June 4, 2014

No Punishment for This Good Deed: Sixth Circuit says Preventing Identity Theft is a Legitimate Business Need that Justified a Good Faith Request for a Consumer’s Credit Report

Written By

No one wants their personal information misused or misplaced, especially if “Identity Theft” results.  Various federal and state laws require holders of personal information to take precautions to protect it.  And the law can provide remedies when businesses misuse what a consumer provides to them.  For example, FCRA (the Fair Credit Reporting Act of 1970) is designed to protect consumer privacy while promoting efficiency in the nation’s banking system. Toward this end, FCRA regulates the permissible uses of “consumer reports” that summarize credit history and credit worthiness, and provides a private right of action allowing injured consumers to recover for negligent and willful violations. But these remedies are to curb misuse, promote safeguarding of information, and to compensate the injured, not just to fuel sensational lawsuits, as one Kentucky plaintiff recently discovered.

Under established Kentucky law, businesses that use credit checks for consumer-initiated transactions have a legitimate business need when the check is to assess eligibility for a business service. In a May 13 ruling, the Sixth Circuit Court of Appeals determined the legitimacy of the check is not diminished just because the inquiry comes from an imposter, a decision that should put an end to hyper-technical attacks on sound business processes that prevent subscription fraud for consumer services.

Dissecting the matter
In 2009, an imposter tried to order satellite TV service by telephone using a fake name derived from the real name of an unknowing person. Unfortunately for that real person, the imposter also had his Social Security number and used it as part of the scheme.

The provider’s agent took the order and ran a computerized check to cross-verify the personal information. The automated response from a national credit reporting agency was “Declined No Hit” and the order was rejected after two additional credit agencies responded the same way. Since the provider did not accept the phony service order, the would-be thief failed in the attempt to defraud Dish – and also prevented a false subscription that could have harmed the innocent consumer.

Was the provider awarded a gold star for preventing the chicanery? No. Was the matter over? No, wait for it…

As it turned out, the short conversation between the identity thief and the agent provided “the humble origins” for a federal lawsuit in Kentucky against Dish Network and Equifax Information Services, alleging not only FCRA violations, but also intentional infliction of emotional distress. Two weeks after the attempted fraud against Dish, Mr. Bickley learned the provider had made some form of credit inquiry under his name. Indeed, Dish had even contacted him, informing him of the impersonation attempt, and provided a recording of the phone conversation between “Crgringina Dickley” (sic) and its sales representative. Despite this, a year later, Bickley sued.

A federal district court in Louisville granted summary judgment to Dish. The lower court said that accessing Brinkley’s information for “a legitimate business need” – such as confirming the identity of a caller and determining their creditworthiness – satisfied FCRA’s requirements for permissible use of a “consumer report.”

On appeal, Bickley fared even worse at the Sixth Circuit, which was highly critical of the plaintiff and his lawyers’ tactics. As the Court put it, observing that Bickley filed his lawsuit despite knowing that Dish had prevented the theft of his identity, “…this is a case about identity theft and apparently reflects the axiom that no good deed should go unpunished.”

As for the common law claims of emotional distress and “loss of privacy” the Court found it odd that despite having more than a dozen other credit inquiries on his report, Bickley only sued over the one inquiry that caused Dish to receive a consumer report that enabled it to prevent ID theft.

Dish itself didn’t think much of the claims and responded to the suit with a counterclaim for abuse of process. The district judge dismissed that claim due to a pleading defect, and the Circuit Court affirmed.  However, the Court dropped a hint at the end of the opinion:  “Although we dismiss Dish’s claim for abuse of discretion, we want to make clear that we are not addressing the propriety of Rule 11 sanctions.”  In other words, an invitation for Dish to return to district court and move for sanctions based on the frivolous arguments of plaintiff that were unsupported by any caselaw and easily rejected by both courts.