Ruling Against Fraud Alert Companies
A RECENT California district court ruling in the case Experian Information Solutions v. LifeLock, Inc., dealt a blow to companies that put fraud alerts on consumer credit reports. But it is unclear what effect the decision will have on consumers.
When fraud alerts are placed on credit reports, potential creditors have to follow “reasonable policies and procedures” to verify identity before issuing credit in a consumer’s name, according to the Federal Trade Commission (FTC). A fraud alert lasts 90 days (unless it is an extended fraud alert based on identity theft history) but it can be renewed.
These alerts can prevent credit from being opened but cannot prevent various other types of identity theft. Fraud alerts are not to be confused with credit monitoring services, which tell individuals when changes occur in their credit activity; the latter is less likely to prevent fraudulent credit lines from being opened, but it may be a way of limiting the damage by ensuring that the victim is aware of the problem.
The ruling granted a motion for partial summary judgment, and it stated that LifeLock could not legally act as a third party to place fraud alerts on Experian customers, as it was a violation of the Fair Credit Reporting Act (FCRA), which the court interpreted to state that only an individual could request a fraud alert for another individual, not a company acting on behalf of an individual.
Some commercial enterprises have been offering fraud alert services as mitigation for their own data breaches. This ruling could affect that as well. But Jay Foley of the Identity Theft Resource Center, who says the case was the first of its kind, expects the decision to be overturned.
The ruling was surprising from a legal perspective, says Chris Hoofnagle, director of the Berkeley Center for Law and Technology’s Information Privacy programs at the University of California, Berkeley, School of Law.
Hoofnagle says the decision took into consideration the legislative history of FCRA, including a legislative report issued by the House Financial Services Committee, which had jurisdiction over the bill. The report stated that the fraud alert should be placed by an individual, not a company.
“The problem here is that that report is not law,” says Hoofnagle.
In California, courts are expected to delve into legislative history only when the court decides that the “plain meaning” of the law is not clear and unambiguous, which Hoofnagle says was not necessarily the case here.
But the use of legislative history is not uncommon, says Jan Raymond, a California lawyer who has written extensively on the topic.
The decision is already having ramifications in the marketplace. Debix, a company that offered its own fraud alert service, had about 400,000 people enrolled in the fraud alert program. But directly following the ruling, the company halted fraud alerts and “upgraded” those customers into a credit monitoring service that provides alerts based on credit monitoring triggers.
“While we don’t necessarily agree with the court’s decision, as a company, we respect the law and have no intention of breaking the law,” says Julie Ferguson, Debix’s vice president of emerging technologies.
She estimates that Debix has stopped $19 million in losses over about 10 months, but adds that without fraud alerts, some of the losses may now get through, because fraudulent accounts or credit lines will be opened.
However, Ferguson says Debix will still be responsible for correcting the problem for their customers and the customer experience should remain the same, despite the court’s ruling. The major players harmed in this decision are the banks, which “are now going to have to eat the cost of the fraud losses [that might be presented],” says Ferguson.
Hoofnagle says that the decision might have been motivated in part by skepticism that these companies could do what they promise.
Bob Hartle, president of the nonprofit ID Theft Services, says companies might not be able to deliver on all their promises but better FTC oversight would help weed out the less competent ones.
Not every privacy advocate sees value in the service these companies provide, however. Paul Stephens of the Privacy Rights Clearinghouse notes that consumers can ask for alerts themselves at no cost. He also notes that fraud alerts are not foolproof. He says there is a middle ground between the milder credit monitoring services and the extreme decision of getting an absolute credit freeze placed on an account.
As for LifeLock, the company has filed a motion to have the judgment reconsidered. And CEO Todd Davis confirms that LifeLock will continue the fraud alerts with the other two credit agencies.