Hi friends

Eric J. Troutman here, mythical (or is it mystical?) Czar of the TCPAWorld.

It is no secret that I’ve been excited to expand our offerings beyond the TCPA–and the fact that SCOTUS may strike down the TCPA at any minute has a little something to do with it. Ha.

But in truth, the pursuit of this new legal WORLD to explore was driven by YOU, my esteemed and splendid readers and friends.

How many of you have asked at one of my many, many, many speaking engagements over the years a cross-over question regarding CCPA or data privacy? Indeed every company interested in TCPA is–to some degree or another–interested in data security and applicable law. (I even did a webinar on this once–and I hate webinars.)

How many of my dear clients have sought guidance on the FCRA–noting the complete lack of ANY meaningful internet resource on the subject? (For shame internet!)

And of course BIPA–who had ever even heard of that statute before Jay Edelson’s huge interview on my podcast last year? I don’t see many hands out there. And that’s because the phenomenon of BIPA litigation is taking root right before our very eyes.

All three of these areas of law–along with the alphabet soup of enactments like CIPA, SCA, ECPA, and yes even HIPAA (shy wonderful HIPAA)– are fast-paced and developing. They need attention and meaningful analysis by real privacy lawyers steeped in this stuff and from a firm with the resources to devote to tracking case law developments and spotting trends in real time–as they develop.

Why?

Well, because you’ve asked for it, that’s why. And so we delivered.

For those of you familiar with TCPAWorld.com–and you all are aren’t you?–we take the mission of chronicling and exploring case law and related developments incredibly seriously, but we don’t take ourselves too seriously. Pretense is dull. So are barriers to content. Plus lawyers often hide behind legalese when they don’t really understand what they’re trying to say. (But I’m not telling you anything you don’t already know now am I?)

None of that here.

We’ll review all the case law and give you exactly what you need to know, and we’ll try to do it in a way that is light-hearted and relatable. At times–dare I say–even entertaining (although some of us are better at that than others. Ha.)

Our formula is simple– if something happens out there in the wide world of consumer privacy law, we want to give it to you straight and as immediately as possible. You need to know this stuff right now–not days or *cough* weeks later. And you don’t want gobbledy gook or nonsense. We get it.

More than that, you want to trust that you can rely on what you read and you want a single resource that will comprehensively cover the law that matters most to you–from all angles.

Ta-da!

Squire Patton Boggs has assembled its truly amazing team of privacy lawyers–I mean look at this team– and spared no resource to assure that consumerprivacyworld is exactly what you need it to be– timely, smart, engaging, analysis you can work with and learn from.

So welcome to your new privacy law wonderland! Please do make it YOUR wonderland. If you have questions or thoughts on how we can improve–reach out. Don’t like an article or disagree with some analysis? Let us know. And of course if you actually do like something you see here–tell us. We want to know how to make your experience on consumerprivacyworld.com as useful as possible.

We sincerely hope you’ll enjoy your stay and take your time to appreciate everything the website has to offer over time (we’ll be rolling out new features shortly–don’t worry if it feels a bit Spartan in the short term, bells and whistles and a merry-go-round will be installed shortly.)

It is great to have you here. Enjoy–and tell a few dozen pals.

Thanks friends. Chat soon.

In Vaughn v. Grand Brands, LLC, No. 2:19cv596, 2020 U.S. Dist. LEXIS 176744 (E.D. Va. Sep. 25, 2020), a Fair Credit Reporting Act dispute, the Court was tasked with deciding whether Grand Brands LLC (“Defendant”) should be awarded reasonable expenses associated with a motion to compel directed at non-party Equifax Information Services, LLC (“Equifax”). The motion resulted from Defendant’s inability to secure agreement from Plaintiff Danita Vaughn’s (“Plaintiff”) attorneys to provide written authorization from their client permitting Equifax to provide a copy of Plaintiff’s credit report to Defendant. Plaintiff did not contest that her credit report was relevant to the immediate case nor did she oppose Defendant’s efforts to obtain the report.

In ruling that an award of Defendant’s reasonable expenses for compiling its motion to compel was appropriate, the Court noted that according to Fed. R. Civ. P. 37(a)(5)(A), the only time an award of fees is not mandatory is where “(i) the movant filed the motion before attempting in good faith to obtain the disclosure or discovery without court action; (ii) the opposing party’s nondisclosure, response, or objection was substantially justified; or (iii) other circumstances make an award of expenses unjust.” In determining the absence of any exceptions, the Court noted that Defendant, “endeavored at length to obtain Plaintiff’s written authorization.”

Plaintiff’s counsel advanced two arguments to shield itself from imposition of fees: (1) Equifax was obligated to comply with an attorney subpoena under 15 U.S.C. § 1681b(a)(1) so Defendant contacting Plaintiff in order to obtain the subpoenaed documents was “superfluous and unnecessary,” and (2) “a genuine dispute exists” as to whether Plaintiff was required to assist with Defendant’s subpoena because it was Equifax and not Plaintiff who was subject to the subpoena. The Court rejected both arguments. As to the first argument, the Court observed that “the only subpoena which qualifies [for disclosure under 15 U.S.C. § 1681b(a)(1)] is one issued in connection with a Federal grand jury investigation [thus] certainly a subpoena presented by an attorney in private civil litigation does not.” Continuing with its analysis, the Court noted that  regardless of physical possession, Plaintiff was in control of her credit report and obligated to produce it under Fed. R. Civ. P. 34(a)(1).

Ultimately, the Court found that “Plaintiff required [Defendant] to incur significant expense, not to mention the unnecessary involvement of the Court, when a simple written authorization would have sufficed.” Accordingly, without a “good reason” in refusing to cooperate and by not contesting that the information sought was relevant to the case, Plaintiff “was not substantially justified in refusing to cooperate in discovery.” The Court concluded by noting it has the authority to award costs against Plaintiff, her attorneys or both and decided to only award costs against Plaintiff’s attorneys because there was no information suggesting that Plaintiff “was the instigating force behind the decision to refuse to cooperate.”

Defendant has twenty-one days from the date of the Court’s order to submit a motion substantiating its costs and fees pursuant to the factors enumerated in Robinson v. Equifax Info. Servs., LLC, 560 F.3d 235, 243-44 (4th Cir. 2009). The lesson here: don’t be difficult merely for the sake of making your opponent jump through hoops; the court is likely to take notice and make you pay – literally.

A new opinion from the Fifth Circuit found that an incomplete credit report can still be “accurate” under § 1681e(b) – even where the credit report omits a favorable item from a consumer’s credit report that could be germane to the consumer’s credit history.  Although plaintiff had argued that, in deleting a favorable credit item, Credit Reporting Agencies (“CRAs”) had failed to ensure “maximum possible accuracy” of his credit report under § 1681e(b), the court instead ruled that an incomplete report is not always “inaccurate” to the point of being misleading.  The Fifth Circuit affirmed the district court’s dismissal of plaintiff’s complaint, and further found that the CRAs did not have a duty to reinvestigate where plaintiff disputed the completeness, rather than an item, of his credit report.

In Hammer v. Equifax Info. Servs., No. 19-10199, 2020 U.S. App. LEXIS 28800, at *5 (5th Cir. Sept. 9, 2020), plaintiff had continually made timely payments to a credit card, and wanted the favorable account included on his credit report.  The account associated with the credit card was reported by the three major CRAs until 2017.  When plaintiff learned that the CRAs had stopped reporting the account, he requested that it be restored to his credit reports; Equifax and Experian, the defendant CRAs, refused.  After several disputes from plaintiff, they added the credit account to his report, but one, Equifax, ultimately removed it again.  Plaintiff’s credit score fell after the removal, and he sued Equifax and Experian for negligent and willful violations of the FCRA.  The district court granted defendants’ motions to dismiss the complaint, and plaintiff appealed.

The Fifth Circuit determined that the CRAs had not violated § 1681e(b), finding that a credit report is not “inaccurate,” in violation of the statute, every time a report is incomplete – it is only inaccurate when an omission renders the report misleading in a way that would adversely affect credit decisions.  Plaintiff’s credit score falling did not suffice for that adverse impact.  The court looked to a prior case, Sepulvado v. CSC Credit Servs., Inc., 158 F.3d 890, 895 (5th Cir. 1998), in which a credit report included an entry that had been assigned, but did not report that the obligation had arisen six years earlier.  Although the consumer in Sepulvado had argued that the omission made the report inaccurate or misleading, the Fifth Circuit had held that the credit report may have been incomplete, but that did not mean it was inaccurate.  The same was true in Hammer: the omission of the favorable account did not render the credit report so misleading that it was “inaccurate” under § 1681e(b).  The Hammer court noted that businesses have no reason to believe that a credit report reflects all available information about a given consumer – and that such a requirement would actually be impossible for any CRA to satisfy, because creditors only furnish CRAs with consumer information on a voluntary basis.

Plaintiff had also alleged that defendants violated § 1681i(a) for failing to investigate the omission of the favorable credit account from his credit report.  The court disagreed, observing that § 1681i(a) concerns the accuracy of “item[s] of information.”  The CRAs’ duty to investigate under § 1681i(a) had not been triggered because plaintiff had not disputed the accuracy or completeness of an item of information, but instead of his credit report as a whole, which plaintiff claimed was incomplete.

Plaintiff’s claim that Equifax violated § 1681i(a)(5)(B) fared no better.  While plaintiff claimed that the CRA failed to give him the required statutory notice that it reinserted the credit account into his credit report, the court noted that plaintiff’s brief had not argued that the CRA removed the credit account from plaintiff’s credit file – only from his credit account – and so there was no duty to inform under § 1681i(a)(5)(B).  And, although plaintiff argued that he should be allowed to amend the pleading even if he failed to state a claim under § 1681i(a)(5)(B), the court disagreed, finding that the district court had already given plaintiff two opportunities to amend, and each time he had claimed that Equifax never deleted the credit account from his credit file.

So what’s the right standard?  Although CRAs must follow “reasonable procedures to assure maximum possible accuracy” of a credit report under § 1681e(b), Hammer shows that there is no one-size-fits-all test for either “reasonable procedures” or “maximum possible accuracy.”  Even where  plaintiff’s credit score had fallen as a result of the omitted information, the court still saw the favorable account as a “single credit item,” and leaving out that single item did not make the report inaccurate or misleading.  Hammer also highlights the critical difference between a credit entry and a credit report under § 1681i(a).  Plaintiff had not disputed that the favorable credit account was inaccurate as a credit entry, or that it was incomplete.  Instead, he disputed the entire report based on the fact that he believed another entry should have been included – and did not trigger a duty to investigate as a result.

Tuesday at 11:00 EST the FTC will announce “a major law enforcement sweep” on a teleconference.

It’s unclear exactly what industry is the target of this sweep, but suspense is high.  The announcement will come alongside “federal and state partners” to include New York Attorney General Letitia James.  My initial reaction is that the target could be debt collection and/or financial services practices during the COVID-19 pandemic, but only time will tell . . . stay tuned.

 

Time theft, especially in an age of booming remote work, is a serious concern for employers.

Time theft’s cost on productivity motivates many companies to explore ways to reduce it.  In a recent case, time theft motivated a company to implement a timekeeping system that clocked employees through their fingerprints instead of the usual badges or employee numbers.  As this case illustrates, however, an attempt to increase productivity by decreasing time theft can quickly lead to bleeding resources into litigation.  Further, in some circumstances, the bleeding can turn into hemorrhaging, such as when a defendant finds itself simultaneously litigating in state and federal court.

In Burlinski v. Top Golf USA, Inc., No. 19-cv-06700, 2020 U.S. Dist. LEXIS 161371 (N.D. Ill. Sep. 3, 2020), the defendant faced a class action lawsuit by former employees over alleged timekeeping practices.  It allegedly required its employees to record their time by scanning their fingerprints.  The defendant’s purpose for using fingerprints in lieu of timecards or unique employee numbers was to prevent time theft by precluding employees from recording time for anyone but themselves.

The plaintiffs were employed in Illinois, which implicated state privacy laws.  Illinois is one of a few states with laws regulating the collection of fingerprints and other biometric data.  A company may be liable under the Illinois Biometric Privacy Act (“BIPA”) if it does not:  (1) maintain a public retention and destruction schedule before collecting biometric data; or (2) acquire written consent prior to collecting biometric data or disclosing such data to third parties.

Procedural trouble began when the defendant removed the suit.  While the district court was evaluating the defendant’s motion to dismiss and the plaintiffs’ motion to remand, the Seventh Circuit issued an opinion that changed everything.  In Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 624-26 (7th Cir. 2020), the Seventh Circuit ruled on whether district courts had Article III jurisdiction over BIPA claims.  The court found there was jurisdiction over claims alleging that a company failed to obtain written consent prior to collecting biometric data.  The court, however, found there was no jurisdiction over claims alleging a failure to maintain a public retention and destruction schedule prior to collecting biometric data.  In other words, federal courts have jurisdiction over some BIPA claims, but not others.  Burlinski contained both types of claims.

Bryant had an immediate effect in Burlinski.  The court remanded one claim to state court and kept the remaining claims.  The court then rejected the defendant’s arguments to dismiss the removed claims, and the defendant found itself simultaneously litigating in state and federal courts.

To sum it up, Burlinski serves as a reminder for companies to vigorously ensure their own compliance with any applicable privacy statutes.  With many services now turning remote, time theft will likely become only a larger problem.  Before implementing a new timekeeping system, however, companies should recall the tale of Burlinski and its double litigation.

In a new and critical ruling, the Eleventh Circuit Court of Appeals just held that a business has a “legitimate business need” to pull a credit report any time it is responding directly to a consumer-initiated request—even if that consumer is not who he purports to be.  This ruling provides a much needed clarification to one of the Fair Credit Reporting Act’s (“FCRA”) most often used permissible purposes, “legitimate business need.”

In Domante v. Dish Networks, L.L.C., No. 19-11100, 2020 U.S. App. LEXIS 28682, at *7-8 (11th Cir. Sept. 9, 2020), the Eleventh Circuit affirmed summary judgment for a satellite TV provider, finding that it had a “legitimate business need” for obtaining a consumer report to verify the identity of a person applying for satellite TV services.  This case, however, was not the first time the parties had encountered one another.  Prior to this suit, the plaintiff (a repeat victim of identity theft) and the defendant had settled a previous lawsuit stemming from the fraudulent use of the plaintiff’s identity to open an account with the defendant.  Pursuant to that settlement, the defendant agreed to flag any future applications using the plaintiff’s identity—specifically, the plaintiff’s first and last names, date of birth, and Social Security number—and preclude opening an account in plaintiff’s name.

Several years later, in the events that prompted this suit, someone attempted to fraudulently register for satellite TV services using a limited amount of the plaintiff’s personal information.  Specifically, the applicant provided only the last four digits of the plaintiff’s Social Security number, her date of birth, and her first name.  The applicant provided a different last name, address, and phone number.  The defendant’s automated system submitted this information to a consumer reporting agency, which matched the applicant’s information to the plaintiff’s information and returned to the defendant a consumer report for the plaintiff.  Upon receipt of the report and after realizing this connection, the defendant rejected the fraudulent application and requested that the consumer reporting agency delete the credit inquiry it made for the plaintiff.

In affirming summary judgment that the defendant did not violate the FCRA, the Eleventh Circuit followed the Sixth Circuit’s lead in Bickley v. Dish Networks, LLC, 751 F.3d 724 (6th Cir. 2014).  In Bickley, the Sixth Circuit affirmed summary judgment for the same defendant on a similar factual pattern:  the defendant had requested a consumer report for that plaintiff after receiving a fraudulent application.  Upon receiving the report, the defendant detected that the application was fraudulent and cancelled it.  The Sixth Circuit found that the defendant had a “legitimate business need” for obtaining the consumer report, which was “verifying the identity of a customer and assessing his eligibility for a service.”

The Eleventh Circuit found that the defendant had a “legitimate business need” because a consumer (the fraudulent applicant) initiated the transaction.  In doing so, the court rejected the plaintiff’s argument that the defendant did not have a “legitimate business need” due to its requirement under the settlement agreement to deny any future applications using the plaintiff’s information.  The court observed that at the time of the application, the applicant did not provide sufficient information such that the defendant would be aware of what was occurring.  The applicant provided only a first name, the last four digits of a Social Security number, and a date of birth.  He did not provide the correct last name or a complete Social Security number.  The defendant required the information presented in the consumer report to realize that the pending application was fraudulent and involved the plaintiff.

Domante has a few takeaways.  First, in what may be a prelude for cases to come, the court stated in a footnote that the FCRA does not require a user of consumer reports to “confirm beyond doubt” the identity of potential consumers prior to requesting a consumer report.  With the issue of what constitutes a “legitimate business need” picking up within the circuits, courts may find themselves determining whether the FCRA requires a certain level of due diligence prior to requesting a consumer report.  Second, the consumer initiating a request does not necessarily have to be the person he purports himself to be in order for the user to have a permissible purpose under the FCRA.  Missing from the court’s opinion is any indication that the identity of the consumer for purposes of a consumer-initiated transaction was relevant to the outcome.  Given the hodgepodge of information fraudulent consumers may supply, Domante suggests that users of consumer reports do not face increased liability under these circumstances.

Aww the internet of things. A strange and ephemeral virtual network where our refrigerators and stoves harmonize and communicate with our air conditioners and toaster ovens assuring a single “smart” home or office environment.

One day, perhaps, the IoT will assure life on Earth nears Nirvana-like perfection for all of its living inhabitants. We’ll never enter a room without it having been pre-cooled to our desired temperature and our ovens will never need to be preheated because their predictive algorithms will know we intend to bake cookies before it ever dawns on us to do so.

For now, however, the IoT is a clunky and inelegant thing patched together from innumerable overlays and sketchy network protocols. And it is ever so subject to hacking and infiltration. Leaving us susceptible, it would seem, to rogue coffee makers filling our bedrooms with espresso aromas at all hours of the night and ice machines that just won’t stop spewing the cold stuff, even when the bin is full.

Chilling.

Whether the threat of “killer appliances” is real or imagined or just made up by me, right now, in this blog post, I leave for you to decide. But Congress isn’t taking any chances.

In a new bill that went flying through yesterday, the House of Representatives passed a bill designed to better secure all of the appliances used by Government agencies from cyber-attacks. The bill is called IoT Cybersecurity Improvement Act of 2020 and it is found here.  And lest anyone think this bill is more useful than that, it is specifically written to not include “conventional Information Technology devices, such as smartphones and laptops.”

No folks. This bill is designed exclusively and intentionally to protect the nation’s coffee makers and refrigerators. In the event of war, we simply cannot risk members of our valuable federal government being without these critical appliances.

To assure that the nation’s “infrastructure” is safe, the bill requires the National Institute of Standards and Technology to promulgate “standards and guidelines” for the Federal Government on the “appropriate use and management by agencies of Internet of Things devices” including “minimum information security requirements for managing cybersecurity risks associated with such devices.”

Allow me to translate: the House just passed a bill requiring rules to be developed for federal agency employees to abide by when handling their smart appliances.

Ahem.

As a few examples of what these rules should include: i) examples of possible security vulnerabilities of Internet of Things devices (I’m looking forward to that list); ii) considerations for managing the security vulnerabilities of Internet of Things devices (considerations?); and iii) identification management for IoT devices. (Identification management. For appliances.)

Well, while reasonable minds can disagree on the need for national standards to protect our national crockpots from foreign interference, it is nice to see that the House can come together to pass an important piece of legislation even in this era of crazed partisanship.

We’ll see if the Senate chooses to do the same.

The CFPB has two upcoming public events you won’t want to miss.  On 15 September, the public can dial-in to the CFPB “listening session” where the CFPB “advisory committees will meet with the Bureau’s Taskforce on Federal Consumer Financial Law to share recommendations on improvements to the current state of federal consumer protection laws, regulations, and practices.”  Indeed, we will be covering what is said here on Consumer Privacy World.

Next, our very own Glenn Brown provided a detailed summary of the CFPB’s 5-9 October Tech Sprint.  At this multi-day event, regulators, financial institutions, technology gurus, and subject matter experts will come together to shape policy that focuses on “developing a range of innovative approaches to electronically-delivered adverse action notices” required under the Fair Credit Reporting Act and Equal Credit Opportunity Act.  Whether you can make it for none of it or all of it, we will certainly provide the highlights here on Consumer Privacy World.

Stay tuned.

Kenn v. Eascare, Civil Action No. 20-cv-10070-ADB, 2020 U.S. Dist. LEXIS 158820 (D. Mass. Sep. 1, 2020) is a Fair Credit Reporting Act (“FCRA”) standing case. Here, the Court concluded that a mere technical violation of the FCRA (specifically, the disclosure requirement) does not automatically confer standing. The Court also discusses Plaintiff Nicole Kenn’s (“Plaintiff”) insufficient pleading of an informational injury or invasion of privacy; ultimately dismissing Plaintiff’s FCRA allegations. What follows is the case background and a more detailed analysis.

On December 5, 2019, Plaintiff sued her previous employer, Eascare, LLC (“Eascare”), an Eascare manager, Mark E. Brewster (“Brewster”), and her former supervisor, Joseph Hughes (“Hughes”) (collectively, “Defendants”). Plaintiff’s lawsuit alleged four counts, including Eascare and Brewster violating Massachusetts’ wage laws under Mass. Gen. Laws ch. 149, §§ 148, 150 (“Count I”), Eascare and Brewster engaging in sexual discrimination in violation of Mass. Gen. Laws ch. 151B, § 4 (“Count II”), and two violations of the Fair Credit Reporting Act (“FCRA”) as a result of running a background check on Plaintiff and others during the hiring process (“Count III” and “Count IV”). Notably, Plaintiff seeks to bring a class action against Eascare as a result of its alleged FCRA violations; however, before the Court in Kenn v. Eascare is Eascare’s motion to dismiss Counts III and IV for failure to state a claim, and Plaintiff’s motion to remand Counts I and II to state court.

Regarding Counts III and IV, Plaintiff alleges that, “Eascare violated the FCRA … by including a liability waiver and other extraneous language on [a] stand-alone disclosure form and by subsequently running a background check without proper authorization.” Plaintiff believes this allegation is a violation of the FCRA sufficient to constitute an injury “because her privacy was invaded.” Eascare, believing the opposite, argued that Plaintiff lacked standing to bring a claim because her alleged FCRA violations failed to show she suffered “a sufficiently concrete or particularized injury.”

In its analysis, the Court recognized that Plaintiff’s FCRA allegations stem from “two distinct, substantive rights that Congress sought to protect: first, an informational right, and second, a right to privacy.” With a split of authority as to whether a violation of the FCRA’s standalone disclosure or authorization requirements is sufficient to constitute a concrete harm, the Court here was unconvinced that Plaintiff’s allegations rose to the level required of an “informational injury.” In particular, the Court noted that, “Plaintiff has not alleged that she was confused by, or unaware of, the document she was signing and Plaintiff’s conclusory allegations are insufficient to allow the Court to infer confusion or misapprehension.” Ultimately, the Court noted, “Plaintiff’s allegation of an informational injury fails because she has not alleged that … extraneous information, allegedly contained in the Disclosure Form, caused any actual confusion about whether her personal information would be made available for a background check.” The Court similarly held that because Plaintiff “consented to the [background check] and has not sufficiently pled that she suffered an informational injury in that she misunderstood the form … or the subsequent authorization, Plaintiff cannot sustain an argument for an invasion of privacy.” Accordingly, the Court granted Eascare’s motion to dismiss Counts III and IV because Plaintiff did not sufficiently allege, “confusion, distraction, or misunderstanding of the form [that she signed].”

With Plaintiff’s federal law claims dismissed, the Court chose not to exercise supplemental jurisdiction over the remaining state law claims and remanded the remaining counts to state court pursuant to 28 U.S.C. § 1367(c)(3).

Good morning, all.  The Consumer Privacy World team is out there again sharing wise advice on how to handle a cyber breach.  This time, the team discusses organizational risk of a data breach, and how companies can learn something from Uber’s recent data privacy missteps that ended in a criminal complaint.  In “Executive Responsibilities and Consequences: A Case Study of Uber’s Data Breaches” published in Corporate Compliance Insights, Squire Patton Boggs lawyers Colin Jennings, Ericka J. and Dylan Yépez offer key takeaways from the company’s high-profile data breaches and the criminal charges that followed.

As an aside, if you are curious what a criminal complaint looks like in such a case, view it HERE.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) maintains the Specially Designated Nationals (“SDN”) list, which is published to identify suspected terrorists and other bad actors.  US persons are generally prohibited from dealing with anyone on the list, so companies and governments regularly run checks against the SDN list and other “terrorist watch list” data to ensure that they are not doing business with such bad actors.  Some consumer reporting agencies (“CRAs”) provide these checks to alert users of a possible terrorist in order to prevent prohibited transactions with such individuals.  Often these users are legally required to run such checks.

Such terrorist watch lists, however, often contain very little personal information about the individuals on the list—sometimes the list only discloses a name and country of birth.   Compounding the issue, some CRAs report a match or potential match if the name of the subject simply matches a name on the list even if other information, such as a date of birth, does not match the subject.  Did you catch that?  A name can match with little to no other corroborating personally identifiable information and that terrorist alert can land squarely on an innocent consumer’s credit report just for having the same or similar name as a suspected terrorist.  Indeed, as we have seen in the courts in recent years, false positive results from these checks are not uncommon.

This creates issues for CRAs that include terrorist watch list data in consumer reports, given the Fair Credit Reporting Act’s (“FCRA”) mandate that reasonable procedures must be used to ensure the “maximum possible accuracy” of information included in credit reports. If a CRA only has a name and country of birth from a terrorist watch list, or is not even attempting to use information in the terrorist watch list other than the name to match the consumer, how will it accurately attribute the record to the correct individual’s file?  Well, recent high-stakes litigation on this issue suggests that complacent inclusion of terrorist watch list data in consumer reports violates the FCRA, and plaintiffs brought the issue back to federal court again this week in Pennsylvania.

Earlier this week, one of the “big three” credit bureaus was sued in the Eastern District of Pennsylvania over an alleged practice that the Ninth Circuit and the Third Circuit had previously determined violated the FCRA in unrelated class action litigation against the same credit bureau.[1] The class action complaint alleges that TransUnion, LLC (“TransUnion”) included information found on terrorist watch lists in its consumer reports in violation of the FCRA.

This is not the first time TransUnion has had to defend these practices. In 2010, the Third Circuit affirmed a jury award of compensatory and punitive damages against TransUnion and in favor of a class.  The lead plaintiff was initially refused an auto loan because TransUnion included an “alert” on her credit report flagging her as being a possible match for an individual on the OFAC’s watch list.[2]  Indeed, even though the individual on the OFAC list had a different date of birth than the plaintiff, TransUnion’s product flagged the plaintiff’s report because it only considered the name in determining a match.   When the plaintiff disputed the information, TransUnion refused to conduct a reexamination on the basis that the information was not part of her credit file.  She sued on behalf of the class and was awarded compensatory and punitive damages by a jury as a result of TransUnion’s failure to ensure the maximum possible accuracy of consumer reports, among other FCRA violations.  On appeal, the Third Circuit found that the FCRA’s accuracy standard “requires more than merely allowing for the possibility of accuracy,” meaning that CRAs do not meet that standard by flagging certain consumers as “possible” matches for individuals on the OFAC’s watch list.  The court also found that TransUnion’s failure to use a date of birth where available in the matching process was “reprehensible” and warranted punitive damages.

In 2011, a husband and wife attempted to purchase an automobile but were likewise initially refused because the husband’s name was flagged by the same TransUnion product involved in the Cortez case. Again, the husband brought class action litigation against TransUnion, and the jury returned a verdict in favor of the class and awarded statutory and punitive damages.[3] On appeal, the Ninth Circuit reduced the amount of the punitive damages, but upheld the lower court’s finding of willfulness, holding that “TransUnion was provided with much of the guidance it needed to interpret its obligations under the FCRA with respect to OFAC Alerts in 2010 when Cortez was decided.  Despite this warning, TransUnion continued to use problematic matching technology and to treat OFAC information as separate from other types of information on consumer report.”

The complaint in the instant case therefore marks the third time that TransUnion has had to defend a product and process that it has unsuccessfully defended thus far. The lead plaintiff in this case was denied a mortgage loan based on being flagged by the same TransUnion product involved in the Cortez and Ramirez cases. Plaintiff contends that his personal information does not match the individual on the OFAC watch list and that he is not a terrorist, but a law-abiding US citizen. TransUnion continues to market the OFAC watch list data as a “credit report add-on” on its website. TransUnion has apparently made no substantive changes to its procedures for associating consumers with information from these watch lists: it continued to use only first and last names, and did not consider dates of birth where available. It also allegedly continues to present these alerts as “potential” matches despite the results of the previous litigation. It should be no surprise that the law firm representing the plaintiffs in this case also represented the plaintiffs in Cortez and Ramirez. This is a case to watch, and we will do so here on CPW.

[1] Al-Shaikli v. TransUnion, LLC, 5:20-cv-04155 (E.D. Pa. August 24, 2020).

[2] Cortez v. TransUnion, 617 F.3d 688 (3d Cir. 2010).

[3] Ramirez v. TransUnion, No. 17-17244, 2020 WL 946973 (9th Cir. Feb. 27, 2020).