Mounting data-privacy lawsuits threaten to swamp governments

Blame it on Anne Marie Rasmusson.

In 2012, the former St. Paul cop filed a lawsuit in U.S. District Court seeking damages for more than 400 instances where law enforcement officials looked up her driver’s license records without justification. That case has resulted in more than $1 million worth of settlements with local governments, including nearly $800,000 from the cities of St. Paul and Minneapolis.

But the more significant fallout from Rasmusson’s litigation has been a deluge of lawsuits alleging similar breaches of privacy by public officials. Seemingly every day, a new lawsuit drops accusing cops and other government employees of violating federal law by accessing driver’s license records without justification. A few high-profile examples:

• In February, a class-action lawsuit was filed on behalf of 5,000 individuals whose data was accessed by an employee at the Minnesota Department of Nature Resources (DNR). The employee was fired and faces criminal charges for more than 11,000 unauthorized lookups.

• Last week, Rep. Steve Drazkowski, R-Mazeppa, was among 18 plaintiffs in a lawsuit accusing public officials of looking up their private data without justification on more than 600 occasions over the last decade. The group of conservative activists alleges that the snooping was in retaliation for their political activities.

• Earlier this week, local news anchor Jessica Miles filed a lawsuit seeking damages for more than 1,300 instances when her driver’s license data was accessed. Her husband, Cory Krampschroer, is also a plaintiff in the lawsuit, alleging 92 illegal lookups. More than 100 defendants – almost all government entities – are named in the complaint.

On Wednesday, Gov. Mark Dayton expressed grave concern about the potential for damages in such cases. “It’s potentially hundreds of millions of dollars [in government liabilities],” Dayton said. He added that it will ultimately be up to a jury or judge to decide the extent of the damages, “but given the number of… individuals whose information and privacy has been violated, it’s pretty significant.”

Rasmusson case inspires copycat litigation

At issue is the federal Driver’s Privacy Protection Act (DPPA), which has been on the books for two decades and provides for a fine of at least $2,500 for each violation. In Minnesota the driver’s license database is maintained by the Minnesota Department of Public Safety (DPS). The records can include medical information and driver’s license photos dating back to when a person was first issued a license.

The federal law received little attention until the Rasmusson case highlighted potential abuses. Since then there’s been a deluge of requests by individuals seeking audits of their driver’s license files.  So far this year, roughly 700 individuals have made such a request, according to DPS.

Many of the lawsuits are being brought by Sapientia Law Group, the Minneapolis-based firm that handled the Rasmusson case. Larry Fett, an attorney with the firm, compares the effect of the Rasmusson case to learning that there’s a peeping tom in your neighborhood.

“You would be more apt to look outside your windows at night to see if somebody was peeking in your window,” Fett said, in explaining the rash of legal filings. “You’re much more likely to be sensitized to that issue. That has had a lot to do with it.”

Erick Kaardal, the attorney handling the lawsuit filed by Drazkowski and 17 other plaintiffs, credits the Rasmusson case with creating the template for other claims. “What’s unique in our case is the collective action and political retaliation,” Kaardal said. “They were trying to dig up dirt on my clients.”

It’s difficult to determine the exact number of lawsuits pending. That’s because they involve various government entities and the landscape is changing daily.

Thomas Grundhoefer, general counsel for the League of Minnesota Cities, which provides liability coverage for most municipalities in the state, says that as of this week they were handling at least a dozen lawsuits, with many more in the pipeline.

“It literally has been changing daily,” Grundhoefer said. “There are just numerous, numerous claims that have come in.”

The Minnesota Counties Intergovernmental Trust (MCIT) plays a similar role for counties, providing liability coverage for 81 out of 87 counties in the state. As of this week, MCIT had received 239 claims of illegal data searches. So far that’s resulted in 13 lawsuits.

According to Robin Sykes, executive director of MCIT, the surge in litigation is raising concerns about whether they’ll need to increase the premiums that counties pay for coverage. “MCIT is aggressively defending these claims,” Sykes wrote in an email to Capitol Report. “There are several outstanding legal issues pending before the courts. We are hopeful we will have rulings before the end of the year that will significantly reduce the number of claims and the financial burden on taxpayers.”

Hennepin County, which handles its own litigation, has so far been named in eight lawsuits alleging improper data lookups. Another 17 claims have been filed with the county that could result in litigation. The allegations involve a total of 101 alleged privacy violations, but all but 13 of those lookups are more than four years old.

Hennepin County Attorney Mike Freeman says his office will seek to have the others thrown out on the grounds that they are beyond the statute of limitations. “We all care about our privacy and we don’t like having people play with it,” Freeman said. “Now the question is, where’s the harm and who has been harmed and how have they been harmed? That is very much in question.”

Minneapolis, which also handles its own litigation, is currently facing nine lawsuits. In addition, the city has received 23 notices of claim that could eventually result in lawsuits.

Changes in state law considered 

While the federal law is at issue in the litigation, it’s also spurring discussion of possible changes to state law. Rep. Steve Simon, DFL-Hopkins, who chairs the House Data Practices Subcommittee, suggests that enhanced penalties – criminal or civil – should be considered for individuals who engage in misconduct. He thinks that adding training requirements for individuals who have access to the driver’s license database could be useful. But Simon also points to the rogue DNR employee as evidence that laws can only go so far in protecting data.

“At some point, we’re all at the mercy of individuals exercising their judgment,” Simon said. “They could pass through all the screens and filter and still choose to do a bad thing.”

Drazkowski is also interested in exploring whether changes to state law would help remedy the situation. He suggests that greater transparency about who is accessing data and harsher penalties for scofflaws should be looked at.

“Government needs to follow the law too, and obviously here they have not been,” Drazkowski said.

The rash of lawsuits is likely to afflict the state and local governments for years to come. But it’s also raised much greater awareness about the perils of accessing private data without justification. According to Grundhoefer, the League of Minnesota Cities has already provided training on the proper use of the driver’s license database to roughly 2,800 law enforcement personnel across the state.

“This is absolutely high on everybody’s radar screen,” Grundhoefer said. “The problem is we’re trying to work through all these old claims.”

Kenn Fukuda, another attorney with the Sapientia Law Group who has handled data privacy cases, insists that the firm would be happy to see the need for litigation go away. “If we do our job well, we’re going to put ourselves out of work,” Fukuda said. “My hope is that these cases dry up soon, because this is a pretty substantial breach of our privacy.”