Tenth Circuit Permits Trade Group Challenge to New Mexico Fair Credit Reporting Act

FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

On May 7, the U.S. Court of Appeals for the Tenth Circuit published an opinion that a trade group has standing to sue the Attorney General of New Mexico over that state’s credit reporting and identify theft requirements. Consumer Data Industry Assoc. v. King, No. 11-2085, 2012 WL 1573563 (10th Cir. May 7, 2012). In 2010, New Mexico enacted the Fair Credit Reporting and Identity Security Act, which, among other things, requires consumer reporting agencies (CRAs) to oblige a consumer’s request to remove credit report information resulting from identify theft until told otherwise by a court or the requesting consumer. The Consumer Data Industry Association challenged the law on behalf of its members, arguing that the state law is preempted by the federal Fair Credit Reporting Act (FCRA). Under FCRA, a CRA can deny a consumer request to remove information based on identify theft if the CRA reasonably determines that the request is fraudulent or erroneous. The district court held that the CDIA failed to prove redressability and therefore lacked constitutional standing to sue. The Tenth Circuit vacated the district court holding and ordered further proceedings. It found that federal courts consistently have found a case or controversy in suits between private parties subject to enforcement and the state entity responsible for enforcement and that if a plaintiff faces a credible threat of enforcement, redressability is established. Here, the court held, the threat of enforcement faced by the CDIA members is sufficient to provide standing to sue for both injunctive and declaratory relief.