FCRA May Be a Dead End for Data Breach Plaintiffs
Richmond partner David Anthony and associate Julie Hoffmeister’s article – “FCRA May Be a Dead End for Data Breach Plaintiffs” – was published on Law360 on January 28.
In it, they discuss how relying on the Fair Credit Reporting Act in class action lawsuits that follow data attacks (“being hacked”) may no longer be a viable option for claiming that information was furnished to a data hacker for impermissible purposes.
“…[A]t first glance, the FCRA appears to be a viable vehicle for class action plaintiffs that have suffered data security breaches but who are unable to allege present, concrete harm. However, a number of courts have dismissed such claims at the pleading stage. … To fall within the scope of the FCRA, a company that was subject to the data breach must fall under the FCRA’s definition of a ‘consumer reporting agency.’ That definition requires, in part, that the company ‘furnish’ consumer reports to third parties,” the two contend.
“The question thus arises: does a consumer reporting agency technically ‘furnish’ information to hackers? While the term ‘furnished’ is not specifically defined in the act, courts have consistently held that theft cannot be construed as ‘furnishing’ consumer information.”