The Driver’s Privacy Protection Act ("DPPA"), 18 U.S.C. Section 2721, et seq, was enacted by Congress in 1994 after the highly-publicized murder of actress Rebecca Schaeffer by a stalker who obtained her unlisted address from the California Department of Motor Vehicles. ("DMV"). The Act restricts state DMVs from disclosing personal information contained in motor vehicle records except for specific governmental and business purposes. In addition, the statute provides that is "unlawful for an person knowingly to obtain or disclose personal information from a motor vehicle record" for any use not permitted under 18 U.S.C. Section 2722(a).
In January of this year, the Minnesota Department of Natural Resources ("DNR") sent a letter to more than 5,000 individuals stating that it had discovered that one of its former employees, John Hunt, had improperly accessed their motor vehicle record data approximately nineteen thousand times. Hunt is no longer employed by the Minnesota DNR.
Attorneys for some of the recipients of the breach notification letter filed a total of five class action lawsuits under the DPPA, which were consolidated in U.S. District Court for the District of Minnesota under the caption Kiminski, et al v. Hunt, et al, No. 13-185. Plaintiffs named a number of supervisors and commissioners of the DNR and the Minnesota Department of Public Safety as defendants in their personal capacities, along with Hunt. In addition to claims under the DPPA, plaintiffs asserted claims under 42 U.S.C. Section 1983, a catch-all cause of action allowing claims against state actors for denying someone their rights under a law or the Constitution.
On September 20, 2013, District Judge Joan N. Ericksen issued an order granting a motion to dismiss all of the state-affiliated employees, leaving only Hunt himself as a defendant. Judge Ericksen held that plaintiffs had not stated a cause of action as to the dismissed defendants because none of them obtained or disclosed information for improper purposes, even though Hunt allegedly did so under their watch. The court dismissed the Section 1983 claim because she interpreted the DPPA as including an express private means of redress that precludes a more expansive remedy under Section 1983.
Minnesota has been the land of 10,000 privacy leaks lately, as the State grapples with negative publicity from the disclosure that an employee of the state’s new on-line health insurance exchange, MNsure, accidentally distributed confidential information, including Social Security numbers, of insurance agents who had participated in training on the system. State officials are concerned that the leak will erode the public’s confidence in the system which is scheduled to go live in October. Minnesota’s Legislative Auditor is currently investigating MNsure’s data security practices.