Miller v. Image Data LLC

F I L E D United States Court of Appeals Tenth Circuit UNITED STATES COURT OF APPEALS FEB 23 2004 TENTH CIRCUIT PATRICK FISHER Clerk MARY HELEN MILLER, on behalf of herself and all others similarly situated, Plaintiff - Appellant/Cross- Nos. 02-1007 and 02-1031 Appellee, (Colorado) (D.Ct. No. 99-S-481) v. IMAGE DATA LLC, Defendant - Appellee/Cross- Appellant, and ROBERT C. HOUVENER, individually and in his official capacity, Defendant. ORDER AND JUDGMENT * Before EBEL, Circuit Judge, PORFILIO, Senior Circuit Judge, and O’BRIEN, Circuit Judge. * This order and judgment is not binding precedent except under the doctrines of law of the case, res judicata and collateral estoppel. The court generally disfavors the citation of orders and judgments; nevertheless, an order and judgment may be cited under the terms and conditions of 10th Cir. R. 36.3. Mary Helen Miller brought suit against Image Data LLC alleging violations of the Driver’s Privacy Protection Act (“Driver’s Privacy Act”), 18 U.S.C. §§ 2721-2725, and Colo. Rev. Stat. § 42-1-206. 1 Both Miller and Image Data filed motions for summary judgment. The court granted Image Data’s motion, denied Miller’s, and, in a separate judgment, ordered each party to pay its own fees and costs. Miller appeals the district court’s grant of summary judgment to Image Data and the denial of her motion, while Image Data cross-appeals the court’s determination of costs. Exercising jurisdiction under 28 U.S.C. § 1291, we AFFIRM the district court’s ruling on summary judgment and REVERSE and REMAND its ruling on costs. I. Background Image Data is a high tech start-up company formed to commercially develop its True ID® system technology. The technology allows an individual’s digitized photographic image to be displayed on a small monitor at the point of a transaction, enabling identity verification. Soon after the company’s formation, its principals engaged in discussions with federal and state government officials, including Colorado, to tout the potential of their technology in preventing identity fraud. These discussions culminated in several contracts relevant to this case. 1 Colo. Rev. Stat. § 42-1-206 was repealed by Laws 1999, Ch. 298, § 4, eff. Aug. 4, 1999; deleted by Laws 1999, Ch. 118, § 3, eff. April 16, 1999) after a public outcry regarding the security and potential use of the information sold to Image Data. -2- One contract involved Image Data and the United States Secret Service, the federal agency primarily responsible for combating identity-based crimes. After Image Data spoke with several federal legislators regarding the scope of identity fraud and potential solutions to the problem, Congress earmarked $1.46 million dollars in October 1997 (federal fiscal year 1998) to fund a pilot project testing the possible technological approach to the problem. The funds were appropriated to the Secret Service, who in turn, contracted with Image Data in late 1997 to implement a pilot project. The project was designed with two objectives: (1) to “show the technical and financial feasibility of using remotely stored digital portrait images to securely perform positive identification of patrons putting forth financial instruments for negotiation or identity documents for access to services[,]” and (2) to “demonstrate how the technology can be used to prevent the issuance and use of counterfeit driver licenses at the state level . . . . ” (App. Vol. I, p. 136.) The parties disagree whether Image Data informed the Colorado officials of the ongoing negotiations for the Secret Service pilot project. While Image Data was cultivating the federal contract, it was also in discussions with Colorado officials regarding the purchase of the data found on Colorado drivers’ licenses. Because the Colorado officials wanted to be sure the purchase was legally valid, they proposed legislation which was passed in 1997, Colo. Rev. Stat. § 42-1-206. Subsection (3)(a) of that statute allowed the sale of -3- driver’s license information “if such items are to be used solely for the prevention of fraud, including, but not limited to, use in mechanisms intended to prevent the fraudulent use of credit cards, debit cards, checks, or other forms of financial transactions.” Following passage of the legislation, on November 14, 1997, Image Data and the State of Colorado entered into a contract to allow Image Data to purchase from the Colorado Department of Motor Vehicles (DMV), “copies of photographs, electronically stored photographs, or digitized images from driver’s license records and to sell the companion demographic data for identity verification to prevent fraud . . . .” 2 (App. Vol. I, p. 82.) The contract echoed the language found in Colo. Rev. Stat. 42-1-206(3)(a) to establish the parameters of the sale. Miller, a Colorado resident with a valid driver’s license and whose DMV information was presumably sold to Image Data, brought suit alleging Image Data: 1) procured information from the DMV for purposes other than the prevention of financial fraud in violation of the Driver’s Privacy Act, 18 U.S.C. § 2 The two types of data identified in the contract include “image data” and “demographic data.” (App. Vol. I, p. 83.) Image data is defined as “all images possessed by the state or its agents of the holders of Colorado drivers licenses and state identification cards . . .” (Id.) “Demographic data” is defined as the data appearing on the face of the card, including “the holder’s name, address, . . . card number, social security number, date of birth, sex, height, weight, hair color and eye color . . . .” (Id.) -4- 2722(a), and Colo. Rev. Stat. § 42-1-206 (3)(a); and 2) obtained the DMV information without disclosing its involvement with the Secret Service in violation of § 2722(b). 3 The district court concluded Image Data’s proposed use of the DMV information was permitted under § 2722(a), and Miller could not assert a private cause of action under § 2722(b). This appeal and cross appeal followed. II. Standard of Review We review rulings on summary judgment de novo applying well-settled standards. Koch v. Koch Indus., Inc., 203 F.3d 1202, 1212 (10th Cir.), cert. denied, 531 U.S. 926 (2000). Summary judgment is appropriate "if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law." Fed. R. Civ. P. 56(c). III. Driver’s Protection Privacy Act “The DPPA [Driver’s Privacy Act] regulates the disclosure and resale of personal information contained in the records of state DMV’s by limiting the 3 Miller also filed suit against Robert Houvener, former president of Image Data, in his individual and official capacities. The district court dismissed her claim against Houvener with prejudice. This ruling is not challenged on appeal. -5- state’s ability to disclose a driver’s personal information without her consent. 4 Reno v. Condon, 528 U.S. 141, 143-44 (2000). This prohibition extends to the state and to persons who have obtained the information from the state. Id. at 146 (citing 18 U.S.C. § 2721(c)). However, the restricted disclosure of personal information is subject to a number of mandatory and permissive statutory exceptions. 5 18 U.S.C. § 2721(b)(1)-(14). Section 2722 defines unlawful acts as follows: (a) Procurement for unlawful purpose. – It shall be unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title. (b) False representation. – It shall be unlawful for any person to make false representation to obtain any personal information from an individual’s motor vehicle record. The Driver’s Privacy Act authorizes a private right of action in federal court when “[a] person . . . knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter” and the Such consent cannot be implied, but must be affirmatively obtained. Reno v. 4 Condon, 528 U.S. 141, 144-45 (2000). 5 The Driver’s Privacy Act mandates certain information regarding various matters in connection with motor vehicles shall be disclosed “to carry out the purposes of [T]itles I and IV of the Anti-Car Theft Act of 1992, the Automobile Information Disclosure Act (15 U.S.C. 1231 et seq.), the Clean Air Act (42 U.S.C. 7401 et seq.), and chapters 301, 305, and 321331 of [T]itle 49. . . .” 18 U.S.C. § 2721(b). -6- information pertains to the individual bringing suit. 18 U.S.C. § 2724. A. 18 U.S.C. § 2722(a) & Colo. Rev. Stat § 42-1-206 Miller maintains Image Data violated Colo. Rev. Stat. § 42-1-206 (and as a result, the Driver’s Privacy Act) because the Colorado statute limits the sale of personal information solely for use in preventing financial fraud. She contends the contract between Image Data and the Secret Service regarding the True ID® technology could and would be used for purposes beyond preventing financial fraud, 6 and therefore, the data was procured for a purpose not permitted under the Driver’s Privacy Act. We disagree. Image Data admits its True ID® technology could be utilized for any number of purposes, including purposes beyond those raised by Miller. However, the record indicates no reasonable factual dispute as to Image Data’s purpose in procuring the DMV information. Image Data’s application for the pilot project and the contractually-required reports to the Secret Service establish the technology was used to prevent financial fraud. Even considering the potential uses of the technology, Image Data did not violate either state or federal statute. Colorado law provides DMV information may be sold “solely for the prevention of fraud, including, but not limited to, use in mechanisms intended to prevent 6 Miller identifies purposes such as “insurance and medicaid fraud; terrorism; underage drinking; drug crimes; government payments fraud; border-jumping . . . airlines and [] gun control.” (Appellant Br., p. 22.) -7- the fraudulent use of credit cards, debit cards, checks, or other forms of financial transactions.” Colo. Rev. Stat. § 42-1-206 (emphasis added). The term “fraud” as used in the statute is not limited by context or express definition and thus takes on its “generic meaning that includes virtually any kind of deception or unfair way of inducing another to surrender rights or property.” In re Attorney D., 57 P.3d 395, 402 (Colo. 2002); see also Black’s Law Dictionary (7th Ed. 1999) (Fraud is “[a] knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment . . . . [a] misrepresentation made recklessly without belief in its truth to induce another person to act.”). Image Data’s “identity verification” or “identity fraud” applications were ultimately intended to prevent fraud, financial and otherwise, by preventing the deceptive use of a false identity. Consequently, Image Data did not procure the Colorado DMV information in violation of Colorado law. Moreover, the permissive disclosure exceptions found in 18 U.S.C. § 2721(b) include a broad range of purposes aimed at preventing fraud generally. The various types of “identity-verification” or “identity-fraud” objected to by Miller fall squarely within several of the Driver’s Privacy Act’s fourteen permissive disclosure exceptions. Driver’s license information may be sold for “use by any government agency . . . or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions . . . .” 18 -8- U.S.C. § 2721(b)(1). The information may also be sold for use in the normal course of business by a business, or its agents, employees or contractors to verify the accuracy of personal information submitted by the individual to the business. 18 U.S.C. § 2721(b)(3)(A). Further, this section specifically allows “[a]n authorized recipient of personal information [with certain exceptions not applicable here to] resell or redisclose the information only for a use permitted under subsection (b) . . . .” 18 U.S.C. § 2721(c). Because the permitted uses of DMV information are not limited to the prevention of financial fraud, but include the present and potential applications of Image Data’s True ID® technology, Image Data did not violate § 2272(a) or Colo. Rev. Stat. § 42-1-206. We therefore affirm the district court’s grant of summary judgment on this claim. B. 18 U.S.C. § 2722(b) Miller also appeals the district court’s determination that no express or implied private cause of action exists under § 2722(b), contending one may be implied because of the nature and purpose of the Privacy Act in protecting individual privacy. We disagree. Whether “a statute creates a cause of action, either expressly or by implication, is basically a matter of statutory construction, such that what must ultimately be determined is whether Congress intended to create the private -9- remedy asserted.” Southwest Air Ambulance, Inc. v. City of Las Cruces, 268 F.3d 1162, 1169 (10th Cir. 2001) (quoting Transamerica Mortgage Advisors, Inc. v. Lewis, 444 U.S. 11, 16 (1979)). The “construction and applicability of a federal statute is a question of law, which we review de novo." Allison v. Bank One- Denver, 289 F.3d 1223, 1235 n.2 (10th Cir. 2002). Even assuming Miller was harmed by a § 2722(b) violation, this “does not automatically give rise to a private cause of action in favor of that person.” Southwest Air, 268 F.3d at 1169, (quoting Transamerica Mortgage Advisors, 444 U.S. at 16). The Driver’s Protection Act separates unlawful activity into two distinct categories. Section 2722(a) identifies securing or disclosing personal information for an impermissible use. In contrast, § 2722(b) prohibits the use of false representations to obtain the information. The private right of action created under 18 U.S.C. § 2724(a) reiterates the statutory language found in § 2722(a), but contains no similar reference to the false representation language in § 2722(b). Thus, the logical inference from the structure and express language of the Driver’s Privacy Act reveals Congress’ intent to create a private right of action under § 2722(a), but to leave the enforcement of a violation of § 2722(b) to the United States Department of Justice. IV. Cross Appeal--Costs Image Data appeals the district court’s separate order requiring each party -10- to pay their own fees and costs. We review an award of costs for an abuse of discretion. Munoz v. St. Mary-Corwin Hosp., 221 F.3d 1160, 1170 (10th Cir. 2000). “[C]osts other than attorney’s fees shall be allowed as of course to the prevailing party unless the court otherwise directs . . . .” Fed. R. Civ. P. 54(d)(2003). This rule “creates a presumption that the prevailing party shall recover costs [and]. . . the district court must provide a valid reason for not awarding costs to a prevailing party.” Cantrell v. International Bhd. of Elec. Workers, AFL-CIO, Local 2021, 69 F.3d 456, 459 (10th Cir.1995). The district court refused to award costs to Image Data, the prevailing party, without explanation. Therefore, we have no record on which to base our review and must remand this issue to the district court. Munoz, 221 F.3d at 1170. Consequently, the portion of the district court’s December 6, 2002 judgment ordering each party to pay its own fees and costs is REVERSED and REMANDED in accordance with Munoz, supra. V. Conclusion The district court’s determination granting summary judgment in favor of Image Data, and denying Miller’s motion for summary judgment is AFFIRMED. The court’s denial of costs is REVERSED, and the matter is REMANDED for -11- further proceedings consistent with this order and judgment. Entered by the Court: Terrence L. O’Brien United States Circuit Judge -12-