Data Broker On The Hook For $5 Million After Abusing Its Access To North Carolina DMV Data
The government demands a lot of data from its citizens. In exchange for the privilege of operating a car, the government wants to know a lot about you. It then takes this data and locks it up tight, ensuring only the agency demanding the info has access to it.
Oh, wait. It does exactly the opposite of that. It shares it with tons of other government agencies that might find that information useful. Then it sells this data to whoever it wants, profiting off information citizens are obligated to give to the government.
Late last year, Karl Bode covered the state of California's routine abuse of driver and vehicle data. The state's DMV raked in $50 million selling this data to data brokers like LexisNexis and a host of other private entities, like Experian and an untold number of private investigators.
A lawsuit against LexisNexis filed in North Carolina has just paid off for the plaintiffs, as Joseph Cox reports for Vice.
On Tuesday the massive data broker LexisNexis reached a settlement of over $5 million in response to a class action lawsuit that alleged the company sold DMV data to law firms, which then used it for their own business purposes.
[...]
"Defendants will make payment of the amount of service awards, attorneys' fees, and other expenses approved by the Court up to and not more than $5,150,000.00, in the aggregate, by wire transfer to the agent identified by Class Counsel," the proposed settlement agreement reads. Law360 first reported the settlement.
LexisNexis was just taking advantage of lax privacy laws in North Carolina. So were the government agencies that sold the data to LexisNexis in the first place. The lawsuit alleged LexisNexis sold motor vehicle records in a way that violated the state's Drivers' Privacy Protection Act. The Act doesn't appear to have provided much protection. LexisNexis and other customers weren't actually following the law, which supposedly requires private entities to detail their planned use of the data before obtaining it. This doesn't appear to have happened in this case.
And the law still allows private investigators to access the data, despite a private investigator's careless handling of purchased data having prompted the creation of the law.
Ironically, the permissible uses also include for private investigators; the DPPA was created in the first place after a private investigator working for a stalker obtained the address of actress Rebecca Schaeffer from the DMV. The stalker then murdered Schaeffer.
This settlement is a drop in the cash flow bucket for LexisNexis, which likely won't be deterred from misusing this information in the future. The solution isn't lawsuits. It's legislation that forbids state agencies from selling the data it forces residents to hand over in exchange for public goods and services. Until that happens, abusive uses of this data will still be a regular occurrence.