The Fifth Circuit Court of Appeals in a published decision affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022. In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq., refusing to revive a putative class action where Plaintiffs demanded $69.9 billion USD in liquidated damages.
A Squire Patton Boggs team consisting of partners Damond Mace, Rafael Langer-Osuna, Kristin Bryan, and Brent Owen, of-counsel Bobby Hawkins, principal Amanda Dodds Price, and associate Marissa Black successfully represented Vertafore in this high-stakes data privacy case.
Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the temporary and inadvertent unsecured online storage of Texas drivers’ license data for over 27.7 million individuals. The first three cases were filed in the District of Colorado, Northern District of Texas and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than US$69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.
Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted. On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.
Plaintiffs then filed an appeal to the Fifth Circuit. The Fifth Circuit, however, affirmed the district court’s dismissal.
In its ruling, the Fifth Circuit commented that “[t]he [DPPA] ‘regulates the disclosure of personal information contained in the records of state motor vehicle departments.’” (quotation omitted). The statute “was enacted in 1994 to respond to at least two concerns: ‘The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs. The second concern related to the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.’” To put it otherwise, the DPPA predated modern developments concerning data events and cyberattacks—notwithstanding its frequent use by plaintiffs in data breach-type litigations.
The Fifth Circuit affirmed dismissal of the Complaint for Plaintiffs’ failure to allege a “disclosure” of their information as required to state a cognizable DPPA claim. Additionally, the Fifth Circuit also noted in a footnote that “Plaintiffs cite no case in which insufficiently secure data storage constituted a ‘disclosure’ within the meaning of the DPPA.”
The Fifth Circuit was the first federal circuit court to squarely address these issues, making this ruling likely to impact the course of other DPPA putative class actions in the data event and cybersecurity context going forward.