*1003 Floyd W. Bybee, Floyd W. Bybee PLLC, Michael Carey Shaw, Michael C. Shaw PLLC, Richard Anthony Dillenburg, Richard A. Dillenburg PC, Tempe, AZ, for Plaintiff.

Andi Kendrick Wang, Jones Day, Los Angeles, CA, Timothy Joel Eckstein, Osborn Maledon PA, Phoenix, AZ, for Defendants.

ORDER

JORGENSON, District Judge.

Pending before the Court is Defendant's Motion for Summary Judgment. For the reasons stated below, the motion is denied.

I. Standard of Review

Summary judgment is appropriate where "there is no genuine issue as to any material fact." Fed.R.Civ.P. 56(c). A genuine issue exists if "the evidence is such that a reasonable jury could return a verdict for the nonmoving party," and material facts are those "that might affect the outcome of the suit under the governing law." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). A fact is "material" if, under the applicable substantive law, it is "essential to the proper disposition of the claim." Id. An issue of fact is "genuine" if "there is sufficient evidence on each side so that a rational trier of fact could resolve the issue either way." Id. Thus, the "mere scintilla of evidence" in support of the nonmoving party's claim is insufficient to survive summary judgment. Id. at 252, 106 S.Ct. 2505. However, in evaluating a motion for summary judgment, "the evidence *1004 of the nonmoving party is to be believed, and all justifiable inferences are to be drawn in his favor." Id. at 255, 106 S.Ct. 2505. Further, a court must "not weigh the evidence[, make credibility determinations,] or determine the truth of the matter" at the summary judgment stage, but may only determine whether there is a genuine issue for trial. Abdul-Jabbar v. General Motors Corp., 85 F.3d 407, 410 (9th Cir.1996); Balint v. Carson City, Nevada, 180 F.3d 1047, 1054 (9th Cir.1999); see also Self-Realization Fellowship Church v. Ananda Church of Self-Realization, 206 F.3d 1322, 1328 (9th Cir. 2000) (recognizing that on a motion for summary judgment, "a district court is entitled neither to assess the weight of the conflicting evidence nor to make credibility determinations").

II. Factual Background

A. Overview

In 2001, the state of Arizona prosecuted an individual for molesting the daughter of Plaintiff Christopher Centuori ("Centuori"). The state called him to testify as an eyewitness to the crime. Attorneys from the Pima County Public Defender ("Public Defender") obtained Centuori's credit report in an attempt to impeach his credibility on the theory that his poor credit history created a financial motive to testify against the criminal defendant (who was later convicted).

In January 2004, Centuori filed suit against Experian, the Public Defender, Merchants Information Solutions. Inc. ("MIS") and various individuals alleging they violated the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq. Centuori alleges the Public Defender willfully violated the FCRA when it obtained his credit report, and that the credit agencies failed to comply with the FCRA when they willfully and/or negligently provided the Public Defender with Plaintiffs credit report.^[1] Before the Court is defendant Experian's Motion for Summary Judgment on Counts One and Two^[2] of the First Amended Complaint.

B. Background

On June 26, 1987, TRW, Inc. (Experian's predecessor) and Credit Data Southwest ("CDS") (MIS' predecessor) entered into an agreement allowing CDS to store its records of Arizona consumers in TRW's database of consumer credit records.^[3] Customers of MIS would obtain those credit histories by accessing Experian's database. MIS certified to Experian that it would conduct its business in strict accordance with all state and federal laws, including the FCRA. Experian required MIS to investigate prospective subscribers to ensure they met specific compliance requirements; it also supplied MIS with news on changes in the law, offered training, and invited MIS's representatives to conferences.

In 1998, MIS entered into an agreement with the Public Defender to supply credit histories. The Public Defender signed a "Permissible Purpose Certificate," which listed the permissible and impermissible purposes^[4] to access a credit history under *1005 the FCRA. Neither MIS nor the Public Defender forwarded the application or resulting agreement to Experian. MIS billed the Public Defender for services, although Experian provided MIS with details on the Public Defender's access to Experian's database.

C. The Public Defender Obtains Direct Internet Access to Experian's Database

Until 2001, the Public Defender could access Experian's database only through a dial-up computer connected to MIS, or by faxing or telephoning MIS with its request.^[5] However, in 2001, Experian decided to offer MIS customers direct Internet access to its database of more than 200 million consumer credit histories, which included the records of Arizona consumers. Offering Internet access to MIS' customers (and others) would increase profits for Experian, and allow it to expand its market. Switching from phone lines to the Internet would cut costs of five to seven cents per minute, which in the aggregate would save Experian millions of dollars. The new Internet interface would be more user-friendly, and allow Experian to spend less on customer training.

By granting direct Internet access to the database it exclusively controlled, Experian believed that a specific contractual relationship would be created between Experian and the Public Defender. Therefore, Experian's internal policies dictated it would need to obtain a three-way agreement between the Public Defender, MIS and Experian. Experian policy states that, "A fundamental aspect of enabling access to Experian's data is to ensure that access requests are properly validated and authorized before access is provided." Debra Allen, Experian's manager of the Security Administration Group ("SAG"), stated in a deposition that it was her office's "responsibility to grant the access [to customers such as the Public Defender] and to monitor the activities." Experian itself required the Public Defender to assert that it "acknowledges and agrees that it is responsible for all activities of Subscriber's employees in utilizing Internet access," and Experian retained the right to grant or revoke access at "its sole discretion." Because Experian was now actively providing the Public Defender access to its database of consumer credit histories, Experian included a clause that provided indemnity to Experian by the Public Defender. Finally, Experian's application form, completed by the Public Defender, stated that Experian "is responsible for processing all requests to establish Internet access accounts for Subscribers through Experian's existing E-Commerce applications."

Experian has a policy against allowing "private investigators" or attorneys (other than those involved in debt collection) to access its credit history reports because of a "high risk" that they would access credit reports for impermissible purposes. However, Experian generally would not screen applications for direct Internet access for permissible purpose, though the staff knew it should raise a flag if an application came from a "private investigator." Karl A. Lasky of the Public Defender's office returned the signed application forms to Experian. On each form, he identified the "Company Name" as "Pima County Public Defender" and his job title as "Chief Criminal Investigator." Plaintiffs expert stated *1006 the applicant's job title and employer name should have been sufficient notice that there was no permissible purpose to access credit records, and an indicator that Experian should have conducted an indepth investigation.^[6] Experian issued the unique user ID and password to Lasky of the Public Defender's office.

At the time the Public Defender submitted its application, Experian had assigned only two employees to process about 200 Internet access applications per day. These two employees had only high school diplomas, were not trained in the definition of "permissible purpose" under the FCRA, and were not required to review application forms for signs that an applicant might be seeking to access credit reports for impermissible purposes. Furthermore, Experian did not attempt to independently verify that any customer, including the Public Defender, had a permissible purpose to obtain consumer credit reports, relying only on the verification it assumed that MIS had previously conducted. Essentially, Experian's primary independent effort to verify that applicants would be accessing credit histories for a permissible purpose was to cross-reference the applicant with a list of names previously approved by MIS. Experian did audit MIS twice — in 1993 and 1998 — but did not review each application approved by MIS over the years.

D. The Public Defender's Alleged Impermissible Access of Plaintiffs Credit History

On January 9, 2002 and August 6, 2002, the Public Defender accessed Experian's consumer credit database through the Experian website to obtain a full credit report on Plaintiff.^[7] The Public Defender said it obtained the report on January 9th for "Collection Purposes," and on August 6th as a "Government Fee for Service," both of which are facially proper purposes under the FCRA, 15 U.S.C. § 1681b. Even though the invoice for these services were prepared by MIS, Experian directly provided Plaintiffs credit report to the Public Defender through its Internet database based on Experian's prior approval of the Public Defender's application.

In 2002, Plaintiff learned that the Public Defender had obtained his credit history when prior to the criminal trial, he was interviewed by an investigator and an attorney from the Public Defender regarding his credit history. During the criminal trial, the Public Defender questioned Plaintiff about his finances. On September 25, 2002, MIS asked the Public Defender to explain why it had requested and how it had used Plaintiffs credit report.^[8] Lasky wrote back on October 2, 2002, stating that it had obtained Plaintiffs credit report because his weak financial status "may have been a motivating factor driving *1007 the victim's family to support prosecution of our client." MIS did not investigate the incident further, and it did not suspend or terminate the services of the Public Defender. Experian was unaware the Public Defender had accessed Plaintiffs credit history for an impermissible purpose until it was served with this lawsuit.

Plaintiff is seeking emotional distress damages caused by Experian's willful and/or negligent failure to properly screen the Public Defender's access to its database. Plaintiff emphasized in his deposition that confronting the disclosure of his credit report was a major distraction and forced him to be "on the defensive ... during a time period I needed to be strong for my family," especially his daughter, and it "sapped me of resources for various, various reasons and it made me less effective in dealing with the most important matter at hand, which was to provide emotional support and strength to my family." He also testified that dealing with the disclosure of his credit history negatively affected his relationship with his children, and that he worried that his confidential information would fall into the hands of a member of the criminal defendant's family who had been convicted of identity theft. When the Public Defender aired its theory that Plaintiff had fabricated the allegation of his daughter's molestation to obtain money from the criminal defendant, he felt high levels of stress. However, Plaintiff never discussed the access to his credit report with his psychological counselor.

III. Discussion

A. Liability

In enacting the FCRA, Congress set a high standard of behavior for credit reporting agencies to follow because "[t]here is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy." 15 U.S.C. § 1681(a)(4) (emphasis added). Plaintiff alleges that Experian willfully and/or negligently failed to comply with the FCRA, 15 U.S.C. §§ 1681n and 1681o, when it granted the Public Defender direct Internet access to its credit history database for an impermissible purpose. If Experian "knowingly and intentionally perform[ed] an act that violate[d] the FCRA, either knowing that the action violate[d] the rights of consumers or in reckless disregard of those rights," it is liable under 15 U.S.C. § 1681n for willfully violating Plaintiff's rights. Reynolds v. Hartford Financial Services Group, Inc., 435 F.3d 1081, 1099 (9th Cir.2006). Mere negligence is not willful. Id. at 1097. Furthermore, Experian is not liable if "it has diligently and in good faith attempted to fulfill its statutory obligations." Id. at 1099.

Experian argues it is entitled to summary judgment because evidence of the procedures in place regulating MIS' granting of access to customers such as the Public Defender forecloses the possibility of a jury concluding that Experian acted willfully, recklessly and/or negligently. However, the "reasonableness of the procedures [implemented under the FORA] and whether the agency followed them will be jury questions in the overwhelming majority of cases." Guimond v. Trans Union Credit Information Co., 45 F.3d 1329, 1333 (9th Cir.1995). Therefore, summary judgment is inappropriate on the theory that Experian's procedures were reasonable.

Experian's own policies explained the importance of establishing a direct relationship with a customer before offering direct Internet access to its credit history database, stating that a "fundamental aspect of enabling access to Experian's data is to ensure that access requests are properly *1008 validated and authorized before access is provided." In deciding whether to grant Internet access directly to MIS' customers, Experian merely assumed that MIS' prior screening was adequate to conclude the Public Defender would only access its credit reports for permissible purposes. However, relying on another source to conduct verification, as Experian did in considering the Public Defender's Internet access application, is not sufficient as a matter of law to avoid liability under the FCRA. "[T]he caselaw is clear that a reporting agency does not act reasonably under the FCRA by deferring entirely to another source of information. The grave responsibility imposed by [the FCRA] must consist of something more than merely parroting information received from other sources." Soghomonian v. United States, 278 F.Supp.2d 1151, 1156 (E.D.Cal. July 29, 2003), citing Cushman v. Trans Union Corp., 115 F.3d 220, 225 (3d Cir.1997) (internal quotations omitted). Whether Experian's deferral to MIS' previous application screening of the Public Defender gave Experian reasonable grounds for believing that credit reports would be used only for permissible purposes is genuinely in dispute. Thus, summary judgment is inappropriate.

Furthermore, that at least some Experian staff were aware of the risk of granting access to investigators or attorneys is evidence that Experian understood it had a responsibility to assess applications independently, and not simply rely on MIS's previous screening. Indeed, that Experian acknowledged in its policies and documents that it was establishing an independent relationship by granting Internet access to the Public Defender is evidence of the unreasonableness of relying on MIS's previous screening. Establishing such an independent relationship would be meaningless if Experian did not independently review applications; otherwise, it could simply have notified MIS that it could offer this new service under the exact terms as it had previously. However, new terms, albeit similar ones, were required in Experian's view. A jury could consider evidence of Experian's belief that it needed to establish a specific contractual relationship with the Public Defender along with evidence of Experian's apparent failure to screen the Public Defender's application for permissible purpose, and decide that Experian willfully violated Plaintiff's rights under the FCRA.

When customers began accessing Experian's database directly over the Internet, Experian saved significant amounts of money by eliminating phone line and training costs. Had Experian conducted rigorous screening, the cost of adding and training staff might have cut into its profits, a financial motive a jury could consider in assessing whether Experian willfully violated the FCRA. Furthermore, when customers previously requested credit histories by phone or fax, MIS staff would individually review the request, and each time there was the potential of recognizing that the Public Defender's request was coming from an investigator at an attorney's office, and thus that there was a "high risk" that the request was being made for an impermissible purpose. However, when Experian began distributing credit reports through an automated Internet protocol, the requests would no longer be reviewed by a person. Given the elimination of this human failsafe, a reasonable jury could conclude that Experian had a heightened responsibility to review applications and that relying on MIS' previous approval process — one that would have allowed occasional request reviews by people — was reckless or negligent.

Despite its "grave responsibility" to protect consumer privacy, Experian did not train, instruct or expect its staff to review the applications for even facial signs of impermissible use, even though the forms *1009 reviewed contained listings for the name of the agency seeking access and the job title of the specific person seeking database access — clear and specific warning signals that something was amiss and that an investigation was needed. Indeed, Experian's own policies specifically prohibit granting access to private investigators or attorneys not engaged in collection work because of the "high risk" that they would violate the FCRA. Yet, the application forms in question were clearly marked as coming from the "chief criminal investigator" (which a jury could reasonably understand to be a "private investigator," per Experian's policy) working for the "Pima County Public Defender" (which is clearly an attorney's office unlikely to be involved in collections). Nonetheless, even though Experian staff knew they should raise a flag when applications arrived from private investigators, it failed to do so in this case.

Given that Experian assigned only two staff members — neither of whom had more than a high school education or any training on permissible purposes under the FCRA — to review 200 applications per day, a jury could conclude that Experian acted recklessly by failing to grant its staff sufficient time to carefully review the applications in accordance with its grave responsibility to uphold the rights of consumers. A jury could further conclude that Experian was therefore reckless. See Reynolds at 1099 ("A company will not have acted in reckless disregard of a consumer's rights if it has diligently and in good faith attempted to fulfill its statutory obligations ...").

Experian argues that even if it had been monitoring the Public Defender's access, it would still not be liable because the Public Defender offered a facially permissible explanation when it requested and received Plaintiffs credit history. Experian cites Greenhouse v. TRW, Inc., 1998 WL 61037, at *2, 1998 U.S. Dist. LEXIS 1973, at *7 (E.D.La. Feb. 12, 1998), for the proposition that if a "consumer reporting agency has reason to believe that the user had a permissible purpose in obtaining [a credit report], there is no FCRA violation." However, in Greenhouse, there was no evidence that the entity requesting the report was doing so for an impermissible purpose; here, there is evidence that Experian negligently and/or willfully failed to comply with the FCRA because it has a policy against granting access to attorneys and investigators, along with Plaintiffs expert who testified an application from an attorney or investigator should have triggered an investigation. Because Experian approved the Public Defender's application for direct Internet access to its credit history database, despite the fact that a criminal investigator with a public defender's office would ostensibly have no permissible purpose to access credit reports, a jury could conclude that Experian acted recklessly.

Furthermore, there is sufficient evidence that Experian acted recklessly by devoting so few resources to reviewing applications, hiring underqualified staff, and failing to train them in the "grave responsibilities" of the FCRA. See Levine v. World Financial Network National Bank, 437 F.3d 1118, 1121 (11th Cir.2006) (rejecting contention that a credit reporting agency's duty is only to assure that credit report requests are made for a facially permissible purpose "notwithstanding any reasonable grounds to believe that the request is instead made for an impermissible purpose"). Furthermore, as there is sufficient evidence to allow a jury to conclude that Experian acted recklessly, there obviously is sufficient evidence that it also acted negligently.^[9]

*1010 B. Damages

If Defendant is found to have violated 15 U.S.C. § 16810 (negligent failure), it will be liable to Plaintiff for: (i) actual damages and (ii) costs of the action and attorney's fees. If Defendant is found to have violated § 1681 n (willful or reckless failure), it would be liable for: (i) actual damages, or damages not less than $100 and not more than $1,000, for each violation; (ii) punitive damages; and (iii) costs of the action and attorney's fees.

Plaintiff claims damages stemming from emotional distress caused by Experian's willful or negligent failure to properly screen the Public Defender's application for access to its credit history database, leading to the Public Defender's impermissible access of Plaintiff's credit history. Plaintiff is also seeking punitive damages under the claim that Experian willfully violated the FCRA. To survive summary judgment on an emotional distress claim under the FCRA, Plaintiff must "submit evidence that reasonably and sufficiently explains the circumstances of his injury and does not resort to mere conclusory statements." McKeown v. Sears Roebuck & Co., 335 F.Supp.2d 917, 932 (W.D.Wis.2004) (internal citations and quotations omitted) (holding that plaintiff submitted sufficient evidence of emotional distress to survive summary judgment). Furthermore, "a plaintiff must support a claim for damages based on emotional distress with something more than his or her own conclusory allegations." Myers v. Bennett Law Offices, 238 F.Supp.2d 1196 (D.Nev.2002) (holding plaintiff's conclusory statements in affidavits to be insufficient as a matter of law to support an award for emotional distress), citing Cousin v. Trans Union Corp., 246 F.3d 359, 371 (5th Cir. 2001). Here, Plaintiff does not merely state his emotional distress injury in conclusory terms, but instead offers sufficient evidence of the entire context in which the disclosure occurred, what the emotional injuries were, and how they were caused by the disclosure.

Defendant argues Plaintiff cannot show that Experian is liable for damages allegedly suffered in this case. Plaintiff did not suffer a denial of credit, a lowering of his credit score, or a financial loss because of the improper access of his credit report, but these are not prerequisites for recovering emotional distress damages under 15 U.S.C. §§ 1681 n or 1681o. Guimond v. Trans Union Credit Information Co., 45 F.3d 1329, 1333 (9th Cir.1995); see also Myers v. Bennett Law Offices, 238 F.3d 1068, 1074 (9th Cir.2000) (holding that violations of FCRA "are akin to invasion of *1011 privacy cases," in which the "primary damage is the mental distress from having been exposed to public view."). As such, even accepting Defendant's argument as true on this issue, Plaintiff's FCRA claim for emotional distress survives summary judgment.

Defendant also argues that whatever harm Plaintiff suffered was caused either by witnessing his daughter's molestation, or by the Public Defender's promoting the argument that he had a financial motive to accuse the criminal defendant. However, there is sufficient evidence in the record suggesting that Plaintiff suffered emotional distress, which was caused, at least in part, by Experian's willful and/or negligent failure to adequately review the Public Defender's 2001 application for direct Internet access to Experian's database. For example, Plaintiff testified that the divulgence of his credit history "sapped me of resources for various, various reasons and it made me less effective in dealing with the most important matter at hand, which was to provide emotional support and strength to my family." He testified that the credit disclosure negatively affected his relationship with his children, and he was worried that his credit history might fall into the hands of a member of the criminal defendant's family who had been convicted of identity theft. The disclosure and resultant allegation of an improper financial motive to testify against the criminal defendant created high levels of stress. Although it was the Public Defender, and not Experian, that made the allegation about Plaintiff, a jury could conclude that this allegation would never have been made had the initial credit disclosure not been made.^[10]

Experian also argues that Plaintiff cannot collect punitive damages — to which he would be entitled if he shows a willful violation under § 1681n — because he stated during his deposition that "I don't believe [Experian is] intentionally trying to harm me." However, the statutory requirement of willfulness does not require proof of an intent to cause harm, but only an intent to fail to comply with the FCRA. See § 1681n(a) ("Any person who willfully fails to comply with any requirement imposed under [the FCRA] with respect to a consumer is liable to that consumer ..."). Furthermore, under § 1681n, Experian will be liable even if it did not "intentionally" violate the FCRA, but only did so recklessly. Reynolds at 1099.

Defendant's Motion for Summary Judgment on the issue of damages is denied.

IV. Conclusion

Accordingly, IT IS HEREBY ODERED as follows:

(1) Defendant's Motion for Summary Judgment is denied.

(2) The parties shall file a Joint Proposed Pretrial Order and any Motions in Linville within 30 days of the filing date of this Order. See Scheduling Order.

(3) Alternatively, if the parties so choose, they may engage in a settlement conference with a Magistrate Judge at no cost to the parties. If the parties choose this option, they should contact the Court which can set up the conference and stay the remaining deadlines.

NOTES

[1] Experian is the only remaining Defendant in this case because Plaintiff previously reached settlements with the other Defendants.

[2] Although the First Amended Complaint contains three counts, only Counts One and Two apply to Experian.

[3] The parties henceforth will be referred to by their present names.

[4] Under the FCRA, permissible purposes to access a credit report include: use in connection with a credit transaction; considering or evaluating employment; insurance underwriting; or an assessment of credit risk. 15 U.S.C. § 1681b(3).

[5] Requesting data from MIS by telephone or fax would require the completion of a form or a discussion with a service representative, which would provide another opportunity for a person at MIS to screen the Public Defender's request for permissible purpose, at least facially. The record is unclear on the extent to which the dial-up computer worked like a private Internet connection, and did not require any human interaction.

[6] Defendant objects to this expert testimony because, it argues, the expert's testimony is conclusory, unsupported, and otherwise inadmissible under Fed.R.Civ.P. 702. As indicated in its "Objections to Evidence," Defendant intends to file a comprehensive motion in limine to exclude this expert at trial. Defendant's objection is denied as moot because even without evidence from Plaintiff's expert, there is clearly other admissible evidence creating material issues of fact such that summary judgment must be denied. Further, the Court notes that contrary to Defendant's assertions, it preliminarily appears that Plaintiff's expert has a wealth of expertise in the area of credit reporting and would therefore be permitted to offer an expert opinion on the relevant issues.

[7] There is some indication that the Public Defender accessed Plaintiff's credit history a third time on an unspecified date in January 2002, but that is immaterial to the resolution of the Motion for Summary Judgment.

[8] The record is not clear on why MIS sought this explanation.

[9] In their pleadings regarding the Motion for Summary Judgment, the parties discussed at length the applicability of Wilson v. Sessoms, 1998 U.S. DIST LEXIS 8154 (M.D.N.C. Mar. 16, 1998). In Sessoms, which is not controlling, the district court granted summary judgment to the defendant credit agencies because there was insufficient evidence that Defendants were negligent. The credit agencies' customer was not a public defender, but rather a "skip-tracer," i.e., a private agent hired to locate consumers who had "skipped" on their loans; it is permissible under the FCRA to access credit reports for this purpose. The court held that as a matter of law Defendants could not be negligent because they had no reason to believe that the "skip-tracer" was involved in accessing credit reports for impermissible purposes. The instant case is distinguishable. This is not a case where there is no evidence that Experian should have had any reason to believe that the Public Defender was accessing credit reports for an impermissible purpose. Rather, there is evidence that the applications came from a criminal investigator working for a criminal attorney, which should have given Experian sufficient notice that the Public Defender might be intending to engage in impermissible activities. Experian's argument that it was not negligent as a matter of law because of its oversight of MIS is inapposite. The question, instead, is whether Experian itself was negligent when it failed to properly screen the Public Defender's application after establishing the new relationship to grant Internet access.

[10] Defendant notes that Plaintiff has been treated by a psychologist for the emotional distress suffered from watching his daughter's molestation, but that he never discussed with his counselor the access to his credit report. However, this is not dispositive that Plaintiff did not suffer the emotional distress he alleges.