Toni FOUDY, Shaun Foudy, Plaintiff–Appellants, v. MIAMI–DADE COUNTY, FLORIDA, Defendant–Appellee.
Toni and Shaun Foudy (the “Foudys”) appeal the district court's dismissal of their Driver's Privacy Protection Act, 18 U.S.C. §§ 2721–2725 (“DPPA”) claims. The district court dismissed the Foudys' DPPA claims as time barred under the applicable statute of limitations, 28 U.S.C. § 1658(a). The Foudys argue that their claims were not barred and the district court erred by not applying the discovery rule to § 1658(a). Whether the statute of limitations in § 1658(a) accrues when the alleged DPPA violation occurs or at the time of discovery is a question of first impression in this circuit. After reviewing the briefs and having the benefit of oral argument, we conclude that the district court correctly applied the occurrence rule to § 1658(a) and affirm the district court's judgment of dismissal.
The Florida Department of Highway Safety and Motor Vehicles (“DHSMV”) maintains the Driver and Vehicle Information Database (“DAVID”). DAVID contains personal information including, but not limited to, a driver's photograph, social security number, date of birth, state of birth, detailed vehicle registration information and description, prior and current home and mailing addresses, driving record, insurance carrier, and emergency contact information. Florida law enforcement personnel have access to DAVID, but are admonished at the login page that authorized personnel may only access the system for official business. The Foudys supplied their personal information to DHSMV for driver's license purposes, including their social security numbers, photographs, dates of birth, states of birth, prior and current mailing addresses, weights, heights, and eye colors. This information was stored and managed in DAVID.
Toni Foudy graduated from the Indian River police academy in 2005 and worked as a deputy in the St. Lucie and Indian River County Sheriff's Departments until her termination in 2011. During her time as a deputy, Toni alleged that she was treated differently from her male counterparts, and that she and her husband, Shaun, were harassed by law enforcement agents. Starting in July 2005, various Florida law enforcement officers accessed the Foudys' private personal information on the DAVID system. The Foudys claim that these officers accessed their personal information for malicious and vindictive reasons, such as resentment of Toni as a woman in law enforcement, interest in Toni because of her physical attractiveness, and confirmation of rumors and gossip about Toni. Relevant to the instant action, the Foudys provided evidence that Edna Almeida Rice, a Miami–Dade County employee, accessed Toni's personal information on January 10, 2008, and Shaun's personal information on May 26, 2005.
The Foudys were unaware that their personal information was being accessed until Toni Foudy requested her St. Lucie and Indian River County DAVID record from the DHSMV in 2011 and obtained a statewide DAVID audit in 2013. The records revealed over five-hundred accesses of her personal information by law enforcement personnel.
B. Procedural History
On December 31, 2012, the Foudys filed their initial lawsuit alleging DPPA violations against several cities and counties, various entity Does, Florida Department of Law Enforcement Does, Department of Highway Safety and Motor Vehicles Does, and present and former Commissioners of each of these departments. Appellee, Miami–Dade County (“Miami–Dade”), was not named as a defendant in this initial omnibus suit. The district court entered an order severing the Foudys' claims and dismissing without prejudice all defendants except the St. Lucie County Sheriff's Department. The district court ordered the Foudys to file separate actions against any defendant or group of defendants by August 15, 2014, noting that any newly filed actions would be “considered a continuation of [the] original action for statute of limitations purposes.”
The Foudys subsequently filed thirteen separate actions, including the instant action, filed on August 15, 2014. The Foudys restated claims for DPPA violations against Miami–Dade, Edna Almeida Rice, and John and Jane Does. The district court dismissed Edna Almeida Rice and the Jane and John Doe defendants. The only remaining defendant, Miami–Dade, filed a motion to dismiss based on the expiration of the statute of limitations. The district court agreed that the statute of limitations had expired, and dismissed the case with prejudice on April 21, 2015. The Foudys then perfected this appeal.
II. STANDARD OF REVIEW
“We review the district court's interpretation and application of statutes of limitations de novo.” Ctr. for Biological Diversity v. Hamilton, 453 F.3d 1331, 1334 (11th Cir.2006) (citations omitted).
The DPPA regulates the dissemination of personal information used by states' motor vehicle departments (“DMVs”). Reno v. Condon, 528 U.S. 141, 143, 120 S.Ct. 666, 668, 145 L.Ed.2d 587 (2000). Personal information is defined in the statute as “information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5–digit zip code), telephone number, and medical or disability information.” 18 U.S.C. § 2725(3). The DPPA prohibits state DMVs and their employees from knowingly disclosing or making available personal information contained in a motor vehicle record, unless for an exception listed within the statute. See id. § 2721(a)-(b); Reno, 528 U.S. at 144–45, 120 S.Ct. at 669. The statute also creates a cause of action for an individual whose personal information has been knowingly obtained, disclosed, or used “for a purpose not permitted.” 18 U.S.C. § 2724(a).
The DPPA does not contain its own statute of limitations. Thus, the catch-all statute of limitations in 28 U.S.C. § 1658(a) applies. Section 1658(a) provides that “[e]xcept as otherwise provided by law, a civil action arising under an Act of Congress enacted after the date of the enactment of this section may not be commenced later than 4 years after the cause of action accrues.” The subsection that follows, added as part of the Sarbanes–Oxley Act, provides that “[n]otwithstanding subsection (a), a private right of action that involves a claim of [securities] fraud, deceit, manipulation, or contrivance ․ may be brought not later than the earlier of ․ 2 years after the discovery ․ [or] 5 years after such violation.” § 1658(b); see Sarbanes–Oxley Act of 2002, Pub.L. No. 107–204, § 804(a), 116 Stat. 745, 801 (2002).
The parties agree that § 1658(a) is applicable to the Foudys' DPPA claim, but dispute the interpretation of the word “accrues” in § 1658(a). The Foudys argue that the district court should have applied the discovery rule to find that their DPPA claim accrued when the Foudys discovered the alleged violations. Miami–Dade argues that the district court properly found that the claims accrued when the alleged violation occurred.
Whether the statute of limitations in § 1658(a) for a DPPA claim accrues at the time the violation occurred or at the time of discovery is a question of first impression in this circuit. The Eighth Circuit recently decided the issue, finding that a DPPA claim accrues under § 1658(a) when the violation occurs. McDonough v. Anoka Cnty., 799 F.3d 931 (8th Cir.2015). We agree, and adopt the Eighth Circuit's well-reasoned analysis and conclusion. See id. at 940–43.
The majority of the Foudys' arguments1 for application of the discovery rule in this case are discussed and disposed of by McDonough 's thorough analysis of the United States Supreme Court decisions in TRW and Gabelli. See generally Gabelli v. S.E.C., 568 U.S. ––––, 133 S.Ct. 1216, 185 L.Ed.2d 297 (2013); TRW Inc. v. Andrews, 534 U.S. 19, 122 S.Ct. 441, 151 L.Ed.2d 339 (2001). Read together, these cases instruct that, in the absence of a clear Congressional directive or a self-concealing violation, the court should not graft a discovery rule onto a statute of limitations. McDonough, 799 F.3d at 942. Here, the structure of § 1658 shows that “at the time Congress amended § 1658 to add subsection (b), it knew how to write statutory text that differentiated between the discovery and occurrence rules and yet chose to preserve as the general rule the more ambiguous language of § 1658(a).” Id. at 943. Having left this ambiguous language in a catch-all statute of limitations, “Congress may have intended the trigger for the date of accrual to vary depending upon the specific cause of action at hand.” Id. The alleged “DPPA violations are not by their nature self-concealing,” nor do they “cry out” for application of the discovery rule. See id. (discussing TRW and noting that “[i]f the FCRA, a statute designed to protect against misuse of individuals' sensitive, personal information, ‘does not govern an area of the law that cries out for application of a discovery rule,’ then neither does the DPPA” (internal citations omitted) (quoting TRW, 534 U.S. at 28, 122 S.Ct. at 447)). Accordingly, we conclude that the Foudys' arguments that the discovery rule applies in this case fail, and we calculate the statute of limitations based on when the alleged violations occurred.
The only alleged DPPA violations that implicate Miami–Dade occurred on January 10, 2008 and May 26, 2005. The Foudys filed their initial complaint against Miami–Dade on March 7, 2014, well beyond the four-year statute of limitations for DPPA claims.2 Accordingly, the district court properly dismissed the Foudys' claims as time barred under § 1658(a).
Adopting the reasoning and conclusion of the Eighth Circuit in McDonough, we hold that the statute of limitations for a DPPA claim “accrues” under § 1658(a) when the alleged violation occurs. Therefore, the district court did not err in dismissing the Foudys' claims, and we affirm its judgment of dismissal.
DUBINA, Circuit Judge: