Class Alleges Credit Score Disclosed in Violation of FCRA, FDCPA
Rizzo vs. Discover
Class complaint – Discover, through its counsel, allegedly disclosed plaintiff’s credit score in public court documents. In bringing suit against plaintiff to collect an owed debt, Discover attached a copy of a monthly billing statement that included plaintiff’s credit score. Plaintiff argued this constituted an unauthorized disclosure of part of her ‘consumer report’ in violation of the FCRA, as well as a violation of the FDCPA as the ‘consumer report’ information was not obtained or used for a permissible purpose (abusive, deceptive, and unfair).
[W.D. WI; 3:17-cv-00408]
jbho: a little redacting can go a long way?
Remember court documents are public. Anyone with a PACER subscription can see them. That’s where I get most of my information for the cases I cover on this blog.
Customers Asking For Info Automatically Enrolled (and Credit Checked)
Ohlman v. CenturyLink
Class complaint – CenturyLink allegedly pulled plaintiff’s credit during a phone call where she was inquiring about service plan pricing information. Plaintiff claimed her credit was pulled despite her request it not be (since she was only browsing), and her credit score dropped 12 points as a result. Plaintiff further claimed she later received a confirmation of activation of services she did not order.
[N.D. Ill; 1:17-cv-03640]
jbho: too early to tell what’s really going on here. However, call center agents are often paid commissions based on the number of accounts they open, so could be a rogue employee. Stay tuned…
For now, a reminder that you should include remuneration criteria in any risk calculus.
No Harm In Prematurely Pulled Credit Report
Bultemeyer v. CenturyLink
Dismissed – CenturyLink allegedly pulled plaintiff’s credit report despite the fact she did not order CenturyLink services, or initiate a business transaction with CenturyLink.
Plaintiff began a five-step process to order CenturyLink services:
• Step 1: Choose Services
• Step 2: Customize (e.g., modem and installation choices)
• Step 3: Shopping Cart (review itemized charges)
• Step 4: Customer Info (enter personal information)
• Step 5: Checkout (enter payment information and authorize payment)
During Step 5, plaintiff changed her mind and abandoned the checkout process. Plaintiff alleged the (unauthorized) credit check took place between Step 4 and Step 5.
The court found that even if CenturyLink ran her credit without a permissible purpose, there was no harm. Plaintiff failed to allege the pulling of the report injured her credit, or that CenturyLink disseminated her information. Thus the bare procedural violation, without more, did not constitute a concrete injury.
[D. AZ; 2:14-cv-02530]
jbho: a take-away here is: if you’re gonna pull credit, make sure the person is aware, consents (e.g., click-wrap agreement), and is provided all the statutorily required disclosures – including FCRA rights on a dedicated page.
It would have been interesting to see if there would have been a discussion of consent. According to the order, to proceed from Step 4 to Step 5, plaintiff had to tick a checkbox with the language “I’ve read these terms and conditions and I accept them” and then had to click ‘Next.’
Also interesting is that the court distinguished between FCRA and TCPA violations. It acknowledged that the 9th Circuit has held TCPA ‘invasion of privacy’ violations ‘by their nature’ are sufficient for standing. However, it declined to apply the same standard in this case as privacy protection was not the primary goal of the FCRA (Congress enacted the FCRA “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy”).
The pattern developing seems to be that collection and retention alone are not sufficient to confer standing. In most cases, it appears there must be at least a disclosure to elevate a bare-procedural violation to a concrete harm (violation of a substantive statutorily created right).
$1.75 Million To Settle FCRA Class Action
Ernst v. Dish
Settlement preliminary approval – Dish allegedly idled – but did not terminate – “high risk” field technicians based on the results of reports run without worker notice or consent. The reduction was allegedly based on the goal of protecting consumers by preventing certain technicians from entering consumer premises. These ‘adverse actions’ (loss of work, loss of wages) were allegedly taken without providing copies of the reports used, and without allowing technicians an opportunity to contest report data. Additionally, some of the reports allegedly contained outdated information (over 20 years old) that should not have been used for employment purposes.
- $1,750,000 non-reversionary settlement fund
- $80 for each Authorization Class member
  - technicians on whom reports were run without proper notice/consent
  - approximately 37,980 class members
- $482 for each Adverse Action Class member
  - technicians identified as “high risk”
  - approximately 8,916 class members
- $5,000 for each named plaintiff
- $583,333 for class counsel (1/3 of settlement fund)
Unclaimed funds will revert to cy pres recipients.
[S.D. N.Y.; 1:12-cv-08794]
jbho: make sure the purposes of pulling a report (and FCRA rights) are disclosed on a dedicated page of any application process.
Looks like a reduction in hours/responsibilities based on a background check can be enough to trigger the ‘adverse action’ notifications under FCRA. Dish policies appear to have only required notice upon termination, despite warnings from its own internal counsel.
Breach Notification Confirms Harms Were Concrete?
Galaria v. Nationwide
Reversed & remanded – Nationwide allegedly harmed some one million people by failing to prevent hackers from accessing its computer systems, and allowing plaintiffs’ names, dates of birth, marital statuses, genders, occupations, employers, social security numbers, and driver’s license numbers and other personal information to be exposed. Nationwide notified individuals of the breach, and offered each one year of free credit monitoring / identity-fraud protection. Additionally, the notification advised individuals to put a security freeze on their accounts, but did not offer to pay for expenses associated with a security freeze.
The district court dismissed all claims:
- FCRA claims – plaintiff failed to allege injury arising from violation of a particular statutory requirement or prohibition set forth in the FCRA
- Negligence, Invasion of Privacy, Bailment claims – plaintiff lacked sufficient factual allegations to show future injury was imminent; he could not create standing by choosing to make expenditures in order to mitigate purely speculative harms (i.e., no Article III standing)
Given the lack of Article III standing, the district court dismissed all claims for lack of subject matter jurisdiction.
Plaintiff appealed the dismissal of FCRA, negligence, and bailment claims.
The appellate court found plaintiff’s complaints adequately alleged Article III standing. Mitigation costs incurred by plaintiff constituted a concrete injury since: “(w)here Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse … particularly when Nationwide recommended taking these steps … (a)lthough Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover” (emphasis added). Moreover, the appellate court found the injuries were ‘fairly traceable’ to Nationwide’s conduct – alleged failure to secure data from hackers. Thus the district court erred in dismissing for lack of subject matter jurisdiction.
On FCRA claims, the court found that if plaintiff failed to allege injury arising from an FCRA violation, the proper course was to dismiss for failure to state a claim, and not a lack of subject matter jurisdiction.
[Galaria v. Nationwide: 6th Cir.; 15-3386 (orig: S.D. OH; 2:13-cv-00118) & Hancox v. Nationwide: 6th Cir.; 15-3387 (orig: S.D. OH; 2:13-cv-00257)]
jbho: wow. So a data breach alone is enough for Article III standing? Pretty scary that the court seemed to use language in the breach notification letter – statutorily required under some state laws – as the basis for Nationwide’s admission of harm.