I spent the early part of the week in “The City” attending a conference. New York City is “the” city, isn’t it? I mean the New Yorkers think it is and after trying to navigate Penn Station at rush hour, on crutches, carrying luggage; ya, it’s THE city, it’s crowded, hot, and annoying – a real city. But I digress…
[su_note note_color=”#eaeae9″]Here’s the Big One: 4.9 million records are missing from a facility in Texas. Apparently, some backup tapes containing medical information on patients who received treatment as far back as 1992 has gone missing. The patients are apparently all current or retired military who received care at military facilities in San Antonio. Reuters is reporting that the tapes were stolen along with other items from an employee’s car. [/su_note]
Here’s the Big Question: Will the information ever resurface or be found?
There have been millions upon millions of people’s information lost or stolen this year. This happened last year, the year before that and before that, etc. Some of it does surface, but we don’t hear about those stories too often, do we?
According to various sources, including a report earlier this year by Javelin Strategy & Research (as reported by the Washington Post), over eight million Americans were the victim of identity theft last year. That’s on top of about eleven million cases of identity theft the year before.
OK, millions of records lost or stolen and millions of cases of identity theft. Are they connected?
The answer is not that simple. There is an on going trend of lawyers filing class action lawsuits on behalf of those people whose information was lost or stolen. The defendants in those suits, Sony for example, ask the question (legally) of the victims: “how were you harmed?” The courts have to find that the “victim” have standing in court in order to allow the lawsuit to proceed forward, so they ask the victims: “tell me, how were you harmed?” You see “harm” is required in order for the plaintiff to have “standing.” The answer given almost every time is: “I am afraid of becoming a victim of identity theft.” Well, sorry Charlie, (remember Charlie the tuna?) that fear is not a cognizable harm, so this lawsuit it over.
The funny thing about identity theft is that once it starts to happen, all the effort is to stop it and then undue the harm done to the unwitting victim. What about figuring out the source of the problem? How did the information to commit identity theft become available to the bad guys, who are the bad guys and how did they get the information?
Figuring out what is called the “point of compromise” can be an extreme challenge for law enforcement. They are not usually concerned with how the bad guy got the information, just that he/she used it, illegally. With resources being what they are, local law enforcement tries to simply solve the crime, not solve all society’s issues. They figure out who used the information and then charge him/her. Figuring out how they got the information in the first place is just not really in the budget.
I have had some experience at the Federal law enforcement level, which has significantly more resources. One experience involved an employee at a restaurant who was carrying a “skimmer” to work and when you paid your bill with a credit card it was also being run through the skimmer. Once the number was in the skimmer, the device was brought back to a location which was equipped with a card encoder. Basically, they were able to make duplicate copies of all the credit cards. Not great copies, but useful enough to steal money fairly easily.
Just figuring out that particular point of compromise was a challenge. First the victims had to report the crimes and if they live in different jurisdictions, the connection among the victims can be difficult to establish. Then realilzing that they all ate at the same restaurant on the same day… it just doesnt’ happen. In the above scenario, many of the victims used the same bank so the bank noticed that the common link between the fraud reports and their expenditures just prior to the fraud. “Hey, look at this, these people all ate at the same restaurant on the same day…” Viola!!
So I get a notification in the mail saying that my information was lost… I contact a lawyer and become part of a class action lawsuit. All the “victims” of the data breach want their day in court, so the lawsuit gets filed. This all happens in the immediate aftermath of the breach. No one’s identity has been used, however, so none of the “victims” have lost any money or otherwise been harmed (other than the hassle factor). Lawsuit over.
Fast forward 4 years and all of a sudden you get a notice in the mail from a debt collection agency looking for $4,250.00 from unpaid credit card debt… You have just become the victim of identity theft.
The statute of limitations on bringing suit vary by jurisdiction and by allegation. Some are as short as one year. So if you didn’t sue the offending party within one year, you cannot sue, period.
Now, for you lawyers reading this…sure, we can debate when the clock starting running. Did the statute of limitations time start running at the moment the breach notifcation went out? Or did it start to run once the “victim” realized that they had actually become the victim of identity theft. But here’s the thing, it doesn’t matter unless you can get to the heart of the matter: WHERE DID THE BAD GUY GET THE INFORMATION? Which breach? When?
Because in the end, if you don’t know where the bad guy got the information, who are you going to sue?