From Casetext: Smarter Legal Research

Allen v. Vertafore, Inc.

United States Court of Appeals, Fifth Circuit
Mar 11, 2022
28 F.4th 613 (5th Cir. 2022)

Opinion

No. 21-20404

03-11-2022

Derek ALLEN ; Leandre Bishop; John Burns, Plaintiffs—Appellants, v. VERTAFORE, INCORPORATED, Defendant—Appellee.

Ben Barnow, Barnow and Associates, P.C., Chicago, IL, Cory Steven Fein, Cory S. Fein, P.C., Houston, TX, Benjamin F. Johns, Chimicles Schwartz Kriner & Donaldson-Smith, L.L.P., Haverford, PA, for Plaintiffs—Appellants. Damond R. Mace, Marissa L. Black, Kristin L. Bryan, Squire Patton Boggs, L.L.P., Cleveland, OH, Rafael Langer-Osuna, Squire Patton Boggs, L.L.P., San Francisco, CA, Amanda Dodds Price, Squire Patton Boggs (US), L.L.P., Houston, TX, for Defendant—Appellee.


Ben Barnow, Barnow and Associates, P.C., Chicago, IL, Cory Steven Fein, Cory S. Fein, P.C., Houston, TX, Benjamin F. Johns, Chimicles Schwartz Kriner & Donaldson-Smith, L.L.P., Haverford, PA, for Plaintiffs—Appellants.

Damond R. Mace, Marissa L. Black, Kristin L. Bryan, Squire Patton Boggs, L.L.P., Cleveland, OH, Rafael Langer-Osuna, Squire Patton Boggs, L.L.P., San Francisco, CA, Amanda Dodds Price, Squire Patton Boggs (US), L.L.P., Houston, TX, for Defendant—Appellee.

Before Southwick, Haynes, and Higginson, Circuit Judges.

Stephen A. Higginson, Circuit Judge: Plaintiffs, Texas driver's license holders, brought this action against Vertafore, Inc., for a violation of the Driver's Privacy Protection Act, 18 U.S.C. § 2721, et seq. , after Vertafore announced that unauthorized users had gained access to personal information protected by the statute that Vertafore had stored on unsecured external servers. The district court granted Vertafore's motion to dismiss. We AFFIRM.

I.

On November 10, 2020, Vertafore, an insurance software company, announced that three data files that it had "stored in an unsecured external storage service" had been accessed without authorization sometime between March and August 2020. Those files contained the driver information of approximately 27.7 million people holding Texas driver's licenses issued before February 2019. As of November 2020, Vertafore's investigation had not turned up any evidence that the information accessed without authorization had been misused.

On December 4, 2020, Plaintiffs filed a putative class action complaint against Vertafore for a violation of the Driver's Privacy Protection Act. Plaintiffs alleged that "Vertafore knowingly disclosed the Driver's License Information of Plaintiffs and approximately 27.7 million other Class members by storing that information on unsecured external servers." On January 29, 2021, Vertafore filed a motion to dismiss under Federal Rule of Civil Procedure 12(b)(1), arguing that Plaintiffs lacked standing, and under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted.

The magistrate judge held a hearing on the motion on April 27, 2021 and subsequently recommended that the district court find that Plaintiffs had standing but that they failed to state a claim. The magistrate judge noted that "absent from [Plaintiffs' complaint] is any factual allegation describing how [Vertafore's] purported mismanagement of information amounts to a knowing disclosure of personal information for an improper purpose." Therefore, he concluded that "Plaintiffs' allegation that Vertafore knowingly disclosed their personal information for an improper purpose is nothing more than a conclusory allegation or legal conclusion masquerading as a factual conclusion."

Plaintiffs objected to the magistrate judge's Memorandum and Recommendation and asked for an opportunity to amend their complaint if the district judge was not inclined to deny Vertafore's motion. On July 23, 2021, the district court adopted the magistrate judge's Memorandum and Recommendation in its entirety and granted Vertafore's motion to dismiss. Plaintiffs timely filed this appeal.

Plaintiffs have not renewed this request in their briefs on appeal.

II.

We review de novo the district court's grant of a motion to dismiss for failure to state a claim. Kennedy v. Chase Manhattan Bank USA, NA , 369 F.3d 833, 839 (5th Cir. 2004). "To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ " Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). In reviewing a motion to dismiss, we "accept[ ] all well-pleaded facts as true and view[ ] those facts in the light most favorable to the plaintiff." Cummings v. Premier Rehab Keller, P.L.L.C. , 948 F.3d 673, 675 (5th Cir. 2020) (internal citation omitted). But "a complaint's allegations must make relief plausible, not merely conceivable, when taken as true." Inclusive Communities Project, Inc. v. Lincoln Prop. Co. , 920 F.3d 890, 899 (5th Cir. 2019) (internal citation omitted). "The court's review is limited to the complaint, any documents attached to the complaint, and any documents attached to the motion to dismiss that are central to the claim and referenced by the complaint." Lone Star Fund V (U.S.), L.P. v. Barclays Bank PLC , 594 F.3d 383, 387 (5th Cir. 2010).

III.

A.

The Driver's Privacy Protection Act (DPPA) "regulates the disclosure of personal information contained in the records of state motor vehicle departments." Reno v. Condon , 528 U.S. 141, 143, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000). The DPPA was enacted in 1994 to respond to at least two concerns: "The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs. The second concern related to the States' common practice of selling personal information to businesses engaged in direct marketing and solicitation." Maracich v. Spears , 570 U.S. 48, 57, 133 S.Ct. 2191, 186 L.Ed.2d 275 (2013).

The DPPA makes it "unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title." 18 U.S.C. § 2722(a). "A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under [the DPPA] shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court." 18 U.S.C. § 2724(a). "The court may award ... actual damages, but not less than liquidated damages in the amount of $2,500 ...." § 2724(b). To state a claim for a violation of the DPPA, the complaint must adequately allege that "(1) the defendant knowingly obtain[ed], disclose[d] or use[d] personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted." Taylor v. Acxiom Corp. , 612 F.3d 325, 335 (5th Cir. 2010).

B.

Plaintiffs' complaint alleges that Vertafore knowingly disclosed Plaintiffs' personal information "by storing that information on unsecured external servers." The complaint further states that "the unsecure servers disclosed" Plaintiffs' personal information "[i]n response to the commands of unauthorized individuals and consistent with the manner in which they were programmed and configured by Vertafore." In their motion to dismiss and before us, Vertafore has argued that Plaintiffs failed to allege both that the company acted with an impermissible purpose and that the company made a knowing disclosure. Because we conclude that Plaintiffs have not alleged a "disclosure" within the meaning of the DPPA, we need not reach whether Plaintiffs sufficiently alleged that Vertafore acted knowingly and with an impermissible purpose.

We turn, then, to whether any of the allegations in Plaintiffs' complaint amount to a disclosure, as that word is used in the DPPA. When interpreting statutes, we begin with the text's plain meaning, "ascertained by reference to ‘the particular statutory language at issue, as well as the language and design of the statute as a whole.’ " United States v. Renda , 709 F.3d 472, 481 (5th Cir. 2013) (quoting Frame v. City of Arlington , 657 F.3d 215, 224 (5th Cir. 2011) ). The DPPA makes it unlawful to "obtain or disclose personal information," and Plaintiffs' complaint alleges that Vertafore "disclose[d]" Plaintiffs' personal information. § 2722(a). The statute does not define "disclose," see 18 U.S.C. § 2725, but Black's Law Dictionary defines the word as "[t]o bring into view by uncovering; to expose; to make known; to lay bare; to reveal to knowledge; to free from secrecy or ignorance, or make known." BLACK'S LAW DICTIONARY (6th ed. 1990).

The Plaintiffs argue in their briefs to us that Vertafore's disclosure was the act of "plac[ing] the information onto a server that was readily accessible to the public ," but this assertion is nowhere in Plaintiffs' complaint, nor is it supported by the facts alleged in Plaintiffs' complaint. The complaint does not allege, for example, that Vertafore published Plaintiffs' personal information on a public website or otherwise placed the information in plain view of any digital "passer-by." See Senne v. Village of Palatine, Ill. , 695 F.3d 597, 603 (7th Cir. 2012) (en banc) (holding that a police officer's placement of a parking ticket on a car windshield was a disclosure within the meaning of the DPPA because "[t]he real effect of the placement of the ticket was to make available Mr. Senne's motor vehicle record to any passer-by").

Instead, the only facts alleged in Plaintiffs' complaint are that Vertafore stored personal information on "unsecured external servers" and that unauthorized users accessed that information. Without more, these facts do not plausibly state a "disclosure" consistent with the plain meaning of that word. Nothing about the words "unsecured" or "external" implies exposure to public view, and the mere fact that unauthorized users managed to access the information does not imply that Vertafore granted or facilitated that access. After all, we would hardly say that personal information was "disclosed" if it was kept in hard copy and the papers were stolen out of an unlocked, but private, storage facility. See Enslin v. Coca-Cola Co. , 136 F. Supp. 3d 654, 658-59, 671 (E.D. Pa. 2015) (concluding that "privately holding [personal information], even in an unsecured manner, does not constitute a ‘voluntary disclosure’ under the DPPA" where personal information was stored unencrypted on laptops that were stolen from company property by an employee), aff'd , 739 F. App'x 91 (3d Cir. 2018).

Though at this stage of the proceedings we draw all reasonable inferences in Plaintiffs' favor, the inference Plaintiffs ask us to draw—from "stored on unsecured external servers" to "disclosed"—is not reasonable. See Iqbal , 556 U.S. at 678, 129 S.Ct. 1937. Because Plaintiffs have not alleged a disclosure within the meaning of the DPPA, their complaint fails to state a plausible claim for relief.

Plaintiffs cite no case in which insufficiently secure data storage constituted a "disclosure" within the meaning of the DPPA.

IV.

For the foregoing reasons, the judgment of the district court is AFFIRMED.


Summaries of

Allen v. Vertafore, Inc.

United States Court of Appeals, Fifth Circuit
Mar 11, 2022
28 F.4th 613 (5th Cir. 2022)
Case details for

Allen v. Vertafore, Inc.

Case Details

Full title:Derek Allen; Leandre Bishop; John Burns, Plaintiffs-Appellants, v…

Court:United States Court of Appeals, Fifth Circuit

Date published: Mar 11, 2022

Citations

28 F.4th 613 (5th Cir. 2022)

Citing Cases

In re GEICO Customer Data Breach Litig.

(“[T]he facts alleged in the Complaint describe Vertafore as having stored the data on servers under…

Forteza v. Pelican Inv. Holdings Grp.

At the motion to dismiss stage, “[t]he court's review is limited to the complaint, any documents attached to…