As we near the end of a year that has seen more than its share of massive data breaches, two bills have been introduced (one re-introduced) in the U.S. Senate.
Written by Kevin McGinty
Last week an Oregon jury awarded an individual plaintiff over $18 million in compensatory and punitive damages in what some sources have reported to be the first jury verdict in a case brought under the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681a(c). The plaintiff, Julie Miller, discovered problems with her credit report in 2009, when a bank, citing Ms. Miller’s poor credit history, rejected a loan to her son for which Ms. Miller was a co-signer. Ms. Miller requested a copy of her credit report from Equifax and discovered that her credit history contained erroneous information, including an incorrect Social Security Number (“SSN”), an incorrect birthdate, and charges and collection activity relating to obligations that Ms. Miller had never incurred. Over the course of the next two years Ms. Miller contacted Equifax nine times in a fruitless effort to correct the credit report. Only then did she bring suit against Equifax, seeking compensatory and punitive damages under the FCRA.
Discovery revealed that Ms. Miller was the victim of a “mixed file,” a known phenomenon in which two individuals’ credit histories are conflated into a single record. The plaintiff’s credit record had become intertwined with that of another Julie Miller who shared the same middle initial, was the same age, and had an SSN that shared seven of nine digits with Ms. Miller’s SSN. These coincidences resulted in the mixing of the two credit records, with the other Julie Miller’s bad credit history becoming a part of the plaintiff Julie Miller’s credit report. Although Equifax had established procedures to address and resolve mixed file issues, Equifax admitted in its pretrial memo “that it should have taken additional steps to assure that Plaintiff’s disputes were handled pursuant to its mixed file procedures . . . .” Equifax’s defenses at trial were that the mixed file was not the result of inadequate procedures, and that its flawed implementation of mixed file procedures was not a willful violation of the FCRA. After three days of trial the jury rejected both of these arguments, finding that Equifax’s violations of the FCRA had resulted in actual damages of $180,000, and that such conduct was willful, thus warranting punitive damages of $18,400,000.
The large verdict against Equifax illustrates the potentially high cost of poor customer service. Given the coincidences at play, the creation of a mixed file was probably not unreasonable. The apparent failure, however, to be responsive to Ms. Miller’s requests for correction unduly prolonged the error and created frustrations that inexorably led to litigation. Ms. Miller wrote to Equifax nine times to seek correction of her record and, despite providing all of the information requested by Equifax, received an identical form letter on nine separate occasions requesting that the necessary information be provided. The surprising thing is not that Ms. Miller brought suit but that it took so long for her to do so. The seeming indifference to Ms. Miller’s efforts to fix her credit history plainly resonated with the jury and fueled the substantial award of punitive damages. The consequences of Equifax’s failure to be responsive to Ms. Miller’s complaint teach a valuable lesson to all businesses that deal with consumers.
The size of the award to Ms. Miller also suggests that juries are likely to view injury to a plaintiff’s credit history as a significant harm. As such, the verdict highlights the potential costs associated with data breaches, as the impairment of even a single consumer’s credit history by reason of a data breach can provide grounds for a substantial recovery. The risk of such exposure makes it imperative that businesses that use and store consumer credit card numbers, SSNs and other personally identifiable information develop and implement sound practices to maintain data security and to respond to data breaches. A responsive program to minimize the risks of credit history impairment after a data breach could be the one thing that stands between a company and an award of punitive damages.
Read more: New York Times (registration may be required)