Rock County driver-data snooping settlement: $2 million

[Lee J <lee () riskbasedsecurity com>]

http://www.startribune.com/local/west/226395981.html

An insurance trust representing Minnesota counties has agreed to pay $2
million to settle a potential class action lawsuit over driver’s license
data snooping.

The proposed settlement, presented Thursday in federal court, is the
largest payout so far over misuse of driver’s license files — which has
spurred a raft of lawsuits in recent months. The impact on taxpayers will
likely be felt through governments paying higher insurance premiums to the
Minnesota Counties Insurance Trust, which provides liability coverage to
all but the state’s largest counties.

The only other major driver’s license snooping case that reached a
settlement was brought by former police officer Anne Marie Rasmusson, who
won more than $1 million in damages from local governments after alleging
her data and photo had been routinely viewed.

Thursday’s case involved a child support officer in Rock County, Janet
Patten, who allegedly made more than 4,000 photo queries of the Driver and
Vehicle Services (DVS) database in 2010 and 2011. Patten was fired and
several law firms sued on behalf of about 3,000 people who received data
breach letters.

“She looked up friends and neighbors and co-workers and workers in other
counties,” Rock County Administrator Kyle Oldre said last year. “It was
just people she knew. And she spent a ton of time doing it.”

A criminal investigation did not turn up any nefarious intent.

The DVS database, which is protected by federal law against misuse,
contains photographs, addresses and driving records on Minnesotans with a
license. A state audit last year found that it was being routinely abused
by law enforcement and other public employees.

Plaintiffs in the case are attempting to certify it as a class action,
which would cover anyone who Patten illegitimately looked up during the
specified time period. The targets of illegitimate lookups will receive a
share of the money “based on the number of times they were illegitimately
searched.”

The named plaintiffs who initially brought the suit would receive an
“incentive payment” of $500 each. The complete settlement must still be
approved by a federal judge.

The implications for other DVS cases are murky. The Patten suit was the
largest case brought against the counties insurance trust, whose members
have been named in 44 claims, and one of only two seeking class action
status.

Robyn Sykes, executive director of the counties insurance trust, said the
size of the case influenced their decision. “We talked about the facts of
the case, the size of the class; all of those kinds of things I think kind
of played into the issue of settling this one,” said Sykes, who could only
remember one other settlement of $2 million since the mid-1990s.

Rock County, one of Minnesota’s smallest counties, will pay a deductible as
a result of the settlement, but “everybody’s going to feel a little of the
tremor of this particular case and all the other [DVS] claims,” Sykes said.

Last month, a judge dismissed another major class action DVS claim against
the state, ruling that state officials could not be held liable for the
actions of one employee.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.