October 12, 1999
MEMORANDUM OF DECISION
In this action the Commonwealth alleges that the defendants, Source One Associates, Inc. (Source One) and Peter Easton (Easton) have committed unfair and deceptive acts and practices in violation of G.L.c. 93A by regularly obtaining personal confidential financial information of individuals through trickery and ruse and selling such information. Acting through the Attorney General the Commonwealth seeks civil penalties, a permanent injunction, attorneys' fees and costs.
The defendants deny the allegations in their answer and have put the Commonwealth to its proof.
The Commonwealth presented numerous witnesses and thousands of documents at trial which commenced on September 13, 1999 and concluded on September 20, 1999. The defendants called no witnesses. The Commonwealth introduced the deposition of Easton at which he took the Fifth Amendment in response to all material questions.
"In a civil action, a reasonable inference adverse to a party may be drawn from the refusal of that party to testify on grounds of self-incrimination." Labor Relations Commission v. Fall River Educators' Association, 382 Mass. 465, 471 (1981); See, also, Kaye v. Newhall, 356 Mass. 300, 305-306 (1969); Baxter v. Palmigiano, 425 U.S. 308, 318 (1976).
The allegations admitted in the complaint, the evidence at trial and reasonable inferences therefrom establish the following facts by a fair preponderance of the evidence.
Source One is a corporation organized under the laws of the State of New York, with a principal place of business on Cromwell Drive in Poughquag, New York. Easton is the President of Source One, and at all material times has been responsible for the day to day operations of Source One.
Financial Information Sold by Source One to Massachusetts Asset Search Firms
Source One engaged in numerous transactions with persons in Massachusetts who were seeking to obtain bank account information about named individuals and businesses. These transactions were accomplished by telephone and fax. In response to these customer requests Source One would either report that no information could be found or would supply information about the names of banks in which the named individual held accounts, the account numbers, the type of account, the balances in those accounts and other similar information relating to mutual fund and stock ownership. Direct evidence of such transactions was supplied by the testimony and records of two persons who were in the business of obtaining such information for Massachusetts and some non-Massachusetts customers. That evidence was voluminous and entirely credible. It was corroborated by advertising emanating from Source One.
In particular the court finds that Mr. Edward L. Amaral, Jr., Esq. ("Amaral") is a Massachusetts attorney who also operates a business called "Asset Searches Plus." Between 1995 and 1997, Amaral was the sole owner and employee of Asset Searches Plus, and Amaral managed and handled all the daily operations of Asset Searches Plus.
Amaral regularly advertised the services of Asset Searches Plus in Massachusetts Lawyers Weekly. (Amaral and his business Asset Searches Plus will hereafter be referred to as "Amaral.") Amaral sold asset information to other attorneys, investigators, and others who hired him to perform asset research. Amaral hired and paid Source One to obtain financial information of third parties. From 1995 through 1997, Amaral's sole source of financial information was through Source One.
Amaral's typical business practice with regard to obtaining and selling financial information was as follows: A person who wished to obtain financial information called Amaral, and Amaral faxed that person a description of available services. Amaral generally required the requestor to send him a written facsimile document setting forth what information the requestor desired on a preprinted form prepared by Amaral. Amaral would in turn send a written fax to Source One setting out the financial information that Amaral sought from Source One.
The only information required by Source One from Amaral was the (a) name, (b) last known address, and (c) social security number, if known, of the subject of the search. Source One would then, through its methods, obtain the financial information. Source One would generally use the same fax sheet used by Amaral, and Easton would handwrite the bank, bank account number, and bank account balances he located, and whatever other financial information he obtained, onto the fax sheet, and fax the page back, often on the same day.
Amaral requested, but did not require, the requestor to indicate what the purpose of the asset search was; there was space for this information on the preprinted form. In the records introduced in evidence the "purpose" section completed by requesters on the preprinted form was left blank 175 times. When that section was completed, it was often filled in with such terms as "confidential", "debt" or "litigation pending."
Amaral did not inform the subject of the search that any search of their assets was being conducted, and he did not obtain their consent. Amaral did not know how Source One obtained the bank account and other information, and, when asked, Easton told him that he did not obtain credit reports of consumers and did not engage in other deceptive practices to obtain the information.
Amaral used Source One's services regularly during the period from 1995 through September 1997. Amaral spoke on the telephone with Easton regularly during this time — at least two times per month, and at trial was able to identify tape recordings of Easton's voice as being Easton.
After the Attorney General's Office brought suit against Bearak Reports, Inc. ("Bearak"), in a suit where the allegations were similar to those raised here, Amaral sought to determine from Source One whether Source One was engaging in conduct that was unlawful. Easton stated that he was not using the deceptive techniques alleged in the Commonwealth's Complaint against Bearak. Amaral also provided Source One with a copy of the preliminary injunction issued in the Bearak case and the Commonwealth's memorandum of law in support of its application for a preliminary injunction.
After reviewing an article about the Bearak case in the Massachusetts Lawyers Weekly in late 1997, Amaral approached the Attorney General's Office, and explained that he had been obtaining financial information through Source One, and was concerned about the legality of obtaining such information. Amaral entered into a settlement with the Commonwealth, and agreed to cooperate with the Attorney General's investigation.
Amaral provided the Attorney General's Office with all of his business records concerning asset searches, including those files as to which he sought bank account or other financial information through Source One. Amaral's records, constituting 378 files that relate to Source One (and contained in the boxes marked as exhibits 8 — 15), cover the time period from December of 1993 through November 5, 1997.
They disclose that Source One and Easton performed 1,028 bank searches and/or searches for stocks, bonds or mutual funds. Of those 1,028 searches, 766 relate to Massachusetts residents, 261 relate to out-of-state residents, and one search relates to an out-of-country resident. Only one search was requested to be performed by a governmental entity.
Of the 1,028 searches, Amaral was provided with no reason for the search request 175 times. The other search requests recited various reasons for the search, including the following noted reasons: judgment, divorce, collection, debt, litigation, lawsuit, confidential, bankruptcy, and child support. Child support was noted less than 10 times.
Of the 1,028 searches, there were 782 "hits" — that is, Source One reported finding financial information 782 times.
According to the files, Amaral was paid a total of $173,791 from his clients during the time period covered by the files.
A review of the invoices that Amaral had received from Source One and Easton, and that are marked as Exhibits 27, 28 and 29 shows they did not represent a complete set of the invoices that Amaral should have received from Source One and Easton. The invoices covered a smaller period of time than the files and the invoices did not cover calendar year 1994.
According to the invoices, Source One and Easton billed Amaral $43,350, a figure that appears to be less than what Amaral was likely billed by the defendants given the discrepancy between the invoices and the files. Of the 378 files admitted in evidence, Source One obtained financial information, including bank account balances, 1,028 times. Source One charged Amaral $100 for each state bank search, and approximately $50 more for an additional multi state search.
The transactions between Amaral and Source One were mirrored by transactions involving another Massachusetts asset search firm, Bearak Reports. The facts are as follows:
Irene Davis ("Davis") and her husband Henry Davis, d/b/a Henry Davis Consulting, Inc. provided consulting services to Bearak Reports, a Framingham asset search firm. Henry Davis Consulting, Inc. used to be based in Natick, Massachusetts. Although the services provided by Davis to Bearak initially related to marketing, in February 1995 the services came to include obtaining financial information concerning the subjects of Bearak's bank searches.
Davis obtained the financial information from Source One in a manner similar to Amaral's: Davis received a fax from Bearak Reports concerning the identities of the persons of whom he wished to obtain financial information. Davis faxed Source One with the name, address, and (usually) the social security number of a search target. Soon thereafter, Source One faxed the financial information back to Davis. Davis in turn provided the financial information to Bearak for disclosure to Bearak's asset search clients. Source One charged at least $100 for each of these searches.
Davis dealt directly with Easton at Source One, and he is the only person she ever dealt with at Source One. Davis made over 500 requests to Source One for financial information, and approximately 400 times Source One provided her with the financial information she had sought. Between March and October 1995, Davis paid Easton at least $47,400 for bank searches.
The Bank Account Information Provided by Source One was Private and Confidential
The information provided by Source One included the account number, the type of account, balances in the account, and other similar information. This information was regarded as confidential by the bank customer, the bank, and by the public in general. Various statutes, regulations, bank practices referred to below and the testimony of various individuals whose banking information was disclosed by Source One support this conclusion.
The court heard the testimony of Mr. Frederick G. Tilley ("Tilley"), Director of Corporate Assets and Recovery, BankBoston. Based on his background, training and experience and demeanor, among other factors, the court found his testimony to be highly credible. He is the most senior security official at BankBoston. He has worked for BankBoston for thirty years, has extensive knowledge of and experience with information security, bank customer confidentiality procedures, auditing of information security procedures, customer authentication procedures, and the various means by which banks such as BankBoston guard against the unauthorized release of private financial information. He also has a depth of knowledge and expertise concerning the means by which information brokers attempt to obtain private financial information. He is an expert in the area of financial privacy policies, the security of financial institutions, and the techniques used by information brokers to obtain private financial information in contravention of financial institution policy.
BankBoston policies prohibit the release of any account or other information, including an account number, account balances, customer address information, a customer's lending limits, or the existence of a checking, savings or other account, to a non-customer unless BankBoston is required to do so by subpoena or BankBoston has the written consent of the account holder. Every employee is responsible for maintaining the confidentiality of customer accounts. Employees are informed of these policies and trained to implement them. BankBoston's corporate policy book contains the confidentiality policy. BankBoston's policies are consistent with those of the banking industry in general, and in fact are based upon an Office of the Comptroller of the Currency ("OCC") Circular dated May 1998. OCC Circulars such as Trial Exhibit 35 are mandates with which a bank is obligated to comply.
In addition to general confidentiality policies, BankBoston has detailed procedures in place that require BankBoston employees to verify that a person calling to inquire about account information is the BankBoston customer who is entitled to that information, and BankBoston trains its employees to implement these policies to prevent the unauthorized release of private financial information.
Since 1993, Tilley has personally directed approximately five or six investigations of attempts made by third parties to obtain private customer financial information. As a result of investigations he directed, Tilley learned that individuals were obtaining private account information by pretending to be a BankBoston account holder, and while pretending to be this account holder, applied great pressure on the BankBoston clerk to release the account information.
Tilley learned that because of these ruses and trickery, BankBoston clerks had released private account information. Since beginning the investigations in 1993, BankBoston staff will now call BankBoston, pretending to be an account holder seeking private account information to test whether BankBoston staff is responding appropriately to these types of inquiries for private information.
BankBoston privacy policies are grounded on circulars and advisories of the Office of the Comptroller of the Currency ("OCC"). He has reviewed relevant OCC Advisories and OCC Circulars. OCC advisories, as opposed to OCC circulars which contain mandates directed to banks such as BankBoston, simply advise banks about issues in the banking industry.
Similar credible testimony was given by Joseph Vincent, the Controller and Vice-President of the Framingham Cooperative Bank ("FCB"), in Framingham, Massachusetts. He serves as the official Bank Security Officer, and is responsible for security, including information security at FCB. FCB policy prohibits the release of customer information, including private financial information, to a non-customer third party unless FCB is required to do so by subpoena or FCB has the written consent of the account holder. FCB employees are informed of this policy, and receive training to protect the confidentiality of customer information and to verify the identity of those seeking such information. To the extent a person seeks account information by telephone, FCB policy requires the account holder to provide an account number and a social security number, and if the account holder is seeking to verify balances information, FCB requires the account holder to verify the date of the last deposit.
The information obtained by Source One and sold to Amaral, Davis, and others, including bank account locations, type, numbers, balances, and stock and fund ownership, is private (hereinafter referred to as "private information."). G.L.c. 167B, § 16; In the Matter of Touch Tone Information, Inc. No. 982-3619, http://www.ftc.gov/os/1999/9904/majoritystatement.htm; Prepared Statement of the FTC, "Obtaining Confidential Financial Information by Pretexting," U.S. House of Representatives Committee on Banking and Financial Services, July 28, 1998; In re Beneficial Corp., 86 F.T.C. 119, 171-172 (1975), aff'd in relevant part, 524 F.2d 611 (3d Cir. 1976); Bank's Liability Under State Law for Disclosing Financial Information Concerning Depositor or Customer, 81 ALR 4th 377; Report of the Privacy Protection Study Commission (1977), at 101. See also Domestic Relations Special Rule 401 of the Supplemental Probate Court Rules; G.L.c. 62C, § 21 (prohibits disclosure of any information contained in any tax return or document filed with the Department of Revenue); G.L.c. 151A, § 46 (financial and other information obtained by the Department of Employment and Training is confidential and privileged); G.L.c. 66, § 17A (protects confidentiality of records relating to receipt of or application for public assistance); G.L.c. 271, § 43 (same); G.L.c. 118A, § 6 (same for assistance to the aged or disabled); G.L.c. 118E, § 49 (same for medical assistance).
From all the evidence, I find that it is more likely than not that the only way that information brokers can obtain private financial information from banks is through the use of deception and trickery, including impersonation of account holders. Thus, if Source One obtained the private financial information of a BankBoston customer or FCB customer and sold such information to Amaral, Source One would likely have had to use deceit or trickery to obtain the information.
From time to time personal financial information can be discovered by collecting and reviewing discarded bank statements in waste paper and trash or at ATM machines. But such sources are sporadic, disorganized and not available as a regular source of information. It would be impossible for Source One to supply personal financial information on demand to its customers by relying on such sources. The fact that information may occasionally find its way into the hands of someone by inadvertence or trickery does not change the character of such information as confidential in the sense material to the allegations in this case.
The records of Amaral and Davis reveal the names of hundreds of individuals whose private financial information was sold by Source One to Amaral or Davis, and the particulars of such information. Some of those persons testified at trial. They were all persons whose personal financial information was sold to Amaral by Source One as evidenced by the testimony and records of Amaral.
Edward Cohen is married to Reesa Cohen, and he and his wife have two children, Jodi and Seth Cohen. Mr. Cohen has personal knowledge about the bank accounts that he and his family members have. Mr. Cohen had a household checking account with Shawmut (Fleet) in August of 1996, and believed that the balances in that account in August of 1996 were approximately $5,800. Cohen did not know whether in August of 1996 the bank was then known as Shawmut or Fleet; the banks merged at around that time.
In August of 1996, Mr. Cohen's wife Reesa and his daughter Jodi had bank accounts with the Framingham Cooperative Bank. The approximate balance in his wife's account at that time was $827.00 and the balance in his daughter's account was $439.29.
Mr. Cohen did not authorize Shawmut (Fleet) to release his bank account information to anyone in August of 1996 or at any time. Further, the Framingham Cooperative Bank had no information in its files that indicated any authorization to disclose the account information of any of his family members to third parties.
Mr. Cohen did not authorize Amaral, Asset Searches Plus, Easton or Source One to conduct any searches into his financial information. He also did not authorize any of them to obtain a copy of his credit report.
Reesa Cohen, Edward Cohen and Jodi Cohen maintained financial accounts at FCB in recent years including in August 1996, when Source One sold private financial information concerning the Cohens to Amaral. No subpoena, legal process, consent, release or other authorization permitted FCB to release the private financial information of the Cohens.
The FCB telephone number in August 1996 (and currently) is (508) 820-4000. If Source One called FCB in August 1996 and simply requested information concerning any accounts of the Cohens, FCB would not have released such information.
Source One called FCB on August 7, 1996, the same date Source One faxed the private financial information of the Cohens to Amaral. Source One obtained this private financial information by ruse, trickery, or other deceitful conduct.
Mr. Cohen did not learn that his family's bank account information was released to any third party, and he was shocked to learn that it was. He expected that the banks would keep this information confidential.
In June of 1996, Mr. Cohen was in negotiations with a Worcester bank regarding a mortgage dispute as to commercial property. He settled the dispute within six months by paying the bank all sums it claimed it was then owed. No lawsuit was ever filed as to this obligation, and no judgment was ever obtained. Further no authorization was created on account of this dispute for any third party to obtain his private bank account information, or that of his family.
Peter Dwyer is married to Jean Dwyer. In September of 1997, the Dwyers had bank accounts with Bank of Boston. Peter Dwyer had a Bank of Boston checking account with an approximate balance at that time of $3,000.00 and a savings account with an approximate balance of $1,905.00. Peter Dwyer and his wife Jean had a joint Bank of Boston checking account with an approximate balance of $632.00.
Neither Mr. Dwyer nor his wife Jean authorized representatives of Bank of Boston to release their account balances to anyone. They also did not authorize Amaral, Asset Searches Plus, Source One or Easton to obtain the information or to obtain his credit report. (Dwyer Test.)
Peter Dwyer was unaware that his bank account balances had been obtained, and he was upset that the information had been obtained because he expected that his bank account information would be kept confidential by the bank. (Dwyer Test.)
Bruce Rogal is married to Phyllis Rogal. In June of 1996 Mr. Rogal had a checking account with U.S. Trust but he could not recall what the balance of that account was. He testified that such would have been a joint account with his wife Phyllis.
Mr. Rogal did not at any time authorize U.S. Trust to release his bank account information to anyone. Mr. Rogal had never heard of Source One or Peter Easton, and did not authorize them to obtain his private financial information.
Mr. Rogal does not know why the financial asset information of him and his wife was researched. Mr. Rogal did not authorize anyone to release or obtain the private bank account information of him and his wife, and he had expected that this information would be kept confidential.
In June of 1996, there was no pending litigation at the time against Mr. Rogal or his wife, and there were no outstanding judgments or obligations.
Mr. Rogal's reaction to the fact that his bank account information had been obtained and sold in June of 1996 was "revulsion." He does not know whether he suffered any financial losses on account of the defendants' conduct, but he does know that he "suffered a loss of his financial privacy."
Use of Credit Reports by Source One
Equifax Consumer Information Services ("Equifax") is a consumer credit report agency that provides reports of consumer credit history ("credit reports") to its clients. Equifax's business practices are governed, in part, by the Fair Credit Reporting Act. That Act sets forth the purposes for which Equifax is permitted to release credit reports to others. Those purposes, generally, are (a) extending credit, (b) collection, (c) employment, and (d) licensing. 15 U.S.C. § 1681, et seq.
To guard against undue risk of credit report misuse, Equifax has a policy not to serve certain categories of businesses. These include private investigators and firms that obtain credit reports simply for re-sale of financial information to others, rather than for collection of its own accounts or for credit transactions with consumers. This policy has been continuously in effect since 1974. When opening an account, Equifax informs its prospective customers of the legal and permissible purposes for the use of credit reports, and requires the customer to certify specifically the purpose for which the customer intends to use the credit reports.
On or about April 21, 1992, Easton and Source One opened an account with Equifax. Easton represented to Equifax that "credit reports will be used for collection purposes only." He also represented that Source One "will use the reports for locating judgment debtor's and their assets for collection of judgments." Finally, Easton represented that "consumer reports will only be obtained for the . . . specific permissible purpose and for no other purpose . . . [i]n connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of the credit to, or review or collection of an account of the consumer . . ."
Equifax sent Source One regular monthly invoices from the initiation of the account to the termination of the account by Equifax in September 1996. These invoices reliably record Source One's use of credit reports by date, time, name of consumer and the nature of the credit report obtained. The term "ACROFILE" when used in the invoice is the Equifax acronym for a credit report; "i" means an individual report; "j" means a joint account; and "s" indicates that a search for an account was made but was not found; "DTC" means a detect search or a search for a social security number. (Tr. Exs. 43 and 44)
Source One obtained the credit reports of Bruce Rogal, Edward Cohen and Seth Cohen for use in obtaining additional private financial information concerning the Cohens and Rogal for the sale of such information to Amaral. This use of consumer reports was not in accordance with the permissible purposes to which Easton certified he would limit his use of credit reports.
In August 1996, Equifax received a complaint from a consumer about misuse of his credit report by Source One. Equifax investigated the complaint, and asked Source One to provide additional information about the reasons for its use of ten credit reports (selected as an audit sample). Source One failed to respond as to nine of the credit reports, and failed to demonstrate a permissible purpose for the tenth. Equifax terminated Source One's account on September 2, 1996, concluding that Source One was using credit reports for questionable purposes.
A chart in evidence (Tr. Ex. 70) prepared by the Commonwealth and based on invoices from Equifax to Source One notes in red ink where Equifax invoices showed that Source One had obtained an Equifax credit report, and notes in blue ink where Equifax records showed that a report had been sought but not obtained.
Thus, it is clear that Source One obtained numerous credit reports from Equifax and sought many more. The invoices also show the precise dates and times that such credit reports were sought and obtained by Source One.
Telephone Records of Source One
The telephone records of Source One for the period in question reveal and corroborate numerous calls by Source One to Equifax followed closely by calls to banks in Massachusetts, including BankBoston, FCS, and USTrust. When these records are compared to the information contained in Amaral's records a sampling shows that some of these calls were made shortly after faxes sent by Amaral and shortly preceded return faxes from Source One to Amaral.
Evidence was received over objection relating to a time period beyond that of the events alleged in the complaint and relating to transactions outside of Massachusetts. This evidence was received for the limited purpose that it might tend to show the defendants were familiar with the technique of using ruses and false pretenses in order to obtain personal financial information. It was also received on the issue of remedy as tending to show a continuing course of conduct requiring injunctive relief and civil penalties to control. From this evidence the court finds as follows:
Until late August, 1999, one John McCloskey ("McCloskey") was a security officer with Fidelity Security Services, Inc., a subsidiary company of FMR ("Fidelity"). At Fidelity, McCloskey's responsibilities included investigation of unauthorized access to Fidelity customer information and private financial information relating to Fidelity customers.
Fidelity policies prohibit the release of any account or other information, including an account number, account balances, or the existence of any Fidelity accounts, to a non-customer unless Fidelity is required to do so by subpoena or Fidelity has the written consent of the account holder to release the information to a designated individual. Employees are informed of these policies and trained to implement them.
Fidelity customers are investors and their accounts relate to stocks, bonds and mutual funds. Fidelity customers receive regular statements of their account activity in the same manner that bank account holders receive periodic statements.
Fidelity verifies that a request for Fidelity account information is being made by either the account holder or the account holder's designee, in the following ways:
a. If the request is made in writing, the name and address of the person requesting the information would be required to match up with the name and address of the account holder, according to Fidelity's records.
b. If the request were made by telephone, Fidelity's telephone operators receive a prompt asking the operators to enter both the account holder's social security number and the account holder's personal identification number ("PIN").
Without information provided as described, Fidelity account information is not released.
Fidelity receives a large volume of telephone calls from customers, and maintains several telephone call centers linked to "800 numbers" to service these calls. Fidelity has in place policies to protect against the unauthorized release of customer information and private financial information, and trains its telephone representatives to verify that the caller is actually a Fidelity customer, in the manner described above.
In April 1998, the on-site security official at Fidelity's Blue Ash, Kentucky call center informed McCloskey that the call center had been receiving several suspicious telephone inquiries from a person claiming to be a Fidelity compliance officer named "Gary Sullivan." (McCloskey Testimony.)
Fidelity "800" numbers are routed to various call centers, and callers to the Blue Ash call center, and to other call centers are informed that calls are recorded. This warning is conveyed to callers before the recording begins. Additionally, the Fidelity 800 telephone numbers "capture" the source telephone number so that a reliable log of the telephone numbers from which callers phone Fidelity (the "originating number") is generated. This log is called the OCDD system.
McCloskey requested the tape recordings of the suspicious "Gary Sullivan" calls received by the Blue Ash call center, and he listened to them. Because two such calls were received on May 21, 1998, and McCloskey knew the duration of the calls, he was able, using the OCDD system, to determine a narrow number of possible originating numbers.
McCloskey narrowed this number of possible originating numbers by ruling out authorized callers. In this process, he dialed the number of one of the possible originating numbers — 914-724-3007. This is the telephone number of Source One. McCloskey heard the answering machine or voice mail message of Source One and recognized the voice to be the same voice as that on the tape recordings of the "Gary Sullivan" calls that he had heard. He did not block his telephone to disable any caller identification function. This would allow Easton, if he had caller i.d., to return the call even though McCloskey did not leave his number.
Within twenty minutes after placing these calls to Source One, McCloskey received a voice mail message from "Peter Easton" at "Source One." When McCloskey heard the message, he recognized the voice as being the same as that on the tape recordings of the "Gary Sullivan" calls to Fidelity.
McCloskey, again using the OCDD report, determined that other calls originating at Source One came to Fidelity in previous months. Obtaining tape recordings of some of those calls, McCloskey again recognized the voice as the same as that on the tape recordings of the "Gary Sullivan" calls to Fidelity, the Source One voice mail greeting, and McCloskey's voice mail reply from "Peter Easton at Source One."
At that point in his investigation, McCloskey requested that a sample of five to six additional calls with the same phone number (914-724-3007) be provided to him from the period from approximately April to August 1998. After receiving those tapes, McCloskey determined that in each of the calls, the same voice as McCloskey heard on the May 21, 1998 tapes — that of Peter Easton's — was heard either impersonating "Gary Sullivan" or "Dan Kennedy" or a Fidelity account holder.
McCloskey determined that Source One and Peter Easton do not have accounts with Fidelity, that Source One was calling Fidelity for improper purposes, and that Easton was impersonating Fidelity compliance officers and Fidelity account holders. McCloskey also determined that in 1998 Fidelity received over 100 calls originating at Source One, and in 1997, at least 30 calls to Fidelity originated at Source One. Neither Source One nor Easton have an account at Source One.
At trial Amaral identified the voice on the tapes as that of Peter Easton, the man he had dealt with at Source One on the telephone.
General Finding Regarding Methods Employed by Source One to Obtain and Sell Private Financial Information
From the great weight of the evidence and reasonable inferences therefrom I find and conclude that Peter Easton and Source One engaged regularly in a course of conduct by which Easton would receive requests for personal financial data about targeted individuals from Amaral and Davis. He would satisfy these requests on numerous occasions by utilizing his privileges as a customer of a credit reporting agency, Equifax, to get the names of banks or other financial institutions at which the target had accounts. He would then contact those banks or institutions and pretend to be the customer or someone authorized to obtain such information such as a bank employee. When he was successful in obtaining the information he would transmit it back to Amaral in Massachusetts, and charge a fee, which he was subsequently paid.
The Conduct of Easton and Source One Was Unfair and Deceptive and Violated G.L.c. 93A
Chapter 93A, section 2(a) declares unlawful any "unfair or deceptive acts or practices in the conduct of any trade or commerce." Although the statute does not specifically define those terms, the accompanying subsections permit courts to interpret them in light of Federal Trade Commission (FTC) statutes and regulations and empower the Attorney General to make additional rules not inconsistent with those of the FTC. G.L.ch. 93A, § 2(b)-(c) (1999). In this way, "unfair and deceptive acts" have come to stand for actions that "fail to comply with existing statutes, rules, regulations or laws, meant for the protection of the public's health, safety, or welfare promulgated by the Commonwealth or any political subdivision thereof . . ." and those that "violate the Federal Trade Commission Act, the Federal Consumer Protection Act, and other federal consumer protection statutes. . . ." 940 CMR § 3.16(3)-(4) (1999); see also PMP Associates, Inc. v. Globe Newspaper Co., 366 Mass. 593, 596 (1975) (approving and applying other, less specific factors that the FTC also uses to discern unfairness). Violations of these prevailing societal norms form the essence of liability under Chapter 93A.
Even where a specific statute or regulation is not violated the court should discover and make explicit "those unexpressed standards of fair dealing which the conscience of the community may progressively develop." Commonwealth v. DeCotis, 366 Mass. 234, 242 (1974) (citations omitted).
The court is persuaded and finds and rules that obtaining private financial information by pretext for the re-sale to others in the circumstances found here constitutes unfair and deceptive acts in trade or commerce. This finding and ruling is consistent with the views of the FTC. See, In the Matter of Touch Tone Information, Inc. No. 982-3619, http://www.ftc.gov/os/1999/9904/majoritystatement.htm; Prepared Statement of the FTC, "Obtaining Confidential Financial Information by Pretexting," U.S. House of Representatives Committee on Banking and Financial Services, July 28, 1998.
The conduct of the defendants also clashes with the norms established by the Fair Credit Reporting Act ("FCRA") 15 U.S.C. § 1681, et. seq. Under that Act a consumer reporting agency may only furnish a consumer report for limited "permissible purposes," such as in response to a court order, a request of the consumer, or in certain situations related to a credit transaction with the consumer, employment purposes, underwriting of insurance, eligibility for certain licenses, or certain other "legitimate business need[s]." 15 U.S.C. § 1681b. A person may not knowingly and willfully obtain a consumer report under false pretenses, nor obtain a credit report for an impermissible purpose. Civil and criminal sanctions apply to an "agency or user of information which wilfully fails to comply with any requirement" under FCRA. 15 U.S.C. § 1681b. See, also, 15 U.S.C. § 1681q. Massachusetts law closely tracks FCRA. G.L.c. 93, § 50, et. seq.
FCRA was amended, effective September 30, 1997, and additional restrictions on the use of credit reports were imposed. The FCRA provisions discussed here were those in effect at the time of the defendants' conduct.
Obtaining a consumer report for an impermissible purpose under the FCRA, without disclosing that impermissible purpose, constitutes obtaining the report under false pretenses. Ali v. Vikar Management Ltd., 994 F. Supp. 492, 498 (S.D.N.Y. 1998). In their bank searches, the defendants repeatedly used credit reports for the purpose of developing additional private financial information about consumers, where the defendants had no knowledge of the reason for or purpose of the search. This is not a permissible purpose under FCRA.
By falsely representing to Equifax that credit reports would be used only in connection with credit transactions involving the consumer, Easton falsely stated his purpose for using credit reports, and by obtaining credit reports to use for obtaining additional private financial information in order to sell such information to others, the defendants violated 15 U.S.C. § 1681b, 15 U.S.C. § 1681q and G.L.c. 93, § 50, et. seq.
Even assuming the defendants could show that in some cases the consumers' information was provided to attorneys for use in litigation, the defendants' use of consumer credit reports violated FCRA. Duncan v. Handmaker, 149 F.3d 424 (6th Cir. 1998) (attorney use of credit report in litigation not permissible purpose); Bakker v. McKinnon, 152 F.3d 1007 (8th Cir. 1998) (same); Mone v. Dranow, 945 F.2d 306 (9th Cir. 1991) (same). cf. Korotki v. Attorney Services Corporation, Inc., 931 F. Supp. 1269 (D. Md. 1996) (undisputed debt and credit transaction distinguished from Mone). In any event they did not so demonstrate in this case.
Similar norms are established under G.L.c. 167B, § 16, under which no person may "disclose information regarding any account or electronic fund transfer to any person," except under certain limited circumstances, such as with the consent of the consumer or pursuant to a lawful subpoena. Chapter 167B defines "account" as "demand deposit, negotiable withdrawal order account, savings deposit, share account or other consumer asset account . . . established primarily for personal, family or household purposes, but such term does not include an account held by a financial institution pursuant to a bona fide trust agreement." Defendants' sale of the private account information to its clients constitutes a disclosure of "information regarding any account or electronic fund transfer to any person" under G.L.c. 167B, § 16.
Section 16 contains nine exceptions to the prohibition of the disclosure of account information or electronic fund transfer information, none of which applies to defendant's conduct.
Other norms are established by our common law and statutory protections protecting individuals against unreasonable invasions of privacy. Because of the private nature of the financial information, and the fraudulent conduct used to obtain it, defendants have caused an unreasonable, substantial, or serious interference with the privacy of the account holders, in violation of G.L.c. 214, § 1B.
Defendant knew while he was dealing with Amaral and Davis that his actions were unlawful and unfair and deceptive acts or practices. In particular he had a copy of the complaint of the Commonwealth against Bearak and shared it with Amaral. He falsely assured Amaral that he was not using the methods which it has been proven he was using. These false assurances are evidence that he was aware of the illegal nature of his activities, and the court so finds.
No defenses are asserted by defendants that they do not have sufficient contacts with Massachusetts to justify the assertion of jurisdiction by our courts, nor would such defenses be successful. The actions of the defendants had a substantial impact on residents of the Commonwealth of Massachusetts, even though the conduct of the defendants originated outside of Massachusetts. A substantial number of the persons who were targets of investigation by Amaral and Davis were Massachusetts residents. A substantial number of defendant's deceptive inquiries were to banks in Massachusetts, wherein resided the private financial information of the Massachusetts targets of the defendant's inquiries.
The language of G.L.c. 93A, § 11 limiting claims under section 11 to actions or transactions occurring "primarily and substantially within the commonwealth" is not directly applicable to this enforcement action by the attorney general, which falls under section 4, which contains no such language.
Although individuals in Massachusetts did not lose money or property, this is not an action to recover damages on their behalf. Rather, it is an enforcement action in the public interest under G.L.c. 93A, § 4. The requirements of G.L.c. 93A, § 9 that a consumer seeking damages must show that he has been "injured" are not implicated. In any event, if proof of "injury" is required the court is satisfied that the individual consumers who testified in this case and who learned that their private financial information had been obtained by surreptitious means and sold have been injured in the sense required by section 9.
Defendants' Requests for Findings of Fact and Rulings of Law
The court notes as follows in response to those requests for findings of fact of the defendants which have not specifically been the subject of the foregoing findings and rulings: It is irrelevant whether or not the private financial information provided was true and accurate. It is also irrelevant that others in the information brokerage business may use similar tactics to obtain private information. Furthermore it is not relevant that the defendants had no dealings with individual consumers.
As to defendants' requests for rulings of law the court notes as follows:
"Defendants' Proposed Rulings of Law
Count I — G.L.c. 93A
1. The Attorney General has not promulgated any regulations regarding the business of the defendants."
Denied as irrelevant.
"2. There is no current Massachusetts laws regulating the business of the defendants."
"3. The defendants have not violated any law in the conduct of their business."
"4. The defendants have not committed unfair or deceptive acts or practices in the conduct of their business within the meaning of G.L.c. 93A."
"5. The defendants did not know nor should they have known that any method, act or practice employed was a violation of G.L.c. 93A, § 2 and, therefore, cannot be subject to civil penalties under G.L.c. 93A, § 4 and cannot be required to pay the reasonable costs of investigation and litigation."
"Count II — G.L.c. 214, § 1B
6. The Attorney General has no standing or authority to bring an action under G.L. 214, § 1B."
Denied as irrelevant.
"7. The right of privacy recognized and conferred by statute under G.L.c. 214, § 1B is a personal right of an individual and the cause of action created by the statute to enforce such right and award damages may be maintained only by the individual."
Denied as irrelevant.
"8. The right to privacy statute, G.L.c. 214, § 1B does not give the Attorney General authority to bring a cause of action under the statute."
Denied as irrelevant.
"9. Count II alleging violation of G.L.c. 214, § 1B is, therefore, dismissed as a matter of law."
"10. Furthermore, a bank customer has no expectation of privacy in the contents of checks, deposit slips and other banking documents. United States v. Miller, 425 U.S. 435, 442 (1975)."
Denied as irrelevant.
"11. Bank records are instruments of commercial transactions and are the business records of the bank rather than a bank customer's private records or information. Miller, 425 U.S. at 440."
Denied as irrelevant.
"12. A bank customer has no inherent right to assert either ownership, possession, or control over the release of a bank's records of his transactions. Id.; Clayton Brokerage Co., Inc. v. Clement, 87 F.R.D. 569, 571 (1980)."
Denied as irrelevant.
"13. No Massachusetts court has recognized an expectation of privacy in financial records."
Denied as irrelevant.
"Count III — G.L.c. 167B
"14. G.L.c. 167B, § 22 authorizes the Attorney General, at the request of the commissioner of banks to bring an action for injunctive relief in the name of the Commonwealth against a person in violation of the chapter."
Denied as irrelevant.
"15. The statute provides a civil penalty for violation of the terms of an injunction or other order issued but not for violation of the statute itself. The statute does not provide for any other civil remedy either personal or through the Attorney General."
Denied as irrelevant.
"16. Count III does not allege a violation of an injunction or order issued pursuant to G.L.c. 167B, therefore a civil penalty may not be assessed."
Denied as irrelevant.
"17. Furthermore, the Commonwealth has not shown by a preponderance of credible evidence that the defendants violated the statute."
Easton knew or should have known that obtaining private financial information by conduct including the unauthorized review of consumer credit reports and false statements to financial institutions and others, and the sale of the private financial information, violated G.L.c. 93A. Accordingly, Easton and Source One Associates, Inc. are liable for payment to the Commonwealth of civil penalties, and its costs of investigation, including attorneys fees. G.L.c. 93A, § 4.
2. Each transaction in which the defendants sold the private financial information of others constitutes at least one separate violation of G.L.c. 93A, § 2 because each instance involved the unfair sale of private financial information and/or deceptive conduct to obtain such information. The Court may impose a separate civil penalty for each such separate violation. G.L.c. 93A, § 4; Commonwealth v. Fall River Motor Sales, Inc., 409 Mass. 302, 313-314 (1991); Commonwealth v. Am-Can Enterprises, Inc., Appeals Court No. 97-P-476 (July 21, 1999).
3. A review of the evidence leads the court to conclude that Source One and Easton committed at least 1,000 separate sales of information to Amaral and Davis which would justify the imposition of a maximum civil penalty of $5,000,000 at $5,000 per violation.
4. In deciding on an appropriate civil penalty the court takes into consideration the bad faith of the defendant, the injury to the public, the defendant's ability to pay, the benefits derived by the defendant and the necessity to vindicate the authority of the Commonwealth. Commonwealth v. Fall River Motor Sales, 409 Mass. 302, 311 (1991). Here there is ample evidence that the defendant consciously knew he was acting in bad faith in obtaining the information by deceit that he sold to others. The injury to the public was severe. In an age of computer databases and electronic retrieval of sensitive information the public is justly concerned that the privacy of personal information be protected. The public should be able to have confidence that personal information remain private. Although damage to any individual may not be quantifiable with precision that damage was real and substantial.
The defendant was in business for a profit. Defendants presented no evidence of any inability to pay an appropriate penalty. He collected at least $43,350 from Amaral in revenue. He had no documents at the time of his deposition of any consequence relating to his business which leads the court to infer that documents reflecting his operations were either destroyed or not kept.
A substantial civil penalty is also warranted to vindicate the authority of the Commonwealth. The kind of injury done in this case to individuals is not likely to be vindicated by individual claims. A penalty paid to the Commonwealth vindicates the role and authority of the Commonwealth to protect the public in cases of this kind.
Accordingly, taking all the foregoing factors into consideration the court concludes that a civil penalty in the amount of $500,000 should be imposed on the defendants, jointly and severally, in this case.
The Commonwealth is to submit affidavits within 14 days of the date hereof showing and supporting the reasonable costs of investigation and litigation of this violation, including reasonable attorneys fees, with service on counsel for the defendants. The clerk will schedule a hearing relating to the award of such costs and fees.
The preliminary injunction now in force shall be entered as a final injunction.
By the Court
____________________ Gordon L. Doerfer, J