Fair Debt - Fair Credit Click Here For FREE Case Review
Home Free Case Review Debt & Your Rights Credit Report Mistakes ID Theft & Your Credit Attorney Bios Contact Us
  Catholic University Law Review
Winter, 2005
Comment

*553 IDENTITY THEFT: THE FAIR CREDIT REPORTING ACT AND NEGLIGENT ENABLEMENT OF IMPOSTOR FRAUD


Brendan Delany
Copyright © 2005 by Catholic University Law Review; Brendan Delany

Identity theft victim Michelle Brown estimates that she lost "somewhere in excess of 500 hours" of her time trying to clear her credit, not to mention "countless sleepless nights and seemingly endless days, dedicating [her] valuable time, energy, peace of mind, and what should have been a normal life, trying to restore [her] credit and [her] life." [FN1] Similarly, after spending over 400 hours trying to clear her name and restore her credit, identity theft victim Maureen Mitchell explained, "The impact of being a victim of Identity Theft is all encompassing. It affects you physically, emotionally, psychologically, spiritually and financially. This has truly been a life altering experience." [FN2] Stories like Michelle Brown's and Maureen Mitchell's are becoming more commonplace as the incidence of identity theft increases dramatically. [FN3]

Identity thieves use another's personal identifying information without his or her knowledge for the purpose of committing fraud, theft, or other *554 unlawful activities. [FN4] While the true pervasiveness of identity theft remains unknown, [FN5] the number of reported incidents has increased so dramatically over the past few years that the U.S. Department of Justice now classifies identity theft as the fastest growing white-collar crime in the Nation. [FN6] The growing automation in our economy and the dramatic increase in commercial Internet transactions further exacerbate the problem by enabling criminals to easily access personal identifying information. [FN7] Such advancements in technology also facilitate the spread of identity theft across state and international borders. [FN8]

*555 Identity thieves indiscriminately target all demographic groups, claiming as their victims people from every race, gender, age, and nationality. [FN9] Identity theft may affect victims in two areas: it can ruin a person's financial history, and it can create a criminal record in a person's name. [FN10] It takes an average of forty-four months for victims to resolve their cases. [FN11] That translates into approximately 175 hours spent restoring one's credit and clearing one's name. [FN12] To make matters worse, the victim's damaged credit report remains available for distribution for seven years. [FN13] Furthermore, most victims do not learn about the theft of their identity for over a year, long after identity thieves have tainted the victim's credit history and name. [FN14]

*556 Despite the pervasiveness and severity of the crime, a sufficient remedy for identity theft victims does not exist. [FN15] Identity theft victims John and Mary Elizabeth Stevens stated that "[i]dentity theft is only possible with the full cooperation of three major participants: the impostor, the creditor and the credit bureau. All are coconspirators and equally guilty of identity theft." [FN16] Identity theft victims need to find a remedy from the parties that negligently enable the fastest growing white-collar crime in the Nation to occur. [FN17]

This Comment explores the legislative development and judicial interpretation of the Fair Credit Reporting Act (FCRA) [FN18] with respect to credit reporting and identity theft. It additionally examines common law negligence claims against creditors and credit reporting agencies (CRAs) that stem from identity theft. This Comment ultimately argues for greater federal protection for potential victims of identity theft and for common law judicial recognition of the tort of negligent enablement of impostor fraud. This Comment analyzes congressional regulation of creditors and CRAs under the FCRA, including the 1996 amendments to the Act and the recent reauthorization of the Act. This Comment also details state legislative statutes drafted around the FCRA preemption provisions in California and Georgia, which are designed to prevent identity theft by providing better protection of consumers' personal information. This Comment then explores TRW Inc. v. Andrews [FN19] and Smith v. Citibank, N.A., [FN20] two federal cases that effectively limited creditor liability with respect to suits filed under the FCRA. Next, this Comment examines the common law tort of negligence and limitations on creditor liability under such claims. In so doing, this Comment evaluates Polzer v. TRW, Inc. [FN21] and Huggins v. Citibank, N.A., [FN22] two *557 important state decisions that refused to recognize a duty of care between credit issuers and non-customers in state law negligence actions. This Comment subsequently analyzes the impact of the 1996 amendments to the FCRA and Senate Bill 1753 on the growing crime of identity theft, focusing particularly on the Act's preemption provisions and possible state legislation in spite of the preemptions. This Comment then scrutinizes the difficulties for identity theft victims, which decisions such as Andrews and Smith exacerbate. This Comment next analyzes the inability of identity theft victims to successfully bring common law negligence claims against creditors and CRAs. This Comment then argues for possible amendments to the FCRA that would better protect potential victims of identity theft. Finally, this Comment presents an alternative judicial interpretation of common law negligence claims that would ease victims' recoveries from negligent creditors and CRAs for suffering caused by identity theft.

I. CONGRESS ATTEMPTS TO PROTECT PERSONAL INFORMATION


A. Congress Regulates CRAs with the Fair Credit Reporting Act

Congress enacted the FCRA in 1970 in order to regulate creditors and the obligations of agencies supplying them with information. [FN23] The Act *558 seeks to promote efficiency in the Nation's banking system and protect consumer privacy. [FN24] The Act regulates both the use and content of credit reports, which are generated by a third party (the "consumer reporting agency") based on information supplied by creditors ("furnishers") for future credit-related conclusions by others ("users"). [FN25] The FCRA requires "credit reporting agencies to maintain 'reasonable procedures' designed 'to assure maximum possible accuracy of the information' contained in credit reports and to 'limit the furnishing of [such reports] to' certain statutorily enumerated purposes." [FN26] Furthermore, the Act governs the degree over which a consumer controls her credit report, including the rights of CRAs with respect to the use of such reports and disclosure requirements. [FN27] The original Act provided for civil liability through actions brought by individual consumers and federal regulators, *559 including the Federal Trade Commission. [FN28] However, it substantially limited liability for credit bureaus through provisions that required only "reasonable procedures." [FN29] It also "[limited] defamation actions against credit bureaus for the content of their reports [absent a showing of] 'malice or willful intent to injure such consumer."' [FN30] "The FCRA also [allowed] states to enact [their own] credit reporting laws ... [so long as] they [maintained consistency] with the Act." [FN31]

After six years of deliberation, Congress amended the FCRA in 1996 by adopting the Consumer Credit Reporting Reform Act. [FN32] By doing so, Congress sought to "enhance the accuracy of credit reports, primarily by expanding the practical and legal ability of consumers to access, dispute, and obtain correction of their credit reports." [FN33] Congress attempted to prevent the misuse of personal identifying information and the dissemination of misinformation. [FN34] In light of the existing voluntary reporting system in the United States, Congress could have incorporated either of two fundamentally different regulatory approaches into the FCRA: the preventative approach or the remedial approach. [FN35] The "preventative approach" could have enabled Congress to authorize "specific and mandatory procedures ... for submitting, verifying, matching and re-investigating information on the credit files." [FN36] Instead, Congress incorporated the "'remedial approach,' which harnessed the incentives for producing accurate reports inherent in a competitive credit reporting market, but also established an error detection and correction mechanism initiated by the consumer." [FN37] The remedial approach does provide some incentive for credit bureaus to prevent errors, because the *560 re-verification process remains costly for both them and creditors. [FN38] Thus, "the FCRA reinforces the financial incentive for bureaus to invest in accurate reporting and prevent those errors for which it has a comparative advantage." [FN39] Congress apparently determined that the remedial approach would better serve all parties' interests by correcting the errors found by the consumer rather than attempting to detect errors prior to release. [FN40]

The 1996 amendments aimed to prevent the need for litigation by holding CRAs and furnishers and users of credit reports to a higher standard of care. [FN41] Unfortunately, however, "the Amendments have not achieved their goal and ... in too many instances consumers who want to protect their good name must sue." [FN42] The 1996 Act did in fact authorize states to enforce the FCRA. [FN43] However, Congress recognized the "inherently national nature of credit markets and credit reporting" and thus "preempted the states from enacting statutes or regulations pertaining to the 1996 amendments." [FN44] The resulting federal privacy *561 preemption provisions [FN45] were set to expire on January 1, 2004. [FN46] This *562 gave Congress time to evaluate the statute's performance "[g]iven the dramatic changes that were taking place in technologies, credit, and the uses of credit reports." [FN47] These preemptions prevent states from passing tougher standards with respect to the collection and dissemination of personal information, which could ultimately reduce the incidence of identity theft. [FN48] Additionally, because Congress intended the 1996 *563 amendments to completely obstruct state law, the preemptions prohibit states from imposing stronger duties on CRAs. [FN49]

Although states may not enact legislation dealing specifically with the subject of the 1996 amendments, the California and Georgia Legislatures have nonetheless enacted preventative measures to address privacy and increase consumer protections against identity theft. [FN50] The Social Security number plays an extremely significant role in personal identification in the United States with respect to record-linkage and personal privacy. [FN51] Because many instances of identity theft occur when impostors steal personally identifying information (such as Social Security numbers) from discarded mail, the legislatures in both California and Georgia "have enacted legislation to limit the reproduction of the [Social Security number] in the private sector." [FN52] These legislatures believe that individuals need better protection from impostors maliciously attempting to steal their Social Security numbers, and thus have enacted stricter statutes without violating the FCRA's preemption provisions. [FN53]

*564 Recognizing the changing nature of the credit markets in the U.S. economy, Congress reexamined the FCRA. [FN54] The Senate recently passed legislation (Senate Bill 1753) [FN55] to reauthorize the FCRA, "making permanent national credit reporting standards and imposing new obligations on credit reporting agencies and federal regulators to combat identity theft and encourage more accurate reporting of consumer credit information." [FN56] The Senate bill contains provisions "to combat identity theft, restrict the sharing of consumer information, and improve the accuracy of credit reports." [FN57] Furthermore, the bill would "extend the *565 statute of limitations for civil liability for violations of the FCRA from two to seven years after the date on which the violation occurs, but not later than two years after the violation is discovered." [FN58] The Andrews case, discussed below, demonstrates how such an extension of the statute of limitations will assist identity theft victims trying to clear their tainted record. [FN59]

B. Creditor Liability Remains Limited Under the FCRA

1. The Supreme Court Narrowly Interprets the Statute of Limitations for Actions Brought Under the FCRA

In 2001, the U.S. Supreme Court considered the statute of limitations for suits filed under the FCRA in Andrews. [FN60] In that case, a physician's office receptionist attempted to open credit accounts using patient Adelaide Andrews' Social Security number. [FN61] In response, Andrews filed *566 suit against TRW and Trans Union Corp., claiming that the two defendant CRAs "violated § 1681e(a) of the FCRA, which prohibits disclosure of consumer reports to third parties except for certain enumerated permissible purposes, such as credit transactions in which the consumer is involved." [FN62] Andrews claimed that TRW improperly disclosed her information in response to an impostor's credit application "because TRW failed to verify, predisclosure, that [she] initiated the requests or was otherwise involved in the underlying transactions." [FN63] Andrews further argued that "by processing requests that matched her profile on Social Security number, last name, and first initial but did not correspond on other key identifiers, notably birth date, address, and first name, TRW had facilitated the Impostor's identity theft." [FN64]

*567 In examining Andrews' claims, however, the Court determined that the general discovery rule [FN65] did not apply to toll the statute of limitations on an improper disclosure claim under the FCRA until the consumer's discovery of the CRA's improper decisions. [FN66] Under § 1681p of the FCRA, a party must bring any action to enforce liability created under the Act "within two years from the date on which the liability arises, except that where a defendant has ... willfully misrepresented any information required under [the FCRA] to be disclosed to [the plaintiff] and the information ... is material to [a claim under the FCRA], the action may be brought at any time within two years after [the plaintiff's] discovery of the misrepresentation." [FN67] *568 The Court held that "[t]he Ninth Circuit ... erred in holding that a generally applied discovery rule controls this case." [FN68] Due to the Andrews decision, "victims ... [lost] their opportunity to file a claim against a credit reporting agency for improper disclosures if they learn of the occurrence of a violation at any time after the two-year statute of limitations has expired." [FN69] This placed a significant burden on victims of identity theft, ultimately imposing upon them considerable financial and psychological losses. [FN70]

2. A Missouri Court Holds that Banks Owe No Duty of Care to Non-customers

In Smith v. Citibank, N.A., [FN71] Robin Smith's former employer stole his personal information and applied for a credit card in his name, which was issued by Citibank with the imposter as the secondary card holder. [FN72] Smith sued Citibank alleging that the bank was negligent in opening a credit account in his name on the basis of stolen personal information. [FN73] Smith further alleged that Citibank was negligent in its investigation of disputes regarding liability for amounts due on the account. [FN74]

After rejecting the merits of Smith's negligence claim, the court stated that, in any event, the claim would have failed because Smith failed to notify the agency directly of a dispute pursuant to § 1681i(a)(1) of the Act. [FN75] Because "[t]he record contain[ed] no evidence that Smith [ever] *569 notified [any CRAs,] ... Defendants duty to investigate was [never] triggered." [FN76] Therefore, the court declined to find breach of the duty to investigate Smith's dispute. [FN77] This highlights the difficulty for the many identity theft victims who remain unaware of the statutory procedures for having disputes investigated.

C. Creditor Liability Remains Limited Under Common Law Negligence Claims In addition to identity theft victims seeking recourse based on violations of the FCRA, some victims file suit alleging state law negligence. [FN78] These plaintiffs specifically ask courts to recognize a new cause of action: negligent enablement of impostor fraud. [FN79] Courts, however, have refused to create a new tort of negligent enablement of impostor fraud because they "decline to recognize a legal duty of care between credit card issuers and those individuals whose identities may be stolen." [FN80]

*570 Negligent conduct is that which "falls below the standard established by law for the protection of others against unreasonable risk of harm." [FN81] The Restatement (Second) of Torts defines the standard of conduct to which an actor must conform as "that of a reasonable man under like circumstances." [FN82] In order to establish a claim for negligence, the plaintiff must prove duty, breach, causation, and damages. [FN83] Duty "may be defined as an obligation, to which the law will give recognition and effect, to conform to a particular standard of conduct toward another." [FN84] In other words, duty is the obligation "to conform to the legal standard *571 of reasonable conduct in light of the apparent risk." [FN85] Two views exist concerning liability with respect to the risk involved: (1) limitation of liability to risk and (2) liability beyond the risk. [FN86]

First, the "limitation of liability to risk" theory provides that the same criterion of foreseeability and risk of harm which determined whether the defendant was negligent in the first instance should determine the extent of the liability for that negligence; and that no defendant should ever be held liable for consequences which no reasonable person would expect to follow from the conduct. [FN87]

Whether a defendant owes a duty to a plaintiff depends on the risk of harm and the foreseeable consequences. [FN88] Therefore, "[i]f one could not reasonably foresee any injury as the result of one's act, or if one's conduct was reasonable in the light of what one could anticipate, there would be no negligence, and no liability." [FN89] Indeed, one "will not be held to knowledge of risks which are not known or apparent to him." [FN90]

Second, the "liability beyond the risk" theory provides "that a defendant who is negligent must take existing circumstances as they are, and may be liable for consequences brought about by the defendant's acts, even though they were not reasonably to be anticipated." [FN91] This *572 theory rests on the notion that as between an innocent plaintiff and a negligent defendant "the burden of loss due to consequences beyond the risk should fall, within some quite undefined ultimate limits, upon the wrongdoer." [FN92]

1. New York's Intermediate Appellate Court Refuses to Recognize Negligent Enablement of Impostor Fraud

In Polzer v. TRW, Inc., [FN93] the plaintiffs, individuals whose personal information impostors had stolen and used to obtain credit cards, claimed that the defendant issuers of credit negligently allowed impostors to obtain the credit cards in their names. [FN94] The plaintiffs specifically accused the banks of "facilitat[ing] and exacerbat[ing] the harm plaintiffs suffered." [FN95] The trial court, however, held that New York did not recognize a cause of action for negligent enablement of impostor *573 fraud. [FN96] It thus declined to hold the banks liable "even when [it] failed to take any steps whatsoever to confirm the applicant's identity and where they could have easily and inexpensively done so" because the bank was under no legal duty do so. [FN97] Furthermore, the court held that the plaintiffs failed to state a cause of action for negligence because the issuers "had no special relationship either with the impostor who stole the plaintiffs' credit information and fraudulently obtained credit cards, or with plaintiffs, with whom they stood simply in a creditor/debtor relationship." [FN98] New York's intermediate appellate court upheld the trial court by refusing to recognize that banks have a duty to take greater steps to protect customers from identity theft. [FN99]

2. The South Carolina Supreme Court Refuses To Recognize Negligent Enablement of Impostor Fraud

In the recent South Carolina Supreme Court case, Huggins v. Citibank, N.A., [FN100] Kenneth Huggins, a non-customer, sued three banks alleging that they negligently issued credit cards to an impostor who subsequently used the cards without repaying the banks. [FN101] Huggins claimed that the banks were negligent on four bases:

  1. [I]ssuing the credit cards without any investigation, verification, or corroboration of [the impostor's] identity;
  2. failing to adopt policies reasonably designed to verify the identity of credit card applicants;
  3. adopting policies designed to result in the issuance of credit cards without verifying the identity of applicants; and
  4. attempting to collect [the impostor's] debt from Huggins. [FN102]
Because the case presented unanswered questions of South Carolina state law, the state supreme court examined three main issues. [FN103]

*574 First, the court addressed whether South Carolina law recognized the tort of negligent enablement of impostor fraud. [FN104] Second, the court looked at the possible elements of the tort if South Carolina were to recognize it. [FN105] Third, the court questioned whether Huggins stated a claim for relief. [FN106]

To address these three issues, the court explored the relationship that existed between Huggins and the banks to determine whether a duty of care existed between them. [FN107] The court focused on the fact that Huggins was not a customer at any of the banks. [FN108] It explained that "[i]n a negligence action, the court must determine, as a matter of law, whether the defendant owed a duty of care to the plaintiff." [FN109] The court defined duty as "'the obligation to conform to a particular standard of conduct toward another."' [FN110] According to the court, therefore, duty arises from an existing relationship between an alleged wrongdoer and an injured party. [FN111] Huggins argued that the increase in occurrence of identity theft makes the fraud foreseeable by the banks. [FN112] The court nevertheless maintained that negligence law required proof of a relationship between the plaintiff and the defendant to establish the requisite duty of care. [FN113] The Court further reasoned that "the relationship, if any, between credit card issuers and potential victims of identity theft is far too attenuated to rise *575 to the level of a duty between them." [FN114] Thus, while the court expressed great concern "about the rampant growth of identity theft and financial fraud in this country," [FN115] it nevertheless held that "South Carolina does not recognize the tort of negligent enablement of impostor fraud." [FN116]

II. THE FCRA ULTIMATELY FAILS TO ADDRESS IDENTITY THEFT ADEQUATELY


A. FCRA Improvements and Inadequacies Under Senate Bill 1753

Congress amended the FCRA to protect consumers by "specifying a higher standard of care for CRAs, furnishers, and users of credit reports." [FN117] Some argue, however, that the FCRA has not realized its objective fully. [FN118] Even those closely involved with the drafting of the 1996 amendments have recently described the "need to recognize the reality that the Amendments have not achieved their goal and that in too many instances consumers who want to protect their good name must sue." [FN119] The U.S. credit reporting system relies on "voluntary reporting from thousands of furnishers of credit-related information." [FN120] Therefore, some contend that "the voluntary nature of the reporting process makes it particularly sensitive to the costs imposed by regulatory and legislative mandates." [FN121] In reauthorizing the FCRA with a *576 particular mind towards identity theft, Congress attempted to find a proper balance between consumer protection and efficient credit reporting. [FN122] The bill reauthorizing the FCRA addresses many of the Act's previous shortcomings regarding identity theft. [FN123] However, consumer protection groups remain concerned that the bill fails to provide proper privacy protections and ultimately preempts stronger state protections. [FN124] Senator Dianne Feinstein opposes the bill because she believes that it would "reduce the new privacy protections provided to Californians under the state's new financial privacy law, which sets the strictest financial privacy standards in the country." [FN125] While the Senate rejected Feinstein's amendment, which "would have restricted the sharing of consumers' personal data by some affiliated entities," the bill nonetheless addresses the sharing of consumer information. [FN126] Senate Bill 1753 also proposes improvements in the area of accuracy of consumer information. [FN127] However, the bill adopts the remedial approach to discovery of inaccuracies, which places a heavy burden on *577 consumers to routinely check the accuracy of their credit reports. [FN128] The Fair and Accurate Transactions Act of 2003 amended the FCRA [FN129] by allowing consumers, upon request, to obtain one free copy of their credit report per year in an attempt to help them monitor their financial information so that they can correct any errors. [FN130] However, consumers are nevertheless required to request their credit reports.

Some argue that the federal preemption provisions provide standards under which national creditors may operate without having to adjust to fifty potentially different regiments. [FN131] However, the existing federal privacy preemptions in the FCRA effectively prevent states from holding CRAs liable for negligent dissemination of personal information. [FN132] Furthermore, the preemptions also prevent states from holding banks liable for negligently issuing credit cards to impostors. [FN133] Opponents argue that these national standards weaken consumers' ability to enforce their own rights by creating too many loopholes through which negligent CRAs may escape liability. [FN134] Indeed, some contend that these provisions *578 impede identity theft victims from holding negligent creditors and CRAs liable under common law for economic, psychological, and emotional suffering. [FN135] In reauthorizing the preemptions with new provisions addressing identity theft, Congress attempted to strike a balance between protecting consumers and preserving the efficiency of the national credit reporting system. [FN136]

Although the FCRA's preemption provisions bind states with respect to the collection and dissemination of personal information, state legislatures can take action to prevent identity theft. [FN137] Some state legislatures, like those in California and Georgia, believe they should enact preventative legislation designed to thwart identity theft before it can take place. [FN138] They argue that protective state legislation must limit *579 society's widespread use of personal identifying information. [FN139] While forty-eight states currently have identity theft laws in place, [FN140] almost all these laws fail to address one of the most significant obstacles facing identity theft victims: the statute of limitations. [FN141]

B. Federal Case Law Underscores Obstacles for Consumers

TRW Inc. v. Andrews [FN142] highlights a particular difficulty for victims bringing suit under the FCRA by narrowing the two-year statute of limitations. [FN143] The Andrews Court protected CRAs by limiting the time during which injured plaintiffs could bring negligence suits. [FN144] Arguably, by the time victims know to file suit against negligent creditors, the two-year statute of limitations may have already run. Identity theft victims often do not "learn of the crime for a year or more, only after something goes terribly wrong, because thieves often shield their actions by using a different address when they open new accounts in the victim's name." [FN145] Congress realized this problem and extended the statute of limitations under Senate Bill 1753 from two to seven years after the date of violation, but no later than two years after discovery of the violation. [FN146] Because uncertainty remains as to the application of Andrews' holding to state-law identity theft claims, states must enact comprehensive identity theft laws that directly address the statute of limitations. [FN147]

Smith v. Citibank, N.A. [FN148] erected greater impediments to victims suing negligent banks and CRAs under the FCRA. [FN149] Section 1681s-2 of the FCRA [FN150] makes it difficult to trigger a bank's duty to investigate disputes regarding liability for amounts due on a consumer's account. [FN151] Some *580 argue that the remedial approach adopted by Congress in the FCRA provides the most cost-efficient way of detecting and investigating errors on consumer credit reports. [FN152] However, others argue that the dramatically increasing incidence of identity theft necessitates a preventative approach. [FN153] They believe that the notice requirement incorporated in the national standards provides CRAs with many loopholes through which they can avoid liability for negligent reporting of information and investigation of disputes. [FN154]

C. Common Law Underscores Obstacles for Consumers

Common law negligence claims also have created difficulties for identity theft victims trying to hold creditors liable for issuing credit cards to impostors. [FN155] Because most courts have adopted the "limitation of liability to risk" theory, identity theft victims must prove that identity theft is a foreseeable consequence of negligent dissemination of personal information and negligent issuance of credit cards. [FN156] Polzer v. TRW, Inc. [FN157] demonstrates one court's refusal to recognize a duty of care between creditors and potential victims of identity theft. The court apparently believed that the remedial approach to consumer credit reporting better served all parties' interests and thus requires consumers to discover mistakes in their own credit reports. [FN158] However, one may argue that "firms in the credit industry are better able than injured consumers to spread the losses from identity theft among those who benefit from credit." [FN159] This suggests that courts should adopt the *581 "liability beyond the risk" theory with respect to furnisher negligence. [FN160] The current system requires only that credit bureaus "follow reasonable procedures to assure maximum possible accuracy" when reporting on an individual. [FN161] It may be argued further that such a system allows the agencies to avoid the damaging consequences of identity theft while shifting the entire burden to bear the cost to the innocent consumer. [FN162] The Huggins v. Citibank, N.A. [FN163] court also refused to recognize the tort of negligent enablement of impostor fraud because no duty of care exists "between credit card issuers and those individuals whose identities may be stolen." [FN164] Indeed, no statutory or common law duty currently exists between negligent credit card issuers and potential victims of identity theft. [FN165] The Huggins court held that the relationship "between credit card issuers and potential victims of identity theft is far too attenuated to rise to the level of a duty." [FN166] However, at least one commentator contends that as between a negligent issuer of a credit card and an innocent consumer, the bank can better shoulder the loss incurred from identity theft. [FN167] Furthermore, it can be argued that liability should ultimately fall on the wrongdoer when the mistakes of negligent creditors and CRAs affect innocent consumers. [FN168]

*582 III. CONGRESS AND THE STATES MUST WIELD A STRONGER HAND AGAINST


IDENTITY THIEVES


A. Congress Must Better Protect Identity Theft Victims

Congress must hold CRAs, furnishers, and users of credit reports to a higher standard of care to sufficiently protect the use and dissemination of consumers' personal identifying information. [FN169] Under the FCRA's existing national standards, which merely require that creditors not furnish information that either they know is inaccurate or they consciously avoid knowing is inaccurate, [FN170] creditors can freely disseminate information that they have failed to adequately investigate. [FN171] The remedial approach incorporated into the Act by Congress provides some incentive for a credit bureau to prevent errors because the reverification process remains costly for both credit bureaus and creditors. [FN172] However, this approach reinforces the financial incentive for bureaus to invest in accurate reporting and prevent only those errors for which they have a comparative advantage. [FN173] Clearly, these national standards do allow "credit grantors too much leeway to engage in sloppy reporting practices." [FN174] Although the Senate bill addresses the accuracy of consumer information, the Act still relies on consumers to discover inaccuracies in their own credit reports. [FN175] Congress again has placed a heavy burden on consumers to initiate an error detection and correction mechanism. [FN176] While this apparently represents the most cost-effective approach because consumers can theoretically determine accuracy at the lowest cost, this policy mandates that consumers routinely check their *583 credit history. [FN177] Unfortunately, most victims of identity theft remain unaware of the dangers posed by the crime and fail to adequately scrutinize their own credit reports. Therefore, a preventative approach that mandates stricter procedures for CRAs and creditors in "submitting, verifying, matching, and re-investigating information on credit files" would better protect against identity theft. [FN178] While this might increase operating costs that would ultimately pass to consumers, creditors can spread their costs among hundreds of thousands of consumers rather than forcing victims of identity theft to bear the entire cost alone. [FN179] In placing the responsibility for monitoring file accuracy on the consumer, the FCRA essentially relieves credit bureaus of the duty to adequately investigate consumer information before mistakes occur. [FN180] In light of the dramatically increasing rate of identity theft, bureaus should have a greater role in preventing the crime before it occurs. [FN181] State legislatures should also take preventative action by enacting laws similar to those passed in California and Georgia. [FN182] By taking steps to prevent careless dissemination of personal information, states can adopt their own preventative approach to battling identity theft that would compliment the FCRA's remedial approach. [FN183]

Furthermore, the existing notice requirement on which the Smith court relied makes it too difficult for consumers to trigger a CRA's duty to investigate. [FN184] Presumably, the average consumer remains unaware of this intricate notification process mandated by the FCRA. Congress must amend the Act to facilitate the process through which consumers can correct errors made by credit issuers. [FN185] Consumers should not have *584 to meet the strict technical requirement of directly notifying the CRA of a dispute. [FN186] Unfortunately, most consumers remain unaware of the mandatory procedures necessary to trigger a CRA's duty to investigate. By amending § 1681i of the Act and making this duty easier to trigger, Congress could better protect consumer interests and simultaneously promote accuracy in the national credit reporting system.

B. Federal Courts Must Better Protect Identity Theft Victims

Federal courts can better protect identity theft victims by applying the FCRA with a heavier hand against negligent creditors and CRAs. [FN187] The new provisions in H.R. 2622 addressing the statute of limitations will give victims five more years to file claims under the FCRA. [FN188] Senate Bill 1723 proposed an amendment to the Act requiring an action under the FCRA to be brought "not later than 2 years after the date on which the violation is discovered or should have been discovered by the exercise of reasonable diligence." [FN189] This new limitations period for civil liability under the Act will better enable the FCRA to achieve its original purpose by protecting consumers against negligent dissemination of personal information. [FN190] Indeed, courts now will no longer have to follow *585 the precedent that dismissed the claim in Andrews for exceeding the two-year statute of limitations, even when the plaintiff did not know that someone had stolen her identity. [FN191] Federal courts must also recognize a duty of care between banks and non-customers when a bank negligently issues a credit card to an impostor. As between a negligent issuer of a credit card and an innocent consumer, the creditor can better bear the loss incurred as a result of identity theft and the CRAs can better avoid the damage through heightened controls. [FN192] Furthermore, in such a case, the negligent creditor clearly acts in a more wrongful manner than does the innocent consumer. [FN193] Courts in the past have held that issuers of credit have no special relationship with identity theft victims or impostors who steal their personal information. [FN194] However, courts must acknowledge that the increase in identity theft has effectively created a relationship between creditors and consumers giving rise to a higher duty of care. [FN195] Recognition of such a relationship will force CRAs and issuers of credit cards to act with greater care with respect to consumers' personal information. [FN196]

C. State Courts Must Better Protect Identity Theft Victims

State courts must recognize the new tort of negligent enablement of impostor fraud. The Huggins court's reference to the "rampant growth of identity theft and financial fraud in this country" evinces the need to address America's fastest growing white collar crime. [FN197] State courts must adopt the "liability beyond the risk" theory when examining common law negligence claims against credit bureaus and CRAs. [FN198] This will require the exercise of greater care in disseminating personal information and in issuing credit cards. While CRAs argue that identity theft remains an unforeseeable consequence of such negligence, the crime's unbridled proliferation confirms that they should anticipate its *586 occurrence. [FN199] Indeed, the escalating prevalence of identity theft makes the crime a reasonably foreseeable consequence of negligent dissemination of a consumer's personal information. [FN200] In the exercise of ordinary care, a CRA should anticipate that negligent reporting could possibly injure consumers even when a credit bureau might not anticipate the particular injury that might occur. [FN201]

By employing "liability beyond the risk," courts can establish a legal duty for an issuer of credit cards to confirm applicants' identities. [FN202] "Limitation of liability to the risk" enables CRAs and banks to disseminate personal information and issue credit cards without serious inquiry or proof that the consumer is in fact who he or she claims to be. [FN203] Indeed, the Polzer court refused to hold the bank liable "even when they failed to take any steps whatsoever to confirm the applicant's identity and where they could have easily and inexpensively done so." [FN204] "Liability beyond the risk" will impose a greater duty on CRAs and creditors to exercise greater care and thus significantly reduce the possibility of identity theft. [FN205]

IV. CONCLUSION


Congress designed the FCRA to regulate CRAs and the creditors to whom they supply information. Unfortunately, millions of identity theft victims like those introduced at the beginning of this Comment serve as living proof that the FCRA has not achieved its goal. Congress recently addressed the failure of the Act in its recent reauthorization, which included remedial provisions addressing identity theft. However, innocent consumers need even better protection in an age where identity thieves can easily obtain another person's personal information. First, Congress must incorporate a preventative approach into the FCRA that mandates stricter procedures for creditors and CRAs submitting, verifying, matching, and re-investigating information on credit files. This preventative approach will preclude identity theft before it can occur. Additionally, state legislatures must take preventative action to inhibit *587 overuse of personal information throughout the United States. Congress must also modify the FCRA's notification requirement so that consumers trying to dispute their credit reports can do so more easily. Most consumers remain unaware of the stringent procedures currently required under the Act for reporting disputes to CRAs, who then notify furnishers of information. Third, Congress must establish a duty of care between negligent issuers of credit cards and innocent victims of identity theft. Creditors and CRAs can spread the costs associated with preventing identity theft to hundreds of thousands of consumers with ease. Furthermore, the increasing incidence of the crime indicates that a relationship does in fact exist between creditors and consumers that gives rise to a duty of care with respect to the collection and dissemination of consumers' personal information. Finally, state courts must protect identity theft victims by employing the "liability beyond the risk" theory and ultimately recognize the new tort of negligent enablement of impostor fraud. Otherwise, many more millions of Americans will suffer the "physically, emotionally, psychologically, spiritually, and financially ... life altering experience" of identity theft. [FN206]

[FNf1]. J.D. Candidate, May 2005, The Catholic University of America, Columbus School of Law. The author wishes to thank his wife, Céline, and his parents for their relentless support and encouragement. The author would also like to thank Megan Delany, whose constant insight and criticism made this possible in the first place.

[FN1]. Identity Theft: How To Protect and Restore Your Good Name: Hearing Before the S. Subcomm. on Tech., Terrorism, & Gov't Info. of the Comm. on the Judiciary, 106th Cong. 26 (2002) (statement of Michelle Brown, Identity Theft Victim).

[FN2]. Fighting Identity Theft -- The Role of FCRA: Hearing Before the House Subcomm. on Fin. Insts. & Consumer Credit of the Comm. on Fin. Servs., 108th Cong. 185 (2003) [hereinafter Fighting Identity Theft Hearing] (statement of Maureen V. Mitchell, Ohio Identity Theft Victim).

[FN3]. Joseph A. Medrano, the co-founder and chief executive officer of Identity Fraud, Inc., said:
"Identity fraud is very prevalent and very serious[.]" ... "It can be an extraordinarily invasive, complex, and devastating crime. Unprotected victims have their lives turned upside down. Clearing one's name, financially and legally, can be tremendously frustrating, time-consuming, and expensive. As people discover the extent of their problems, they find that identity fraud exacts a profound financial and emotional toll."
Press Release, Identity Fraud, Inc., Identity Fraud: Bad and Getting Worse (Aug. 6, 2002), available at http:// www.identityfraud.com/company/prnewswire.pdf.

[FN4]. The Fair Credit Reporting Act and Issues Presented by Reauthorization of the Expiring Preemption Provisions: Hearings Before the S. Comm. on Banking, Hous., & Urban Affairs, 108th Cong. 69 (2003) [hereinafter Preemption Provisions Hearings] (statement of Sen. Richard C. Shelby, Chairman, Comm. on Banking, Housing, and Urban Affairs). Stolen information may include a person's "name, social security number, address, birth date, unique passwords, even biometric information." Overexposed: The Threats to Privacy and Security on Filesharing Networks: Hearing Before the House Comm. on Gov't Reform, 108th Cong. 69 (2003) (testimony of Mari J. Frank, Esq.). However, an identity thief in reality only needs another's full name, Social Security number, and birth date to open credit or bank accounts under another's name or to drain already existing accounts. Stop Thieves from Stealing You, CONSUMER REP., Oct. 2003, at 12, 13.

[FN5]. Howard Beales, Director of the Federal Trade Commission's Bureau of Consumer Protection, acknowledged that "[w]e have never had an estimate of the overall incidence of [identity theft]." Jennifer Lee, Identity Theft Victimizes Millions, Costs Billions, N.Y. TIMES, Sept. 4, 2003, at A20.

[FN6]. Press Release, supra note 3. Indeed, thieves victimized seven million people in 2002 alone, according to a recent survey by Privacy & American Business. Identity Theft Victims Skyrocket, Surveys Say, INFO. MGMT. J., Nov./ Dec. 2003, at 17, 17. The U.S. General Accounting Office has reported that rates of identity theft grow annually more than 300%. Christopher P. Couch, Forcing the Choice Between Commerce and Consumers: Application of the FCRA to Identity Theft, 53 ALA. L. REV. 583, 585 (2002).

[FN7]. Preemption Provisions Hearings, supra note 4; see also Press Release, supra note 3, at 2 ("In today's business environment, in which sensitive information is being transferred and targeted via the Internet, mail, and the phone, individuals and organizations are increasingly vulnerable to identity crimes."); Patrick Reyna, Statewide Grand Jury: We must all fight ID theft, ASSOCIATED PRESS STATE & LOCAL WIRE, Nov. 13, 2002, LEXIS, AP File. Aided by advances in technology, criminals now can easily steal credit card information in different ways, print fake credit cards or checks, open new bank accounts, buy cars or boats and even take out mortgages, the [final report of Florida's statewide grand jury convened in June 2001 at the request of Florida Governor Jeb Bush] said. Id.

[FN8]. John Ford, Chief Privacy Officer at Equifax, one of the three major credit-reporting companies, said that "the scope of the [identity theft] problem is moving international and moving to larger rings of criminals." Lee, supra note 5. Indeed, criminals also use identity theft to avoid detection while committing various international crimes such as drug trafficking and terrorism. Stop Thieves from Stealing You, supra note 4. For example, authorities have discovered that members of Al-Qaeda frequently use identity theft both to avoid detection and to support their terrorist activities. Identity Theft: Hearings Before the S. Subcomm. on Tech., Terrorism, & Gov't Info. of the Comm. on the Judiciary, 107th Cong. 89 (2002) (statement of Dennis M. Lormel, Chief, Terrorist Financial Review Group, Federal Bureau of Investigation) (explaining that a terrorist cell in Spain used stolen credit and telephone cards as well as false passports to facilitate illegal activities); see also Sheila R. Cherry, Al-Qaeda May Be Stealing Your ID, INSIGHT ON NEWS, Aug. 26, 2002, at 18.

Al-Qaeda terrorist cells hiding in Spain used stolen credit cards to make numerous purchases, being careful to keep their spending below levels at which identification would be needed, according to the FBI. Extensive use of false passports and travel documents were used to open bank accounts where money for the mujahideen movement was sent to and from countries that include Pakistan and Afghanistan .... Id.

[FN9]. Fighting Identity Theft Hearing, supra note 2, at 17 (statement of Tim Caddigan, Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service); see also Stop Thieves from Stealing You, supra note 4 ("[Identity theft] is an equal-opportunity crime, affecting victims of all races, incomes, and ages.").

[FN10]. Erin M. Shoudt, Comment, Identity Theft: Victims "Cry Out" for Reform, 52 AM. U. L. REV. 339, 342-43 (2002).

[FN11]. Fighting Identity Theft Hearing, supra note 2, at 15 (statement of Daniel L. Mihalko, Inspector in Charge, Congressional and Public Affairs, U.S. Postal Inspection Service).

[FN12]. Id.; see Stop Thieves from Stealing You, supra note 4 ("Typically, federal laws cap monetary losses to consumers, but even in routine cases, it takes victims two years on average to clear their names, according to the Privacy Rights Clearinghouse, a nonprofit advocacy group.").

[FN13]. See 15 U.S.C. § 1681c(a) (2000).

[FN14]. Stop Thieves from Stealing You, supra note 4. In addition to identity theft victims, businesses and financial institutions also suffer losses from the implications of this crime. Indeed, according to the Identity Theft Resource Center in San Diego, cases of identity theft cost businesses an average of $17,000 per incident. Katie Kuehner-Hebert, Setting New Policies To Catch Identity Thieves, AM. BANKER, Jun. 11, 2003, at 5A, 2003 WL 3346655. The Federal Trade Commission quotes the current cost to business at $18,000 per incident. Stop Thieves from Stealing You, supra note 4. These losses to businesses ultimately impact the pocketbooks of consumers. Indeed, "[t]he $4.2 billion that businesses will lose this year to the crime, a figure expected to mushroom to more than $8 billion by 2006, [will be] recoup[ed] by charging [consumers] higher fees and prices." Id. Thus, while identity theft may begin as a personal attack on an individual through the theft of one's personal information, its implications and effects eventually extend society-wide.

[FN15]. During the time a victim spends trying to clear his or her name, he or she may face denial of credit by lenders or retailers relying on false information, loss or denial of employment, and criminal prosecution or civil liability for fraud, conversion, or breach of contract. Couch, supra note 6, at 586.

[FN16]. Cherry, supra note 8. Identity theft victim John Stevens further explained:
The perpetuation of identity theft has created a new product line for the credit bureaus, which now sell services alerting cardholders to significant changes on their credit reports .... Protecting the integrity and ensuring the accuracy of information contained in a credit report should be a normal part of their operation and not just available to those willing to pay them for protection. Id.

[FN17]. See Couch, supra note 6, at 597 ("The consumer should only shoulder the burden of cleaning up after the thief if the theft was completely unavoidable .... [But,] often the credit reporting agencies have an indication that a thief is at work.").

[FN18]. §§ 1681-1681x U.S.C.A. (West 1998 & Supp. 2004).

[FN19]. 534 U.S. 19 (2001).

[FN20]. No. 00-0587-CV-W-1-ECF, 2001 WL 34079057 (W.D. Mo. Oct. 3, 2001).

[FN21]. 682 N.Y.S.2d 194 (App. Div. 1998).

[FN22]. 585 S.E.2d 275 (S.C. 2003).

[FN23]. Pub. L. No. 91-508, § 602, 84 Stat. 1127, 1128 (1970). The FCRA's "provisions regulate the behavior of [credit reporting] agencies and the sources of the information they use." Jeff Sovern, The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 64 U. PITT. L. REV. 343, 388 (2003). One article noted that [i]n its "findings" in the preamble to the Act, Congress highlighted the delicate balance it was trying to craft: "The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system .... There is a need to ensure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's privacy." MICHAEL E. STATEN & FRED H. CATE, DOES THE FAIR CREDIT REPORTING ACT PROMOTE ACCURATE CREDIT REPORTING? 9 (Joint Ctr. for Hous. Studies, Harvard Univ., Working Paper No. BABC 04-14, 2004), available at http:// www.jchs.harvard.edu/publicaions/finance/babc/babc_04-14.pdf (omission in original) (quoting 15 U.S.C. § 1681(a)). Indeed, the Act attempts to "balance the competing interests of the credit reporting industry and consumers." Shoudt, supra note 10, at 349. "More specifically, the Act 'governs the information practices of consumer reporting agencies, such as credit bureaus, and the use of consumer reports and the sharing of affiliate information by financial institution holding companies and other multicompany organizations."' Neal R. Pandozzi, Beware of Banks Bearing Gifts: Gramm-Leach-Bliley and the Constitutionality of Federal Financial Privacy Legislation, 55 U. MIA. L. REV. 163, 211 (2001) (quoting 15 U.S.C. § 1681 (1994)).

One of the FCRA's primary goals was to create a regulatory structure that would encourage the creation of credit history files that were factually correct and sufficiently descriptive of a consumer's credit usage so that businesses could rely upon the information to make products and services more readily available to consumers. STATEN & CATE, supra, at 2.

[FN24]. See 15 U.S.C. § 1681(a) (2000); see also Pandozzi, supra note 23, at 211-12 (explaining that because banks depend on fair and accurate credit reporting "[t]o evaluate its customers' character, reputation, credit worthiness, credit standing and credit capacity ... [i]naccurate and unfair credit reporting impairs the efficiency of, and undermines, public confidence in the banking system").

[FN25]. Couch, supra note 6, at 588.

[FN26]. TRW Inc. v. Andrews, 534 U.S. 19, 23 (2001) (alteration in original) (quoting 15 U.S.C. § 1681e(a)-(b) (1999 & Supp. V)). Fifteen U.S.C. § 1681(b) requires that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.

15 U.S.C. § 1681(b) (2000). The FCRA defined "consumer reporting agency" to mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

Id. Viewed as the foundation of our national credit system, the Fair Credit Reporting Act governs personal credit records maintained by consumer reporting agencies (CRAs), which "collect and compile information on consumers' creditworthiness from financial institutions, public records, and other sources." Preemption Provisions Hearings, supra note 4, at 191 (statement of Michael W. Naylor, Director of Advocacy, AARP). In other words, the FCRA is designed to "assure consumers that reporting agencies use reasonable procedures for collecting, using, and disseminating information." Yelder v. Credit Bureau of Montgomery, L.L.C., 131 F. Supp. 2d 1275, 1280 (M.D. Ala. 2001).

[FN27]. Preemption Provisions Hearings, supra note 4, at 191 (statement of Michael W. Naylor, Director of Advocacy, AARP).

[FN28]. 15 U.S.C. §§ 1681n-1681o, 1681s (2000); see also STATEN & CATE, supra note 23, at 12.

[FN29]. 15 U.S.C. § 1681m(c) (2000); see also STATEN & CATE, supra note 23, at 12.

[FN30]. STATEN & CATE, supra note 23, at 12 (quoting 15 U.S.C. § 1681h(e) (2000)).

[FN31]. Id. at 13.

[FN32]. Pub. L. No. 104-208, 110 Stat. 3009 (1996) (codified as amended in scattered sections of 15 U.S.C.).

[FN33]. STATEN & CATE, supra note 23, at 15. Furthermore, "[t]he 1996 Amendments aimed to address several problems, including chronic inaccuracy, non-responsiveness and inadequate reinvestigations by consumer reporting agencies (CRAs) and furnishers, the reinsertion of previously deleted data and the impermissible use of credit reports." Preemption Provisions Hearings, supra note 4, at 481 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times).

[FN34]. See Preemption Provisions Hearings, supra note 4, at 481 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times).

[FN35]. STATEN & CATE, supra note 23, at 21.

[FN36]. Id. "In essence, the regulators would stipulate how to run the credit reporting process." Id.

[FN37]. Id. ("Consumers would be permitted (and encouraged) to monitor their own files, and to dispute items perceived to be incorrect.").

[FN38]. Id. at 22. Staten and Cate further explain how all parties share in the costs associated with prevention and detection of reporting errors:
The remedial approach imposes some additional costs on the consumer as well, most notably in the event that an erroneous credit report leads to rejection for credit, insurance or employment. The FCRA gives consumers the opportunity to avoid the higher cost of rejection by purchasing and reviewing a copy of their credit report, at any time, as a preventative measure. The 1996 FCRA amendments placed a ceiling of $8 on the price bureaus could charge consumers for a copy of their credit report .... Responding to swelling consumer interest in detecting fraud and preserving the integrity of their credit files, by 2002 all three of the major U.S. repositories (Equifax, Experian, and Trans Union) had begun offering services to consumers who wish to monitor their credit files on a regular basis. Id. at 22 n.81.

[FN39]. Id. at 23.

[FN40]. See id.

[FN41]. Preemption Provisions Hearings, supra note 4, at 482 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times).

[FN42]. Id. Evan Hendricks, editor and publisher of the Privacy Times stated, "The record is clear that credit report inaccuracy, inadequate reinvestigations, CRA and furnisher non-responsiveness, reinsertion and impermissible use persist to this day as serious problems that are damaging to consumers and the credit reporting system itself." Id. at 481. "Reinsertion" refers to a CRA disseminating to a credit bureau incorrect credit reports which consumers have disputed and the CRA has insufficiently investigated. See 15 U.S.C. § 1681i(a)(5) (2000). Hendricks further explained the difficulty that plaintiffs face in filing suit under the FCRA, which proves to be an especially overwhelming experience due to the large discovery challenges and CRA litigation tactics. Preemption Provisions Hearings, supra note 4, at 482 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times). Additionally, very few plaintiffs' attorneys actually specialize in this area, making it extremely difficult for plaintiffs to find representation. Id.

[FN43]. 15 U.S.C. § 1681s(c) (2000).

[FN44]. STATEN & CATE, supra note 23, at 19.

[FN45]. Section 1681t of the FCRA discusses the way in which the Act relates to state laws. 15 U.S.C. § 1681t (2000). Section 1681t(a) provides:

Except as provided in subsections (b) and (c) of this section, this subchapter does not annul, alter, affect, or exempt any person subject to the provisions of this subchapter from complying with the laws of any State with respect to the collection, distribution, or use of any information on consumers, except to the extent that those laws are inconsistent with any provision of this subchapter, and then only to the extent of the inconsistency. Id. § 1681t(a). Section 1681t(b) provides:
No requirement or prohibition may be imposed under the laws of any State--
(1) with respect to any subject matter regulated under--
(A) subsection (c) or (e) of section 1681b of this title, relating to the prescreening of consumer reports;
(B) section 1681i of this title, relating to the time by which a consumer reporting agency must take any action, including the provision of notification to a consumer or other person, in any procedure related to the disputed accuracy of information in a consumer's file, except that this subparagraph shall not apply to any State law in effect on September 30, 1996;
(C) subsections (a) and (b) of section 1681m of this title, relating to the duties of a person who takes any adverse action with respect to a consumer;
(D) section 1681m(d) of this title, relating to the duties of persons who use a consumer report of a consumer in connection with any credit or insurance transaction that is not initiated by the consumer and that consists of a firm offer of credit or insurance;
(E) section 1681c of this title, relating to information contained in consumer reports, except that this subparagraph shall not apply to any State law in effect on September 30, 1996; or
(F) section 1681s-2 of this title, relating to the responsibilities of persons who furnish information to consumer reporting agencies, except that this paragraph shall not apply--
(i) with respect to section 54A(a) of chapter 93 of the Massachusetts Annotated Laws (as in effect on September 30, 1996); or
(ii) with respect to section 1785.25(a) of the California Civil Code (as in effect on September 30, 1996);
(2) with respect to the exchange of information among persons affiliated by common ownership or common corporate control, except that this paragraph shall not apply with respect to subsection (a) or (c)(1) of section 2480e of title 9, Vermont Statutes Annotated (as in effect on September 30, 1996); or
(3) with respect to the form and content of any disclosure required to be made under section 1681g(c) of this title. Id. § 1681t(b). Therefore, § 1681t of the Act [under] the 1996 amendments [specifically] prohibited state laws [pertaining to]:
1. Information-sharing among affiliates (except for two provisions of Vermont law);
2. Prescreening;
3. Notices to be included with prescreened solicitations;
4. Summary of consumer rights to be provided to individuals;
5. Responsibilities of persons who take adverse action based on a credit report;
6. Time to complete reinvestigations;
7. Furnisher responsibilities (except for provisions of California and Massachusetts law); and
8. Time periods for determining the obsolescence of information in consumer credit reports.
STATEN & CATE, supra note 23, at 17 (footnotes omitted).

[FN46]. Louis Trager, Hill, Courts, FTC, Companies Grapple with Information Privacy, WARREN'S WASH. INTERNET DAILY, Aug. 13, 2003, 2003 WL 16117999; see also Preemption Provisions Hearings, supra note 4, at 192 (statement of Michael W. Naylor, Director of Advocacy, AARP). The doctrine of preemption refers to "[t]he principle (derived from the Supremacy Clause) that a federal law can supersede or supplant any inconsistent state law or regulation." BLACK'S LAW DICTIONARY 1197 (7th ed. 1999). Therefore, a state may not enact legislation inconsistent with such federal laws. The complete-preemption doctrine refers to the "rule that a federal statute's preemptive force may be so extraordinary and all-encompassing that it converts an ordinary state-common-law complaint into one stating a federal claim for purposes of the well-pleaded-complaint rule." Id. at 279.

[FN47]. STATEN & CATE, supra note 23, at 17. According to Michael Naylor, the seven preemptions prevent states from overriding or changing the responsibilities and duties of CRAs to consumers. Preemption Provisions Hearings, supra note 4, at 192 (statement of Michael W. Naylor, Director of Advocacy, AARP).

Specific[ally,] the Federal preemptions ... prevent the States from overriding or changing:
The responsibilities of organizations and businesses that furnish information to reporting agencies.
The duties of organizations and businesses to notify consumers when they have been denied credit or employment based on information in their credit reports.
Procedures that a consumer reporting agency must use if a consumer disputes the accuracy of information.
The information that may be included in consumer reports, including the time during which consumer reporting agencies are permitted to report adverse data.
The form or content of the summary of rights that a consumer reporting agency is required to provide a consumer along with information in the consumer's file.
The exchange of information among affiliated institutions.
Prescreening procedures that provide consumers with credit or other financial services or product lines. Id.

[FN48]. See Preemption Provisions Hearings, supra note 4, at 192 (statement of Michael W. Naylor, Director of Advocacy, AARP); id. at 492 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times). Unfortunately, these preemptions make it difficult for states to protect consumers with respect to personal identifying information. Id. ("[C]onsumer protection would be advanced by [allowing] States to protect their citizens in these areas, particularly if Congress is unable to enact a sufficiently strong national standard.").

[FN49]. See 15 U.S.C. § 1681t(b)(1)(D) (2000). "The FCRA's preemption provision covers information-sharing among affiliates without specifically limiting the information's scope to 'consumer reports."' Pandozzi, supra note 23, at 212. The provision thus "trumps any state law that will prevent or restrict information exchanges between affiliates." Id.

[FN50]. Preserving the Integrity of Social Security Numbers and Preventing Their Misuse by Terrorists and Identity Thieves: Joint Hearing Before the House Subcomm. on Social Sec. of the Comm. on Ways & Means and the Subcomm. on Immigration, Border Sec. & Claims of the Comm. on the Judiciary, 107th Cong. 79, 83 (2002) (statement of Chris Jay Hoofnagle, Legislative Counsel, Electronic Privacy Information Center).

[FN51]. Id. at 78.

[FN52]. Id. at 78-80, 83. In California, Senate Bill 168 provides individuals the ability to request that a "security alert" be placed on their credit record via a toll-free phone number. The bill also enables Californians to request a "security freeze" that prevents credit agencies from releasing personal information from an individual's credit report. The bill places important restrictions on use of the [Social Security number] -- public posting of a [Social Security number] and printing the [Social Security number] on an identity card or document used to obtain a product or service is prohibited. Businesses that use the [Social Security number] to identify customers, such as utility companies, will no longer be permitted to print the [Social Security number] on invoices or bills sent through the mail.

Id. at 83. In Georgia, businesses now must safely dispose of records that contain personal identifiers. Business records -- including data stored on computer hard drives -- must be shredded or in the case of electronic records, completely wiped clean where they contain [Social Security numbers], driver's license numbers, dates of birth, medical information, account balances, or credit limit information. The Georgia law carries penalties up to $10,000. Id.

[FN53]. See id. "Without a framework of restrictions on the collection and use of the [Social Security number] and other personal identifiers, identity theft will continue to increase, endangering individuals' privacy and perhaps the security of the Nation." Id. at 84.

[FN54]. See Preemption Provisions Hearings, supra note 4. Senator Shelby explained:
In just the 6 years since the Fair Credit Reporting Act was last amended, significant changes have occurred. There are new participants, new technologies, new information use practices, and new products. Indeed, there is more that has changed than has remained the same in the operation of the credit markets since the last time Congress considered the Fair Credit Reporting Act.

While many of these changes introduced positive features, such as more credit and an expedited process for obtaining credit, not every new development has been positive. Unfortunately, as our economy has grown more automated, allowing more and more depersonalized transactions to occur, and, as the transfer of personally identifiable information has become much more frequent, a new type of crime that takes advantage of these circumstances has emerged -- identity theft. Id.

[FN55]. Senate Passes Fair Credit Reporting Bill; Measure Moves to House-Senate Conference, 72 U.S.L.W. 2263, 2263 (Nov. 17, 2003) [hereinafter Senate Passes Bill]. The National Consumer Credit Reporting System Improvement Act of 2003 was passed by a roll-call vote of 95-2. Id. The House passed a similar bill, House Bill 2622, on September 10, 2003. Id. According to a House Financial Services spokesman, "[t]he biggest difference between the two bills is a provision in the Senate bill that would give consumers an opt-out from marketing solicitations based on information shared by affiliated institutions .... Another area for resolution relates to differences in the requirements for notices of counter-offers of credit." Id.

[FN56]. Id. Furthermore, "the bill would make the national credit reporting standards permanent by eliminating a Jan. 1, 2004, sunset from the statute's preemption of state credit reporting laws." Id.

[FN57]. Id. [T]he bill ... would require [CRAs] to take the following steps:
upon a consumer's good faith allegation and request, to include a fraud alert in the consumer's credit file for at least 90 days;
upon the request of a consumer who files an identity theft report, or upon receipt of a properly completed copy of a Federal Trade Commission-developed and standardized affidavit of identity theft, to include a fraud report in the consumer's file for seven years;
block the reporting of information that the consumer alleges resulted from identity theft: and refer such fraud alert to consumer reporting agencies.
Other provisions target identity theft by:
mandating the truncation of credit and debit card numbers, with printing of no more than the last five digits; imposing new duties on companies furnishing information to credit reporting agencies and on debt collectors; and allowing consumers to access their credit reports once a year without charge and when fraud alerts are placed on the report. Id. at 2263-64.

[FN58]. Id. at 2263.

[FN59]. TRW Inc. v. Andrews, 534 U.S. 19 (2001) (interpreting the FCRA's statute of limitations strictly and holding that Andrews was barred from relief under the Act because she filed her complaint after the two-year statute of limitations had run, even though she had only discovered her victimization seventeen months before filing suit); see infra Part I.B.1.

[FN60]. Andrews, 534 U.S. at 22; see also David E. Worsley, Fair Credit Reporting Cases Illustrate Risks for Credit Reporting Agencies, Creditors, and Lawyers, 56 CONSUMER FIN. L.Q. REP. 68, 70-71 (2002), WL 56 CONFLQR 68.

[FN61]. Andrews, 534 U.S. at 23-24. The impostor stole Andrews' information "simply by misusing her position as a doctor's receptionist and copying the information that [Andrews], as a patient in that office, supplied to the doctor." Andrews v. TRW Inc., 225 F.3d 1063, 1065 (9th Cir. 2000), rev'd, 534 U.S. 19 (2001).

[Specifically, o]n June 17, 1993, the plaintiff (Andrews) visited a radiologist's office in Santa Monica, California. She filled out a new patient form listing certain basic information, including her name, birth date, and social security number. Andrews handed the form to the office receptionist, one Andrea Andrews (the Impostor), who copied the information and thereafter moved to Las Vegas, Nevada. Once there, the Impostor attempted on numerous occasions to open credit accounts using Andrews' social security number and her own last name and address.

On four of those occasions, the company from which the Impostor sought credit requested a report from TRW. Each time, TRW's computers registered a match between Andrews' social security number, last name, and first initial and responded by furnishing her file. TRW disclosed Andrews' credit history at the Impostor's request to a bank on July 25, 1994, to a cable television company on September 27, 1994, to a department store on October 28, 1994, and to another credit provider on January 3, 1995. All recipients, except the cable company, rejected the Impostor's applications for credit.

Andrews did not learn of these disclosures until May 31, 1995, when she sought to refinance her home mortgage and, in the process, received a copy of her credit report reflecting the Impostor's activity. Andrews conceded that TRW promptly corrected her file upon learning of its mistake. She alleged, however, that the blemishes on her report not only caused her inconvenience and emotional distress, they also forced her to abandon her refinancing efforts and settle for an alternative line of credit on less favorable terms.

On October 21, 1996, almost 17 months after she discovered the Impostor's fraudulent conduct and more than two years after TRW's first two disclosures, Andrews filed suit. Worsley, supra note 60, at 71.

[FN62]. Shoudt, supra note 10, at 349-50 (footnote omitted). Fifteen U.S.C. § 1681e(a) provides that "[n]o consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 1681b of this title." 15 U.S.C. 1681e(a) (2000).

Section 1681b authorizes certain limited conditions and circumstances under which a consumer's credit report may be produced to a third party, including the allowance that a credit reporting agency may furnish a consumer report "to a person which it has reason to believe ... intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished ...."

Shoudt, supra note 10, at 350 n.85 (omissions in original) (quoting 15 U.S.C. § 1681b(a)(3)(A) (2000)). Andrews claimed that the agencies had supplied her information for impermissible purposes under the Act, because their belief that she was in fact the consumer involved in the transactions was not reasonable. Id. at 350-51.

[FN63]. Andrews, 534 U.S. at 25. Therefore, Andrews claimed that TRW violated § 1681e(a) of the FCRA by its failure to employ reasonable verification procedures to prevent improper disclosures. Id.

[FN64]. Id. Andrews alleged that the defendants violated § 1681e(b), "which requires credit reporting agencies to 'follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates."' Shoudt, supra note 10, at 350-51 (quoting 15 U.S.C. § 1681e(b) (2000)).

[Specifically, Andrews] sought injunctive relief, punitive damages, and compensation for the 'expenditure of time and money, commercial impairment, inconvenience, embarrassment, humiliation and emotional distress' that TRW had allegedly inflicted upon her.

TRW moved for partial summary judgment arguing, inter alia, that the FCRA's statute of limitations had expired on Andrews' claims based on the July 25 and September 27, 1994 disclosures because both occurred more than two years before she brought suit. Andrews countered that her claims as to all four disclosures were timely because the limitations period did not commence until May 31, 1995, the date she learned of TRW's alleged wrongdoing.

Worsley, supra note 60, at 71. The district court granted partial summary judgment for the CRAs on Andrews' first claim of improper disclosures under § 1681e(a) of the FCRA based on the statute of limitations. Andrews v. Trans Union Corp., 7 F. Supp. 2d 1056, 1057 (C.D. Cal. 1998), aff'd in part and rev'd in part sub nom. Andrews v. TRW, Inc., 225 F.3d 1063 (9th Cir. 2000), rev'd, 534 U.S. 19 (2001). In granting summary judgment for the defendants, "the court reasoned that the existence of the exception in § 1681p -- applying the discovery rule when the defendant made a material and willful misrepresentation -- implied that Congress did not intend for the discovery rule to apply to all FCRA cases." Shoudt, supra note 10, at 352. On appeal, the Ninth Circuit reversed the district court's entry of partial summary judgment based on precedent holding that, as a general rule, "a federal statute of limitations begins to run when a party knows or has reason to know that she was injured." Andrews v. TRW Inc., 225 F.3d 1063, 1064, 1066 (9th Cir. 2000), rev'd, 534 U.S. 19 (2001).

[FN65]. The general discovery rule states that the statute of limitations will not run "until the plaintiff has in fact discovered that he has suffered injury, or by the exercise of reasonable diligence should have discovered it." W. PAGE KEETON ET AL., PROSSER AND KEETON ON THE LAW OF TORTS § 30 (W. Page Keeton ed., 5th ed. 1984). Most states, however, have enacted legislation limiting the time in which negligence claims can be brought. Id.

[FN66]. Andrews, 534 U.S. at 26. The Supreme Court granted certiorari to resolve the conflict between the Ninth Circuit's holding that § 1681p of the FCRA incorporates a general discovery rule and four other circuits, which concluded that a discovery exception other than that expressed by Congress may not be read into the Act. Id.

[FN67]. Worsley, supra note 60, at 71 (alterations in original) (quoting 15 U.S.C. § 1681p). The Court held that Andrews' case did not fall within the exceptional circumstances explicitly delineated in § 1681p in which discovery triggers the two-year statute of limitations. Id.

[FN68]. Andrews, 534 U.S. at 28. The Court further held that "beyond doubt, we have never endorsed the Ninth Circuit's view that Congress can convey its refusal to adopt a discovery rule only by explicit command, rather than by implication from the structure or text of the particular statute." Id. at 27-28.

Thus, even if the presumption identified by the Ninth Circuit exists, it would not apply to the FCRA, because the FCRA does not govern an area of law that cries out for application of a discovery rule and was not silent on the issue of when the statute of limitations begins to run.

Worsley, supra note 60, at 72. Additionally, the Court stated that the "most natural reading of § 1681p is that Congress implicitly excluded a general discovery rule by explicitly including a more limited one," and further that "incorporating a general discovery rule into section 1681p ... would in practical effect render that exception entirely superfluous in all but the most unusual circumstances." Andrews, 534 U.S. at 28-29.

[FN69]. Shoudt, supra note 10, at 345-46.

[FN70]. Id. at 356.

[FN71]. No. 00-0587-CV-W-1-EZF, 2001 WL 34079057 (W.D. Mo. Oct. 3, 2001).

[FN72]. Id. at *1. Smith's former employer, Joseph Wilkinson "had access to Smith's personal information" and "directed the bills to subsequently be sent to his business address." Id.

[FN73]. Id.

[FN74]. Id.

[FN75]. Id. at *2-3; see also 15 U.S.C. § 1681i(a)(1)(A) (2000). In addressing the bank's duty to investigate, the court stated that such a duty under § 1681 of the FCRA was not triggered, because Smith presented no evidence that he specifically notified consumer reporting agencies of his dispute. Smith, 2001 WL 34079057, at *3. Section 1681s-2(b)(1) of the FCRA addresses the responsibilities of banks that furnish information to CRAs stating: "After receiving notice ... of a dispute with regard to the completeness or accuracy of any information provided by a person to a consumer reporting agency, the person shall ... conduct an investigation with respect to the disputed information. 15 U.S.C. § 1681s-2(b)(1)(A) (2000). In holding that the defendants' duties to investigate were not triggered, the Smith court relied on precedent recognizing "the requirement that before a furnisher of information must investigate a dispute, the consumer must first notify the agency, who will then notify the furnisher of information." Smith, 2001 WL 34079057, at *3. The court held that Smith's negligence claim focusing on defendants' failure to conduct a proper investigation was outside the realm of the FCRA, and that "[e]ven if [it] was properly brought pursuant to the FCRA, the claim would fail." Id.

[FN76]. Smith, 2001 WL 34079057, at *3 (citations omitted).

[FN77]. Id. In response to Smith's claim that defendants were "negligent in opening a credit account in [his] name and in investigating disputes regarding liability for amounts due on the account." the Smith court relied on previous decisions with respect to duty, stating that courts have held that banks do not owe a duty of care to those persons who are not their customers. Id. at *2. Because Smith maintained in his deposition that he was not a customer of the defendant banks, and further failed to present evidence of a duty owed to him by defendants, the court held that Smith failed to state a claim for state law negligence. Id.

[FN78]. See, e.g., Polzer v. TRW, Inc., 682 N.Y.S.2d 194 (App. Div. 1998); Huggins v. Citibank, N.A., 585 S.E.2d 275 (S.C. 2003).

[FN79]. See, e.g., Polzer, 682 N.Y.S.2d at 195; Huggins, 585 S.E.2d at 276.

[FN80]. See Huggins, 585 S.E.2d at 277-78. One based its reasoning on the fact that "the relationship, if any, between credit card issuers and potential victims of identity theft is far too attenuated to rise to the level of a duty between them." Id. at 277.

[FN81]. Restatement (Second) of Torts § 282 (1965). The Restatement (Second) of Torts defines the elements of a cause of action for negligence as follows:
The actor is liable for an invasion of an interest of another, if: (a) the interest invaded is protected against unintentional invasion, and (b) the conduct of the actor is negligent with respect to the other, or a class of persons within which he is included, and (c) the actor's conduct is a legal cause of the invasion, and (d) the other has not so conducted himself as to disable himself from bringing an action for such invasion. Id. § 281.

[FN82]. Id. § 464. The term "actor" refers to anyone other than a child or an insane person. Id. The reasonable person is a "personification of a community ideal of reasonable behavior, determined by the jury's social judgment. The conduct of the reasonable person will vary with the situation with which he is confronted." KEETON ET AL., supra note 65, § 32.

[FN83]. Smith v. Citibank, N.A., No. 00-0587-CV-W-1-EZF, 2001 WL 34079057, at *2 (W.D. Mo. Oct. 3, 2001). More specifically, the traditional formula for the elements of negligence is: 1. A duty, or obligation, recognized by the law, requiring the person to conform to a certain standard of conduct, for the protection of others against unreasonable risks.
2. A failure on the person's part to conform to the standard required: a breach of the duty. These two elements go to make up what the courts usually have called negligence; but the term quite frequently is applied to the second alone. Thus it may be said that the defendant was negligent, but is not liable because he was under no duty to the plaintiff not to be.
3. A reasonably close causal connection between the conduct and the resulting injury. This is what is commonly known as "legal cause," or "proximate cause," and which includes the notion of cause in fact.
4. Actual loss or damage resulting to the interests of another. Since the action for negligence developed chiefly out of the old form of action on the case, it retained the rule of that action, that proof of damage was an essential part of the plaintiff's case. Nominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred. The threat of future harm, not yet realized, is not enough. Negligent conduct in itself is not such an interference with the interests of the world at large that there is any right to complain of it, or to be free from it, except in the case of some individual whose interests have suffered.
KEETON ET AL., supra note 65, § 30 (footnotes omitted).

[FN84]. KEETON ET AL., supra note 65, § 53.

[FN85]. Id.

[FN86]. Id. § 43.

[FN87]. Id. ("The limitation, in other words, is to foreseeable consequences, and liability is restricted to the scope of the original risk created, with the test of responsibility for the result identical with the test for negligence.").

[FN88]. See id. Negligence "necessarily involves a foreseeable risk, a threatened danger of injury, and conduct unreasonable in proportion to that danger." Id.

[FN89]. Id.

[FN90]. Id. § 32. However, the defendant may nevertheless stand in a "special relationship" with the plaintiff such that an obligation to investigate and obtain knowledge arises. See id. In other words, the defendant may be engaged in an activity, or stand in a relation to others, which imposes on him an obligation to investigate and find out, so that the person becomes liable not so much for being ignorant as for remaining ignorant; and this obligation may require a person to know at least enough to conduct an intelligent inquiry as to what he does not know. Id.

[FN91]. Id. § 43. In other words, "what the defendant could foresee is important in determining whether the defendant was negligent in the first instance, but not at all decisive in determining the extent of the consequences for which, once negligent, the defendant will be liable." Id. Prosser and Keeton further explain:
"If a person had no reasonable ground to anticipate that a particular act would or might result in any injury to anybody, then, of course, the act would not be negligent at all; but if the act itself is negligent, then the person guilty of it is equally liable for all its natural and proximate consequences, whether he could have foreseen them or not. Otherwise expressed, the law is that if the act is one which the party ought, in the exercise of ordinary care, to have anticipated was liable to result in injury to others, then he is liable for any injury proximately resulting from it, although he could not have anticipated the particular injury which did happen. Consequences which follow in unbroken sequence, without an intervening efficient cause, from the original negligent act, are natural and proximate, and for such consequences the original wrongdoer is responsible, even though he could not have foreseen the particular result which did follow." Id. n.82 (quoting Christianson v. Chi., St. Paul, Minneapolis & Omaha Ry. Co., 69 N.W. 640 (Minn. 1896)).

[FN92]. Id. § 43. Thus, the negligent defendant should be liable because his negligence caused the plaintiff's injury more so than did any act by the innocent plaintiff. See id.

[FN93]. Polzer v. TRW, Inc., 682 N.Y.S.2d 194 (App. Div. 1998).

[FN94]. See id. at 195. [Specifically, p]laintiffs had impeccable credit histories. The plaintiffs believed that their identities were stolen during the summer of 1994 by an imposter, who either copied, or obtained a copy of, a credit application they had submitted to a bank for a car loan. The imposter, armed with the plaintiffs' personal identification information, as well as all of their legitimate credit account numbers, quickly went to work changing their address at the plaintiffs' banks and at credit reporting agencies to an apartment in Manhattan. That change apparently was accepted by defendants without serious inquiry or requiring any proof that the plaintiffs had actually moved. The "fraud address" was then spread by three major credit reporting agencies, which sold their names and new addresses to other banks seeking to offer them pre-approved credit cards. Those offers were sent to the imposter at the fraud address and the imposter had more than enough information to complete the applications and obtain the credit cards. The imposter ran up $100,000 in fraudulent charges. The plaintiffs were alerted to the fraud by one of their banks which noticed a dramatically different spending pattern. The plaintiffs immediately closed all of their credit accounts and began to rebuild their credit files. Unfortunately, the credit reporting agencies continued to sell the plaintiffs' name coupled with the fraud address to other banks offering them credit. Worsley, supra note 60, at 72.

[FN95]. Worsley, supra note 60, at 72.

[FN96]. Polzer, 682 N.Y.S.2d at 195.

[FN97]. Worsley, supra note 60, at 72.

[FN98]. Polzer, 682 N.Y.S.2d at 195; see also supra note 77 (explaining the Smith court's holding that banks do not owe a duty to non-customers).

[FN99]. See Polzer, 682 N.Y.S.2d at 195.

[FN100]. 585 S.E.2d 275 (S.C. 2003).

[FN101]. Id. at 276. Huggins claimed that the impostor had applied for six credit cards in Huggins' name, which the banks issued, and the impostor used them for cash advances and purchases without making any payments. Shannon P. Duffy, Ballard Team Wins Major Identity Theft Case, LEGAL INTELLIGENCER, Aug. 12, 2003, WL 8/12/2003 TLI 3. As a result, Huggins was pursued by collection agencies. Id.

[FN102]. Huggins, 585 S.E.2d at 276; see also Trager, supra note 46 (stating that Huggins complained about the banks' lack of verification procedures). As evidence of his suffered damages, Huggins pointed to his damaged credit, hounding by collection agencies, personal distress and embarrassment, and the expense of much time and effort to resolve the damage. Huggins, 585 S.E.2d at 276.

[FN103]. Huggins, 585 S.E.2d at 276.

[FN104]. Id.

[FN105]. Id.

[FN106]. Id.

[FN107]. See id. at 276-78.

[FN108]. Id. at 277 & n.2.

[FN109]. Id. at 276.

[FN110]. Id. at 277 (quoting Hubbard v. Taylor, 529 S.E.2d 549, 552 (S.C. 2000)); see also KEETON ET AL., supra note 65, § 53. "[D]uty" is a question of whether the defendant is under any obligation for the benefit of the particular plaintiff; and in negligence cases, the duty is always the same -- to conform to the legal standard of reasonable conduct in the light of the apparent risk. What the defendant must do, or must not do, is a question of the standard of conduct required to satisfy the duty. Id.

[FN111]. Huggins, 585 S.E.2d at 277. The court went on to explain that the relationship between the parties must be "recognized by law as the foundation of a duty of care" for negligence liability to attach. Id.

[FN112]. Duffy, supra note 101.

[FN113]. Huggins, 585 S.E.2d at 277. "In the absence of a duty to prevent an injury, foreseeability of that injury is an insufficient basis on which to rest liability." Id. Indeed, the court explained that "[e]ven though it is foreseeable that injury may arise by the negligent issuance of a credit card, foreseeability alone does not give rise to a duty." Id. The court insisted that "[t]he concept of duty in tort liability will not be extended beyond reasonable limits." Id.

[FN114]. Id.

[FN115]. Id. The court went so far as to say that it was "certain that some identity theft could be prevented if credit card issuers carefully scrutinized credit card applications." Id. However, the court took comfort in the fact that "various state and national legislation provides at least some remedy for victims of credit card fraud." See id.

[FN116]. Id. at 278. In so holding, the court relied primarily on Polzer and Smith to determine that no duty exists between issuers of credit cards and those potential innocent individuals whose identities may be stolen. Id. at 277.

[FN117]. Preemption Provisions Hearings, supra note 4, at 482 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times).

[FN118]. See, e.g., Couch, supra note 6, at 592-97 (explaining that the FCRA does not adequately protect consumers from identity theft).

[FN119]. Preemption Provisions Hearings, supra note 4, at 482 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times). Evan Hendricks "was closely involved in the six-year process that resulted in the 1996 Amendments to the Fair Credit Reporting Act." Id. at 481. Hendricks further emphasized that the "unfortunate reality under the current system for many consumers who are victims of inaccurate credit reports and/or identity theft is that they can only force CRAs and furnishers to truly reinvestigate and correct errors by filing a lawsuit." Id. at 482.

[FN120]. STATEN & CATE, supra note 23, at 2.

[FN121]. Id. Staten and Cate further explain that a large part of the legislative balancing act undertaken in crafting the original FCRA was intended to foster accurate reports without discouraging reporting .... Consequently, over the past 32 years, Congress has been notably cautious about imposing new requirements on either [credit] bureaus or data furnishers without a clear indication of a problem that required legislative intervention. Id.
[FN122]. See id. at 21.

[FN123]. Senate Passes Bill, supra note 55, at 2263-64.

[FN124]. Id. at 2263.

[FN125]. Id.

[FN126]. Id. at 2263-64. Specifically the bill requires affiliates that exchange consumer information for market solicitation purposes to alert the consumer of such practice and allow the consumer to prohibit all solicitation for marketing purposes for a five-year period. The bill also directs the federal agencies to promulgate regulations limiting affiliate sharing of consumer information for solicitation purposes. With respect to the sharing of medical information, the bill would require specific affirmative consumer consent, or "opt-in," regarding the use and sharing of medical information by consumer reporting agencies for employment or insurance purposes. Id. at 2264.

[FN127]. Id. The article continues:
The bill mandates the promulgation of federal regulations to enhance the accuracy of consumer credit reports by requiring notice to any consumer receiving an extension or grant of credit based on a counter offer by the creditor on material terms, including interest rate, that are materially less favorable than the terms generally available from the creditor to consumers, based in whole or in part on a consumer report.

Consumer reporting agencies that determine, upon investigation, that information in a consumer's credit file was inaccurate, incomplete, or unverified would be obligated, promptly to delete or modify such information and notify the furnisher of the correction. The furnisher of the information would also have to take corrective action. Id.

[FN128]. See STATEN & CATE, supra note 23, at 21-24.

[FN129]. Pub. L. No. 108-159, 117 Stat 1952 (2003).

[FN130]. Prevention, CYBERCRIME L. REP., Jan. 12, 2004, WL 4 NO. 1 CYBERCRLR 1.
The act also enables consumers to place an alert on their credit files, and it requires credit reporting agencies to block potentially fraudulent information on consumer credit reports as soon as the consumer submits a police report. Finally, the act requires merchants to truncate account numbers on credit or debit card receipts to prevent identity thieves from accessing account information from discarded or stolen receipts. Id.

[FN131]. See Preemption Provisions Hearings, supra note 4, at 482 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times).

[FN132]. See supra note 48; see also Couch, supra note 6, at 587 ("[T]he Act expressly preempts state common law or statutory remedies, making the FCRA the sole recovery tool in actions within its scope.").

[FN133]. See Couch, supra note 6, at 587.

[FN134]. For example, § 1681s-2(a)(1)(A) of the FCRA "merely requires that creditors not furnish information that they know or consciously avoid knowing is inaccurate." Preemption Provisions Hearings, supra note 4, at 493 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times). Specifically, 15 U.S.C. § 1681s-2(a)(1)(A) states: "A person shall not furnish any information relating to a consumer to any consumer reporting agency if the person knows or consciously avoids knowing that the information is inaccurate." 15 U.S.C. § 1681s-2(a)(1)(A) (2000). Furthermore, 15 U.S.C. § 1681s-2(a)(1)(B) states that "[a] person shall not furnish information relating to a consumer to any consumer reporting agency if -- (i) the person has been notified by the consumer, at the address specified by the person for such notices, that specific information is inaccurate; and (ii) the information is in fact, inaccurate." Id. § 1681s-2(a)(1)(B). Moreover, 15 U.S.C. § 1681s-2(a)(2) states that a person who --
(A) regularly and in the ordinary course of business furnishes information to one or more consumer reporting agencies about the person's transactions or experiences with any consumer; and
(B) has furnished to a consumer reporting agency information that the person determines is not complete or accurate, shall promptly notify the consumer reporting agency of that determination and provide to the agency any corrections to that information, or any additional information, that is necessary to make the information provided by the person to the agency complete and accurate, and shall not thereafter furnish to the agency any of the information that remains not complete or accurate.

Id. § 1681s-2(a)(2) (2000). Finally, under § 1681s-2(b), customers can only enforce their own rights after "(1) they dispute the credit grantors' errors with the CRA, (2) the CRA communicates that dispute to the credit grantor, and, (3) the credit grantor reports the disputed inaccurate information again." Preemption Provisions Hearings, supra note 4, at 493 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times); see also 15 U.S.C. § 1681s-2(b) (2000).

[FN135]. See Sovern, supra note 23, at 401-02. Section 1681h(e) of the FCRA provides:
Except as otherwise provided in sections 1681n and 1681o of this title, no consumer may bring any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information against any consumer reporting agency, any user of information, or any person who furnishes information to a consumer reporting agency, based on information disclosed pursuant to section 1681g, 1681h, or 1681m of this title, or based on information disclosed by a user of a consumer report to or for a consumer against whom the user has taken adverse action, based in whole or in part on the report except as to false information furnished with malice or willful intent to injure such consumer. 15 U.S.C. § 1681h(e) (2000). Indeed, consumers rarely avoid this preclusion by showing that a firm acted with malice or willful intent to injure the consumer. Sovern, supra note 23, at 402-03; see id. at 402 n.250 (explaining that "[c]ourts have interpreted the word 'malice' in light of defamation law as meaning that the statement was made 'with knowledge that it was false or with reckless disregard of whether it was false or not"' (citation omitted)). "Some victims of identity thieves have found a way around the preemption by suing for malicious prosecution. But malicious prosecution is not an easy action to bring successfully, and, in any event, many consumer victims of identity theft are not the subject of prosecution." Id. at 402-03 (footnotes omitted).

[FN136]. See STATEN & CATE, supra note 23, at 21-24.

[FN137]. See supra note 52, for examples of state action designed to prevent identity theft.

[FN138]. See supra note 52.

[FN139]. See supra note 52.

[FN140]. Michael W. Perl, It's Not Always About the Money: Why the State Identity Theft Laws Fail To Adequately Address Criminal Record Identity Theft, 94 J. CRIM. L. & CRIMINOLOGY 169, 183 (2003).

[FN141]. Id. at 192.

[FN142]. 534 U.S. 19 (2001).

[FN143]. See id. at 22-23.

[FN144]. Id.

[FN145]. Stop Thieves from Stealing You, supra note 4, at 12.

[FN146]. Senate Passes Bill, supra note 55, at 2263.

[FN147]. Perl, supra note 140, at 194.

[FN148]. No. 00-0587-CV-W-1-EZF, 2001 WL 34079057 (W.D. Mo. Oct. 3, 2001).

[FN149]. Id. at *3.

[FN150]. Section 1681s-2(b)(1) addressing the responsibilities of furnishers of information to CRAs provides "After receiving notice pursuant to section 1681(a)(2) of this title of a dispute with regard to the completeness or accuracy of any information provided by a person to a consumer reporting agency, the person shall ... conduct an investigation with respect to the information." 15 U.S.C. § 1681s-2(b)(1)(A) (2000).

[FN151]. See id. § 1681i(a)(2)(A) (providing that within five days after "a consumer reporting agency receives notice of a dispute from any consumer in accordance with section 1681i(a)(1), the agency shall provide" notice to the furnisher of information). However, § 1681i(a)(1) requires that the consumer must notify the agency directly of a dispute. Id. § 1681i(a)(1).

[FN152]. STATEN & CATE, supra note 23, at 21-22.

[FN153]. See Preemption Provisions Hearings, supra note 4, at 481-82 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times) (arguing that the current approach is inadequate). But cf. STATEN & CATE, supra note 23, at 21-24.

[FN154]. Preemption Provisions Hearings, supra note 4, at 493 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times). In practice, the national standards have proven ineffective because they create too many hoops through which consumers must jump before simple errors can be corrected. Id.

[FN155]. See, e.g., Huggins v. Citibank, N.A., 585 S.E.2d 275 (S.C. 2003).

[FN156]. See KEETON ET AL., supra note 65, § 43.

[FN157]. 682 N.Y.S.2d 194 (App. Div. 1998).

[FN158]. See Worsley, supra note 60, at 72. The Polzer court admitted that the banks could have "easily and inexpensively" taken steps to confirm the credit applicant's identity. Id.

[FN159]. Sovern, supra note 23, at 405.
If credit reporting agencies and creditors were liable for the losses caused when they report the transactions of identity thieves as the transactions of consumer victims, they would have greater incentives to take steps to prevent identity theft.
....
... At present, creditors are liable under the FCRA for misreporting information only in one of two situations: when they furnish information to a credit reporting agency knowing, or consciously avoiding knowing, that the information is inaccurate; or when they have been notified by the consumer of the erroneous information and the information is in fact inaccurate .... The FCRA thus offers too much protection to creditors and insulates them from the effects of reporting erroneous information. The result is that creditors have little incentive to make sure that their reports are accurate. Id. at 405-06.

[FN160]. See KEETON ET AL., supra note 65, § 43.

[FN161]. 15 U.S.C. § 1681e(b) (2000); see also Sovern, supra note 23, at 405-06 (arguing that "credit reporting agencies, which currently are liable only when they fail to follow reasonable procedures to assure maximum possible accuracy -- which seems to mean no more than ordinary negligence -- should be made strictly liable for attributing the transactions of identity thieves to innocent consumers").

[FN162]. Sovern, supra note 23, at 390 (stating that "credit bureaus that attribute the conduct of an identity thief to someone else are immune from liability under the statute provided they acted as a reasonably prudent person would").

[FN163]. 585 S.E.2d 275 (S.C. 2003).

[FN164]. Id. at 277.

[FN165]. See id.

[FN166]. Id.

[FN167]. See Sovern, supra note 23, at 384. With reforms that hold creditors and CRAs more liable, "[t]he cost of credit may increase slightly, but to the hundreds of thousands of victims of identity theft each year it will be a cost worth paying." Id. at 406.

[FN168]. See KEETON ET AL., supra note 65, § 43.

[FN169]. The Act merely "places burdens on those in positions of reporting, compiling and using information" that are "reasonable under the circumstances" and "necessary to meet the goals of the Act." Couch, supra note 6, at 597.

[FN170]. See 15 U.S.C. § 1681s-2(a)(1)(A) (2000) ("A person shall not furnish any information relating to any consumer reporting agency if the person knows or consciously avoids knowing that the information is inaccurate.").

[FN171]. Where a user or CRA does not willfully or negligently disregard the requirements of the Act, the Act "effectively shifts the burden of identity theft to ... defenseless consumers." Couch, supra note 6, at 593.

[FN172]. See STATEN & CATE, supra note 23, at 22-23.

[FN173]. Indeed, the Andrews Court "focused not on the burden to the credit reporting agencies, but on the overall reasonableness of their procedures in light of the specific facts of the case." Couch, supra note 6, at 595.

[FN174]. Preemption Provisions Hearing, supra note 4, at 482 (testimony of Evan Hendricks, Editor/Publisher, Privacy Times).

[FN175]. By requiring that CRAs do not willfully disregard the Act's requirements, the burden is shifted from them to the consumers. Couch, supra note 6, at 593.

[FN176]. STATEN & CATE, supra note 23, at 21.

[FN177]. See id. Indeed, "the consumer is the only person who knows the true credit history which the credit file attempts to describe." Id.

[FN178]. See id.

[FN179]. See id. at 23.

[FN180]. See id. at 22. "Essentially, the FCRA designates the consumer as the 'quality-control' inspector with the authority to mandate reinvestigation (and alert potential purchasers) of credit information when errors are detected." Id.

[FN181]. Indeed, the users and reporters of consumer financial information are in the best position to carry "the burden of following 'reasonable procedures' to ensure use for 'permissible purposes' aimed at 'maximum possible accuracy"' identified in the Act. Couch, supra note 6, at 597.

[FN182]. See supra note 52.

[FN183]. See supra note 52.

[FN184]. See 15 U.S.C. § 1681i(a)(1)(A) (2000) (requiring the consumer to notify the CRA directly of the dispute).

[FN185]. Under the current system, a CRA must verify or delete disputed information from a consumer's file within thirty days of the consumer's notification. Id. The reporting agency must notify the furnisher of the disputed information within five business days of receiving such notice, and the furnisher must either verify or correct the information furnished to the reporting agency. Id. § 1681i(a)(2)(A), (5)(A). Although the consumer should theoretically rest assured that the information will either be removed or proven correct within thirty days of notification, the process nonetheless remains a comprehensive scheme too detailed for the average consumer to fully comprehend.

[FN186]. Contra, e.g., Smith v. Citibank, N.A., No. 00-0587-CV-W-1-EZF, 2001 WL 34079057, at *3 (W.D. Mo. Oct. 3, 2001). The court said that the claim would have failed because the plaintiff neglected to notify the agency directly of a dispute pursuant § 1681i(a)(1) of the Act, and thus the CRA's duty to investigate was not triggered. Id.

[FN187]. See Couch, supra note 6, at 597.

[FN188]. See 15 U.S.C. § 1681p (2000). Section 1681p provides that any enforcement action must be brought within two years from the date on which the liability arises, except that where a defendant has ... willfully misrepresented any information required under [the FCRA] to be disclosed to [the plaintiff] and the information ... is material to [a claim brought under the FCRA], the action may be brought within two years after [the plaintiff's] discovery of the misrepresentation.
Id.; see also Preemption Provisions Hearings, supra note 4, at 194 (statement of Michael W. Naylor, Director of Advocacy, AARP).

[FN189]. S. 1723, 107th Cong. § 2 (2001). House Bill 3387 suggested inserting "before the end of the 3-year period beginning on the date by which the violation giving rise to the liability is discovered or reasonably should been discovered by the consumer." H.R. 3387, 107th Cong. § 2 (2001).

[FN190]. As one commentator noted, the language "liability arises" from § 1681p does not foreclose use of the discovery rule, and the most logical interpretation is that liability arises when the potential plaintiff first learns of the violation. This proposition is clearly supported by the legislative history of § 1681p, which demonstrates that the Supreme Court's interpretation in Andrews is contrary to congressional intent.

Latasha D. McDade, Note, Data Rape: Assault by an Unknown Predator -- The Supreme Court Went Wrong in TRW, Inc. v. Andrews, 45 S. TEX. L. REV. 395, 416 (2004). Nonetheless, the Andrews Court prevented recovery because the narrow two-year statute of limitations had run. TRW Inc. v. Andrews, 534 U.S. 19, 22-23 (2001).

[FN191]. See Andrews, 534 U.S. at 23-24.

[FN192]. See Couch, supra note 6, at 593.

[FN193]. See id.

[FN194]. See, e.g., Huggins v. Citibank, N.A., 585 S.E.2d 275, 277 (S.C. 2003).

[FN195]. See supra Part II.B (discussing the obstacles that identity theft victims face).

[FN196]. See supra Part II.B.

[FN197]. Huggins, 585 S.E.2d at 277.

[FN198]. See supra Part II.C.

[FN199]. See Couch, supra note 6, at 593 (stating that the outcome of the FCRA is flawed because of its failure to effectively address the burden of avoiding identity theft).

[FN200]. Cf. id. (pointing out that CRAs are only liable when they act willfully). The CRAs and users of credit reports can avoid the damages of identity theft through heightened controls. Id.

[FN201]. See id.

[FN202]. See supra Part II.C (discussing cases in which courts have failed to recognize a duty).

[FN203]. See supra Part II.C.

[FN204]. Worsley, supra note 60, at 72.

[FN205]. See supra Part II.C.

[FN206]. See Fighting Identity Theft Hearing, supra note 2. 		 
Home | Free Case Review | Debt & Your Rights | Credit Report Mistakes | ID Theft & Your Credit | Attorney Profiles | Contact Us
© Attorneys for Consumers | Disclaimer | Privacy
OFFICE VISITS ARE BY APPOINTMENT ONLY PLEASE  -  CALL 866-775-3666
 
Arizona Office
Corporate Headquarters
3737 North 7th Street, Suite 125
Phoenix, AZ 85104
Toll Free: 866-775-3666
We Practice Statewide		 California Office
6455 Pyrus Pl.
Carlsbad CA 92011
Toll Free: 866-775-3666
We Practice Statewide		 Colorado Office
30752 Southview Drive, Ste. 150
Evergreen, CO 80439
Toll Free: 866-775-3666
We Practice Statewide		 Florida Office
9369 Sheridan Street, #656
Cooper City, FL 33024
Toll Free: 866-775-3666
We Practice Statewide
 
Chicago Office
205 N. Michigan Ave.
40th Floor
Chicago IL 60601
Toll Free: 866-775-3666
We Practice Statewide		 Oklahoma Office
433 W. Wilshire, Ste. A
Oklahoma City, OK 73116
Toll Free: 866-775-3666
We Practice Statewide		 New Mexico Office
1216 Indiana St. NE
Albuquerque, NM 87110
Toll Free: 866-775-3666
We Practice Statewide		 Oregon Office
Corporate Headquarters
3737 North 7th Street, Suite 125
Phoenix, AZ 85104
Toll Free: 866-775-3666
We Practice Statewide
 
Texas Office
4510 Bull Creek Road
Austin, TX 78731
Toll Free: 866-775-3666
We Practice Statewide		 Washington Office
3877 N. Deer Lake Rd.
Loon Lake, WA 99148
Toll Free: 866-775-3666
We Practice Statewide