In 2017, Experian, one of the three major credit reporting agencies, revealed a breach that could have compromised the data of 143 million consumers. This data breach led to a multitude of lawsuits against Experian, including lawsuits by both consumers and investors.
A class of consumers sued Experian for, among other things, violations of FCRA. Yesterday, Judge Thomas W. Thrash Jr., the federal court judge tasked with sorting through the multitude of lawsuits, issued several opinions addressing various issues, including Experian’s potential FCRA liability.
Experian had filed a motion to dismiss, arguing that its actions did not constitute a violation of FCRA because the stolen data was not “furnished” by Experian. Instead, Experian argued, the data had been taken from Experian involuntarily. Judge Thrash agreed, reasoning that “furnish” describes “the active transmission of information to a third party rather than a failure to safeguard the data.”
Similarly, Experian argued that the information stolen, which involved credit card numbers, social security numbers, and addresses, did not fall within FCRA’s definition of a “consumer report.” The FCRA definition of a “consumer report” requires that the information bears on the consumer’s creditworthiness or related factors. Applying this definition, Judge Thrash held that the information stolen did not itself bear on any individual’s creditworthiness, and therefore did not constitute a consumer report.
Thus, the court dismissed the consumers’ FCRA claims, while allowing several non-FCRA claims to remain.
This opinion serves as a reminder to FCRA plaintiffs and defendants to begin with the basics and to pay attention to the definitions used in the statutory language. Even if a claim involves data from a credit reporting agency, it does not necessarily implicate FCRA.