Data breach class actions: Fifth Circuit rules that unsecured storage leading to a breach does not constitute “knowing disclosure” under the Driver’s Privacy Protection Act
Takeaway: Federal and state statutes that provide minimum damages awards for each statutory violation, such as the federal Telephone Consumer Protection Act and Illinois’s Biometric Information Privacy Act, provide ideal vehicles for class action litigation. They enable class plaintiffs to recover potentially staggering liquidated damages without proof of any actual damages. One such statute, the federal Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq. (DPPA), mandates a minimum $2,500 liquidated damages award for each violation. In Allen v. Vertafore, Inc., --- F.4th ----, No. 21-20404, 2022 WL 765001, (5th Cir. Mar. 11, 2022), the Fifth Circuit recently turned back an effort to seek class damages under the DPPA by affirming the dismissal of a putative class action alleging claims on behalf of almost 28 million people.
In Allen, Vertafore, an insurance software company, announced in 2020 that data files containing the personal information of almost 28 million people holding Texas driver’s licenses had been accessed “without authorization.” 2022 WL 765001, at *1. The files had been “stored in an unsecured external storage device.” Id.
Soon after this announcement was made, three individual plaintiffs filed a putative class action against Vertafore in the Southern District of Texas. The plaintiffs alleged that by storing their and class members’ personal information on an unsecured external storage device, Vertafore had knowingly disclosed that information in violation of the DPAA. Id.
The DPPA makes it “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.” Id. at *2 (quoting 18 U.S.C. § 2722(a)). The statute grants a private right of action to anyone victimized by a violation. 18 U.S.C. § 2724(a). Although a court may award actual damages, a successful DPPA plaintiff also may recover “not less than liquidated damages in the amount of $2,500 ....” Id. (quoting 18 U.S.C. § 2724(b)). The statute also entitles a winning plaintiff to reasonable attorneys’ fees, as well as punitive damages for any willful or reckless violation. 18 U.S.C. § 2724(b)(2), (3).
According to Vertafore’s initial announcement, as of November 2020 its investigation had not identified “any evidence that the information accessed without authorization had been misused.” 2022 WL 765001, at *1. Consistent with an absence of evidence of actual misuse, the plaintiffs apparently did not seek actual damages, but only the recovery of the $2,500 minimum for each violation.
Vertafore moved to dismiss the plaintiffs’ complaint for failure to state claim. The district court granted the motion and dismissed the case. Plaintiffs appealed and the Fifth Circuit affirmed.
Addressing the single question of whether the passive (although perhaps negligent) act of storing personal information on an unsecured external storage device amounted to a “knowing disclosure” under the DPPA, the Fifth Circuit ruled no disclosure had occurred. The panel stated: “After all, we would hardly say that personal information was ‘disclosed’ if it was kept in hard copy and the papers were stolen out of an unlocked, but private, storage facility.” Id. at *3. The panel further noted that the plaintiffs had cited “no case in which insufficiently secure data storage constituted a ‘disclosure’ within the meaning of the DPPA.” Id. at *3 n.2.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.