12-661-cv
Gordon v. Softech Int'l, Inc.
U NITED S TATES C OURT OF A PPEALS
F OR THE S ECOND C IRCUIT
August Term 2012
(Argued: January 7, 2013 Decided: July 31, 2013
Corrected: August 1, 2013)
Docket No. 12-661-cv
E RIK H. G ORDON ,
Plaintiff-Appellant,
V.
S OFTECH I NTERNATIONAL , I NC ., R EID R ODRIGUEZ , A RCANUM
I NVESTIGATIONS , I NC ., D AN C OHN ,
Defendants-Cross-Claimants-
Cross-Defendants-Appellees,
A RON L EIFER , AKA J ACK L OREN , B ODYGUARDS . COM ,
Defendants-Cross-Defendants-
Cross-Claimants.
Before:
J ACOBS , Chief Judge, and
P OOLER and C HIN , Circuit Judges.
The Clerk of the Court is instructed to amend the
caption to conform to the above.
� Appeal from a judgment of the United States
District Court for the Southern District of New York
(Berman, J.) dismissing plaintiff-appellant's claim that
his personal information was wrongfully disclosed in
violation of the Driver's Privacy Protect ion Act, 18 U.S.C.
§§ 2721-2725, and granting summary judgment in favor of
defendants-cross-claimants-cross-defendants-appellees. We
conclude that questions of material fact preclude summary
judgment as to certain claims.
A FFIRMED IN P ART AND V ACATED AND R EMANDED IN P ART .
Judge J ACOBS concurs in part and dissents in part
in a separate opinion.
J USTIN M. S HER (Yuriko Tada, on the brief),
Sher Tremonte LLP, New York, New
York, for Plaintiff-Appellant.
C OLEEN F. M IDDLETON , Wilson Elser Moskowitz
Edelman & Dicker LLP, New York, New
York (Gregory Saracino, on the
brief), Milber, Makris, Plousadis &
Seiden, LLP, White Plains, New York,
for Defendants-Cross-Claimants-
Cross-Defendants-Appellees.
Joseph V. DeMarco, DeVore & DeMarco LLP,
New York, New York, for Amicus
Curiae Identity Theft Resource
-2-
� Center and The Federal Law
Enforcement Officers Association.
Marc Rotenberg, Alan Butler, David
Jacobs, Washington, District of
Columbia, for Amicus Curiae
Electronic Privacy Information
Center.
Ronald I. Raether, Jr., Faruki Ireland &
Cox P.L.L., Dayton, Ohio, for Amicus
Curiae The Coalition for Sensible
Public Records Access and The
Consumer Data Industry Association.
C HIN , Circuit Judge.
In 1994, Congress enacted the Driver's Privacy
Protection Act (the "DPPA"). As its name suggests, the
DPPA, with limited exceptions, protects drivers' privacy by
prohibiting state motor vehicle departments and others from
disclosing "personal information" drawn from motor vehicle
records.
In this case, defendant Aron Leifer, a private
citizen, engaged in a verbal altercation with the driver of
a motor vehicle. Miffed, he wrote down the license plate
number of the car. Using an online private investigative
service and paying a fee of just $39.00, Leifer was later
able to use the license plate number to obtain the name and
-3-
�home address of the vehicle's owner, plaintiff-appellant
Erik H. Gordon. Leifer then embarked on a campaign to
harass Gordon and his family.
Gordon commenced this action below against Leifer
and the entities and individuals who obtained the
information from the New York State Department of Motor
Vehicles and released it, ultimately, to Leifer. Gordon
asserted claims under the DPPA and state law. Gordon
eventually settled his claims against Leifer, but the
district court (Berman, J.) dismissed his claims against
the remaining defendants on summary judgment. Gordon
appeals. We affirm in part and vacate and remand in part.
BACKGROUND
A. Statutory Framework
Congress passed the DPPA in 1994. See Pub. L. No.
103-322, tit. XXX (codified as amended at 18 U.S.C.
§§ 2721-2725). The DPPA generally restricts state
departments of motor vehicles ("DMVs") from disclosing
personal information drawn from motor vehicle records. 18
U.S.C. § 2721(a); see also Reno v. Condon, 528 U.S. 141,
149-50 (2000) (upholding constitutionality of DPPA).
-4-
�Similarly, private citizens or entities ordinarily may not
obtain, disclose, or resell personal information unless
permitted by statute. 18 U.S.C. §§ 2722(a), 2721(c).
Notwithstanding these default rules of non-disclosure, the
DPPA identifies fourteen "permissible uses" -- exceptions
from the default rule -- for which personal information may
be obtained, disclosed, used, or resold. Id. § 2721(b)-
(c). Penalties, both civil and criminal, enforce "the
rights of private citizens to be left alone." 139 Cong.
Rec. S15766 (daily ed. Nov. 16, 1993) (statement of Sen.
Harkin), available at 1993 WL 470986; id. at S15765
(statement of Sen. Robb) (noting that DPPA "would place
safeguards on the privacy of the driver and vehicle
owners"); see also 18 U.S.C. §§ 2723-2724.
The DPPA was enacted following the highly
publicized murder of an actress, whose stalker-cum-
assailant had received her home address through an
information request at a local DMV. Andrea Ford, "Fan
Convicted of Murder in Actress' Slaying," L.A. Times, Oct.
30, 1991; see also, e.g., 139 Cong. Rec. E2747 (daily ed.
Nov. 3, 1993) (statement of Rep. Moran), available at 1993
-5-
�WL 448643. During the floor debate, members of Congress
emphasized that personal information accessed from state
DMVs was often used in connection with criminal or
threatening behavior. See, e.g., 139 Cong. Rec. E2747
(daily ed. Nov. 3, 1993) (statement of Rep. Moran),
available at 1993 WL 448643; 139 Cong. Rec. S15762, S15766
(daily ed. Nov. 16, 1993) (statements of Sen. Boxer and
Sen. Harkin), available at 1993 WL 470986. The DPPA was
therefore enacted to limit the disclosure of personal
information drawn from motor vehicle records and to prevent
its misuse.
B. Data Brokers & Resellers
Defendant-appellee Reid Rodriguez is the co-owner
and Chief Operating Officer of defendant-appellee Softech
International, Inc. (together, "Softech"). Softech acts as
a "gateway," providing access to motor vehicle records of
all fifty states, the District of Columbia, Puerto Rico,
and six provinces in Canada. See "MVR (Driving Records),"
Softech International Inc., http://www.softechinternational
.com/products_mvrdr.html (last visited July 29, 2013). A
data broker, Softech "collect[s] information, including
-6-
�personal information about consumers, from a wide variety
of sources for the purpose of reselling such information to
their consumers for various purposes." Fed. Trade Comm'n,
Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers, at 68
(Mar. 2012), available at http://www.ftc.gov/os/2012/03/
120326privacyreport.pdf. Information aggregated by entities
such as Softech can aid law enforcement actions.
Disclosures, however, may also be made to private citizens
or entities, and individuals are often unaware that their
personal information is being aggregated and sold. See id.
Defendant-appellee Dan Cohn owns and operates
defendant-appellee Arcanum Investigations (together,
"Arcanum"), a private investigation service. By agreement,
Softech provides Arcanum with access to its motor vehicle
records; Arcanum represents that it and, to the extent it
resells this information, any end user will use the
information in a manner permitted by law.
Arcanum owns and operates Docusearch.com. For a
small fee, Docusearch.com provides its users with the
personal information associated with, for example, a
-7-
�license plate number. When a Docusearch.com user inputs a
New York State license plate number, Arcanum provides that
number to Softech and requests the associated motor vehicle
record for private investigative purposes . Arcanum cannot
access New York State motor vehicle records directly from
the state DMV, and hence it requests this information from
Softech. Then, pursuant to their agreement, Softech relays
the motor vehicle record for that license plate number to
Arcanum. Arcanum, through the Docusearch.com website, then
provides that information to its customer.
Thus, Arcanum and Softech are both resellers
(together, the "Resellers") of personal information drawn
from motor vehicle records.
C. The Facts
Except as noted below, we construe the facts in
the light most favorable to Gordon, the party opposing
summary judgment. On the evening of October 10, 2009,
Gordon was dining at a restaurant in New York City. His
driver waited outside in Gordon's car, a vintage London
taxicab. Its New York State license plate was registered
in Gordon's name.
-8-
� Leifer was parked across the street in an SUV. He
and Gordon's driver engaged in a brief verbal altercation.
Gordon's driver drove away, but Leifer gave chase.
Gordon's driver then drove to a police precinct on East
67th Street and waited for Leifer to leave the area. The
driver then returned to wait for Gordon outside the
restaurant.
The parties dispute whether the two cars collided
that evening. Leifer claimed that they did, but he never
contacted the police or filed an insurance claim. At some
point that night, Leifer wrote down the license plate
number of Gordon's vehicle.
The next day, on October 11, 2009, Leifer input
Gordon's license plate number on Docusearch.com. From a
dropdown menu of purposes deemed by Docusearch.com to be
permissible under the DPPA, Leifer selected "Insurance
Other." A popup window noted:
You are required to select a DPPA Permissible
Purpose. By imputting [sic] your response, you
hereby certify that you are in, and assume fu ll
responsibility for, compliance with the Driver's
Privacy Protection Act of 1994 (DPPA) and you
agree to indemnify, defend and hold Docusearch
harmless from any breach of the DPPA by you, your
-9-
� agents or contractors and any damages, fees and
costs associated therewith.
Leifer clicked "OK." To finalize the purchase,
Docusearch.com requested his personal information. Leifer
provided an alias -- "Jack Loren" -- and stated that he
worked for a business, later discovered to be defunct,
called Bodyguards.com. He also provided a credit card
number, which he represented was issued to "Jack Loren"
when, in fact, it was issued in Leifer's own name.
Finally, mere hours after making a $39.00 payment, Leifer
received Gordon's name and home address.
Using this information, Leifer executed a series
of Internet searches and identified Gordon's phone number,
the members of Gordon's family and acquaintances, and their
contact information. Leifer then called Gordon's
assistant, his mother, and his father's secretary. During
these calls, Leifer made threatening comments, which
included, to Gordon's mother, the false allegation that
Gordon had sexually assaulted a woman. Leifer does not
deny making phone calls, but asserts that, due to the
-10-
�alleged collision, he merely tried to contact Gordon to
request his insurance information.
D. Procedural History
Gordon's amended complaint dated January 5, 2011
alleged that Leifer and the Resellers had violated the
DPPA. 1 Specifically, Gordon contended that Leifer had
misused his personal information and that the Resellers
either unreasonably disclosed it or were strictly liable
for Leifer's misdeeds. Defendants jointly filed a motion
to dismiss in March 2011, which the district court denied.
See Gordon v. Softech Int'l Inc., No. 10 Civ. 5162, 2011 WL
1795300 (S.D.N.Y. Apr. 28, 2011).
After discovery, the parties cross-moved for
summary judgment. In a November 30, 2011 Decision & Order,
the district court denied Gordon's motion for summary
judgment, but granted in part and denied in part the motion
1
The complaint also asserted claims for prima facie
tort and intentional infliction of emotional harm against Leifer
and other unnamed defendants (but not the Resellers). Gordon's
brief is silent as to these claims, and we conclude Gordon
abandoned any challenge to the dismissal of these claims.
Jackler v. Byrne, 658 F.3d 225, 233 (2d Cir. 2011) (claims for
which "brief on appeal contains no argument" are deemed
abandoned).
-11-
�filed jointly by Resellers and Leifer. Without addressing
Gordon's alternative theory that Resellers were subject to
a duty of reasonable inquiry, the court concluded that, as
a matter of law, Resellers could not be strictly liable for
Leifer's alleged DPPA violation and granted summary
judgment in favor of the Resellers. Gordon v. Softech
Int'l, Inc., 828 F. Supp. 2d 665, 675-76 (S.D.N.Y. 2011).
As to Leifer, however, the district court concluded that
material questions of fact precluded summary judgment
regarding his liability under the DPPA. 2 Id. at 673-74.
On December 8, 2011, Gordon filed a letter seeking
a conference to request reconsideration of the district
court's decision. Gordon argued that "a genuine issue of
material fact exist[ed] as to whether the Resellers'
conduct in relying on the end-user's representations . . .
constitute[d] a willful or reckless violation" of the DPPA.
The district court subsequently set a trial date for
2
The district court's Decision & Order also granted
summary judgment in favor of Leifer as to the intentional
infliction of emotional distress claim, but allowed the prima
facie tort claim to proceed. Gordon v. Softech Int'l, Inc.,
828 F. Supp. 2d 665, 679 (S.D.N.Y. 2011). Neither claim is
relevant to this appeal.
-12-
�Gordon's claim against Leifer while also noting that "the
trial date of course is without prejudice to your
application for reconsideration." Before trial, Gordon and
Leifer settled their dispute.
By a January 17, 2012 order, the district court
discontinued the "above-entitled action." On February 15,
2012, in response to an inquiry from Gordon, the district
court issued a Decision & Order stating that the motion for
reconsideration had been discontinued by its prior order
"as it was rendered moot when the parties settled." It
further noted that, even if the motion were not moot, it
"would have been denied for substantially the same reasons
set forth" in the court's earlier decision.
On February 16, 2012, Gordon appealed from the
district court's (1) grant of summary judgment to
Resellers, (2) order of discontinuance, and (3) denial of
the motion of reconsideration.
DISCUSSION
Undisputedly, Softech disclosed Gordon's personal
information, drawn from a motor vehicle record, to Arcanum,
which then disclosed it to Leifer. Assuming Leifer used
-13-
�the information for improper purposes, we now consider
whether Resellers may be liable to Gordon under the DPPA,
and, if so, the circumstances under which liability may
arise. 3
A. Applicable Law
1. Standard of Review
Summary judgment is appropriate when "there is no
genuine dispute as to any material fact and the movant is
entitled to judgment as a matter of law." Fed. R. Civ. P.
56(a). We review de novo a district court's grant of
summary judgment after construing all evidence, and drawing
all reasonable inferences, in favor of the non-moving
party. See, e.g., McElwee v. Cnty. of Orange, 700 F.3d
3
Resellers argue that this appeal is untimely because
Gordon did not file his notice of appeal until February 16,
2012, more than thirty days after the district court's November
30, 2011 Decision & Order. See Fed. R. App. P. 4(a). The
argument is frivolous. The November 30 Decision & Order was a
non-appealable order because it did not dispose of all claims.
See Fed. R. Civ. P. 54(b). An appealable order was not entered
until January 17, 2012, and Gordon's February 16, 2012 notice of
appeal was thus filed within thirty days. In addition, even
assuming the November 30 Decision & Order was a final order, the
district court clearly treated Gordon's December 8, 2011 letter
as a motion for reconsideration, and thus, the motion tolled
Gordon's time to appeal. Fed. R. App. P. 4(a)(4). Hence,
despite Resellers' arguments to the contrary, we have
jurisdiction to hear this appeal.
-14-
�635, 640 (2d Cir. 2012). Furthermore, our review of a
district court's interpretation of a federal statute is
also de novo. See, e.g., Muller v. Costello, 187 F.3d 298,
307 (2d Cir. 1999).
2. Rules of Construction
When construing a statute, we begin with the plain
meaning and give all undefined terms their ordinary
construction. See Schindler Elevator Corp. v. United
States ex rel. Kirk, 131 S. Ct. 1885, 1891 (2011); United
States v. Desposito, 704 F.3d 221, 226 (2d Cir. 2013). We
are mindful, of course, that "[a]n exception to a general
statement of policy is usually read narrowly in or der to
preserve the primary operation of the provision." Maracich
v. Spears, 133 S. Ct. 2191, 2200 (2013) (omission,
quotation, and internal quotation marks omitted). Our
analysis, "absent ambiguity, will generally end there."
Collazos v. United States, 368 F.3d 190, 196 (2d Cir.
2004).
If, however, the statute is ambiguous, "we focus
upon the broader context and primary purpose of the
statute." Castellano v. City of N.Y., 142 F.3d 58, 67 (2d
-15-
�Cir. 1998) (internal quotation marks omitted). In so
doing, we may turn to the legislative history as a
reflection of congressional intent. See Puello v. Bureau
of Citizenship & Immigration Servs., 511 F.3d 324, 327 (2d
Cir. 2007). In all events, however, we must construe the
statute "so that no part will be inoperative or
superfluous, void or insignificant." Corley v. United
States, 556 U.S. 303, 314 (2009) (quotation omitted).
3. The DPPA
Under the DPPA, state DMVs, individuals,
organizations, and entities may not disclose "personal
information" drawn from motor vehicle records unless
permitted by statute. 4 18 U.S.C. §§ 2721(a) (state
entities), 2722(a) (private individuals and entities); see
also Reno, 528 U.S. at 149-50 (upholding constitutionality
of DPPA). The default rule is one of non-disclosure, but
the statute also identifies fourteen exceptions --
4
"Personal information" includes "an individual's
photograph, social security number, driver identification
number, name, address (but not the 5-digit zip code), telephone
number, and medical or disability information." 18 U.S.C.
§ 2725(3).
-16-
�"permissible uses" -- for which disclosure is allowed. See
18 U.S.C. § 2721(b). In relevant part,
Personal information [protected by the DPPA] . . .
may be disclosed as follows:
. . .
(6) For use by any insurer or insurance
support organization, or by a self-insured
entity, or its agents, employees, or
contractors, in connection with claims
investigation activities, antifraud
activities, rating or underwriting.
. . .
(8) For use by any licensed private
investigative agency or licensed security
service for any purpose permitted under this
subsection.
Id. § 2721(b)(6), (8).
The DPPA also regulates the resale and
redisclosure of protected personal information:
An authorized recipient of personal information
(except a recipient under subsection (b)(11) or
(12)) may resell or redisclose the information
only for a use permitted under subsection (b) (but
not for uses under subsection (b)(11) or (12)).
-17-
�Id. § 2721(c). 5 "Authorized recipient" is not defined by
statute. But see Reno, 528 U.S. at 146 (citing section
2721(c) and declaring that DPPA regulates resale and
redisclosure by "private persons who have obtained
[drivers' personal] information from a state DMV").
The DPPA creates a civil cause of action for those
whose information has been improperly used or disclosed.
See 18 U.S.C. § 2724(a). Certain civil remedies may be
imposed against any "person who knowingly obtains,
discloses or uses personal information , from a motor
vehicle record, for a purpose not permitted" by the DPPA .
Id. These remedies vary; the court may award:
(1) actual damages, but not less than liquidated
damages in the amount of $2,500;
(2) punitive damages upon proof of willful or
reckless disregard of the law;
(3) reasonable attorneys' fees and other
litigation costs reasonably incurred; and
5
Individuals may consent to disclosure of their
personal information, see id. § 2721(b)(13), and subsections
(b)(11) and (b)(12) of section 2721 capture those scenarios.
Gordon never consented to the release of his personal
information.
-18-
� (4) such other preliminary and equitable relief a s
the court determines to be appropriate.
Id. § 2724(b).
B. Application
Gordon argues that the Resellers are subject to
civil penalties under the DPPA. First, Gordon contends
that the Resellers should be strictly liable for misuses of
his information by downstream recipients. Second, in the
alternative, Gordon asserts that Resellers are liable
because of their own actions: (a) Resellers disclosed his
information for a use that was not expressly permitted by
the DPPA, and (b) Resellers did not exercise due care when
releasing his personal information. We address each
argument in turn.
1. Strict Liability for Downstream Acts
Gordon primarily argues that Resellers should be
held strictly liable for civil penalties based on Leifer's
improper use of Gordon's personal information. We conclude
that a strict liability standard is inconsistent with the
DPPA as a whole and would frustrate its legislative aims.
-19-
� The text of the DPPA does not support -- either
explicitly or implicitly -- a strict liability standard.
Although, as described below, the text and structure of the
DPPA can be read to support a duty of reasonable inquiry,
nothing in the DPPA suggests that a reseller is
responsible, regardless of whether it is at fault, for an
end user's misuse of personal information. Moreover, no
case law interpreting the DPPA suggests that a reseller
could be strictly liable for downstream violations by
another party. But cf. Pichler v. UNITE, 542 F.3d 380,
396-97 (3d Cir. 2008) (end user liable for own actions,
even if it did not know those actions would violate DPPA).
We note, moreover, that strict liability offenses,
while "not unknown to the criminal law ," are "generally
disfavored." United States v. U.S. Gypsum Co., 438 U.S.
422, 437-38 (1978); see also United States v. Burwell, 690
F.3d 500, 505 (D.C. Cir. 2012); Am.-Arab Anti-
Discrimination Comm. v. City of Dearborn, 418 F.3d 600, 610
(6th Cir. 2005). Gordon's appeal, of course, arises in the
civil context, but the provision describing a criminal
offense under the DPPA mirrors the language describing a
-20-
�civil cause of action. 6 This similarity suggests that
"knowingly" is read the same way in both provisions. See
Dep't of Revenue of Or. v. ACF Indus., Inc., 510 U.S. 332,
342 (1994) ("normal rule of statutory construction" is that
"identical words used in different parts of the same act
are intended to have the same meaning" (quotation and
internal quotation marks omitted)). But see Kirtsaeng v.
John Wiley & Sons, Inc., 133 S. Ct. 1351, 1362 (2013)
(acknowledging general rule, but applying different canon
of interpretation). We are loathe to write strict
liability into the DPPA absent a clear indication in the
text or the legislative history that strict liability
applies.
The notion of strict liability is also
inconsistent with at least some of the congressional
concerns that prompted the DPPA. The DPPA sought to
6
Compare id. § 2722(a) ("It shall be unlawful for any
person knowingly to obtain or disclose personal information,
from a motor vehicle record, for any use not permitted under
section 2721(b) of this title." (emphasis added)), with id. §
2724(a) ("A person who knowingly obtains, discloses or uses
personal information, from a motor vehicle record, for a purpose
not permitted under this chapter" may be liable in a civil
action (emphasis added)).
-21-
�"strike[] a critical balance between an individual's
fundamental right to privacy and safety and the legitimate
governmental and business needs for this information." 145
Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of
Rep. Moran), available at 1994 WL 140035; see also id. at
H2527 (statement of Rep. Goss). Congress knew that
legitimate businesses used information derived from motor
vehicle records and ensured continued access to it through
the DPPA. See, e.g., 139 Cong. Rec. S15762-63 (daily ed.
Nov. 16, 1993) (statement of Sen. Hatch), available at 1993
WL 470986; Driver's Privacy Protection Act: Hearings on
H.R. 3365 Before the Subcomm. on Civil & Constitutional
Rights of the House of Rep. Comm. on the Judiciary , 103rd
Cong. (Feb. 3-4, 1994). In fact, Congress was cognizant of
the concerns raised by the business community, and
consequently it broadened the exceptions to non-disclosure
in the law. See 140 Cong. Rec. H2523 (daily ed. Apr. 20,
1994) (statement of Rep. Moran) (noting that revised DPPA
addressed commercial concerns raised during subcommittee
hearings), available at 1994 WL 140035.
-22-
� "[W]e will not interpret a statute in a way 'that
apparently frustrates the statute's goals, in the absence
of a specific congressional intention otherwise.'" United
States v. Livecchi, 711 F.3d 345, 351 (2d Cir. 2013)
(quoting New York v. Shore Realty Corp., 759 F.2d 1032,
1045 (2d Cir. 1985)). Thus, because we conclude that
neither the text nor the legislative history of the DPPA
supports reading a strict liability standard into the DPPA,
we hold that Resellers are not strictly liable for Leifer's
improper use of Gordon's personal information.
2. Resellers' Liability Due to Their Own Actions
a. Disclosure for an Impermissible Use
Gordon contends that the Resellers disclosed his
personal information for a use that was not specifically
identified in the DPPA's list of fourteen exceptions. See
18 U.S.C. § 2721(b). We review the disclosure of each
Reseller separately and conclude that, while Softech
disclosed Gordon's personal information for a permitted
use, a material question of fact exists as to the propriety
of Arcanum's disclosure.
-23-
� i. Softech
Gordon alleges that Softech disclosed his personal
information to Arcanum even though Arcanum did not identify
a permissible use; this argument is meritless. When
Arcanum, a private investigative agency, requested Gordon's
personal information from Softech, it selected "DPPA
Purpose No. 8." Rodriguez Dep. 49:8-11, Feb. 16, 2011;
Cohn Dep. 29:3-10, Apr. 13, 2011. This corresponds to the
exception in section 2721(b)(8), "[f]or use by any licensed
private investigative agency . . . for any purpose
permitted under this subsection." 18 U.S.C. § 2721(b)(8);
see also Rodriguez Dep. 49:12-16.
Hence, this exception includes two limiting
factors: (1) the entities that may claim the exception,
and (2) the purposes for which information may be
requested. Arcanum's request satisfied both requirements.
First, as discussed above, Arcanum was a licensed private
investigative agency and therefore eligible to claim the
exception. Second, Arcanum had provided Softech with an
Affidavit of Intended Use that specifically identified
-24-
�three intended uses for the records requested, all of which
complied with exceptions in section 2721(b). 7
When Softech accessed the New York State DMV
database and provided Arcanum with Gordon's name, address,
and additional information pertaining to his car , it
disclosed that information pursuant to an exception in
section 2721(b), to an entity eligible to invoke the
exception, for three purposes permitted by the DPPA. See
18 U.S.C. § 2721(b)(8). Therefore, the district court
correctly concluded as a matter of law that Softech had
disclosed Gordon's personal information for a use expressly
permitted by statute. 8
7
Specifically, the affidavit indicated that Arcanum
would use information only for the purposes outlined in section
2721(b)(3) (for limited purposes in the normal course of
business), section 2721(b)(7) (to provide notice to owners of
towed or impounded vehicles), and section 2721(b)(13) (when the
party in interest had consented in writing).
8
Gordon also argues that Softech's disclosure under
the private investigative agency exception violated the terms of
an agreement between Softech and Arcanum. Under either Florida
or New York law, Gordon, because he is a non-party who was not
an intended third-party beneficiary of the agreement, cannot
allege a DPPA violation on breach of contract grounds. See,
e.g., Bochese v. Town of Ponce Inlet, 405 F.3d 964, 981-83 (11th
Cir. 2005) (discussing Florida law); State of Cal. Pub. Emps.'
Retirement Sys. v. Shearman & Sterling, 95 N.Y.2d 427, 434-35
(2000) (discussing New York law).
-25-
� ii. Arcanum
Arcanum disclosed Gordon's personal information to
Leifer based on Leifer's selection of "Insurance Other "
from the Docusearch.com dropdown menu. Gordon contends
that "Insurance Other" did not correspond to a permitted
use. 9
Although Resellers insist that Gordon waived this
argument by failing to raise it below, we disagree.
Gordon's amended complaint noted that Arcanum "disclosed .
. . Gordon's personal information without a permissible use
under the DPPA." Amended Complaint, ¶¶ 79, 81. This
necessarily implied that Gordon challenged whether the
stated use -- "Insurance Other" -- fell within the section
2721(b) exceptions. 10 Furthermore, Gordon argued below that
9
Although Resellers further argue that Leifer wanted
Gordon's personal information in preparation for litigation,
pursuant to the exception in section 2721(b)(4), Leifer only
claimed one exception -- "Insurance Other." Section 2722(a)
prohibits disclosure "for any use not permitted" by statute, and
Arcanum did not know that Leifer's use might later qualify for
this exception. A reseller's ex post decision about a
recipient's intended use of information cannot justify its
decision to disclose the information in the first place.
10
When cross-moving for summary judgment, Gordon
explicitly argued that "Insurance Other" was not a permitted
use, but made that argument only with respect to Softech.
-26-
�"to qualify under [the insurance exception] you have to
either be an insurance company or a self-insured entity."
Nov. 22, 2011 Tr., at 17:21-23. Counsel for Arcanum was
present, but did not object. Accordingly, we determine
that the issue was not waived.
Under a textual approach, "Insurance Other" does
not track the language of the insurance exception, which
allows a person to disclose or use DPPA-protected personal
information "in connection with claims investigation
activities, antifraud activities, rating or underwriting ."
18 U.S.C. § 2721(b)(6). Thus, a disclosure for "Insurance
Other" could be outside the scope of the statute , as the
generic phrase encompasses many insurance-related
activities beyond the stated activities of section
2721(b)(6). See Maracich, 133 S. Ct. at 2199-2200
(examining DPPA's litigation exception and noting that
"[u]nless commanded by the text . . . these exceptions
ought not operate to the farthest reach of their linguistic
possibilities if that result would contravene the statutory
design").
-27-
� The insurance exception, moreover, may only be
claimed by certain entities: an "insurer or insurance
support organization, or [] a self-insured entity." Id.
§ 2721(b)(6). When deposed, Leifer conceded that he did
not work at an insurance company, and could not identify
what a self-insured entity or an insurance support
organization was. Leifer Dep. 81:22 to 82:19, July 12,
2011. Arcanum has pointed to nothing in the record to
suggest that Leifer was, in fact, eligible to request
information pursuant to that exception. Thus, even if we
were to assume that a collision had occurred, an insurance
claim had accrued, and "Insurance Other" was coterminous
with section 2721(b)(6), a reasonable jury could easily
find that Leifer was not eligible to request information
pursuant to the insurance exception.
The Resellers insist that "Insurance Other"
covered all insurance-related uses, but only to the extent
contemplated by the exception in section 2721(b)(6). This
argument relies on the fact that each Docusearch.com
customer certified that it was "in, and assume[d] full
responsibility for, compliance with the Driver's Privacy
-28-
�Protection Act of 1994" by clicking "OK" on a pop-up
window. Furthermore, the customer also check ed a box,
thereby consenting to the terms of a "Client Agreement," in
which the customer "represent[ed] and warrant[ed] that it
will provide Docusearch with accurate and complete
information regarding the searches requested, and that
search results will not be used for any purpose other than
the purpose stated to Docusearch."
We need not decide whether these representations
sufficiently narrowed the scope of "Insurance Other" ;
Resellers' argument still ignores the fact that only
certain entities are eligible to claim the insurance
exception. Whether Leifer is one of them is determinative
of Arcanum's liability. If Leifer was not eligible to
claim that exception, Arcanum's disclosure would have been
for a use not permitted by section 2721(b). Hence, with
respect to Arcanum, we conclude that the district court
erred by granting summary judgment without having first
considered (1) whether Leifer was eligible to request
information pursuant to the insurance exception, (2) if so,
whether a collision had occurred, and (3) if so, whether an
-29-
�insurance claim had accrued. These material questions of
fact preclude summary judgment as to Arcanum's liability.
b. Resellers' Duty of Reasonable Care: Legal
Framework
Gordon further contends that, even if Resellers
disclosed his personal information for what they believed
to be a permitted use, they are still liable because they
violated a duty of reasonable care imposed by the DPPA.
Resellers contend that the DPPA imposes no such duty.
Based on the language of the statute, its structure, and
its legislative history, we conclude that the DPPA imposes
a duty on resellers to exercise reasonable care in
responding to requests for personal information drawn from
motor vehicle records.
i. The Statutory Language
The default rule under the DPPA is non -disclosure.
It is unlawful for a state DMV or any employee or officer
thereof to "knowingly disclose or otherwise make available
to any person or entity . . . personal information"
obtained from a motor vehicle record, except as provided i n
section 2721(b). 18 U.S.C. § 2721(a). Resellers are
-30-
�subject to the same general rule of non-disclosure; with
limited exceptions not relevant here, resellers "may resell
or redisclose the information only for a use permitted
under subsection (b)." Id. § 2721(c) (emphasis added); see
also Taylor v. Acxiom Corp., 612 F.3d 325, 338 (5th Cir.
2010).
Moreover, the DPPA creates a civil cause of action
for unauthorized disclosure: section 2724(a) provides that
a "person who knowingly obtains, discloses or uses personal
information, from a motor vehicle record, for a purpose not
permitted under this chapter shall be liable to the
individual to whom the information pertains, who may bring
a civil action in a United States district court." 18
U.S.C. § 2724(a). Logically, the language makes clear,
albeit implicitly, that resellers are obliged to use some
care in disclosing personal information obtained from motor
vehicle records. If resellers may not disclose personal
information except as permitted by the DPPA, they must be
obliged to make some inquiry before concluding that
disclosure is permitted. See also Roth v. Guzman, 650 F.3d
603, 618 (6th Cir. 2011) (Clay, J., dissenting) (rejecting
-31-
�notion that upstream source had "no actual duty . . . other
than the ministerial task of soliciting rote
representations from prospective requesters" of DPPA-
protected personal information). It would make no sense
that this obligation could be met simply by accepting an
end user's mere "say-so" in the presence of red flags
suggesting the requested information was being sought for
an improper purpose. Under this theory, advocated by
Resellers, an upstream source could always avoid liability
by securing a representation that the recipient of personal
information had a permissible use or by hiding behind one
or more dropdown menus so that a user would always -- and
could only -- select a permitted use. The civil remedies
provision would be rendered toothless if resellers could
insulate themselves from liability based solely on the
conclusory representations of end users, with out being
required to exercise due care themselves.
We note also that the statute's use of the word
"knowingly" is not inconsistent with the notion that some
duty of care exists. Cf. id. Case law is replete with
situations where knowledge contemplates what a party "knew
-32-
�or should have known." 11 Negligence law in particular
frequently invokes the concept of constructive knowledge
when deciding whether a particular outcome was
foreseeable, 12 and criminal law applies a similar concept
when imposing criminal liability under a theory of
conscious avoidance. 13
11
See, e.g., Farmer v. Brennan, 511 U.S. 825, 843 n.8
(1994) (inferences not conclusive but prison official in Bivens
suit "would not escape liability if the evidence showed that he
merely refused to verify underlying facts that he strongly
suspected to be true, or declined to confirm inferences of risk
that he strongly suspected to exist"); In re Potomac Transp.,
Inc., 909 F.2d 42, 46 (2d Cir. 1990) (construing privity and
knowledge under provision of maritime law to mean ship owner
knew or should have known that particular condition existed).
12
See, e.g., Ehrens v. Lutheran Church, 385 F.3d 232,
235 (2d Cir. 2004) (to state claim of negligent supervision,
plaintiff must allege, inter alia, that employer knew or should
have known of employee's propensity for injury-causing conduct);
Williams v. Long Island R.R. Co., 196 F.3d 402, 406 (2d Cir.
1999) (employer may breach liability under Federal Employers
Liability Act, 45 U.S.C. § 51 et seq., if it knew or should have
known of workplace hazard but did not inform or protect its
employees).
13
See, e.g., United States v. Beech-Nut Nutrition Corp.,
871 F.2d 1181, 1195 (2d Cir. 1989) (finding conscious avoidance
applies when "defendant claims to lack some specific aspect of
knowledge necessary to conviction but where the evidence may be
construed as deliberate ignorance" (citation and internal
quotation marks omitted)); United States v. Finkelstein, 229
F.3d 90, 95-96 (2d Cir. 2000) (distinguishing conscious
avoidance from negligence but holding it is relevant when
considering sentencing enhancements).
-33-
� ii. The Structure of the Civil Penalties
Provision
The structure of the DPPA also supports the
conclusion that resellers owe a duty of reasonable care.
The DPPA provides that a court may award "punitive damages
upon proof of willful or reckless disregard of the law."
18 U.S.C. § 2724(b)(2); see also Pichler, 542 F.3d at 397
(willful or reckless disregard is when "a party appre ciated
it was engaging in wrongful conduct" (internal quotation
marks omitted)). In contrast, the preceding subdivision
provides that the court may award "actual damages, but not
less than liquidated damages in the amount of $2,500." 18
U.S.C. § 2724(b)(1). The actual damages provision is
silent as to the degree of fault necessary to trigger
liability for actual damages. If, however, as the statute
suggests, punitive damages are available only for willful
and reckless violations of the DPPA, then actual damages
must require something less -- that is, conduct that is
neither willful nor reckless.
As we have rejected a theory of strict liability,
the most appropriate standard, in our view, is
-34-
�reasonableness: a reasonableness standard best harmonizes
the wording, the structure, and, as discussed below, the
purpose of the DPPA. Accordingly, we conclude that a
reseller is liable for actual (or liquidated) damages when
it fails to use reasonable care to ensure that personal
information is being obtained for a permissible purpose.
We note too that the Department of Justice ("DOJ")
has reached a similar conclusion. In a non-binding
advisory opinion, DOJ concluded that a state DMV could
release personal information to resellers "upon reasonably
concluding that the information [requested by the
commercial distributor] will be used for authorized
purposes only." Letter from Robert C. McFetridge, Special
Counsel to the Assistant Att'y Gen., Civil Div., Dep't of
Justice, to Peter Sacks, Office of the Att'y Gen., The
Commonwealth of Mass. (Oct. 9, 1998) (on file with the
Court) [hereinafter "DOJ Letter"], at 2 (emphasis added);
see also, e.g., Graczyk v. W. Publ'g Co., 660 F.3d 275,
280-81 (7th Cir. 2011) (discussing DOJ Letter), cert.
denied, 132 S. Ct. 2391 (2012); Taylor, 612 F.3d at 339
(same). An entity cannot reasonably conclude that a person
-35-
�or entity may access DPPA-protected personal information if
it does not exercise some modicum of care. See Cook v. ACS
State & Local Solutions, Inc., 663 F.3d 989, 997 (8th Cir.
2011) (summarizing DOJ letter as stating that states must
"reasonably conclude that the information would be used
only for authorized purposes").
iii. The Legislative History
We acknowledge that there is some ambiguity in the
statute. The DPPA does not explicitly provide for a duty
of reasonable care, and it is silent as to the degree of
fault necessary for an award of actual or liquidated
damages.
Moreover, the word "knowingly," as used in
sections 2722(a) and 2724(a), is ambiguous: depending on
one's reading of the statute, civil liability could attach
(1) to any act committed intentionally, or (2) only for an
act undertaken with knowledge of an improper purpose . For
example, in Pichler v. UNITE, 542 F.3d 380 (3d Cir. 2008),
the Third Circuit concluded that the end user -- a union --
could be civilly liable for using DPPA -protected personal
information for an improper purpose even though, at the
-36-
�time, the union did not know that its purpose would be
deemed improper. Id. at 396-97. By contrast, in Roth v.
Guzman, 650 F.3d 603 (6th Cir. 2011), the Sixth Circuit
concluded that a state DMV was not subject to civil
liability under the DPPA unless it actually knew that the
recipient, who had represented that it had a permissible
use for the requested DPPA-protected personal information,
would use it for an improper purpose. Id. at 611-12. We
need not resolve the disagreement, however, as both Pichler
(addressing use by an end user) and Roth (addressing
disclosure by the state) are distinguishable from this
case, which addresses disclosure by resellers .
In light of the ambiguity in the statute, we look
to its legislative history, and the legislative history
supports the conclusion that resellers must exercise some
degree of care. The legislative history emphasized that
the DPPA would protect "an individual's fundamental right
to privacy and safety." 145 Cong. Rec. H2522 (daily ed.
Apr. 20, 1994) (statement of Rep. Moran), available at 1994
WL 140035; see also id. at H2527 (statement of Rep. Goss).
Protecting this right was particularly important in light
-37-
�of two mandates associated with driving: all drivers must
register with the state, and no drivers may obscure the
license plate number on their cars. See 139 Cong. Rec.
S15764 (daily ed. Nov. 16, 1993) (statement of Sen. Boxer),
available at 1993 WL 470986; 140 Cong. Rec. H2523 (daily
ed. Apr. 20, 1994) (statement of Rep. Moran), available at
1994 WL 144035; 139 Cong. Rec. S14436 (daily ed. Oct. 26,
1993) (statement of Sen. Warner), available at 1993 WL
470986 (drivers that register with the DMV "should do so
with full confidence that the information they provide will
not be disclosed indiscriminately"). Because disclosures,
such as the one made by Softech to Arcanum to Leifer, are
often "totally incompatible with the purpose for which the
information was collected," regulating the circumstanc es of
disclosure was of paramount importance to Congress. See
139 Cong. Rec. S15764 (daily ed. Oct. 26, 1993) (statement
of Sen. Boxer), available at 1993 WL 470986.
Concerns that state actions had undermined public
safety also catalyzed the enactment of the DPPA, which was
passed as part of the Violent Crime Control and La w
Enforcement Act of 1994, Pub. L. No. 103-322, 108 Stat.
-38-
�1796. Congress perceived a need to better regulate
disclosure of personal information because such disclosures
had been used to stalk, rob, and even kill private
citizens. See, e.g., 139 Cong. Rec. E2747 (daily ed. Nov.
3, 1993) (statement of Rep. Moran), available at 1993 WL
448643; 139 Cong. Rec. S15762, S15766 (daily ed. Nov. 16,
1993) (statements of Sen. Boxer and Sen. Harkin). Assuming
Gordon's allegations are true, Leifer's threats to Gordon's
family and friends were precisely the sort of acts that
Congress sought to curtail.
Given the nature of information available through
motor vehicle records -- e.g., social security number,
medical or disability information, and home address -- the
DPPA's purpose would be severely undermined if resellers'
disclosures were not subject to a duty of reasonable
inquiry. See Reno, 528 U.S. at 151 ("The DPPA regulates
the universe of entities that participate as suppliers to
the market for motor vehicle information -- the States as
initial suppliers of the information in interstate commerce
and private resellers or redisclosers of that information
in commerce." (emphasis added)). And, in light of the
-39-
�clear congressional intent to safeguard the privacy and
safety of drivers, it is inconceivable that a dropdown
menu, a check box, and a representation that no laws would
be violated could satisfy any reasonable diligence floor.
See 139 Cong. Rec. S15765 (daily ed. Nov. 16, 1993)
(statement of Sen. Robb), available at 1993 WL 470986; see
also Roth, 650 F.3d at 619 (Clay, J., dissenting) ("[T]he
DPPA compels the conclusion that the Act imposes . . . a
duty of reasonable inquiry."); Welch v. Jones, 770 F. Supp.
2d 1253, 1260 (N.D. Fla. 2011) (no DPPA violation in
reseller's disclosure where recipient identified its
permissible use under penalties of perjury, and reseller
verified recipient's identity, even though the recipient
ultimately used the information impermissibly).
In light of the text, structure, and legislative
history of the DPPA, we hold that resellers are subject to
a duty of reasonable care before disclosing DPPA -protected
personal information. 14 See 18 U.S.C. § 2721(b)-(c).
14
Notwithstanding the similarities among upstream
sources of DPPA-protected personal information, as this case
does not require us to consider the effect on state DMVs, we
limit our holding to private resellers under the statute.
-40-
� c. Resellers' Duty of Reasonable Care: As
Applied to Softech and Arcanum
i. Softech
Softech released Gordon's personal information per
Arcanum's request for "use by any licensed private
investigative agency." Rodriguez Dep. 49:15-16. Moreover,
Softech and Arcanum had an ongoing business relationship
through which Softech knew Arcanum was a licensed private
investigative agency, and Arcanum had contractually agreed
that it would only use information for three purposes
permitted by the DPPA. Hence, at a minimum, Softech's
disclosures to Arcanum were permitted by the private
investigative agency exception. See 18 U.S.C.
§ 2721(b)(8). Nothing in the record suggests that, in
complying with the information request , Softech acted
unreasonably.
Gordon contends that Softech's disclosure was
still unreasonable because Arcanum's Affidavit of Intended
Use affirmed that Arcanum would only use information for
three stated purposes -- none of which were for public
-41-
�investigative services. 15 Furthermore, the agreement
provided that Arcanum was required to "strictly abide" by
the terms of the affidavit. Softech contends that its
automated system would "check[] that the DPPA [permissible
use] selected is the one that they actually, upon signin g
up with us, was the one that they selected on the Affidavit
of Intended Use," and reject the request if it were not.
Rodriguez Dep. 46:11-14, 16-20. Yet when Arcanum requested
information pursuant to an exception not listed on its
Affidavit of Intended Use, Softech did not reject Arcanum's
request; instead, it released Gordon's personal
information.
We do not believe that these circumstances create
a genuine issue of fact for trial. Although, when it
initially entered into a relationship with Softech, Arcanum
agreed that it would seek information only for three
permissible purposes, no legal obstacles prevented Arcanum
from requesting information from Softech (or precluded
Softech from giving information to Arcanum) for other
15
See supra note 7.
-42-
�permissible purposes in the future. Moreover, Arcanum was,
in fact, a licensed private investigative agency , and
Arcanum had provided Softech with an Affidavit of Intended
Use that promised that Arcanum would use the information
only in accordance with the requirements in section
2721(b)(8). Further, as a reseller, Softech's disclosure,
to a user for an apparently permissible use, was permitted
under section 2721(c). 16 Finally, even assuming that
Softech had inquired further, nothing in the record
suggests that Softech would have uncovered any red flags
suggesting the information was being sought for an improper
purpose. Hence, we conclude that the district court
properly granted summary judgment in favor of Softech.
ii. Arcanum
By contrast, we conclude that a reasonable jury
could find that Arcanum failed to exercise reasonable care
16
We further note that each of the four Courts of
Appeals to have considered the issue has concluded that
resellers (like Softech and Arcanum) need not themselves use the
information before disclosing it in a manner permitted by the
DPPA. See Cook v. ACS State & Local Solutions, Inc., 663 F.3d
989, 997 (9th Cir. 2011); Graczyk v. W. Publ'g Co., 660 F.3d
275, 279-80 (7th Cir. 2011); Howard v. Criminal Info. Servs.,
Inc., 654 F.3d 887, 891-92 (9th Cir. 2011); Taylor v. Acxiom
Corp., 612 F.3d 325 (5th Cir. 2010).
-43-
�when it disclosed Gordon's personal information to Leifer.
In seeking the information, Leifer used the alias "Jack
Loren." He used a credit card number that did not match
the name "Jack Loren." He claimed he worked for a
business, "Bodyguards.com," that was not operational. He
selected a purpose, "Insurance Other," that, at least
arguably, is not a permitted purpose. He did not provide
any information or proof relating to his status as an
insurance company, a self-insured entity, or an insurance
support organization, to verify his eligibility to invoke
the insurance exception.
Arcanum failed to inquire as to Leifer's
eligibility to invoke the insurance exception, and it never
checked the accuracy of the purported "Jack Loren" identity
or the purported business affiliation. Arcanum apparently
did not even bother to verify whether the name associated
with the credit card number provided by "Jack Loren"
matched the name associated with the Docusearch.com
account.
Moreover, the Docusearch.com dropdown menu offered
a selection of fourteen purportedly "Permissible
-44-
�Purpose[s]," and instructed the customer that he "Must
Select One" of the purportedly permissible purposes. Thus,
the Docusearch.com website was designed -- as a reasonable
jury could so find -- to ensure that end users selected one
of fourteen purportedly permissible purposes, without
providing them with an opportunity to articulate the true
purpose -- permissible or not -- behind a particular
records request. Although Arcanum did ask Leifer to
represent that he was seeking the information for a lawful
purpose, a reasonable jury could find on these facts that
Arcanum failed to use reasonable care, and that, had it
been reasonably diligent, Arcanum would have discovered
that Leifer was seeking the information for an improper
purpose. See King v. Crossland Sav. Bank, 111 F.3d 251,
259 (2d Cir. 1997) ("[T]he assessment of reasonableness
generally is a factual question to be addressed by the
jury."). Accordingly, the district court erred in granting
summary judgment to Arcanum.
CONCLUSION
For the reasons set forth above, we AFFIRM the
judgment of the district court to the extent it granted
-45-
�summary judgment in favor of Softech International, Inc.
and Rodriguez, and we VACATE the judgment to the extent it
granted summary judgment in favor of Arcanum
Investigations, Inc. and Cohn on Gordon's claims under the
DPPA. We REMAND for further proceedings not inconsistent
with this opinion.
-46-
� 1 DENNIS JACOBS, Chief Judge, concurring in part and
2 dissenting in part:
3
4 Insofar as the majority opinion superimposes a
5 negligence duty of care on the civil damages remedy of the
6 Driver’s Privacy Protection Act (“the Act”), I respectfully
7 dissent.
8 I
9 An industry of “resellers” has arisen to facilitate
10 acquisition by legitimate end-users of information collected
11 by state motor vehicle bureaus. The Act is designed to
12 reduce abuses of the information and invasions of privacy.
13 At the same time, Congress was careful to craft remedies for
14 such abuse that would not impair the useful industry. See,
15 e.g., Protecting Driver Privacy: Hearing on H.R. 3365 Before
16 the Subcomm. on Civil and Const. Rights of the H. Comm. On
17 the Judiciary, 103d Cong. 4 (1994) (statement of bill
18 sponsor Rep. James P. Moran) (“Careful consideration was
19 given to the common uses now made of this information and
20 great efforts were made to ensure that those uses were
21 allowed under this bill.”), available at 1994 WL 212698; 145
22 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of
23 Rep. Moran) (“[The Act] strikes a critical balance between
� 1 an individual’s fundamental right to privacy and safety and
2 the legitimate governmental and business needs for this
3 information.”). The civil cause of action is worded in a
4 way well-calculated to target abuses without inflicting
5 collateral damage on the industry itself: “[a] person who
6 knowingly obtains, discloses or uses personal information,
7 from a motor vehicle record, for a purpose not permitted
8 under this chapter shall be liable to the individual to whom
9 the information pertains, who may bring a civil action in a
10 United States district court.” 18 U.S.C. § 2724 (emphasis
11 added).
12 The majority opinion states that this language imposes
13 a duty upon resellers to “to make some inquiry before
14 concluding that disclosure is permitted.” Maj. Op. at 31
15 (emphasis removed). I agree to the extent that resellers
16 should require end-users to specify a legitimate use and
17 give them notice that misuse subjects them to liability.
18 But it is undisputed that Arcanum, the reseller here, did
19 make such inquiry and provide such notice: it required the
20 customer to represent which legitimate purpose was being
21 pursued; it referenced the Act; and it elicited an
22 indemnification in the event of a statutory violation--all
23 of which served to warn the customer that violation of the
24 Act would entail consequences.
2
� 1 So the real holding of the majority opinion is that
2 these measures are not enough, and that resellers have a
3 duty of inquiry to verify the identity of the customer, and
4 to perform related investigations, as though selling a
5 firearm or dispensing a narcotic. That is a negligence
6 standard, and it is a judicial invention that alters the
7 nature of the industry’s service and its economics, and
8 thereby upsets the balance of the Act.
9
10 II
11 The facts of this case arrange themselves into a law
12 school exam question. Defendant Aron Leifer had some run-in
13 with the driver of a car owned by plaintiff Erik Gordon.
14 Leifer jotted down the license plate number, used
15 Docusearch.com to get information associated with the
16 license plate number, and then harassed Gordon.
17 Docusearch.com is a website of defendant Arcanum
18 Investigations, which is owned and operated by defendant Dan
19 Cohn.
20 As the Docusearch.com website required, Leifer
21 certified that he had a permissible purpose for the
22 information under the Act, and warranted that he would
23 indemnify Arcanum against any breach. But he used an alias
24 (Jack Loren) to submit his request, and falsely selected
3
� 1 “Insurance Other” as his permissible purpose from a drop-
2 down menu. Arcanum forwarded the request to defendant
3 Softech International, Inc., for processing. The master
4 services agreement between the companies included a
5 certification from Arcanum that it would only request
6 records for certain purposes permissible under the Act, that
7 it would require its end users to certify compliance, and
8 that it would indemnify Softech against any violation.
9 Gordon brought a damages action against Leifer under
10 the Act. Leifer had no permissible reason for procuring the
11 license information, got it by false statements (using a
12 false name that did not match his credit card, and a false
13 affiliation with Bodyguards.com, a defunct website), and
14 used the information to violate Gordon’s privacy. Leifer
15 settled the claim. That settlement fulfilled the purposes
16 of the Act. The district court dismissed the claims against
17 all the remaining defendants. I would affirm. The majority
18 vacates the dismissal as to Arcanum and Mr. Cohn.
19
20 III
21 “[O]ur inquiry begins with the statutory text, and ends
22 there as well if the text is unambiguous.” BedRoc Ltd., LLC
23 v. United States, 541 U.S. 176, 183 (2004). The Act as a
24 whole could be clearer than it is, but Congress made the
4
� 1 civil remedy clear enough, given the ends in view: imposing
2 damages on those who abuse the information, while preserving
3 the industry that facilitates its use for fair purposes.
4 The only mental-state requirement in the civil cause of
5 action is the adverb “knowingly,” which modifies the verbs
6 “obtains, discloses or uses,” which are further modified by
7 the adverbial phrase, “for a purpose not permitted under
8 this chapter . . . .” 18 U.S.C. § 2724. Civil liability is
9 therefore imposed only on a person who obtains, discloses,
10 or uses personal information knowing that it is for a
11 purpose--such as peddling goods or harassment--that is not
12 legitimate. Leifer is such a person. Arcanum and Softech
13 are not, in my view, because they made disclosure only after
14 eliciting an affirmation of proper purpose, advising as to
15 statutory requirements, and exacting a warranty of
16 indemnification, which made the warning ominous.
17 The majority opinion superimposes on the statutory
18 wording a duty of (variously) “reasonable inquiry” (Maj. Op.
19 at 20, 39, 40), “due care” (32), “reasonable care” (30, 34-
20 36, 40), “some inquiry” (31), “reasonableness” (35), and
21 “reasonable diligence” (40). These amount to “negligence”
22 (33), and, as applied to this case, they mean that there is
23 a duty of a reseller to make inquiries of the end-user, at
24 least when there are “red flags” (32, 43). The flags here
5
� 1 are said to be: use of an alias; use of a credit card in a
2 different name (Leifer’s own); use of an entity
3 (Bodyguards.com) that was defunct; and selection of
4 “Insurance Other” from the drop-down menu, which is not a
5 term expressly listed in the statute as a permitted use
6 (though insurance is, see 18 U.S.C. § 2721(b)(6) and (9)).
7 The standard adopted by the majority opinion therefore
8 requires at least that a reseller make inquiry and
9 investigation into: the user’s identity, the match between
10 the user’s name and the credit card used, and the current
11 status and activity of the employing entity. Without those
12 inquiries, there would be no red flags; they wave here only
13 by reason of the inquiries made via discovery in litigation.
14 Yet the majority subjects Arcanum and Mr. Cohn to a jury
15 trial because they failed to look for these red flags before
16 releasing Gordon’s driver information. Implicit in that
17 ruling is a requirement that resellers conduct inquiries
18 looking for red flags in every application. And that
19 presupposes personnel who can identify anomalies, and
20 evaluate responses to inquiries (e.g., “I’m using my
21 employer’s credit card”; “Oh, Bodyguards.com is doing
22 business under another name”; etc.). Although the majority
23 opinion persuasively demonstrates that Congress did not
24 intend to impose strict liability, see Maj. Op. at 19-23,
6
� 1 the burden imposed by the majority opinion is, in effect,
2 not all that much less.
3 The standard expressed in the statutory wording, a
4 “knowing” misuse, is straightforward and easy to apply to
5 transactions that are (like these) numerous and fleeting.
6 By contrast, the duty of reasonable inquiry imposed by the
7 majority opinion has no clear boundaries. See, e.g.,
8 Catharine Pierce Wells, A Pragmatic Approach to Improving
9 Tort Law, 54 Vand. L. Rev. 1447, 1452 (2001) (“[N]egligence
10 doctrine has never consisted of the kind of rules that can
11 make outcomes seem predictable and certain.”). It was
12 reasonable for Congress to draw the line at a knowing
13 violation, especially in view of its intent to preserve the
14 industry of resellers (a goal acknowledged in the majority’s
15 rejection of strict liability, see Maj. Op. at 21-22). With
16
17 a clear, logical interpretation of the text available, there
18 is no need to look any further. BedRoc, 541 U.S. at 183.
19
20 IV
21 The majority adduces three arguments in support of
22 imposing a “duty of reasonable care” that would require
23 measures beyond those that Arcanum employed. None of these
24 reasons is convincing.
7
� 1 First, the majority opinion cites legislative history,
2 suggesting that it “supports the conclusion that resellers
3 must exercise some degree of care.” Maj. Op. at 37. But
4 the citations reflect only an intent to protect the privacy
5 of drivers’ personal information--a broad objective that
6 does not impose a duty of inquiry and that is compatible
7 with a standard that protects resellers that commit no
8 knowing wrong. The majority opinion thus succumbs to the
9 fallacy that all remedial legislation reflects an intent to
10 advance the remedial purpose by flattening every competing
11 consideration. The majority writes: “Leifer’s threats to
12 Gordon’s family and friends were precisely the sort of acts
13 that Congress sought to curtail.” Maj. Op. at 39. All this
14 statement tells us about the duty of care is that a culpable
15 end-user such as Leifer should be liable, as he would be
16 under my reading as well.
17 Second, the majority opinion reasons that since the Act
18 allows punitive damages in cases of “willful or reckless
19 disregard of the law,” 18 U.S.C. § 2724(b)(2), the threshold
20 for generic civil liability must be lower. Maj. Op. at 34.
21 But surely the distinction between the actual and punitive
22 damages is “disregard of the law”--and a law can be
23 disregarded only by persons who are aware of it. People in
24 relevant industries will know it, but few others will have
8
� 1 sufficient awareness to disregard it when they handle driver
2 records. This Act is not the kind of law imbibed with
3 mother’s milk.
4 Under a plain text reading, liability for actual or
5 liquidated damages arises for a knowing disclosure made for
6 an impermissible purpose, while punitive damages are
7 available only when that disclosure is made in disregard of
8 restrictions that the actor knows have been implemented by
9 the Act. The punitive damages clause does not refute the
10 requirement of a “knowing” mental state.
11 Third, the majority writes that the statute only makes
12 sense “logically” if it is associated with a duty of care.1
13 Maj. Op. at 31 (“Logically, the language makes clear, albeit
14 implicitly, that resellers are obliged to use some care in
15 disclosing personal information obtained from motor vehicle
16 records.”). The thrust of the argument is that, without a
1
The Sixth Circuit managed to “logically” interpret
the statute without recognizing a duty of care. See Roth v.
Guzman, 650 F.3d 603, 611 (6th Cir. 2011) (disclosure is
permitted so long as the reseller has a permissible reason
to provide the records to the requestor). In fact, the
majority opinion in that case ignored express calls from the
dissenting opinion to identify such a duty. See id. at 618
(Clay, J., dissenting) (“The majority opinion circumvents
the legal question of what duty the DPPA imposes on
Defendants . . . . In doing so, the majority reasons that as
long as a requestor represents . . . that it will use
drivers’ personal information in accordance with a DPPA
exception, [motor bureau employees] do not violate the Act
if they then knowingly disclose that information.”).
9
� 1 duty of care requirement, “an upstream source could always
2 avoid liability by securing a representation that the
3 recipient of personal information had a permissible use,”
4 i.e., a certification or an indemnification agreement, both
5 of which were used by Arcanum here. Maj. Op. at 32. The
6 majority fears that this possibility would render the civil
7 remedy “toothless.” Id. I disagree. The civil remedy
8 works admirably in the overall scheme.
9 The Act, which regulates an activity that uses
10 middlemen, sensibly places civil damages liability on the
11 person who knowingly handles the information for an improper
12 purpose. The Act operates in a way that is reasonable and
13 effective (and thus “logical”). Liability for damages is
14 imposed at the point in the sequence of transactions where
15 there is knowing misconduct. Punitive damages are imposed
16 for wilful or reckless “disregard of the law,” that is, on
17 persons who know about this fairly obscure enactment
18 (usually by virtue of being in the business of violating
19 it). See 18 U.S.C. § 2724(b)(2). And the act also imposes
20 a criminal fine for knowing violations. See 18 U.S.C.
21 § 2723. The scheme as a whole induces prudent resellers to
22 warn end-users and to obtain representations of compliance.
23 In this case, the victim (Gordon) recovered damages
24 from the violator (Leifer). So it cannot be said that the
10
� 1 Act was “toothless” in this case. The Act doesn’t have to
2 bite everybody.
3 The Act treats on an equal footing the end-users, the
4 resellers, and the state motor vehicle bureaus. So one
5 should be able to test the soundness of a ruling on the
6 reseller’s duty by seeing if it can fairly be applied to the
7 motor vehicle bureau as well. It is therefore telling that
8 the majority opinion expressly concedes that its ruling does
9 not apply to the state motor vehicle bureaus. See Maj. Op.
10 at 40 n.14. Not that I disagree on that score: for my part,
11 I am not sure that every employee of a motor vehicle bureau
12 can be counted on to mobilize as an eager detective.
13 The measures taken by Arcanum and Softech adequately
14 assured that they would not knowingly make a disclosure for
15 an unpermitted purpose. But the majority opinion remands
16 for a negligence finding as to the website’s instruction
17 that the customer “Must Select One” of the permissible uses
18 from the drop-down menu, and does so on the theory that such
19 an instruction affords no opportunity to state the true
20 reason. In my view, there is no basis for thinking that
21 Leifer would otherwise have revealed his true need for the
22 information (that would be: “I need to harass the
23
24
11
�1 registration holder with salacious phone calls”), or that
2 the instruction (“Must Select One”) is an order to pick one
3 even if it is false. A lot of website owners should worry
4 about the implications of the majority opinion.
12
�