Gordon v. Softech Int'l, Inc.

12-661-cv
Gordon v. Softech Int'l, Inc.

U NITED S TATES C OURT OF A PPEALS
F OR THE S ECOND C IRCUIT

August Term 2012

(Argued: January 7, 2013 Decided: July 31, 2013
Corrected: August 1, 2013)

Docket No. 12-661-cv

E RIK H. G ORDON ,

Plaintiff-Appellant,

V.

S OFTECH I NTERNATIONAL , I NC ., R EID R ODRIGUEZ , A RCANUM
I NVESTIGATIONS , I NC ., D AN C OHN ,

Defendants-Cross-Claimants-
Cross-Defendants-Appellees,

A RON L EIFER , AKA J ACK L OREN , B ODYGUARDS . COM ,

Defendants-Cross-Defendants-
Cross-Claimants.

Before:
J ACOBS , Chief Judge, and
P OOLER and C HIN , Circuit Judges.

The Clerk of the Court is instructed to amend the
caption to conform to the above.
 Appeal from a judgment of the United States

District Court for the Southern District of New York

(Berman, J.) dismissing plaintiff-appellant's claim that

his personal information was wrongfully disclosed in

violation of the Driver's Privacy Protect ion Act, 18 U.S.C.

§§ 2721-2725, and granting summary judgment in favor of

defendants-cross-claimants-cross-defendants-appellees. We

conclude that questions of material fact preclude summary

judgment as to certain claims.

A FFIRMED IN P ART AND V ACATED AND R EMANDED IN P ART .

Judge J ACOBS concurs in part and dissents in part

in a separate opinion.

J USTIN M. S HER (Yuriko Tada, on the brief),
Sher Tremonte LLP, New York, New
York, for Plaintiff-Appellant.

C OLEEN F. M IDDLETON , Wilson Elser Moskowitz
Edelman & Dicker LLP, New York, New
York (Gregory Saracino, on the
brief), Milber, Makris, Plousadis &
Seiden, LLP, White Plains, New York,
for Defendants-Cross-Claimants-
Cross-Defendants-Appellees.

Joseph V. DeMarco, DeVore & DeMarco LLP,
New York, New York, for Amicus
Curiae Identity Theft Resource

-2-
 Center and The Federal Law
Enforcement Officers Association.

Marc Rotenberg, Alan Butler, David
Jacobs, Washington, District of
Columbia, for Amicus Curiae
Electronic Privacy Information
Center.

Ronald I. Raether, Jr., Faruki Ireland &
Cox P.L.L., Dayton, Ohio, for Amicus
Curiae The Coalition for Sensible
Public Records Access and The
Consumer Data Industry Association.

C HIN , Circuit Judge.

In 1994, Congress enacted the Driver's Privacy

Protection Act (the "DPPA"). As its name suggests, the

DPPA, with limited exceptions, protects drivers' privacy by

prohibiting state motor vehicle departments and others from

disclosing "personal information" drawn from motor vehicle

records.

In this case, defendant Aron Leifer, a private

citizen, engaged in a verbal altercation with the driver of

a motor vehicle. Miffed, he wrote down the license plate

number of the car. Using an online private investigative

service and paying a fee of just $39.00, Leifer was later

able to use the license plate number to obtain the name and

-3-
home address of the vehicle's owner, plaintiff-appellant

Erik H. Gordon. Leifer then embarked on a campaign to

harass Gordon and his family.

Gordon commenced this action below against Leifer

and the entities and individuals who obtained the

information from the New York State Department of Motor

Vehicles and released it, ultimately, to Leifer. Gordon

asserted claims under the DPPA and state law. Gordon

eventually settled his claims against Leifer, but the

district court (Berman, J.) dismissed his claims against

the remaining defendants on summary judgment. Gordon

appeals. We affirm in part and vacate and remand in part.

BACKGROUND

A. Statutory Framework

Congress passed the DPPA in 1994. See Pub. L. No.

103-322, tit. XXX (codified as amended at 18 U.S.C.

§§ 2721-2725). The DPPA generally restricts state

departments of motor vehicles ("DMVs") from disclosing

personal information drawn from motor vehicle records. 18

U.S.C. § 2721(a); see also Reno v. Condon, 528 U.S. 141,

149-50 (2000) (upholding constitutionality of DPPA).

-4-
Similarly, private citizens or entities ordinarily may not

obtain, disclose, or resell personal information unless

permitted by statute. 18 U.S.C. §§ 2722(a), 2721(c).

Notwithstanding these default rules of non-disclosure, the

DPPA identifies fourteen "permissible uses" -- exceptions

from the default rule -- for which personal information may

be obtained, disclosed, used, or resold. Id. § 2721(b)-

(c). Penalties, both civil and criminal, enforce "the

rights of private citizens to be left alone." 139 Cong.

Rec. S15766 (daily ed. Nov. 16, 1993) (statement of Sen.

Harkin), available at 1993 WL 470986; id. at S15765

(statement of Sen. Robb) (noting that DPPA "would place

safeguards on the privacy of the driver and vehicle

owners"); see also 18 U.S.C. §§ 2723-2724.

The DPPA was enacted following the highly

publicized murder of an actress, whose stalker-cum-

assailant had received her home address through an

information request at a local DMV. Andrea Ford, "Fan

Convicted of Murder in Actress' Slaying," L.A. Times, Oct.

30, 1991; see also, e.g., 139 Cong. Rec. E2747 (daily ed.

Nov. 3, 1993) (statement of Rep. Moran), available at 1993

-5-
WL 448643. During the floor debate, members of Congress

emphasized that personal information accessed from state

DMVs was often used in connection with criminal or

threatening behavior. See, e.g., 139 Cong. Rec. E2747

(daily ed. Nov. 3, 1993) (statement of Rep. Moran),

available at 1993 WL 448643; 139 Cong. Rec. S15762, S15766

(daily ed. Nov. 16, 1993) (statements of Sen. Boxer and

Sen. Harkin), available at 1993 WL 470986. The DPPA was

therefore enacted to limit the disclosure of personal

information drawn from motor vehicle records and to prevent

its misuse.

B. Data Brokers & Resellers

Defendant-appellee Reid Rodriguez is the co-owner

and Chief Operating Officer of defendant-appellee Softech

International, Inc. (together, "Softech"). Softech acts as

a "gateway," providing access to motor vehicle records of

all fifty states, the District of Columbia, Puerto Rico,

and six provinces in Canada. See "MVR (Driving Records),"

Softech International Inc., http://www.softechinternational

.com/products_mvrdr.html (last visited July 29, 2013). A

data broker, Softech "collect[s] information, including

-6-
personal information about consumers, from a wide variety

of sources for the purpose of reselling such information to

their consumers for various purposes." Fed. Trade Comm'n,

Protecting Consumer Privacy in an Era of Rapid Change:

Recommendations for Businesses and Policymakers, at 68

(Mar. 2012), available at http://www.ftc.gov/os/2012/03/

120326privacyreport.pdf. Information aggregated by entities

such as Softech can aid law enforcement actions.

Disclosures, however, may also be made to private citizens

or entities, and individuals are often unaware that their

personal information is being aggregated and sold. See id.

Defendant-appellee Dan Cohn owns and operates

defendant-appellee Arcanum Investigations (together,

"Arcanum"), a private investigation service. By agreement,

Softech provides Arcanum with access to its motor vehicle

records; Arcanum represents that it and, to the extent it

resells this information, any end user will use the

information in a manner permitted by law.

Arcanum owns and operates Docusearch.com. For a

small fee, Docusearch.com provides its users with the

personal information associated with, for example, a

-7-
license plate number. When a Docusearch.com user inputs a

New York State license plate number, Arcanum provides that

number to Softech and requests the associated motor vehicle

record for private investigative purposes . Arcanum cannot

access New York State motor vehicle records directly from

the state DMV, and hence it requests this information from

Softech. Then, pursuant to their agreement, Softech relays

the motor vehicle record for that license plate number to

Arcanum. Arcanum, through the Docusearch.com website, then

provides that information to its customer.

Thus, Arcanum and Softech are both resellers

(together, the "Resellers") of personal information drawn

from motor vehicle records.

C. The Facts

Except as noted below, we construe the facts in

the light most favorable to Gordon, the party opposing

summary judgment. On the evening of October 10, 2009,

Gordon was dining at a restaurant in New York City. His

driver waited outside in Gordon's car, a vintage London

taxicab. Its New York State license plate was registered

in Gordon's name.

-8-
 Leifer was parked across the street in an SUV. He

and Gordon's driver engaged in a brief verbal altercation.

Gordon's driver drove away, but Leifer gave chase.

Gordon's driver then drove to a police precinct on East

67th Street and waited for Leifer to leave the area. The

driver then returned to wait for Gordon outside the

restaurant.

The parties dispute whether the two cars collided

that evening. Leifer claimed that they did, but he never

contacted the police or filed an insurance claim. At some

point that night, Leifer wrote down the license plate

number of Gordon's vehicle.

The next day, on October 11, 2009, Leifer input

Gordon's license plate number on Docusearch.com. From a

dropdown menu of purposes deemed by Docusearch.com to be

permissible under the DPPA, Leifer selected "Insurance

Other." A popup window noted:

You are required to select a DPPA Permissible
Purpose. By imputting [sic] your response, you
hereby certify that you are in, and assume fu ll
responsibility for, compliance with the Driver's
Privacy Protection Act of 1994 (DPPA) and you
agree to indemnify, defend and hold Docusearch
harmless from any breach of the DPPA by you, your

-9-
 agents or contractors and any damages, fees and
costs associated therewith.

Leifer clicked "OK." To finalize the purchase,

Docusearch.com requested his personal information. Leifer

provided an alias -- "Jack Loren" -- and stated that he

worked for a business, later discovered to be defunct,

called Bodyguards.com. He also provided a credit card

number, which he represented was issued to "Jack Loren"

when, in fact, it was issued in Leifer's own name.

Finally, mere hours after making a $39.00 payment, Leifer

received Gordon's name and home address.

Using this information, Leifer executed a series

of Internet searches and identified Gordon's phone number,

the members of Gordon's family and acquaintances, and their

contact information. Leifer then called Gordon's

assistant, his mother, and his father's secretary. During

these calls, Leifer made threatening comments, which

included, to Gordon's mother, the false allegation that

Gordon had sexually assaulted a woman. Leifer does not

deny making phone calls, but asserts that, due to the

-10-
alleged collision, he merely tried to contact Gordon to

request his insurance information.

D. Procedural History

Gordon's amended complaint dated January 5, 2011

alleged that Leifer and the Resellers had violated the

DPPA. 1 Specifically, Gordon contended that Leifer had

misused his personal information and that the Resellers

either unreasonably disclosed it or were strictly liable

for Leifer's misdeeds. Defendants jointly filed a motion

to dismiss in March 2011, which the district court denied.

See Gordon v. Softech Int'l Inc., No. 10 Civ. 5162, 2011 WL

1795300 (S.D.N.Y. Apr. 28, 2011).

After discovery, the parties cross-moved for

summary judgment. In a November 30, 2011 Decision & Order,

the district court denied Gordon's motion for summary

judgment, but granted in part and denied in part the motion

1
The complaint also asserted claims for prima facie
tort and intentional infliction of emotional harm against Leifer
and other unnamed defendants (but not the Resellers). Gordon's
brief is silent as to these claims, and we conclude Gordon
abandoned any challenge to the dismissal of these claims.
Jackler v. Byrne, 658 F.3d 225, 233 (2d Cir. 2011) (claims for
which "brief on appeal contains no argument" are deemed
abandoned).

-11-
filed jointly by Resellers and Leifer. Without addressing

Gordon's alternative theory that Resellers were subject to

a duty of reasonable inquiry, the court concluded that, as

a matter of law, Resellers could not be strictly liable for

Leifer's alleged DPPA violation and granted summary

judgment in favor of the Resellers. Gordon v. Softech

Int'l, Inc., 828 F. Supp. 2d 665, 675-76 (S.D.N.Y. 2011).

As to Leifer, however, the district court concluded that

material questions of fact precluded summary judgment

regarding his liability under the DPPA. 2 Id. at 673-74.

On December 8, 2011, Gordon filed a letter seeking

a conference to request reconsideration of the district

court's decision. Gordon argued that "a genuine issue of

material fact exist[ed] as to whether the Resellers'

conduct in relying on the end-user's representations . . .

constitute[d] a willful or reckless violation" of the DPPA.

The district court subsequently set a trial date for

2
The district court's Decision & Order also granted
summary judgment in favor of Leifer as to the intentional
infliction of emotional distress claim, but allowed the prima
facie tort claim to proceed. Gordon v. Softech Int'l, Inc.,
828 F. Supp. 2d 665, 679 (S.D.N.Y. 2011). Neither claim is
relevant to this appeal.

-12-
Gordon's claim against Leifer while also noting that "the

trial date of course is without prejudice to your

application for reconsideration." Before trial, Gordon and

Leifer settled their dispute.

By a January 17, 2012 order, the district court

discontinued the "above-entitled action." On February 15,

2012, in response to an inquiry from Gordon, the district

court issued a Decision & Order stating that the motion for

reconsideration had been discontinued by its prior order

"as it was rendered moot when the parties settled." It

further noted that, even if the motion were not moot, it

"would have been denied for substantially the same reasons

set forth" in the court's earlier decision.

On February 16, 2012, Gordon appealed from the

district court's (1) grant of summary judgment to

Resellers, (2) order of discontinuance, and (3) denial of

the motion of reconsideration.

DISCUSSION

Undisputedly, Softech disclosed Gordon's personal

information, drawn from a motor vehicle record, to Arcanum,

which then disclosed it to Leifer. Assuming Leifer used

-13-
the information for improper purposes, we now consider

whether Resellers may be liable to Gordon under the DPPA,

and, if so, the circumstances under which liability may

arise. 3

A. Applicable Law

1. Standard of Review

Summary judgment is appropriate when "there is no

genuine dispute as to any material fact and the movant is

entitled to judgment as a matter of law." Fed. R. Civ. P.

56(a). We review de novo a district court's grant of

summary judgment after construing all evidence, and drawing

all reasonable inferences, in favor of the non-moving

party. See, e.g., McElwee v. Cnty. of Orange, 700 F.3d

3
Resellers argue that this appeal is untimely because
Gordon did not file his notice of appeal until February 16,
2012, more than thirty days after the district court's November
30, 2011 Decision & Order. See Fed. R. App. P. 4(a). The
argument is frivolous. The November 30 Decision & Order was a
non-appealable order because it did not dispose of all claims.
See Fed. R. Civ. P. 54(b). An appealable order was not entered
until January 17, 2012, and Gordon's February 16, 2012 notice of
appeal was thus filed within thirty days. In addition, even
assuming the November 30 Decision & Order was a final order, the
district court clearly treated Gordon's December 8, 2011 letter
as a motion for reconsideration, and thus, the motion tolled
Gordon's time to appeal. Fed. R. App. P. 4(a)(4). Hence,
despite Resellers' arguments to the contrary, we have
jurisdiction to hear this appeal.

-14-
635, 640 (2d Cir. 2012). Furthermore, our review of a

district court's interpretation of a federal statute is

also de novo. See, e.g., Muller v. Costello, 187 F.3d 298,

307 (2d Cir. 1999).

2. Rules of Construction

When construing a statute, we begin with the plain

meaning and give all undefined terms their ordinary

construction. See Schindler Elevator Corp. v. United

States ex rel. Kirk, 131 S. Ct. 1885, 1891 (2011); United

States v. Desposito, 704 F.3d 221, 226 (2d Cir. 2013). We

are mindful, of course, that "[a]n exception to a general

statement of policy is usually read narrowly in or der to

preserve the primary operation of the provision." Maracich

v. Spears, 133 S. Ct. 2191, 2200 (2013) (omission,

quotation, and internal quotation marks omitted). Our

analysis, "absent ambiguity, will generally end there."

Collazos v. United States, 368 F.3d 190, 196 (2d Cir.

2004).

If, however, the statute is ambiguous, "we focus

upon the broader context and primary purpose of the

statute." Castellano v. City of N.Y., 142 F.3d 58, 67 (2d

-15-
Cir. 1998) (internal quotation marks omitted). In so

doing, we may turn to the legislative history as a

reflection of congressional intent. See Puello v. Bureau

of Citizenship & Immigration Servs., 511 F.3d 324, 327 (2d

Cir. 2007). In all events, however, we must construe the

statute "so that no part will be inoperative or

superfluous, void or insignificant." Corley v. United

States, 556 U.S. 303, 314 (2009) (quotation omitted).

3. The DPPA

Under the DPPA, state DMVs, individuals,

organizations, and entities may not disclose "personal

information" drawn from motor vehicle records unless

permitted by statute. 4 18 U.S.C. §§ 2721(a) (state

entities), 2722(a) (private individuals and entities); see

also Reno, 528 U.S. at 149-50 (upholding constitutionality

of DPPA). The default rule is one of non-disclosure, but

the statute also identifies fourteen exceptions --

4
"Personal information" includes "an individual's
photograph, social security number, driver identification
number, name, address (but not the 5-digit zip code), telephone
number, and medical or disability information." 18 U.S.C.
§ 2725(3).

-16-
"permissible uses" -- for which disclosure is allowed. See

18 U.S.C. § 2721(b). In relevant part,

Personal information [protected by the DPPA] . . .
may be disclosed as follows:

. . .

(6) For use by any insurer or insurance
support organization, or by a self-insured
entity, or its agents, employees, or
contractors, in connection with claims
investigation activities, antifraud
activities, rating or underwriting.

. . .

(8) For use by any licensed private
investigative agency or licensed security
service for any purpose permitted under this
subsection.

Id. § 2721(b)(6), (8).

The DPPA also regulates the resale and

redisclosure of protected personal information:

An authorized recipient of personal information
(except a recipient under subsection (b)(11) or
(12)) may resell or redisclose the information
only for a use permitted under subsection (b) (but
not for uses under subsection (b)(11) or (12)).

-17-
Id. § 2721(c). 5 "Authorized recipient" is not defined by

statute. But see Reno, 528 U.S. at 146 (citing section

2721(c) and declaring that DPPA regulates resale and

redisclosure by "private persons who have obtained

[drivers' personal] information from a state DMV").

The DPPA creates a civil cause of action for those

whose information has been improperly used or disclosed.

See 18 U.S.C. § 2724(a). Certain civil remedies may be

imposed against any "person who knowingly obtains,

discloses or uses personal information , from a motor

vehicle record, for a purpose not permitted" by the DPPA .

Id. These remedies vary; the court may award:

(1) actual damages, but not less than liquidated
damages in the amount of $2,500;

(2) punitive damages upon proof of willful or
reckless disregard of the law;

(3) reasonable attorneys' fees and other
litigation costs reasonably incurred; and

5
Individuals may consent to disclosure of their
personal information, see id. § 2721(b)(13), and subsections
(b)(11) and (b)(12) of section 2721 capture those scenarios.
Gordon never consented to the release of his personal
information.

-18-
 (4) such other preliminary and equitable relief a s
the court determines to be appropriate.

Id. § 2724(b).

B. Application

Gordon argues that the Resellers are subject to

civil penalties under the DPPA. First, Gordon contends

that the Resellers should be strictly liable for misuses of

his information by downstream recipients. Second, in the

alternative, Gordon asserts that Resellers are liable

because of their own actions: (a) Resellers disclosed his

information for a use that was not expressly permitted by

the DPPA, and (b) Resellers did not exercise due care when

releasing his personal information. We address each

argument in turn.

1. Strict Liability for Downstream Acts

Gordon primarily argues that Resellers should be

held strictly liable for civil penalties based on Leifer's

improper use of Gordon's personal information. We conclude

that a strict liability standard is inconsistent with the

DPPA as a whole and would frustrate its legislative aims.

-19-
 The text of the DPPA does not support -- either

explicitly or implicitly -- a strict liability standard.

Although, as described below, the text and structure of the

DPPA can be read to support a duty of reasonable inquiry,

nothing in the DPPA suggests that a reseller is

responsible, regardless of whether it is at fault, for an

end user's misuse of personal information. Moreover, no

case law interpreting the DPPA suggests that a reseller

could be strictly liable for downstream violations by

another party. But cf. Pichler v. UNITE, 542 F.3d 380,

396-97 (3d Cir. 2008) (end user liable for own actions,

even if it did not know those actions would violate DPPA).

We note, moreover, that strict liability offenses,

while "not unknown to the criminal law ," are "generally

disfavored." United States v. U.S. Gypsum Co., 438 U.S.

422, 437-38 (1978); see also United States v. Burwell, 690

F.3d 500, 505 (D.C. Cir. 2012); Am.-Arab Anti-

Discrimination Comm. v. City of Dearborn, 418 F.3d 600, 610

(6th Cir. 2005). Gordon's appeal, of course, arises in the

civil context, but the provision describing a criminal

offense under the DPPA mirrors the language describing a

-20-
civil cause of action. 6 This similarity suggests that

"knowingly" is read the same way in both provisions. See

Dep't of Revenue of Or. v. ACF Indus., Inc., 510 U.S. 332,

342 (1994) ("normal rule of statutory construction" is that

"identical words used in different parts of the same act

are intended to have the same meaning" (quotation and

internal quotation marks omitted)). But see Kirtsaeng v.

John Wiley & Sons, Inc., 133 S. Ct. 1351, 1362 (2013)

(acknowledging general rule, but applying different canon

of interpretation). We are loathe to write strict

liability into the DPPA absent a clear indication in the

text or the legislative history that strict liability

applies.

The notion of strict liability is also

inconsistent with at least some of the congressional

concerns that prompted the DPPA. The DPPA sought to

6
Compare id. § 2722(a) ("It shall be unlawful for any
person knowingly to obtain or disclose personal information,
from a motor vehicle record, for any use not permitted under
section 2721(b) of this title." (emphasis added)), with id. §
2724(a) ("A person who knowingly obtains, discloses or uses
personal information, from a motor vehicle record, for a purpose
not permitted under this chapter" may be liable in a civil
action (emphasis added)).

-21-
"strike[] a critical balance between an individual's

fundamental right to privacy and safety and the legitimate

governmental and business needs for this information." 145

Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of

Rep. Moran), available at 1994 WL 140035; see also id. at

H2527 (statement of Rep. Goss). Congress knew that

legitimate businesses used information derived from motor

vehicle records and ensured continued access to it through

the DPPA. See, e.g., 139 Cong. Rec. S15762-63 (daily ed.

Nov. 16, 1993) (statement of Sen. Hatch), available at 1993

WL 470986; Driver's Privacy Protection Act: Hearings on

H.R. 3365 Before the Subcomm. on Civil & Constitutional

Rights of the House of Rep. Comm. on the Judiciary , 103rd

Cong. (Feb. 3-4, 1994). In fact, Congress was cognizant of

the concerns raised by the business community, and

consequently it broadened the exceptions to non-disclosure

in the law. See 140 Cong. Rec. H2523 (daily ed. Apr. 20,

1994) (statement of Rep. Moran) (noting that revised DPPA

addressed commercial concerns raised during subcommittee

hearings), available at 1994 WL 140035.

-22-
 "[W]e will not interpret a statute in a way 'that

apparently frustrates the statute's goals, in the absence

of a specific congressional intention otherwise.'" United

States v. Livecchi, 711 F.3d 345, 351 (2d Cir. 2013)

(quoting New York v. Shore Realty Corp., 759 F.2d 1032,

1045 (2d Cir. 1985)). Thus, because we conclude that

neither the text nor the legislative history of the DPPA

supports reading a strict liability standard into the DPPA,

we hold that Resellers are not strictly liable for Leifer's

improper use of Gordon's personal information.

2. Resellers' Liability Due to Their Own Actions

a. Disclosure for an Impermissible Use

Gordon contends that the Resellers disclosed his

personal information for a use that was not specifically

identified in the DPPA's list of fourteen exceptions. See

18 U.S.C. § 2721(b). We review the disclosure of each

Reseller separately and conclude that, while Softech

disclosed Gordon's personal information for a permitted

use, a material question of fact exists as to the propriety

of Arcanum's disclosure.

-23-
 i. Softech

Gordon alleges that Softech disclosed his personal

information to Arcanum even though Arcanum did not identify

a permissible use; this argument is meritless. When

Arcanum, a private investigative agency, requested Gordon's

personal information from Softech, it selected "DPPA

Purpose No. 8." Rodriguez Dep. 49:8-11, Feb. 16, 2011;

Cohn Dep. 29:3-10, Apr. 13, 2011. This corresponds to the

exception in section 2721(b)(8), "[f]or use by any licensed

private investigative agency . . . for any purpose

permitted under this subsection." 18 U.S.C. § 2721(b)(8);

see also Rodriguez Dep. 49:12-16.

Hence, this exception includes two limiting

factors: (1) the entities that may claim the exception,

and (2) the purposes for which information may be

requested. Arcanum's request satisfied both requirements.

First, as discussed above, Arcanum was a licensed private

investigative agency and therefore eligible to claim the

exception. Second, Arcanum had provided Softech with an

Affidavit of Intended Use that specifically identified

-24-
three intended uses for the records requested, all of which

complied with exceptions in section 2721(b). 7

When Softech accessed the New York State DMV

database and provided Arcanum with Gordon's name, address,

and additional information pertaining to his car , it

disclosed that information pursuant to an exception in

section 2721(b), to an entity eligible to invoke the

exception, for three purposes permitted by the DPPA. See

18 U.S.C. § 2721(b)(8). Therefore, the district court

correctly concluded as a matter of law that Softech had

disclosed Gordon's personal information for a use expressly

permitted by statute. 8

7
Specifically, the affidavit indicated that Arcanum
would use information only for the purposes outlined in section
2721(b)(3) (for limited purposes in the normal course of
business), section 2721(b)(7) (to provide notice to owners of
towed or impounded vehicles), and section 2721(b)(13) (when the
party in interest had consented in writing).
8
Gordon also argues that Softech's disclosure under
the private investigative agency exception violated the terms of
an agreement between Softech and Arcanum. Under either Florida
or New York law, Gordon, because he is a non-party who was not
an intended third-party beneficiary of the agreement, cannot
allege a DPPA violation on breach of contract grounds. See,
e.g., Bochese v. Town of Ponce Inlet, 405 F.3d 964, 981-83 (11th
Cir. 2005) (discussing Florida law); State of Cal. Pub. Emps.'
Retirement Sys. v. Shearman & Sterling, 95 N.Y.2d 427, 434-35
(2000) (discussing New York law).

-25-
 ii. Arcanum

Arcanum disclosed Gordon's personal information to

Leifer based on Leifer's selection of "Insurance Other "

from the Docusearch.com dropdown menu. Gordon contends

that "Insurance Other" did not correspond to a permitted

use. 9

Although Resellers insist that Gordon waived this

argument by failing to raise it below, we disagree.

Gordon's amended complaint noted that Arcanum "disclosed .

. . Gordon's personal information without a permissible use

under the DPPA." Amended Complaint, ¶¶ 79, 81. This

necessarily implied that Gordon challenged whether the

stated use -- "Insurance Other" -- fell within the section

2721(b) exceptions. 10 Furthermore, Gordon argued below that

9
Although Resellers further argue that Leifer wanted
Gordon's personal information in preparation for litigation,
pursuant to the exception in section 2721(b)(4), Leifer only
claimed one exception -- "Insurance Other." Section 2722(a)
prohibits disclosure "for any use not permitted" by statute, and
Arcanum did not know that Leifer's use might later qualify for
this exception. A reseller's ex post decision about a
recipient's intended use of information cannot justify its
decision to disclose the information in the first place.
10
When cross-moving for summary judgment, Gordon
explicitly argued that "Insurance Other" was not a permitted
use, but made that argument only with respect to Softech.

-26-
"to qualify under [the insurance exception] you have to

either be an insurance company or a self-insured entity."

Nov. 22, 2011 Tr., at 17:21-23. Counsel for Arcanum was

present, but did not object. Accordingly, we determine

that the issue was not waived.

Under a textual approach, "Insurance Other" does

not track the language of the insurance exception, which

allows a person to disclose or use DPPA-protected personal

information "in connection with claims investigation

activities, antifraud activities, rating or underwriting ."

18 U.S.C. § 2721(b)(6). Thus, a disclosure for "Insurance

Other" could be outside the scope of the statute , as the

generic phrase encompasses many insurance-related

activities beyond the stated activities of section

2721(b)(6). See Maracich, 133 S. Ct. at 2199-2200

(examining DPPA's litigation exception and noting that

"[u]nless commanded by the text . . . these exceptions

ought not operate to the farthest reach of their linguistic

possibilities if that result would contravene the statutory

design").

-27-
 The insurance exception, moreover, may only be

claimed by certain entities: an "insurer or insurance

support organization, or [] a self-insured entity." Id.

§ 2721(b)(6). When deposed, Leifer conceded that he did

not work at an insurance company, and could not identify

what a self-insured entity or an insurance support

organization was. Leifer Dep. 81:22 to 82:19, July 12,

2011. Arcanum has pointed to nothing in the record to

suggest that Leifer was, in fact, eligible to request

information pursuant to that exception. Thus, even if we

were to assume that a collision had occurred, an insurance

claim had accrued, and "Insurance Other" was coterminous

with section 2721(b)(6), a reasonable jury could easily

find that Leifer was not eligible to request information

pursuant to the insurance exception.

The Resellers insist that "Insurance Other"

covered all insurance-related uses, but only to the extent

contemplated by the exception in section 2721(b)(6). This

argument relies on the fact that each Docusearch.com

customer certified that it was "in, and assume[d] full

responsibility for, compliance with the Driver's Privacy

-28-
Protection Act of 1994" by clicking "OK" on a pop-up

window. Furthermore, the customer also check ed a box,

thereby consenting to the terms of a "Client Agreement," in

which the customer "represent[ed] and warrant[ed] that it

will provide Docusearch with accurate and complete

information regarding the searches requested, and that

search results will not be used for any purpose other than

the purpose stated to Docusearch."

We need not decide whether these representations

sufficiently narrowed the scope of "Insurance Other" ;

Resellers' argument still ignores the fact that only

certain entities are eligible to claim the insurance

exception. Whether Leifer is one of them is determinative

of Arcanum's liability. If Leifer was not eligible to

claim that exception, Arcanum's disclosure would have been

for a use not permitted by section 2721(b). Hence, with

respect to Arcanum, we conclude that the district court

erred by granting summary judgment without having first

considered (1) whether Leifer was eligible to request

information pursuant to the insurance exception, (2) if so,

whether a collision had occurred, and (3) if so, whether an

-29-
insurance claim had accrued. These material questions of

fact preclude summary judgment as to Arcanum's liability.

b. Resellers' Duty of Reasonable Care: Legal
Framework

Gordon further contends that, even if Resellers

disclosed his personal information for what they believed

to be a permitted use, they are still liable because they

violated a duty of reasonable care imposed by the DPPA.

Resellers contend that the DPPA imposes no such duty.

Based on the language of the statute, its structure, and

its legislative history, we conclude that the DPPA imposes

a duty on resellers to exercise reasonable care in

responding to requests for personal information drawn from

motor vehicle records.

i. The Statutory Language

The default rule under the DPPA is non -disclosure.

It is unlawful for a state DMV or any employee or officer

thereof to "knowingly disclose or otherwise make available

to any person or entity . . . personal information"

obtained from a motor vehicle record, except as provided i n

section 2721(b). 18 U.S.C. § 2721(a). Resellers are

-30-
subject to the same general rule of non-disclosure; with

limited exceptions not relevant here, resellers "may resell

or redisclose the information only for a use permitted

under subsection (b)." Id. § 2721(c) (emphasis added); see

also Taylor v. Acxiom Corp., 612 F.3d 325, 338 (5th Cir.

2010).

Moreover, the DPPA creates a civil cause of action

for unauthorized disclosure: section 2724(a) provides that

a "person who knowingly obtains, discloses or uses personal

information, from a motor vehicle record, for a purpose not

permitted under this chapter shall be liable to the

individual to whom the information pertains, who may bring

a civil action in a United States district court." 18

U.S.C. § 2724(a). Logically, the language makes clear,

albeit implicitly, that resellers are obliged to use some

care in disclosing personal information obtained from motor

vehicle records. If resellers may not disclose personal

information except as permitted by the DPPA, they must be

obliged to make some inquiry before concluding that

disclosure is permitted. See also Roth v. Guzman, 650 F.3d

603, 618 (6th Cir. 2011) (Clay, J., dissenting) (rejecting

-31-
notion that upstream source had "no actual duty . . . other

than the ministerial task of soliciting rote

representations from prospective requesters" of DPPA-

protected personal information). It would make no sense

that this obligation could be met simply by accepting an

end user's mere "say-so" in the presence of red flags

suggesting the requested information was being sought for

an improper purpose. Under this theory, advocated by

Resellers, an upstream source could always avoid liability

by securing a representation that the recipient of personal

information had a permissible use or by hiding behind one

or more dropdown menus so that a user would always -- and

could only -- select a permitted use. The civil remedies

provision would be rendered toothless if resellers could

insulate themselves from liability based solely on the

conclusory representations of end users, with out being

required to exercise due care themselves.

We note also that the statute's use of the word

"knowingly" is not inconsistent with the notion that some

duty of care exists. Cf. id. Case law is replete with

situations where knowledge contemplates what a party "knew

-32-
or should have known." 11 Negligence law in particular

frequently invokes the concept of constructive knowledge

when deciding whether a particular outcome was

foreseeable, 12 and criminal law applies a similar concept

when imposing criminal liability under a theory of

conscious avoidance. 13

11
See, e.g., Farmer v. Brennan, 511 U.S. 825, 843 n.8
(1994) (inferences not conclusive but prison official in Bivens
suit "would not escape liability if the evidence showed that he
merely refused to verify underlying facts that he strongly
suspected to be true, or declined to confirm inferences of risk
that he strongly suspected to exist"); In re Potomac Transp.,
Inc., 909 F.2d 42, 46 (2d Cir. 1990) (construing privity and
knowledge under provision of maritime law to mean ship owner
knew or should have known that particular condition existed).
12
See, e.g., Ehrens v. Lutheran Church, 385 F.3d 232,
235 (2d Cir. 2004) (to state claim of negligent supervision,
plaintiff must allege, inter alia, that employer knew or should
have known of employee's propensity for injury-causing conduct);
Williams v. Long Island R.R. Co., 196 F.3d 402, 406 (2d Cir.
1999) (employer may breach liability under Federal Employers
Liability Act, 45 U.S.C. § 51 et seq., if it knew or should have
known of workplace hazard but did not inform or protect its
employees).
13
See, e.g., United States v. Beech-Nut Nutrition Corp.,
871 F.2d 1181, 1195 (2d Cir. 1989) (finding conscious avoidance
applies when "defendant claims to lack some specific aspect of
knowledge necessary to conviction but where the evidence may be
construed as deliberate ignorance" (citation and internal
quotation marks omitted)); United States v. Finkelstein, 229
F.3d 90, 95-96 (2d Cir. 2000) (distinguishing conscious
avoidance from negligence but holding it is relevant when
considering sentencing enhancements).

-33-
 ii. The Structure of the Civil Penalties
Provision

The structure of the DPPA also supports the

conclusion that resellers owe a duty of reasonable care.

The DPPA provides that a court may award "punitive damages

upon proof of willful or reckless disregard of the law."

18 U.S.C. § 2724(b)(2); see also Pichler, 542 F.3d at 397

(willful or reckless disregard is when "a party appre ciated

it was engaging in wrongful conduct" (internal quotation

marks omitted)). In contrast, the preceding subdivision

provides that the court may award "actual damages, but not

less than liquidated damages in the amount of $2,500." 18

U.S.C. § 2724(b)(1). The actual damages provision is

silent as to the degree of fault necessary to trigger

liability for actual damages. If, however, as the statute

suggests, punitive damages are available only for willful

and reckless violations of the DPPA, then actual damages

must require something less -- that is, conduct that is

neither willful nor reckless.

As we have rejected a theory of strict liability,

the most appropriate standard, in our view, is

-34-
reasonableness: a reasonableness standard best harmonizes

the wording, the structure, and, as discussed below, the

purpose of the DPPA. Accordingly, we conclude that a

reseller is liable for actual (or liquidated) damages when

it fails to use reasonable care to ensure that personal

information is being obtained for a permissible purpose.

We note too that the Department of Justice ("DOJ")

has reached a similar conclusion. In a non-binding

advisory opinion, DOJ concluded that a state DMV could

release personal information to resellers "upon reasonably

concluding that the information [requested by the

commercial distributor] will be used for authorized

purposes only." Letter from Robert C. McFetridge, Special

Counsel to the Assistant Att'y Gen., Civil Div., Dep't of

Justice, to Peter Sacks, Office of the Att'y Gen., The

Commonwealth of Mass. (Oct. 9, 1998) (on file with the

Court) [hereinafter "DOJ Letter"], at 2 (emphasis added);

see also, e.g., Graczyk v. W. Publ'g Co., 660 F.3d 275,

280-81 (7th Cir. 2011) (discussing DOJ Letter), cert.

denied, 132 S. Ct. 2391 (2012); Taylor, 612 F.3d at 339

(same). An entity cannot reasonably conclude that a person

-35-
or entity may access DPPA-protected personal information if

it does not exercise some modicum of care. See Cook v. ACS

State & Local Solutions, Inc., 663 F.3d 989, 997 (8th Cir.

2011) (summarizing DOJ letter as stating that states must

"reasonably conclude that the information would be used

only for authorized purposes").

iii. The Legislative History

We acknowledge that there is some ambiguity in the

statute. The DPPA does not explicitly provide for a duty

of reasonable care, and it is silent as to the degree of

fault necessary for an award of actual or liquidated

damages.

Moreover, the word "knowingly," as used in

sections 2722(a) and 2724(a), is ambiguous: depending on

one's reading of the statute, civil liability could attach

(1) to any act committed intentionally, or (2) only for an

act undertaken with knowledge of an improper purpose . For

example, in Pichler v. UNITE, 542 F.3d 380 (3d Cir. 2008),

the Third Circuit concluded that the end user -- a union --

could be civilly liable for using DPPA -protected personal

information for an improper purpose even though, at the

-36-
time, the union did not know that its purpose would be

deemed improper. Id. at 396-97. By contrast, in Roth v.

Guzman, 650 F.3d 603 (6th Cir. 2011), the Sixth Circuit

concluded that a state DMV was not subject to civil

liability under the DPPA unless it actually knew that the

recipient, who had represented that it had a permissible

use for the requested DPPA-protected personal information,

would use it for an improper purpose. Id. at 611-12. We

need not resolve the disagreement, however, as both Pichler

(addressing use by an end user) and Roth (addressing

disclosure by the state) are distinguishable from this

case, which addresses disclosure by resellers .

In light of the ambiguity in the statute, we look

to its legislative history, and the legislative history

supports the conclusion that resellers must exercise some

degree of care. The legislative history emphasized that

the DPPA would protect "an individual's fundamental right

to privacy and safety." 145 Cong. Rec. H2522 (daily ed.

Apr. 20, 1994) (statement of Rep. Moran), available at 1994

WL 140035; see also id. at H2527 (statement of Rep. Goss).

Protecting this right was particularly important in light

-37-
of two mandates associated with driving: all drivers must

register with the state, and no drivers may obscure the

license plate number on their cars. See 139 Cong. Rec.

S15764 (daily ed. Nov. 16, 1993) (statement of Sen. Boxer),

available at 1993 WL 470986; 140 Cong. Rec. H2523 (daily

ed. Apr. 20, 1994) (statement of Rep. Moran), available at

1994 WL 144035; 139 Cong. Rec. S14436 (daily ed. Oct. 26,

1993) (statement of Sen. Warner), available at 1993 WL

470986 (drivers that register with the DMV "should do so

with full confidence that the information they provide will

not be disclosed indiscriminately"). Because disclosures,

such as the one made by Softech to Arcanum to Leifer, are

often "totally incompatible with the purpose for which the

information was collected," regulating the circumstanc es of

disclosure was of paramount importance to Congress. See

139 Cong. Rec. S15764 (daily ed. Oct. 26, 1993) (statement

of Sen. Boxer), available at 1993 WL 470986.

Concerns that state actions had undermined public

safety also catalyzed the enactment of the DPPA, which was

passed as part of the Violent Crime Control and La w

Enforcement Act of 1994, Pub. L. No. 103-322, 108 Stat.

-38-
1796. Congress perceived a need to better regulate

disclosure of personal information because such disclosures

had been used to stalk, rob, and even kill private

citizens. See, e.g., 139 Cong. Rec. E2747 (daily ed. Nov.

3, 1993) (statement of Rep. Moran), available at 1993 WL

448643; 139 Cong. Rec. S15762, S15766 (daily ed. Nov. 16,

1993) (statements of Sen. Boxer and Sen. Harkin). Assuming

Gordon's allegations are true, Leifer's threats to Gordon's

family and friends were precisely the sort of acts that

Congress sought to curtail.

Given the nature of information available through

motor vehicle records -- e.g., social security number,

medical or disability information, and home address -- the

DPPA's purpose would be severely undermined if resellers'

disclosures were not subject to a duty of reasonable

inquiry. See Reno, 528 U.S. at 151 ("The DPPA regulates

the universe of entities that participate as suppliers to

the market for motor vehicle information -- the States as

initial suppliers of the information in interstate commerce

and private resellers or redisclosers of that information

in commerce." (emphasis added)). And, in light of the

-39-
clear congressional intent to safeguard the privacy and

safety of drivers, it is inconceivable that a dropdown

menu, a check box, and a representation that no laws would

be violated could satisfy any reasonable diligence floor.

See 139 Cong. Rec. S15765 (daily ed. Nov. 16, 1993)

(statement of Sen. Robb), available at 1993 WL 470986; see

also Roth, 650 F.3d at 619 (Clay, J., dissenting) ("[T]he

DPPA compels the conclusion that the Act imposes . . . a

duty of reasonable inquiry."); Welch v. Jones, 770 F. Supp.

2d 1253, 1260 (N.D. Fla. 2011) (no DPPA violation in

reseller's disclosure where recipient identified its

permissible use under penalties of perjury, and reseller

verified recipient's identity, even though the recipient

ultimately used the information impermissibly).

In light of the text, structure, and legislative

history of the DPPA, we hold that resellers are subject to

a duty of reasonable care before disclosing DPPA -protected

personal information. 14 See 18 U.S.C. § 2721(b)-(c).

14
Notwithstanding the similarities among upstream
sources of DPPA-protected personal information, as this case
does not require us to consider the effect on state DMVs, we
limit our holding to private resellers under the statute.

-40-
 c. Resellers' Duty of Reasonable Care: As
Applied to Softech and Arcanum

i. Softech

Softech released Gordon's personal information per

Arcanum's request for "use by any licensed private

investigative agency." Rodriguez Dep. 49:15-16. Moreover,

Softech and Arcanum had an ongoing business relationship

through which Softech knew Arcanum was a licensed private

investigative agency, and Arcanum had contractually agreed

that it would only use information for three purposes

permitted by the DPPA. Hence, at a minimum, Softech's

disclosures to Arcanum were permitted by the private

investigative agency exception. See 18 U.S.C.

§ 2721(b)(8). Nothing in the record suggests that, in

complying with the information request , Softech acted

unreasonably.

Gordon contends that Softech's disclosure was

still unreasonable because Arcanum's Affidavit of Intended

Use affirmed that Arcanum would only use information for

three stated purposes -- none of which were for public

-41-
investigative services. 15 Furthermore, the agreement

provided that Arcanum was required to "strictly abide" by

the terms of the affidavit. Softech contends that its

automated system would "check[] that the DPPA [permissible

use] selected is the one that they actually, upon signin g

up with us, was the one that they selected on the Affidavit

of Intended Use," and reject the request if it were not.

Rodriguez Dep. 46:11-14, 16-20. Yet when Arcanum requested

information pursuant to an exception not listed on its

Affidavit of Intended Use, Softech did not reject Arcanum's

request; instead, it released Gordon's personal

information.

We do not believe that these circumstances create

a genuine issue of fact for trial. Although, when it

initially entered into a relationship with Softech, Arcanum

agreed that it would seek information only for three

permissible purposes, no legal obstacles prevented Arcanum

from requesting information from Softech (or precluded

Softech from giving information to Arcanum) for other

15
See supra note 7.

-42-
permissible purposes in the future. Moreover, Arcanum was,

in fact, a licensed private investigative agency , and

Arcanum had provided Softech with an Affidavit of Intended

Use that promised that Arcanum would use the information

only in accordance with the requirements in section

2721(b)(8). Further, as a reseller, Softech's disclosure,

to a user for an apparently permissible use, was permitted

under section 2721(c). 16 Finally, even assuming that

Softech had inquired further, nothing in the record

suggests that Softech would have uncovered any red flags

suggesting the information was being sought for an improper

purpose. Hence, we conclude that the district court

properly granted summary judgment in favor of Softech.

ii. Arcanum

By contrast, we conclude that a reasonable jury

could find that Arcanum failed to exercise reasonable care

16
We further note that each of the four Courts of
Appeals to have considered the issue has concluded that
resellers (like Softech and Arcanum) need not themselves use the
information before disclosing it in a manner permitted by the
DPPA. See Cook v. ACS State & Local Solutions, Inc., 663 F.3d
989, 997 (9th Cir. 2011); Graczyk v. W. Publ'g Co., 660 F.3d
275, 279-80 (7th Cir. 2011); Howard v. Criminal Info. Servs.,
Inc., 654 F.3d 887, 891-92 (9th Cir. 2011); Taylor v. Acxiom
Corp., 612 F.3d 325 (5th Cir. 2010).

-43-
when it disclosed Gordon's personal information to Leifer.

In seeking the information, Leifer used the alias "Jack

Loren." He used a credit card number that did not match

the name "Jack Loren." He claimed he worked for a

business, "Bodyguards.com," that was not operational. He

selected a purpose, "Insurance Other," that, at least

arguably, is not a permitted purpose. He did not provide

any information or proof relating to his status as an

insurance company, a self-insured entity, or an insurance

support organization, to verify his eligibility to invoke

the insurance exception.

Arcanum failed to inquire as to Leifer's

eligibility to invoke the insurance exception, and it never

checked the accuracy of the purported "Jack Loren" identity

or the purported business affiliation. Arcanum apparently

did not even bother to verify whether the name associated

with the credit card number provided by "Jack Loren"

matched the name associated with the Docusearch.com

account.

Moreover, the Docusearch.com dropdown menu offered

a selection of fourteen purportedly "Permissible

-44-
Purpose[s]," and instructed the customer that he "Must

Select One" of the purportedly permissible purposes. Thus,

the Docusearch.com website was designed -- as a reasonable

jury could so find -- to ensure that end users selected one

of fourteen purportedly permissible purposes, without

providing them with an opportunity to articulate the true

purpose -- permissible or not -- behind a particular

records request. Although Arcanum did ask Leifer to

represent that he was seeking the information for a lawful

purpose, a reasonable jury could find on these facts that

Arcanum failed to use reasonable care, and that, had it

been reasonably diligent, Arcanum would have discovered

that Leifer was seeking the information for an improper

purpose. See King v. Crossland Sav. Bank, 111 F.3d 251,

259 (2d Cir. 1997) ("[T]he assessment of reasonableness

generally is a factual question to be addressed by the

jury."). Accordingly, the district court erred in granting

summary judgment to Arcanum.

CONCLUSION

For the reasons set forth above, we AFFIRM the

judgment of the district court to the extent it granted

-45-
summary judgment in favor of Softech International, Inc.

and Rodriguez, and we VACATE the judgment to the extent it

granted summary judgment in favor of Arcanum

Investigations, Inc. and Cohn on Gordon's claims under the

DPPA. We REMAND for further proceedings not inconsistent

with this opinion.

-46-
 1 DENNIS JACOBS, Chief Judge, concurring in part and

2 dissenting in part:

3

4 Insofar as the majority opinion superimposes a

5 negligence duty of care on the civil damages remedy of the

6 Driver’s Privacy Protection Act (“the Act”), I respectfully

7 dissent.

8 I

9 An industry of “resellers” has arisen to facilitate

10 acquisition by legitimate end-users of information collected

11 by state motor vehicle bureaus. The Act is designed to

12 reduce abuses of the information and invasions of privacy.

13 At the same time, Congress was careful to craft remedies for

14 such abuse that would not impair the useful industry. See,

15 e.g., Protecting Driver Privacy: Hearing on H.R. 3365 Before

16 the Subcomm. on Civil and Const. Rights of the H. Comm. On

17 the Judiciary, 103d Cong. 4 (1994) (statement of bill

18 sponsor Rep. James P. Moran) (“Careful consideration was

19 given to the common uses now made of this information and

20 great efforts were made to ensure that those uses were

21 allowed under this bill.”), available at 1994 WL 212698; 145

22 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of

23 Rep. Moran) (“[The Act] strikes a critical balance between
 1 an individual’s fundamental right to privacy and safety and

2 the legitimate governmental and business needs for this

3 information.”). The civil cause of action is worded in a

4 way well-calculated to target abuses without inflicting

5 collateral damage on the industry itself: “[a] person who

6 knowingly obtains, discloses or uses personal information,

7 from a motor vehicle record, for a purpose not permitted

8 under this chapter shall be liable to the individual to whom

9 the information pertains, who may bring a civil action in a

10 United States district court.” 18 U.S.C. § 2724 (emphasis

11 added).

12 The majority opinion states that this language imposes

13 a duty upon resellers to “to make some inquiry before

14 concluding that disclosure is permitted.” Maj. Op. at 31

15 (emphasis removed). I agree to the extent that resellers

16 should require end-users to specify a legitimate use and

17 give them notice that misuse subjects them to liability.

18 But it is undisputed that Arcanum, the reseller here, did

19 make such inquiry and provide such notice: it required the

20 customer to represent which legitimate purpose was being

21 pursued; it referenced the Act; and it elicited an

22 indemnification in the event of a statutory violation--all

23 of which served to warn the customer that violation of the

24 Act would entail consequences.

2
 1 So the real holding of the majority opinion is that

2 these measures are not enough, and that resellers have a

3 duty of inquiry to verify the identity of the customer, and

4 to perform related investigations, as though selling a

5 firearm or dispensing a narcotic. That is a negligence

6 standard, and it is a judicial invention that alters the

7 nature of the industry’s service and its economics, and

8 thereby upsets the balance of the Act.

9

10 II

11 The facts of this case arrange themselves into a law

12 school exam question. Defendant Aron Leifer had some run-in

13 with the driver of a car owned by plaintiff Erik Gordon.

14 Leifer jotted down the license plate number, used

15 Docusearch.com to get information associated with the

16 license plate number, and then harassed Gordon.

17 Docusearch.com is a website of defendant Arcanum

18 Investigations, which is owned and operated by defendant Dan

19 Cohn.

20 As the Docusearch.com website required, Leifer

21 certified that he had a permissible purpose for the

22 information under the Act, and warranted that he would

23 indemnify Arcanum against any breach. But he used an alias

24 (Jack Loren) to submit his request, and falsely selected

3
 1 “Insurance Other” as his permissible purpose from a drop-

2 down menu. Arcanum forwarded the request to defendant

3 Softech International, Inc., for processing. The master

4 services agreement between the companies included a

5 certification from Arcanum that it would only request

6 records for certain purposes permissible under the Act, that

7 it would require its end users to certify compliance, and

8 that it would indemnify Softech against any violation.

9 Gordon brought a damages action against Leifer under

10 the Act. Leifer had no permissible reason for procuring the

11 license information, got it by false statements (using a

12 false name that did not match his credit card, and a false

13 affiliation with Bodyguards.com, a defunct website), and

14 used the information to violate Gordon’s privacy. Leifer

15 settled the claim. That settlement fulfilled the purposes

16 of the Act. The district court dismissed the claims against

17 all the remaining defendants. I would affirm. The majority

18 vacates the dismissal as to Arcanum and Mr. Cohn.

19

20 III

21 “[O]ur inquiry begins with the statutory text, and ends

22 there as well if the text is unambiguous.” BedRoc Ltd., LLC

23 v. United States, 541 U.S. 176, 183 (2004). The Act as a

24 whole could be clearer than it is, but Congress made the

4
 1 civil remedy clear enough, given the ends in view: imposing

2 damages on those who abuse the information, while preserving

3 the industry that facilitates its use for fair purposes.

4 The only mental-state requirement in the civil cause of

5 action is the adverb “knowingly,” which modifies the verbs

6 “obtains, discloses or uses,” which are further modified by

7 the adverbial phrase, “for a purpose not permitted under

8 this chapter . . . .” 18 U.S.C. § 2724. Civil liability is

9 therefore imposed only on a person who obtains, discloses,

10 or uses personal information knowing that it is for a

11 purpose--such as peddling goods or harassment--that is not

12 legitimate. Leifer is such a person. Arcanum and Softech

13 are not, in my view, because they made disclosure only after

14 eliciting an affirmation of proper purpose, advising as to

15 statutory requirements, and exacting a warranty of

16 indemnification, which made the warning ominous.

17 The majority opinion superimposes on the statutory

18 wording a duty of (variously) “reasonable inquiry” (Maj. Op.

19 at 20, 39, 40), “due care” (32), “reasonable care” (30, 34-

20 36, 40), “some inquiry” (31), “reasonableness” (35), and

21 “reasonable diligence” (40). These amount to “negligence”

22 (33), and, as applied to this case, they mean that there is

23 a duty of a reseller to make inquiries of the end-user, at

24 least when there are “red flags” (32, 43). The flags here

5
 1 are said to be: use of an alias; use of a credit card in a

2 different name (Leifer’s own); use of an entity

3 (Bodyguards.com) that was defunct; and selection of

4 “Insurance Other” from the drop-down menu, which is not a

5 term expressly listed in the statute as a permitted use

6 (though insurance is, see 18 U.S.C. § 2721(b)(6) and (9)).

7 The standard adopted by the majority opinion therefore

8 requires at least that a reseller make inquiry and

9 investigation into: the user’s identity, the match between

10 the user’s name and the credit card used, and the current

11 status and activity of the employing entity. Without those

12 inquiries, there would be no red flags; they wave here only

13 by reason of the inquiries made via discovery in litigation.

14 Yet the majority subjects Arcanum and Mr. Cohn to a jury

15 trial because they failed to look for these red flags before

16 releasing Gordon’s driver information. Implicit in that

17 ruling is a requirement that resellers conduct inquiries

18 looking for red flags in every application. And that

19 presupposes personnel who can identify anomalies, and

20 evaluate responses to inquiries (e.g., “I’m using my

21 employer’s credit card”; “Oh, Bodyguards.com is doing

22 business under another name”; etc.). Although the majority

23 opinion persuasively demonstrates that Congress did not

24 intend to impose strict liability, see Maj. Op. at 19-23,

6
 1 the burden imposed by the majority opinion is, in effect,

2 not all that much less.

3 The standard expressed in the statutory wording, a

4 “knowing” misuse, is straightforward and easy to apply to

5 transactions that are (like these) numerous and fleeting.

6 By contrast, the duty of reasonable inquiry imposed by the

7 majority opinion has no clear boundaries. See, e.g.,

8 Catharine Pierce Wells, A Pragmatic Approach to Improving

9 Tort Law, 54 Vand. L. Rev. 1447, 1452 (2001) (“[N]egligence

10 doctrine has never consisted of the kind of rules that can

11 make outcomes seem predictable and certain.”). It was

12 reasonable for Congress to draw the line at a knowing

13 violation, especially in view of its intent to preserve the

14 industry of resellers (a goal acknowledged in the majority’s

15 rejection of strict liability, see Maj. Op. at 21-22). With

16

17 a clear, logical interpretation of the text available, there

18 is no need to look any further. BedRoc, 541 U.S. at 183.

19

20 IV

21 The majority adduces three arguments in support of

22 imposing a “duty of reasonable care” that would require

23 measures beyond those that Arcanum employed. None of these

24 reasons is convincing.
7
 1 First, the majority opinion cites legislative history,

2 suggesting that it “supports the conclusion that resellers

3 must exercise some degree of care.” Maj. Op. at 37. But

4 the citations reflect only an intent to protect the privacy

5 of drivers’ personal information--a broad objective that

6 does not impose a duty of inquiry and that is compatible

7 with a standard that protects resellers that commit no

8 knowing wrong. The majority opinion thus succumbs to the

9 fallacy that all remedial legislation reflects an intent to

10 advance the remedial purpose by flattening every competing

11 consideration. The majority writes: “Leifer’s threats to

12 Gordon’s family and friends were precisely the sort of acts

13 that Congress sought to curtail.” Maj. Op. at 39. All this

14 statement tells us about the duty of care is that a culpable

15 end-user such as Leifer should be liable, as he would be

16 under my reading as well.

17 Second, the majority opinion reasons that since the Act

18 allows punitive damages in cases of “willful or reckless

19 disregard of the law,” 18 U.S.C. § 2724(b)(2), the threshold

20 for generic civil liability must be lower. Maj. Op. at 34.

21 But surely the distinction between the actual and punitive

22 damages is “disregard of the law”--and a law can be

23 disregarded only by persons who are aware of it. People in

24 relevant industries will know it, but few others will have

8
 1 sufficient awareness to disregard it when they handle driver

2 records. This Act is not the kind of law imbibed with

3 mother’s milk.

4 Under a plain text reading, liability for actual or

5 liquidated damages arises for a knowing disclosure made for

6 an impermissible purpose, while punitive damages are

7 available only when that disclosure is made in disregard of

8 restrictions that the actor knows have been implemented by

9 the Act. The punitive damages clause does not refute the

10 requirement of a “knowing” mental state.

11 Third, the majority writes that the statute only makes

12 sense “logically” if it is associated with a duty of care.1

13 Maj. Op. at 31 (“Logically, the language makes clear, albeit

14 implicitly, that resellers are obliged to use some care in

15 disclosing personal information obtained from motor vehicle

16 records.”). The thrust of the argument is that, without a

1
The Sixth Circuit managed to “logically” interpret
the statute without recognizing a duty of care. See Roth v.
Guzman, 650 F.3d 603, 611 (6th Cir. 2011) (disclosure is
permitted so long as the reseller has a permissible reason
to provide the records to the requestor). In fact, the
majority opinion in that case ignored express calls from the
dissenting opinion to identify such a duty. See id. at 618
(Clay, J., dissenting) (“The majority opinion circumvents
the legal question of what duty the DPPA imposes on
Defendants . . . . In doing so, the majority reasons that as
long as a requestor represents . . . that it will use
drivers’ personal information in accordance with a DPPA
exception, [motor bureau employees] do not violate the Act
if they then knowingly disclose that information.”).
9
 1 duty of care requirement, “an upstream source could always

2 avoid liability by securing a representation that the

3 recipient of personal information had a permissible use,”

4 i.e., a certification or an indemnification agreement, both

5 of which were used by Arcanum here. Maj. Op. at 32. The

6 majority fears that this possibility would render the civil

7 remedy “toothless.” Id. I disagree. The civil remedy

8 works admirably in the overall scheme.

9 The Act, which regulates an activity that uses

10 middlemen, sensibly places civil damages liability on the

11 person who knowingly handles the information for an improper

12 purpose. The Act operates in a way that is reasonable and

13 effective (and thus “logical”). Liability for damages is

14 imposed at the point in the sequence of transactions where

15 there is knowing misconduct. Punitive damages are imposed

16 for wilful or reckless “disregard of the law,” that is, on

17 persons who know about this fairly obscure enactment

18 (usually by virtue of being in the business of violating

19 it). See 18 U.S.C. § 2724(b)(2). And the act also imposes

20 a criminal fine for knowing violations. See 18 U.S.C.

21 § 2723. The scheme as a whole induces prudent resellers to

22 warn end-users and to obtain representations of compliance.

23 In this case, the victim (Gordon) recovered damages

24 from the violator (Leifer). So it cannot be said that the

10
 1 Act was “toothless” in this case. The Act doesn’t have to

2 bite everybody.

3 The Act treats on an equal footing the end-users, the

4 resellers, and the state motor vehicle bureaus. So one

5 should be able to test the soundness of a ruling on the

6 reseller’s duty by seeing if it can fairly be applied to the

7 motor vehicle bureau as well. It is therefore telling that

8 the majority opinion expressly concedes that its ruling does

9 not apply to the state motor vehicle bureaus. See Maj. Op.

10 at 40 n.14. Not that I disagree on that score: for my part,

11 I am not sure that every employee of a motor vehicle bureau

12 can be counted on to mobilize as an eager detective.

13 The measures taken by Arcanum and Softech adequately

14 assured that they would not knowingly make a disclosure for

15 an unpermitted purpose. But the majority opinion remands

16 for a negligence finding as to the website’s instruction

17 that the customer “Must Select One” of the permissible uses

18 from the drop-down menu, and does so on the theory that such

19 an instruction affords no opportunity to state the true

20 reason. In my view, there is no basis for thinking that

21 Leifer would otherwise have revealed his true need for the

22 information (that would be: “I need to harass the

23

24

11
1 registration holder with salacious phone calls”), or that

2 the instruction (“Must Select One”) is an order to pick one

3 even if it is false. A lot of website owners should worry

4 about the implications of the majority opinion.

12