Amy Boyer — stalker bought her workplace address from a data broker (New Hampshire, 1999)
Amy Boyer, 20, was shot and killed outside her dental-office workplace by a man who had stalked her since high school. He bought her Social Security number, date of birth, and workplace address from the data broker Docusearch. The broker obtained the workplace address by pretexting — calling Boyer at home and lying about who they were. The case produced the first US state supreme court ruling that data brokers owe a duty of care to the people whose information they sell.
What happened
On October 15, 1999, Liam Youens drove to the dental office in Nashua, New Hampshire, where 20-year-old Amy Boyer worked. He waited in the parking lot. When Boyer left work that afternoon, Youens shot her several times, then killed himself in the same vehicle. Boyer had no idea who Youens was. The two had attended the same high school years earlier and exchanged a handful of words. Youens had spent the intervening years building a fixation on her and maintaining a public website that documented his stalking and his plan to murder her. To find her, Youens paid the data broker Docusearch. He bought her date of birth, her Social Security number, and ultimately her workplace address. Docusearch obtained the workplace address through a technique called pretexting: a Docusearch subcontractor called Boyer at home, posed as someone else, and lied to her about the reason for the call until she disclosed where she worked. In Remsburg v. Docusearch (NH 2003), the New Hampshire Supreme Court ruled that data brokers owe a legal duty of reasonable care to the subjects of the data they sell, that selling a Social Security number without consent can constitute an invasion of privacy, and that pretext calling violates state consumer protection law. The Boyer case is widely cited as the first US case to recognize broker liability for downstream harm.
What happened
On October 15, 1999, Amy Boyer left her job at a dental office in Nashua, New Hampshire. She was 20 years old. In the parking lot, a man named Liam Youens shot her multiple times in her car, then turned the gun on himself.
Boyer did not know Youens. They had attended the same high school years earlier and exchanged barely any words. Youens, in the years since, had built a fixation on her — and kept a public website documenting his obsession and his plan to kill her. The site had been up for years.
How it started
Youens did not know where Boyer lived or worked. He paid the data broker Docusearch to find out. Over a series of purchases, he obtained her date of birth, her Social Security number, and the address of her workplace.
The workplace address was the operational piece. To get it, a Docusearch subcontractor called Boyer at home, posed as someone else, and used a lie to extract the answer from her — a technique known as pretexting. The address went to Youens. The next stop was the parking lot.
Why this case still matters
In Remsburg v. Docusearch (2003), the New Hampshire Supreme Court ruled that a data broker owes a legal duty of reasonable care to the people whose information it sells, that selling a Social Security number without the subject's consent can constitute an invasion of privacy, and that pretext calling violates state consumer protection law. It is widely cited as the first US case to recognize broker liability for downstream harm.
The ruling did not end the broker business. The pretexting technique is now restricted under federal law for some categories of information, but the rest of the business model — name in, home address and relatives and workplace and phone number out, for a small fee — is still how the people-search page works today.
What this means for you
For sworn officers, judges, prosecutors, nurses, and anyone whose job creates people who don't let it go: the broker page about you is the modern version of what Youens bought from Docusearch. The address-by-name lookup is the same lookup. The price is lower. The pretexting step is rarely needed because the public-records aggregation has gotten so good that the home address comes back without any phone calls at all.
Daniel's Law — the NJ state statute that lets covered officers, judges, and prosecutors sue data brokers when they fail to remove a home address — and the federal Lieu Act for federal judges let covered persons sue brokers themselves. Running those demands — and re-running them when the address re-lists — is what makes the law deliver.
For more on the stalking threat shape, see /laws/daniels-law.
Editorial rules: Only public, already-reported incidents. Never name a non-public victim. Always end with the prevention takeaway tied to our service. Cite at minimum one public source per claim.
What would have prevented this
The pretexting step is rarely needed today. The aggregation got better. Name in, home address out — same business, lower price, no phone call required.
Public sources
- An Online Tragedy — CBS News, 2000-02-25
- Docusearch — Wikipedia, 2026-04-01
- EPIC Amicus in Remsburg v. Docusearch (Amy Boyer Case) — Electronic Privacy Information Center, 2003-01-01
- Privacy in a Cyber World — University of New Hampshire Magazine, 2004-01-01