InfoBytes Blog

Financial Services Law Insights and Observations

  • 7th Circuit affirms summary judgment for consumers in FDCPA suit

    Courts

    On May 2, the U.S. Court of Appeals for the 7th Circuit affirmed four district court decisions granting summary judgment in favor of consumers who alleged a debt collector violated the Fair Debt Collection Practices Act (FDCPA) by communicating debts to credit reporting agencies without indicating the debts were disputed. According to the opinion, the debt collector sent the four consumers a debt validation notice regarding an alleged credit card debt. More than 30 days later, a local legal aid organization sent the debt collector’s general counsel a notice of representation for each of the four consumers, noting, “the amount reported is not accurate.” After the attorney letters were sent, the debt collector reported the debts to the credit reporting agencies. The consumers each filed a separate action in district court alleging a violation of the FDCPA, and each district court granted the consumer summary judgment, finding the debt collector did not handle the letters properly. In the consolidated appeal, the 7th Circuit agreed with the district courts, holding that the actions of the debt collector were “a clear violation of the statute” as each attorney letter stated the amount was inaccurate and the debt collector still reported the debts without noting they were disputed. While the panel noted that there is no clear definition of “dispute” under the FDCPA, the court concluded, “there is simply no other way to interpret [the] language” of the attorney letter, rejecting the debt collector’s “bona fide error defense.”

    Courts Seventh Circuit Appellate FDCPA Credit Reporting Agency Debt Collection

  • Senators release report on credit reporting agency from data in CFPB’s public complaint database

    Federal Issues

    On April 30, three Democratic Senate Banking Committee members released a report addressing publicly available complaints the CFPB received regarding the 2017 data breach announcement by a national credit reporting agency. In a letter to the CFPB, which accompanied the release of the report, the Senators encouraged the Bureau to “hold [the credit reporting agency] accountable and act quickly and decisively to protect the millions of consumers harmed by the breach.” Additionally, the Senators urged the CFPB to continue to keep consumer complaints public, citing recent remarks by Mulvaney that the database would soon be removed from public view. According to the report, within six months of the data breach announcement—which reportedly affected 143 million American consumers—the CFPB received over 20,000 complaints against the company. Of the 20,000 complaints, the issues consumers mentioned include (i) “improper use of a credit report after the breach”; (ii) “incorrect information on credit report”; (iii) “[Company]’s inadequate assistance in resolving problems after the breach”; and (iv) “[Company]’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products.” The report also cites specific narratives from consumer complaints that were available through the CFPB’s consumer complaint database.

    Federal Issues CFPB Consumer Complaints Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

  • District court grants partial summary judgment, rules bank did not violate federal and state fair credit reporting laws

    Courts

    On April 25, the U.S. District Court for the Northern District of California granted a bank’s partial motion for summary judgment, holding that a Fair Credit Reporting Act (FCRA) disclosure and authorization form (disclosure form) completed by the plaintiff as part of the bank’s background check hiring process did not violate federal and state fair credit reporting laws. The plaintiff—who brought the proposed class action suit following the bank’s decision not to hire plaintiff following an offer of employment that was contingent upon a satisfactory background check—asserted claims under the FCRA, the California Investigative Consumer Reporting Agencies Act (ICRA), and the California Consumer Credit Reporting Agencies Act (CCRA), including that (i) the disclosure form was not a standalone document; (ii) the disclosure did not accurately identify the investigative consumer reporting agency; and (iii) the bank failed to comply with CCRA disclosure requirements.

    Addressing whether the disclosure form, which “appeared as a separate and distinct web page separated from the rest of the documents,” violated the FCRA, the court ruled that because it “was a stand-alone document that contained no extraneous information or liability waiver” it was in compliance. The court also determined that the bank did not violate the ICRA because it was only required to disclose the agency it engaged to provide an investigative consumer report, not the various sources the agency itself may have used when conducting its investigation. Finally, the court ruled that the plaintiff’s argument that the disclosure form failed to comply with the CCRA lacked merit because—although the bank could not apply an exemption under state law to the section allegedly violated—the bank’s disclosure form complied with the CCRA’s disclosure requirements, and furthermore, the bank was not required to disclose the reasons for requesting the report nor the “various repositories” of information the disclosed source used when compiling the report.

    Courts State Issues FCRA Credit Reporting Agency Disclosures

  • State judge says Massachusetts can sue credit reporting agency over data breach

    Privacy, Cyber Risk & Data Security

    On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts Attorney General plausibly suggests that the company violated such regulations by knowing of certain vulnerabilities and failing to properly address them. As previously covered by InfoBytes, Massachusetts was the first state to file an action against the credit reporting agency after its September 2017 announcement of a data breach which affected over 143 million consumers.

    Privacy/Cyber Risk & Data Security Courts State Attorney General State Issues Data Breach Credit Reporting Agency

  • States pass bills amending security freeze laws

    State Issues

    On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on such record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows for a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 becomes effective on January 1, 2019.

    On March 30, the Kentucky governor signed HB 46, which updates Kentucky’s security freeze law to, among other things, allow a consumer to request a security freeze by methods established by the credit reporting agency in addition to written notification, and remove the requirement that a security freeze expire after seven years. The law continues to allow for a charge of up to ten dollars for the placement, temporary lift, or removal of a security freeze unless the consumer is a victim of identity theft and provides the credit reporting agency with a valid police report. The law is effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.

    State Issues State Legislation Security Freeze Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

  • Multiple states update security freeze legislation

    State Issues

    On March 23, the Governor of Tennessee signed HB 1486, which prohibits credit reporting agencies from charging a fee to a consumer for the placement or removal of a security freeze if the need to place or remove the security freeze was caused by the credit reporting agency. Tennessee already prohibited charging a fee for a security freeze if the consumer is a victim of identity theft and presents a copy of a police report (or other official documentation) to the credit reporting agency at the time of the request. Under Section 47-18-2108 of the Tennessee Code Annotated, the state still allows charging a fee of up to seven dollars and fifty cents for all other placements of a security freeze and up to five dollars to permanently remove a security freeze. HB 1486 is effective immediately.

    On March 20, the Governor of Idaho signed SB 1265, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the first placement of a security freeze and for the first temporary lift of a security freeze during a twelve-month period. The law allows for a fee of up to six dollars for the second placement or temporary lift within a twelve-month period. SB 1265 still allows for a fee of up to $10.00 for the reissuance of a personal identification number or password. The legislation is effective July 1.

    State Issues Security Freeze Credit Reporting Agency Data Breach State Legislation Privacy/Cyber Risk & Data Security

  • Florida prohibits fees for security freezes

    State Issues

    On March 21, the Florida governor signed HB 953, which prohibits credit reporting agencies from charging any fee to consumers or their representatives for “placing, removing, or temporarily lifting” security freezes on a credit report. Previously the state allowed for a fee of up to $10 to use the service. HB 953 still allows a consumer reporting agency to charge a fee of up to $10 for replacing or reissuing a personal identification number or password. The legislation is effective July 1.

    State Issues Security Freeze Credit Reporting Agency Data Breach Privacy/Cyber Risk & Data Security

  • States enact data breach notification laws; Oregon prohibits fees for security freezes

    Privacy, Cyber Risk & Data Security

    On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.

    A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:

    • Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
    • Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach Credit Reporting Agency Security Freeze State Legislation

  • Multiple states address cost of security freezes

    State Issues

    On March 19, the Michigan governor signed legislation, HB 5094, which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a fee of up to $10 to use the service, if the consumer had not previously filed a police report alleging identity theft. HB 5094 is effective immediately.

    On March 15, the Utah governor signed legislation, HB 45, which amends the Utah Consumer Credit Protection Act to prohibit CRAs from charging a fee in connection with placing or removing a security freeze. Additionally, the bill prohibits CRAs from charging a fee in connection with mobile applications through which a consumer would place or remove a security freeze. The legislation outlines the manner in which a consumer may request a security freeze and the requirements CRAs must follow in responding to the requests. Previously, Utah allowed CRAs to charge a “reasonable fee” in connection with a security freeze service.

    State Issues Credit Reporting Agency Privacy/Cyber Risk & Data Security Data Breach Security Freeze State Legislation

  • CFPB reviews removal of public records from credit reports

    Consumer Finance

    On February 22, the CFPB released a report finding that the removal of public records from consumer credit reports may have had an effect on consumers’ credit scores. The report reviewed the impact of the civil public records minimum information standards established pursuant to the National Consumer Assistance Plan (NCAP) – an initiative launched by the top three U.S. credit reporting agencies (CRAs) as a result of settlement agreements between the CRAs and over 30 state attorneys general. Starting in July 2017, the NCAP required public records furnished to the CRAs to include a name, address, and social security number and/or date of birth and required the records be refreshed every 90 days. According to the report, prior to the NCAP, six percent of consumers had a civil judgment or tax lien on their credit report; after the NCAP implementation, the CFPB found that only 1.4 percent of consumers had a tax lien on their credit report and zero consumers had civil judgments. However, the report notes that while there was a significant drop in the overall reporting of public records, only six percent of those affected by the NCAP’s new reporting requirements experienced an increase from “deep subprime or subprime credit scores in June before the standards took effect and rose to near prime or above in September.” The CFPB noted in a blog release that the Bureau cannot assess scoring-model accuracy because it requires two years of data following the implementation of new standards to perform the analysis.

    Consumer Finance CFPB Credit Reporting Agency
