In researching an article published by Agency Checklists in December, 2014, “Agency’s Loyalty To Employee Results In Lawsuit”, I had occasion to read the Drivers Privacy Protection Act (“DPPA”). I was surprised by this law’s strict liability and mandatory minimum damages and decided to write this article in case any readers, whose agencies have access to Registry records, also did not know of this law’s reach.
The DPPA creates substantial potential civil liability to any persons that improperly access or use personal information from motor vehicle records held by state registries of motor vehicles. For insurance agencies and insurance companies, however, vicarious liability can arise under this law simply by an employee helping a friend or relative to get an address from a motor vehicle record at the Registry.
The DPPA, a law that insurance agencies and insurance companies need to know
Insurance agents and companies may already know of the DPPA and have taken steps to insure that their employees do not violate this law’s strict liability provisions.
The DPPA was originally spawned by the tragic murder in the late 1980’s of a television actress. A crazed fan of hers retained a private investigator who recorded the actress’ license plate number. The investigator then went to the California State Department of Motor Vehicles where, for a nominal fee, he was able to obtain the actress’ home address. Once he got the address from the private investigator the fan went to the actress’ home and murdered her. A subsequent Congressional hearing revealed a number of cases where stalkers, harassers, and criminals identified their targets’ addresses and other personal information from freely available state motor vehicle records.
As a result of these hearings, Congress included the DPPA as part of the Violent Crime Control and Law Enforcement Act of 1994.
The DPPA allows liquidated damages, punitive damages and attorney fees without fault
The civil liability provisions of the DPPA, found at 18 U.S. Code § 2724, allows for substantial recovery against any “person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not specifically permitted” under the statute. Anyone whose personal information was accessed in violation of the DPPA has the right to file a civil action against any persons who violated the law in federal court.
Once proof shows the unpermitted acquisition, disclosure or use of personal information from a motor vehicle record by the defendant, the defendant becomes liable for:
(1) actual damages, but not less than liquidated damages in the amount of $2,500;
(2) punitive damages upon proof of willful or reckless disregard of the law;
(3) reasonable attorneys’ fees and other litigation costs reasonably incurred; and
(4) such other preliminary and equitable relief as the court determines to be appropriate.
In many cases involving DPPA violations, the employer of the person who violated the DPPA become vicarious defendants if the violation occurred as a result of actions taken by the employee within his or her apparent authority.
Federal courts have found vicarious liability against employers whose employees violate DPPA
Federal courts in interpreting the DPPA have not limited liability to just persons who actually accessed or used personal information in violation of DPPA provisions. Employers, whose employees have violated the DPPA, have been held liable even though the employer did not authorize or permit the violation.
One court put the reason for this public policy as: “By imposing vicarious liability upon employers, they will have incentive to adopt appropriate policies and procedures to prevent the misuse of motor vehicle records, thereby furthering the DPPA’s goals of protecting individuals’ personal information found in motor vehicle records.” Margan v. Niles, 250 F. Supp. 2d 63, 74-75 (2003).
In entering summary judgment against an employer for a DPPA violation committed under an employee’s apparent authority, another federal judge recently stated,: “The DPPA creates a form of tort liability, and I see nothing indicating that Congress did not intend to incorporate ordinary tort-related vicarious-liability rules into the DPPA.” Schierts v. City of Brookfield, 868 F. Supp. 2d 818, 819-21 (2012).
Large verdict are possible under DPPA against employers whose employees use their apparent authority to violate the DPPA
There are apparently no reported cases yet that involve insurance agencies or insurance companies violations of the DPPA, although a Massachusetts superior court decision that involves applying the DPPA to an insurance agency is on appeal. However, other cases that have been decided under the DPPA show that an employee’s violation of this law can be costly to an employer.
In Menghi v. Hart, 745 F. Supp. 2d 89 (2010) a police officer lawfully arrested Ms. Menghi for drunken driving. Subsequent to her arrest, Ms. Menghi received, on several occasions over the course of three years, anonymous phone calls at her home of a harassing and threatening nature. After she filed complaints with the local police department, an investigation determined that the arresting officer had accessed her personal information from motor vehicle records on three occasions before the original arrest.
The officer resigned after admitting the harassing phone calls and pled guilty to aggravated harassment, computer trespass, and official misconduct.
Ms. Menghi, however, sued the former officer and the town that employed him under the DPPA. The town claimed that the officer, in accessing her personal information had not been acting in the scope of his employment. The Federal jury that heard the case disagreed and awarded Ms. Menghi $1,000,000 in compensatory damages and $2,000,000 in punitive damages. The trial judge substantially reduced these awards as excessive but still allowed the plaintiff to recover $600,000 in damages plus over $230,000 in attorney fees and costs.
Insurance agencies and companies avoiding DPPA liability by clear policies and prohibitions
As stated by the federal judge in the Menghi case, the purpose in imposing vicarious liability on employers for DPPA violation is “to adopt appropriate policies and procedures to prevent the misuse of motor vehicle records”.
One of the specified uses that the DPPA allows for obtaining and using personal information from motor vehicle records is:
[The] use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
Insurance agencies and companies may wish to review their policies and procedures applicable to employees that have access to personal information from the Registry of Motor Vehicles to minimize any risk under the DPPA.
The implementation and maintenance of such DPPA policies and procedures for insurance agencies may be especially important. Many CGL policies now carry an exclusion that denies coverage for liability arising under:
Any federal, state or local statute, ordinance or regulation…that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.
If an insurance agency’s professional liability policy has any similar exclusion, an agency’s protection will have to arise from its own procedure manual and its requiring that its employees strictly adhere to rules that prohibit any use of personal information from motor vehicle records for anything other than “claims investigation activities, antifraud activities, rating or underwriting.”