Invasion of Privacy: Data Breach of MN Drivers’ Information
The Department of Natural Resources (DNR) recently disclosed that a manager of its enforcement division, Captain John Hunt, accessed driver’s license data of thousands of people. The revelation of this data breach by the DNR is a good example of how accessing private information constitutes an invasion of privacy, and Hunt’s alleged actions represent the latest in a number of cases where government actors illegally accessed private information. In a similar case, plaintiff Anne Rasmusson, a former police officer, recently settled part of her lawsuit with numerous defendants (individual law enforcement officers and government entities) for approximately $1,000,000.00 after her private information from her driver’s license was accessed hundreds of times over many years. As the Rasmusson case illustrates, a data breach in and of itself, i.e., access to the data without dissemination of the data, can be costly for the wrongdoers and their employers.
According to reports, Hunt accessed the confidential data while off duty through the use of the state’s driver and vehicle services database. He purportedly targeted specific people, including certain professionals, celebrities, politicians, coworkers and neighbors. Hunt, who was a manager with data training responsibility, did not have a business purpose for accessing the information, according to reports.
Hunt’s alleged viewing of driver’s license information could violate state and federal privacy laws. The information in the database includes driving records, photographs, addresses, and the individual’s height, weight, and eye color. To access the personal information without a legitimate government purpose constitutes a violation of the Driver’s Privacy Protection Act (DPPA), a federal law embodied in 18 U.S.C. §§ 2721 to 2725. Under the DPPA, a victim whose data was illegally accessed is entitled to bring a civil lawsuit and recover “actual damages, but not less than liquidated damages in the amount of $2,500.00.” 18 U.S.C. § 2725, subd. (b)(1). Punitive damages may be available for “willful or reckless disregard of the law.” 18 U.S.C. § 2725, subd. (b)(2). A plaintiff is also entitled to recover reasonable attorneys’ fees and litigation costs under the DPPA. 18 U.S.C. § 2725, subd. (b)(3). Because the DPPA allows recovery for the data breach alone (solely for accessing records), it is a powerful statute to promote the protection of privacy interests.
Accessing private information from the driver and vehicle services database can also constitute the common law tort of invasion of privacy. In 1998, the Minnesota Supreme Court formally recognized the right of citizens to sue for invasion of privacy, recognizing three types of claims: intrusion upon seclusion, appropriation of a name or likeness of another, and publication of private facts. Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231, 236 (Minn. 1998). The court noted the importance of privacy in our lives:
The right to privacy is an integral part of our humanity; one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close.
Lake, 582 N.W.2d at 235. Part of our historic rights in the privacy arena is the “right to be let alone.” Id.
Accessing confidential information may constitute the invasion of privacy tort of “intrusion upon seclusion.” That type of invasion of privacy claim deals with wrongfully intruding into an individual’s private life. Minnesota courts recognize that the claim has three elements: (a) an intrusion; (b) that is highly offensive; and (c) into some matter in which a person has a legitimate expectation of privacy. Swarthout v. Mut. Serv. Life Ins. Co., 632 N.W.2d 741, 744 (Minn. App. 2001). Certainly, our citizens have a legitimate expectation of privacy in their personal information stored on the driver and vehicle services database. That information is protected by state and federal laws, and cannot be accessed except for specific governmental purposes. Accessing the information to research personal information about people should be considered highly offensive conduct.
Captain John Hunt’s alleged conduct is just the most recent example of how our personal information can be compromised in today’s informational age. His conduct, if proven, would form the basis to assert claims for violations of the DPPA, invasion of privacy, as well as other laws.
For over 20 years, attorney James Sheehy has effectively served his clients as lawyer advocate, trusted adviser and counselor. James Sheehy specializes in personal injury, product liability and wrongful death cases.