
    Andrew S. ROGERS, Plaintiff, v. KEFFER, INC., d/b/a Keffer Chrysler Jeep Dodge, SunTrust Bank, JPMorgan Chase Bank, National Association d/b/a Chase, Equifax Information Services, LLC, Experian Information Solutions, Inc., and Trans Union, LLC, Defendants.
    No. 5:16-CV-671-D
    United States District Court, E.D. North Carolina, Western Division.
    Signed 03/17/2017
    
      Joseph Z. Frost, Matthew W. Buckmil-ler, Stubbs & Perdue, P.A., Raleigh, NC, for Plaintiff.
    Brian A. Kahn, Anita M. Foss, McGuire-Woods, LLP, Christopher P. Raab, Boyd Alexander Correll, Jr., Caudle & Spears, P.A., Charlotte, NC, Brian David Darer, Michael J. Crook, Parker, Poe, Adams <& Bernstein, LLP, Joseph W. Williford, Kelly Street Brown, Nathan D. Childs, Young, Moore & Henderson, P.A., Raleigh, NC, Kendall W. Carter, King & Spalding LLP, Atlanta, GA, Paul L. Myers, Strasbruger & Price, LLP, Frisco, TX, for Defendants.
   ORDER

JAMES C. DEVER III, Chief United States District Judge

On June 3, 2016, Andrew Stutfield Rogers (“Rogers” or “plaintiff’) filed this action in Wake County Superior Court against Keffer, Inc., d/b/a Keffer Chrysler Jeep Dodge (“Keffer”), SunTrust Bank (“SunTrust”), Elite Skippers, Inc., (“Elite Skippers”), JPMorgan Chase Bank, National Association d/b/a Chase (“Chase”), Equifax Information Services LLC (“Equi-fax”), Experian Information Solutions, Inc., (“Experian”), and Trans Union LLC (“Trans Union”) (collectively, “defendants”) [D.E. 1-3]. On July 13,2016, Chase removed the action to this court based on federal-question jurisdiction [D.E. 1]. On August 12, 2016, Chase moved to dismiss counts one, three, four, and six [D.E. 32] and filed a memorandum in support [D.E. 33]. On August 12, 2016, Keffer moved to dismiss counts one, two, three, and six [D.E. 35] and filed a memorandum in support [D.E. 36]. On September 16, 2016, Rogers responded in opposition to Chase’s motion to dismiss [D.E. 43]. On September 30, 2016, Rogers responded in opposition to Keffer’s motion to dismiss [D.E. 45], On October 3, 2016, Chase replied [D.E. 46]. On October 20, 2016, Keffer replied [D.E. 47]. As explained below, Chase’s motion to dismiss is granted in part and denied in part, and Keffer’s motion to dismiss is granted in part and denied in part.

I.

Rogers is a resident of Wake County, North Carolina, whose identity was stolen. See Compl. [D.E. 1-3] ¶¶ 30, 50-58, 79-82. Before November 30, 2015, Rogers’s credit score exceeded 800. Id. ¶¶ 50, 134. Keffer is a North Carolina corporation with its principal place of business in Charlotte, North Carolina, where it operates a car dealership. Id. ¶¶4, 33. Chase is a bank that operates throughout the United States, with headquarters in Columbus, Ohio. Id. ¶¶ 17-18.

On November 30, 2015, an unknown person claiming to be “Andrew L. Rogers” (“the identity thief’) entered Keffer’s car dealership and sought to purchase a 2015 Dodge Challenger. Id. ¶¶ 50-52. The identity thief used Rogers’s social security number, his date of birth, and a driver’s license for an “Andrew Leon Rogers” who resided at “239 Sunset Drive, Rock Hill, South Carolina, 29730.” Id. ¶¶ 53-56. No such address exists. IcL ¶ 57. Rogers has not lived in South Carolina since 1992 and has never resided in Rock Hill, South Carolina. Id. ¶¶ 72-73.

The identity thief presented this false information to Keffer’s employees, who did not verify its authenticity before using Rogers’s social security number to access his credit report from Equifax, Experian, or Trans Union (“the credit reporting agencies” or “the CRAs”). Id. ¶¶ 58-60. Keffer does not require purchasers to show a valid social security card before Keffer requests a credit report. Id. ¶ 66. At least one CRA “failed to properly verify the identity of the consumer on whose behalf the report was purportedly requested” and to verify that the report had been requested for a proper purpose. Id. ¶ 64.

Keffer disclosed the contents of Rogers’s credit reports to the identity thief. Id. ¶ 68. Keffer then used the social security number the identity thief had provided to initiate six hard inquiries into Rogers’s credit report. Id. ¶69. Having obtained Rogers’s credit information, Keffer then assisted the identity thief in obtaining a car loan with Chase. Id. ¶¶ 70-71. Rogers already had an account with Chase. H. at ¶ 75. Chase extended a $27,995.00 car loan based on the loan application the identity thief and Keffer submitted. Id. ¶ 76. Chase did not speak to Rogers before extending the loan “and unilaterally changed [Rogers’s] street address in its own system.” Id. ¶75. Chase reported the loan to the CRAs. Id. ¶ 78.

On December 10, 2015, the identity thief returned to Keffer to obtain a second car, a 2012 Chrysler 300. Id. ¶¶ 79-80. The identity thief used the same false information he had used to obtain the 2015 Dodge Challenger Id. ¶ 81. Keffer initiated multiple hard inquiries against Rogers’s credit report and assisted the identity thief in securing a car loan with SunTrust for $29,928.99. Id. ¶ 84.

Rogers alleges that Keffer failed to conduct a reasonable investigation into the identity of the person seeking a car loan and failed to notice or properly respond to inconsistencies in the identity thief s information: that the identity thief used a different middle name; that the identity thief used a non-existent home address; that the identity thief s loan application to Sun-Trust contained numerous inconsistencies with Rogers’s credit report; that the loan application listed a non-operational phone number for “Access to Healthcare”; that the identity thief s loan application did not include an email address, driver’s license number, or the issuing state of a driver’s license; that the identity thief did not show a social security card; and that the loan application was “so shockingly bare and lacking in supporting documentation that no reasonable person could conclude that the application was a sufficient basis on which to loan $28,000.00.” Id. ¶ 85.

On December 30, 2015, Rogers received an email from Chase about Rogers’s new car loan. Id ¶88. Rogers then realized that someone obtained a fraudulent loan in his name. Rogers initiated a fraud alert, set a security freeze with the CRAs, and filed a police report with the Charlotte-Mecklenburg Police Department. Id. ¶¶ 89-92. Rogers also notified Chase that he had not requested or authorized the loan and that his identity had been stolen. Id. ¶ 93. Rogers continued to notify Chase via at least seven phone calls between January 11 and January 28, 2016. Id. ¶ 94. Rogers “spent hours on hold being bounced around between various departments within” Chase’s phone system, “losing precious working and leisure hours.” Id. ¶95. Rogers also sent Chase letters and emails on unspecified dates. Id ¶ 96. Chase, however, did not correct the information Chase had reported to the CRAs about the loan and continued to report to the CRAs that the loan was Rogers’s. Id. ¶¶ 97-98.

On January 14, 2016, Rogers learned from Keffer employee Mike Streng (“Streng”) that a second loan had been taken out in his name. Id ¶¶ 99-101, 104. During this conversation, Rogers told Streng that he would ask a detective from the Charlotte-Meeklenburg Police Department about the second loan, to which Streng replied:

Yeah, but, but, do this just, just to protect me, cause I’m, cause right now he’s working very closely with me [pause] to try to get this figured out, just tell him, you know, you got a contact from Sun-Trust or something and now you found out there’s a second one.

Id. ¶ 102 (alteration in original). Streng’s reply “caused [Rogers] increased stress, anxiety, and fear, as it caused [Rogers] to question the integrity of ... Keffer, who had [Rogers’s] sensitive personal information at its mercy.” Id ¶ 106.

On January 19, 2016, Rogers contacted SunTrust about the loan issued in his name. Id ¶ 109. Although Rogers repeatedly contacted SunTrust and “spent hours on hold” trying to resolve the issue, “again losing precious working and leisure hours,” “SunTrust continues to report the loan to [the] CRAs.” Id. ¶¶ 111-13.

By letter dated January 25, 2016, and mailed to Rogers, Chase demanded that Rogers pay $407.40. Id. ¶¶ 154-56. By letter dated January 28, 2016, and mailed to Rogers, Chase demanded that Rogers pay $413.40. Id. ¶ 157

On April 22, 2016, at 9:02 am, Rogers received a voicemail saying:

Andrew-Rogers give me a call back as soon as possible this is investigator Doug Smith, I am doing the investigation in reference to a case that you have been accused of, please return call back at 7062213446, ... I really need to talk to you, uh, as soon as possible. Thank you.

Id. ¶¶ 116-17. Also on April 22, 2016, at 9:11 am and 9:14 am, Rogers received identical text messages saying “Call the investigator smith asap 7062213446 on missing vehicle you have been accused we are needing location immediately.” Id. ¶ 118. Rogers spoke to Doug Smith (“Smith”) later that day. Id. ¶¶ 119-20. During the conversation the following exchange occurred:

[Rogers]: What is your association with the dealership?
[Smith]: OK. They hire us as to locate your whereabouts in reference to the property that they have been trying to retrieve back...
[Rogers]: OK.
[Smith]: ... umm, such as we, such as like bounty hunters, or, or the third party company that is essentially trying to retrieve the property for them.

Id. ¶120 (alterations in original). Smith never stated that he worked for a “debt collector” or that he was trying to collect a “debt.” Id. ¶ 121. Also on April 22, 2016, Rogers called Keffer and spoke with Keith Carpenter and asked whether Keffer had hired Smith. Id. ¶¶ 123-26. Carpenter confirmed that Keffer had hired a recovery company, Elite Skippers, to try and recover the vehicles that the identity thief had fraudulently purchased. Id. ¶ 126. Rogers’s contacts with Elite Skippers caused “emotional distress, outrage, stress, fear, anxiety, and confusion.” Id. ¶ 131.

Rogers’s credit report “still reflects six hard inquiries that [Rogers] did not authorize despite [Rogers’s] notice to all three ... CRAs.” Id ¶ 133. Rogers’s credit score has “fallen considerably” as a result of these inquiries, Id. ¶ 135.

On June 3, 2016, Rogers filed a six-count complaint in Wake County Superior Court [D.E. 1-3]. Count one alleges that Chase, Keffer, and Elite Skippers violated the North Carolina Unfair and Deceptive Trade Practices Act (“UDTPA”), N.C. Gen. Stat. §§ 76-1.1 et seq. Id. ¶¶ 138-60. Count two alleges that Chase, Kéffer, and Elite Skippers violated the North Carolina Debt Collection Act (“NCDCA”), N.C. Gen. Stat. §§ 76-50 through 75-59. Id. ¶¶ 151-79. Count three alleges that Chase, SunTrust, Keffer, and the CRAs violated the North Carolina Identity Theft Protection Act (“NCITPÁ”), N.C. Gen. Stat. §§ 75-60 et seq. Id. ¶¶ 180-202. Count four alleges that Chase and SunTrust defamed Rogers, Jd. ¶¶ 203-20. Count five alleges that Chase, SunTrust, and the CRAs violated the Fair Credit Reporting Act (“FCRA”) 15 U.S.C. §§ 1681 et seq. Id. ¶¶ 221-51. Count six alleges that Chase, Keffer, and Elite Skippers violated the Fair Debt Collection Practices Act (“FDCPA”), 15 U.S.C. § 1692 et seq. Id. ¶¶ 252-77.

On July 13,. 2016, Chase removed the case to this court based on federal-question jurisdiction and supplemental jurisdiction [D.E. 1]. See 28.U.S.C. §§ 1331, 1367. On August 12, 2016, Chase, moved to dismiss counts one, three, four, and six of Rogers’s complaint as they pertained to Chase [D.E. 32] and filed a memorandum in support- [D.E. 33]. Also on August 12, 2016, Keffer moved to dismiss counts one, two, three, and six as they pertained to Keffer [D,E. 35] and filed a memorandum in support [D.E. 36]. On September 16, 2016, Rogers responded in opposition to Chase’s motion to dismiss [D,E. 43]. On September 30, 2016, Rogers responded in opposition to Keffer’s motion to dismiss [D.E. 45]. On October 3, 2016, Chase replied. [D.E. 46], On October 20, 2016, Kef-fer replied [D.E. 47].

On October 27, 2016, Rogers voluntarily dismissed Elite Skippers as a defendant [D.E. 48] and voluntarily dismissed counts two and six against Keffer [D.E. 49]. On January 26, 2017, Rogers stipulated to dismissing Experian as a defendant [D.E. 54]. On February 28, 2017, Rogers notified the court that he had settled with Equifax and would be filing a stipulation of dismissal [D.E. 56].

II.

A motion to dismiss under Rule 12(b)(6) for “failure to state a claim upon which relief can be granted” tests the legal and factual sufficiency of the complaint. See Fed. R. Civ. P. 12(b)(6); Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007); Coleman v. Md. Court of Appeals, 626 F.3d 187, 190 (4th Cir. 2010), aff'd, 566 U.S. 30, 132 S.Ct. 1327, 182 L.Ed.2d 296 (2012); Giarratano v. Johnson, 521 F.3d 298, 302 (4th Cir. 2008); accord Erickson v. Pardus, 551 U.S. 89, 93-94, 127 S.Ct. 2197, 167 L.Ed.2d 1081 (2007) (per curiam). The court “accepts all well-pled facts as true and construes these facts in the light most favorable to the plaintiff in weighing the legal sufficiency of the complaint.” Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 591 F.3d 250, 255 (4th Cir. 2009). The court need not, however, accept as true a complaint’s “legal conclusions, elements of a cause of aption, and bare assertions devoid of further factual enhancement.” Id. To withstand a Rule 12(b)(6) motion, a pleading “must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quotation omitted); see Twombly, 550 U.S. at 570, 127 S.Ct. 1955; Giarratano, 521 F.3d at 302. Plaintiffs factual allegations must “nudge[ ] their claims,” Twombly, 550 U.S. at 570, 127 S.Ct. 1955, beyond the realm of “mere possibility” into “plausibility].” Iqbal, 556 U.S. at 678-79, 129 S.Ct. 1937.

In evaluating a motion to dismiss, the court looks to the complaint and materials attached to it. Philips v. Pitt Cty. Mem’l Hosp., 572 F.3d 176, 180 (4th Cir. 2009); Sec’y of State for Defence v. Trimble Navigation Ltd., 484 F.3d 700, 705 (4th Cir. 2007); Am. Chiropractic Ass’n v. Trigon Healthcare, Inc., 367 F.3d 212, 234 (4th Cir. 2004). A court also may take judicial notice of public records such as court documents without converting the motion to dismiss into a motion for summary judgment. See, e.g., Tellabs. Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007); Philips, 572 F.3d at 180.

This case requires the court to apply North Carolina law. In resolving any disputed issue of state law, the court must determine how the Supreme Court of North Carolina would rule. See, e.g., Twin City Fire Ins. Co. v. Ben Arnold-Sunbelt Beverage Co., 433 F.3d 365, 369 (4th Cir. 2005). If the state supreme court “has spoken neither directly nor indirectly on the particular issue before [the federal court, that court must] ... predict how [the state supreme] court would rule, if presented with the issue.” Id. (quotations omitted). In making that prediction, the court “may consider lower court opinions[,] .,. treatises, and the practices of other states.” Id. (quotation omitted). When predicting an outcome under state law, a federal court “should not create or expand [a] [s]tate’s public policy.” Time Warner Entm’t-Advance/Newhouse P’ship v. Carteret-Craven Elec. Membership Corp., 506 F.3d 304, 314 (4th Cir. 2007) (first alteration in original) (quotation omitted); see Wade v. Danek Med., Inc., 182 F.3d 281, 286 (4th Cir. 1999). Moreover, in predicting how the Supreme Court of North Carolina would address an issue, this court must “follow the decision of an intermediate state appellate court unless there is persuasive data that the highest court would decide differently.” Toloczko, 728 F.3d at 397-98.

III.

Chase moves to dismiss the UDTPA claim in count one, the NCITPA claim in count three, the defamation claim in count four, and the FDCPA claim in count six. See [D.E. 32], Rogers bases his UDTPA claim against Chase in count one on two sets of allegedly wrongful acts. First, Rogers cites “Chase’s repeated demands for payment on a debt that [Rogers] did not owe, despite multiple notifications from [Rogers] that the account was procured by fraud.” Compl. ¶ 144. Second, Rogers cites

Chase’s unreasonable delay in addressing [Rogers’s] identity theft concerns, including failing to take proper notes on [Rogers’s] account, failing to supervise its call center employees, failing to have adequate measures in place to address and correct accounts opened through identity theft and fraud, its failure to timely remove the fraudulent account from [Rogers’s] record, and its continued reporting of the false account information to CRAs.

Id. Rogers bases his NCITPA claim against Chase in count three on Chase’s failure to notify Rogers of a “breach” that occurred when Rogers’s personal information was disclosed to the identity thief. Id. 1Í191. Rogers bases his defamation claim against Chase in count four on Chase’s reporting the fraudulent car loan to credit reporting agencies. Id. ¶ 204. Rogers bases his FDCPA claim in count six on the demand letters Chase sent on January 25 and 28, 2016. Id. ¶¶ 264-75.

Keffer moves to dismiss the UDTPA claim in count one and the NCITPA claim in count three. Rogers bases his UDTPA claim against Keffer on three allegedly wrongful acts: a Keffer employee’s request that Rogers lie to police regarding his identity theft, a failure to reasonably investigate the veracity of the identity thiefs loan application, and a failure to verify the identity thiefs identity. Id. ¶ 144. Rogers bases his NCITPA claim on Keffer’s disclosure of Rogers’s social security number to banks and CRAs without Rogers’s written consent or authorization, and on Keffer’s failure to notify Rogers of the “breach” that resulted in unauthorized individuals accessing his social security number. Id. ¶¶ 184-85,190-191.

A.

Chase argues that the FCRA preempts Rogers’s claims in counts one and four. The FCRA contains two preemption provisions, 15 U.S.C. §§ 1681h(e) and 1681t(b)(l)(F). Under 15 U.S.C. § 1681h(e)

Except as provided in sections 1681n and 1681 of this title, no consumer may bring any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information against any consumer reporting agency, any user of information, or any person who furnishes information to a consumer reporting agency, based on information disclosed pursuant to section 1681g, 1681h, or 1681m of this title, or based on information disclosed by a user of a consumer report to or for a consumer against whom the user has taken adverse action, based in whole or in part on the report except as to false information furnished with malice or willful intent to injure such consumer.

Section. 1681h(e) requires a “two-step inquiry.” See Ross v. Fed. Deposit Ins. Corp., 625 F.3d 808, 814 (4th Cir. 2010). A court first asks “whether the claim falls within the scope of § 1681h(e)” and second asks “whether the ‘malice or willful intent to injure’ exception to the general bar against state law actions applies.” Id.

As for the first step, the preemption provision applies when a consumer has sued “any consumer reporting agency, any user of information, or any person who furnishes information to a consumer reporting agency, based on information disclosed pursuant to section 1681g, 1681h, or 1681m of this title, or based on information disclosed by a user of a consumer report to or for a consumer against whom the user has taken adverse action.” 15 U.S.C. § 1681h(e). “Sections 1681g and 1681h ... apply only to [credit reporting agencies].” Ross, 625 F.3d at 814. Chase is not a credit reporting agency. See 15 U.S.C. § 1681a(f). Section 1681m applies to users of consumer reports who take “adverse action” against the consumer on the basis of the consumer reports. Rogers does not allege that Chase took any adverse action against him on the basis of a consumer report. Cf. 15 U.S.C. § 1681a(k) (defining “adverse action”).

Section 1681h(e) also applies to state-law suits “based on information disclosed by a user of a consumer report to or for- a consumer against whom the user has taken adverse action, based in ’whole or in part on the report.” 15 U.S.C. § 1681h(e) (emphasis added). Rogers does not allege that Chase took any adverse action against him based in whole or in part on a consumer report. Rather, Rogers alleges that Chase failed to implement systems for removing a fraudulently obtained loan from its records and reported that fraudulently obtained loan to credit reporting agencies. The loan’s tangential relationship to a credit report—that the loan was initially opened “on [Rogers’s] credit report”—does not mean that Chase took adverse action based on that credit report when it later failed to correct the fraudulently obtained loan in its internal record-keeping system or reported the fraudulently obtained loan to credit reporting agencies. See Compl. ¶ 71; cf. 15 U.S.C. § 1681a(k) (defining “adverse action”). Likewise,. Chase’s attempts to collect on the fraudulently obtained loan were not adverse actions based on a credit report. Thus, Rogers’s UDTPA claim in count one and his defamation claim in count four do not fall within the scope of section 1681h(e).

Under 15 U.S.C. § 1681t(b), specifically § 1681t(b)(l)(F),

No requirement or prohibition may be imposed under the laws of any state ... with respect to any subject matter regulated under ... section 1681s-2 of this title, relating to the responsibilities of persons who furnish information to consumer reporting agencies....

“Section 1681s-2 describes the responsibilities of those who report credit information to CRAs.” Ross, 625 F.3d at 813. Under section 1681s-2, those who report credit information to credit reporting agencies have a duty to furnish accurate information, “which includes correcting any errors in reporting.” Id.; 15 U.S.O. § 1681s-2(a)(l)-(2). Section 1681s-2(b) also states that persons providing information to credit reporting agencies have a duty to investigate any disputed information and to correct any errors. See Ross, 625 F.3d at 813. When a North Carolina UDTPA claim “concerns [a bank’s] reporting of-inaccurate credit information to CRAs, an area regulated in great detail under § 1681s-2(a)-(b),” that claim is preempted under section 1681t(b). Id. Thus, Rogers’s claim in count one that Chase violated the UDT-PA is preempted under section 1681t(b) insofar as it concerns Chase’s inaccurate reporting of a loan to credit reporting agencies and alleged failures to properly investigate and correct erroneous information. See id. Those allegations “relate to the responsibilities of persons who furnish information” under section 1681s-2. See id. (quoting 15 U.S.C. § 1681t(b)(l)(F)). Likewise, Rogers’s defamation claim in count four against Chase is preempted because it concerns reporting inaccurate credit information to credit reporting agencies, which section 1681s-2 regulates.

Rogers’s UDTPA claim is not preempted insofar as it concerns the collection letters Chase sent to Rogers on January .25 and 28, 2016, because that portion of the claim is unrelated to the FCRA. Moreover, Chase does not mention this theory of relief in support of its motion to dismiss or in its reply. See [D.E. 33, 46]. Accordingly, Rogers’s UDTPA claim in count one survives against Chase as to this theory of relief.

B.

As for the UDTPA claim in count one against Keffer, to state a UDTPA claim' under North Carolina law Rogers must plausibly allege that (1) Keffer committed an unfair or deceptive act or practice, (2) the act or practice was in or affecting commerce, and (3) the act proximately caused injury to Rogers. See N.C. Gen. Stat. §§ 75-1.1, 75-16; Bumpers v. Cmty., Bank of N. Va., 367 N.C. 81, 88, 747 S.E.2d 220, 226 (2013); Walker v. Fleetwood Homes of N.C., Inc., 362 N.C. 63, 71-72, 653 S.E.2d 393, 399 (2007); Dalton v. Camp, 353 N.C. 647, 656, 548 S.E.2d 704, 711 (2001); RD & J Props, v. Lauralea-Dilton Enters., LLC, 165 N.C. App. 737, 748, 600 S.E.2d 492, 500 (2004). An act is deceptive if it has a tendency or capacity to deceive. Dalton, 353 N.C. at 656, 548 S.E.2d at 711; Marshall v. Miller, 302 N.C. 539, 548, 276 S.E.2d 397, 403 (1981). An act is unfair “when it offends established public policy, ... is immoral, unethical, oppressive, unscrupulous, or substantially injurious to consumers,” or “amounts to an inequitable assertion of ... power or position.” Carcano v. JBSS, LLC, 200 N.C.App. 162, 172, 684 S.E.2d 41, 50 (2009) (quotation and emphasis omitted). “Whether an act or practice is unfair or deceptive under the UDTPA is a question of law for the court.” Kelly v. Georgia-Pacific, LLC, 671 F.Supp.2d 785, 799 (E.D.N.C. 2009) (collecting cases); see Tucker v. Boulevard At Piper Glen LLC, 150 N.C.App. 150, 153, 564 S.E.2d 248, 250 (2002); Eastover Ridge, L.L.C. v. Metric Constructors. Inc., 139 N.C.App, 360, 363, 533 S.E.2d 827, 830 (2000). “[S]ome type of egregious or aggravating circumstances must be alleged” to make out a UDTPA claim. Dalton, 353 N.C. 647, 548 S.E.2d at 711 (quotation omitted) (emphasis in original).

Rogers alleges that Keffer’s failures “to act as a reasonably prudent auto dealership and loan application preparer would under the same circumstances” and to “verify the [identity thief s] true identity” are unfair or deceptive trade practices. Compl. ¶ 144. The alleged failure to act as-a reasonably prudent auto dealership is á legal -conclusion, and Rogers’s allegation appears, to be based on Keffer allegedly overlooking numerous inconsistencies in the identity thiefs loan application. See id. ¶85. Rogers cites Talbert v. Mauney, 80 N.C.App. 477, 481, 343 S.E.2d 5, 8 (1986), for the proposition that “wrongful and intentional .harm to [a plaintiffs] credit rating and business prospects” qualifies as an unfair or decéptive trade practice. But Rogers has not alleged that Keffer intended to harm his credit rating or business prospects. Rather, Rogers alleges that Keffer overlooked numerous inconsistencies in verifying the identity thiefs loan application. Rogers cites no case suggesting that negligently failing to verify the identity of a customer who a business assists in preparing a loan application qualifies as an unfair or deceptive act. Rogers also offers no reason to believe that failing to notice or understand the significance of inconsistencies between Rogers’s credit report and the identity thiefs loan application offends North Carolina’s established public policy, that such a failure is immoral, unethical, oppressive, or unscrupulous, or that such a failure amounts to an inequitable assertion of bargaining power. Rogers also does not argue that Keffer violated any statutory duty when assisting in preparing the identity thiefs loan application. Moreover, Rogers has not plausibly alleged that Keffer’s failure to catch the identity thief was accompanied by egregious or aggravating circumstances. Thus, Keffer’s negligent failures were not unfair or deceptive trade practices.

Rogers also alleges that one of Kef-fer’s employees instructed Rogers to -lie to the police about his identity theft.. See Compl. ¶ 102. Rogers states a plausible UDTPA claim that this conduct was an unfair or deceptive trade practice and that he has suffered emotional distress as a result. Thus, this claim in count one against Keffer survives.

C.

As for Rogers’s NCITPA claim against Keffer in count three, the NCITPA provides a cause of action under the UDTPA when a business “intentionally disclose[s] an individual’s social security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable'diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual’s social security' number.” N.C. Gen. Stat. § 75-62(a)(6). Rogers’s NCITPA claim arises from Keffer disclosing his social security number, which the identity thief provided to Keffer, Chase, SunTrust, and the CRAs. Compl. ¶¶ 184-85.

Under N.C. Gen. Stat. § 75-62(b)(1), a defendant may not be held liable if a plaintiffs social security number was disclosed because it was “included in an application or in documents related ,to an enrollment process, or to establish, amend, or terminate an account, contract, or policy.” Under N.C. Gen. Stat. § 75-62(b)(4), a defendant is not liable under the NCITPA for “the collection, use, or release of a social security number to ... obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act.” Another exception under the NCITPA applies when a social security number is disclosed for “the opening of an account or the provision of or payment for a product or service authorized by an individual.”. N.C. Gen. Stat. § 75-62(b)(3) (emphasis added). Unlike the exception in subsection (b)(3), the exceptions in subsections (b)(1) and (b)(4) do not mention the individual’s authorization. Thus, the exceptions in subsections (b)(1) and (b)(4) apply whether or not the individual authorized the initial transaction.

When Keffer provided Rogers’s social security number to the CRAs, Keffer released a social security number to “obtain a credit report from ... a consumer reporting agency.” See id. § 75-62(b)(4). Accordingly, the exception in subsection (b)(4) applies to Keffer. Rogers does not plausibly allege that Keffer, as opposed to the identity thief himself, provided Rogers’s social security number to Chase and SunTrust in the loan applications. See Compl. ¶¶ 71, 81-82. But even if Keffer did provide Rogers’s social security number to Chase and SunTrust, Keffer did so to establish an account within the meaning of N.C. Gen. Stat. § 75-62(b)(l). Therefore, Rogers’s claims against Keffer of improper disclosure fall within the NCITPA’s exceptions, and those claims fail.

The NCITPA also provides a cause of action under the UDTPA for failing to notify the victim of a security breach. N.C. Gen. Stat. § 75-65. “Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license ... shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach.... ” N.C. Gen. Stat. § 75-65(b). The NCITPA defines a security breach as

An incident of unauthorized access to and acquisition of unencrypted and un-redacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.

N.C. Gen. Stat. § 75-61(14). A plaintiff must bring a claim for a violation of the NCITPA under the UDTPA and must show “(1) an unfair act (2) in or affecting commerce (3) proximately causing injury.” Reid v. Ayers, 138 N.C. App. 261, 266, 531 S.E.2d 231, 235 (2000).

Rogers argues that a security breach occurred when Keffer disclosed Rogers’s social security number to Chase, SunTrust, and the CRAs. [D.E. 45] 19-21. Keffer responds that, even if the alleged acts violated the NCITPA, the violation did not proximately cause any injury to Rogers because Keffer only learned that Rogers’s identity had been stolen when Rogers told Keffer on October 30, 2014. In response, Rogers argues that he suffered injury because on October 30, 2014, Rogers only knew about the first fraudulent transaction which resulted in the loan from Chase and that he did not learn about the second fraudulent transaction involving SunTrust until January 14, 2015. See Compl. ¶ 100. Had Keffer promptly informed Rogers, Rogers alleges he would not have had to pay a $30 fee to pull his credit report for a second time. Id. ¶ 197. Rogers also alleges damages in the form of unspecified “expenses associated with safeguarding his identity” and with hiring a lawyer. Id. ¶ 200.

Keffer responds that Rogers’s decision to pay $30 was purely voluntary because the CRAs were required to provide free credit reports after a fraud alert had been placed in Rogers’s file. See 15 U.S.C. § 1681c-l(a)(2). As for the unspecified expenses required to protect Rogers’s identity, even if Rogers was forced to incur expenses as a result of having his identity stolen, he identifies no logical reason that any expense could have been avoided had Keffer notified him of the second fraudulent loan 15 days earlier, on December 30, 2014.

The court concludes that Rogers has failed to plead that he suffered any damages as a proximate result of Keffer’s alleged NCITPA violation for failing to notify him of a security breach. Thus, Rogers’s NCITPA claim in count three against Kef-fer fails.

D.

As for Rogers’s NCITPA claim against Chase in count three, Rogers’s complaint does not identify any information that an unauthorized party accessed. Moreover, Chase did not provide Rogers’s social security humber to anyone. Rather, it received a loan application with Rogers’s social security number and provided a loan on that basis. Even if Chase’s receipt of a fraudulent loan application including Rogers’s personal information constituted an “incident of unauthorized access to and acquisition of’ Rogers’s personal information “where illegal use of the personal information has occurred or is reasonably likely to occur or creates a material risk of harm to a consumer,” Rogers has failed to plausibly allege that he suffered any injury due to Chase’s failure to notify him of the breach. See N.C. Gen. Stat. § 75-65(a). Under the NCITPA, a business is only required to provide notice “following discovery or notification of the breach.” Id. § 75—65(a)-(b) Here, Rogers does not allege that Chase discovered or was notified that the loan application was fraudulent before Rogers notified Chase. See Compl. ¶¶ 88-94. Furthermore, Rogers does not allege that he suffered any damages from Chase’s failure to notify Rogers of the security breach of which Rogers was already aware. Thus, Rogers’s NCITPA claim in count three against Chase fails.

E.

As for the FDCPA claim in count six, Rogers must plausibly allege that (1) he was the object of collection activity arising from a “consumer debt” as defined by the FDCPA, (2) the defendant is a “debt collector” as defined by the FDCPA, and (3) the defendant engaged in an act or omission prohibited by the FDCPA. Boo-sahda v. Providence Dane LLC, 462 Fed.Appx. 331, 333 n.3 (4th Cir. 2012) (per curiam) (unpublished); Hardin v. Bank of Am., N.A., No. 7:16-CV-75-D, 2017 WL 44709, *4 (E.D.N.C. Jan, 3, 2017) (unpublished); Campbell, 73 F.Supp.3d at 648; Johnson v. BAC Home Loans Servicing, LP, 867 F.Supp.2d 766, 776 (E.D.N.C. 2011).

Rogers fails to plausibly allege that Chase meets the FDCPA’s definition of a debt collector. The FDCPA “defines a debt coliector as (1) a person whose principal purpose is to collect debts; (2) a person who regularly collects debts owed to another; or (3) a person who collects.its own debts, using a name other -than its own as if it were a debt collector.” Henson v. Santander Consumer USA. Inc., 817 F.3d 131, 136 (4th Cir. 2016) (emphasis omitted). A “debt” under the FDCPA is “any obligation, or alleged obligation of a consumer to pay money.” 15 U.S.C. § 1692a(5).

Rogers offers the bare legal conclusion that Chase is “considered [a] ‘debt collector ]’ as that term is defined under 15 U.S.C. § 1696a(6),” because it- “used an instrumentality of interstate commerce to attempt to collect an alleged debt.” Compl. ¶ 45. Rogers does not plausibly allege that Chase’s principal purpose was to collect debts, that Chase regularly collects debts owed to another, or that Chase collected its own debts using a name other than its own. as if it were a debt collector. Henson, 817 F.3d at 136. Rather, Rogers alleges that Chase is a national banking association that provides “retail and commercial banking services to individuals and businesses throughout the United States,” Compl. ¶¶ 17-18, and the documents attached to Rogers’s complaint show that Chase did not attempt to collect a debt using another name as if it were a debt collector. Id. Exs. 1 & 2. Because Chase is not a debt collector as defined in 15 U.S.C. § ;1692a(6),. Rogers’s. FDCPA claim in count six against Chase fails.

IV.

In sum, Chase’s motion to dismiss [D.E. 32] is GRANTED in part and' DENIED in part, and Keffer’s motion to dismiss [D.E. 35] is GRANTED in part and DENIED in part. Chase’s motion to dismiss is DENIED as to the UDTPA claim in count one arising from improper collection letters, and is otherwise GRANTED. Keffer’s motion to dismiss is DENIED as to the UDTPA claim in count one arising from Streng’s request that Rogers lie to the police, and is otherwise GRANTED.

SO ORDERED. This 17th day of March 2017. 
      
      . A hard inquiry occurs when a financial institution requests a credit report when making a credit decision and may lower a person’s credit score. See Consumer Financial Protection Bureau, What's a credit inquiry?, Ask CFPB, http://www.consumerfinance.gov/ askc:fpb/1317/whats-a-credit-inquiry.html (accessed Mar. 17, 2017).
     
      
      . North Carolina does not have a mechanism to certify questions of state law to its Supreme Court, See Town of Nags Head v. Toloczko, 728 F.3d 391, 397-98 (4th Cir. 2013),
     
      
      . Keffer also moved to dismiss the claims in counts two and six, but Rogers voluntarily dismissed those claims; therefore, those claims against Keffer are no longer in the case, and Keffer’s motion is moot as to those claims.
     
      
      . Because Rogers’s claims do not "meet the steps of the § 1681h(e) analysis," the court "need not address” any "alleged conflict between § 1681h(e)and§ 1681t(b)(l)(F)." Ross, 625 F.3d at 814 n.*. '
     
      
      . Rogers argues that the exception in subsec-. tion (b)(4) does not apply. Specifically, Rogers argues that Keffer did not provide the information "pursuant to the Fair Credit Reporting Act” because the CRAs would not have had a permissible purpose for reporting Rogers’s credit information when Rogers himself was not involved in the transaction, The permissible-purpose test depends on what the credit reporting agency "has reason to believe,” and this court predicts that the Supreme Court of North Carolina would not hold that the exception in subsection (b)(4) protects furnishers of information inconsistently depending on what information the CRA knew. See 15 U.S.C. § 168lb(a)(3). In any event, Keffer reported the information to the CRAs, and nothing in Rogers's complaint suggests that the CRAs lacked a reason to believe that Keffer “intend[ed] to use the information in connection with a credit transaction involving the consumer on whom the information [was] to be furnished and involving the extension of credit to ... the consumer.” 15 U.S.C. § 168lb(a)(3)(A). Therefore, the CRAs had a permissible purpose for providing the credit information, and Keffer provided Rogers’s social security number pursuant to the Fair Credit Reporting Act.
     
      
      . In responding to Keffer’s motion to dismiss, Rogers argues for the first time that he suffered damages from Keffer’s failure to notify him of the security breach in the form of decreased efficiency in Rogers’s attempts to address the fraudulently issued loans with Chase and SunTrust. Rogers did not include this allegation in the complaint and may not use his brief opposing Keffer's motion to dismiss to amend his complaint. See Campbell v. Wells Fargo Bank, N.A., 73 F.Supp.3d 644, 652 (E.D.N.C. 2014) (collecting cases).
     