Case: 21-20404 Document: 00516235197 Page: 1 Date Filed: 03/11/2022
United States Court of Appeals for the Fifth Circuit United States Court of Appeals Fifth Circuit
FILED March 11, 2022 No. 21-20404 Lyle W. Cayce Clerk Derek Allen; Leandre Bishop; John Burns,
Plaintiffs—Appellants,
versus
Vertafore, Incorporated,
Defendant—Appellee.
Appeal from the United States District Court for the Southern District of Texas USDC No. 4:20-CV-4139
Before Southwick, Haynes, and Higginson, Circuit Judges. Stephen A. Higginson, Circuit Judge: Plaintiffs, Texas driver’s license holders, brought this action against Vertafore, Inc., for a violation of the Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq., after Vertafore announced that unauthorized users had gained access to personal information protected by the statute that Vertafore had stored on unsecured external servers. The district court granted Vertafore’s motion to dismiss. We AFFIRM. Case: 21-20404 Document: 00516235197 Page: 2 Date Filed: 03/11/2022
No. 21-20404
I. On November 10, 2020, Vertafore, an insurance software company, announced that three data files that it had “stored in an unsecured external storage service” had been accessed without authorization sometime between March and August 2020. Those files contained the driver information of approximately 27.7 million people holding Texas driver’s licenses issued before February 2019. As of November 2020, Vertafore’s investigation had not turned up any evidence that the information accessed without authorization had been misused. On December 4, 2020, Plaintiffs filed a putative class action complaint against Vertafore for a violation of the Driver’s Privacy Protection Act. Plaintiffs alleged that “Vertafore knowingly disclosed the Driver’s License Information of Plaintiffs and approximately 27.7 million other Class members by storing that information on unsecured external servers.” On January 29, 2021, Vertafore filed a motion to dismiss under Federal Rule of Civil Procedure 12(b)(1), arguing that Plaintiffs lacked standing, and under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted. The magistrate judge held a hearing on the motion on April 27, 2021 and subsequently recommended that the district court find that Plaintiffs had standing but that they failed to state a claim. The magistrate judge noted that “absent from [Plaintiffs’ complaint] is any factual allegation describing how [Vertafore’s] purported mismanagement of information amounts to a knowing disclosure of personal information for an improper purpose.” Therefore, he concluded that “Plaintiffs’ allegation that Vertafore knowingly disclosed their personal information for an improper purpose is nothing more than a conclusory allegation or legal conclusion masquerading as a factual conclusion.”
2 Case: 21-20404 Document: 00516235197 Page: 3 Date Filed: 03/11/2022
Plaintiffs objected to the magistrate judge’s Memorandum and Recommendation and asked for an opportunity to amend their complaint if the district judge was not inclined to deny Vertafore’s motion. 1 On July 23, 2021, the district court adopted the magistrate judge’s Memorandum and Recommendation in its entirety and granted Vertafore’s motion to dismiss. Plaintiffs timely filed this appeal. II. We review de novo the district court’s grant of a motion to dismiss for failure to state a claim. Kennedy v. Chase Manhattan Bank USA, NA, 369 F.3d 833, 839 (5th Cir. 2004). “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). In reviewing a motion to dismiss, we “accept[] all well-pleaded facts as true and view[] those facts in the light most favorable to the plaintiff.” Cummings v. Premier Rehab Keller, P.L.L.C., 948 F.3d 673, 675 (5th Cir. 2020) (internal citation omitted). But “a complaint’s allegations must make relief plausible, not merely conceivable, when taken as true.” Inclusive Communities Project, Inc. v. Lincoln Prop. Co., 920 F.3d 890, 899 (5th Cir. 2019) (internal citation omitted). “The court’s review is limited to the complaint, any documents attached to the complaint, and any documents attached to the motion to dismiss that are central to the claim and referenced by the complaint.” Lone Star Fund V (U.S.), L.P. v. Barclays Bank PLC, 594 F.3d 383, 387 (5th Cir. 2010).
1 Plaintiffs have not renewed this request in their briefs on appeal.
3 Case: 21-20404 Document: 00516235197 Page: 4 Date Filed: 03/11/2022
III. A. The Driver’s Privacy Protection Act (DPPA) “regulates the disclosure of personal information contained in the records of state motor vehicle departments.” Reno v. Condon, 528 U.S. 141, 143 (2000). The DPPA was enacted in 1994 to respond to at least two concerns: “The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs. The second concern related to the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.” Maracich v. Spears, 570 U.S. 48, 57 (2013). The DPPA makes it “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.” 18 U.S.C. § 2722(a). “A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under [the DPPA] shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.” 18 U.S.C. § 2724(a). “The court may award . . . actual damages, but not less than liquidated damages in the amount of $2,500 . . . .” § 2724(b). To state a claim for a violation of the DPPA, the complaint must adequately allege that “(1) the defendant knowingly obtain[ed], disclose[d] or use[d] personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted.” Taylor v. Acxiom Corp., 612 F.3d 325, 335 (5th Cir. 2010). B. Plaintiffs’ complaint alleges that Vertafore knowingly disclosed Plaintiffs’ personal information “by storing that information on unsecured external servers.” The complaint further states that “the unsecure servers
4 Case: 21-20404 Document: 00516235197 Page: 5 Date Filed: 03/11/2022
Free access — add to your briefcase to read the full text and ask questions with AI
Case: 21-20404 Document: 00516235197 Page: 1 Date Filed: 03/11/2022
United States Court of Appeals for the Fifth Circuit United States Court of Appeals Fifth Circuit
FILED March 11, 2022 No. 21-20404 Lyle W. Cayce Clerk Derek Allen; Leandre Bishop; John Burns,
Plaintiffs—Appellants,
versus
Vertafore, Incorporated,
Defendant—Appellee.
Appeal from the United States District Court for the Southern District of Texas USDC No. 4:20-CV-4139
Before Southwick, Haynes, and Higginson, Circuit Judges. Stephen A. Higginson, Circuit Judge: Plaintiffs, Texas driver’s license holders, brought this action against Vertafore, Inc., for a violation of the Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq., after Vertafore announced that unauthorized users had gained access to personal information protected by the statute that Vertafore had stored on unsecured external servers. The district court granted Vertafore’s motion to dismiss. We AFFIRM. Case: 21-20404 Document: 00516235197 Page: 2 Date Filed: 03/11/2022
No. 21-20404
I. On November 10, 2020, Vertafore, an insurance software company, announced that three data files that it had “stored in an unsecured external storage service” had been accessed without authorization sometime between March and August 2020. Those files contained the driver information of approximately 27.7 million people holding Texas driver’s licenses issued before February 2019. As of November 2020, Vertafore’s investigation had not turned up any evidence that the information accessed without authorization had been misused. On December 4, 2020, Plaintiffs filed a putative class action complaint against Vertafore for a violation of the Driver’s Privacy Protection Act. Plaintiffs alleged that “Vertafore knowingly disclosed the Driver’s License Information of Plaintiffs and approximately 27.7 million other Class members by storing that information on unsecured external servers.” On January 29, 2021, Vertafore filed a motion to dismiss under Federal Rule of Civil Procedure 12(b)(1), arguing that Plaintiffs lacked standing, and under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted. The magistrate judge held a hearing on the motion on April 27, 2021 and subsequently recommended that the district court find that Plaintiffs had standing but that they failed to state a claim. The magistrate judge noted that “absent from [Plaintiffs’ complaint] is any factual allegation describing how [Vertafore’s] purported mismanagement of information amounts to a knowing disclosure of personal information for an improper purpose.” Therefore, he concluded that “Plaintiffs’ allegation that Vertafore knowingly disclosed their personal information for an improper purpose is nothing more than a conclusory allegation or legal conclusion masquerading as a factual conclusion.”
2 Case: 21-20404 Document: 00516235197 Page: 3 Date Filed: 03/11/2022
Plaintiffs objected to the magistrate judge’s Memorandum and Recommendation and asked for an opportunity to amend their complaint if the district judge was not inclined to deny Vertafore’s motion. 1 On July 23, 2021, the district court adopted the magistrate judge’s Memorandum and Recommendation in its entirety and granted Vertafore’s motion to dismiss. Plaintiffs timely filed this appeal. II. We review de novo the district court’s grant of a motion to dismiss for failure to state a claim. Kennedy v. Chase Manhattan Bank USA, NA, 369 F.3d 833, 839 (5th Cir. 2004). “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). In reviewing a motion to dismiss, we “accept[] all well-pleaded facts as true and view[] those facts in the light most favorable to the plaintiff.” Cummings v. Premier Rehab Keller, P.L.L.C., 948 F.3d 673, 675 (5th Cir. 2020) (internal citation omitted). But “a complaint’s allegations must make relief plausible, not merely conceivable, when taken as true.” Inclusive Communities Project, Inc. v. Lincoln Prop. Co., 920 F.3d 890, 899 (5th Cir. 2019) (internal citation omitted). “The court’s review is limited to the complaint, any documents attached to the complaint, and any documents attached to the motion to dismiss that are central to the claim and referenced by the complaint.” Lone Star Fund V (U.S.), L.P. v. Barclays Bank PLC, 594 F.3d 383, 387 (5th Cir. 2010).
1 Plaintiffs have not renewed this request in their briefs on appeal.
3 Case: 21-20404 Document: 00516235197 Page: 4 Date Filed: 03/11/2022
III. A. The Driver’s Privacy Protection Act (DPPA) “regulates the disclosure of personal information contained in the records of state motor vehicle departments.” Reno v. Condon, 528 U.S. 141, 143 (2000). The DPPA was enacted in 1994 to respond to at least two concerns: “The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs. The second concern related to the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.” Maracich v. Spears, 570 U.S. 48, 57 (2013). The DPPA makes it “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.” 18 U.S.C. § 2722(a). “A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under [the DPPA] shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.” 18 U.S.C. § 2724(a). “The court may award . . . actual damages, but not less than liquidated damages in the amount of $2,500 . . . .” § 2724(b). To state a claim for a violation of the DPPA, the complaint must adequately allege that “(1) the defendant knowingly obtain[ed], disclose[d] or use[d] personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted.” Taylor v. Acxiom Corp., 612 F.3d 325, 335 (5th Cir. 2010). B. Plaintiffs’ complaint alleges that Vertafore knowingly disclosed Plaintiffs’ personal information “by storing that information on unsecured external servers.” The complaint further states that “the unsecure servers
4 Case: 21-20404 Document: 00516235197 Page: 5 Date Filed: 03/11/2022
disclosed” Plaintiffs’ personal information “[i]n response to the commands of unauthorized individuals and consistent with the manner in which they were programmed and configured by Vertafore.” In their motion to dismiss and before us, Vertafore has argued that Plaintiffs failed to allege both that the company acted with an impermissible purpose and that the company made a knowing disclosure. Because we conclude that Plaintiffs have not alleged a “disclosure” within the meaning of the DPPA, we need not reach whether Plaintiffs sufficiently alleged that Vertafore acted knowingly and with an impermissible purpose. We turn, then, to whether any of the allegations in Plaintiffs’ complaint amount to a disclosure, as that word is used in the DPPA. When interpreting statutes, we begin with the text’s plain meaning, “ascertained by reference to ‘the particular statutory language at issue, as well as the language and design of the statute as a whole.’” United States v. Renda, 709 F.3d 472, 481 (5th Cir. 2013) (quoting Frame v. City of Arlington, 657 F.3d 215, 224 (5th Cir. 2011)). The DPPA makes it unlawful to “obtain or disclose personal information,” and Plaintiffs’ complaint alleges that Vertafore “disclose[d]” Plaintiffs’ personal information. § 2722(a). The statute does not define “disclose,” see 18 U.S.C. § 2725, but Black’s Law Dictionary defines the word as “[t]o bring into view by uncovering; to expose; to make known; to lay bare; to reveal to knowledge; to free from secrecy or ignorance, or make known.” Black’s Law Dictionary (6th ed. 1990). The Plaintiffs argue in their briefs to us that Vertafore’s disclosure was the act of “plac[ing] the information onto a server that was readily accessible to the public,” but this assertion is nowhere in Plaintiffs’ complaint, nor is it supported by the facts alleged in Plaintiffs’ complaint. The complaint does not allege, for example, that Vertafore published Plaintiffs’ personal information on a public website or otherwise placed the information in plain view of any digital “passer-by.” See Senne v. Village of Palatine, Ill.,
5 Case: 21-20404 Document: 00516235197 Page: 6 Date Filed: 03/11/2022
695 F.3d 597, 603 (7th Cir. 2012) (en banc) (holding that a police officer’s placement of a parking ticket on a car windshield was a disclosure within the meaning of the DPPA because “[t]he real effect of the placement of the ticket was to make available Mr. Senne’s motor vehicle record to any passer-by”). Instead, the only facts alleged in Plaintiffs’ complaint are that Vertafore stored personal information on “unsecured external servers” and that unauthorized users accessed that information. Without more, these facts do not plausibly state a “disclosure” consistent with the plain meaning of that word. Nothing about the words “unsecured” or “external” implies exposure to public view, and the mere fact that unauthorized users managed to access the information does not imply that Vertafore granted or facilitated that access. After all, we would hardly say that personal information was “disclosed” if it was kept in hard copy and the papers were stolen out of an unlocked, but private, storage facility. See Enslin v. Coca-Cola Co., 136 F. Supp. 3d 654, 658-59, 671 (E.D. Pa. 2015) (concluding that “privately holding [personal information], even in an unsecured manner, does not constitute a ‘voluntary disclosure’ under the DPPA” where personal information was stored unencrypted on laptops that were stolen from company property by an employee), aff’d, 739 F. App’x 91 (3d Cir. 2018). Though at this stage of the proceedings we draw all reasonable inferences in Plaintiffs’ favor, the inference Plaintiffs ask us to draw—from “stored on unsecured external servers” to “disclosed”—is not reasonable. See Iqbal, 556 U.S. at 678. 2 Because Plaintiffs have not alleged a disclosure within the meaning of the DPPA, their complaint fails to state a plausible claim for relief.
2 Plaintiffs cite no case in which insufficiently secure data storage constituted a “disclosure” within the meaning of the DPPA.
6 Case: 21-20404 Document: 00516235197 Page: 7 Date Filed: 03/11/2022
IV. For the foregoing reasons, the judgment of the district court is AFFIRMED.