Privacy & Cybersecurity Law Blog

On April 9, 2014, the Federal Trade Commission announced settlements with two data brokers, Instant Checkmate, Inc. (“Instant Checkmate”) and InfoTrack Information Services, Inc. (“InfoTrack”), which sell public record information about consumers. The settlements stem from allegations that Instant Checkmate and InfoTrack violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the FTC asserts that the companies violated the FCRA by “providing reports about consumers to users such as prospective employers and landlords without taking reasonable steps to make sure that they were accurate, or without making sure their users had a permissible reason to have them.”

In its complaint against Instant Checkmate, the FTC alleged that, although Instant Checkmate included disclaimers on its website stating that it is not a consumer reporting agency (“CRA”), Instant Checkmate has operated as a CRA because it promoted its consumer reports to users for use in determining eligibility for employment and housing. According to the complaint, Instant Checkmate failed to maintain reasonable procedures to limit the furnishing of consumer reports to the permissible purposes under Section 604 of the FCRA. In addition, Instant Checkmate purportedly failed to (1) follow any reasonable procedures to assure maximum possible accuracy of the information in its reports, and (2) provide the requisite “User Notice” to its clients who purchased consumer reports. Pursuant to the FCRA, a court may award monetary civil penalties of up to $3,500 for each knowing violation of the FCRA.

The consent order, filed in the United States District Court for the Southern District of California, requires Instant Checkmate to:

• pay $525,000 to the U.S. Treasurer as a civil penalty;
• refrain from violating relevant provisions of the FCRA;
• submit a compliance report to the FTC within one year;
• notify the FTC of any changes in its structure that may affect its compliance with the settlement for three years;
• create and maintain certain records (e.g., accounting and personnel records as well as consumer complaints and training materials) for three years; and
• submit compliance reports to the FTC upon request.

In its complaint against InfoTrack, the FTC similarly alleged various violations of the FCRA, including failure to follow reasonable procedures to assure maximum possible accuracy of the consumer reports and to provide “User Notice” and “Furnisher Notice” as required by the FCRA. Specifically, the complaint asserts that InfoTrack’s practices resulted in furnishing consumer reports to employers that included National Sex Offender Registry records of individuals who were not the subject of the inquiry, which led to denied employment opportunities in some instances.

The consent order, filed in the United States District Court for the Northern District of Illinois, includes requirements that InfoTrack:

• pay $1 million to the U.S. Treasurer as a civil penalty (of which InfoTrack is required to pay only $60,000 as the rest of the penalty is suspended premised on the financial statements of InfoTrack and its corporate officer);
• within 60 days, notify each consumer who was the subject of a consumer report that included the National Sex Offender Registry records of more than one individual;
• refrain from violating relevant provisions of the FCRA;
• submit a compliance report to the FTC within one year;
• notify the FTC of any changes in its structure that may affect its compliance with the settlement for 20 years;
• create certain records (e.g., accounting and personnel records as well as consumer complaints and training materials) for 20 years and maintain such records for five years; and
• submit compliance reports to the FTC upon request.