As reported in Law360, last week the Fifth Circuit Court of Appeals in a published decision affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022.  In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq, refusing to revive a putative class action where Plaintiffs demanded $69.9 billion USD in liquidated damages.

CPW is proud to highlight Squire Patton Boggs (US) LLP’s representation of defendant Vertafore in this high-stakes data privacy case, including in particular the leadership of SPB Senior Partner Damond Mace and Partners (and regular CPW contributors) Kristin Bryan and Rafael Langer-Osuna.

Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the unsecured online storage of Texas drivers’ license data for over 27.7 million individuals.  The first three cases were filed in the District of Colorado, Northern District of Texas and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than US$69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.

Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted.  On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.

Plaintiffs then filed an appeal to the Fifth Circuit.   The Fifth Circuit, however, affirmed the district court’s dismissal.

In its ruling, the Fifth Circuit commented that “[t]he [DPPA] ‘regulates the disclosure of personal information contained in the records of state motor vehicle departments.’”  (quotation omitted).  The statute “was enacted in 1994 to respond to at least two concerns: ‘The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs.  The second concern related to the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.’”  To put it otherwise, the DPPA predated modern developments concerning data events and cyberattacks—notwithstanding its frequent use by plaintiffs in data breach-type litigations.

The Fifth Circuit affirmed dismissal of the Complaint for Plaintiffs’ failure to allege a “disclosure” of their information as required to state a cognizable DPPA claim.  As the Court reasoned:

[T]he only facts alleged in Plaintiffs’ complaint are that Vertafore stored personal information on “unsecured external servers” and that unauthorized users accessed that information.  Without more, these facts do not plausibly state a “disclosure” consistent with the plain meaning of that word.  Nothing about the words “unsecured” or “external” implies exposure to public view, and the mere fact that unauthorized users managed to access the information does not imply that Vertafore granted or facilitated that access.  After all, we would hardly say that personal information was “disclosed” if it was kept in hard copy and the papers were stolen out of an unlocked, but private, storage facility.

Though at this stage of the proceedings we draw all reasonable inferences in Plaintiffs’ favor, the inference Plaintiffs ask us to draw—from “stored on unsecured external servers” to “disclosed”—is not reasonable. Because Plaintiffs have not alleged a disclosure within the meaning of the DPPA, their complaint fails to state a plausible claim for relief.

(citations omitted).  Additionally, the Fifth Circuit also noted in a footnote that “Plaintiffs cite no case in which insufficiently secure data storage constituted a ‘disclosure’ within the meaning of the DPPA.”

Moving forward, the Fifth Circuit’s ruling will have a significant impact on cases brought under the DPPA and similar statutes.  Simply put, such statutes, with their large statutory damages provisions, are not meant to support claims for data breaches.  The Court’s definition of “disclosure”—that it requires that the defendant take action to expose the data to the public—will materially undermine future data breach-based DPPA claims.  This is a significant win for defendants as the DPPA claims carry a minimum of $2,500 in statutory liquidated damages per plaintiff and therefore have become attractive claims for plaintiffs’ attorneys bringing putative class actions in data privacy litigations.

The SPB Vertafore team consists of partners Damond Mace, Rafael Langer-Osuna, Kristin Bryan, and Brent Owen, of-counsel Bobby Hawkins, principal Amanda Dodds Price, and associate Marissa Black.