On April 29, 2021, the Federal Trade Commission (“FTC”) announced a record $20 million settlement with Vivint, a Utah-based smart home security and monitoring company. This settlement represents the largest in FTC history for violations of the Fair Credit Reporting Act (“FCRA”), which was enacted in 1970 to promote accuracy, fairness, and the privacy of personal information assembled by consumer reporting agencies and regulate the use of consumer reports. The FTC has jurisdiction over and monitors FCRA violations.
Vivint was accused of unlawfully utilizing the credit history of third parties to process financing applications for potential customers that failed to qualify based on their personal credit history. When a potential customer applied for financing and was rejected by Vivint’s software, sales representatives would add an unrelated co-signer with acceptable credit, or use a method called “white-paging” to deceive the software into approving the financing application. Under the white-paging method, sales representatives used telephone directories to find unrelated individuals with the same or similar name as a failed applicant, and then reprocess the financing application using the unrelated individual’s credit report.
Despite Vivint’s awareness of these practices since at least 2016 and their termination of hundreds of sales representatives for similar conduct in 2017, Vivint not only rehired many of those same sales representatives, but further failed to enact sufficient safeguards to protect against the continued misuse of consumer credit reports, including a failure to implement an appropriate program for complying with the FTC’s “red flag” rule, which requires certain creditors to institute programs to detect, prevent, and mitigate potential identity theft. Several Vivint employees warned managers of the inadequacy of the company’s safeguards, but Vivint took no remedial action.
Based on the severity of this conduct, the FTC successfully agreed to a record settlement comprised of three parts: (1) a $15 million civil penalty; (2) a $5 million penalty to compensate injured consumers; and (3) a stipulated order requiring Vivint to enact a variety of protective measures, including biennial assessments by an independent third party to ensure FCRA compliance. The settlement reflects an apparent increase in FTC scrutiny and enforcement for FCRA violations.
Users of consumer reports should consider reviewing their processes for ordering consumer reports to assess whether process improvements may be necessary to ensure that reports are being ordered only with a permissible purpose and only on the appropriate report subject. For users of consumer reports that are creditors, the case is a reminder of the need to comply with the red flags rule by putting an appropriate compliance program in place.
AGG’s Data Privacy team provides both counseling and litigation services in the privacy and FCRA areas. Jeffrey S. Jacobovitz is chair of AGG’s Antitrust and Competition Law group and is a former Federal Trade Commission Attorney. Micah Kanters is an associate with AGG. If you have any questions regarding the FTC action, feel free to contact Jeffrey at 202-677-4056.