Last week, the FTC announced a record-setting fine of $20m against Vivint Smart Home.  That announcement discussed how the FTC’s complaint alleged FCRA violations in that the company “improperly obtaining credit reports in order to qualify potential customers for financing for its smart home monitoring and security products. The FTC also alleged that Vivint violated the FTC’s Red Flags Rule by failing to implement an identity theft prevention program, which is required of certain companies that regularly use or obtain credit reports.”

In an FTC blog post from Leslie Fair,

There’s a certain irony in the FTC’s record-setting $20 million settlement with Vivint Smart Home, a national seller of smart home technology platforms, including security devices and monitoring services. One purpose of the company’s products is to help residents ensure that people at their front door are who they say they are. But according to the FTC, Vivint engaged in some identity deception of its own. For example, when a prospective customer couldn’t qualify for financing, the FTC says Vivint’s sales representatives found another person with a similar name and then qualified the customer using that person’s credit report. The complaint charges that Vivint violated the Fair Credit Reporting Act, the FTC Act, and the Red Flags Rule.

When Andrew Smith, the then-head of the FTC’s BCP spoke at CDIA’s annual law and industry conference last summer, he mentioned how the FTC would be taking a deeper look at Red Flags Rules violations.  This case is the realization of his comment.

Interestingly, Commissioner (and Bureau director-designate) Chopra wrote separately for several reasons.  Among them was this comment:

The FTC is currently battling its most serious credibility crisis in decades. Too many of the agency’s enforcement actions provide no help whatsoever and do nothing to deter misconduct. This action is a step in the right direction, as victims will actually receive help.

Across the agency’s work, Commissioners must do more to address the financial incentives that fuel wrongdoing, particularly when it comes to misuse and abuse of personal data. The Commission’s status quo approach to data protection enforcement is not working, and Commissioners will need to continuously examine ways to work with partners to better detect, deter, and prevent abuse by bad actors.