Home | What's New | Topics | Resources

What's New

 

The Importance of Internal Security Safeguards

Payment Card ABC's for Auto Dealers

New Risk-based Pricing Rule Alert for Auto Dealers

Recent Case Involving Fraud Alerts On Credit Files Shows How Broadly State UDAP Laws Can Be Interpreted

by Randy Henrick

We've all seen the commercials for LifeLock, a so-called identity protection service.  The company's founder posts his Social Security number on a big truck and drives around daring anyone to try to steal his identity.  No matter that about 20 people have done so.  It's a good marketing gimmick and LifeLock has signed up millions of U.S. consumers hoping to protect the privacy of their personal information using LifeLock.  But a recent court decision in California will limit LifeLock's activities and perhaps lessen the number of fraud alerts you will see placed on consumer credit files.  A federal district court in California ruled that LifeLock cannot put initial fraud alerts on its customers' credit files.  But that's not the only lesson for your dealership from this decision.

First the facts.  It turns out that one of LifeLock's main ways to protect their clients' identities is to put an automatic initial fraud alert on every client's credit file and keep renewing them every 90 days. (Initial fraud alerts expire after 90 days unless affirmatively renewed each time).  Fraud alerts were established by the 2003 FACT Act and added to the federal Fair Credit Reporting Act ("FCRA") to help prevent identity theft. They give a consumer the right to place an alert on their credit file if they believe they are or may become the victim of identity theft.  A fraud alert provides a contact number for a potential creditor's use to verify the consumer's identity.  Fraud alerts on a credit file are one of the FTC's suggested "Red Flags" and require a greater level of due diligence by the creditor in verifying the identity of their customer.

According to the credit bureaus, the problem was that due to the activities of companies like LifeLock, fraud alerts were appearing and being consecutively renewed on millions of credit files to the point where some creditors allegedly were not taking them seriously.  Placing fraud alerts on credit files also costs credit bureaus administrative expenses to enter the data, provide the information to the other credit bureaus, monitor the expiration date, and include the customer's contact data (often, a generic phone number to an identity protection company that would in turn call the consumer at their real number).  Besides, and maybe more significantly, LifeLock was a competitive threat to Experian's own credit monitoring services.  When Experian was unable to block LifeLock's massive telephone data dumps placing fraud alerts on millions of clients' accounts simultaneously, Experian decided to sue.

Experian has no right to sue LifeLock under the FCRA which governs fraud alerts.  So Experian's complaint principally relied on the California Unfair Competition Law (Cal. Business and Professions Code Section 17200 et seq.).  They alleged various unfair and deceptive practices ("UDAPs") claims for violating the FCRA.  The claims were somewhat technical and turned on whether the FACT Act allowed corporations ("persons") or only a consumer acting alone ("individuals") to place a fraud alert on the credit file of another consumer.  Experian argued that use of the word "individual" (defined by the FCRA to mean a consumer) as opposed to the word "person" (which includes both consumers and corporations) meant that a corporation could not put a fraud alert on a consumer's credit file.  Experian cited a House of Representatives report accompanying the FACT Act.  The House Report said "A request for a fraud alert must be made directly by a consumer, or directly by an individual acting on behalf of or as a personal representative of the consumer.  The Committee used the word "individual:" instead of "person" to ensure that the provision would only apply to specific individuals . . . and not to companies such as credit repair clinics."

ILifeLock's main defense was that since Experian couldn't sue under the FCRA, it couldn't sue indirectly under another law citing alleged FCRA violations.  Besides, LifeLock's activities furthered the FCRA's policy of preventing identity theft.  However, the Court ruled under the California Unfair Competition Law-a law not different from many other states' UDAP laws- quite broadly to decide against LifeLock.  Consider the following language from the opinion:

[The California law] prohibits any "unfair or fraudulent business act or practice."  The "unfair" standard of the second prong of [the law] provides an independent basis for relief.  It makes clear that a practice may be deemed unfair even if not specifically proscribed by some other law.  The section was intentionally framed in its broad, sweeping language, precisely to enable judicial tribunals to deal with the innumerable new schemes which the fertility of man's invention would contrive. (Citations omitted).

Wow.  Things the fertility of man's invention would contrive.  This is very broad language that you would be well advised to share with your sales and F&I people or post in their offices for how low the legal standard can be to sue and recover for an unfair trade practice.  Don't think the plaintiffs' lawyers won't notice.

The Court then ruled that the language of the FCRA and the House Report established a public policy against companies like LifeLock placing fraud alerts on behalf of consumers and thus LifeLock engaged in an unfair business practice under the California law.    Experian could recover its costs and damages of allocating resources and employee time, maintenance costs of toll-free telephone numbers and WebPages used to accept fraud alert requests, as well as printing and postage costs of mailing disclosure letters to consumers.

The Court did not seem terribly impressed with the public policy of the FACT Act and the FCRA to prevent identity theft, the very purpose for which fraud alerts were expressly established.  It would seem logical that preventing identity theft would be a more compelling public policy than saving credit bureaus money by prohibiting corporations to perform services for their customers, but the Court obviously felt otherwise.  Lawyers often say that "bad facts or bad defendants make bad law" and this may be an example of exactly that.

Nevertheless, there are two important lessons you should take away from this case, even if you are not located in California:

1. Never underestimate the creativity of a plaintiff's lawyer or the willingness of a court to interpret a UDAP law to cover almost any business practice. If saving credit bureaus money is a "public policy" more compelling than protecting consumers against identity theft, anything is possible.

2. Pay careful attention to fraud alerts and follow the means contained in them to contact the consumer. Fraud alerts should be a red flag in every dealer's Red Flags Identity Theft Prevention Program and since they will no longer be put in place on a mass basis by LifeLock, you should assume every one represents the real consumer's concerns from their personal experience that may suggest they are at risk of or have been victimized by identity theft. Move fraud alerts up a notch on your Red Flags priority list because the argument that "LifeLock puts them on everybody so they may not be legitimate" is no longer the case.

Experian Information Systems v. LifeLock, Inc., 2009 U.S. Dist. LEXIS  44010 (C.D. Cal. May 19, 2009).

Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc.  This article is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations.

Terms and Conditions | About Us | Contact Us | Privacy Notice