In 2011 and 2013, Peri Domante's personal information was stolen and fraudulently used to open two accounts with Dish Networks, LLC ("Dish"), a provider of television services. After being alerted to the fraud, Domante sued Dish for violation of the Fair Credit Reporting Act ("FCRA").  The parties settled the lawsuit.  As part of the agreement, Dish promised to flag Domante's Social Security number to preclude further unauthorized attempts to obtain Dish services. To implement this provision, Dish entered Domante's personal information, including her date of birth and Social Security number, into an internal system designed to prevent unauthorized accounts from being opened.

In 2017, an unknown individual applied online for a Dish account using the last four digits of Domante's Social Security number, date of birth, and first name, while using a different last name, address, and telephone number. Dish's automated system submitted the applicant's information to a consumer reporting agency ("CRA") to verify the individual's identity. The CRA matched this information with Domante and returned her credit report to Dish, which included Domante's full Social Security number. Dish then blocked the application, and no Dish account was opened in Domante's name.  Dish also requested that the CRA delete the inquiry from Domante's credit record, and the CRA complied.

Domante sued Dish in the U.S. District Court for the Middle District of Florida, alleging that Dish negligently and willfully obtained her credit report without a "permissible purpose" in violation of § 1681b of the FCRA.

The trial court granted summary judgment in favor of Dish, ruling that Dish had a legitimate business need to verify the information that was submitted to determine the eligibility of the applicant.

On appeal to the U.S. Court of Appeals for the Eleventh Circuit, Domante argued that Dish did not have a legitimate business need to pull her credit report because Dish either knew or should have known that Domante had not initiated the business transaction because of their prior settlement agreement.

In affirming the district court's ruling, the Eleventh Circuit noted that, when the account application was submitted, Dish had only the last four digits of the provided Social Security number, not the full number. Dish depended in part on the CRA's credit report to verify the identity of the applicant so that it could obtain the full Social Security number for cross-checking with its internal records. In reaching this conclusion, the Eleventh Circuit followed the Sixth Circuit's reasoning in Bickley v. Dish Network, LLC, 751 F.3d 724 (6th Cir. 2014), which held that requesting and obtaining a consumer report for verification and eligibility purposes is a "legitimate business need" under the FCRA.

A key takeaway for requesters of consumer credit reports, including employers, is the importance of developing and maintaining internal verification and eligibility procedures that are consistent with the information contained in the requested report.  For example, the Eleventh Circuit specifically pointed to Dish's argument that, in obtaining Domante's credit report, Dish in fact prevented an identity theft by cross-referencing the report with its internal systems, and further noted the district court's finding that "verification for eligibility indeed was Dish's purposed in requesting and obtaining the report."

A copy of the decision can be accessed by clicking  here.

Originally published by Troutman Pepper, October 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.