A.

The Fair Credit Reporting Act

Increasingly, companies in the United States make sales based on credit. Since 1980,
almost all homes and most new cars are purchased on credit. Well over half of retail items
are purchased on credit as well.1

As a result of the centrality of different forms of consumer borrowing, consumer reporting

agencies play an increasingly significant role in economic transactions. Consumer
reporting agencies prepare credit reports about people’s credit history for use by creditors
seeking to loan people money. Credit reports contain financial information such as
bankruptcy filings, judgments and liens, p. 80 mortgage foreclosures, and checking
account data. Some companies also prepare investigative consumer reports, which
supplement the credit report with information about an individual’s character and lifestyle.
Creditors depend upon credit reports to determine whether or not to offer a person a loan
as well as what interest rate to charge that person. Credit reports are also reviewed by
some landlords before renting out an apartment.

Credit reports contain a “credit score” that is used to assess a person’s credit risk. In
many cases, a low score will not necessarily mean the denial of a loan, mortgage, or
credit card; rather, it means that a higher rate of interest will be charged. As Evan
Hendricks notes:

According to the Fair Isaac Corporation, a leading developer of credit scoring models, one
delinquent account can lower a credit score from 70 to 120 points. A consumer with
excellent credit (credit score of 720-850) would pay about 7.85% interest rate for a home
equity loan, while a consumer with marginal credit (640-659) would pay 9.2% and one with
poor credit (500-559) would pay a 12.1% rate. The rate swings for a new car loan are even
greater, with good credit risks paying a 5.2% rate, moderate risks paying 11.4% and poor
risks paying 17.2%.2
Credit reports are not only used in connection with granting credit. Employers use credit
reports to make hiring and promotion decisions. The issuance of professional licenses,
such as admittance to the bar, also can require the examination of one’s credit report.

There are three major national consumer reporting agencies: Experian, Equifax, and
Trans Union. Each of these three companies has information on virtually every adult
American citizen, and they routinely prepare credit reports about individuals.

According to Peter Swire, our financial system has been shifting toward more traceable
payment transactions: “The shift from cash to checks to credit and debit cards shows an
evolution toward creating records, placing the records automatically in databases, and
potentially linking the databases to reveal extremely detailed information about an
individual’s purchasing history.”3 This evolution is generating new problems for the
protection of privacy.

In 1970, Congress passed the Fair Credit Reporting Act (FCRA), Pub. L. No. 90-321, to
regulate consumer reporting agencies. The Act was inspired by allegations of abuse and
lack of responsiveness of credit agencies to consumer complaints. More specifically, the
ongoing computerization of the paper records of the already long-established consumer
reporting industry spurred Congress to act. In his history of financial identity in the United
States, Josh Lauer writes, “Where the existence of millions of millions of individual paper
files, dispersed among thousands of local credit bureaus, had been uncontroversial, the
prospect of this detailed personal information flowing directly into a single database
produced terror.” To illustrate the alarm felt by the late 1960s about the digitalization of
this industry, Lowry cites the warning from a member of Congress p. 81 about how the
centralized databases of a newly computerized credit bureau would create “a total
surveillance society and a totally managed society.” At the same time, however, credit
surveillance was acknowledged to be a central element in the nation’s economy.

In its statement of purpose, the FCRA states: “There is a need to insure that consumer
reporting agencies exercise their grave responsibilities with fairness, impartiality, and a
respect for the consumer’s right to privacy.” 15 U.S.C. § 1681. The FCRA requires credit
reporting companies to provide an individual access to her records, establishes
procedures for correcting information, and sets limitations on disclosure.

In 2003, Congress passed the Fair and Accurate Credit Transactions Act (FACTA), which
amended FCRA. Evan Hendricks explains the impetus for passing the FACTA:

[K]ey provisions of the FCRA that preempted State law were set to expire on December
31, 2003. These provisions dealt with issues affecting billions of dollars in commerce: pre-
approved credit card offers, duties on creditors (furnishers) to report accurately and to
reinvestigate, and the sharing of personal data among corporate affiliates. Industry
expressed fears that if legislation was not passed and the preemption expired, state
legislatures would begin passing conflicting laws that would raise compliance costs, and
worse, interfere with profits.
To consumer and privacy groups, legislation was long overdue because the 1996 FCRA
Amendments were not getting the job done. All of the long-standing problems related to
privacy and fair information practices persisted: inaccuracy, faulty reinvestigations,
reinsertion, non-responsiveness, and lax security. More dramatically, identity theft had
been crowned the nation’s “fastest growing crime,” and the biggest harm from identity theft,
everyone knew, was to the privacy of credit reports. . . .
 Both sides wanted legislation, but not the same legislation. Industry wanted a simple,
straightforward bill that would do nothing more than make FCRA preemption permanent.
Consumer privacy groups called for a detailed reform bill that would set a “floor” of new
protections, but which would leave the states free to go further.4
FACTA required credit bureaus to disclose credit scores to individuals. The requirement
to disclose explanatory information regarding the basis for these credit scores is limited.
As Danielle Citron and Frank Pasquale explain, “The law does not require credit scorers
to tell individuals how much any given factor mattered to a particular score. . . . The
industry remains highly opaque, with scored individuals unable to determine the exact
consequences of their decisions” regarding financial matters.5
p. 82

1.FCRA’s Scope and Structure

Scope.
FCRA applies to “any consumer reporting agency” that furnishes a “consumer report.” 15
U.S.C. § 1681b. As a consequence, the scope of the FCRA turns on the definitions of
“consumer report” and “consumer reporting agencies.”

Consumer Report.
A “consumer report” is any type of communication by a consumer reporting agency
“bearing on a consumer’s credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living.” This communication must
be used or expected to be used in part to establish a consumer’s eligibility for credit,
insurance, employment, or other permissible uses of credit reports as defined in FCRA.
15 U.S.C. § 1681a.

Consumer Reporting Agency.

A “consumer reporting agency” is defined as “[a]ny person which, for monetary fees,
dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the
practice of assembling or evaluating consumer credit information or other information on
consumers for the purpose of furnishing consumer reports to third parties.” § 1681b(f).

Courts have held that “even if a report is used or expected to be used for a nonconsumer
purpose, it may still fall within the definition of a consumer report if it contains information
that was originally collected by a consumer reporting agency with the expectation that it
would be used for a consumer purpose.” Ippolito v. WNS, Inc., 864 F.2d 440 (7th Cir.
1988); Bakker v. McKinnon, 152 F.3d 1007 (8th Cir. 1998).

FTC and CFBP Enforcement.

For the first 40 years after the passage of FCRA, the Federal Trade Commission (FTC)
was the agency mainly responsible for rulemaking and enforcement under FCRA.

In 2010, the Dodd-Frank Act created a new federal agency called the Consumer Financial
Protection Bureau (CFPB) and assigned it primary enforcement and rulemaking authority
for FCRA. However, the FTC still retains some FCRA enforcement power and shares this
with the CFPB.

In 2012, the FTC and CFPB signed a memorandum of understanding regarding

coordinating their enforcement of FCRA.6 These two agencies then reauthorized their
memorandum of understanding in 2019.7

Private Right of Action.

Additionally, people who are harmed by violations of FCRA can sue for negligent or willful
failure to comply with FCRA’s requirements.

Preemption.
FCRA preempts state law relatively broadly and does so by reserving a large number of
subjects for federal law. These include the pre- p. 83 screening of consumer reports,
procedures and requirements relating to the duties of a person who takes any adverse
action with respect to a consumer, and procedures and requirements regarding the
information contained in consumer reports. §§ 1681c-1, 1681t(b)(5). These are examples
of subject matter preemption; the federal law occupies the regulatory area.

In 2003, FACTA amended FCRA by adding narrower restrictions targeted to mandated

behavior. As an example, FACTA requires consumer reporting agencies to place fraud
alerts on consumer credit files under certain circumstances. In so doing, it streamlines an
area of industry procedures while, at the same time, permitting states to engage in further
regulation regarding the larger subject area, which is identity theft. 8 As an example of
“required conduct” preemption, FCRA requires consumer agencies to place fraud alerts
on consumer credit files under certain circumstances. At the same time, it permits states
to engage in further regulation regarding the larger subject area, which is identity theft.

UNITED STATES V. SPOKEO, INC.

No. CV12-05001MMM(JHx) (C.D. Cal., June 7, 2012)

_________________________________________________________________

COMPLAINT

Plaintiff, the United States of America, acting upon notification and authorization to the
Attorney General by the Federal Trade Commission (“FTC” or “Commission”), for its
Complaint alleges that:

1. Plaintiff brings this action under sections 5(a), 13(b), and 16(a) of the Federal Trade
Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a), 53(b), and 56(a); and section 621(a) of
the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 s(a), to obtain monetary civil
penalties, and injunctive or other relief from Defendant for engaging in violations of the
FTC Act. . . .

5. Defendant Spokeo, Inc. (“Spokeo”) is a privately-held Delaware C-type corporation

doing business in California. . . .

9. Spokeo assembles consumer information from “hundreds of online and offline

sources,” such as social networking sites, data brokers, and other sources to create
consumer profiles, which Defendant promotes as “coherent people profiles” and “powerful
intelligence.” These consumer profiles identify specific individuals and display such
information as the individual’s physical address, phone number, marital status, age range,
or email address. Spokeo profiles are further organized by descriptive headers denoting,
among other things, a person’s hobbies, ethnicity, religion, or participation on social
networking sites, and may contain photos or other information, such as economic health
graphics, that Spokeo attributes to a particular individual. Among other things, Spokeo
sells the profiles through paid subscriptions, which provide a set number of searches
based on subscription level, as well as through Application Program Interfaces (“API”)
that provide customized and/or higher volume access.
p. 84
10. Since at least 2008, Spokeo has provided its consumer profiles to businesses,
including entities operating in the human resources (“HR”), background screening, and
recruiting industries, to serve as a factor in deciding whether to interview a job candidate
or whether to hire a candidate after a job interview. . . .

11. In 2010, Spokeo changed its website Terms of Service to state that it was not a
consumer reporting agency and that consumers may not use the company’s website or
information for FCRA-covered purposes. However, Spokeo failed to revoke access to or
otherwise ensure that existing users, including subscribers who may have joined Spokeo
through its Spokeo.com/HR page, or those who had previously purchased access to
profiles through API user agreements, did not use the company’s website or information
for FCRA-covered purposes.

12. The consumer profiles Spokeo provides to third parties are “consumer reports” as
defined in section 603(d) of the FCRA, 15 U.S.C. § 1681a(d). . . .

Spokeo profiles are consumer reports because they bear on a consumer’s character,
general reputation, personal characteristics, or mode of living and/or other attributes listed
in section 603(d), and are “used or expected to be used . . .in whole or in part” as a factor
in determining the consumer’s eligibility for employment or other purposes specified in
section 604.

13. In providing “consumer reports” Spokeo is now and has been a “consumer reporting
agency” (“CRA”) as that term is defined in section 603(f) of the FCRA, 15 U.S.C. §
1681a(f). . . .

18. Section 607(a) of the FCRA, 15 U.S.C. § 1681e(a), requires that every consumer
reporting agency maintain reasonable procedures to limit the furnishing of consumer
reports for enumerated “permissible purposes.” These reasonable procedures include
making reasonable efforts to verify the identity of each prospective user of consumer
report information and the uses certified by each prospective user prior to furnishing such
user with a consumer report.

19. . . . Spokeo has failed to maintain such reasonable procedures. For example, Spokeo
has failed to require that prospective users of the profiles identify themselves, certify the
purposes for which the information is sought, and certify that the information will be used
for no other purpose.

22. Section 607(b) of the FCRA, 15 U.S.C. § 1681e(b), requires consumer reporting
agencies to follow reasonable procedures to assure maximum possible accuracy of the
information concerning the individual about whom the report relates.

23. . . . Defendant has failed to use reasonable procedures to assure maximum possible
accuracy of consumer report information. . . .

26. Section 607(d) of the FCRA, 15 U.S.C. § 1681e(d), requires that a consumer reporting
agency provide, to any person to whom it provides a consumer report (“users”), a User
Notice.

27. . . . Defendant has failed to provide User Notices to users and thereby has violated
section 607(d) of the FCRA, 15 U.S.C. § 1681e(d). . . .
30. Section 604 of the FCRA, 15 U.S.C. § 1681b prohibits CRAs from furnishing
consumer reports to persons that it did not have reason to believe had a permissible
purpose to obtain a consumer report.

31. . . . Spokeo has furnished consumer reports to persons that it did not have reason to
believe had a permissible purpose to obtain a consumer report. . . .
p. 85
39. Section 621(a)(2)(A) of the FCRA, 15 U.S.C. § 1681s(a)(2)(A), authorizes the Court
to award monetary civil penalties in the event of a knowing violation of the FCRA, which
constitutes a pattern or practice. Spokeo’s violations of the FCRA, as alleged in this
Complaint, have been knowing and have constituted a pattern or practice of violations.
As specified by the Federal Civil Penalty Inflation Adjustment Act of 1990, 28 U.S.C. §
2461, as amended by the Debt Collection Improvements Act of 1996, Pub. L. 104-134, §
31001(s)(1), 110 Stat. 1321-373, the Court is authorized to award a penalty of not more
than $2,500 per violation for violations occurring before February 10, 2009, and $3,500
per violation for violations occurring on or after that date.

40. Each instance in which Spokeo has failed to comply with the FCRA constitutes a
separate violation of the FCRA for the purpose of assessing monetary civil penalties
under section 621 of the FCRA, 15 U.S.C. § 1681s. Plaintiff seeks monetary civil penalties
for every separate violation of the FCRA.

41. Under section 621(a) of the FCRA, 15 U.S.C. § 1681s(a), and section 13(b) of the
FTC Act, 15 U.S.C. § 53(b), this Court is authorized to issue a permanent injunction
prohibiting Defendant from violating the FTC Act and the FCRA. . . .

CONSENT DECREE AND ORDER FOR CIVIL PENALTIES, INJUNCTION AND OTHER RELIEF

. . . The parties have agreed to entry of this Stipulated Final Judgment and Order for Civil
Penalties, Permanent Injunction, and Other Equitable Relief (“Order”) to resolve all
matters in dispute in this action without trial or adjudication of any issue of law or fact
herein and without Defendant admitting the truth of, or liability for, any of the matters
alleged in the Complaint. Defendant has waived service of the Summons and Complaint.

THEREFORE, IT IS HEREBY ORDERED, ADJUDGED, AND DECREED as follows: . . .

.

4. Defendant makes no admissions to the allegations in the Complaint, other than the
jurisdictional facts. . . .

IT IS ORDERED that:
1. Judgment in the amount of eight hundred thousand dollars ($800,000) is hereby
entered against Defendant, as a civil penalty for violations of the FCRA. . . .

IT IS FURTHER ORDERED that Defendant, and all other persons or entities within the
scope of Fed. R. Civ. P. 65, whether acting directly or through any sole proprietorship,
partnership, limited liability company, corporation, subsidiary, branch, division, device, or
other business entity who receive actual notice of this Order by personal service or
otherwise, are hereby permanently restrained and enjoined from violating the Fair Credit
Reporting Act, 15 U.S.C. §§1681-1681x. . . .

IT IS FURTHER ORDERED that Defendant make timely submissions to the Commission:

....

2. For 20 years following entry of this Order, Defendant must submit a compliance notice,
sworn under penalty of perjury, within 14 days of any change p. 86 in the following: (a) any
designated point of contact; or (b) the structure of any entity that Defendant has any
ownership interest in or directly or indirectly controls that may affect compliance
obligations arising under this Order, including: creation, merger, sale, or dissolution of the
entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject
to this Order.

IT IS FURTHER ORDERED that Defendant must create certain records for 20 years after
entry of the Order, and retain each such record for five (5) years. Specifically, Defendant
must maintain the following records [including accounting records, personnel records,
training materials, compliance documents, a copy of each advertisement and marketing
material, and others.]

IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant’s compliance

with this Order, including any failure to transfer any assets as required by this Order:

1. Within 14 days of receipt of a written request from a representative of the Commission

or Plaintiff, Defendant must: submit additional compliance reports or other requested
information, which must be sworn under penalty of perjury; appear for depositions; and
produce documents, for inspection and copying. . . .

Notes & Questions

1.
Unwittingly Falling Under FCRA. According to Spokeo’s founder, he did not realize
Spokeo was regulated under FCRA:

Six years ago, my Stanford roommates and I built Spokeo to help us keep in touch
with friends across a dizzying array of social networks. We are honored today to be
 at the helm of a principal destination for millions of Americans searching for and
looking to connect with others. . . .

A few years ago, we were eager to share our social network search tool with anyone
who could find good use for it. Focusing on a prior version of our website, the U.S.
Federal Trade Commission (FTC) believes that our targeted marketing (at that time)
implicated the Fair Credit Reporting Act (FCRA), which regulates the collection,
dissemination and use of consumer information, including credit information provided
by consumer reporting agencies. It has never been our intention to act as a consumer
reporting agency. We have made changes to our site and our internal business
practices in order to ensure we don’t infringe upon the FCRA’s important consumer
protections, and to ensure an honest and transparent service that will continue to be
easy for our customers to use. We are a technology company organizing people-
related data in innovative ways. We do not create our own content, we do not possess
or have access to private financial information, and we do not offer consumer reports.9
Is it fair to charge Spokeo with violating FCRA when it did not even realize that it had to
follow FCRA? Should small start-up companies be required to know when they trigger
FCRA?
2.
The Digital Frontier of Credit Services. An online frontier of credit services exists
beyond traditional consumer reporting agencies, namely, Equifax, p. 87 Experian, and
Transunion (the traditional “Big Three” of the industry). Like Spokeo, a variety of new
entities draw on digital information in innovative ways to estimate credit worthiness and
offer credit services. This information can then be combined with up-to-date signals about
whether a customer is looking for a financial product or service. As Ed Mierzwinski and
Jeff Chester note, “A new data market has emerged, selling access to a consumer’s intent
to be ‘in-market’ for a product or service.”10 Online data warehouse companies, such as
BlueKai, offer online marketers access to such “intent information” gathered from
databrokers, such as Acxiom. For Mierzwinski and Chester, the law should view these
“online scoring databases” as “equivalent to prescreened lists, which are consumer
reports.” These authors call on the FTC to determine whether companies that sell this
information should fall under the FCRA’s restrictions due to their “establishing the
consumer’s eligibility for personal, family, or household purposes; employment purposes;
or any other purpose authorized under section 1681b [citing FCRA, 15 U.S.C.
§1681a(d)(1)(A)-(C)].”
3.
Standing to Sue for FRCRA Violations. In Spokeo, Inc. v. Robins, 136 S.Ct. 1540
(2016), the Supreme Court considered a case involving a plaintiff suing Spokeo under
FCRA for inaccuracies in his data. The Court remanded the case back to the 9th Circuit
in light of its clarification about the nature of standing. The Court stated that “concrete”
injury “must actually exist” and must be “real and not abstract.” The Court noted that
“intangible injuries can nevertheless be concrete.” Congress may “elevat[e] to the status
of legally cognizable injuries concrete, de facto injuries that were previously inadequate
in law.” Congress can deem even injuries “previously inadequate in law” to be concrete
injuries sufficient to confer standing. But the Court also declared that “Article III standing
requires a concrete injury even in the context of a statutory violation. For that reason,
Robins could not, for example, allege a bare procedural violation, divorced from any
concrete harm, and satisfy the injury-in-fact requirement of Article III.” This means that
despite the fact that FCRA has a cause of action for violations, plaintiffs cannot use that
cause of action for violations that do not amount to an injury-in-fact. According to the
Court, “not all inaccuracies cause harm or present any material risk of harm. An example
that comes readily to mind is an incorrect zip code. It is difficult to imagine how the
dissemination of an incorrect zip code, without more, could work any concrete harm.” Are
inaccuracies such as the example above not likely to lead to any concrete harm?
4.
Standing and Truncation of Credit Card Receipt Information. In Spokeo, as noted
above, the Supreme Court said that an incorrect zip code did not represent a concrete
injury sufficient to support standing. What about a credit card receipt that displayed the
card’s full expiration date? This action violates a requirement that FACTA added to FCRA
in 2003, namely, that businesses truncate certain p. 88 credit card information on printed
receipts. 15 U.S.C. § 1681c(g). According to the statutory language, “no person that
accepts credit cards or debit cards for the transaction of business shall print more than
the last 5 digits of the card number or the expiration date upon any receipt provided to
the cardholder at the point of the sale or transaction.”

In Bassett v. ABM Parking Services, 883 F.3d 776 (9th Cir. 2018), however, the Ninth
Circuit found that a company’s failure to redact a credit card’s full expiration date was not
a sufficient concrete injury to give the plaintiff standing under the facts of that case. The
Bassett court decided that to the extent FCRA created a “substantive right,” it was the
“nondisclosure of a consumer’s private financial information to identity thieves.” But ABM
had not disclosed Bassett’s information to anyone but Bassett. Moreover, Bassett had not
alleged that there was another copy of the receipt, or that his receipt was lost or stolen,
or that he was the victim of identity theft, or even that any person other than his lawyers
ever viewed the receipt.

The Ninth Circuit concluded, “We need not answer whether falling in the forest makes a
sound when no one is there to hear it. But when this receipt fell into Bassett’s hands in a
parking garage and no identity theft was there to snatch it, it did not make an injury.” For
similar results in other circuits, see Crupar-Weinman v. Paris Baguette America, Inc., 861
F.3d. 76 (2d Cir. 2017); Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724 (7th Cir.
2016). Could Bassett have gained standing if he showed that non-truncated credit card
numbers increased the risk of credit card fraud?
5.
Big Data and the Frontiers of FCRA. In a 2016 report on Big Data, the FTC noted that
new kinds of data use can trigger the protections of FCRA. It stated, “Some data brokers
that compile nontraditional information including social media information, may also be
considered [Credit Reporting Agencies] subject to the FCRA.”11 The FTC also presented
an interesting case study:

Suppose a company asks a consumer to provide her zip code and information about
her social media and shopping behavior on a credit application, strips the consumer’s
identifying information, and sends the application to an analytics firm. The firm then
analyzes the creditworthiness of people in the same zip code with similar social media
and shopping behaviors as the consumer and provides that analysis—be it, for
example, in the form of a score, a grade, or a recommendation—to the company,
knowing that it is to be used for a credit decision.12
In the FTC’s assessment, FCRA requirements and protections would apply to the actions
of this company. FCRA applies because “the company is using information about the
consumer to generate an analysis of a group that shares some characteristics with the
consumer and then is using that analysis to make a decision about the consumer.”
p. 89

2.Permissible Uses of Consumer Reports

Permissible Uses of Consumer Reports.
Pursuant to 15 U.S.C. § 1681b, a consumer reporting agency can furnish a consumer
report only under certain circumstances or for certain uses: (1) in response to a court
order or grand jury subpoena; (2) to the person to whom the report pertains; (3) to a
“person which [the agency] has reason to believe” intends to use the information in
connection with (a) the extension of credit to a consumer; (b) employment purposes; (c)
insurance underwriting; (d) licensing or the conferral of government benefits; (e)
assessment of credit risks associated with an existing credit obligation; (f) “legitimate
business need” when engaging in “a business transaction involving the consumer”; (4) to
establish a person’s capacity to pay child support.

A Private Right of Action and Restrictions on Use.

In addition to a private right of action against consumer reporting agencies, FCRA also
creates a private right of action against anyone who obtains “a consumer report under
false pretenses or knowingly without a permissible purpose.” 15 U.S.C. §1681n(a)(1)(B).
Plaintiffs can also obtain punitive damages, reasonable attorney’s fees, and statutory
damages of $1,000 or actual damages.

For example, in Phillips v. Grendahl, 312 F.3d 357 (8th Cir. 2002), Mary Grendahl
became suspicious of her daughter Sarah’s fiancé, Lavon Phillips. She believed he was
lying about being an attorney as well as his ex-wives and girlfriends. Grendahl contacted
Kevin Fitzgerald, a friend who worked for a detective agency. By searching computer
databases, Fitzgerald obtained Phillips’s Social Security number and previous addresses.
He then submitted the data to Econ Control to obtain a report called a “Finder’s Report.”
A Finder’s Report includes a person’s “address, aliases, birthdate, employer addresses,
and the identity of firms with which the consumer had credit accounts and firms that had
made inquiries about the consumer.”

When Phillips discovered the investigation, he sued Grendahl, the detective agency
Fitzgerald worked for, and Econ Control. The court concluded that the Finder’s Report
was a “consumer report” under FCRA. It also concluded that the defendants did not have
a valid purpose under FCRA for obtaining the report:

The only purpose for obtaining the report was to obtain information on Mary Grendahl’s
prospective son-in-law. Investigating a person because he wants to marry one’s daughter
is not a statutory consumer purpose under section 1681b(a). Even if getting married can
be characterized as a consumer transaction under section 1681b(a)(3), it was not Mary
Grendahl, but her daughter, whom Phillips was engaged to marry. He had no business
transaction pending with Mary Grendahl. There was no permissible purpose for obtaining
or using a consumer report.

Consumer Reports for Employment Purposes.

When an employer or potential employer seeks a consumer report for employment
purposes, she must first disclose in writing to the consumer that a consumer report may
be obtained, and the consumer must authorize in writing that the report can be obtained.
The person seeking the report from a consumer reporting agency must certify that she
obtained the consent of the individual and that she will not use the information in
violation p. 90 of any equal employment opportunity law or regulation. § 1681b(b). If the
person who obtained the report takes adverse action based in any way on the report, she
must provide the consumer a copy of the report and a description of the consumer’s rights
under the FCRA. § 1681b(b).

Pursuant to § 1681b(g):

A consumer reporting agency shall not furnish for employment purposes, or in connection
with a credit or insurance transaction or a direct marketing transaction, a consumer report
 that contains medical information about a consumer, unless the consumer consents to the
furnishing of the report.

Law Enforcement Access.

Pursuant to FCRA, “a consumer reporting agency may furnish identifying information
respecting any customer, limited to his name, address, former addresses, places of
employment, or former places of employment, to a governmental agency.” § 1681f. The
FBI can obtain “the names and addresses of all financial institutions . . . at which a
consumer maintains or has maintained an account” by presenting a written request to a
consumer reporting agency. § 1681u(a). Additionally, pursuant to a written request by the
FBI, a consumer reporting agency must disclose “identifying information respecting a
consumer, limited to name, address, former addresses, places of employment, or former
places of employment.” The FBI, however, must certify that the information is sought in
an investigation to protect against “international terrorism or clandestine intelligence
activities” and that the investigation “is not conducted solely upon the basis of activities
protected by the first amendment to the Constitution of the United States.” § 1681u(b). To
obtain additional information from a consumer report, the FBI must obtain a court order
and meet the same standard as above. § 1681u(c).

Moreover, § 1681v provides a broad release exemption “to a government agency

authorized to conduct investigations of, or intelligence or counterintelligence activities or
analysis related to, international terrorism.” These entities can obtain a consumer report
on an individual when the government agency provides “a written certification” to a
consumer reporting agency that the information is “necessary” for an agency investigation
or other agency activity.

Unauthorized Disclosures of Consumer Reports:

Prescreening.
A typical American receives a flood of credit cards offers each year. These offers follow
due to the practice of “prescreening” consumers for such offers, which FCRA permits. A
consumer reporting agency can furnish a consumer report, without the consumer’s
authorization, if

(i) the transaction consists of a firm offer of credit or insurance;

(ii) the consumer reporting agency has complied with subsection (e); and

(iii) there is not in effect the election by the consumer, made in accordance with
subsection (e), to have the consumer’s name and address excluded from lists of names
provided by the agency pursuant to this paragraph. § 1681b(c).
Subsection (e) of § 1681b provides the consumer with a right to opt out of such
unauthorized disclosures. If the consumer notifies the consumer reporting agency by
phone, the opt out shall last for two years and then expire. If the consumer notifies the
consumer reporting agency by submitting a signed opt-out form, then p. 91 the opt out
remains effective until the consumer notifies the agency otherwise. § 1681b(e).

Limitations on Information Contained in Consumer Reports.

Consumer reporting agencies are excluded from providing certain information in
consumer reports, such as bankruptcy proceedings more than ten years old; suits and
judgments more than seven years old; paid tax liens more than seven years old; and
records of arrest, indictment, or conviction of a crime more than seven years old. §
1681c(a). These limitations do not apply, however, when a company is preparing a
consumer report used in connection with a credit transaction more than $150,000;
underwriting a life insurance policy more than $150,000; or employing an individual with
an annual salary more than $75,000. § 1681c(b).

Investigative Consumer Reports.

An “investigative consumer report” is “a consumer report or portion thereof in which
information on a consumer’s character, general reputation, personal characteristics, or
mode of living is obtained through personal interviews, with neighbors, friends, or
associates.” § 1681a(f). The FCRA provides limitations on investigative consumer
reports. These reports cannot be prepared unless “it is clearly and accurately disclosed
to the consumer that an investigative consumer report including information as to his
character, general reputation, personal characteristics and mode of living, whichever are
applicable, may be made.” § 1681d(a)(1). The consumer, if she requests, can require
disclosure “of the nature and scope of the investigation requested.” § 1681d(b). Further,
if the report contains any adverse information about a person gleaned from interviews
with neighbors, friends, or associates, the agency must take reasonable steps to
corroborate that information “from an additional source that has independent and direct
knowledge of the information” or ensure that “the person interviewed is the best possible
source of the information.” § 1681d(d).

3.Consumer Rights and Agency

Responsibilities
Accuracy.
“Whenever a consumer reporting agency prepares a consumer report it shall follow
reasonable procedures to assure maximum possible accuracy of the information
concerning the individual about whom the report relates.” § 1681e(b).

Disclosures to the Consumer.

The FCRA requires that consumer reporting agencies, upon request of the consumer,
disclose, among other things:

(1)
All information in the consumer’s file at the time of the request, except . . . any information
concerning credit scores or any other risk scores or predictors relating to the consumer.
(2)
The sources of the information. . . .
(3)
Identification of each person . . . that procured a consumer report [within two years for
employment purposes; within one year for all other purposes] . . . .
(4)
The dates, original payees, and amounts of any checks upon which is based any adverse
characterization of the consumer, included in the file at the time of disclosure. ...§ 1681g.
p. 92
Responsiveness to Consumer Complaints.
National consumer reporting agencies must provide consumers who request disclosures
under the FCRA with a toll-free telephone number at which personnel are accessible to
respond to consumer inquiries during normal business hours. § 1681g(c).

Procedures in Case of Disputed Accuracy.

Pursuant to § 1681i(a)(1):

If the completeness or accuracy of any item of information contained in a consumer’s file

at a consumer reporting agency is disputed by the consumer and the consumer notifies the
agency directly of such dispute, the agency shall reinvestigate free of charge and record
the current status of the disputed information or delete the item from the file. . . .
The consumer reporting agency must provide written notice to a consumer of the results
of a reinvestigation within five business days after completing the investigation. § 1681i.

If the information is found to be inaccurate or incomplete or cannot be verified, the

consumer reporting agency must promptly delete it from the file. § 1681i. At the request
of the consumer, the consumer reporting agency must furnish notification that the item
has been deleted to “any person specifically designated by the consumer who has within
two years prior thereto received a consumer report for employment purposes, or within
six months prior thereto received a consumer report for any other purpose.” § 1681i(d).

“If the reinvestigation does not resolve the dispute, the consumer may file a brief
statement setting forth the nature of the dispute.” § 1681i(b).

In any subsequent consumer report, the agency must clearly note that the information in
question is disputed by the consumer and provide the consumer’s statement. § 1681i(c).

While FCRA provides an opportunity to dispute items on their credit history, it does not
require credit reporting agencies to reveal how they translated this history to a credit
score. As Citron and Pasquale note, “That is a trade secret; a designation offering
powerful legal protections to companies that want to keep their business practices a
secret.”13

Public Record Information for Employment Purposes.

If a consumer reporting agency furnishes a consumer report for employment purposes
containing information obtained in public records that is likely to have an adverse effect
on the consumer, it must either notify the consumer of the fact that public record
information is being reported along with the name and address of the person to whom the
information is being reported or “maintain strict procedures designed to insure that
whenever public record information which is likely to have an adverse effect on a
consumer’s ability to obtain employment is reported it is complete and up to date.” §
1681k.
p. 93
Requirements on Users of Consumer Reports.
If a user of a consumer report takes any adverse action on a consumer based in any way
on the report, the user shall provide notice of the adverse action to the consumer,
information for the consumer to contact the consumer reporting agency that prepared the
report, and notice of the consumer’s right to obtain a free copy of the report and to dispute
the accuracy of the report. § 1681m(a). Whenever credit is denied based on information
obtained through sources other than a consumer report, upon the consumer’s written
request, the person or entity denying credit shall disclose the nature of that information.
§ 1681m(b).

4.Civil Liability and Qualified Immunity

Civil Liability.
As noted above, any person who “willfully fails to comply with any requirement” of the
FCRA is liable to the consumer for actual damages or statutory damages between $100
and $1,000, as well as punitive damages and attorneys’ fees and costs. § 1681n. Willful
means that one intentionally commits an act “in conscious disregard for the rights of
others.” In Safeco Insurance Co. v. Burr, 551 U.S. 47 (2007), the Supreme Court held
that acting in “reckless disregard” of a consumer’s rights under FCRA was sufficient to
establish willfulness.

Negligent failure to comply with any requirement of the FCRA results in liability to the
consumer for actual damages as well as attorneys’ fees and costs. § 1681.

Liability for Furnishing Data to a Consumer Reporting Agency.

Businesses and financial institutions “furnish” the information about consumers to the
consumer reporting agencies. For example, a bank that issues a consumer a credit card
will furnish information about the timeliness and consistency of the consumer’s payments.
This is how consumer reporting agencies learn about a consumer’s reliability. What if one
of these entities furnishes false data to a consumer reporting agency? The data adversely
affects a consumer’s credit score and results in harm to the consumer. The consumer
can sue not just the consumer reporting agency but also the entity that furnished the false
data. However, as discussed below, FCRA’s qualified immunity will apply.

Qualified Immunity from State Tort Law.

Consumer reporting agencies — as well as those that furnish data to consumer reporting
agencies — could potentially face extensive liability under state tort law. Under
defamation law, a person or entity can be liable for disseminating false information about
a person that injures the person’s reputation. Disseminating false information might also
give rise to a false light action. And disclosing true information could give rise to liability
for public disclosure of private facts.

However, FCRA provides qualified immunity to credit reporting agencies and to the
furnishers of information to credit reporting agencies:

Except as provided in sections 1681n and 1681o of this title, no consumer may bring any
action or proceeding in the nature of defamation, invasion of privacy, or negligence with
respect to the reporting of information against any consumer p. 94 reporting agency, or any
user of information, or any person who furnishes information to a consumer reporting
agency, based on information disclosed pursuant to section 1681g, 1681h, or 1681m of
this title, or based on information disclosed by a user of a consumer report to or for a
consumer against whom the user has taken adverse action, based in whole or in part on
 the report except as to false information furnished with malice or willful intent to injure such
consumer. § 1681h(e).
Plaintiffs can only state tort actions when “defendants acted with malice or willful intent to
injure plaintiff.” § 1681h.

In Lema v. Citibank, 935 F. Supp. 695 (D. Md. 1996), Citibank issued the plaintiff a credit
card. When the plaintiff’s account became delinquent, Citibank reported the information
to consumer reporting agencies. The plaintiff sued Citibank under FCRA, claiming that
the information it supplied to the consumer reporting agencies was inaccurate. The court
dismissed the claim:

The FCRA imposes civil liability only on consumer reporting agencies and users of
consumer information. Thus, plaintiff must show that defendants are either of those entities
in order to withstand defendants’ summary judgment motion. . . .
Plaintiff alleges only that defendants reported to third parties information regarding
transactions between defendants and plaintiff. Defendants did not therefore furnish a
consumer report regarding plaintiff, nor did they act as a consumer reporting agency with
respect to him.

Statute of Limitations.
FCRA’s statute of limitation extends to two years after the date when the plaintiff discovers
the violation or five years after the date of the violation, whichever occurs earlier.

SARVER V. EXPERIAN INFORMATION SOLUTIONS

390 F.3d 969 (7th Cir. 2004)

_________________________________________________________________

EVANS, J. Lloyd Sarver appeals from an order granting summary judgment to Experian
Information Solutions, Inc., a credit reporting company, on his claim under the Fair Credit
Reporting Act (FCRA), 15 U.S.C. §§ 1681 et seq.

Experian reported inaccurate information on Sarver’s credit report, which on August 2,

2002, caused the Monogram Bank of Georgia to deny him credit. Monogram cited the
Experian credit report and particularly a reference to a bankruptcy which appeared on the
report. Both before and after Monogram denied him credit, Sarver asked for a copy of his
credit report. He received copies both times and both reports showed that accounts with
Cross Country Bank were listed as having been “involved in bankruptcy.” No other
accounts had that notation, although other accounts had significant problems. A Bank
One installment account had a balance past due 180 days, and another company,
Providian, had written off $3,099 on a revolving account.
On August 29, 2002, Sarver wrote Experian informing it that the bankruptcy notation was
inaccurate and asking that it be removed from his report. Sarver provided his full name
and address but no other identifying information. On September 11, Experian sent Sarver
a letter requesting further information, p. 95 including his Social Security number, before it
could begin an investigation. Sarver did not provide the information, but instead filed the
present lawsuit, which resulted in summary judgment for Experian. It was later confirmed
that the notation on the Cross Country Bank account was inaccurate and, as it turned out,
another Lloyd Sarver was the culprit on that account.

In this appeal from the judgment dismissing his case, Sarver claims summary judgment
was improper because issues of fact exist as to whether Experian violated FCRA, §§
1681i and 1681e(b). . . .

Section 1681i requires a credit reporting agency to reinvestigate items on a credit report
when a consumer disputes the validity of those items. An agency can terminate a
reinvestigation if it determines the complaint is frivolous, “including by reason of a failure
by a consumer to provide sufficient information to investigate the disputed information.” §
1681i(a)(3). We do not need to decide whether Sarver’s failure to provide the information
Experian requested rendered his complaint frivolous; his claim under § 1681i(a) fails for
another reason, a lack of evidence of damages. In order to prevail on his claims, Sarver
must show that he suffered damages as a result of the inaccurate information. As we
have said in Crabill v. Trans Union, L.L.C., 259 F.3d 662, 664 (7th Cir. 2001):

Without a causal relation between the violation of the statute and the loss of credit, or some
other harm, a plaintiff cannot obtain an award of “actual damages.”
On this point, the district court concluded that there were no damages. Our review of the
record leads us to agree.

Sarver, however, disagrees and claims that he suffered damages when he was denied
credit from Monogram Bank of Georgia on August 2, 2002. This letter cannot be a basis
for his damage claim, however, because as of August 2, Experian had no notice of any
inaccuracies in the report. Even though Sarver asked for a copy of his report on July 18,
he did not notify Experian of a problem until a month and a half later. Experian must be
notified of an error before it is required to reinvestigate. As we have made clear, the FCRA
is not a strict liability statute. Henson v. CSC Credit Servs., 29 F.3d 280 (7th Cir. 1994).

Sarver also does not show that he suffered pecuniary damages between August 29 (when
he notified Experian of the error) and February 20, 2003 (when the Cross Country account
was removed from his file). He does not claim that he applied for credit during that time
period or that a third party looked at his report. In addition, his claim for emotional distress
fails. We have maintained a strict standard for a finding of emotional damage “because
they are so easy to manufacture.” Aiello v. Providian Fin. Corp., 239 F.3d 876, 880 (7th
Cir. 2001). We have required that when “the injured party’s own testimony is the only
proof of emotional damages, he must explain the circumstances of his injury in
reasonable detail; he cannot rely on mere conclusory statements.” Denius v. Dunlap, 330
F.3d 919, 929 (7th Cir. 2003). Finally, to obtain statutory damages under FCRA §
1681n(a), Sarver must show that Experian willfully violated the Act. There is similarly no
evidence of willfulness. Summary judgment was properly granted on this claim.

We turn to Sarver’s claim under § 1681e(b), which requires that a credit reporting agency
follow “reasonable procedures to assure maximum possible accuracy” when it prepares
a credit report. The reasonableness of a reporting agency’s procedures is normally a
question for trial unless the reasonableness or p. 96 unreasonableness of the procedures
is beyond question. Crabill, 259 F.3d at 663. However, to state a claim under the statute,

a consumer must sufficiently allege “that a credit reporting agency prepared a report
containing ‘inaccurate’ information.” However, the credit reporting agency is not
automatically liable even if the consumer proves that it prepared an inaccurate credit report
because the FCRA “does not make reporting agencies strictly liable for all inaccuracies.” A
credit reporting agency is not liable under the FCRA if it followed “reasonable procedures
to assure maximum possible accuracy,” but nonetheless reported inaccurate information
in the consumer’s credit report.
Henson, 29 F.3d at 284. The Commentary of the Federal Trade Commission to the
FCRA, 16 C.F.R. pt. 600, app., section 607 at 3.A, states that the section does not hold
a reporting agency responsible where an item of information, received from a source that
it reasonably believes is reputable, turns out to be inaccurate unless the agency receives
notice of systemic problems with its procedures.

Experian has provided an account of its procedures. The affidavit of David Browne,
Experian’s compliance manager, explains that the company gathers credit information
originated by approximately 40,000 sources. The information is stored in a complex
system of national databases, containing approximately 200 million names and
addresses and some 2.6 billion trade lines, which include information about consumer
accounts, judgments, etc. The company processes over 50 million updates to trade
information each day. Lenders report millions of accounts to Experian daily; they provide
identifying information, including address, social security number, and date of birth. The
identifying information is used to link the credit items to the appropriate consumer. Mr.
Browne also notes that Experian’s computer system does not store complete credit
reports, but rather stores the individual items of credit information linked to identifying
information. The credit report is generated at the time an inquiry for it is received.
One can easily see how, even with safeguards in place, mistakes can happen. But given
the complexity of the system and the volume of information involved, a mistake does not
render the procedures unreasonable. In his attempt to show that Experian’s procedures
are unreasonable, Sarver argues that someone should have noticed that only the Cross
Country accounts were shown to have been involved in bankruptcy. That anomaly should
have alerted Experian, Sarver says, to the fact that the report was inaccurate. What
Sarver is asking, then, is that each computer-generated report be examined for
anomalous information and, if it is found, an investigation be launched. In the absence of
notice of prevalent unreliable information from a reporting lender, which would put
Experian on notice that problems exist, we cannot find that such a requirement to
investigate would be reasonable given the enormous volume of information Experian
processes daily.

We found in Henson that a consumer reporting agency was not liable, as a matter of law,
for reporting information from a judgment docket unless there was prior notice from the
consumer that the information might be inaccurate. We said that a

contrary rule of law would require credit reporting agencies to go beyond the face of
numerous court records to determine whether they correctly report the outcome of the
underlying action. Such a rule would also require credit reporting agencies p. 97 to engage
in background research which would substantially increase the cost of their services. In
turn, they would be forced to pass on the increased costs to their customers and ultimately
to the individual consumer.
Henson, 29 F.3d at 285. The same could be said for records from financial institutions.
As we said, in his affidavit Mr. Browne proclaims, and there is nothing in the record to
make us doubt his statement, that lenders report many millions of accounts to Experian
daily. Sarver’s report, dated August 26, 2002, contains entries from six different lenders.
The increased cost to Experian to examine each of these entries individually would be
enormous. We find that as a matter of law there is nothing in this record to show that
Experian’s procedures are unreasonable.

Notes & Questions

1.
A Critical Perspective on Sarver. Consider Elizabeth De Armond:

In justifying the agency’s failure to resolve the anomalies within the records attributed
to the plaintiff, the court emphasized the 200 million names and addresses, the 2.6
billion trade lines, and the complexity of the system. This reasoning overlooks that
the very complexity of the system reveals the ability of the agency to control the high
volume of individuals and records, and that ability should alert the agency to the high
risk of misattributing information. The court ruled that the agency’s failure to
 investigate the inconsistency was not unreasonable because the agency had no
notice that the specific lender who had provided information about the impaired
accounts was unreliable. However, the question, in order to protect individuals from
reckless attribution, should not be whether any single provider is unreliable. The
question should have been whether reporting it as the plaintiff’s without checking it,
given the obvious inconsistency, was reckless. Where the agency was aware of the
risk of misattribution from fuzzy matching, and that matching produced a record that
was unlike the others, a jury should decide whether the failure to take any steps to
verify the anomalous data breached the FCRA’s accuracy standard.

The Sarver court also reasoned that to require an agency to further investigate the
accuracy of a consumer’s records when an anomaly appeared would impose
“enormous” increased costs. However, the court did not refer to any estimate of the
costs or explain why an already complex system capable of making many
comparisons among different records could not inexpensively adjust to cross-
checking data when reliability was at issue. Furthermore, when an anomaly appears
that would work to the consumer’s detriment, an agency could simply decline to
attribute the negative data should it not want to take the extra effort of verifying it. The
decision allows the agency all of the benefits of its database technology with none of
the responsibilities.14
This criticism raises a baseline issue: who should bear the costs of relative degrees of
inaccuracy and accuracy in the credit system? If credit agencies need investigate more
kinds of inconsistencies in credit reports, will consumers as a group bear the additional
costs?
p. 98
2.
Is FCRA Too Deferential to Industry Interests? Consider De Armond on the flaws of
FCRA:

[FCRA] inadequately protects individuals from the consequential and emotional

damages caused by misattributed acts for several reasons. . . .

The Act’s most significant flaw is that it imposes meaningful accuracy requirements
only after a false and negative item has been reported, has already been put into the
data sea. However, given that digitized data is far more available, accessible,
duplicable, and transmittable than old paper records, once a false record has been
put into the data sea, it is very hard to ever completely cull it out. . . .

The Act is designed to impose meaningful accuracy standards only after inaccurate
information has already been provided by a data provider and reported by a data
aggregator. The Act permits the original data provider, called a furnisher under the
Act, to furnish nearly any item in a consumer’s name without first verifying that it
belongs to that consumer. But the Act only prohibits the furnisher from furnishing
information that the furnisher either “knows or has reasonable cause to believe” to be
 inaccurate. A furnisher only has “‘reasonable cause to believe that an item of
information is inaccurate’” if the furnisher has “specific knowledge, other than solely
allegations by the consumer, that would cause a reasonable person to have
substantial doubts about the accuracy of the information.” . . .

Thus, the agency acquires information that likely has not been subjected to any
scrutiny, let alone verified. The agency acquires the information, either electronically
or via magnetic tape from the provider, and stores it electronically, where it sits until
needed for a report. Just as the Act imposes a relatively weak accuracy requirement
on data providers at the point of initial provision, the Act places only loose limits on
aggregators that then report the information. When a subscriber requests a report on
a particular consumer, the aggregator, the consumer reporting agency, must only
follow “reasonable procedures to assure maximum possible accuracy” of the
information that it returns to the subscriber. The provision does not in fact require
agencies to ensure the maximum possible accuracy of every item of information, or
to do much if anything to match, verify, or cross-check the information. . . .

It is only after an individual has learned that an agency has falsely charged him or
her with negative data that the individual can require an aggregator to examine the
data. . . .
As Sarver also points out, the Experian computer system does not store computer credit
reports, but only generates them when an inquiry is received. Individual items of credit
information are stored linked to identifying information, which allows their retrieval and
compilation into a credit report. Should individual items of information be reviewed for
accuracy at the initial time that the credit agency collects them?
3.
Is Negligence the Best Standard? Jeff Sovern notes that the FCRA’s fault standard for
liability — negligence — is inadequate to allow many victims to pursue relief because
victims “are not normally aware of the procedures a credit bureau uses when issuing an
erroneous credit report or what constitutes reasonable procedures.” Because each
individual consumer’s losses will not be very high, consumers may not bring valid cases
because of high litigation costs. Therefore, Sovern argues, credit reports should “be made
strictly liable for p. 99 attributing the transactions of identity thieves to innocent customers.”
Sovern also recommends liquidated damages for identity theft cases in order to reduce
litigation costs.15
4.
What Constitutes Negligence in Investigating Errors in Consumer
Reports? In Dennis v. BEH-1, LLC, 520 F.3d 1066 (9th Cir. 2007), Jason Dennis was
sued by his landlord, but the parties agreed to drop the lawsuit after reaching a settlement.
The parties filed a “Request for Dismissal” with the court clerk, and the court register
properly registered the dismissal. Later on, Experian Information Solutions, Inc. stated on
Dennis’s credit report that a civil claim judgment had been entered against him for $1,959.
Dennis contacted Experian to complain about the error. Experian had Hogan Information
Services, a third-party contractor, verify Dennis’s claims. Hogan replied that Experian’s
information was correct and sent along a copy of the stipulation of settlement between
Dennis and his landlord. Experian told Dennis that it would not correct his report. Dennis
sued under FCRA, contending that Experian failed to maintain “reasonable procedures”
under § 1681e(b) to ensure the accuracy of credit reports and that it failed to adequately
reinvestigate the disputed information under § 1681i. The district court dismissed
Dennis’s case on summary judgment. The court of appeals, however, concluded:

The district court erred insofar as it held that Dennis couldn’t make the prima facie
showing of inaccurate reporting required by sections 1681e and 1681i. Experian’s
credit report on Dennis is inaccurate. Because the case against Dennis was
dismissed, there could have been no “Civil claim judgment” against him: “A dismissal
without prejudice . . . has the effect of a final judgment in favor of the defendant.”
Dennis has made the prima facie showing of inaccuracy required by sections 1681e
and 1681i.

The district court also seems to have awarded summary judgment to Experian
because Dennis didn’t offer evidence of “actual damages” as required by section
1681o(a)(1). Here, too, the district court erred. Dennis testified that he hoped to start
a business and that he diligently paid his bills on time for years so that he would have
a clean credit history when he sought financing for the venture. The only blemish on
his credit report in April 2003 was the erroneously reported judgment. According to
Dennis, that was enough to cause several lenders to decline his applications for
credit, dashing his hopes of starting a new business. Dennis also claims that
Experian’s error caused his next landlord to demand that Dennis pay a greater
security deposit. In addition to those tangible harms, Dennis claims that Experian’s
inaccurate report caused him emotional distress, which we’ve held to be “actual
damages.”
The court of appeals reasoned that Hogan failed to understand the meaning of the
Request for Dismissal document and that Experian could readily have detected this
mistake:

Experian could have caught Hogan’s error if it had consulted the Civil Register in
Dennis’s case, which can be viewed free of charge on the Los Angeles p. 100 Superior
Court’s excellent website. As described above, the Register clearly indicates that the
case against Dennis was dismissed. Experian apparently never looked at the
Register.

Experian also could have detected Hogan’s mistake by examining the document
Hogan retrieved from Dennis’s court file. Hogan mistakenly believed that this
document proved that judgment had been entered against Dennis; in fact, the
document confirms Dennis’s account of what happened. The document is a written
 stipulation between Dennis and his landlord that no judgment would be entered
against Dennis so long as Dennis complied with the payment schedule. The parties
couldn’t have been clearer on this point: “If paid, case dismissed. If not paid, judgment
to enter upon [landlord’s] declaration of nonpayment. . . .”
The court of appeals further concluded that it had no need to remand the case for a jury
trial regarding Experian’s negligence:

Even accepting as true everything Experian has claimed, no rational jury could find
that the company wasn’t negligent. The stipulation Hogan retrieved from Dennis’s
court file may be unusual, but it’s also unambiguous, and Experian was negligent in
mis-interpreting it as an entry of judgment. Experian is also responsible for the
negligence of Hogan, the investigation service it hired to review Dennis’s court file. .
..

When conducting a reinvestigation pursuant to 15 U.S.C. § 1681i, a credit reporting

agency must exercise reasonable diligence in examining the court file to determine
whether an adverse judgment has, in fact, been entered against the consumer. A
reinvestigation that overlooks documents in the court file expressly stating
that no adverse judgment was entered falls far short of this standard. On our own
motion, therefore, we grant summary judgment to Dennis on his claim that Experian
negligently failed to conduct a reasonable reinvestigation in violation of section 1681i.
Whether Experian’s failure was also willful, in violation of section 1681n, is a question
for the jury on remand.

This case illustrates how important it is for Experian, a company that traffics in the
reputations of ordinary people, to train its employees to understand the legal
significance of the documents they rely on. Because Experian negligently failed to
conduct a reasonable reinvestigation, we grant summary judgment to Dennis on this
claim. We remand only so that the district court may calculate damages and award
attorney’s fees. As to all other claims under the Fair Credit Reporting Act, we reverse
summary judgment for Experian and remand for trial. Dennis is also entitled to
attorney’s fees for an entirely successful appeal. 15 U.S.C. § 1681o(a)(2). . . .
5.
Alternative Credit Scoring Models? There is now a debate around alternative credit
scoring models. Rather than relying on traditional credit scoring models, some policy
advocates call for use of different data to increase access to credit for all, and, in
particular, those individuals traditionally left out of credit markets. Alternative credit
scoring includes payment records from utilities, cable television, cellphone providers, and
landlords. For Pamela Foohey and Sara Greene, the idea is that these payment histories
“show lenders and providers of goods and services that the person has a history of
repaying debt as agreed, which is what companies are trying to assess with a credit score
and p. 101 credit report.”16
Foohey and Greene are skeptical, however, about the use of these behavioral attributes.
Their view is that “alternative credit scoring likely will do little to combat certain people’s
lack of access to credit and opportunities that allow them to achieve financial stability and
growth.” This coming failure is due to the multiple challenges that the poor face. For
example, they note, “[A]s with rent payments, many Americans simply do not make
enough money to consistently pay utility bills on time.” Moreover, the use of alternative
credit scoring creates “a veil of inclusiveness” for the credit scoring industry that is
unmerited. The real problem is that this industry has helped perpetuate “historic racism
and other discrimination.” In response, Foohey and Greene call for the creation of a
“backstop” for individuals from groups that have faced “significant, historical socio-
economic barriers to savings and wealth accumulation.”

Will alternate credit forms of credit scoring raise new or different privacy risks? Note that
Foohey and Greene observe that "[t]raditional credit scores are based on a relatively
small set of data points." Will using additional data points mean additional invasions of
privacy for lower income credit applicants?

5.Identity Theft and Consumer Reporting

Identity theft is one of the most rapidly growing forms of crime. Identity theft occurs when
a criminal obtains an individual’s personal information and uses it to open new bank
accounts, acquire credit cards, and obtain loans in that individual’s name. Consider the
following example from journalist Bob Sullivan:

Starting in August 1998, Anthony Lemar Taylor spent a year successfully pretending to be
the golf superstar [Tiger Woods]. Taylor’s $50,000 spending spree included a big-screen
television, stereo speakers, a living room set, even a U-Haul to move all the stolen goods.
Taylor, who looks nothing like the golf legend, simply obtained a driver’s license using
Tiger’s real name, Eldrick Woods; then, he used Wood’s Social Security number to get
credit in his name. . . .
When Tiger himself testified during the case in 2001, Taylor, a 30-year-old career criminal,
didn’t stand a chance. Wood’s star power helped the state throw the book at Taylor. . . .
The firm, swift justice might have made other potential identity thieves think twice, but for
this: Precious few identity thefts are even investigated, let alone prosecuted to the full
extent of the law. The average victim has enough trouble getting the police to bother filling
out an incident report. . . .
The real world of identity theft . . . is . . . a haunting, paperwork nightmare, one often
compared to financial rape, littered with small and large tragedies. . . . Couples can’t buy
homes because their credit is damaged. Identity theft victims are often denied access to
the lowest interest rates and can pay as much as 50 percent more to borrow money. . . .
And thousands of people face hundreds of hours of electronic trials against their erroneous
 credit reports and eventually end p. 102 with fraudulent debts and endless nightly
threatening calls from collection agencies.17
According to a 2007 report to the FTC, “approximately 8.3 million U.S. adults discovered
that they were victims of some form of ID theft in 2005.”18 According to this report’s
estimates, the total losses from ID theft in that year were $15.6 billion. Moreover, “victims
of all types of ID theft spent hours of their time resolving the various problems that result
from ID theft. The median value for the number of hours spent resolving problems by all
victims was four. However, 10 percent of all victims spent at least 55 hours resolving their
problems.”

In an important caveat, however, this report also notes that it may not capture all types of
identity theft. In particular, it does not measure “synthetic ID theft.” This activity involves
a criminal creating a fictitious identity by combining information from one or more
consumers. Affected consumers face considerable obstacles in detecting synthetic ID
theft; therefore, any survey of identity theft, which depends on consumer self-reporting,
is likely to underreport it.

A significant amount of identity theft involves the consumer reporting system. When an
identity thief starts creating delinquent debts in a person’s name, creditors report the
delinquencies to the consumer reporting agencies, and the delinquencies begin to appear
on the person’s credit report. This can severely affect the person’s credit score and make
it impossible for the person to secure credit. What are the responsibilities of consumer
reporting agencies in ensuring that the data it reports about individuals really pertains to
them rather than to the identity thief who impersonated them?

In addition to protections already in FCRA, the FACTA added a few additional measures
to address identity theft.

One-Call Fraud Alerts.

The FACTA amends FCRA to enable consumers to alert only one consumer reporting
agency of potential fraud rather than all of them. That agency must notify the other
consumer reporting agencies. 15 U.S.C. § 1681c-1.

Business Transaction Data.

The FACTA gives victims of identity theft the right to require certain disclosures from the
creditors used by the identity thief; these disclosures concern information about the
fraudulent transactions carried out in the victim’s name. 15 U.S.C. § 1681g(e)(1). To
obtain this information from the creditors, however, the victim must provide one form of
identification from a list (that the business gets to pick) as well as proof of the claim of
identity theft (police report, affidavit). The victim’s request must be in writing and must
specify the date of the transaction and other transaction data. Business entities can
decline this request if they believe in good faith that there is not “a high degree of
confidence in knowing the true identity of the individual requesting the information.” §
1681g(e)(2). Further, business entities cannot be sued if they make a disclosure in good
faith under these provisions. § 1681g(e)(7). Business entities are not required p. 103 to
alter their record-keeping practices to provide the information required by these
provisions. § 1681g(e)(8).

Block of Identity Theft Information.

The FACTA amends the FCRA to provide:

(a)
Block. Except as otherwise provided in this section, a consumer reporting agency shall
block the reporting of any information in the file of a consumer that the consumer identifies
as information that resulted from an alleged identity theft, not later than 4 business days
after the date of receipt by such agency of —
(1)
appropriate proof of the identity of the consumer;
(2)
a copy of an identity theft report;
(3)
the identification of such information by the consumer; and
(4)
a statement by the consumer that the information is not information relating to any
transaction by the consumer.
(b)
Notification. A consumer reporting agency shall promptly notify the furnisher of
information identified by the consumer under subsection (a) —
(1)
that the information may be a result of identity theft;
(2)
that an identity theft report has been filed;
(3)
that a block has been requested under this section; and
(4)
of the effective dates of the block. § 1681c-2.

Social Security Number Truncation.

If a consumer requests it, consumer reporting agencies must not disclose the first five
digits of the consumer’s Social Security Number. § 1681g(a)(1)(A).

Free Consumer Reports.

FACTA requires consumer reporting agencies to provide a free consumer report once a
year at the request of a consumer. § 1681j.

Disclosure of Credit Scores.

FACTA requires consumer reporting agencies to disclose to a consumer her credit score.
Many consumer reporting agencies previously would not divulge a person’s credit score.
§ 1681g.

SLOANE V. EQUIFAX INFORMATION SERVICES, LLC

510 F.3d 495 (4th Cir. 2007)

_________________________________________________________________

DIANA GRIBBON MOTZ, J. After Suzanne Sloane discovered that a thief had stolen her
identity and ruined her credit, she notified the police and sought to have Equifax
Information Services, LLC, a credit reporting service, correct the resulting errors in her
credit report. The police promptly arrested and jailed the thief. But twenty-one months
later, Equifax still had not corrected the errors in Suzanne’s credit report. Accordingly,
Suzanne brought this action against Equifax for violations of the Fair Credit Reporting Act
(FCRA), 15 U.S.C.A. §§ 1681 et seq. A jury found that Equifax had violated the Act in
numerous respects and awarded Suzanne $351,000 in actual damages ($106,000 for
economic losses and $245,000 for mental anguish, humiliation, and emotional distress).
The district court entered judgment in the amount of $351,000. In addition, without
permitting Equifax to p. 104 file a written opposition, the court also awarded Suzanne
attorney’s fees in the amount of $181,083. On appeal, Equifax challenges the award of
damages and attorney’s fees. We affirm in part and reverse and remand in part.

On June 25, 2003, Suzanne Sloane entered Prince William Hospital to deliver a baby.
She left the hospital not only a new mother, but also the victim of identity theft. A recently
hired hospital employee named Shovana Sloan noticed similarity in the women’s names
and birth dates and, in November and December 2003, began using Suzanne’s social
security number to obtain credit cards, loans, cash advances, and other goods and
services totaling more than $30,000. At the end of January 2004, Suzanne discovered
these fraudulent transactions when Citibank notified her that it had cancelled her credit
card and told her to contact Equifax if she had any concerns.
Unable to reach Equifax by telephone on a Friday evening, Suzanne went instead to the
Equifax website, where she was able to access her credit report and discovered Shovana
Sloan’s name and evidence of the financial crimes Shovana had committed. Suzanne
promptly notified the police, and contacted Equifax, which assertedly placed a fraud alert
on her credit file. Equifax told Suzanne to “roll up her sleeves” and start calling all of her
“20-some” creditors to notify them of the identity theft. Suzanne took the next two days
off from work to contact each of her creditors, and, at their direction, she submitted
numerous notarized forms to correct her credit history.

Suzanne, however, continued to experience problems with Equifax. On March 31, 2004,
almost two months after reporting the identity theft to Equifax and despite her efforts to
work with individual creditors as Equifax had advised, Suzanne and her husband, Tracey,
tried to secure a pre-qualification letter to buy a vacation home, but were turned down.
The loan officer told them that Suzanne’s credit score was “terrible” — in fact, the “worst”
the loan officer had ever seen — and that no loan would be possible until the numerous
problems in Suzanne’s Equifax credit report had been corrected. The loan officer also
told Suzanne not to apply for additional credit in the meantime, because each credit
inquiry would appear on her credit report and further lower her score.

Chagrined that Equifax had not yet corrected these errors in her credit report, Suzanne
refrained from applying for any type of consumer credit for seven months. But, in October
2004, after the repeated breakdown of their family car, Suzanne and Tracey attempted to
rely on Suzanne’s credit to purchase a used car at a local dealership. Following a credit
check, the car salesman pulled Tracey aside and informed him that it would be impossible
to approve the financing so long as Suzanne’s name appeared on the loan. Similarly,
when the Sloanes returned to the mortgage company to obtain a home loan in January
2005, eight months after their initial visit, they were offered only an adjustable rate loan
instead of a less expensive 30-year fixed rate loan in part because of Equifax’s still
inaccurate credit report.

In frustration, on March 9, 2005, more than thirteen months after first reporting the identity
theft to Equifax, Suzanne sent a formal letter to the credit reporting agency, disputing
twenty-four specific items in her credit report and requesting their deletion. Equifax agreed
to delete the majority of these items, but after assertedly verifying two accounts with
Citifinancial, Inc., Equifax notified Suzanne that it would not remove these two items. At
trial, Equifax admitted that p. 105 under its “verified victim policy,” it should have
automatically removed these Citifinancial items at Suzanne’s request, but it failed to do
so in violation of its own written procedures.

Two months later, on May 9, 2005, Suzanne again wrote to Equifax, still disputing the two
Citifinancial accounts, and now also contesting two Washington Mutual accounts that
Equifax had previously deleted but had mistakenly restored to Suzanne’s report. When
Equifax attempted to correct these mistakes, it exacerbated matters further by generating
a second credit file bearing Shovana Sloan’s name but containing Suzanne’s social
security number. Compounding this mistake, on May 23, 2005, Equifax sent a letter to
Suzanne’s house addressed to Shovana Sloan, warning Shovana that she was possibly
the victim of identity theft and offering to sell her a service to monitor her credit file. Then,
on June 7, 2005, Equifax sent copies of both credit reports to Suzanne; notably, both
credit reports still contained the disputed Citifinancial accounts.

The stress of these problems weighed on Suzanne and significantly contributed to the
deterioration of her marriage to Tracey. . . . In May 2005, the credit situation forced
Tracey, a high school teacher, to abandon his plans to take a sabbatical during which he
had hoped to develop land for modular homes with his father. The Sloanes frequently
fought during the day and slept in separate rooms at night. . . . Also, during this period,
Suzanne was frequently unable to sleep at night, and as her insomnia worsened, she
found herself nodding off while driving home from work in the evening. Even after the
couple took a vacation to reconcile in August 2005, when they returned home, they were
greeted with the denial of a line of credit from Wachovia Bank. . . .

On November 4, 2005 — following twenty-one months of struggle to correct her credit

report — Suzanne filed this action against Equifax, Trans Union, LLC, Experian
Information Solutions, Inc., and Citifinancial, alleging violations of the FCRA. After settling
a separate suit against Prince William Hospital and the personnel company that placed
Shovana Sloan in the hospital’s accounting department, Suzanne settled her claims in
this action against Experian, Trans Union, and Citifinancial. Equifax, however, refused to
settle. Thus, the case proceeded to trial with Equifax the sole remaining defendant. The
jury returned a verdict against Equifax, awarding Suzanne $106,000 for economic loss
and $245,000 for mental anguish, humiliation, and emotional distress.

Equifax moved for judgment as a matter of law and for a new trial or remittitur on the jury’s
award of damages for emotional distress. The district court denied Equifax’s post-trial
motions and then, without permitting Equifax to submit an opposition to Suzanne’s
request for attorney’s fees, ordered Equifax to pay $181,083 in attorney’s fees. This
appeal followed. . . .

In this case, the jury specifically found, via a special verdict, that Suzanne proved by a
preponderance of the evidence that Equifax violated the FCRA by negligently: (1) failing
to follow reasonable procedures designed to assure maximum accuracy on her consumer
credit report; (2) failing to conduct a reasonable investigation to determine whether
disputed information in her credit report was inaccurate; (3) failing to delete information
from the report that it found after reinvestigation to be inaccurate, incomplete, or
unverified; and (4) reinserting information into her credit file that it had previously deleted.
On appeal, Equifax p. 106 does not challenge the jury’s findings that Suzanne proved that
it violated the FCRA in all of these respects.

The FCRA provides a private cause of action for those damaged by violations of the
statute. See 15 U.S.C.A. §§ 1681n, 1681o. A successful plaintiff can recover both actual
and punitive damages for willful violations of the FCRA, id. § 1681n(a), and actual
damages for negligent violations, id. § 1681o(a). Actual damages may include not only
economic damages, but also damages for humiliation and mental distress. The statute
also provides that a successful plaintiff suing under the FCRA may recover reasonable
attorney’s fees. 15 U.S.C.A. §§ 1681n(a)(3), 1681o(a)(2). . . .

Equifax first argues that because Suzanne assertedly suffered a single, indivisible injury,
she should not recover any damages from Equifax or, alternatively, her recovery should
be reduced to take account of her prior settlements with other defendants. According to
Equifax, the prior settlements have fully, or almost fully, compensated Suzanne for all of
her injuries.

Equifax relies on the “one satisfaction rule” to support its argument. See Chisholm v. UHP
Projects, Inc., 205 F.3d 731, 737 (4th Cir. 2000) (“[T]his equitable doctrine operates to
reduce a plaintiff’s recovery from the nonsettling defendant to prevent the plaintiff from
recovering twice from the same assessment of liability.”). But, in the case at hand, we
cannot find, as a matter of law, that Suzanne has suffered from a “single, indivisible harm”
that has already been redressed by other parties. . . .

To the contrary, Suzanne provided credible evidence that her emotional and economic
damages resulted from separate acts by separate parties. She did not attempt to hold
any of the credit reporting agencies responsible for damages arising from either the
identity theft itself or the initial inaccuracies that the theft generated in her credit reports.
Moreover, although some of Suzanne’s interactions with Equifax overlapped with
exchanges with other credit reporting agencies, her encounters with Equifax both predate
and postdate these other exchanges. . . .

Further, during the period when Suzanne attempted to correct the mistakes made by all
three agencies, each agency produced reports with different inaccuracies, and each
agency either corrected or exacerbated these mistakes independently of the others. Thus,
even during this period, the inaccuracies in Equifax’s credit reports caused Suzanne
discrete injuries independent of those caused by the other credit reporting agencies.

For all of these reasons, we reject Equifax’s argument that Suzanne has suffered from a
single, indivisible injury or has been doubly compensated as a consequence of her prior
settlements.
Equifax next argues that the evidence does not support any award for economic losses.
Equifax claims that only speculation and conjecture support such an award, and so the
district court erred in denying Equifax’s motion for judgment as to this award.

We disagree. The evidence at trial in this case clearly demonstrates that on numerous
occasions Suzanne attempted to secure lines of credit from a variety of financial
institutions, only to be either denied outright or offered credit on less advantageous terms
that she might have received absent Equifax’s improper conduct. At times, these financial
institutions consulted credit reports from other agencies, but at other times these
institutions relied exclusively on the erroneous p. 107 credit information provided by
Equifax. Based on these incidents, we find that there is a legally sufficient evidentiary
basis for a reasonable jury to have found that Equifax’s conduct resulted in economic
losses for Suzanne. Therefore, the district court did not err in denying Equifax’s motion
regarding this award. . . .

Notes & Questions

1.
Harm. Recall Sarver where the court held that Sarver did not apply for credit after he
notified Experian of the error whereas Sloane did. Moreover, the Sarver court concludes
that Sarver’s testimony was insufficient to prove emotional distress damages. In what
ways was Sloane’s case stronger on emotional distress?
2.
Transparency. Chris Hoofnagle proposes that policy responses to identity theft are
hobbled by a lack of information about the dimensions of the problem. 19 He argues: “We
are asking the wrong people about the crime. . . . Victims often do not know how their
personal data were stolen or who stole the information.” Hoofnagle’s solution is to create
a reporting requirement on financial institutions, including all lenders and organizations
that control access to accounts (such as PayPal and Western Union). There would be
three disclosure requirements for these entities: “(1) the number of identity theft incidents
suffered or avoided; (2) the forms of identity theft attempted and the financial products
targeted (e.g., mortgage loan or credit card); and (3) the amount of loss suffered or
avoided.”

Do you think that consumers would respond to such market information and actually
switch accounts from one organization to another? Personal information might be stolen
from nonfinancial institutions, such as a college, and then used by a criminal for fraud at
a bank. How can incentives be provided for nonfinancial institutions to have adequate
security?
4.
Identity Theft and the Poor. Sara Greene calls attention to the invalidity of a piece of
conventional wisdom. She writes, “Because low-income individuals are disproportionately
likely to have low credit scores, many people believe that their credit profiles would not
appeal to thieves since their profiles usually are offered credit products with particularly
high interest rates.”20 Green points to data, however, that shows at least one-third of
identity theft victims live in lower-income households. In her explanation, “[T]hieves likely
target low-income individuals because they are less likely to pursue a complaint, and
since thieves do not intend to pay back debt accrued, higher interest rates do not deter
them.” In addition, thieves often engage in behavior that a low-credit score identity will
allow. These include using “low-income stolen identities to open credit card accounts, to
receive public benefits and health care, to open utility accounts,” and to present a false
identity if arrested by authorities.
p. 108
The solution? Greene calls for creation of a new federal agency, the Data Privacy and
Identity Recovery Agency (DPIRA). This agency would address identity theft victimization
and have funds available to assist “victims in need,” defined as those living at 200 percent
of the poverty line. More generally, Green also argues that more needs to be done to
identify systemic failures in the law regulating identity theft that leads to disproportionate
harms to low-income groups