The FCRA, FTC Settlements and the Ties to big Data and Security

I was thinking about the recent settlement between the FTC and Telecheck Services, Inc. and realized another connection between my Fair Credit Reporting Act ("FCRA") practice and the work I do with big data and data security – FTC settlements.    In 2007, I wrote an article with Mike Lamb for the American Corporate Counsel titled Defining Data Security Measure that Protect your Company and Customers. The article made one point that has been repeated often and recently, namely that the FTC is creating security standards via enforcement actions.  The FTC and the New Common Law of Privacy Whether complying with the FCRA or implementing sound information security practice, the result is the same.  Announcing broad standards and stating what should not be done provides little guidance as to what conduct is acceptable.

There has been little guidance from the FTC on some of the more technical points for complying with the FCRA.  While the FTC's 2011 40 Year Report provides a good summary of decisions from the Courts and informal opinions by the FTC, it had been twenty-one years since the previous publication.  This recap however provides little guidance in how to conform twenty-first century practices to the language of the FCRA written in 1972.  Indeed, the decision to no longer provide advisory opinions has further hampered the ability of companies to navigate the legal complexities of the FCRA.  With the transfer of interpretive guidance to the Consumer Finance Protection Bureau, the FTC appears to have turned to enforcement actions.

While there have been enforcement actions relative to misuse of consumer report data, for example, for marketing purposes (see, Spokeo), there have been few actions relative to the day-to-day operations of regulated entities, until recently.  The settlement with Telecheck appears to reveal a trend which includes the recent settlements with Certegy and HireRight  The FTC is using its enforcement authority to announce its position on many issues that have been the subject of debate and litigation.  The problem however is that these settlements provide insufficient visibility into why the practices of Telecheck, Certegy or HireRight were insufficient and so clarity into the requirements of the FCRA.

For example, TeleCheck Services, Inc. agreed to pay the FTC $3.5 million, the same amount that Certegy agreed to pay the FTC.  TeleCheck, based in Houston, Texas, is a consumer reporting agency used by retail merchants throughout the United States to determine whether to accept consumers’ checks. The FTC’s complaint alleges, among other things, that TeleCheck did not follow proper dispute procedures, including refusing to investigate disputes. The complaint also alleges that TeleCheck failed to follow reasonable procedures to assure the maximum possible accuracy and failed to promptly correct errors on consumers’ reports.  These same claims were made against Certegy.  In neither case was sufficient information disclosed as to the problem nor was direction provided in the settlement as to what conduct would comply with the FCRA's requirements.  As the FCRA permits a consumer reporting agency to request additional information from the consumer, a blanket statement that TeleCheck required information from the consumer provides little guidance.  Notwithstanding the broad statement made in the complaints and settlements, we can only guess that TeleCheck and Certegy failed to forward these disputes to the furnisher of the information or otherwise failed to contact the source of the information for clarity.

The FTC's settlement with Certegy includes another example of where what is publicly available provides really no guidance for compliance. The FTC found that Certegy required "more information than is reasonably necessary to properly identify the consumers before Certegy provides their annual file disclosure." The FTC acknowledged that a consumer reporting agency is permitted by §1681h to verify the identity of the inquirer before disclosing sensitive file information. However, the complaint does not go into detail of what Certegy required. As a result, the complaint (nor any other document) provides guidance as to what is prohibited or permitted to comply with §1681h.

HireRight provides yet another example. HireRight settled with the FTC, paying $2.6 million in fines.  Among other claims, the FTC alleged that HireRight failed to (1) report the current public record status of consumers’ information, such as expungement of a criminal record; (2) follow reasonable procedures to prevent the inclusion of multiple entries for the same criminal offense in the same report; and (3) follow reasonable procedures to prevent the provision of obviously erroneous consumer report information to employers, such as purported information on a single consumer that included records of other consumers with different names, dates of birth, or other identifiers that are available in the public record.”  The complaint and settlement provided little detail of HireRight's accuracy practices.  Having worked with consumer reporting agencies for ten years, this is a difficult issue to address as what is reasonable varies greatly depending on the source of the information and the intended use of the product.  The use of alias's and identity theft has further complicated this process.  Indeed, what might be appropriate in the employment context may not be reasonable in other contexts.

With a total of almost $10 million in fines and related private litigation, it is important for businesses to carefully navigate the often technical requirements of the FCRA.  Absent clearer guidance from the FTC or CFPB, companies are left to rely on sound judgment based on current trends in litigation and regulatory enforcement actions.  Simply because it has worked in the past, even for multiple years, does not mean it will stand up to regulatory scrutiny.  Just as with data security and privacy, now is the time to be proactive in reviewing and modifying FCRA process and procedures.  Likewise, these practices in dealing with big data in the context of the FCRA may provide guidance as companies anticipate regulations as to other data practices.