In a new and critical ruling, the Eleventh Circuit Court of Appeals just held that business has a “legitimate business need” to pull a credit report any time it is responding directly to a consumer-initiated request—even if that consumer is not who he purports to be.  This ruling provides a much needed clarification to one of the Fair Credit Reporting Act’s (“FCRA”) most often used permissible purposes,  “legitimate business need.”

In Domante v. Dish Networks, L.L.C., No. 19-11100, 2020 U.S. App. LEXIS 28682, at *7-8 (11th Cir. Sept. 9, 2020), the Eleventh Circuit affirmed summary judgment for a satellite TV provider, finding that it had a “legitimate business need” for obtaining a consumer report to verify the identity of a person applying for satellite TV services.  This case, however, was not the first time the parties had encountered one another.  Prior to this suit, the plaintiff (a repeat victim of identity theft) and the defendant had settled a previous lawsuit stemming from the fraudulent use of the plaintiff’s identity to open an account with the defendant.  Pursuant to that settlement, the defendant agreed to flag any future applications using the plaintiff’s identity—specifically, the plaintiff’s first and last names, date of birth, and Social Security number—and preclude opening an account in plaintiff’s name.

Several years later, in the events that prompted this suit, someone attempted to fraudulently register for satellite TV services using a limited amount of the plaintiff’s personal information.  Specifically, the applicant provided only the last four digits of the plaintiff’s Social Security number, her date of birth, and her first name.  The applicant provided a different last name, address, and phone number.  The defendant’s automated system submitted this information to a consumer reporting agency, which matched the applicant’s information to the plaintiff’s information and returned to the defendant a consumer report for the plaintiff.  Upon receipt of the report and after realizing this connection, the defendant rejected the fraudulent application and requested that the consumer reporting agency delete the credit inquiry it made for the plaintiff.

In affirming summary judgment that the defendant did not violate the FCRA, the Eleventh Circuit followed the Sixth Circuit’s lead in Bickley v. Dish Networks, LLC, 751 F.3d 724 (6th Cir. 2014).  In Bickley, the Sixth Circuit affirmed summary judgment for the same on a similar factual pattern:  the defendant had requested a consumer report for that plaintiff after receiving a fraudulent application.  Upon receiving the report, the defendant detected that the application was fraudulent and cancelled it.  The Sixth Circuit found that the defendant had a “legitimate business need” for obtaining the consumer report, which was “verifying the identity of a customer and assessing his eligibility for a service.”

The Eleventh Circuit found that the defendant had a “legitimate business need” because a consumer (the fraudulent applicant) initiated the transaction.  In doing so, the court rejected the plaintiff’s argument that the defendant did not have a “legitimate business need” due to its requirement under the settlement agreement to deny any future applications using the plaintiff’s information.  The court observed that at the time of the application, the applicant did not provide sufficient information such that the defendant would be aware of what was occurring.  The applicant provided only a first name, the last four digits of a Social Security number, and a date of birth.  He did not provide the correct last name or a complete Social Security number.  The defendant required the information presented in the consumer report to realize that the pending application was fraudulent and involved the plaintiff.

Domante has a few takeaways.  First, in what may be a prelude for cases to come, the court stated in a footnote that the FCRA does not require a user of consumer reports to “confirm beyond doubt” the identity of potential consumers prior to requesting a consumer report.  With the issue of what constitutes a “legitimate business need” picking up within the circuits, courts may find themselves determining whether the FCRA requires a certain level of due diligence prior to requesting a consumer report.  Second, the consumer initiating a request does not necessarily have to be the person he purports himself to be in order for the user to have a permissible purpose under the FCRA.  Missing from the court’s opinion is any indication that the identity of the consumer for purposes of a consumer-initiated transaction was relevant to the outcome.  Given the hodgepodge of information fraudulent consumers may supply, Domante suggests that users of consumer reports do not face increased liability under these circumstances.