Identity Theft

Recent high-profile data breaches of online retailers, banks, government agencies, and data brokers have exposed the vast potential for damage to consumers when their personal information is illegally sold or inadvertently released into the public domain. Ironically, these breaches have occurred despite the existence of comprehensive federal and state legislative schemes aimed at safeguarding personal data.

Federal legislation passed during the past several decades has sought to protect personal information housed in both government agencies and private corporations. These statutes include the Privacy Act, Gramm-Leach-Bliley Act, Truth in Lending Act, Health Insurance Portability and Accountability Act, Drivers Privacy Protection Act, Video Privacy Protection Act, Electronic Communications Privacy Act, Cable Communications Policy Act, Telephone Consumer Protection Act, and the Fair Credit Reporting Act ('FCRA').

Yet, despite the increase in regulation and monitoring, recent statistics demonstrate that identity theft and consumer fraud continue to occur unabated. According to the Federal Trade Commission ('FTC'), identity theft complaints represented nearly 37% of the 686,683 complaints filed with the commission in 2005. Notably, identity theft complaints comprised a greater percentage of complaints in previous years. The total number of complaints, however, is steadily increasing. The FTC estimates that identity theft complaints filed with the commission have grown from 215,177 in 2003, to 246,847 in 2004, to 255,565 last year.

Furthermore, in the past decade data brokers and credit clearinghouses have spawned entirely new industries around assembling, storing, packaging, and selling the personal data of individuals. Not surprisingly, as the markets for personal data grow, so does fraud. As these companies compete to gain market share, the focus on promoting a business model with the least amount of impediments to the sale of data tends to outweigh strict compliance with state and federal privacy laws. A report from the March 2005 California Identity Theft Summit estimated that Experian's fraud unit gets between 600 and 700 new credit fraud cases per day.

Due to the rise in cases of identity theft and fraud, attorneys have attempted to enforce many of the federal privacy statutes to protect victims and redress injuries. Plaintiffs' attorneys have repeatedly looked to the FCRA to find remedies for victims of data breaches and impermissible distribution of personal data from creditors and data brokers. (The Gramm-Leach-Bliley Act does not allow private sector enforcement.) Many of these actions have sought to invoke statutory provisions calling for liquidated or statutory damages because such remedies lend themselves to class action efficiencies.

Yet, attorneys often disagree about whether proof of actual damages is necessary in order to collect liquidated or statutory damages. Relying on cases such as Doe v. Chao, 540 U.S. 614 (U.S. 2004), defense attorneys often demand that plaintiffs make a showing of actual damages as a condition precedent to recovering statutory damages under the FCRA. This interpretation overlooks the plain language of the FCRA, which clearly supports statutory damages without any showing of actual damages.

The remedies provision provided by the FCRA for a willful violation of the statute reads in relevant part:

(a) In general. Any person who willfully fails to comply with any requirement imposed under this title with respect to any consumer is liable to that consumer in an amount equal to the sum of

(1)(A) any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000; '

15 U.S.C. '1681n

A facial reading of the statute supports the proposition that penalties for a willful violation may consist of either actual damages or statutory damages. At no point in the text does it state that actual damages are a condition precedent to the recovery of statutory sums. At best, proponents of this interpretation seek to bootstrap an actual damage standard from interpretations of other federal statutory schemes. Yet, those interpretations are inapposite because they are in clear contrast to the literal words of the statute ' which differs significantly from the federal statutes that do require a showing of actual damages in order to collect statutory damages.

Defense attorneys' contrary reading of '1681n(a)(1)(A) is a sui generis reading of the statute and ignores the basic guidelines of statutory interpretation. Typically, the court's starting point when interpreting a statute is the plain language of the statute and its facial meaning. Thus, any attempt to evaluate a statute without first employing an analysis of the basic text overlooks the first step to proper statutory interpretation.

Moreover, the legislative history of the FCRA also provides important insight. In 1968, the legislature passed the FCRA as Title VI of the Consumer Credit Protection Act. The legislation was intended, in part, to 'insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy ' ' 15 U.S.C. '1681a. The drafters' intent was to create remedial legislation. See Reynolds v. Hartford Financial Services Group, Inc., 426 F.3d 1020, 1031 (9th Cir. 2005). Thus, the statute's 'consumer-oriented objectives support a liberal construction of the FCRA.' Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995).

Ten years ago, Congress amended civil penalties for wilful noncompliance with the statute to include statutory damages as an alternative to actual damages. The original text, 'any actual damages sustained by the consumer as a result of the failure,' was amended by adding 'or damages of not less than $100 and not more than $1,000.' The penalties for negligent noncompliance of the FCRA include actual damages that result from the disclosure, costs, and reasonable attorney's fees. 15 U.S.C. '1681o.

The amendment of the willful noncompliance subsection alone, without change to the negligent violation, demonstrates the legislature's intent to provide a remedy for willful violations even without a showing of actual damages. Further, the FCRA's stated purpose to promote 'accuracy and fairness' in credit reporting would only be stifled if remedies were unavailable to victims and defendants would evade punishment for their actions.

Several Circuits adopt the view that actual damages are not necessary to seek damages under the willful violation subsection 15 U.S.C. '1681n. The 2002 Trans Union decision provided that the remedies provision for a willful violation of the FCRA 'clearly and unambiguously' allows for either statutory or actual damages as a measure of compensatory damages. (See In re Trans Union Corp. Privacy Litig., 211 FRD 328, 342 (2002, ND. Ill.).

Further, courts have allowed for both punitive and statutory awards, without a showing of actual damages, as a result of a 'willful' violation of the FCRA under 15 U.S.C. '1681n. (See the Eighth Circuit in Graham v. CSC Credit Services, Inc., 306 F. Supp. 2d 873 (D. Minn. 2004)).

A comparison of other provisions of the Consumer Protection Act, including the Truth in Lending Act ('TILA'; see 15 U.S.C. '1601 et. seq.) and the Fair Debt Collections Practices Act ('FDCPA'; see 15 U.S.C. '1692 et. seq.), further sheds light on the FCRA actual damage dilemma. As companion statutes to the FCRA under the Consumer Protection Act, these statutes each set forth actual, statutory, and attorneys' fees as separate categories of possible remedies for consumers. Thus, a reading of the FCRA that is contrary to the other statutes within the Consumer Protection Act runs afoul of the legislature's intention for the Consumer Protection Act.

The TILA, as set forth in Title I of the Consumer Protection Act, regulates certain credit transactions, mandates disclosures to consumers by companies extending credit, and promotes consumer understanding of credit. Under '1640 of TILA, which sets forth damages for individual and class actions, a showing of actual damages is not necessary to collect statutory damages. Thus, statutory damages may be collected based solely upon proof of a violation of the statute. The language in the TILA is clear ' a plaintiff may collect either actual or statutory damages. Courts have long held that actual damages are not required in order to collect statutory damages. Furthermore, several courts have noted that the goal of TILA is to encourage lawsuits so that creditors comply with the Act. As a result, any necessary showing of actual damages before a plaintiff may seek statutory remedies would stifle the underlying goal of the statute and thus prevent individual consumers from protecting their rights, and allow creditors to continue with illegal practices.

Similarly, under the FDCPA, the federal government seeks to regulate the collection of consumer debts by preventing abusive practices by creditors, as well as to regulate procedures so that creditors may freely compete, and to promote consistent state enforcement of such regulation. Akin to TILA, the statute clearly sets forth damages for plaintiffs in the form of actual and statutory damages. Further, a successful plaintiff may recover costs and attorneys' fees. Unlike TILA, the FDCPA includes the words 'additional damages as the Court may allow but not exceeding $1,000 ' ' 15 U.S.C. '1692k(a)(2). The rational interpretation of these words, which courts have followed, is that these 'additional' damages include punitive and statutory damages that are to be awarded at a court's discretion. Further, the term 'additional' is meant to prevent any further punitive awards.

Doe v. Chao

When arguing in support of an actual damage standard, defense attorneys often cite the recent Supreme Court decision, Doe v. Chao, 540 U.S. 614 (U.S. 2004). In Doe, the Court interpreted the Privacy Act of 1974 to require a showing of actual damages in order to collect the statutory minimum damages. The Privacy Act regulates the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. The statutory language at issue in Doe sets forth civil penalties for the government's intentional or wilful misuse of information.

' the United States shall be liable to the individual in an amount equal to the sum of actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000. 5 U.S.C. '552a(g)(4)(A)

In the opinion by Justice David Souter, the Court affirmed the Fourth Circuit Court's holding and the government's position that actual damages were necessary. The Court described the government's contention as being supported by a 'straightforward textual analysis.' Doe v. Chao, 540 U.S. 614, 620.

Further, the Court looked to the legislative history of the Privacy Act. In its holding, the Court pointed to the legislature's act of removing language from the Senate bill that would have authorized statutory damages without an actual damage showing.

The Court's ruling has prompted counsel to advocate for an actual damage standard for a number of privacy statutes. However, this interpretation is in error because each statute must be taken alone, and a favorable analysis in Doe can't be bootstrapped to all privacy-related statutes that provide for presumed statutory damages.

James Kehoe v. Fidelity Federal Bank & Trust

This appellate decision has cast aside theories requiring actual damages to be awarded before statutory damages are collected under at least one privacy statute. Last year, the 11th Circuit Court ruled that plaintiffs in a federal class action could recover statutory damages under the Driver's Privacy Protection Act ('DPPA') (18 U.S.C. '2721 et. seq.) without a showing of actual damages. The DPPA allows states to sell names and addresses of licensed drivers to companies. The Act was later amended to require drivers' express permission in order to proceed with such sales. In a unanimous decision, the appellate court held that actual damages were not necessary in a suit against a West Palm Beach, FL, bank that plaintiffs alleged illegally acquired their drivers license data from the state of Florida.

Specifically, the remedies provision in question states, ' ' actual damages, but not less than liquidated damages in the amount of $2,500.' 18 U.S.C. '2724(b)(1). The case turned on a technical reading of the DPPA. The court found that the clause after the comma was not dependent on proof of the first clause. Kehoe v. Fidelity, WL 2043005 at *3 (11th Cir. Fla, 2004). The decision overturned the Summary Judgment order from the lower court, which held that in order to maintain their claim, plaintiffs must prove a measure of actual damage.

Similar to the appellate court, the lower court's holding came down to an interpretation of the clause 'but not less than,' and the comma preceding it. The lower court's opposite interpretation stemmed from the Supreme Court case Doe v. Chao, 540 U.S. 614 (U.S. 2004), where the Court held that actual damages were necessary to recover statutory damages under the Privacy Act.

In overturning the lower court's ruling, the appellate court invoked the reasoning of the Supreme Court in Rex Trailer Co. v. United States that upholds the awarding of statutory damages. In Rex, the Supreme Court wrote: 'liquidated damages 'serve a particularly useful function when damages are uncertain in nature or amount or are unmeasurable' [sic] ' [a]nd the fact that no damages are shown is not fatal.' Rex Trailer Co. v. United States, 350 U.S. 148, 153 (U.S. 1956), quoting Priebe & Sons v. United States, 332 U.S. 407, 411-412, (U.S. 1947).

The Kehoe decision underscores the importance of statutory damage remedies in protecting and maintaining privacy rights. The court noted: 'Damages for a violation of an individual's privacy are a quintessential example of damages that are uncertain and possibly unmeasurable [sic].' Kehoe, supra, WL 2043005 at *3. The court ' as have commentators in support of consumer privacy rights ' highlighted the importance of statutory damages as providing a 'substitute' for uncertain and immea-surable actual damages when privacy violations occur.

Liquidated and statutory damages are critical to enforcement of data privacy measures. The FTC estimates that consumer losses due to fraud exceeded $680 million last year. Given that a victim's actual damages are often uncertain and immeasurable at the time of suit, statutory damage provisions (in the absence of actual damages) are critical because they help to ensure enforcement of data privacy laws, prevent similar offenses, and ensure remedies for aggrieved parties.

The uncertainty of damages is evidenced by the time it takes to become a victim of identity theft or fraud. The life cycle of privacy violations can be difficult to pin down because data released by a breach may not be used for months or years after the initial violation. One law enforcement agency estimates that it takes a person at least 18 months to find out that he or she is a victim of fraud or identity theft. Statutory damages provide relief to an aggrieved plaintiff at the time of violation, and with varying time delays in becoming a victim of fraud or identity theft, the statutory sums may be the only remedy available.

Conclusion

Statutory analysis of the FCRA provides a straightforward resolution to the actual damage debate. It only takes a reading of the facial language of the act to determine that an award of statutory damages is not dependent on a prior showing of actual damages. In addition, as part of the Consumer Protection Act, the FCRA must be read in light of other statutes ' many of which also call for awards of statutory damages, without a showing of actual damages.

Matthew Righetti is a partner at Righetti Law Firm, P.C., in San Francisco. The firm has litigated numerous national cases involving FCRA issues and other theories alleging violations of state and federal privacy statutes. He can be reached at [email protected].

Recent high-profile data breaches of online retailers, banks, government agencies, and data brokers have exposed the vast potential for damage to consumers when their personal information is illegally sold or inadvertently released into the public domain. Ironically, these breaches have occurred despite the existence of comprehensive federal and state legislative schemes aimed at safeguarding personal data.

Federal legislation passed during the past several decades has sought to protect personal information housed in both government agencies and private corporations. These statutes include the Privacy Act, Gramm-Leach-Bliley Act, Truth in Lending Act, Health Insurance Portability and Accountability Act, Drivers Privacy Protection Act, Video Privacy Protection Act, Electronic Communications Privacy Act, Cable Communications Policy Act, Telephone Consumer Protection Act, and the Fair Credit Reporting Act ('FCRA').

Yet, despite the increase in regulation and monitoring, recent statistics demonstrate that identity theft and consumer fraud continue to occur unabated. According to the Federal Trade Commission ('FTC'), identity theft complaints represented nearly 37% of the 686,683 complaints filed with the commission in 2005. Notably, identity theft complaints comprised a greater percentage of complaints in previous years. The total number of complaints, however, is steadily increasing. The FTC estimates that identity theft complaints filed with the commission have grown from 215,177 in 2003, to 246,847 in 2004, to 255,565 last year.

Furthermore, in the past decade data brokers and credit clearinghouses have spawned entirely new industries around assembling, storing, packaging, and selling the personal data of individuals. Not surprisingly, as the markets for personal data grow, so does fraud. As these companies compete to gain market share, the focus on promoting a business model with the least amount of impediments to the sale of data tends to outweigh strict compliance with state and federal privacy laws. A report from the March 2005 California Identity Theft Summit estimated that Experian's fraud unit gets between 600 and 700 new credit fraud cases per day.

Due to the rise in cases of identity theft and fraud, attorneys have attempted to enforce many of the federal privacy statutes to protect victims and redress injuries. Plaintiffs' attorneys have repeatedly looked to the FCRA to find remedies for victims of data breaches and impermissible distribution of personal data from creditors and data brokers. (The Gramm-Leach-Bliley Act does not allow private sector enforcement.) Many of these actions have sought to invoke statutory provisions calling for liquidated or statutory damages because such remedies lend themselves to class action efficiencies.

Yet, attorneys often disagree about whether proof of actual damages is necessary in order to collect liquidated or statutory damages. Relying on cases such as Doe v. Chao, 540 U.S. 614 (U.S. 2004), defense attorneys often demand that plaintiffs make a showing of actual damages as a condition precedent to recovering statutory damages under the FCRA. This interpretation overlooks the plain language of the FCRA, which clearly supports statutory damages without any showing of actual damages.

The remedies provision provided by the FCRA for a willful violation of the statute reads in relevant part:

(a) In general. Any person who willfully fails to comply with any requirement imposed under this title with respect to any consumer is liable to that consumer in an amount equal to the sum of

(1)(A) any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000; '

15 U.S.C. '1681n

A facial reading of the statute supports the proposition that penalties for a willful violation may consist of either actual damages or statutory damages. At no point in the text does it state that actual damages are a condition precedent to the recovery of statutory sums. At best, proponents of this interpretation seek to bootstrap an actual damage standard from interpretations of other federal statutory schemes. Yet, those interpretations are inapposite because they are in clear contrast to the literal words of the statute ' which differs significantly from the federal statutes that do require a showing of actual damages in order to collect statutory damages.

Defense attorneys' contrary reading of '1681n(a)(1)(A) is a sui generis reading of the statute and ignores the basic guidelines of statutory interpretation. Typically, the court's starting point when interpreting a statute is the plain language of the statute and its facial meaning. Thus, any attempt to evaluate a statute without first employing an analysis of the basic text overlooks the first step to proper statutory interpretation.

Moreover, the legislative history of the FCRA also provides important insight. In 1968, the legislature passed the FCRA as Title VI of the Consumer Credit Protection Act. The legislation was intended, in part, to 'insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy ' ' 15 U.S.C. '1681a. The drafters' intent was to create remedial legislation. See Reynolds v. Hartford Financial Services Group, Inc., 426 F.3d 1020, 1031 (9th Cir. 2005). Thus, the statute's 'consumer-oriented objectives support a liberal construction of the FCRA.' Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995).

Ten years ago, Congress amended civil penalties for wilful noncompliance with the statute to include statutory damages as an alternative to actual damages. The original text, 'any actual damages sustained by the consumer as a result of the failure,' was amended by adding 'or damages of not less than $100 and not more than $1,000.' The penalties for negligent noncompliance of the FCRA include actual damages that result from the disclosure, costs, and reasonable attorney's fees. 15 U.S.C. '1681o.

The amendment of the willful noncompliance subsection alone, without change to the negligent violation, demonstrates the legislature's intent to provide a remedy for willful violations even without a showing of actual damages. Further, the FCRA's stated purpose to promote 'accuracy and fairness' in credit reporting would only be stifled if remedies were unavailable to victims and defendants would evade punishment for their actions.

Several Circuits adopt the view that actual damages are not necessary to seek damages under the willful violation subsection 15 U.S.C. '1681n. The 2002 Trans Union decision provided that the remedies provision for a willful violation of the FCRA 'clearly and unambiguously' allows for either statutory or actual damages as a measure of compensatory damages. (See In re Trans Union Corp. Privacy Litig., 211 FRD 328, 342 (2002, ND. Ill.).

Further, courts have allowed for both punitive and statutory awards, without a showing of actual damages, as a result of a 'willful' violation of the FCRA under 15 U.S.C. '1681n. ( See the Eighth Circuit in Graham v. CSC Credit Services, Inc. , 306 F. Supp. 2d 873 (D. Minn. 2004)).

A comparison of other provisions of the Consumer Protection Act, including the Truth in Lending Act ('TILA'; see 15 U.S.C. '1601 et. seq.) and the Fair Debt Collections Practices Act ('FDCPA'; see 15 U.S.C. '1692 et. seq.), further sheds light on the FCRA actual damage dilemma. As companion statutes to the FCRA under the Consumer Protection Act, these statutes each set forth actual, statutory, and attorneys' fees as separate categories of possible remedies for consumers. Thus, a reading of the FCRA that is contrary to the other statutes within the Consumer Protection Act runs afoul of the legislature's intention for the Consumer Protection Act.

The TILA, as set forth in Title I of the Consumer Protection Act, regulates certain credit transactions, mandates disclosures to consumers by companies extending credit, and promotes consumer understanding of credit. Under '1640 of TILA, which sets forth damages for individual and class actions, a showing of actual damages is not necessary to collect statutory damages. Thus, statutory damages may be collected based solely upon proof of a violation of the statute. The language in the TILA is clear ' a plaintiff may collect either actual or statutory damages. Courts have long held that actual damages are not required in order to collect statutory damages. Furthermore, several courts have noted that the goal of TILA is to encourage lawsuits so that creditors comply with the Act. As a result, any necessary showing of actual damages before a plaintiff may seek statutory remedies would stifle the underlying goal of the statute and thus prevent individual consumers from protecting their rights, and allow creditors to continue with illegal practices.

Similarly, under the FDCPA, the federal government seeks to regulate the collection of consumer debts by preventing abusive practices by creditors, as well as to regulate procedures so that creditors may freely compete, and to promote consistent state enforcement of such regulation. Akin to TILA, the statute clearly sets forth damages for plaintiffs in the form of actual and statutory damages. Further, a successful plaintiff may recover costs and attorneys' fees. Unlike TILA, the FDCPA includes the words 'additional damages as the Court may allow but not exceeding $1,000 ' ' 15 U.S.C. '1692k(a)(2). The rational interpretation of these words, which courts have followed, is that these 'additional' damages include punitive and statutory damages that are to be awarded at a court's discretion. Further, the term 'additional' is meant to prevent any further punitive awards.

Doe v. Chao

When arguing in support of an actual damage standard, defense attorneys often cite the recent Supreme Court decision, Doe v. Chao, 540 U.S. 614 (U.S. 2004). In Doe, the Court interpreted the Privacy Act of 1974 to require a showing of actual damages in order to collect the statutory minimum damages. The Privacy Act regulates the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. The statutory language at issue in Doe sets forth civil penalties for the government's intentional or wilful misuse of information.

' the United States shall be liable to the individual in an amount equal to the sum of actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000. 5 U.S.C. '552a(g)(4)(A)

In the opinion by Justice David Souter, the Court affirmed the Fourth Circuit Court's holding and the government's position that actual damages were necessary. The Court described the government's contention as being supported by a 'straightforward textual analysis.' Doe v. Chao, 540 U.S. 614, 620.

Further, the Court looked to the legislative history of the Privacy Act. In its holding, the Court pointed to the legislature's act of removing language from the Senate bill that would have authorized statutory damages without an actual damage showing.

The Court's ruling has prompted counsel to advocate for an actual damage standard for a number of privacy statutes. However, this interpretation is in error because each statute must be taken alone, and a favorable analysis in Doe can't be bootstrapped to all privacy-related statutes that provide for presumed statutory damages.

James Kehoe v. Fidelity Federal Bank & Trust

This appellate decision has cast aside theories requiring actual damages to be awarded before statutory damages are collected under at least one privacy statute. Last year, the 11th Circuit Court ruled that plaintiffs in a federal class action could recover statutory damages under the Driver's Privacy Protection Act ('DPPA') (18 U.S.C. '2721 et. seq.) without a showing of actual damages. The DPPA allows states to sell names and addresses of licensed drivers to companies. The Act was later amended to require drivers' express permission in order to proceed with such sales. In a unanimous decision, the appellate court held that actual damages were not necessary in a suit against a West Palm Beach, FL, bank that plaintiffs alleged illegally acquired their drivers license data from the state of Florida.

Specifically, the remedies provision in question states, ' ' actual damages, but not less than liquidated damages in the amount of $2,500.' 18 U.S.C. '2724(b)(1). The case turned on a technical reading of the DPPA. The court found that the clause after the comma was not dependent on proof of the first clause. Kehoe v. Fidelity, WL 2043005 at *3 (11th Cir. Fla, 2004). The decision overturned the Summary Judgment order from the lower court, which held that in order to maintain their claim, plaintiffs must prove a measure of actual damage.

Similar to the appellate court, the lower court's holding came down to an interpretation of the clause 'but not less than,' and the comma preceding it. The lower court's opposite interpretation stemmed from the Supreme Court case Doe v. Chao , 540 U.S. 614 (U.S. 2004), where the Court held that actual damages were necessary to recover statutory damages under the Privacy Act.

In overturning the lower court's ruling, the appellate court invoked the reasoning of the Supreme Court in Rex Trailer Co. v. United States that upholds the awarding of statutory damages. In Rex, the Supreme Court wrote: 'liquidated damages 'serve a particularly useful function when damages are uncertain in nature or amount or are unmeasurable' [sic] ' [a]nd the fact that no damages are shown is not fatal.' Rex Trailer Co. v. United States , 350 U.S. 148, 153 (U.S. 1956), quoting Priebe & Sons v. United States, 332 U.S. 407, 411-412, (U.S. 1947).

The Kehoe decision underscores the importance of statutory damage remedies in protecting and maintaining privacy rights. The court noted: 'Damages for a violation of an individual's privacy are a quintessential example of damages that are uncertain and possibly unmeasurable [sic].' Kehoe, supra, WL 2043005 at *3. The court ' as have commentators in support of consumer privacy rights ' highlighted the importance of statutory damages as providing a 'substitute' for uncertain and immea-surable actual damages when privacy violations occur.

Liquidated and statutory damages are critical to enforcement of data privacy measures. The FTC estimates that consumer losses due to fraud exceeded $680 million last year. Given that a victim's actual damages are often uncertain and immeasurable at the time of suit, statutory damage provisions (in the absence of actual damages) are critical because they help to ensure enforcement of data privacy laws, prevent similar offenses, and ensure remedies for aggrieved parties.

The uncertainty of damages is evidenced by the time it takes to become a victim of identity theft or fraud. The life cycle of privacy violations can be difficult to pin down because data released by a breach may not be used for months or years after the initial violation. One law enforcement agency estimates that it takes a person at least 18 months to find out that he or she is a victim of fraud or identity theft. Statutory damages provide relief to an aggrieved plaintiff at the time of violation, and with varying time delays in becoming a victim of fraud or identity theft, the statutory sums may be the only remedy available.

Conclusion

Statutory analysis of the FCRA provides a straightforward resolution to the actual damage debate. It only takes a reading of the facial language of the act to determine that an award of statutory damages is not dependent on a prior showing of actual damages. In addition, as part of the Consumer Protection Act, the FCRA must be read in light of other statutes ' many of which also call for awards of statutory damages, without a showing of actual damages.

Matthew Righetti is a partner at Righetti Law Firm, P.C., in San Francisco. The firm has litigated numerous national cases involving FCRA issues and other theories alleging violations of state and federal privacy statutes. He can be reached at [email protected].