
    Lynn A. KODRICK Plaintiff, v. Cheryl L. FERGUSON and Accubanc Mortgage, Defendants.
    No. 98 C 576.
    United States District Court, N.D. Illinois, Eastern Division.
    Feb. 16, 1999.
    Peter W. Andjelkovich, Bradley J. Wart-man, Peter Andjelkovich & Assoc., Chicago, IL, for Lynn A. Kodrick.
    Patrick T. Driscoll, Jr., Patrick T. Dris-coll, Jr., P.C., Chicago, IL, for Cheryl L. Ferguson.
    Steven Jay Teplinsky, Adam Carl Smedstad, Michael, Best & Friedrich, Chicago, IL, for Accubanc Mortgage.
   MEMORANDUM AND ORDER

MORAN, Senior District Judge.

Plaintiff Lynn Kodrick (Kodrick) has filed a two-count claim against Cheryl Ferguson (Ferguson) and Ferguson’s former employer Accubanc Mortgage (Accubanc) seeking damages under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. The complaint charges, inter alia, that Accubanc was negligent in complying with the FCRA when it did not prevent Ferguson from using Accubanc facilities to obtain Kodrick’s credit report under false pretenses. For the purpose of deciding Accubanc’s motion to dismiss the plaintiffs well-pleaded allegations are accepted as true, as are all reasonable inferences therefrom. Dawson v. General Motors, 977 F.2d 369, 372 (7th Cir.1992). The motion may be granted only where it appears beyond doubt that the plaintiff can prove no set of facts in support of her claim which would entitle her to relief. Conley v. Gibson, 355 U.S. 41, 45-46, 78 S.Ct. 99, 2 L.Ed.2d 80 (1957). Even so, because we do not believe Accubanc can be held liable under the FCRA for Ferguson’s actions, we grant the motion to dismiss counts I and II as against Accubanc.

Background

As a senior loan officer at Accubanc, Ferguson was authorized to obtain and review the confidential credit histories of Accubanc’s customers. On two occasions in 1997, Ferguson used that authority to obtain a copy of plaintiffs credit report, ostensibly to process a real estate loan. Kodriek, however, had not applied for any loan, nor did she have any business relationship with Accubanc whatsoever. In fact, the real reason Ferguson wanted the information is that Kodriek is now married to Ferguson’s ex-husband.

Both parties acknowledge that Ferguson acted without the express approval of her supervisors at Accubanc. There is also no suggestion in the pleadings that liability must be imputed to Accubanc because Ferguson’s high rank makes her Accu-banc’s alter ego. See Burlington Industries, Inc. v. Ellerth, 524 U.S. 742, -, 118 S.Ct. 2257, 2267, 141 L.Ed.2d 633 (1998) (discussing § 219(2)(a) of the Restatement (2d) of Agency (1957)). Instead, plaintiff argues that Accubanc is liable because its negligence allowed “its authorized agent and officer to use its facilities to obtain credit reports under false pretenses” (plf s mem. in opp. at 2) To determine whether this allegation is sufficient to state a claim under the Fair Credit Reporting Act, we must review both the text and the purpose of the statute.

a. Fair Credit Reporting Act

The Fair Credit Reporting Act was passed in 1968 as Title VI of the Consumer Credit Protection Act. Pub.L.No. 90-321, Title VI, § 602, codified as amended by Pub.L.No. 91-508, Title VI, § 601, 84 Stat. 1128 (1970) at 15 U.S.C. § 1681 et seq. It was designed to “insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” 15 U.S.C. § 1681(a). Section 1681(b) further provides that

[i]t is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.

The principle vehicle for accomplishing this goal was the enumeration of permissible circumstances under which consumer reporting agencies (CRAs) could furnish confidential consumer reports. Section § 1681b(a) contains the exclusive list of permissible purposes, including employment prescreening, § 1681b(a)(3)(B); responses to a court order, § 1681b(a)(l); compliance with the written instructions of the consumer, § 1681b(a)(2); and where the user has a “legitimate business need in connection with a business transaction that is initiated by the consumer,” § 1681b(a)(3)(F)(i). Litigation under this section has focused on the credit agency’s knowledge as to whether the requesting party sought the information for permissible purposes. See, e.g., Heath v. Credit Bureau of Sheridan, Inc., 618 F.2d 693, 696 (10th Cir.1980) (finding that judicial inquiry into credit reporting agency motives was necessary component of § 1681b analysis, and holding that union member stated claim for relief against credit bureau on theory that it had delivered consumer report knowing that union had requested report for the impermissible purpose of humiliating its member). The FCRA also created civil liability for both negligent and willful violations of the Act, § 1681n-o, and provided a criminal penalty not to exceed $5000, one-year imprisonment, or both, for persons who obtain consumer information under false pretenses, § 1681q.

Notwithstanding these initial restrictions, rapidly evolving computer technology and an explosion in available consumer credit over the past two decades contributed to what one member of Congress referred to as an “Orwellian nightmare of erroneous and unknowingly disseminated credit reports” (140 Cong. Rec. H9797-05, H9810 (statement of Rep. Kennedy)). Thus, after much congressional debate and input from both consumer advocates and the credit industry, Congress passed the Consumer Credit Reporting Reform Act of 1996 (Reform Act) “to improve both the accuracy and privacy of consumer reports” {id.; Title II, Subtitle D, Chapter 1, of the Omnibus Consolidated Appropriations Act for Fiscal Year 1997, Pub.L.No.104-208, 110 Stat. 3009-426 (enacted Sept. 30, 1996; effective Sept. 30, 1997), codified as amended at 15 U.S.C. § 1681 et seq). The Reform Act gives the FTC expanded civil' enforcement authority over credit bureaus and information providers, regulates when CRAs may charge consumers a fee for credit reports, and expands the required disclosures to consumers when they are denied credit or employment based on a third party’s report. The maximum sentence under the criminal provision was increased to two years, a new civil liability provision was created for those who obtain a report under false pretenses, and an attorney’s fee provision was included to deter the filing of frivolous lawsuits.

In addition to strengthening the penalty provisions, the amendments also changed the language of the existing civil liability provisions, replacing “[a]ny consumer reporting agency or user of information which is negligent in failing to comply with any requirement” with “[a]ny person who is negligent in failing to comply with any requirement” (§ 1681o (emphasis added); see Reform Act, Pub.L.No. 104-208, Div. A., Title II, § 2412(a) to (c), (e)(1)). The term “person” is now defined at § 1681a(b) as “any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.”

Analysis

Plaintiff argues that the altered language of the civil liability provisions evinces a congressional desire to hold corporations liable for the violative activity of their employees (plfs mem. in opp. at 7). That is one possible interpretation’.- The practical implication of this change,, in any case, is to immediately focus our analysis on whether the FCRA imposed a “requirement,” i.e. a duty, on the defendant that has been negligently violated. Hansen v. Morgan, 582 F.2d 1214, 1219 (9th Cir.1978) (“The crucial issue is what constitutes ‘any requirement imposed under this subchap-ter’ for purposes of § 1681n and § 1681o.”). If an entity negligently fails to comply with such a requirement, it will be liable whether or not it is classified as a “credit reporting agency” or a “user.” Thus, we must decide whether the FCRA established a duty on the part of Aecubanc to prevent its employees from obtaining credit reports for personal use.

The FCRA does not explicitly impose requirements on “subscribers,” i.e. those individuals or companies, like Accubanc, who contract with credit reporting agencies for the right to regularly access consumer information. There is no language in the statute, for example, requiring subscribers to limit requisition access to supervisors or other employees with special training regarding permissible purposes. Plaintiff contends that it is the new language in § 1681b(f) that imposes a duty on Accubanc to prevent willful violations (plf s mem. in opp. at 5). This new provision provides that “[a] person shall not use or obtain a consumer report for any purpose unless' (1) the consumer report is obtained for a purpose for which it is authorized to be furnished under this section; and (2) the purpose is certified in accordance with § 1681e of this title by a prospective user of the report through a general or specific certification”. 15 U.S.C. § 1681b(f). In the context of this motion no one disputes that Ferguson obtained the report herself, falsely certified the permissible purpose, and used the report for personal reasons. The question then is whether her unauthorized actions are also imputed to Accubanc such that the corporation itself has “obtained a consumer report” for an impermissible purpose and without the appropriate certification. Or, stated another way, is Accubanc deemed a “user” or “obtainer” any time its facilities are used to obtain a report?

This, of course, is an agency question on which the statute remains silent. What do we take from this silence? Would Congress have wanted us to apply agency principles to determine employer liability here? If so, would it want the courts to create a uniform body of law on subscriber liability or instead rely on the agency law as it exists in the state forum? Or does the fact that the statute fills the agency gap as to other “requirements” suggest that Congress did not want to subject subscribers to this form of strict liability?

Where courts have addressed agency gaps in other statutes, they have often disagreed regarding the judiciary’s role. In Jansen v. Packaging Corp. of America, 123 F.3d 490 (7th Cir.1997), judgment aff'd. Burlington Industries, Inc. v. Ellerth, 524 U.S. 742, 118 S.Ct. 2257, 141 L.Ed.2d 633 (1998), Judge Easterbrook postulated that “when a federal statute is silent, we obtain the necessary rule from state law, unless application of state law would undermine a federal norm.” Jansen, at 553 (Easterbrook, J. concurring) (citing Atherton v. FDIC, 519 U.S. 213, 218, 117 S.Ct. 666, 670, 136 L.Ed.2d 656 (1997)). Judge Posner disagreed, noting that “[t]here is no novelty in formulating federal principles of agency law in interpreting federal statutes that are silent on agency.” Jansen, at 507 (Posner, J. concurring) (citing Central States Trucking Co. v. J.R. Simplot Co., 965 F.2d 431 (7th Cir.1992); U.S. v. Balistrieri, 981 F.2d 916, 930 (7th Cir.1992)). In Burlington, 118 S.Ct. at 2265, the Supreme Court agreed with Judge Posner to the extent that they saw a congressional instruction implicit in Title VII to create a federal common law on sexual harassment in the workplace. As the Court had explained earlier in Atherton, “Whether latent federal power should be exercised to displace state law is primarily a decision for Congress, not the federal courts. Wallis v. Pan American Petroleum Corp., 384 U.S. 63, 68, 86 S.Ct. 1301, 1304, 16 L.Ed.2d 369 (1966). Nor does the existence of related federal statutes automatically show that Congress intended courts to create federal common-law rules, for Congress acts ... against the background of the total corpus juris of the states.... Id. at 68, 86 S.Ct. at 1304.... Consequently, we must decide whether the application of state-law standards of care to such banks would conflict with, and thereby significantly threaten, a federal policy or interest.” Atherton, 519 U.S. at 218, 117 S.Ct. at 670 (internal quotations omitted).

Those few courts confronted with the agency gaps left by the FCRA have applied these general principles inconsistently. In Taylor v. Checkrite, Ltd., 627 F.Supp. 415, 417 n. 2 (S.D.Ohio 1986), the court explicitly relied on Ohio law rather than federal common law because there “[wa]s no clear indication Congress sought to replace state agency law with federal law in the area of consumer credit regulation or that there [wa]s an overwhelming need for a single national definition of agent for the purpose of these statutes.” In the pre-amendment case law on the FCRA, general agency principles often operated in the background to define who was a “user” subject to the civil liability provisions. In Hansen, the court established the rule that the term “user” refers not only to the ultimate destination of a credit report but also encompasses the person who acquires it for another. Hansen v. Morgan, 582 F.2d 1214 (9th Cir.1978). The Hansen court held the subscriber liable where the owner and principal stockholder of the subscribing jewelry store obtained a credit report on a congressional candidate at the behest of his political opponents. In Boothe v. TRW Credit Data, 557 F.Supp. 66, 71 (S.D.N.Y.1982), the subscriber was found to be a “user” where the vice-president of the subscriber obtained the report knowing of the impermissible purposes. See also Scott v. Real Estate Finance Group, 956 F.Supp. 375, 384 (E.D.N.Y.1997) (holding that subscriber could be liable as “user” where owner of subscriber obtained report for real estate agent knowing that subscriber had no business relationship with consumer). In Austin v. BankAmerica Service Corp., 419 F.Supp. 730, 734 (N.D.Ga.1974), and Northrop v. Hoffman of Simsbury, Inc., 134 F.3d 41, 49 (2d Cir.1997), it was held that “whether an employee may be held liable as a ‘user of information’ under § 1681n for a violation of § 1681q depends on whether the employee impermissibly obtained credit information for personal purposes, or merely in the ordinary course of employment.” In other words, an employee who obtains a report on the instructions of a culpable employer will be shielded from liability under the FCRA if, and only if, she “had no independent interest in the reports [she] obtained on behalf of [her] employer.” Yohay v. City of Alexandria Employees Credit Union, Inc., 827 F.2d 967, 973 (4th Cir.1987) (holding subscriber liable where subscriber’s manager authorized request for credit report to help subscriber’s secretary-treasurer and subscriber’s attorney in custody battle). It thus appears that in most pre-amendment case law, the corporate subscriber was only found to be a “user” where a high-ranking officer acting as the company’s alter ego obtained the report knowing of the impermissible end use. The lone exception is Northrop where the court deemed the subscribing auto dealership a “user” on the basis that it

is clearly a party that in the ordinary course of business would have occasion to request and receive credit reports from consumer reporting agencies for the permissible purposes described in section 1681b. It is therefore precisely the sort of party that would be expected to “use” credit reports under the Act. Presumably, it was by virtue of Hoffman’s being in this position that the individual defendants were able to obtain plaintiffs credit report from a consumer reporting agency. Whatever other types of parties Congress had in mind when it included the term “users of information” in § 1681n, we are convinced that Hoffman — a prototypical “user” of credit reports — qualifies.

Northrop, 134 F.3d at 49. It is important to remember, however, that this holding came in the context of a pre-amendment determination as to whether the subscriber was a user such that it could be found liable under § 1681n. As the Hoffman court warned in a footnote, “We express no conclusions regarding any liability that may be imposed upon any of the corporate or individual defendants based not on their own status as ‘users of information’ but on their responsibility for any violations by other defendants.” Hoffman, 134 F.3d at 49 n. 12.

This year, on facts very similar to this case, the Sixth Circuit relied on agency principles abstracted in the Restatement to find that a corporate subscriber could be held liable for its employee’s personal misappropriation of a confidential credit report. Jones v. Federated Financial Reserve Corp., 144 F.3d 961 (6th Cir.1998). In Jones, the court determined that a principal may be liable for an agent’s violation of the FCRA under the theory of apparent authority. Under this theory, “vicarious ‘liability is based upon the fact that the agent’s position facilitates the consummation of the fraud, in that from the point of view of the third person the transaction seems regular on its face and the agent appears to be acting in the ordinary course of the business provided to him.’ ” Id. at 965, quoting American Soc’y of Mechanical Eng’rs, Inc. v. Hydrolevel Corp., 456 U.S. 556, 566-567, 102 S.Ct. 1935, 72 L.Ed.2d 330 (1982); see also Yohay, 827 F.2d at 973. Under this form of strict liability the principal is responsible, “irrespective of whether the agent acted for his own purposes rather than those of his principal.” Jones, 144 F.3d at 965 (citing Restatement (2d) Agency § 262). In Burlington, a Title VII case decided one month after Jones, the Supreme Court clarified that “as a general rule, apparent authority is relevant where the agent purports to exercise a power which he or she does not have, as distinct from where the agent threatens to misuse actual power...” Burlington, 524 U.S. at -, 118 S.Ct. at 2267-2268. Where “a party seeks to impose vicarious liability based on an agent’s misuse of delegated authority, the Restatement’s aided in the agency relation rule, rather than the apparent authority rule, appears to be the appropriate form of analysis.” Id. (emphasis added). “This exception embraces a narrower concept that holds the employer liable only if the tort was accomplished by an instrumentality, or through conduct associated with the agency status.” Smith v. Metropolitan School Dist., Perry Township, 128 F.3d 1014, 1029 (7th Cir.1997), cert. denied, - U.S. -, 118 S.Ct. 2367, 141 L.Ed.2d 736 (1998).

To summarize, if we follow the lead of the court in Checkrite, we would fill the agency gap here with state law and hold Accubanc liable only if Illinois common law on agency would impose liability in these circumstances. If we follow the lead of the Sixth Circuit in Jones v. Federated, we would create new federal common law and infer that the FCRA imposes strict liability on subscribers when an employee obtains a report for personal use by falsely certifying a permissible purpose. We believe neither approach is the correct one here. Recent legislative history and the new preemption provisions contained in the Reform Act indicate that Congress sought to develop uniform national standards. The text and structure of the FCRA, moreover, indicate that Congress carefully located the penalty for impermissible use — and thus the duty to prevent it — with the industry players best able to correct the systemic problems: consumer reporting agencies and individuals who knowingly violate the law.

b. Federal Preemption of State Law and Legislative History

The 1996 amendments added two new preemption provisions which became effective September 30, 1997. The first preempts certain state causes of action arising out of the disclosure of confidential consumer information. 15 U.S.C. § 1681h(e), as amended by Pub.L.No. 104-208, Div. A, Title II § 2408; see Stevenson v. Employers' Mutual Ass’n, 960 F.Supp. 141 (N.D.Ill.1997). The second gives industry an eight-year preemption from state laws regulating the acquisition and disclosure of consumer credit information, even where the state laws provide greater protection for consumers. 15 U.S.C. § 1681t. Acknowledging that the preemption debate had been “contentious,” Representative Kennedy explained that “[t]his compromise provision is the product of a careful effort to balance industry’s desire for nationwide uniformity with States’ vital interest in protecting their citizens... [T]he 8-year preemption mandated by this bill will test the viability of a uniform national standard. If after 8 years the Federal law is not adequately protecting consumers, then I would expect States to step in once again and do the job.” 140 Cong. Rec. H9810; see also id. at H9810 (remarks of Rep. McCandless: “I think that 8 years is long enough to foster national uniformity, but not too long to stifle State ingenuity.”); id. at H9811 (remarks of Rep. Thomas: “We have compromised on the preemption issue so companies will not have to comply with a patchwork of State laws.”); id. at H9815 (remarks of Rep. Castle: “Equally as important, this compromise will not place an unfair regulatory burden on companies that provide credit to consumers.... This federal preemption will allow business to comply with one law on credit reports rather than a myriad of State laws”). Though of course this legislative history is not binding on this court, we believe it indicates that Congress did not intend that we establish differing rules for subscribers based on the agency law in each forum.

c. The FCRA Text and Legislative Scheme

The text, stated purpose, structure, and legislative history all suggest that Congress wanted to place the responsibility for breaches of confidentiality primarily on the credit reporting agencies. Even there, they did not provide strict liability for all violations. Although we agree in theory with the Jones court that the “aided in the agency relation” rule could be useful in this context where an employee’s authorization to obtain credit reports facilitates an invasion of a consumer’s privacy, we do not believe the statute allows us to overlay this theory of vicarious liability. -There is not silence on agency altogether; the silence here is in the form of an absence of an affirmative duty imposed on employers of rogue “users.”

We believe § 1681e is the provision that best illuminates the scope of civil liability under § 1681o. Entitled Compliance Procedures, section (a) provides as follows:

(a) Identity and purposes of credit users.
Every consumer reporting agency shall maintain reasonable procedures designed to avoid violations of section 1681c of this title and to limit the furnishing of consumer reports to the purposes listed under section 1681b of this title. These procedures shall require that prospective users.of the information identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. Every consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report. No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 1681b of this title.

Note that the reasonable procedures requirement is imposed specifically on CRAs, even though the language of § 1681b focuses on permissible uses. As the court in Wiggins v. Philip Morris, Inc., 853 F.Supp. 470, 481-482 (D.D.C.1994), explained:

With the enactment of the FCRA, Congress sought to create reasonable procedures regarding the dissemination and use of consumer information. In attempting to achieve its goal, Congress emplaced a detailed statutory framework, setting levels of culpability and punishment and numerous procedural devices aimed at nonjudicial resolution of claims under the Act... [T]he Act imposes different obligations upon consumer reporting agencies that provide consumer credit information and users of consumer reports. Compare 15 U.S.C.A. §§ 1681c-1681e (1982) %úth id. § 1681m. Users have a limited responsibility. Under the Act, the primary duty assigned to users of consumer information is mandatory disclosure to a consumer of the name and address of the consumer reporting agency that provided a report when the consumer is adversely affected by the dissemination of information provided for employment purposes.... On the other hand, consumer reporting agencies were charged with several responsibilities. The Act requires consumer reporting agencies to maintain and follow a myriad of reasonable compliance and accuracy policies and to follow strict procedures in cases of disputed accuracy. If litigants were allowed to use § 1985(3) to compel users of consumer reports to comply with the duties imposed upon consumer reporting agencies via a federal conspiracy statute (and vice versa), then these litigants would be able to circumvent the intent of Congress and the purpose of the Act.

When Judge Shadur recently refused to infer a credit agency’s right to contribution from the user, he quoted extensively from Wiggins and noted that the structure of the FCRA negated any argument that would permit the credit agency to “shunt the responsibility that Congress has expressly imposed on it onto the less culpable user of its flawed report.” Kay v. First Continental Trading, Inc., 966 F.Supp. 753, 754-755 (N.D.Ill.1997). Similarly, we do not believe Congress intended us to infer from § 1681b(f) that subscribers have a duty to prevent willful violations, given that it has expressly placed that responsibility with the credit agencies.

The statutory scheme is straightforward. First, it places the primary obligation to prevent misuse with the CRA by requiring reasonable procedures to avoid furnishing reports for impermissible purposes, and imposing civil liability for negligent or willful non-compliance. Second, it establishes a certification scheme to help the CRA red flag suspect requests and identify those who repeatedly obtain consumer reports for impermissible purposes. If verification uncovers improper requests by a subscriber or a subscriber’s employee, the CRA would presumably alter its contractual relationship to account for the heightened risk of its own liability: it could add indemnification language, move from a general certification to a specific certification, or terminate access altogether. Even reasonable CRA procedures, however, cannot catch violations if individual certification documents provide false information, and so the FCRA imposes criminal penalties on those who use false pretenses to obtain reports. 15 U.S.C. § 1681q; see Hansen, 582 F.2d at 1220 (“[T]he objectives of the act could be defeated if users could obtain information from consumer reporting agencies under false pretenses with impunity. Even consumer reporting agencies acting in complete good faith cannot prohibit illicit use of consumer information if users are not bound to obtain consumer reports only for permissible purposes. § 1681q is a response to this concern.”). Finally, the amended statute “allows a consumer to learn who has seen his or her report, and why, to help prevent unauthorized uses of that report.” 140 Cong. Rec. 59797-05, H9810 (Remarks of Rep. Kennedy). “It appears that Congress was meticulous in its enactment of the FCRA. The culpability, liability, remedy, and enforcement provisions demonstrate Congress’s effort at creating a comprehensive statutory scheme.” Wiggins v. Philip Morris, Inc., 853 F.Supp. at 482. The scheme does not impose strict liability on subscribers.

It goes without saying that Congress knows how to provide for vicarious liability when it so chooses. Section 20(a) of the Securities Exchange Act of 1934, codified at 15 U.S.C. § 78t(a), is particularly instructive given that stock brokers have access to information and instrumentalities because of their agency relation which can facilitate intentional torts against unwitting consumers. Congress could have adopted the controlling person standard to govern subscriber liability. Alternatively, Congress had the model provided by developing case law on Title VII, another context in which the agency relation often facilitates a private tort. See Burlington, 118 S.Ct. at 2270 (holding that an employer is subject to vicarious liability for an actionable hostile environment created by a supervisor with authority over an employee, unless the employer can prove that it exercised reasonable care to prevent and correct sexually harassing behavior). Again, such a scheme might be quite productive in this context, creating the right incentives for prevention and training while ensuring that employers who act responsibly will not be held liable for the secret behavior of rogue employees. Indeed, it may be the case that our holding today uncovers a gap in the protection afforded to consumers by the FCRA. It may mean that the deep pockets of corporations who benefit from access to these reports will not be available to compensate victims for the breach of their privacy. We leave it to Congress, however, to fill any such gap. As the law is currently written, Kodrick has not stated a cognizable claim against Accubanc.

Plaintiff echoes the concern of the Jones court that, under our interpretation, “because a company like Federated [or Accubanc] can act only through its agents, it is difficult to imagine a situation in which a company would ever be found to have willfully violated the statute directly by obtaining a credit report for an impermissible purpose.” Jones at 966. We make two observations. First, the congressional scheme would not be undermined if a corporate subscriber were never held directly liable for its employee’s violation. The deterrence comes in the form of the credit agency’s obligations to check up on users and the stiff civil and criminal penalties placed on an individual who uses or obtains a report for impermissible purposes. Second, where an employee’s rank is such that he or she acts as the subscriber’s alter ego, the case law reviewed above proves that a corporate subscriber can be held liable for noncompliance. An official corporate policy in violation of the FCRA can also subject a corporation to liability. See Mathews v. GEICO, 23 F.Supp.2d 1160 (S.D.Cal.1998) (holding that employer’s official policy to make adverse employment decisions based upon credit reports without providing required notice to affected applicants violated specific requirement imposed by FCRA).

We emphasize that our holding is confined to the facts alleged by the plaintiff. This is not a case where company supervisors knew their, facilities were being used to obtain reports for impermissible purposes. Nor is there any allegation that Accubanc recklessly gave access to its credit bureau facilities to employees who would not need to conduct credit checks to carry-out work within their job description. We make no comment as to when a corporation could be held liable under those circumstances. We hold only that a subscriber is not liable under § 1681n or § 1681o for its employee’s unauthorized willful violations of the Fair Credit Reporting Act, where the employee of the subscriber obtained the report under false pretenses and for personal use without the express or implied approval of her supervisors.

Conclusion

For the foregoing reasons, we grant Ac-cubanc’s motion to dismiss Counts I and II. 
      
      . See Northrop v. Hoffman of Simsbury, Inc., 134 F.3d 41, 48 n. 9 (2d Cir.1997) (discussing several possible interpretations).
     
      
      . Plaintiff also asserts that it is the criminal penalty provision at § 1681q that imposes on Accubanc "an affirmative duty to refrain from allowing its agents and officers from willfully obtaining credit reports under false pretenses" (plf’s mem. in opp. at 12). She provides no support for this proposition and there is nothing in the text to support such an interpretation. While the pre-amendment case law disagreed as to whether § 1681q also created a private cause of action under § 1681o or § 1681n against those who obtained a consumer report under false pretenses, the new knowing non-compliance provision at § 1681n(b) appears to clarify congressional intent on this question. That is not the issue presented in this case, however.
     
      
      . Although the reference to "user” was eliminated from the civil liability provisions, the term is still used throughout the statute. "Using” a consumer information report, however, is generally distinguished from "obtaining” or "procuring” a report. For example, § 1681b establishes that employment screening is a permissible purpose for which a credit report may be furnished, and § 168 lb(b) enumerates the special "[c]onditions for furnishing and using consumer reports for employment purposes.” The text of § 168lb(b) establishes that the person who "obtains” the report has certification duties, as does the reporting agency who furnishes the report. It also establishes that the person who "pro-curéis]” a report or "cause[s] a report to be procured” has disclosure duties, as does any person who takes adverse action based on information in the report. A second example appears in § 1681e(e), which provides that "a person may not procure a consumer report for purposes of reselling the report... unless the person discloses to the consumer reporting agency that originally furnishes the report (A) the identity of the end-user of the report. .. and (B) which permissible purpose under section 1681b of this title for which the report is furnished to the end-user.” Thus, the statute assigns unique responsibilities to those who furnish reports, to those who obtain or procure the reports, and to those who use them.
     
      
      . The general rule is that an employer will not be liable for the torts of his servants acting outside the scope of their employment. Restatement (2d) Agency § 219(2).
     
      
      . As amended by the Reform Act, § 1681h(e) establishes that
      Except as provided in sections 168In and 1681o of this title, no consumer may bring any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information against any consumer reporting agency, user of information, or any person who furnishes information to a consumer reporting agency, based on information disclosed pursuant to section 1681 g, 1681h, or 1681m of this title, or based on information disclosed by a user of a consumer report to or for a consumer against whom the user has taken adverse action, based in whole or in part on the report except as to false information furnished with malice or intent to injure such consumer.
     
      
      . It is worth noting that the comprehensive overhaul of the FCRA in 1996 did not amend the purpose statement in § 1681(b) which clearly emphasizes that the goal is to get credit reporting agencies to adopt reasonable procedures. See Ippolito v. WNS, Inc., 864 F.2d 440, 448 (7th Cir.1988).
     
      
      . The FCRA also includes a companion provision confirming an affirmative defense to civil liability. Entitled "reasonable procedures to assure compliance,” § 1681m(c) provides that "No person shall be held liable for any violation of this section if he shows by a preponderance of the evidence that at the time of the alleged violation he maintained reasonable procedures to assure compliance with the provisions of this section.” Several courts have held that this provision does not impose an affirmative requirement on a user that would form a basis for civil liability. See Wiggins v. District Cablevision, Inc., 853 F.Supp. 484, 491 (D.D.C.1994).
     
      
      . See FTC Commentary on the FCRA, 16 CFR Ch. 1, Pt. 600, App., sec. 607(2) Procedures to Avoid Reporting for Impermissible Purposes, subsections (A) — (C).
     
      
      . Id., subsection (D) (“Where doubt arises concerning any user's compliance with its contractual certification, a consumer reporting agency must take steps to insure compliance, such as requiring a separate, advance certification for each report it furnishes that user, or auditing that user to verify that it is obtaining reports only for permissible purposes. A consumer reporting agency must cease furnishing consumer reports to users who repeatedly request consumer reports for impermissible purposes.”); Id., subsection (E) ("If a subscriber has inadvertently sought reports for impermissible purposes or its employee has obtained reports without a permissible purpose, it would be appropriate for the consumer reporting agency to alter the subscriber’s means of access, and require an individual written certification of the permissible purpose for each report requested or randomly verify such purposes.”) (emphasis added). There is no comparable guideline for subscribers.
     
      
      .Were we to infer strict liability we would be imposing a greater burden on subscribers than that which the statute explicitly imposes on CRAs.
     
      
      . Section 20(a) of the 1934 Act establishes liability as follows:
      Every person who, directly or indirectly, controls any person liable under any provision of this chapter or of any rule or regulation thereunder shall also be liable jointly and severally with and to the same extent as such controlled person to any person to whom such controlled person is liable, unless the controlling person acted in good faith and did not directly or indirectly induce the act or acts constituting the violation or cause of action. 15 U.S.C. § 78t. "Thus, once controlling-person status is shown, a broker-dealer would be liable for its employee's acts under Section 20(a) if it did not maintain a reasonably adequate system of internal supervision and control over the registered representative or did not enforce with any reasonable diligence such system." Harrison v. Dean Witter Reynolds, Inc., 974 F.2d 873, 881 (7th Cir.1992) (internal citations omitted), cert. denied, 509 U.S. 904, 113 S.Ct. 2994, 125 L.Ed.2d 688 (1993).
     
      
      . Plaintiff contends that her complaint is sufficient to plead Accubanc’s knowledge as to the impermissible request. She relies primarily, however, on agency principles rather than facts to establish that knowledge. Plaintiff's memo, in opp. at 2, 12. This begs the question as to whether agency principles can be used to establish strict liability under the FCRA. She also pleads that Ferguson was a "Senior Loan Officer” and thereafter the complaint refers to her as an "officer” of Accubanc. Without more in the pleadings, we are hesitant to conclude that plaintiff's use of the term "officer” indicates that she believes Ferguson's rank was high enough to make her Accubanc's alter ego.
     
      
      . Although plaintiff notes that Ferguson twice used the facilities improperly, this hardly demonstrates Accubanc’s "careless” attitude toward FCRA requirements. In Yohay, 827 F.2d at 974, for example, the court noted that the subscriber "had not posted any guidelines to users of the computer informing them of the circumstances under which such credit information could be obtained... Indeed the Credit Union had posted the code which provided access to the computer system, enabling anyone with the physical opportunity to use the system to access CBI's files.” Such a policy would almost invite violations. We need not consider the implications of such apparently reckless behavior, however, for there is no allegation in the pleadings that such a policy facilitated the breach of Kodrick's privacy.
     