Banking and Finance Law Daily Obtaining a consumer report to verify identity is a legitimate business purpose under FCRA
News
Thursday, September 10, 2020

Obtaining a consumer report to verify identity is a legitimate business purpose under FCRA

By Nicole D. Prysby, J.D.

Obtaining a consumer report in order to verify the identify of an online applicant for Dish Networks’ services was a legitimate business purpose and thus did not violate the FCRA.

The U.S. Court of Appeals for the Eleventh Circuit rejected a consumer’s claim that Dish Networks, L.L.C. violated the Fair Credit Reporting Act (FCRA) when it obtained her consumer report to verify the identify of an online applicant for Dish services. An identity thief fraudulently submitted some of the consumer’s personal information to Dish. Dish sent the information to Equifax and obtained the consumer report, and realized the application was fraudulent and blocked it from going forward. The consumer alleged that Dish violated the FCRA simply by obtaining the consumer report, even though it did not open an account in her name. The Eleventh Circuit held that Dish had a legitimate business need to obtain the consumer report from Equifax in an effort to verify the identity and determine the eligibility of the potential consumer who applied online for Dish services. The court found the Sixth Circuit’s holding in a similar case persuasive: that the term "legitimate business need" in the FCRA (15 U.S.C. § 1681b) includes verifying the identity of a consumer and assessing his or her eligibility for a service. And a prior settlement between the consumer and Dish did not prohibit Dish’s actions. The limited information provided by the applicant matched the consumer’s, but the settlement agreement did not prohibit Dish from entertaining an application from a potential consumer who shares a few personal identifiers with the consumer (Domante v. Dish Networks, L.L.C., Sept. 9, 2020, per curiam).

The consumer brought claims for FCRA violations and breach of contract against Dish Networks. Dish obtained the consumer’s credit report from Equifax, a nationwide consumer reporting agency, after an identity thief fraudulently submitted some of the consumer’s personal information to Dish. Despite the fact that Dish discovered this but never opened an account in her name, the consumer alleged that Dish violated the FCRA simply by requesting and obtaining the consumer report in the first place. The consumer also alleged that Dish’s actions violated a settlement agreement that the parties signed after a similar incident occurred several years ago involving the same parties. The federal district court granted summary judgment to Dish, and the consumer appealed.

FCRA claims. The Eleventh Circuit held that the FCRA claims failed because Dish had a legitimate business need to obtain the consumer report from Equifax in an effort to verify the identity and determine the eligibility of the potential consumer who applied online for Dish services. The unknown individual applied online for a Dish account using the last four digits of the consumer’s social security information, her date of birth, and her first name. However, the online applicant used a different last name, address, and telephone number. Dish’s automated system submitted the applicant’s information to Equifax to verify the individual’s identity. Equifax matched this information with the consumer and returned to Dish her consumer report, which included the consumer’s full social security number. Dish then blocked the application from going forward. After learning that the consumer’s credit report reflected that the credit inquiry had occurred, Dish requested that Equifax delete the inquiry from her credit record, and Equifax obliged.

The court had not previously considered what constitutes a "legitimate business need" in connection to a business transaction for FCRA purposes, but found the Sixth Circuit’s holding in a similar case (also involving Dish) persuasive. The Sixth Circuit held that the term "legitimate business need" in 15 U.S.C. §1681b includes "verifying the identity of a consumer and assessing his eligibility for a service." The court rejected the consumer’s argument that Dish should have known that the consumer had not initiated the business transaction because of their prior settlement agreement. When the unknown applicant applied for Dish services online, Dish had only the last four digits of the provided social security number, not the full number. Dish depended on Equifax to verify the identity of the applicant so that it could obtain the full social security number and cross-check that information via its internal mechanisms. The fact that Equifax had the mechanisms in place to verify that the scant information provided by the applicant actually belonged to the consumer does not necessarily lead to the conclusion that Dish was able to verify that as well.

Although the consumer suggested that Dish should have done more to verify her identity before requesting a consumer report, the FCRA does not explicitly require a user of consumer reports to confirm beyond doubt the identity of potential consumers before requesting a report. The court also concluded that the settlement agreement itself did not prohibit Dish’s actions: all that the online application provided to Dish was a partial identity—a first name, birth date, and last four digits of a social security number. This limited information matched the consumer’s, but the settlement agreement does not expressly prohibit Dish from entertaining an application from a potential consumer who happens to share a few personal identifiers with the consumer.

Breach-of-contract claim. The consumer’s claim for breach of contract also failed. The only affirmative action Dish agreed to take in the settlement agreement was "to flag" the consumer’s social security number. Dish satisfied the terms of the agreement when, after obtaining the consumer’s full social security number from Equifax, it plugged the number into its internal system, triggered the "flag," and stopped the fraudulent application without opening an account.

The case is No. 19-11100.

Attorneys: Kaelyn Steinkraus (Law Office of Michael A. Ziegler, PL) for Peri Domante. Gabriell Frances Levin (Gibson, Dunn and Crutcher LLP) for Dish Networks, L.L.C.

Companies: Dish Networks, L.L.C.

MainStory: TopStory AlabamaNews FairCreditReporting FloridaNews GeorgiaNews GCNNews IdentityTheft Privacy

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More

Banking and Finance Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.