A federal court in California has ruled that the Fair Credit Reporting Act, 15 U.S.C. 1681 (FCRA), does not authorize companies to set fraud alerts on behalf of consumers. Experian Information Systems, Inc. v. LifeLock, Inc., C.D. Cal. No. SA-CV-08-00165 AG (MLGx). If upheld, this decision may limit the types of identity theft protection services that companies can offer, placing the onus on consumers to set fraud alerts themselves by directly contacting one of the national credit bureaus.
Initial Fraud Alerts
Under the FCRA, a consumer who asserts a good faith suspicion of fraud or a related crime, such as identity theft, can request that a national credit reporting agency—Experian, Equifax or TransUnion—place an "initial fraud alert" in his or her credit file. There is no charge to place a fraud alert directly with one of these credit bureaus. The initial fraud alert lasts up to 90 days, and can be converted into an "extended" fraud alert if the consumer provides a police report or other identity theft report confirming that fraud has occurred.
When a fraud alert is placed, the credit reporting agency is required to place certain information in the consumer's file, refer the request to the other reporting agencies, and send the consumer certain disclosures. A consumer who places an initial fraud alert also is entitled to a free credit report. Fraud alerts trigger certain safeguards designed to protect against identity theft and fraud, as they require potential creditors to use "reasonable policies and procedures" to verify a person's identity prior to issuing credit or opening a new account. A business that sees such an alert on a credit report therefore must take extra steps to verify an applicant's identity before issuing credit—for example, by contacting the person directly.
Normally, a consumer has to directly contact a credit bureau to place a fraud alert. Because an alert lasts only 90 days, this process must be repeated every 90 days for as long as the risk of fraud or identity theft remains. In recent years, however, a cottage industry of companies offering identity theft protection services has formed. For a fee, several such companies provide "fraud alert services" that place a fraud alert on behalf of a customer, and continuously renew the alert every 90 days.
The Challenged Activity
LifeLock, an Arizona business, is one such company that sought to capitalize on the fraud alert process and help consumers avoid the hassle of having to place and renew such alerts. On its face, the fraud alert service offered by LifeLock appeared consistent with the FCRA, which specifically allowed third parties acting on behalf of a consumer to place alerts. Credit bureau Experian had a different view of LifeLock's activities, however, and filed suit against the company in the United States District Court for the Central District of California. Experian asserted that the FCRA did not permit companies such as LifeLock to place initial fraud alerts, and that the obligations imposed on credit reporting agencies "were never intended to be triggered by a private company seeking to profit by illegally placing fraud alerts on behalf of consumers who do not have a genuine suspicion of imminent fraud." Experian's complaint harshly criticized LifeLock, claiming that the company "surreptitiously placed hundreds of thousands of fraud alerts on Experian's files by posing as the consumer," and deceptively implemented recurring "initial" alerts by submitting new fraud alert requests every 90 days, even where there was no suspicion of identity theft. Experian claimed that LifeLock's activities cost it millions of dollars annually to process fraud alerts, mail mandatory notices to consumers and provide free credit reports.
The Legal Ruling
On May 19, 2009, U.S. District Judge Andrew J. Guilford granted a motion for partial summary judgment filed by Experian. Judge Guilford accepted Experian's argument that LifeLock's activities violated Section 17200 of the California Business & Professions Code, California's Unfair Competition Law (UCL), which prohibits "any unlawful, unfair or fraudulent business act or practice." Taking the literal wording of the FCRA and its legislative history together, the court found that the FCRA embodies an "established public policy against companies like LifeLock placing fraud alerts on behalf of consumers," and that LifeLock's fraud alert services therefore constituted an unfair business practice under the UCL.
In so holding, the court noted that the FCRA grants the right to place a fraud alert to a "consumer"—defined in the FCRA as an "individual"—rather than to a "person," which is defined to include individuals and entities. Accordingly, the court accepted Experian's argument that Congress expressly excused credit reporting agencies from placing fraud alerts requested by companies such as LifeLock. The court found further support for this conclusion in the legislative history of the FCRA, which contained statements that the fraud alert provision was meant to apply only to specific individuals such as a consumer's authorized family members or guardians "and not to companies and entities such as credit repair clinics." In reaching its conclusion, the court rejected LifeLock's defense that its actions were consistent with the purpose of the FCRA—to enhance consumer protection.
The Ruling's Implications
This ruling illustrates how courts will look not just to the goal of privacy legislation—here, the FCRA's aim to guard against fraud—but also will carefully examine the particular means through which Congress has authorized the goal to be achieved. As LifeLock learned, it is not enough simply to be consistent with the purpose of the law; the specific procedures of the law must be respected as well. In response to this ruling, at least one private service offering identity theft protection has announced that it will no longer offer customers fraud alert services, and will instead offer credit monitoring; other companies in the industry may be inclined to follow suit. LifeLock itself has sought reconsideration of the ruling, arguing, among other things, that new evidence undermines the court's public policy finding. If the ruling remains unchanged on reconsideration or appeal, consumers will be limited in the extent to which they can outsource certain privacy-protecting activities and rely on identity theft protection services to protect against fraud. Similarly, companies that experience a data breach may no longer be able to offer fraud alert services to individuals affected by a breach, leaving those individuals with the burden of personally protecting themselves by implementing and renewing fraud alerts.