When is a report not a “consumer report?” When it’s only used to prevent identity theft.

February 5, 2016

This month’s post will be about a 2014 case that recently caught my eye:  Bickley v. Dish Network, LLC, 751 F.3d 724 (6th Cir. 2014).  The gist of the case is that somebody stole plaintiff Greg Bickley’s social security number, called a Dish retailer, and tried to open a satellite TV contract, using the stolen SSN.  (The identity thief cleverly identified herself on the phone as “Gregina Dickley”).  The retailer pulled reports from Trans Union, Equifax, and Experian to find out whether the caller’s name (“Gregina Dickley”) matched the social security number that she provided.  All three said that no, it didn’t, so the identity thief was foiled.  

The lawsuit came about when Mr. Bickley saw (on a later credit report) that Dish had pulled a report about him.  He didn’t remember allowing Dish to do that, so he filed suit, alleging that Dish violated the FCRA’s permissible purpose provision, at 15 U.S.C. Sec. 1681b.  Dish ultimately prevailed:  the district court held, and the Sixth Circuit affirmed, that it was okay, even laudable, for a business to try and thwart identity theft by pulling reports from the bureaus (as Dish’s retailer had done).  Dish’s retailer had a permissible purpose to pull a report to thwart theft, so there was no FCRA violation.

That’s background; it’s not why I’m writing this post.  I am writing this post because in getting to the final holding, the Sixth Circuit asked whether the kind of report that Dish’s retailer pulled was in fact a “consumer report.” If it was, then Bickley could claim that Dish violated the FCRA.  If it wasn’t, he couldn’t.  Here’s what the Sixth Circuit said:

The [Dish retailer] inputted Dickley’s name and social security number into an interface that connects to three credit reporting agencies: Equifax, Experian, and TransUnion.  The agencies followed a “waterfall” process as they attempted to cross-verify that the information matched. The basic process was as follows: the first agency assessed whether the social security number corresponded to the consumer’s name. If a match was found, in this instance by Equifax, it would inform American Satellite that the person was “Approved;” but if the search revealed a “Declined No Hit” response, Equifax would send the consumer’s information to a second agency, Experian, to run the information through a similar cross-verification process. If this second search also returned a “Declined No Hit” response, Experian would forward the information to a third credit agency, TransUnion, which would run the information through its databases. If TransUnion also returned a “Declined No Hit” response, it would forward this final determination to the requesting company….

Bickley contests the district court’s determination that Dish did not receive a “consumer report”…..

[While] the credit inquiries resulting in a “Declined No Hit” response (1 & 2) and [] the ambiguously termed “Header Information” (3) are not “consumer reports,” the Decision Detail Report (4) appears to be a consumer report. Both parties acknowledge that the Decision Detail Report contains an “Echostar Risk” number, which is “based on the number of consumer initiated inquiries in the past 12 months, length of time bank revolving accounts have been opened, length of time accounts have been opened, and the percent of accounts opened in the past 24 months versus total accounts reported in the past 12 months.” R. 42-2, Decision Detail Report, PageID # 471. The Echostar Risk number clearly has bearing on a consumer’s credit worthiness, and therefore is a “consumer report” as defined under 15 U.S.C. Sec. 1681a(d)(5).

Taken altogether, there is sufficient evidence for a rational trier of fact to find that there was a “consumer report” within the meaning of the statute, meaning that Bickley has satisfied the first element of his claim for improper use of a credit report.

Why is this interesting to me?  Because it suggests that end users (like Dish’s retailer) and consumer reporting agencies (like the bureaus and others) could create a special “identity theft prevention report” that would not be a “consumer report” and would not subject the end user or the agencies to any potential FCRA liability.  It appears that here, Dish’s retailer ordered a kind of “combined report”: it had an identity-theft component (the “waterfall” that checked to see whether a person’s name matched the social security number that he provided), and it also had a traditional credit component (the “Echostar Risk number” that provided some detail on the person’s credit history).  The Sixth Circuit held that this “combined report” was subject to the FCRA, because of the credit history component.

However, there is no reason why an end user would need to order a combined report:  it might well ask for (or be provided with) an opportunity to run the “identity theft prevention report” first, which, if and only if it came back showing no sign of identity theft, would be followed (perhaps automatically) by a full credit report.

Structuring the report in this way would require some work, and given the costs and the (low?) risk of FCRA liability, the companies that sell and use these reports might decide not to bother.

But how low is the risk of FCRA liability, really?  Suppose that a consumer calls a creditor himself to try and open the account; the creditor pulls a combined report to assess identity theft, and the creditor turns the consumer down because the report says (incorrectly) that the consumer is not who he claims to be.  In a situation like that, the consumer would have grounds to sue under the FCRA, because:  a) the combined report is a consumer report and thus subject to the FCRA; and b) the consumer has arguably suffered some harm.

The hypothetical that I’ve just given is probably not uncommon, at least in a country that generates millions of credit inquiries each day.  It might very well make sense for some agencies – especially agencies that are not Experian, Equifax, and Trans Union, but who do have the capacity to cross-check a name and/or date of birth against a social security number – to limit their reports to just that kind of cross-checking.  Doing so would likely avoid any risk of FCRA liability, at least under the Sixth Circuit’s analysis in Bickley.