EPIC - Smith v. LexisNexis Screening Solutions

Smith v. LexisNexis Screening Solutions

Concerning the Standard of Care for Data Brokers Providing Employment Background Checks

Background|
EPIC's Interest|
Legal Documents|
News|
Resources|

Summary

Smith v. LexisNexis Screening Solutions, Inc. concerns the standard of care required of credit reporting agencies (“CRAs”) under the Fair Credit Reporting Act (“FCRA”), which requires CRAs to “follow reasonable procedures to assure maximum accuracy” when preparing consumer reports. 15 U.S.C. § 1681e(b). Plaintiff David Alan Smith applied for a job that required him to submit to an employment background check conducted by Defendant LexisNexis Screening Solutions. LexisNexis did not require Smith's prospective employer to provide a middle name. In preparing the background check report, LexisNexis pulled the criminal records of a David Oscar Smith, who had been convicted of fraud. LexisNexis also pulled David Alan Smith's credit report, but did not investigate the discrepancy between criminal records for "David Oscar Smith" and a credit report for "David A. Smith." As a result of the miss-match, Smith's prospective employer withdrew its offer of employment. Smith sued LexisNexis for violating FCRA, alleging that the CRA did not follow "reasonable procedures to assure maximum accuracy."

On September 12, 2016, the U.S. Court of Appeals for the Sixth Circuit held that LexisNexis had been negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information in Smith's credit report.

Top News

EPIC Files Brief in Suit Over Faulty Background Checks: EPIC has filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. A court found that LexisNexis had violated Fair Credit Reporting Act by failing to take reasonable steps to ensure "maximum possible accuracy" in the report. LexisNexis appealed. In the amicus brief, EPIC highlighted the industry practice of selling background reports with inaccurate information. EPIC argued that companies should be strictly liable when they fail to maintain accuracy in these reports. In 2005, EPIC filed a famous FTC complaint about the data broker ChoicePoint, which ultimately led to a $10 million dollar settlement. (Mar. 1, 2016)

Questions Presented

What standard of care does FCRA require credit reporting agencies to demonstrate when preparing employment background check reports?

Background

Factual History

As part of Plaintiff David Alan Smith’s application for a job with Great Lakes Wine and Spirits (“GLWS”), Smith agreed to submit to a “background investigation check.” The background check “occurred toward the end of the hiring process, after an applicant submitted an application, was interviewed for the position, and received an offer of employment.” Smith provided GLWS with “his full name—including middle name—date of birth, address, and social security number.”

Pursuant to its contract with GLWS, Defendant LexisNexis conducted the background investigation. Although GLWS had Smith’s middle name, GLWS only provided LexisNexis with Smith’s “first name, last name, date of birth, and social security number.” Evidence presented at trial showed that “a middle name, unlike other information, was not required information that Defendant demanded to conduct a search in its proprietary criminal database.”

The background report prepared by LexisNexis contained a “critical—and undisputed—error.” The report contained “records of fraud-related convictions belonging to David Oscar Smith, an individual whom both parties agree is not Plaintiff David Alan Smith.” Evidence presented at trial showed that LexisNexis both retrieved a credit report from Equifax for “David A. Smith,” and also generated a criminal background report for “David Oscar Smith.” Despite the discrepancy, testimony showed that LexisNexis “undertook no steps to determine why the middle initial on the credit report did not match the middle name on the criminal records.”

Upon receiving the background report, GLWS withdrew its offer of employment. Smith disputed the criminal record and provided proof of identity, and GLWS ultimately hired Smith six weeks later.

Procedural Background and Lower Court Opinion

Smith sued LexisNexis for violating FCRA by failing to “‘follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.’” Smith alleges that LexisNexis “both negligently and willfully failed to comply with this mandate, and that the consequent error cost him six weeks of lost wages, in addition to considerable reputational and emotional injury.” A jury found LexisNexis liable, and awarded Smith $75,000 in compensatory damages and $300,000 in punitive damages.

Before the case had been submitted to the jury, LexisNexis filed a motion for judgment as a matter of law, challenging the sufficiency of evidence “on the issues of negligence, willfulness, and compensatory damages.” The court took the motion under advisement, submitted the matter to the jury, and subsequently denied the motion. LexisNexis then renewed its motion for judgment as a matter of law, or in the alternative for new trial and/or remittitur.

The court denied LexisNexis’s renewed motion for judgment as a matter of law, finding that Smith presented sufficient evidence for a reasonable jury to find in his favor.

First, the court affirmed that Smith had presented sufficient evidence of LexisNexis’s negligence. In its initial motion, LexisNexis had argued that FCRA requires a plaintiff to present “specific evidence—such as an analysis of business costs—to establish the reasonableness of alternative procedures that Defendant knew about, but negligently failed to follow.” In its renewed motion, LexisNexis argued that evidence of reasonable alternatives is required when a credit reporting agency (“CRA”) such as LexisNexis has not been put on notice of a problem. The court rejected these arguments, finding as a matter of law that the structure of FCRA and numerous cases in and out of the Sixth Circuit indicate that FCRA does not require a plaintiff to supply evidence of reasonable alternatives, nor does it require proving that a CRA had notice of inaccuracy before it can be held liable.

LexisNexis had also challenged the court’s conclusion that Smith demonstrated sufficient evidence by showing that: (i) there was an “internal discrepancy within Plaintiff's report at the time Defendant issued it to GLWS,” and (ii) LexisNexis “self-limited the information it received from clients by failing to make the middle-name field of its submission form a mandatory field.” The court rejected LexisNexis’s contention that “because third parties often return multiple names or variations thereof” and “[b]ecause discrepancies are common, it would not be reasonable to investigate every one of them.” Noting the “troubling implications” raised by this argument, the court concluded that FCRA “cannot be viewed to tolerate as ‘reasonable’ a CRA's failure to take action simply because discrepancies are too numerous.” The court also held that a jury could infer “that individuals with common names carry a higher risk that information belonging to others with the same name will be mistakenly attributed to them, and that a reasonable person would take steps to reduce that risk.” Finally, the court found that jury could infer that “a reasonable CRA would require a client to address the existence of a middle name, and that such a field would be reasonable to implement.”

Second, the court affirmed that Smith had presented sufficient evidence of recklessness. A jury could find that LexisNexis’s “policy of never requiring clients to provide middle names, even where available, posed an unjustifiably high risk of harm that was so obvious Defendant should have been aware of it” and LexisNexis’s “failure to address a glaring discrepancy” in Smith’s “created a risk of inaccurate information so obvious that it went beyond careless.”

Finally, the court found that Smith presented sufficient evidence of emotional distress and economic loss to justify the jury’s award of compensatory damages.

The court did grant LexisNexis’s motion for a new trial and/or remittitur, however, and reduced the punitive damages award from $300,000 to $150,000. The court concluded that LexisNexis’s conduct was not highly reprehensible because, in part, there is “no evidence that the error committed here has occurred on a widespread scale.” Because “reprehensibility is low and compensatory damages are substantial,” the court followed Sixth Circuit precedent in finding that “a 1:1 or 2:1” ratio of punitive damages to compensatory damages is the upper limit.

Appellate Challenge & Appellate Arguments

LexisNexis has appealed the lower court’s opinion, and argues in relevant part that the trial evidence does not support the jury’s verdict that LexisNexis failed to follow reasonable procedures to assure the “maximum possible accuracy” of its background report about Smith.

LexisNexis asserts that its procedures “met or exceeded industry standards.” LexisNexis implies that when a company meets industry standards, the burden shifts to the plaintiff to present contrary evidence. Because “Smith presented no contrary evidence regarding industry standards,” the “uncontroverted evidence establishes that LexisNexis’s procedures were reasonable.”

LexisNexis also argues that it “relies on all of the information provided by employers in preparing its reports” and “relies on employers to provide complete and accurate information.” Therefore, LexisNexis should not be liable when GLWS had the option to provide a middle name but chose not to.

In addition, LexisNexis asserts that “its consumer dispute percentage is extremely low.” Indeed, “there is no evidence that LexisNexis’ procedure of requesting, but not requiring, a middle name ever has resulted in an inaccurate criminal background report prior to Smith’s report.” LexisNexis asserts that “Smith’s situation is the first time a problem has arising by using first name, last name, and date of birth for criminal record report.”

LexisNexis argues that no court has required a CRA to investigate and resolve internal discrepancies before providing employment background checks, and that it would not be reasonable to conduct an investigation based on the discrepancy between a middle name shown on a criminal record and a middle initial shown on an Equifax credit report. “[B]ecause LexisNexis cannot validate or confirm the accuracy of that information and many Equifax reports contain multiple names; discrepancies are therefore common and checking each of them would not be a reasonable procedure.”

Smith has filed a cross-appeal, challenging the lower court’s reduction of punitive damages.

Standard of Review

The Sixth Circuit “review[s] de novo a district court’s denial of a renewed motion for judgment as a matter of law.” The court cannot “weigh the evidence, question the credibility of witnesses, or substitute our own judgment for that of the jury.” Instead, the Sixth Circuit can overturn the district court “only ‘when viewing the evidence in a light most favorable to the non-moving party, giving that party the benefit of all reasonable inferences, there is no genuine issue of material fact for the jury, and reasonable minds could come to but one conclusion in favor of the moving party.’”

The Sixth Circuit reviews statutory interpretation by a district court judge as a “question of law requiring de novo review.”

EPIC's Interest

EPIC has a long history of protecting consumer privacy, particularly when it comes to inaccurate information collected by data brokers.

In January 2016, EPIC submitted an amicus brief to the U.S. Supreme Court case Utah v. Strieff. In the brief, EPIC argued that information contained in government databases should not attenuate the taint of an unlawful police stop. EPIC’s brief detailed the substantial quantity of information now contained in government databases, some of which is pulled from third-party data brokers. EPIC also discussed the inaccuracies in government databases, including databases of criminal records.

In an amicus brief submitted to the U.S. Supreme Court in September 2015 for Spokeo v. Robins, EPIC defended the ability of an individual consumer to sue a private company for violating federal privacy law. In Spokeo, the data broker Spokeo.com published inaccurate personal information about Robins in violation of FCRA. EPIC’s brief detailed how consumers face unprecedented threats from identity theft and consumer fraud, and discussed how data brokers sell consumer information without verifying the accuracy or completeness of the records.

In 2002, EPIC submitted an amicus brief to the New Hampshire Supreme Court in the case Resmburg v. Docusearch. The case concerned the 1999 murder of Amy Boyer by Liam Youens, who shot her in front of her workplace. Youens had obtained Boyer’s social security number and work address from the data broker Docusearch; Docusearch had, in turn, obtained Boyer’s work address by having a subcontracter call Boyer “pretextually.” The subcontracter lied to Boyer to convince her to reveal her employment information. Boyer’s mother sued Docusearch for wrongful death, intrusion upon seclusion, commercial appropriation of private information, violation of FCRA, and violation of the New Hampshire Consumer Protection Act. EPIC’s brief argued that Docusearch should be liable under all claims. The New Hampshire Supreme Court ultimately held that data brokers and private investigators can be liable for the harms caused by selling personal information.

In March 2015, EPIC submitted comments to the FTC for the agency’s review of the merger remedy process. EPIC urged the Commission to consider the privacy risks to consumers that result from the merger of big data firms. The comments detailed EPIC's efforts, over 15 years, to warn the FTC about such mergers as Abacus and DoubleClick, then DoubleClick and Google, AOL and Time Warner, and most recently Facebook and WhatsApp. EPIC urged the FTC to assess both competitive and privacy impacts of merger, and to enforce privacy commitments prior to granting merger approval.

In September 2014 comments submitted to the Consumer Financial Protection Bureau (“CFPB”), EPIC urged the Bureau to limit the information debt collectors gather about consumers and to prohibit debt collectors from contacting employers and others about consumer debt. EPIC argued that the CFPB should functionally interpret the term “debt collector” in the Fair Debt Collection Practices Act, which would allow the Act to cover any party that engages in the collection of debt. EPIC urged the Bureau to regulate creditors and third-party debt collectors, and discussed how first-party creditors and third-party debt collectors can cause the same types of harm to consumers. EPIC advised the CFPB to limit access to sensitive consumer debt information and to limit the consumer information included in debt validation notices. Debt collectors should also be required to adhere to consistent, well-vetted record-keeping standards.

In April 2014, EPIC submitted comments to the White House on “Big Data and the Future of Privacy.” EPIC warned the White House about the enormous risk to Americans of current “big data” practices but also made clear that problems are not new, citing the Privacy Act of 1974 which responded to the challenges of "data banks." EPIC noted the dramatic increases in identity theft and security breaches. EPIC called for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. EPIC wrote that it is “vitally important to update current privacy laws to minimize collection, secure the information that is collected, and prevent abuses of predictive analytics.”

In December 2004, EPIC submitted a complaint to the FTC about the compliance of ChoicePoint and other data brokers with FCRA. EPIC’s complaint urged the FTC to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint, arguing that these dossiers might constitute “consumer reports” for purposes of FCRA. The complaint ultimately led to a $10 million settlement between ChoicePoint and the FTC.

In May 2005, EPIC testified before the House Committee on Commerce, Science, and Transportation on “Identity Theft and Data Broker Services,” and urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. In July 2005, EPIC testified before the House Committee on Energy and Commerce about “Data Security: The Discussion Draft of Data Protection Legislation,” and recommended that the Committee consider the privacy risks raised by data brokers.