United States: Prevalence of Identity Theft Problem Spurs Action in Congress

The Federal Trade Commission ("FTC") recently released a report estimating that 27.3 million Americans have been the victims of identity theft in the past five years, including 9.9 million people in the last 12 months alone. (Federal Trade Commission—Identity Theft Survey Report, September 2003 ("FTC Report").) According to the FTC Report, losses to businesses and financial institutions from identity theft totaled nearly $48 billion last year, while consumers reported another $5 billion in out-of-pocket expenses.

In addition to the FTC estimates, a comprehensive report by the General Accounting Office makes reference to estimates of between 250,000 and 750,000 victims of identity theft annually. (United States General Account-ing Office Report GAO-02-363, Identity Theft—Prevalence and Cost Appear to Be Growing, March, 2002, p. 2 (the "GAO Report").) Another report, by the research company Gartner, Incorporated, concluded that 7 million U.S. adults, or 3.4 percent of U.S. consumers, were victims of identity theft during the 12 months ending June 2003.

As is evident by the differences between the FTC, GAO, and Gartner studies, estimates of the scope of identity theft often vary markedly. The General Accounting Office has performed a number of studies on the issue and has identified a number of reasons why accurate measurements have proved elusive. For example, victims may not learn that they have been victimized for months after the fact and often choose not to report the theft to police or credit bureaus. GAO Report at 2. Other differences arise based on the definition of identity theft chosen for the study. For example, the FTC defines identity theft to include: (1) the misuse of an individual’s personal information—such as social security number, date of birth, and mother’s maiden name—to open new credit accounts; and (2) the unauthorized use of another’s existing accounts, such as credit cards, checking accounts, or telephone accounts. Id. The definitions used by the GAO and Gartner studies are both somewhat less comprehensive. Although these reports differ on the precise magnitude of the problem, all agree that the prevalence of identity theft is increasing.

In an effort to address the identity theft problem, Congress passed legislation in 1998 mandating that the FTC establish a system to assess the issue and to provide remedial information to consumers who believed that they may have been victims of identity theft.

(Identity Theft And Assumption Deterrence Act of 1998, Public Law 105-318 (1998).) As set forth in the Act, the FTC established the Identity Theft Data Clearinghouse in November 1999. In its first month in operation, the FTC Clearinghouse logged 445 calls per week related to identity theft issues. GAO Report at 4. By December 2001, the weekly average had increased to 3,000 calls. Id. During 2002, the FTC collected a total of 218,714 calls regarding identity theft issues, with an average of 4,502 calls per week in December. (FTC Information on Identity Theft For Consumers and Victims From January 2002 Through December 2002 at http:// www.consumer.gov/idtheft/stats.html (last visited on November 13, 2003).)

Victims of identity theft often will attempt to recover their losses under state law by suing the lenders that extended credit to their imposters and later reported negative information regarding the consumers’ failure to repay the debt. These actions have received mixed treatment by courts, depending on the jurisdiction in which the action was raised. For example, the plaintiff in Patrick v. Union State Bank, 681 So.2d 1364 (Ala. 1996) brought a claim against a bank for negligently allowing an imposter to open a checking account in her name. As a result of the imposter’s actions, the plaintiff was jailed for 10 days for issuing bad checks. Id. at 1366. Because the plaintiff herself had never opened an account with the bank, the bank argued that it did not owe her any duty. Id. at 1367. The Alabama Supreme Court disagreed, finding that by opening an account in her name with all of her personal identifiers, the bank had established a relationship with the plaintiff sufficient to create a duty of reasonable care on the part of the bank to the plaintiff:

Id. at 1369. As a result, the court reversed the trial court’s decision which had granted the bank summary judgment based in part on the plaintiff’s failure to show that the bank owed her a duty of care. Id.

Conversely, the South Carolina Supreme Court recently held that banks do not owe a duty of care to potential victims of identity theft who are not their customers. Huggins v. Citibank, N.A., 585 S.E.2d 275, 278 (S.C. 2003). The plaintiff in Huggins sued three banks alleging that each was negligent in issuing credit cards to an imposter who had claimed that he was the plaintiff. After the imposter failed to repay the charges on the cards, the plaintiff alleged that his credit was damaged and that he was hounded by debt collectors. The banks asserted that they owed no duty to the plaintiff because he was not their customer. The South Carolina Supreme Court agreed with the banks and rejected the plaintiff’s negligence claims because the relationship "between credit card issuers and potential victims of identity theft is far too attenuated to rise to the level of any duty between them." Id. at 277. Because it concluded that there is no duty under South Carolina law on the part of credit card issuers to protect potential victims of identity theft, the court ruled that South Carolina does not recognize the tort of negligent enablement of imposter fraud. Id. at 278.

In addition to state law, victims of identity theft may also raise claims against financial services companies and credit reporting agencies under FCRA, 15 U.S.C. § 1681, et seq. Claims under the FCRA involving identity theft issues, however, face several obstacles. First, with one narrow exception, claims must be raised under the FCRA within two years from the date of the alleged wrongdoing, no matter how long it takes a victim to learn of the identity theft. 15 U.S.C. § 1681p. In the first identity theft case to reach the Supreme Court, the Court held that a general discovery rule does not toll the statute of limitations governing claims under the FCRA until a plaintiff learns of evidence of the alleged wrongdoing. TRW, Inc. v. Andrews, 534 U.S. 19, 23 (2001). Andrews involved claims against a credit reporting agency for improperly providing credit reports to creditors in connection with credit applications filed by an imposter and for failing to maintain reasonable procedures to ensure the accuracy of the reports. The plaintiff in Andrews conceded that she had not raised her claims for more than two years after two of the alleged disclosures, but argued that the claims regarding those disclosures were still timely because she had not learned of the disclosures for more than one year, when she sought to refinance her home. Id.

The Supreme Court in Andrews rejected the plaintiff’s call for a general discovery rule applicable to FCRA claims based on a strict reading of the statute. Id. at 28–31. Claims under the FCRA must be brought "within two years from the date on which the liability arises…[unless] a defendant has materially and willfully misrepresented any information required under [the Act] to be disclosed [to the plaintiff] and the information so misrepresented is material to [a claim under the Act]" in which case "the action may be brought at any time within two years after discovery by the individual of the misrepresentation." 15 U.S.C. § 1681p. According to the Court, the "most natural reading of § 1681p is that Congress implicitly excluded a general discovery rule by explicitly including a more limited one." As a result, the Court reversed the ruling of the Ninth Circuit which had ruled that the plaintiff’s claims were timely. Id. at 28.

Because victims of identity theft may not learn of the actions of imposters for months or even years, Andrews will likely preclude a number of claims related to identity theft under the FCRA. See FTC Report at 20 (stating that 24 percent of victims whose credit information was used to open new accounts did not discover the identity theft for more than six months).

Another case which demonstrates the difficulties in raising claims under the FCRA related to identity theft is Aklagi v. NationsCredit Financial Services, Corp., 196 F.Supp.2d 1186 (D. Kan. 2002). In Aklagi, husband and wife victims of identity theft sued a lender for failing to provide accurate information about the plaintiffs under 15 U.S.C. § 1681s-2 after the lender had extended a mortgage loan to an individual posing as one of the plaintiffs. Id. at 1192. The plaintiffs also alleged that the lender failed to correct the information that it was reporting even after notification by the plaintiffs and knowledge of an FBI investigation of their claims. Id. The lender moved for summary judgment because it alleged that the plaintiffs failed to produce any evidence demonstrating liability under the FCRA.

The court in Aklagi granted the lender’s motion for summary judgment because the plaintiffs could not show that they had initiated a dispute with a credit reporting agency. Id. at 1192-94. The statutory basis for the plaintiffs’ claims in Aklagi, 15 U.S.C. § 1681s-2, imposes two independent duties on furnishers of credit information: a general duty to provide accurate information under § 1681s-2(a); and a duty to conduct an adequate investigation after receiving notice of dispute from a consumer reporting agency under § 1681s-2(b). Carney v. Experian Information Solutions, Inc., 57 F.Supp.2d 496, 501 (W.D. Tenn. 1999). Congress, however, only provided consumers with a private cause of action for violation of § 1681s-2(b), which is only triggered after the consumer has initiated a dispute with a credit reporting agency. Id. The enforcement of the general duty to provide accurate information about a consumer under § 1681s-2(a) is limited to governmental agencies and officials. Id.

Because a private cause of action does not arise against furnishers of credit information until the consumer has raised a dispute with a credit reporting agency, a plaintiff cannot raise a claim under the FCRA against a lender for information that was reported prior to the consumer first learning of the theft of his or her identity. As discussed previously, this may be a significant period of time.

On December 4 , 2003 President Bush signed the Fair and Accurate Credit Transactions Act, 2003, Public Law No. 108-159 (the "Act"). The Act dramatically amends the FCRA to more directly address identity theft issues. Among other things, the Act establishes a procedure to allow consumers to request that credit reporting agencies and lenders block the reporting of information that is alleged to have resulted from identity theft. Under the Act, if a consumer submits sufficient information to establish that he or she was a victim of identity theft to a credit reporting agency, the agency must block reporting of the requested information unless the agency reasonably determines that the consumer made an error or material misrepresentation relevant to the request or the consumer obtained possession of goods, services, or money as a result of the relevant transaction. P.L. 108-159 §152.

In addition, the Act mandates that credit reporting agencies establish a two-tiered "fraud alert" system to respond to consumer allegations of identity theft. First, credit reporting agencies contacted by a consumer claiming to be the victim of identity theft must: include an initial fraud alert in that consumer’s file and in any credit scores generated using that file for a period of not less than 90 days; refer the information regarding the initial fraud alert to the other credit reporting agencies; and disclose to the consumer that he or she is entitled to a free credit report. P.L. 108-159 §112 (a). Additional requirements are triggered if a consumer submits an "Identity Theft Report" which is defined as a report alleging that the consumer was a victim of identity theft, that it was filed with a law enforcement agency, and that it would subject the consumer to criminal penalties for filing false reports. P.L. 108-159 §112 (b). A credit reporting agency receiving such a report must include an extended fraud alert in that consumer’s file and in any credit scores generated using that file for up to seven years, and exclude the consumer from any lists provided to third parties offering credit or insurance as part of a transaction not initiated by the consumer for up to five years. Id.

Likewise, lenders receiving credit reports containing initial and extended fraud alerts will face new obligations. Lenders receiving a consumer’s credit report containing an initial fraud alert will be prohibited from granting new credit applications or increasing the consumer’s credit limits "unless the [lender] utilizes reasonable policies and procedures to form a reasonable belief that the [lender] knows the identity of the person making the request." P.L. 108-159 §112 (h). Where a lender has received a credit report or credit score containing an extended fraud alert, the lender is prohibited from extending that consumer credit unless the lender confirms the consumer’s identity in person or by telephone at a number specified by the consumer for verification purposes. Id. The Act calls for the Federal Trade Commission to prescribe regulations to define what constitutes appropriate proof of identity.

The Act also effectively overrules the Supreme Court’s ruling in TRW, Inc. v. Andrews by rewriting §1681p to allow claims to be brought under the FCRA "not later than the earlier of: (1) two years after the date of discovery by the plaintiff of the violation that is the basis for such liability; or (2) five years after the date on which the violation that is the basis for such liability occurs." P.L. 108-159 §156.

Given the ever-growing reports of identity theft and the new requirements under the FCRA, there is likely to be an increase in litigation in this area. Financial services companies should consult closely with their counsel to ensure compliance with the new requirements of the law in this area.

This article is presented for informational purposes only and is not intended to constitute legal advice.