Credit Reporting & Data Brokers

On March 11, the U.S. District Court for the Central District of California approved a settlement stipulation between the parties in the long-running Fair Credit Reporting Act litigation involving Spokeo, Inc.  See Thomas Robins v. Spokeo, Inc., Case No. 2:10-cv-05306 (C.D. Cal.).  The settlement brings an end to the dispute that led to the U.S. Supreme Court’s landmark 2016 ruling on the contours of Article III jurisdiction and the ability of courts to hear cases alleging statutory, technical, or procedural damage without actual injury-in-fact.  Ultimately, the settlement means that the ongoing dispute – which has generated a wealth of related litigation and motions practice in consumer class actions and similar statute-heavy arenas – has concluded with a whimper.

Troutman Sanders has reported on Spokeo on numerous occasions over the past four years, including here, here, here, here, here, and here.


On May 16, 2016, the Supreme Court of the United States issued its much-anticipated decision in Spokeo, Inc. v. Robins.  Spokeo considered whether Congress may confer Article III standing by authorizing a private right of action based on the violation of a federal statute alone, despite a plaintiff having suffered no “real world” harm.  The Supreme Court, in a 6-2 decision, vacated and remanded the decision of the Ninth Circuit, which had found the existence of Article III standing in a claim under the FCRA.  The Court found that while the Ninth Circuit had considered whether the harm was particularized, the lower court had failed to consider whether the “invasion of a legally protected interest” was “concrete.”  After holding that a “violation of one of the FCRA’s procedural requirements may result in no harm,” the Supreme Court instructed the Ninth Circuit to decide “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”

On August 15, 2017, the Ninth Circuit issued its decision on remand, reversing and remanding the case to the California district court after finding that Robins had standing to pursue his claims.  Spokeo appealed that ruling to the Supreme Court again, arguing that the Court’s prior opinion created massive uncertainty among lower courts as to the contours of Article III standing – particularly in cases alleging statutory claims based on purely technical or procedural violations.

On January 22, 2018, the Supreme Court denied the second petition for a writ of certiorari filed by Spokeo.


With the case left pending in the California federal district court, the parties engaged in mediation after the Supreme Court’s January 2018 denial and ultimately came to a settlement.

On March 8, 2019, Robins filed a stipulation for relief that was entered by the district court three days later.  Per the stipulation:

  • For a period of three years, “Spokeo will not publish any numerical estimates or predictions of consumer credit scores” unless its terms and conditions “specify that Spokeo’s profiles may only be used for [non-FCRA] purposes.”
  • Spokeo will provide “a clear and appropriately-titled hyperlink” to an opt-out form on its privacy page, which will be available from all pages on its website via its “general navigation menu.”
  • A disclaimer on Spokeo’s terms and conditions page is required to state that its site users may not use any information for any FCRA purposes.
  • Spokeo must include additional disclaimers indicating that it is not a consumer reporting agency as defined by the FCRA.
  • Spokeo customers will be required to certify and agree that they will not use the company’s website and its information for any FCRA purpose.

A copy of the stipulation can be found here.  The case was dismissed with prejudice by the Court on March 12.

On February 26, the Northern District of California held in Banneck v. Federal National Mortgage Association that the defendant, commonly referred to as “Fannie Mae,” was not a consumer reporting agency, or “CRA,” as defined in the Fair Credit Reporting Act, granting summary judgment in a putative nationwide class action.  The lawsuit had alleged violations of the FCRA and California Consumer Reporting Agencies Act (“CCRAA”).  

The FCRA defines a CRA as (1) “any person which … regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers” and (2) “for the purpose of furnishing consumer reports to third parties.”  The CCRAA contains a virtually identical definition.

In finding that Fannie Mae is not a CRA, the Court relied on binding precedent from the Ninth Circuit.  In Zabriskie v. Federal National Mortgage Association, the Ninth Circuit held that Fannie Mae met neither prong of the FCRA’s definition of a CRA.  The Ninth Circuit first held that Fannie Mae did not assemble or evaluate consumer credit information, but rather offered tools to mortgage lenders so that they could evaluate mortgage loan applicants.  The Zabriskie Court also found that Fannie Mae did not assemble or evaluate consumer credit information for the purpose of furnishing consumer reports to third parties, but instead it assembled such information only “to determine a loan’s eligibility for subsequent purchase.”

In ruling that Fannie Mae was not a CRA, the Court determined that Banneck’s FCRA and CCRAA claims necessarily failed.  The Court also brushed aside Banneck’s attempts to distinguish Zabriskie on procedural grounds, finding that the applicable summary judgment standard did not substantively change the analysis from that of Zabriskie and that the pending petition for rehearing en banc in Zabriskie did not eliminate its binding authority.

Troutman Sanders will continue to monitor and report on developments in FCRA actions and related litigation.

Requiring an employee or consumer to submit any dispute to binding arbitration as a condition of employment or purchase of a product or service is commonly referred to as “forced arbitration.”  Many times, the employee or consumer is required to waive their right to sue or to participate in a class action lawsuit.  Critics argue that these arbitration agreements disempower the middle class and some in Congress have taken notice.

Last Thursday, Congressman Jerrold Nadler (D-N.Y.) and Sen. Richard Blumenthal (D-Conn.) announced a package of bills at a press conference that could end the practice of forced arbitration.

“One of the systems that is truly rigged against consumers and workers and the American people is our current system of forced arbitration,” Blumenthal said while introducing the Forced Arbitration Injustice Repeal Act.  Under the bill, companies would no longer be able to enforce arbitration agreements in consumer, employment, civil rights, or antitrust disputes.  The Democrats also introduced the Ending Forced Arbitration of Sexual Harassment Act which would eliminate arbitration in disputes that involve sexual harassment.

According to Nadler, the goal of these proposals is to help workers and consumers obtain justice.  “All Americans deserve their day in court,” Nadler said.  “We make a mockery of this principle when we allow individuals to be forced to take their claims to private arbitration.”

These lawmakers aim to reverse the Supreme Court’s ruling in Epic Systems Corp. v. Lewis – that employers may require employees to settle collective disputes in individual arbitration, thereby barring them from banding together in class-action lawsuits against employers.  Justice Neil Gorsuch wrote the decision for the majority.  The ruling was a contentious 5-4 decision along party lines.

Blumenthal believes that the bills will pass because Democrats have a majority in the House of Representatives.  However, it is unclear whether these bills are dead-on-arrival in the Republican-controlled Senate.  Furthermore, it appears unlikely that President Trump will sign a bill reversing the decision written by his first nominee to the Supreme Court.  Therefore, it appears that, notwithstanding the present legislation, the enforceability of arbitration provisions is here to stay for the time being.

Troutman Sanders will continue to monitor and report on important developments involving the changing landscape of arbitration.

On February 26, the House Financial Services Committee held a hearing entitled “Who’s Keeping Score? Holding Credit Bureaus Accountable and Repairing a Broken System,” with the CEOs of the big three credit bureaus – TransUnion, Equifax, and Experian – testifying. The hearing was the first time the current CEOs of the major credit bureaus have testified before the Committee since the cyberattack on Equifax that affected more than 100 million Americans and spawned extensive litigation. As a result, legislators focused heavily on data security issues and the steps the major credit bureaus have taken to improve security.

But the hearing also involved discussion of two bills introduced by Chairwoman Maxine Waters (D-Calif.) that would make sweeping changes to the Fair Credit Reporting Act: the Comprehensive Consumer Credit Reporting Reform Act and the Protecting Innocent Consumers Affected by a Shutdown Act. These bills would have a tremendous impact not only on the big three credit bureaus, but also the dozens of other nationwide consumer reporting agencies. 

Waters’s Proposed Legislation 

The Protecting Innocent Consumers Affected by a Shutdown Act would establish a nationwide database of consumers affected by a shutdown of the federal government and would prevent credit reporting agencies from including any adverse financial information that occurs during the shutdown or within 90 days thereafter. The proposal would also prevent the users of consumer reports from considering adverse information regarding a consumer affected by a shutdown.

The Comprehensive Consumer Credit Reporting Reform Act would, as the name suggests, impose changes with far-reaching ramifications. In Waters’s own words, the bill is designed to place “the burden of removing mistakes from credit reports onto the credit bureaus and furnishers.” Among other sweeping changes, the legislation would:

  • Largely eliminate the use of credit checks for employment purposes;
  • Establish new requirements on consumer reporting agencies when notified of inaccurate or incomplete information;
  • Create a right to appeal the results of investigations into disputed information;
  • Require furnishers to maintain records to verify the accuracy of disputed information;
  • Require the removal of paid or settled derogatory accounts;
  • Restrict the appearance of information about medical debts;
  • Reduce the amount of time most derogatory items are permitted to remain on a consumer’s credit report, from 7 years to 4 years, with bankruptcies being permitted to remain on credit reports for a maximum of 7 years instead of the current 10-year maximum;
  • Prevent the reporting of adverse information relating to mortgage loans if the information relates to “an unfair, deceptive, or abusive” act or practice;
  • Require a loan rehabilitation option for consumers with private student loans “who were defrauded or misled”;
  • Grant the Consumer Financial Protection Bureau the authority to regulate the development of new credit scoring models; and
  • Require consumer access to free annual credit scores.

Impact on Consumer Reporting Agencies

The proposed legislation would impact nationwide consumer reporting agencies, including agencies that specialize in reporting residential or tenant history, medical records or payments, and employment history. The Comprehensive Consumer Credit Reporting Reform Act in particular would require a dramatic reworking of the information reported and the handling of disputes over the accuracy of information. The bill seeks to all but eliminate the use of credit screening for employment purposes, carving out narrow exceptions where screening is required by local, state, or federal law.

Democratic representatives at the Financial Services hearing focused on perceived abuses in the financial system, while many Republican representatives expressed concerns that the proposed legislation would impose unnecessary regulatory burdens and remove so much information from consumers’ records as to render credit reports ineffective. The House Financial Services Committee has scheduled a hearing regarding the CFPB’s semi-annual review for March 7 but has not scheduled any other hearings specifically regarding Waters’s proposed bills. Troutman Sanders will continue to monitor these legislative proposals.

On February 25, the Federal Trade Commission and the Consumer Financial Protection Bureau reauthorized their Memorandum of Understanding, or “MOU.”

The MOU, which governs the FTC’s and CFPB’s joint operations, focuses on five key areas of cooperation:

  • Joint law enforcement efforts – The agreement requires one agency to give notice to the other prior to commencing an investigation. Both agencies are required to give the other details about the proceedings they are initiating, including the court in which the proceeding is being brought, the alleged facts surrounding the case, and the agency’s requested relief. Importantly, the agreement also allows either agency to intervene in any action commenced by the other agency, as long as the intervening agency shares jurisdiction.
  • Joint resolution efforts – One agency must also notify the other prior to proposing or entering into any consent decree or settlement with an MOU Covered Person. Each agency must also notify the other prior to issuing no-action letters, warning letters, or closing letters.
  • Joint rulemaking efforts – The agencies must consult and notify one another prior to issuing proposed rules or agency guidance under statutes such as the Omnibus Appropriations Act of 2009, the Fair Debt Collection Practices Act, the Fair Credit Reporting Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and UDAAP.
  • Supervisory Information and Examination Schedules – The CFPB must provide, and the two agencies must confer as to, the CFPB’s plans to examine MOU Covered Persons, and the CFPB must provide the FTC with Confidential Supervisory Information relating to MOU-covered persons subject to FTC jurisdiction, upon request from the FTC.
  • Consumer Complaints – Under the agreement, the agencies are to direct consumers to the agency best suited to resolve their complaints and are to make consumer complaints available to one another.

According to the FTC, the MOU is an agreement for “ongoing coordination between the two agencies under the terms of the Consumer Financial Protection Act,” aiming to avoid duplication of law enforcement and rulemaking efforts between the FTC and CFPB.  The full MOU is available here.

On February 7, 2019, AllianceOne Receivables Management, Inc. (“AllianceOne”), a debt collector, agreed to pay $2.2 million to settle a nationwide class action alleging violations of the Fair Credit Reporting Act (“FCRA”) for obtaining consumer reports on individuals with outstanding parking tickets without a permissible purpose.

The parties moved to approve the settlement after more than three years of litigation and propose that AllianceOne will pay $2.2 million to a class fund, plus $5,000 to the named Plaintiff and up to $733,333.33 in attorney’s fees. The settlement follows the district court’s grant of partial summary judgment in Plaintiff’s favor and certification of a nationwide class of individuals.

In the case, Rodriguez v. AllianceOne, filed in 2015 in the United States District Court for the Western District of Washington, Rodriguez alleged that AllianceOne’s purpose in pulling consumer reports on individuals with outstanding parking tickets – to obtain contact information and identify assets – was not “permissible” under § 1681b of the FCRA.

The District Court agreed with Rodriguez’s theory, granting partial summary judgment in his favor and finding that AllianceOne did not have a permissible purpose to obtain consumer reports under § 1681b because a vehicle parking violation is not a credit transaction “initiated” by a consumer. However, the District Court also held that Rodriguez failed to prove any actual damages, thus leaving only the possibility of statutory damages based on a willful violation of the FCRA. The Court further found that whether AllianceOne’s conduct was “willful” is a question of fact for the jury.

Recognizing that “there is no assurance that the jury would find a willful violation,” the parties agreed to settle the case on a class-wide basis and moved for approval of the class settlement. The certified class contains nearly 15,000 people. Assuming no opt-outs, the proposed settlement contemplates about $98 per class member for the alleged FCRA violation. This nears the minimum statutory penalty of $100 for a willful violation of the FCRA but is far less than the maximum penalty of $1,000 per violation. The District Court is expected to approve the settlement.

The Federal Reserve Board of Governors and the Federal Deposit Insurance Corporation (“FDIC”) issued a joint advisory making financial institutions aware of a recent change to the Fair Credit Reporting Act (“FCRA”) that provides that financial institutions may offer to remove defaults in private education loan borrowers’ consumer reports under an approved rehabilitation program. Qualifying borrowers must show consumer reports containing a default on a private education loan, and the financial institution must submit a written request for approval of the program to its federal regulatory agency.

The amendment appeared in Section 602 of the Economic Growth, Regulatory Relief and Consumer Protection Act (“EGRRCPA”), enacted on May 24, 2018.  The amendment changed FCRA Section 623 to allow financial institutions to offer the Section 602 Program.  The recent joint advisory addresses requirements of the Section 602 Program.

The joint advisory explains that if a borrower meets the requirements of a financial institution’s Section 602 Program, the institution can remove a reported default from the borrower’s consumer report.  The advisory further explains that the financial institutions that choose to establish a private education loan rehabilitation Section 602 Program are entitled to a safe harbor from potential claims under the FCRA related to removal of the reported default.

The Seventh Circuit recently affirmed judgment in favor of the national consumer reporting agencies (“CRAs”), rejecting a plaintiff’s attempt to impose Fair Credit Reporting Act liability upon the CRAs for reporting information the furnisher had verified as accurate.  This case represents a significant victory for CRAs facing collateral attacks on the accuracy of the accounts they report.

The case is Humphrey v. Trans Union, LLC, et al.  A copy of the opinion can be found here. 

Plaintiff Ian Humphrey never made payments on his federal student loans, which were serviced by Navient and became due in 2011.  Instead, he submitted multiple disability-discharge applications, but each application was deficient, and the debt was not discharged.  Accordingly, Navient continued to report his account as past due.  Finally, in July 2014, Humphrey’s loans were discharged, but his credit reports continued to reflect the past nonpayment periods.  

Humphrey then submitted disputes (on many grounds) with the CRAs, who then sent Navient Automated Credit Dispute Verifications (“ACDVs”).  Each time, Navient confirmed to the CRAs the information was accurate.  Humphrey’s suit against the CRAs alleged violations of FCRA § 1681e(b) for inaccurate reporting and of § 1681i for an unreasonable reinvestigation.  Navient was also named in the suit.  The district court granted the CRAs’ joint motion for judgment on the pleadings.   

In affirming the district court’s decision, the Seventh Circuit flatly rejected Humphrey’s argument that the CRAs could face liability under the FCRA by continuing to report the debt even though he claimed he had no obligations to make payments while his disability-discharge application was pending.  The court first noted that § 1681e(b) and § 1681i claims both require the consumer to “sufficiently allege that his credit report contains inaccurate information.”

In finding Humphrey had not alleged a factual inaccuracy, the Court confirmed the importance of the distinction between factual and legal inaccuracies.  The inaccuracy alleged by Humphrey relating to his requirement to make payments “required a legal determination about whether his disability-discharge applications required Navient to cease collections” and, therefore, did not constitute a factual inaccuracy.

Like other courts before it, the Seventh Circuit recognized that an attack on the validity of a debt is not the CRAs’ fight to fight, ruling “a consumer may not use the Fair Credit Reporting Act to collaterally attack the validity of a debt by challenging a CRA’s reinvestigation procedure.” This sound reasoning demonstrates why these collateral attacks should fail.  The Court noted that “Navient was in a better position than the CRAs” to make the legal determination regarding Humphrey’s loan obligations.  Additionally, because the CRAs had properly contacted Navient to verify the loans, the reinvestigations were reasonable, as “CRAs are not a tribunal sitting to resolve legal disputes.”  Indeed, no reasonable reinvestigation by the CRAs could have resolved the question because it “was a legal question beyond the scope of a reasonable reinvestigation.”

As here, CRAs often face lawsuits wherein the plaintiff attacks the validity of the underlying debt under the guise of challenging the accuracy of the CRA’s reporting.  The Seventh Circuit’s decision provides helpful support to CRAs facing these types of suits.

On January 28, Thomas W. Thrash, Jr., the Chief Judge of the United States District Court for the Northern District of Georgia, issued four decisions on motions to dismiss in cases arising out of the Equifax data breach. Below are a few noteworthy takeaways. 

Factual Background

From mid-May through the end of July 2017, hackers stole personally-identifiable information of nearly 148 million American consumers by exploiting a vulnerability in certain software used by Equifax (the “Data Breach”). Litigation arising out of the Data Breach was consolidated into a Multidistrict Litigation (“MDL”) styled as In Re Equifax, Inc., Customer Data Security Breach Litigation, 1:17-md-2800-TWT.

Chief Judge Thrash issued decisions on motions to dismiss in the MDL regarding (1) the Consumer Cases, (2) the Financial Institution Cases, and (3) the Small Business Cases. Chief Judge Thrash is also presiding over a consolidated federal securities fraud class action lawsuit arising out of the Data Breach and issued an order on a motion to dismiss in that case on the same day. Each of the Court’s decisions is discussed in turn below.

The Consumer Cases

In the Consumer Cases, the plaintiffs (“Plaintiffs”) brought a variety of claims, purporting to represent a class of individuals who were allegedly injured by the Data Breach. The Court first held that Plaintiffs could not assert claims under the Fair Credit Reporting Act because Equifax did not “furnish” any “consumer report” within the meaning of the FCRA. Rather, hackers stole information about Plaintiffs which did not fall within the definition of data subject to the FCRA.

However, the Court held Plaintiffs could assert tort claims for negligence and negligence per se under Georgia common law, which applies to the case due to choice-of-law principles. The Court held Equifax had an independent duty to protect the consumers’ information because it knew of a foreseeable risk to its security systems and allegedly did not follow reasonable procedures to secure the information. Plaintiffs sufficiently alleged actual injury, as some Plaintiffs had suffered identity theft, and had sufficiently alleged concrete potential injury in the form of an increased risk of harm. The criminal nature of the hackers’ behavior did not cut off Equifax’s potential liability because a jury could conclude such conduct is reasonably foreseeable in light of the many other data breaches that have occurred.

The Court further held Plaintiffs failed to assert claims for breach of contract because Equifax’s Privacy Policy prohibited damages, and Plaintiffs could not assert an implied contract due to the valid merger clause in Equifax’s Terms of Use. The Court also reached Plaintiff’s unjust enrichment claim given the lack of a contractual relationship and absence of any allegation that Plaintiff had provided anything of value to Equifax.

Plaintiffs’ claims under various Georgia statutes—the Georgia Fair Business Practices Act (“GFBPA”), the Georgia Uniform Deceptive Trade Practices Act (“GUDTPA”), and Georgia’s statute regarding notification after a personal information data breach—all failed. Under current Georgia law, the GFBPA and GUDTPA do not apply to data breaches, and Georgia’s law regarding notification after a data breach is not privately enforceable. Plaintiffs also asserted claims under other states’ Uniform Deceptive Trade Practices Act laws and other states’ data breach notification laws, some of which survived the motion to dismiss. Finally, Plaintiffs’ claim for attorneys’ fees under Georgia law was allowed to proceed because the Plaintiffs made sufficient allegations of “bad faith.”

The Financial Institution Cases

In the Financial Institution Cases, various banks, credit unions, and associations sought to remedy the financial losses they allegedly suffered and continue to suffer as a result of the Data Breach. The claims asserted by these Plaintiffs include negligence, negligence per se, negligent misrepresentation, and claims under various state business practices statutes.

Equifax moved to dismiss Plaintiffs’ claims, arguing, among other things: (1) Plaintiffs lack standing and fail to allege any cognizable injuries; (2) Plaintiffs fail to establish a duty or causation as required to proceed with their negligence-based claims; (3) Plaintiffs’ negligence per se claim fails because the statutes relied upon do not set out any specific statutory duty to protect personally identifiable information; and (4) Plaintiffs failed to plead their negligent misrepresentation claim with the specificity required under Rule 9(b).

Ultimately, Equifax’s motion was granted in part and denied in part. With respect to standing, the Court found the Plaintiffs in this case can be categorized into two groups.  The first group was made of the “Financial Institution” Plaintiffs, who allegedly spent time and money: (1) responding to the compromise of the credit reporting system and personal information they rely upon for their business; (2) assessing the impact of the Data Breach as required by applicable law; and (3) mitigating the alleged “substantial risk” of future fraudulent activity. The second group of Plaintiffs, the “Financial Institution Card Issuers,” assert the same allegations plus a fourth – they allege they issued payment cards compromised in the Data Breach and have spent time and money reissuing payment cards or reimbursing customers.

After dividing Plaintiffs into these two categories, the Court found Plaintiffs adequately pled standing as to the Financial Institution Card Issuers but failed to adequately plead standing with respect to the Financial Institution Plaintiffs. In support of this conclusion, the Court found that reissuing payment cards and reimbursing customers for fraudulent charges, as alleged only by the Financial Institution Card Issuers, “are not speculative and are not threatened future injuries, but are actual, current, monetary damages.” Because the same type of concrete and particularized injury had not been alleged by the Financial Institution Plaintiffs, and because their alleged injuries were not actual or imminent, their case was dismissed.

The Court also dismissed the case with respect to the “Association Plaintiffs” who sought to bring claims on behalf of their financial institution members who had allegedly suffered injury as a result of the Data Breach because the Association Plaintiffs did not identify the specific members who have standing.

After addressing standing, the remainder of the Court’s opinion and order applied only to the surviving claims of the Financial Institution Card Issuers. With respect to the negligence claim, the Court concluded Equifax owed the Financial Institution Card Issuers a duty of care to safeguard the information in its custody, namely arising from the allegations that Equifax knew of a foreseeable risk to Equifax’s data security systems but failed to implement reasonable security measures. The Court also dismissed the negligence per se claim to the extent it was predicated upon the Gramm-Leach-Bliley Act (“GLBA”) alone, which the Court ruled does not provide a specific standard of conduct that is sufficient to give rise to a legal duty under Georgia law. To the extent the negligence per se claim was predicated on the Safeguards Rule of the GLBA, however, which does provide an ascertainable standard of conduct, the Court permitted the claim to continue. The Court also agreed with Plaintiffs that Section 5 of the FTC Act can provide a statutory duty for a negligence per se claim under Georgia law and therefore, Equifax’s Motion to Dismiss with respect to the negligence per se claim was largely denied.

In addressing Equifax’s argument that Plaintiffs failed to sufficiently plead a claim for negligent misrepresentation, the Court, following the Georgia District Court’s precedent, found that Rule 9(b) does not apply to claims of negligent misrepresentation, but that even if Rule 9(b) were to apply, Plaintiffs’ allegations would likely suffice. Indeed, the Court found “Plaintiffs have alleged the specific misrepresentations that the Defendants made, which Defendants made them, how such representations were false, and why the Defendants knew or should have known that those statements were false.” Such allegations, the Court concluded, are sufficient.

Finally, the Court also reviewed the claims brought under the Georgia Fair Business Practices Act, foreign state fraud and consumer protection statutes, claims relating to payment card data, and Plaintiffs’ “ancillary claims.” The Court dismissed the GFBPA claim, finding the Act does not require the safeguarding of personally identifiable information but allowed a majority of the other claims to continue.

The Small Business Cases

A group of ten small businesses sought to bring claims on behalf of a class of small businesses that allegedly relied upon the personal creditworthiness of their owners to obtain and maintain credit (the “Small Business Plaintiffs”). The Small Business Plaintiffs contended their owners’ personal information might have been involved in the Data Breach, and alleged they were harmed by having to take measures to combat the risk of identity theft and by expending time and effort to monitor the credit of their owners.

Equifax moved to dismiss the Small Business Plaintiffs’ claims, arguing: (1) the businesses lacked Article III standing to assert claims for alleged injuries arising out of the alleged breach of their owners’ personal information, and (2) the economic loss doctrine precluded the Small Business Plaintiffs from asserting tort claims. The Court agreed with both of Equifax’s arguments and dismissed the claims.

The Court noted that each of the Small Business Plaintiffs is a distinct legal entity from its individual owners. While the owners could seek recovery of their damages in the Consumer Cases, the Small Business Plaintiffs were “not entitled to a second recovery” for the alleged injuries to the owners as small business owners. The Court further held the Small Business Plaintiffs’ alleged injuries were too speculative because Small Business Plaintiffs would have to prove: (a) their owners’ data was compromised and obtained by some criminals; (b) the owners’ credit was directly impacted by the criminals’ misuse of the information; (c) the Small Business Plaintiffs thereafter attempted to rely on the owner’s credit for their own “creditworthiness and continued operations”; and (d) the Small Business Plaintiffs’ “creditworthiness [or] continued operations” were harmed as a direct result of the owner’s damaged credit.

The Small Business Plaintiffs also failed to allege a substantial risk of harm that was sufficient to confer standing. Because of the long, attenuated chain of events that would have to occur before the Small Business Plaintiffs might suffer an injury because of the Data Breach, they did not face an “imminent injury” and their allegations about the alleged costs they incurred were “nothing more than the exercise of ordinary due diligence in monitoring their creditworthiness.”

Finally, the Court held that the economic loss doctrine barred the Small Business Plaintiffs’ tort claims. The doctrine prevents a plaintiff from recovering economic losses associated with injury or damage to another person. Because the Small Business Plaintiffs were distinct legal entities from their owners, the businesses could not recover for alleged injuries to the owners. Equifax did not breach an independent legal duty to the Small Business Plaintiffs, the Court held, because Equifax’s duty to safeguard the information of the individuals was owed to them personally. Accordingly, the Court dismissed the Small Business Cases in their entirety.

The Securities Case

A separate case—In Re Equifax, Inc. Securities Litigation, 17-cv-3463-TWT—is also pending before Chief Judge Thrash, who issued an order on Defendants’ motion to dismiss on the same day as the other orders discussed above. In this case, the lead plaintiff (“Plaintiff”) has brought claims on behalf of a putative class of investors that purchased securities of Equifax from February 25, 2016 through September 15, 2017. Plaintiff asserted claims under sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against Equifax and four individuals who were corporate officers at Equifax during the putative class period. [Disclosure: Troutman Sanders LLP represents one of the individual Defendants in this litigation, former Chief Executive Officer Richard F. Smith.]

Plaintiff alleged Defendants made false or misleading statements and/or omissions about the sensitive information in Equifax’s custody, the vulnerability of Equifax’s internal systems, and Equifax’s compliance with cybersecurity regulations and best practices. As a result, Plaintiff and the other putative class members allegedly suffered a loss in the value of their investments when the Data Breach was revealed.

The Court dismissed the claims against three of the individual Defendants but allowed the claims against Equifax and its former CEO to proceed to discovery. Additionally, the Court limited the scope of allegedly false or misleading statements that could be actionable, holding: (1) “Defendants were under no duty to disclose the existence of the Data Breach before they knew it had occurred”; (2) the mere “occurrence of the Data Breach did not itself make [certain] prior statements false or misleading”; (3) Defendants’ warnings that “Equifax could be vulnerable to a data breach” were not misleading; and (4) Defendants’ representations about certain internal controls in place at Equifax were not false or misleading.

Troutman Sanders will continue to monitor these cases for further developments.

2018 was a busy year in the consumer financial services world. As we navigate the continuing heavy volume of regulatory change and forthcoming developments from the Trump administration, Troutman Sanders is uniquely positioned to help its clients successfully resolve problems and stay ahead of the compliance curve.  

In this report, we share developments on consumer class actions, background screening, bankruptcy, FCRA, FDCPA, payment processing and cards, mortgage, auto finance, the consumer finance regulatory landscape, cybersecurity and privacy, and TCPA. 

We hope you find this helpful as you navigate the evolving consumer financial services landscape.

Access full report here.