In January of this year, news broke about a security breach at the Minnesota Department of Natural Resources. Forty eight-year-old DNR employee John Hunt had made over 19,000 unauthorized queries into the state's Driver and Vehicle Services database in the past five years, accessing the records of approximately 5,000 people, mostly women. Hunt not only accessed the database storing names, addresses, birthdays, height and weight as well as driver's license photos, but he also stored photos of 172 women in a file on his computer. Being the data security guy that he was (Hunt's responsibilities at the DNR included training other employees on data security), Hunt had encrypted the file and stealthily named it "Mug Shot."
After the DNR got wind of Hunt's shenanigans, it took steps to remedy the issue. The DNR fired Hunt and sent letters to the people whose records had been inappropriately accessed informing them of the breach. It also asked the Minnesota Bureau of Criminal Apprehension to conduct an investigation into the matter.
On February 7th, Hunt was charged with several misdemeanors and gross misdemeanors, including misconduct of a public officer, unauthorized computer access, using encryption to conceal a crime and unlawful use of private data.
Several civil suits have also already been filed against Hunt. A law suit filed in January in the name of Jeffrey Ness is seeking class action status. Another class action law suit was filed in federal court on February 4th against Hunt and a number of other DNR and Department of Public Safety officials on behalf of four women seeking at least $10 million in damages. The suit alleges that Hunt violated the victims' privacy under the federal Driver's Privacy Protection Act (DPPA).
Section 2724 of DPPA provides for a civil action in federal court against "[a] person who knowingly obtains, discloses or uses personal information, from a
motor vehicle record, for a purpose not permitted under this chapter." Assuming that the plaintiffs can show that Hunt's use was for a non-permissible purpose, they would still have to prove either actual damages or "willful or reckless disregard of the law" in order to be awarded punitive damages. Showing actual damages may be difficult if Hunt only used the information for his own pleasure, which seems more likely, given that he mostly viewed and stored records and photos of women rather than indiscriminately copied information for the purpose of selling it to a third party.
On the other hand, proving the case against the other DNR and Department of Public Safety officials may turn out to be much more challenging. Although section 2721 of DPPA creates a duty for the State department of motor vehicles to not "knowingly disclose or otherwise make available" personal information, it is not clear that the civil cause of action extends to the department, except maybe for persons knowingly disclosing personal information for non-permissible purposes. By allowing Hunt practically unlimited access, did the other officials, in effect, knowingly disclose personal information to him for non-job-related uses? In practice, limiting Hunt's access may have been impractical since he needed to access the data to perform his job. Showing that not limiting his access went so far as to constitute willful or reckless disregard of the law (to get punitive damages) will probably be difficult.
No comments:
Post a Comment