A federal district court in California has granted partial summary judgment in Experian Information Services, Inc. v. Lifelock, Inc., holding that LifeLock violates the state’s Unfair Competition Law.
LifeLock—infamous for its TV ads in which the founder puts his Social Security Number on the side of trucks—exploits an opportunity in fraud protection law. 15 U.S.C. § 1681c-1 allows “a consumer, or an individual acting on behalf of or as a personal representative of a consumer” to put a free ninety-day fraud alert on her credit file. This “initial” fraud alert requires the consumer to claim “a suspicion that [she] has been or is about to become a victim of fraud or related crime.” The law also allows for an “extended” alert, which lasts for seven years, but requires that the consumer have suffered actual fraud. What LifeLock does is place and renew initial fraud alerts every ninety days on behalf of customers, creating a sort of permanent initial fraud alert.
Experian doesn’t like that, partly because it has to expend resources processing all those repeating fraud alerts. So it sued LifeLock, claiming unfair competition, among a host of other complaints. The court agreed.
Its reasoning, in a nutshell, was this: the credit freeze law only allows fraud alerts to be placed by the consumer or an individual acting on her behalf. According to the legislative history of § 1681c-1, the word “individual” was specifically chosen over “person” so that individuals such as family members, attorneys, and guardians could place fraud alerts, but not companies (which are legally considered to be “people”). The court found that language to show a public policy against companies placing fraud alerts. Because the “unfair” business practices prohibited by California’s Unfair Competition Law include not only illegal practices, but also those contrary to public policy, the court found LifeLock’s placement of initial fraud alerts on behalf of individuals to be an unfair business practice, and thus illegal.
What’s interesting about this ruling—other than its implications for LifeLock—is that it reached its result without ever considering whether permanent initial fraud alerts themselves are contrary to the statute. It only says that organizations cannot place fraud alerts. But what about the practice of continually renewing an “initial” fraud alert so that it’s essentially permanent? The statute seems to contemplate specific remedies under specific situations: if you think you might be at risk of fraud, you get a ninety day alert that puts some restrictions on anyone who pulls your credit report. If you have been the victim of fraud, you get a seven-year alert with stricter restrictions. Arguably, if Congress had intended to allow for a permanent fraud alert, it would have provided for one. This ruling doesn’t address that issue.
This doesn’t seem to slam the door on all permanent initial fraud alerts. An individual consumer could always call all three credit reporting agencies every ninety days to place the fraud alert herself. She could also have an attorney, acting as her personal representative, do it for her. What this ruling says is that organizations can’t place fraud alerts: only individuals. It also effectively outlaws LifeLock’s business in California—or will, once the appeals are exhausted.
I believe that there is an even better solution to the Lifelock, Debix or a cosnumer using a “fraud alert” to protect their credit file. Credit Freezes are a good solution that is low cost and totally prevents anyone from even accessing your credit report. I have an article on my site with some more info: http://www.wisefinsh.com/