Epic Poem: Financial Data Privacy & the Quest for Justice

FCRA The Balancing Act Between Fairness, Accuracy, and Privacy

History & Legislative Intent

According to the Fair Credit Reporting Act and the Privacy of your Credit Report, from the Electronic Privacy Information Center, (EPICthe Fair Credit Reporting Act, 15 USC § 1681, (FCRA) or Public Law №91–508, (1970) was the first law enacted to regulate the use of personal information by private businesses. The interesting history of the Credit Reporting Agency is detailed in the article above, but bears similarities to the changes in the Energy Policy that came out of the stock market crash of 1929 and resulting Great Depression, mainly addressing the monopolization by of the handful of Holding Companies, and the control they exerted, but that is another article.

The original Credit Bureau, Retail Credit Co, began in 1899, and now is known as Equifax. Retail Credit Co. (AKA Equifax) sold ‘reports’ to employers and issuers of credit. By the late 1960’s, corruption was increasingly and undeniably evident in the data collection processes. These reports contained details about an individual’s drinking preferences and sexual orientation, elements that had no bearing on credit, and in many cases were merely blatant misrepresentations.

Sadly, these data concerns are nothing new. Back in the 1960’s investigators were caught attempting to fulfill their ‘negatives’ quota with personal and inappropriate information. These reports compiled into dossiers were ripe with inaccurate and incomplete information. By the 1970’s, Congress stepped in to regulate. But, that did not stop this abuse of law, there have been ongoing issues with ‘compliance.’

The FCRA was created to promote accurate information through both fairness and privacy of all consumer report files. Consumers have the right to easily discuss and resolve inaccuracies in their credit files. On September 1997, Congress amended the FCRA to require Experian, Equifax and Trans Union to provide consumers who desired to discuss with a toll-free number during normal business hours.

Yet, there still seems to be issues with compliance. As recent as Jan. 2000, the three Credit Report Agencies, (CRAs) paid 2.5 million dollars to settle a case before the Federal Trade Commission (FTC) in violation of the FCRA. This settlement addressed the failure to allow consumers to contact the three CRA’s (Equifax, Experian, & Transunion), and discuss their files during ‘normal business hours’ and at no expense through the use of a toll-free number, a regulation found in §609(c)(1)(B). The settlement enforced this compliance.According to an FTC Press Release, Nation’s Big Three Consumer Reporting Agencies Agree To Pay $2.5 Million To Settle FTC Charges of Violating Fair Credit Reporting Act. (2000). Federal Trade Commission

The complaints and proposed settlements were filed in U.S. District Courts in Illinois, Georgia, and Texas earlier today by the Department of Justice on behalf of the FTC. The Commission vote to refer the matters to DOJ for filing was 4–0, with Commissioner Sheila F. Anthony recused.

A full list of complaints and proposed settlements are listed on the FTC Website. In 2003, Equifax was again non compliant and was found in violation of the Consent Decree listed above. The Company was ordered to pay an additional $250,000, per Equifax to Pay $250,000 to Settle Charges. (2003).

In 2003, the FACTA was passed amending the FCRA, ‘improving’ the law. However, once again, the ‘protections,’ are anything but comprehensive and can be easily circumvented with a landslide of disclosures and forms. One of the most distressing aspects of using this antiquated system of questionable data efficacy is the extent to which it touches the lives of every American, and yet, most do not even realize they do in fact, have rights.

Dirty Little Secrets The Untouchables: Black Data Boxes

While I thought I had a clear understanding of the FACTA, the evolved FCRA; I did not. For example, reminiscent of the 1950’s, the CRA’s can also compile a dossier on individuals they choose to, these are known as ‘Investigative Consumer Reports’ (ICR). ICR’s are created from your ‘acquaintances of business or personal nature’ These are afforded greater protection under FACTA. However, the mere fact that this exists, seriously erodes the little faith I had left in the American Credit system. There are numerous situations that this could be exploited just as it had been prior to the passage of FCRA.

Then, there is a little issue that arose in 2003, the manipulation around the FCRA, according to Frontline, in Citibank’s testimony before the U.S. Senate Banking Committee, June 2003 defending a misuse of information via a secret ‘affiliate’ score to determine eligibility for credit, supplementing FICO. While Citibank felt this was perfectly appropriate, Ed Mierzwinski of U.S. PIRG, cite this as using

“Black box databases.”

Further citing,

“Sharing information with affiliates is simply not fair, because consumers have no access, knowledge of, or control over the use of their information…Consumers should have the right to look at their file and to dispute the file…”

(As they do under the FACTA) While this appears to be a violation as it parallels the types of information covered under the FCRA and FACTA, this supplement is not a ‘protected report,’ currently, see 15 USC § 1681.

“These large banks are using consumer information to create unregulated databases. It could be used to redline people — and they wouldn’t even know about it…”

The company continued, citing that by sharing credit the information with its affiliates “largely reduced errors and “the burden” on customers to provide documentation to their bank’s affiliates.

Yet, opponents such as Evan Hendricks, of Privacy Times, disagree.

‘“The fact of the matter is, we don’t know exactly what such companies are doing. This is a very murky area,” Hendricks says. He says the Citigroup testimony was the first time that the sharing of “insider scores” with affiliates was acknowledged by the industry. Hendricks calls it an aggressive use of personal information that does not comport with fair information practices. “If people don’t have access [to their information], that’s going to breed inaccuracies.”’

The problems with credit reports do not stop there. Employers also use these, in albeit ‘compliant’ ways.

Employer Provisions

The Employer interpretations document was eye-opening. While the FCRA is supposedly there to protect the employees and employers alike, it fails to do so; but rather, it offers simple disclosures as a way to circumvent the protections afforded.

In a competitive job market, and with complications that surround identity theft, coupled with the lack of actual reparations or remedy available, these reports should be considered with grave caution; but, they again, are not. The notion that these reports represent anything resembling consent is laughable, because they are actually nothing short of mandatory, in other words, they are not a choice for the employment seeker.

From the ’defined permissible purposes,’ see FCRA §604 of which, Employment purposes are listed among many others. This then, triggers a myriad of forms to document the ‘adherence and or compliance.’ including but not limited to, all background checks, not only Credit Reporting. Applicants must consent and be given the following, Background Disclosure and Authorization (“D&A”) form (signed and returned by the applicant), and a Summary of Rights Under the FCRA.

Yet, again, I make the argument if you are in need of employment, there is little if any element of choice. The process of disclosures and compliance may add additional paper trails to Human Resources Processes, but they do little for the employee themselves, as cited in 14 Duq. Bus. L.J. 165, 166 (2012), 25% of Americans credit reports contain errors, some more egregious than others.

Form-Nation

This is a biased process which lacks efficacy and spawns a business niche in the fraudulent and deceptive world of ‘credit repair,’ many whom prey upon victims of Identity fraud who desperately seek assistance to deal with the overwhelming burden that identity theft places on its victims. Credit repair is a $4 Billion industry.

While the Employer processes contain a variety of forms that are explained throughout ‘The Accurate, Whitepaper,’ they do little to address the public health hazard that is represented in the prevalence of identity theft.

Some of the forms needed for compliance are the Pre-Adverse action letter, which, in addition to a full copy of the Background Report, must include a Summary of Consumer Rights under the FCRA. Information regarding the hiring decision is not disclosed here. This is a simple way to cover the employer through disclosure of rights and the coordinating consents required, including your right to refuse. But, again, given the amount of PII (Personally Identifiable Information) data that is breached annually, this measure lacks efficacy, and is just another superfluous requirement.

Upon the Adverse Action Decision, should you choose not to extend employment, there are more forms designed to ‘protect’ the employee. Some are designed to look for accurate information, yet most are designed to offer another form to document the ‘fairness’ of the process. These requirements serve little, if any, protections and are an additional boxes on the list of compliance checklist that must be ticked. They do not create any substantive protections that cannot be easily circumvented via disclosure.

From the breaches that abound, to the matters of Family law and the permissible character in which spouses may misuse the law, because they can. The FACTA has very severe, if not tragic flaws. This Federal law protects your privacy, but does it?

A summary of your rights under the United States Code, is listed below, See 15 USC § 1681. Just as with last week’s discussion of privacy, Privacy Law in 60 Seconds, the terms are ambiguous at best, add in the “Affiliate Dossiers.’ and we could be right back to the corruption laden 1960’s.

Taken from: Privacy Law in 60 Seconds

Privacy Rights Under FCRA

1. The right of an Adverse Decision Letter Notification
2. Consumer disclosure, or the right to know what is in your file under certain qualifying criteria
3. The right to request a credit score
4. The right to dispute incomplete or inaccurate information
5. The right to require consumer reporting agencies to correct or delete inaccurate, incomplete, or unverifiable information
6. The right to privacy; access to your information is limited
7. The right to give or deny consent for such
8. The right to opt out of prescreened offers
9. The right to sue for damages

FCRA v. FACT

The FCRA was amended in 2003 to address the issues of identity fraud. According to Lexis Nexis, the differences between the two revolve around their legislative intent.

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the FCRA in numerous respects. It is designed to prevent identity theft and to allow consumers greater access to their consumer files than initially provided by the FCRA.

The FACT Act also sets new standards about what can be included in a consumer report and modifies, in part, the process by which consumer disputes are handled.

Un-Winning — Score of Bias AKA Pay Per Play

Credit scores use the Fair Issac Credit Algorithm, a proprietary measure by the Fair Issac Corporation, which quantifies your creditworthiness via a multi-variant model. There are several FICO scores; some are easier to project than others.

For example, the mortgage score is the most difficult to forecast; needing a highly coveted code to be inserted prior. While the legislative intent of the FCRA is clear, a phrase that demonstrates its ineffectiveness, as a function of the social measure it is currently used for is noted by Donald Campbell,

“The more any quantitative social indicator is used for social decision-making, the more subject it will be to corruption pressures and the more apt it will be to distort and corrupt the social processes it is intended to monitor.”

This statement is found to be devastatingly true when you look at the ‘Credit Repair,’ and ‘Credit Monitoring’ entities that collectively represent a multi-billion dollar industry according to the Industry Research from the Industry Insider Report

While consumers desire to remain safe, is this a pay per play in the realm of safety, truly fair?

According to both Kiplinger’s and the Privacy Rights Clearinghouse, the answer is a resounding, NO! While the quandary represents an interesting catch-22, there is a solution, the Blockchain. The threat is real, the market to exploit and capitalize is equally as real. See Senator Elizabeth Warren’s statements on Equifax profiting from their own data breach.

Mr. Smith Goes to Washington: The Congressional Hearing of Equifax.

“Fraud is a huge opportunity for us; it is a massive growing business for us.” — Mr. Richard Smith

According to Kiplinger’s interview with Paul Stephens, from Privacy Rights Clearinghouse,

“We don’t feel that credit-monitoring services are worth it,”

Stephens points out that putting a fraud alert on your account entitles you to a free copy of your credit report from each of the three credit bureaus every 90 days. Add in the free annual reports you can get from each bureau at www.annualcreditreport.com, and you’re entitled to 15 free credit reports every year.

And if you really want protection, says Stephens, the best thing you can do is limit access to your credit report with a security freeze.

Placing a freeze on your credit file is annoying, but it beats the latter, and with the payout of 100’s of hours tracking down documents for a payout of near $50.00, and yet the liability of irreparable harm, it makes fiduciary sense as well. According to Business Insider, Freezing your credit after the Equifax breach won’t prevent the most common type of identity theft — here’s what will

A 2015 data breach at the health-insurance company Anthem exposed the personal information, including Social Security numbers, of 80 million people. A class-action lawsuit was settled this summer, awarding up to $50 to each person who was affected. Last year, 4.2 billion personal records were stolen. If someone wants your data, it’s probably already out there.

The vast majority of identity theft victims — 86% in 2014 — have problems with a current account, such as a credit card of bank account, according to BJS data (Bureau of Justice Statistics). Freezing your credit won’t prevent that type of crime.

It would be interesting to see if Americans feel the same after the Equifax Breach of 2017, as that has cast a much larger light on the vulnerability thereof. Therefore, with the prevalence of data breach, Equifax profiting off of such, and the American consumer left to foot the bill, these regulations have crossed the line of ineffectiveness, and the FCRA has become an inappropriate tool of protection, it now is one that reinforces bias.

While the need to mitigate risk is clear, Campbell’s statement rings true, as evidenced by a report citing that 25% of Americans have errors in their credit report, and subsequently pay more for credit extension, couple this with employment, and insurance and the flaws of centralization outweigh the benefits of risk.

Blockchain Will Ensure Effective Data Management

Just like countless other fields will be revolutionized through implementation of Blockchain technologies, so too will the Data issues that surround the failures discussed. Our privacy is far too precious a commodity to allow anything less.

The Data Privacy and Breach prevalence are a public health crisis. By using distributive ledger technology, there is not a single point of failure. Add in the other elements of transparency and trust through the immutable record and you soon have a solution that mitigates risk and yet, ensures data privacy. One example is Big Data Block, for responsible data storage on the Blockchain.

Resources Consulted

15 USC 1681b: Permissible purposes of consumer reports. (2018). Uscode.house.gov. Retrieved 10 July 2018, from http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title15-section1681b&num=0&edition=prelim

(2018). Nymag.com. Retrieved 9 July 2018, from http://nymag.com/selectall/2018/03/equifax-identifies-2-4-million-hack-victims-in-data-breach.html

Cole, L. (2018). Freezing your credit after the Equifax breach won’t prevent the most common type of identity theft — here’s what will. Business Insider. Retrieved 9 July 2018, from http://www.businessinsider.com/equifax-breach-credit-freeze-prevent-identity-theft-2017-9

Credit Repair Services (US) — Industry Research Reports | IBISWorld . (2018). Ibisworld.com. Retrieved 10 July 2018, from https://www.ibisworld.com/industry-trends/specialized-market-research-reports/advisory-financial-services/intermediaries/credit-repair-services.html

EPIC (2018). EPIC — The Fair Credit Reporting Act (FCRA) and the Privacy of Your Credit Report. Epic.org. Retrieved 9July 2018, from https://epic.org/privacy/fcra/#introduction

“EQUIFAX IS MAKING MONEY OFF ITS OWN SCREWUP!!!” Elizabeth Warren DESTROYS Equifax’s Ex-CEO. (2018). YouTube. Retrieved 10 July 2018, from https://www.youtube.com/watch?v=aWsnAmhUoHE&feature=youtu.be

Equifax to Pay $250,000 to Settle Charges. (2003). Federal Trade Commission. Retrieved 9 July 2018, from https://www.ftc.gov/news-events/press-releases/2003/07/equifax-pay-250000-settle-charges

Meredith Schramm-Strosser, The “Not So” Fair Credit Reporting Act: Federal Preemption, Injunctive Relief, and the Need to Return Remedies for Common Law Defamation to the States, 14 Duq. Bus. L.J. 165, 166 (2012)

Nation’s Big Three Consumer Reporting Agencies Agree To Pay $2.5 Million To Settle FTC Charges of Violating Fair Credit Reporting Act. (2000). Federal Trade Commission. Retrieved 9 July 2018, from https://www.ftc.gov/news-events/press-releases/2000/01/nations-big-three-consumer-reporting-agencies-agree-pay-25

Personal Finance News, Investing Advice, Business Forecasts-Kiplinger. (2018). Kiplinger.com.Retrieved 9 July 2018, from https://www.kiplinger.com/article/spending/T048-C000-S002-paying-for-id-theft-protection-is-not-necessary.html

Privacy Law in 60 Seconds. (2018). YouTube. Retrieved 9 July 2018, from https://www.youtube.com/watch?v=mlpZS5xfdk0&feature=youtu.be

Secret History Of The Credit Card — More To Explore | FRONTLINE | PBS. (2018). Pbs.org. Retrieved 9 July 2018, from https://www.pbs.org/wgbh/pages/frontline

What is the difference between FACT Act and FCRA?. (2018). Personalreports.custhelp.com. Retrieved 17 July 2018, from https://personalreports.custhelp.com/app/answers/detail/a_id/3112/~/what-is-the-difference-between-fact-act-and-fcra%3F