Trust but Verify? Liability for Engaging in Transactions with an Identity Thief
After a data breach, consumers often sue to recover for injuries they suffer, or fear they will suffer, when identity thieves use the stolen data. These suits usually target the company that suffered the data breach.
But can a company that allows an identity thief to make purchases or apply for credit in a consumer’s name using the stolen data also be subject to suit?
The U.S. District Court for the Eastern District of North Carolina recently considered that question in Rogers v. Keffer, Inc. Chief Judge James C. Dever III’s decision in Rogers raises several interesting issues. This post discusses two of them:
- Can overlooking inconsistencies in information supplied by an identity thief to make purchases or to obtain credit in a consumer’s name give rise to liability under N.C. Gen. Stat. § 75-1.1?
- Does disclosing stolen data supplied by an identity thief in furtherance of a fraudulent transaction constitute a “security breach” that requires notification to the affected consumer?
Gone (and Back) in 11 Days: an Unusually Brazen Car Thief
In November 2015, an impostor claiming to be Andrew Stutfield Rogers entered a Charlotte car dealership operated by Keffer, Inc. The impostor provided Rogers’s social security number and date of birth, along with a driver’s license with the name “Andrew Leon Rogers” and a nonexistent South Carolina mailing address. Rogers had not lived in South Carolina since 1992.
Keffer took this information and made inquiries into Rogers’s credit report. Keffer then used Rogers’s information to help the impostor obtain a car loan in Rogers’s name from JPMorgan Chase Bank. The impostor applied the loan proceeds to buy a car.
Eleven days later, the impostor returned to Keffer and repeated the scheme. With Keffer’s help, he again obtained a car loan in Rogers’s name—this time from a different lender—and bought and drove away with a second car.
Rogers, of course, didn’t know any of this when it happened.
Instead, he first learned of a problem several weeks later, when he received an email from JPMorgan that congratulated him on his new car loan. Rogers then repeatedly called JPMorgan to explain that he had not requested or authorized the loan and that his identity had been stolen.
Even after those contacts, JPMorgan continued to report the loan to credit reporting agencies as belonging to Rogers. JPMorgan also mailed two letters to Rogers that demanded he make payments on the loan.
Rogers sued Keffer and JPMorgan (among other defendants) in Wake County Superior Court, complaining of injuries that included harm to his credit score, loss of employment opportunities, and emotional distress. JPMorgan removed the case to federal court.
Rogers’s claims against Keffer and JPMorgan included a section 75-1.1 claim based on their failure to recognize and to respond appropriately to the impostor’s fraudulent scheme. He also accused Keffer of violating N.C. Gen. Stat. § 75-65, which requires companies to notify individuals of security breaches that involve their personal information.
Keffer and JPMorgan both moved to dismiss.
Unwitting Accomplice as Section 75-1.1 Defendant?
According to Rogers, Keffer violated section 75-1.1 by failing to verify the impostor’s identity and by overlooking inconsistencies in information supplied by the impostor to complete the car loan applications.
Judge Dever, however, determined the claim could not proceed on those grounds.
Judge Dever first observed that, under North Carolina law, “wrongful and intentional” harm to a plaintiff’s credit rating and business prospects can support a claim under section 75-1.1. But he found that Rogers’s allegations against Keffer did not satisfy that standard.
Judge Dever acknowledged that Keffer’s actions may have been negligent. But, as often happens when courts confront direct unfairness claims, he concluded without much explanation that those actions were not unfair enough to violate section 75-1.1. Rogers, he observed, simply had not shown those actions were “immoral, unethical, oppressive, or unscrupulous,” or met other formulations of the unfairness standard under the statute.
As to JPMorgan, Rogers’s section 75-1.1 claim rested on two grounds:
- reporting the fraudulent loan to credit reporting agencies and failing to properly investigate and to correct erroneous information in its records; and
- sending collection letters to Rogers despite multiple notifications from Rogers that the account was procured by fraud.
Relying on a 2010 opinion from the Fourth Circuit, Judge Dever held that the claim was preempted as to the first ground by the federal Fair Credit Reporting Act, under which Rogers had asserted a separate claim.
As to the second ground, however, Judge Dever denied JPMorgan’s motion. He found that JPMorgan’s sending of collection letters to Rogers fell outside the scope of the Fair Credit Reporting Act and that the section 75-1.1 claim was not preempted insofar as it relied on that conduct. And because JPMorgan had reason to know that the loan was fraudulent before it sent those letters, the claim could proceed on that ground.
Is Furnishing Stolen Information a Security Breach?
Rogers also alleged that Keffer violated section 75-65 by failing to notify him of a security breach involving his social security number. Notably, section 75-65 expressly states that violation of its notification requirement is a per se violation of section 75-1.1.
According to Rogers, Keffer’s disclosure of his social security number to credit reporting agencies and banks in the course of helping the identity thief to obtain the car loans was a “security breach” for purposes of section 75-65. Keffer failed to notify him of that breach, he argued, and therefore violated the statute.
Judge Dever dismissed the claim. In doing so, however, Judge Dever did not directly address whether Keffer’s unwitting disclosure of Rogers’s social security number to other parties in furtherance of the impostor’s scheme qualified as a “security breach” giving rise to a duty to notify Rogers.
Even assuming it did, he reasoned, Rogers could not show that Keffer’s failure to notify him proximately caused Rogers any injury. Rogers discovered the fraud before Keffer discovered it; indeed, Rogers notified Keffer about the fraud. And Rogers could not point to any expenses that he could have avoided had Keffer found the fraud first and notified him.
Lessons from Rogers
The prospect of recovery under section 75-1.1 is no doubt attractive to consumers unwinding the effects of identity theft in the wake of a data breach. Judge Dever’s decision, however, indicates that these types of claims face an uphill battle.
Under Rogers, plaintiffs bringing these claims must allege more than a mere failure to recognize a thief’s scheme, even when the facts suggest it should have been obvious. Once a company has actual notice that fraud has occurred, though, continuing to act as if it has not may well be enough.
As for per se claims premised on section 75-65, Rogers leaves open the intriguing question whether its breach notification requirement applies to companies that unwittingly share stolen information after an identity thief comes to call. But if a notification obligation does apply, Rogers confirms that would-be plaintiffs must allege specifically how they were harmed by the defendant’s failure to comply.
Author: Alex Pearce