The FCRA requires credit bureaus to disclose to consumers the identity of the sources of information in your credit file. Yet if you look at your credit report from any of the 3 major giants (TRU, EFX, EXPN), they list out all addresses, phone numbers, and email addresses with no indication of who fed them that info. If you request that info, they ignore or refuse.

The penalty for FCRA violations in that section is $1k. So you might think: “how cool is that? I can simply sue all three credit bureaus for $1k each”. It should work like that, but doesn’t. IIRC, it was a lawyer for a credit bureau who told me in so many words: case law shows that you must incur damages in this particular case. So if you can prove damages, then you can claim $1k (even if the actual damages are $1). But how do you even prove $1 in damages?

I have some ideas but generally this is such an uphill battle that credit bureaus can simply bluntly ignore the law. Which is what they do. It’s a good demonstration of how US corporations will plainly break laws that are unenforceable.

    • evenwicht@lemmy.sdf.orgOPM
      3 months ago

      I’m not sure what data breaches you’re referring to. The data that makes it into the credit file is not generally due to a breach¹. Every “member” of a credit bureau is free to share info with the credit bureau. Those members (which are generally banks, insurance companies, creditors) usually put in their privacy policy some vague verbiage about sharing with credit bureaus.

      If you mean breaches of the credit bureau, like what happened with Equifax, I don’t believe a US court would view the breach itself as quantifiable provable damage to every consumer. I think there would only be (court-recognized) damage if the data were actually exploited in a way that costs you money.

      ¹ Although I say unlawfully exfiltrated data would be unlikely to make it onto the credit report, I cannot know for certain, precisely because the credit bureau conceals the info source. That’s the reason we would want the law enforced. If CRAs were to share the source info, we would be able to separate the sources we have agreements with from those we don’t, and possibly chase up the sources we did not authorize to investigate where the data came from, which very well could have a supply chain that leads to the black market, a ransom attack, etc.