JPMorgan Chase accuses TransUnion, others of stealing 'trade secrets'

JPMorgan Chase has sued TransUnion for what it calls an "elaborate, decade-long scheme" by Argus, a unit of TransUnion, to "secretly misappropriate JPM 'svaluable trade secret data." The "trade secret data" the bank refers to is anonymized credit card data. The case does not involve personally identifiable information.

In the lawsuit the New York bank filed against Chicago-based TransUnion last week in Delaware Federal District Court, it said Argus Information & Advisory Services collected the bank's credit card data while under contract as a data aggregator for the Office of the Comptroller of the Currency, the Federal Reserve Board and the Federal Reserve Bank of Philadelphia. Argus then, without permission and in violation of its contracts with those agencies, used that data in the benchmarking services it sells to other banks, according to the bank. The complaint also names Verisk Analytics, which bought Argus in 2012, as a defendant.

"While Argus did not have access to any of our customers' personally identifiable information, this data is valuable and competitively sensitive," said Seth Wheeler, Chase's chief data and analytics officer. "Argus used Chase's data for its own commercial gain, and it's time this pattern of behavior stops once and for all."

TransUnion's response is that all of this happened before it bought Argus with its acquisition of Verisk in April 2022.

"The matter relates to actions at Argus, a subsidiary of TransUnion, that precede TransUnion's acquisition of Argus," a spokesman said in an email. "We have brought Argus under the rigorous data governance standards that make TransUnion a leader in this space and are proud of the work we've done to strengthen Argus at TransUnion." Argus did not respond to a request for an interview.

The bank's case is bolstered by the fact that earlier this month, Argus agreed to pay $37 million to settle a civil investigation by the Department of Justice and other federal authorities accusing it of the same thing – using anonymized credit card data collected for government agencies in the benchmarking services it sells to credit card issuers, in violation of its government contracts.

In announcing its settlement with Argus, the Department of Justice said that from 2010 through 2020, Argus improperly accessed, used and retained anonymized credit card data that it received under its contracts with the OCC, the Federal Reserve Board and the Consumer Financial Protection Bureau. The contracts each restricted Argus' ability to use, disclose or distribute credit card data collected from banks for purposes other than the performance of the work under the government contracts.

But the company used this anonymized data to create synthetic data that it incorporated into the products and services it sold to some commercial customers, the DOJ said. The DOJ further alleged that Argus failed to disclose its improper access, use and retention of credit card data to the government and the extent to which it relied on synthetic data to its commercial clients. The government's claims were filed under the False Claims Act and the Financial Institutions Reform, Recovery and Enforcement Act of 1989.

The bank's case

"The $37 million settlement casts very powerful optics in favor of Chase," said Eugene Mar, partner at Farella, Braun and Martel. "However, unless the settlement came with an admission of liability from Argus, the court overseeing the Chase action may not permit the government settlement to be presented at trial because of its potential prejudice to Argus."

Nevertheless, some observers feel the bank has a strong case.

"The allegations underlying this case are shocking," said Michele Alt, co-founder and managing director at Klaros Group. Despite the fact that Argus' contracts with bank regulators restricted it from using, disclosing or distributing the credit card data for commercial purposes, Argus "allegedly repackaged the data and sold it to its commercial customers anyway. Wow."

The fact that Argus admitted to the regulators that it misused JPMorgan Chase's anonymized card data is "a pretty damning admission," Alt said. And the fact that it agreed to pay $37 million to settle a civil investigation by the Department of Justice on this same issue "is a pretty strong starting point for the JPMorgan Chase case." She expects other banks whose data was used by Argus will soon file their own suits or join this one.

"Argus' contract with the banking agencies was likely quite lucrative, as indicated by the $13.5 million in restitution the company must now pay to the government," Alt said. "Argus should have enjoyed that payday and stopped while it was ahead."

The case could have implications throughout the industry. There is a lucrative market for buying and selling credit card data, as well as other forms of financial data, to hedge funds, marketing firms and others that use it to understand market forces and trends. Banks, payment networks, co-branding companies, fintech companies and data brokers are all highly invested in this market.

And as the Consumer Financial Protection Bureau's implementation of the 1033 section of the Dodd Frank Act takes effect, consumer financial data of all kinds will flow more freely out of banks. All banks will be required to share customer account data with third parties as long as the customers allow it.

Does credit card data qualify as trade secrets?

An interesting aspect of this case is the bank's characterization of credit card data as "trade secrets."

According to JPMorgan Chase, the trade secrets Argus misappropriated include monthly detailed individual account-level data and compiled portfolio-level data that aggregates categories of credit card accounts.

"JPMC's exclusive use and access to this data concerning its credit card business give it a significant competitive advantage," the bank said in its complaint. According to the bank, this data can provide detailed insights into its customer base and business practices, including its rates and pricing. The data also lets JPMorgan Chase track market trends and opportunities for business growth. The bank does not sell this data to third parties, it said.

Under the Uniform Trade Secret Act's definition of a trade secret, the information that Argus acquired and misused probably does qualify as a trade secret because it is at least a compilation of information that is generally not available to the public, according to Mar.

"By filing this as a trade secret case, Chase's lawsuit actually shines an interesting light on who owns credit card transaction data," Mar said. "I believe the complaint asserts that the banks like Chase own credit card transaction data, but does an average user actually know that? Probably not."

Under the concept of open banking, in theory, consumers own their account data.

"The biggest impact I see from this case is that I expect all the companies in this ecosystem like banks, co-branded companies, data brokers, data aggregators, and data analytic companies to closely scrutinize their agreements to see what limits are placed on each other to use the credit card data," Mar said. "You could see more disputes among these players about one company improperly exceeding the scope of their agreements or misappropriating trade secrets in the form of compiled, synthesized, or aggregated credit card transaction data."