Data Security & Privacy

Identity Theft – At What Point Do I Lose My Right To Sue

 
A data breach has occurred, and you received a "notification letter" in the mail from the organization that was storing your personally identifiable information. The letter states that your private information may have been exposed in the breach and that, if necessary, the organization will pay for 1 year of credit monitoring services. What happens after that? What if you received that same letter 2 years ago, but only recently discovered that your identity had been stolen as a result of the breach? Would you be able to bring a lawsuit against the organization?
 
J. Douglas Cuthbertson, an attorney with Miles & Stockbridge, P.C., of McLean, VA, wrote an article entitled "FACTA May Not Bar Later Fair Credit Suits." The article discusses the wide discrepancy in federal court rulings on how long a person has to bring a cause of action when their personal information is disclosed in an unauthorized manner. It specifically addresses the Fair Credit Reporting Act (FCRA) and its amended version, the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The amended statute requires FCRA lawsuits to be filed within 2 years after a consumer discovers a violation, or 5 years after a violation occurs, whichever is earlier. A Virginia federal court held that the statute of limitations under the FCRA would begin to run each time the credit card issuer "failed to act." This holding merely limited the number of disputes the plaintiff could bring in that case. The judge based his decision on an earlier case which found that each time an organization failed to conduct a reasonable investigation in response to a dispute, a separate violation of the FCRA occurred (thus starting the "clock" – or so goes the judge’s and plaintiff’s rationale). However, other U.S. District Courts have drawn a totally different conclusion than the Virginia federal court. The general consensus is that, under the Virginia court’s ruling, the statute of limitations would never expire and would thus be rendered a nullity, and that had that been the intention of the legislators, they would have said so.
 
The current reality, which we don’t have to accept, is that statistics show only a marginal number of individuals actually experience any sort of actual damage resulting from a major data breach. Those who do experience identity theft should be allowed to bring a cause of action in a reasonable amount of time, but finding that balance is extremely difficult. This is most likely the reason why some courts (those that disagreed with the VA court) punted the issue back to the legislative branch. Much like mesothelioma, identity theft can strike long after the actual exposure occurred, but therein lies another legal issue that most likely will be addressed in the coming years – computer trojans and viruses can be planted in a database and lie dormant for extended periods until such time as they are released to cause a data breach. Everyone would agree that trojans, worms, and viruses are bad for protecting information, but if the damage is only done once they are released, has a "violation occurred"? People storing personal information may argue this in order to push the statute of limitations back, thus possibly rendering a lawsuit void or improper.
 
