A Minnesota resident, Jeffrey Ness, has filed a potential class action lawsuit against the state’s Department of Natural Resources (DNR) and Department of Public Safety after a DNR employee exceeded authorized access and accessed about 5,000 residents’ driver’s license information. The employee was terminated but the motive for the improper access was not disclosed.
In the lawsuit filed yesterday in federal court, Ness alleges that as a result of the breach, he suffered “injuries, including but not limited to emotional distress, anxiety, and stress.”
The lawsuit alleges violations of the Drivers Privacy Protection Act and the Fourth Amendment, as well as invasion of privacy.
I certainly don’t expect the Fourth Amendment claim to be upheld because then every time a government employee snooped in a file, the government might get sued. But can Ness get a statutory award for the alleged violation of DPPA? The DPPA provides:
A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.
(b) Remedies — The court may award —
(1) actual damages, but not less than liquidated damages in the amount of $2,500;
(2) punitive damages upon proof of willful or reckless disregard of the law;
(3) reasonable attorneys’ fees and other litigation costs reasonably incurred; and
(4) such other preliminary and equitable relief as the court determines to beappropriate.
I’d normally expect a lawsuit without demonstration of actual harm to get tossed, but it sounds like Ness might have a case against the employee. As to the state defendants, if Ness can show that the state knew it had a serious and repeated problem with inappropriate access to the database (and I’ve blogged about the repeated problems/breaches on PogoWasRight.org), that might help his claims against the state defendants. Then again, if the state’s Attorney General decided to go after the state agencies for a pattern of inadequate security that resulted in repeated and substantial noncompliance with the DPPA, they could be fined $5,000 a day for each day of substantial noncompliance. As I’ve blogged on PogoWasRight.org, I do think that someone should be doing something about all of the breaches involving their driver’s license database.
Bottom line: I won’t be surprised if the lawsuit gets dismissed, but it might turn out to be interesting.
But then, I am not a lawyer. Maybe I can get a lawyer to blog about this lawsuit and offer their more informed opinion.
h/t, AP
I just stumbled upon your blog and have enjoyed it. I find this breach totally avoidable, like most; however, most companies that are not required to have Data Protection Policies in place – don’t and if they do, I have found that the training is grossly lacking. I work everyday to assist companies in learning how important a Data Protection Program and training is; however, it appears that more breaches are going to have to occur before it becomes SOP.
Great blog, I will continue to check back!
Claire G. Christison, CSDS