Driver’s License Swipe Leads To Class Action
Skiles v. Tesla
Class complaint – Tesla allegedly collected and shared plaintiff’s driver’s license information without his knowledge or consent. Plaintiff claimed his personal information was collected (intercepted) when the magnetic stripe of his driver’s license was scanned via iPad (through an app created by Appstream) when he sought to test drive a Tesla. Plaintiff claimed he provided his license only to verify he was legally permitted to drive; however, the information was used to ‘score’ him based on his creditworthiness, and used to enroll him in marketing databases without his consent (purposes not permitted under the DPPA). Plaintiff claimed an Experian ‘Mosaic’ score (a consumer report) was created and used for marketing purposes (without his knowledge or consent), and the information was stored in a Salesforce marketing database, a database which he had no ability to control regarding the use or distribution of his personal information.
Named defendants include Tesla, Appstream, Experian, and Salesforce. Claims were filed under the FCRA, ECPA, and DPPA.
[N.D. CA; 3:17-cv-05434]
jbho: a reminder that remedies available for violating the DPPA make it attractive for class actions. A private right of action for knowing violations allows a court to award (18 USC §2724):
(1) actual damages, but not less than liquidated damages in the amount of $2,500
(2) punitive damages upon proof of willful or reckless disregard of the law
(3) reasonable attorney’s fees and other litigation costs reasonably incurred
(4) other preliminary and equitable relief as the court determines to be appropriate
I’ve not seen it tested too many times, but it may only be a matter of time…
Also, not sure Mosaic counts as a credit report, but there is a fair amount of demographic information available through the product. It will be interesting to see how this case proceeds.
Extraneous Information Only Bare Procedural Violation Of Stand-Alone Disclosure Requirement
Groshek v. Time Warner (& Great Lakes Higher Education)
Affirmed – Time Warner and Great Lakes Higher Education allegedly included liability releases and other extraneous information in their consumer report authorization forms, in violation of the “stand-alone disclosure requirement,” thus invalidating plaintiff’s consent to pull his consumer reports. Both cases were dismissed post-Spokeo, the courts finding plaintiff failed to allege any concrete harms, and the extraneous disclosures only constituted bare procedural violations.
The appellate court agreed, finding plaintiff failed to allege the extraneous information rendered the disclosures incomprehensible, that he was confused, or would not have otherwise signed compliant forms. Since plaintiff admitted he signed the forms, he could not maintain he suffered a concrete privacy injury.
Additionally, the appellate court found plaintiff did not allege he was denied a compliant disclosure form (should he have asked). Therefore, plaintiff failed to demonstrate he had suffered an informational injury, let alone a concrete informational injury.
[7th Circ. 16-3355 (Orig: E.D. WI; 2:15-cv-00157 & W.D. WI; 3:15-cv-00143, consolidated on appeal)]
jbho: still might be worth it to follow the “stand-alone disclosure requirement,” if for no other reason than to avoid the years of litigation?
According to the court, plaintiff submitted 562 job applications. He only interviewed with Great Lakes, but worked for Time Warner for 3 months. He filed suit against Great Lakes one month after applying, and against Time Warner days after voluntarily resigning.
$60 Million For Bad OFAC Data
Ramirez v. TransUnion
$60M jury verdict – TransUnion allegedly included OFAC alerts in credit reports provided to procurers, but did not include OFAC alerts in reports provided to consumers. As a result, plaintiff alleged, consumers were not advised of OFAC alerts, and had no chance to correct inaccuracies related to OFAC alerts on their reports. Plaintiff further alleged TransUnion placed OFAC alerts on consumer reports based only on partial matches, and failed to exercise the ‘maximum possible accuracy standard’ when including OFAC information. Finally, plaintiff alleged these inaccuracies led to him being denied an auto loan.
When challenging the information, TransUnion allegedly informed plaintiff there was no OFAC information on his file, and he could not dispute non-existent information. TransUnion did ultimately send two communications: 1) a copy of his credit report that did not include the OFAC alert, and 2) a separate letter describing the OFAC match, but that did not include the statutorily required information (e.g., FCRA rights, how to dispute, etc.).
At trial, it was revealed TransUnion did include OFAC alerts in credit reports, and validation procedures were engaged only after a consumer disputed results. It was further revealed that TransUnion initially declined to implement features that could have reduced false positives, although it informed procurers that a potential OFAC match wasn’t a guarantee – it was only a ‘first step’ procurers could use for their own purposes.
The jury found TransUnion willfully failed to:
• follow reasonable procedures to assure the maximum possible accuracy of OFAC information
• clearly and accurately disclose OFAC information in consumer disclosures
• provide FCRA rights in consumer disclosures
The jury awarded each of the 8,185 class members $984.22 in statutory damages and $6,353.08 in punitive damages ($60,055,801 in total).
[N.D. CA; 3:12-cv-00632]
jbho: Looks like the auto dealership followed the FCRA, and cited the OFAC alert in its Adverse Action notice. Make sure your notices are buttoned up, especially if basing decision on items that may not traditionally be considered part of a credit report.
Note that plaintiff had asked the jury for $8M, but it appears the jury believed the technology to avoid the alleged errors was well within TransUnion’s grasp, thus chose to send a message with the punitive award. It appears this is the largest FCRA award to date.
Class Alleges Credit Score Disclosed in Violation of FCRA, FDCPA
Rizzo vs. Discover
Class complaint – Discover, through its counsel, allegedly disclosed plaintiff’s credit score in public court documents. In bringing suit against plaintiff to collect an owed debt, Discover attached a copy of a monthly billing statement that included plaintiff’s credit score. Plaintiff argued this constituted an unauthorized disclosure of part of her ‘consumer report’ in violation of the FCRA, as well as a violation of the FDCPA as the ‘consumer report’ information was not obtained or used for a permissible purpose (abusive, deceptive, and unfair).
[W.D. WI; 3:17-cv-00408]
jbho: a little redacting can go a long way?
Remember court documents are public. Anyone with a PACER subscription can see them. That’s where I get most of my information for the cases I cover on this blog.
Customers Asking For Info Automatically Enrolled (and Credit Checked)
Ohlman v. CenturyLink
Class complaint – CenturyLink allegedly pulled plaintiff’s credit during a phone call where she was inquiring about service plan pricing information. Plaintiff claimed her credit was pulled despite her request it not be (since she was only browsing), and her credit score dropped 12 points as a result. Plaintiff further claimed she later received a confirmation of activation of services she did not order.
[N.D. Ill; 1:17-cv-03640]
jbho: too early to tell what’s really going on here. However, call center agents are often paid commissions based on the number of accounts they open, so could be a rogue employee. Stay tuned…
For now, a reminder that you should include remuneration criteria in any risk calculus.
No Harm In Prematurely Pulled Credit Report
Bultemeyer v. CenturyLink
Dismissed – CenturyLink allegedly pulled plaintiff’s credit report despite the fact she did not order CenturyLink services, or initiate a business transaction with CenturyLink.
Plaintiff began a five-step process to order CenturyLink services:
• Step 1: Choose Services
• Step 2: Customize (e.g., modem and installation choices)
• Step 3: Shopping Cart (review itemized charges)
• Step 4: Customer Info (enter personal information)
• Step 5: Checkout (enter payment information and authorize payment)
During Step 5, plaintiff changed her mind and abandoned the checkout process. Plaintiff alleged the (unauthorized) credit check took place between Step 4 and Step 5.
The court found that even if CenturyLink ran her credit without a permissible purpose, there was no harm. Plaintiff failed to allege the pulling of the report injured her credit, or that CenturyLink disseminated her information. Thus the bare procedural violation, without more, did not constitute a concrete injury.
[D. AZ; 2:14-cv-02530]
jbho: a take-away here is: if you’re gonna pull credit, make sure the person is aware, consents (e.g., click-wrap agreement), and is provided all the statutorily required disclosures – including FCRA rights on a dedicated page.
It would have been interesting to see if there would have been a discussion of consent. According to the order, to proceed from Step 4 to Step 5, plaintiff had to tick a checkbox with the language “I’ve read these terms and conditions and I accept them” and then had to click ‘Next.’
Also interesting is that the court distinguished between FCRA and TCPA violations. It acknowledged that the 9th Circuit has held TCPA ‘invasion of privacy’ violations ‘by their nature’ are sufficient for standing. However, it declined to apply the same standard in this case as privacy protection was not the primary goal of the FCRA (Congress enacted the FCRA “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy”).
The pattern developing seems to be that collection and retention alone are not sufficient to confer standing. In most cases, it appears there must be at least a disclosure to elevate a bare-procedural violation to a concrete harm (violation of a substantive statutorily created right).
$1.75 Million To Settle FCRA Class Action
Ernst v. Dish
Settlement preliminary approval – Dish allegedly idled – but did not terminate – “high risk” field technicians based on the results of reports run without worker notice or consent. The reduction was allegedly based on the goal of protecting consumers by preventing certain technicians from entering consumer premises. These ‘adverse actions’ (loss of work, loss of wages) were allegedly taken without providing copies of the reports used, and without allowing technicians an opportunity to contest report data. Additionally, some of the reports allegedly contained outdated information (over 20 years old) that should not have been used for employment purposes.
- $1,750,000 non-reversionary settlement fund
- $80 for each Authorization Class member
  - technicians on whom reports were run without proper notice/consent
  - approximately 37,980 class members
- $482 for each Adverse Action Class member
  - technicians identified as “high risk”
  - approximately 8,916 class members
- $5,000 for each named plaintiff
- $583,333 for class counsel (1/3 of settlement fund)
Unclaimed funds will revert to cy pres recipients.
[S.D. N.Y.; 1:12-cv-08794]
jbho: make sure the purposes of pulling a report (and FCRA rights) are disclosed on a dedicated page of any application process.
Looks like a reduction in hours/responsibilities based on a background check can be enough to trigger the ‘adverse action’ notifications under FCRA. Dish policies appear to have only required notice upon termination, despite warnings from its own internal counsel.
Breach Notification Confirms Harms Were Concrete?
Galaria v. Nationwide
Reversed & remanded – Nationwide allegedly harmed some one million people by failing to prevent hackers from accessing its computer systems, and allowing plaintiffs’ names, dates of birth, marital statuses, genders, occupations, employers, social security numbers, and driver’s license numbers and other personal information to be exposed. Nationwide notified individuals of the breach, and offered each one year of free credit monitoring / identity-fraud protection. Additionally, the notification advised individuals to put a security freeze on their accounts, but did not offer to pay for expenses associated with a security freeze.
The district court dismissed all claims:
- FCRA claims – plaintiff failed to allege injury arising from violation of a particular statutory requirement or prohibition set forth in the FCRA
- Negligence, Invasion of Privacy, Bailment claims – plaintiff lacked sufficient factual allegations to show future injury was imminent; he could not create standing by choosing to make expenditures in order to mitigate purely speculative harms (i.e., no Article III standing)
Given the lack of Article III standing, the district court dismissed all claims for lack of subject matter jurisdiction.
Plaintiff appealed the dismissal of FCRA, negligence, and bailment claims.
The appellate court found plaintiff’s complaints adequately alleged Article III standing. Mitigation costs incurred by plaintiff constituted a concrete injury since: “(w)here Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse … particularly when Nationwide recommended taking these steps … (a)lthough Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover” (emphasis added). Moreover, the appellate court found the injuries were ‘fairly traceable’ to Nationwide’s conduct – alleged failure to secure data from hackers. Thus the district court erred in dismissing for lack of subject matter jurisdiction.
On FCRA claims, the court found that if plaintiff failed to allege injury arising from a FCRA violation, the proper course was to dismiss for failure to state a claim, and not a lack of subject matter jurisdiction.
[Galaria v. Nationwide: 6th Cir.; 15-3386 (orig: S.D. OH; 2:13-cv-00118) & Hancox v. Nationwide: 6th Cir.; 15-3387 (orig: S.D. OH; 2:13-cv-00257)]
jbho: wow. So a data breach alone is enough for Article III standing? Pretty scary that the court seemed to use language in the breach notification letter – statutorily required under some state laws – as the basis for Nationwide’s admission of harm.