Equifax Information Services LLC, one of the countries "big three" consumer reporting agencies, has settled charges with the FTC that it improperly sold lists of consumers who were late on their mortgage payments in violation of the FTC Act and the Fair Credit Reporting Act ("FCRA"). Equifax will pay $393,000 to resolve allegations that it maintained inadequate procedures to protect consumer information and ultimately sold records containing information about millions of consumers, including sensitive information such as credit scores and mortgage delinquency data, to an entity (Direct Lending Source, Inc.) that did not have a legitimate right to receive such information. Under the FCRA, companies may only obtain a prescreened list to make "firm offers of credit or insurance"—offers that will be honored if consumers meet pre-selected criteria. In addition to bringing action against Equifax, the FTC also had the Justice Department file a complaint against Direct Lending and its related entities. According to that complaint, Direct Lending did not have a legally permissible purpose to obtain the prescreened lists from Equifax, and in addition, improperly sold the information from the prescreened lists to third parties to market products to consumers in financial distress. Direct Lending and its affiliates will pay a $1.2 million civil penalty to settle the charges. Equifax's role in the alleged legal violations was in failing to investigate Direct Lending's activities after discovering that Direct Lending was violating Equifax's policies on prescreening. Equifax was also alleged to have insufficient procedures in place to protect the consumer information sold to Direct Lending as part of prescreened lists. Equifax has agreed to improve its procedures surrounding sharing of prescreened lists, as well as to pay almost $400,000 in civil penalties.
TIP:This case is a reminder to companies to think not only about whether there are restrictions on sharing personally identifiable information under various federal or state laws (like the FCRA), but also to conduct diligence to ensure that third parties who receive information will treat it properly. This case shows the FTC's willingness to pursue an entity that shares information with a third party when it is the third party that misuses the information.