As CPW previously covered, the Fifth Circuit Court of Appeals, in a published decision, affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022. In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq, refusing to revive a putative class action where Plaintiffs demanded USD $69.9 billion in liquidated damages.

Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the unsecured online storage of Texas drivers’ license data for over 27.7 million individuals. The first three cases were filed in the District of Colorado, Northern District of Texas, and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than USD $69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.

Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed, or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted. On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.

Plaintiffs then filed an appeal to the Fifth Circuit. The Fifth Circuit, however, affirmed the district court’s dismissal.

In the wake of this impressive win for Vertafore and the SPB Team, Bloomberg Law reached out to CPW’s Rafael Langer-Osuna and Kristin Bryan to get their insight on the impact this ruling will have on DPPA litigation going forward for a recently published article.

Kristin Bryan was quoted in the article as saying, “[t]he Driver’s Privacy Protection Act, enacted in 1994, prohibits the disclosure of personal information without consent, with some exceptions. It was passed to safeguard people’s privacy and safety and to regulate the disclosure of personal information by state Departments of Motor Vehicles—not to penalize companies in the wake of a data event, as is the case here. To successfully bring claims under the statute, plaintiffs must allege a knowing disclosure. The Fifth Circuit rightly recognized that a purported mismanagement of information—such as storing driver’s license data on unprotected servers—doesn’t clear that bar.”

In the article, Rafael Langer-Osuna notably states that “[t]he law has been attractive to plaintiffs because of the potential for high fees. It provides for liquidated damages of at least [USD]$2,500 per violation. Plaintiffs have been making this reach for a long time. Now they’ll be forced to rely on statutes that actually relate to the data breach context.”

For the full scoop, click here to see the news article by Bloomberg Law.

We again want to congratulate the SPB Vertafore team for successfully defeating this high-stakes data privacy case and subsequently paving the way for future DPPA litigation to come.