Fair Credit Reporting: 13.7.4 Coordination with Federal Agencies Required
In addition to the substantive limitations on state enforcement authority, discussed above, the FCRA imposes procedural requirements and limitations on state officials.
Nothing in the FCRA’s provision on state enforcement shall prevent the chief law enforcement officer of a state from exercising the powers to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence in connection with any FCRA enforcement action brought by the state.260
States have worked together to obtain significant reforms in credit reporting practices on a few occasions. In the early 1990s, following widespread dissatisfaction with the accuracy of information in credit reports and apparent systematic FCRA compliance difficulties, several state attorneys general brought enforcement actions against Equifax, TRW Inc.
Of the four varieties of common law invasion of privacy, public disclosure of private facts has the most potential to constrict the flow of personal financial information. However, it is not particularly well suited to keeping financial information private.
Like the tort of public disclosure of private facts, the tort of intrusion can also apply to the discovery of financial information.62 The tort, also sometimes called “intrusion into seclusion” or “unreasonable intrusion,” creates liability for the intentional intrusion upon another person’s solitude, seclusion, or private affairs in a manner that would be highly offensive to a reasonable person.63 Generally, the intrusion need not be physical; this tort can lead to liability for the unauthorized pr
The tort of appropriation at first glance appears to be suitable for addressing identity theft.
Title V of the Gramm-Leach-Bliley Act (the GLBA)89 addresses financial institutions’ use of consumers’ “nonpublic personal information.”90 That term is defined to mean any personally identifiable financial information that is provided by the consumer to the financial institution;91 results from any transaction with the consumer or service performed for the consumer; or is otherwise obtained by the financial institution, but which is not “publicly availab
Prior to the Dodd-Frank Act amendments, the FTC and banking regulators had all issued GLBA regulations that were substantially similar to one another.95 The FTC’s authority to issue the regulations survived a challenge brought by TransUnion, one of the three major CRAs.96 As for agency enforcement actions, the FTC has publicly taken enforcement action under the GLBA,97 and the FRB has taken “formal” enforcement action.
The GLBA applies to “financial institutions.” Whether an entity is a “financial institution” is determined by whether it engages in “financial activities” as that term is defined by the Bank Company Holding Act of 1956.112 That Act describes five different categories of financial activities that cover lending, insuring, financial advising, issuing or selling asset pool instruments, and underwriting securities.113 Under Regulation P, a more restricted definition applies to those entities subject
The GLBA protects both “customers” and “consumers.” All customers are consumers, but not all consumers are customers. Customers and consumers are equally protected by the opt-out and nondisclosure provisions of the GLBA and Regulation P.119 The difference is only relevant to whether the institution must provide an initial privacy notice and annual privacy notices to the individual, and turns on the individual’s particular relationship with the financial institution.
The GLBA does not prevent financial institutions from revealing any information that they get from consumers; the only information restricted by the Act is “nonpublic personal information.” Nonpublic personal information is deemed to be personally identifiable financial information that is not publicly available.126 The Act does not define “personally identifiable financial information”; nonetheless, the FTC’s authority to define the term, and to define the term broadly, has been upheld.127 Pres
Though not expressly labeled as an exception, a key feature of the GLBA is that disclosures to an institution’s own affiliate are completely unrestricted by the Act and Regulation P.141 An affiliate is “any company that controls, is controlled by, or is under common control with another company.”142 Thus, private consumer information may flow freely throughout a company’s extended family.
The only category of information that the GLBA protects from disclosure outright, without any action on the consumer’s part, is the highly potent information of account numbers and similar forms of access codes. Financial institutions are prohibited from disclosing these numbers or codes to any nonaffiliated third party for marketing use other than to a consumer reporting agency, even if the financial institution has given the consumer a conforming opt-out notice.218
The GLBA requires agencies subject to the Act to establish standards “relating to administrative, technical, and physical safeguards” to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to those records, and protect against unauthorized access to those records.224 The banking regulators have issued Interagency Guidelines Establishing Information Security Standards.225
The GLBA specifically provides that it does not “modify, limit, or supersede the operation of the Fair Credit Reporting Act.”230 The CFPB has issued regulations that recognize that financial institutions will design information-sharing policies to simultaneously comply with the GLBA and the FCRA.231 As is discussed above,232 the GLBA specifically exempts disclosures made to a CRA in accordance with the FCRA, and from a consumer report issued by a C
A fundamental flaw of the GLBA is that it fails to provide consumers with a private cause of action for violation of any of its requirements, whether notice and opt-out rights, privacy policy disclosures, or safeguarding of data.234 This renders the Act of little practical value to those who seek to limit, or even monitor, the use of their private data.
While any privacy protection is welcome, the GLBA blocks only a very few of the many channels through which financial institutions distribute consumers’ financial information. This becomes apparent if the focus shifts from what the GLBA prohibits to what it permits. A financial institution can always disclose any consumer financial information to any of its affiliates.
The federal Computer Fraud and Abuse Act criminalizes various forms of unauthorized use of federal government and financial institution computers.248 Although the Act prohibits the unauthorized, intentional access of a computer to obtain the records of a financial institution, a card issuer, or a CRA, the Act’s limited private right of action provision provides relief for a violation only in unusual circumstances.249 As a practical matter, such a plaintiff will likely have to show that the acces
The Financial Information Privacy Act imposes criminal penalties on those who obtain customer information from a financial institution by pretext or through the use of an illegitimate document.259 The statute covers both communications with a financial institution’s agents and employees and with a customer of the institution, and further prohibits the solicitation of someone to obtain such information—attempting to reach those who hire the information brokers.260 The statute exempts information
The Federal Trade Commission Act264 prohibits unfair methods of competition and unfair or deceptive acts and practices.
The Driver’s Privacy Protection Act (the “DPPA”)269 restricts state departments of motor vehicles from freely trading the information they gather for motor vehicle licensing purposes. This data often includes name, address, Social Security number, certain medical information, height, weight, date of birth, gender, and photograph.
Section 11.3, supra, considers Article III constitutional standing requirements for FCRA claims brought in federal court, in light of the Supreme Court’s decisions in Ramirez and Spokeo.
Financially troubled consumers are attracted to solicitations from credit repair organizations. These organizations, calling themselves “credit repair” or “credit service” agencies, “credit clinics,” or similar titles, promise consumers that for a fee,1 negative items will be eliminated from a credit history.
The federal Credit Repair Organization Act (CROA) was adopted in 1996.14 CROA’s broad definitions and prohibitions make it applicable not just to traditional credit repair organizations, but probably to a wide range of other entities as well.15 It offers a private cause of action with powerful remedies.