Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events


Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • Credit Reporting Agency Announces Widespread Consumer Data Breach

    Privacy, Cyber Risk & Data Security

    On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identify theft protection.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach

    Share page with AddThis
  • Eleventh Circuit Rules Credit Reporting Agency Did Not Willfully Violate FCRA


    In an August 24 opinion, the U.S. Court of Appeals for the Eleventh Circuit held that a credit reporting agency had not interpreted the Fair Credit Reporting Act (FCRA) in an “objectively unreasonable” manner when it included in a plaintiff’s credit report that the plaintiff was an authorized user of her parents’ delinquent credit card account. In doing so, the appellate court upheld the Georgia district court’s decision to dismiss the class action lawsuit over allegations that two credit reporting agencies failed to take reasonable precautions to ensure the accuracy of the plaintiff’s credit score. The appellate court concluded that including the information was a reasonable interpretation of the FCRA obligation to “follow reasonable procedures to assure the maximum possible accuracy” of the reported information—meaning the report must be technically accurate. Because this interpretation was not objectively unreasonable, the plaintiff could not plead that the violations were willful.

    The case concerned a plaintiff who was designated as an authorized user of her parents’ credit card when they became ill. After the plaintiff’s parents died, the account went into default, and the credit card company reported the default to consumer reporting agencies listing the consumer as an authorized user, which caused her credit score to drop by 100 points. The credit card company—responding to the plaintiff’s complaint over the inaccurate information—interceded in the matter with the credit reporting agencies. The information was expunged from the plaintiff’s report and her credit score returned to its prior level. The plaintiff then filed a consumer class action complaint in 2015, contending that the consumer reporting agencies had violated their duty under the FCRA when they failed to take reasonable precautions to ensure the accuracy of her credit score.

    At issue, the appellate court opined, was which interpretation should be applied when determining “maximum possible accuracy,” which, depending on differing court opinions, might mean (i) making certain that any included information is “technically accurate,” or (ii) ensuring the information is not only technically accurate but also not misleading or incomplete. The appellate court asserted that while the first interpretation was a less exacting reading of the FCRA, the plaintiff failed to cite any judicial precedents or agency interpretive guidance advising that reporting authorized user information was a violation. Further, the plaintiff failed to show that the credit reporting agency reported false information.

    Of note, the appellate court determined the plaintiff had shown an “injury in fact” and had standing to sue based on the following reasons: (i) reporting inaccurate credit information “has a close relationship to the harm caused by the publication of defamatory information,” which has a long provided basis as a cause of action; (ii) a concrete injury was allegedly sustained due to time spent resolving the problems resulting from the credit inaccuracies; and (iii) the plaintiff was affected personally because her credit score fell due to the reported information.

    Courts Credit Reporting Agency Appellate Eleventh Circuit FCRA

    Share page with AddThis