicates a required field.

Subscribe

Recent Posts

Contributors

Archives

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.