
InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court Upholds $60 Million Jury Verdict for Credit Reporting Agency’s Use of OFAC Alert

    Courts

    On November 7, the Northern District Court of California upheld a $60 million jury verdict against a credit reporting agency regarding the use of its OFAC Alert (previously covered by InfoBytes). The verdict stems from a 2012 class action lawsuit in which the plaintiffs alleged the defendant had failed to distinguish law-abiding citizens from drug traffickers, terrorists, and other criminals with similar names found on the Treasury Department’s OFAC database. Following the defendant’s motion for judgment as a matter of law or a new trial, the district court agreed with the jury’s findings that the defendant (i) “willfully fail[ed] to follow reasonable procedures to assure the maximum possible accuracy of the OFAC information it associated with members of the class”; (ii) “willfully failed to clearly and accurately disclose OFAC information in the written disclosures it sent to members of the class”; and (iii) “failed to provide class members a summary of their FCRA rights with each written disclosure made to them.”

    Courts FCRA OFAC Credit Reporting Agency Consumer Finance

  • District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

    Privacy, Cyber Risk & Data Security

    On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

    As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Consumer Finance State Legislation Data Breach

  • Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out

    Privacy, Cyber Risk & Data Security

    On September 27, interim CEO Paulino do Rego Barros Jr. spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for its credit monitoring services and free credit freezes through the end of January 2018. He also made the commitment that by January 31, the agency will offer a new service for consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.

    On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach Senate Judiciary Subcommittee Consumer Finance

  • Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

    Privacy, Cyber Risk & Data Security

    The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

    Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced that she had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair and deceptive acts and practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

    NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo released a notice directing the New York Department of Financial Services (NYDFS) to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

    State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. The letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency State AG NYDFS Enforcement Data Breach

  • Credit Reporting Agency Announces Widespread Consumer Data Breach

    Privacy, Cyber Risk & Data Security

    On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identity theft protection.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach

  • Eleventh Circuit Rules Credit Reporting Agency Did Not Willfully Violate FCRA

    Courts

    In an August 24 opinion, the U.S. Court of Appeals for the Eleventh Circuit held that a credit reporting agency had not interpreted the Fair Credit Reporting Act (FCRA) in an “objectively unreasonable” manner when it included in a plaintiff’s credit report that the plaintiff was an authorized user of her parents’ delinquent credit card account. In doing so, the appellate court upheld the Georgia district court’s decision to dismiss the class action lawsuit over allegations that two credit reporting agencies failed to take reasonable precautions to ensure the accuracy of the plaintiff’s credit score. The appellate court concluded that including the information was a reasonable interpretation of the FCRA obligation to “follow reasonable procedures to assure the maximum possible accuracy” of the reported information—meaning the report must be technically accurate. Because this interpretation was not objectively unreasonable, the plaintiff could not plead that the violations were willful.

    The case concerned a plaintiff who was designated as an authorized user of her parents’ credit card when they became ill. After the plaintiff’s parents died, the account went into default, and the credit card company reported the default to consumer reporting agencies listing the consumer as an authorized user, which caused her credit score to drop by 100 points. The credit card company—responding to the plaintiff’s complaint over the inaccurate information—interceded in the matter with the credit reporting agencies. The information was expunged from the plaintiff’s report and her credit score returned to its prior level. The plaintiff then filed a consumer class action complaint in 2015, contending that the consumer reporting agencies had violated their duty under the FCRA when they failed to take reasonable precautions to ensure the accuracy of her credit score.

    At issue, the appellate court opined, was which interpretation should be applied when determining “maximum possible accuracy,” which, depending on differing court opinions, might mean (i) making certain that any included information is “technically accurate,” or (ii) ensuring the information is not only technically accurate but also not misleading or incomplete. The appellate court asserted that while the first interpretation was a less exacting reading of the FCRA, the plaintiff failed to cite any judicial precedents or agency interpretive guidance advising that reporting authorized user information was a violation. Further, the plaintiff failed to show that the credit reporting agency reported false information.

    Of note, the appellate court determined the plaintiff had shown an “injury in fact” and had standing to sue based on the following reasons: (i) reporting inaccurate credit information “has a close relationship to the harm caused by the publication of defamatory information,” which has long provided a basis for a cause of action; (ii) a concrete injury was allegedly sustained due to time spent resolving the problems resulting from the credit inaccuracies; and (iii) the plaintiff was affected personally because her credit score fell due to the reported information.

    Courts Credit Reporting Agency Appellate Eleventh Circuit FCRA
