ORDER
Pending before the Court is Defendant’s Motion for Summary Judgment. For the reasons stated below, the motion is denied.
I. Standard of Review
Summary judgment is appropriate where “there is no genuine issue as to any material fact.” Fed.R.Civ.P. 56(c). A genuine issue exists if “the evidence is such that a reasonable jury could return a verdict for the nonmoving party,” and material facts are those “that might affect the outcome of the suit under the governing law.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). A fact is “material” if, under the applicable substantive law, it is “essential to the proper disposition of the claim.” Id. An issue of fact is “genuine” if “there is sufficient evidence on each side so that a rational trier of fact could resolve the issue either way.” Id. Thus, the “mere scintilla of evidence” in support of the nonmoving party’s claim is insufficient to survive summary judgment. Id. at 252, 106 S.Ct. 2505. However, in evaluating a motion for summary judgment, “the evi*1004dence of the nonmoving party is to be believed, and all justifiable inferences are to be drawn in his favor.” Id. at 255, 106 S.Ct. 2505. Further, a court must “not weigh the evidence^ make credibility determinations,] or determine the truth of the matter” at the summary judgment stage, but may only determine whether there is a genuine issue for trial. Abdul-Jabbar v. General Motors Corp., 85 F.3d 407, 410 (9th Cir.1996); Balint v. Carson City, Nevada, 180 F.3d 1047, 1054 (9th Cir.1999); see also Self-Realization Fellowship Church v. Ananda Church of Self-Realization, 206 F.3d 1322, 1328 (9th Cir. 2000) (recognizing that on a motion for summary judgment, “a district court is entitled neither to assess the weight of the conflicting evidence nor to make credibility determinations”).
II. Factual Background
A. Overview
In 2001, the state of Arizona prosecuted an individual for molesting the daughter of Plaintiff Christopher Centuori (“Centuori”). The state called him to testify as an eyewitness to the crime. Attorneys from the Pima County Public Defender (“Public Defender”) obtained Centuori’s credit report in an attempt to impeach his credibility on the theory that his poor credit history created a financial motive to testify against the criminal defendant (who was later convicted).
In January 2004, Centuori filed suit against Experian, the Public Defender, Merchants Information Solutions, Inc. (“MIS”) and various individuals alleging they violated the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq. Centuori alleges the Public Defender willfully violated the FCRA when it obtained his credit report, and that the credit agencies failed to comply with the FCRA when they willfully and/or negligently provided the Public Defender with Plaintiffs credit report.1 Before the Court is defendant Experian’s Motion for Summary Judgment on Counts One and Two2 of the First Amended Complaint.
B. Background
On June 26,1987, TRW, Inc. (Experian’s predecessor) and Credit Data Southwest (“CDS”) (MIS’ predecessor) entered into an agreement allowing CDS to store its records of Arizona consumers in TRW’s database of consumer credit records.3 Customers of MIS would obtain those credit histories by accessing Experian’s database. MIS certified to Experian that it would conduct its business in strict accordance with all state and federal laws, including the FCRA. Experian required MIS to investigate prospective subscribers to ensure they met specific compliance requirements; it also supplied MIS with news on changes in the law, offered training, and invited MIS’s representatives to conferences.
In 1998, MIS entered into an agreement with the Public Defender to supply credit histories. The Public Defender signed a “Permissible Purpose Certificate,” which listed the permissible and impermissible purposes4 to access a credit history under *1005the FCRA. Neither MIS nor the Public Defender forwarded the application or resulting agreement to Experian. MIS billed the Public Defender for services, although Experian provided MIS with details on the Public Defender’s access to Experian’s database.
C. The Public Defender Obtains Direct Internet Access to Experian’s Database
Until 2001, the Public Defender could access Experian’s database only through a dial-up computer connected to MIS, or by faxing or telephoning MIS with its request.5 However, in 2001, Experian decided to offer MIS customers direct Internet access to its database of more than 200 million consumer credit histories, which included the records of Arizona consumers. Offering Internet access to MIS’ customers (and others) would increase profits for Experian, and allow it to expand its market. Switching from phone lines to the Internet would cut costs of five to seven cents per minute, which in the aggregate would save Experian millions of dollars. The new Internet interface would be more user-friendly, and allow Experian to spend less on customer training.
By granting direct Internet access to the database it exclusively controlled, Ex-perian believed that a specific contractual relationship would be created between Ex-perian and the Public Defender. Therefore, Experian’s internal policies dictated it would need to obtain a three-way agreement between the Public Defender, MIS and Experian. Experian policy states that, “A fundamental aspect of enabling access to Experian’s data is to ensure that access requests are properly validated and authorized before access is provided.” Debra Allen, Experian’s manager .of the Security Administration Group (“SAG”), stated in a deposition that it was her office’s “responsibility to grant the access [to customers such as the Public Defender] and to monitor the activities.” Experian itself required the Public Defender to assert that it “acknowledges and agrees that it is responsible for all activities of Subscriber’s employees in utilizing Internet access,” and Experian retained the right to grant or revoke access at “its sole discretion.” Because Experian was now actively providing the Public Defender access to its database of consumer credit histories, Ex-perian included a clause that provided indemnity to Experian by the Public Defender. Finally, Experian’s application form, completed by the Public Defender, stated that Experian “is responsible for processing all requests to establish Internet access accounts for Subscribers through Experian’s existing E-Commerce applications.”
Experian has a policy against allowing “private investigators” or attorneys (other than those involved in debt collection) to access its credit history reports because of a “high risk” that they would access credit reports for impermissible purposes. However, Experian generally would not screen applications for direct Internet access for permissible purpose, though the staff knew it should raise a flag if an application came from a “private investigator.” Karl A. La-sky of the Public Defender’s office returned the signed application forms to Ex-perian. On each form, he identified the “Company Name” as “Pima County Public Defender” and his job title as “Chief Criminal Investigator.” Plaintiffs expert stat*1006ed the applicant’s job title and employer name should have been sufficient notice that there was no permissible purpose to access credit records, and an indicator that Experian should have conducted an in-depth investigation.6 Experian issued the unique user ID and password to Lasky of the Public Defender’s office.
At the time the Public Defender submitted its application, Experian had assigned only two employees to process about 200 Internet access applications per day. These two employees had only high school diplomas, were not trained in the definition of “permissible purpose” under the FCRA, and were not required to review application forms for signs that an applicant might be seeking to access credit reports for. impermissible purposes. Furthermore, Experian did not attempt to independently verify that any customer, including the Public Defender, had a permissible purpose to obtain consumer credit reports, relying only on the verification it assumed that MIS had previously conducted. Essentially, Experian’s primary independent effort to verify that applicants would be accessing credit histories for a permissible purpose was to cross-reference the applicant with a list of names previously approved by MIS. Experian did audit MIS twice — in 1993 and 1998 — but did not review each application approved by MIS over the years.
D. The Public Defender’s Alleged Im- . permissible Access of Plaintiffs Credit History
On January 9, 2002 and August 6, 2002, the Public Defender accessed Experian’s consumer credit database through the Ex-perian website to obtain a full credit report on Plaintiff.7 The Public Defender said it obtained the report on January 9th for “Collection Purposes,” and on August 6th as a “Government Fee for Service,” both of which are facially proper purposes under the FCRA, 15 U.S.C. § 1681b. Even though the invoice for these services were prepared by MIS, Experian directly provided Plaintiffs credit report to the Public Defender through its Internet database based on Experian’s prior approval of the Public Defender’s application.
In 2002, Plaintiff learned that the Public Defender had obtained his credit history when prior to the criminal trial, he was interviewed by an investigator and an attorney from the Public Defender regarding his credit history. During the criminal trial, the Public Defender questioned Plaintiff about his finances. On September 25, 2002, MIS asked the Public Defender to explain why it had requested and how it had used Plaintiffs credit report.8 Lasky wrote back on October 2, 2002, stating that it had obtained Plaintiffs credit report because his weak financial status “may have been a motivating factor driv*1007ing the victim’s family to support prosecution of our client.” MIS did not investigate the incident further, and it did not suspend or terminate the services of the Public Defender. Experian was unaware the Public Defender had accessed Plaintiffs credit history for an impermissible purpose until it was served with this lawsuit.
Plaintiff is seeking emotional distress damages caused by Experian’s willful and/or negligent failure to properly screen the Public Defender’s access to its database. Plaintiff emphasized in his deposition that confronting the disclosure of his credit report was a major distraction and forced him to be “on the defensive ... during a time period I needed to be strong for my family,” especially his daughter, and it “sapped me of resources for various, various reasons and it made me less effective in dealing with the most important matter at hand, which was to provide emotional support and strength to my family.” He also testified that dealing with the disclosure of his credit history negatively affected his relationship with his children, and that he worried that his confidential information would fall into the hands of a member of the criminal defendant’s family who had been convicted of identity theft. When the Public Defender aired its theory that Plaintiff had fabricated the allegation of his daughter’s molestation to obtain money from the criminal defendant, he felt high levels of stress. However, Plaintiff never discussed the access to his credit report with his psychological counselor.
III. Discussion
A. Liability
In enacting the FCRA, Congress set a high standard of behavior for credit reporting agencies to follow because “[tjhere is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” 15 U.S.C. § 1681(a)(4) (emphasis added). Plaintiff alleges that Experian willfully and/or negligently failed to comply with the FCRA, 15 U.S.C. §§ 1681n and 1681o, when it granted the Public Defender direct Internet access to its credit history database for an impermissible purpose. If Experian “knowingly and intentionally perform[ed] an act that violated the FCRA, either knowing that the action violated the rights of consumers or in reckless disregard of those rights,” it is liable under 15 U.S.C. § 1681n for willfully violating Plaintiffs rights. Reynolds v. Hartford Financial Services Group, Inc., 435 F.3d 1081, 1099 (9th Cir.2006). Mere negligence is not willful. Id. at 1097. Furthermore, Experian is not liable if “it has diligently and in good faith attempted to fulfill its statutory obligations.” Id. at 1099.
Experian argues it is entitled to summary judgment because evidence of the procedures in place regulating MIS’ granting of access to customers such as the Public Defender forecloses the possibility of a jury concluding that Experian acted willfully, recklessly and/or negligently. However, the “reasonableness of the procedures [implemented under the FCRA] and whether the agency followed them will be jury questions in the overwhelming majority of cases.” Guimond v. Trans Union Credit Information Co., 45 F.3d 1329, 1333 (9th Cir.1995). Therefore, summary judgment is inappropriate on the theory that Experian’s procedures were reasonable.
Experian’s own policies explained the importance of establishing a direct relationship with a customer before offering direct Internet access to its credit history database, stating that a “fundamental aspect of enabling access to Experian’s data is to ensure that access requests are prop*1008erly validated and authorized before access is provided.” In deciding whether to grant Internet access directly to MIS’ customers, Experian merely assumed that MIS’ prior screening was adequate to conclude the Public Defender would only access its credit reports for permissible purposes. However, relying on another source to conduct verification, as Experian did in considering the Public Defender’s Internet access application, is not sufficient as a matter of law to avoid liability under the FCRA. “[T]he caselaw is clear that a reporting agency does not act reasonably under the FCRA by deferring entirely to another source of information. The grave responsibility imposed by [the FCRA] must consist of something more than merely parroting information received from other sources.” Soghomonian v. United States, 278 F.Supp.2d 1151, 1156 (E.D.Cal. July 29, 2003), citing Cushman v. Trans Union Corp., 115 F.3d 220, 225 (3d Cir.1997) (internal quotations omitted). Whether Experian’s deferral to MIS’ previous application screening of the Public Defender gave Experian reasonable grounds for believing that credit reports would be used only for permissible purposes is genuinely in dispute. Thus, summary judgment is inappropriate.
Furthermore, that at least some Experian staff were aware of the risk of granting access to investigators or attorneys is evidence that Experian understood it had a responsibility to assess applications independently, and not simply rely on MIS’s previous screening. Indeed, that Experian acknowledged in its policies and documents that it was establishing an independent relationship by granting Internet access to the Public Defender is evidence of the unreasonableness of relying on MIS’ previous screening. Establishing such an independent relationship would be meaningless if Experian did not independently review applications; otherwise, it could simply have notified MIS that it could offer this new service under the exact terms as it had previously. However, new terms, albeit similar ones, were required in Experian’s view. A jury could consider evidence of Experian’s belief that it needed to establish a specific contractual relationship with the Public Defender along with evidence of Experian’s apparent failure to screen the Public Defender’s application for permissible purpose, and decide that Experian willfully violated Plaintiffs rights under the FCRA.
When customers began accessing Experian’s database directly over the Internet, Experian saved significant amounts of money by eliminating phone line and training costs. Had Experian conducted rigorous screening, the cost of adding and training staff might have cut into its profits, a financial motive a jury could consider in assessing whether Experian willfully violated the FCRA. Furthermore, when customers previously requested credit histories by phone or fax, MIS staff would individually review the request, and each time there was the potential of recognizing that the Public Defender’s request was coming from an investigator at an attorney’s office, and thus that there was a “high risk” that the request was being made for an impermissible purpose. However, when Experian began distributing credit reports through an automated Internet protocol, the requests would no longer be reviewed by a person. Given the elimination of this human failsafe, a reasonable jury could conclude that Experian had a heightened responsibility to review applications and that relying on MIS’ previous approval process — one that would have allowed occasional request reviews by people — was reckless or negligent.
Despite its “grave responsibility” to protect consumer privacy, Experian did not train, instruct or expect its staff to review the applications for even facial signs of impermissible use, even though the forms *1009reviewed contained listings for the name of the agency seeking access and the-job title of the specific person seeking database access — clear and specific warning signals that something was amiss and that an investigation was needed. Indeed, Experian’s own policies specifically- prohibit granting access to private investigators or attorneys not engaged in collection work because of the “high risk” that they would violate the FCRA. Yet, the application forms in question were clearly marked as coming from the “chief criminal investigator” (which a jury could reasonably understand to be a “private investigator,” per Experian’s policy) working for the “Pima County Public Defender” (which is clearly an attorney’s office unlikely to be involved in collections). Nonetheless, even though Experian staff knew they should raise a flag when applications arrived from private investigators, it failed to do so in this case.
Given that Experian assigned only two staff members — neither of whom had more than a high school education or any training on permissible purposes under the FCRA — to review 200 applications per day, a jury could conclude that Experian acted recklessly by failing to grant its staff sufficient time to carefully review the applications in accordance with its grave responsibility to uphold the rights of consumers. A jury could further conclude that Experian was therefore reckless. See Reynolds at 1099 (“A company will not have acted in reckless disregard of a consumer’s rights if it has diligently and in good faith attempted to fulfill its statutory obligations ... ”).
Experian argues that even if it had been monitoring the Public Defender’s access, it would still not be liable because the Public Defender offered a facially permissible explanation when it requested and received Plaintiffs credit history. Experian cites Greenhouse v. TRW, Inc., 1998 WL 61037, at *2,, 1998 U.S. Dist. LEXIS 1973, at *7 (E.D.La. Feb. 12, 1998), for the proposition that if a “consumer reporting agency has reason to believe that the user had a permissible purpose in obtaining [a credit report], there is no FCRA violation.” However, in Greenhouse, there was no evidence that the entity requesting the report was doing so for an impermissible purpose; here, there is evidence that Experian negligently and/or willfully failed to comply with the FCRA because it has a policy against granting access to attorneys and investigators, along with Plaintiffs expert who testified an application from an attorney or investigator should have triggered an investigation. Because Experian approved the Public Defender’s application for direct Internet access to its credit history database, despite the fact that a criminal investigator with a public defender’s office would ostensibly have no permissible purpose to access credit reports, a jury could conclude that Experian acted recklessly.
Furthermore, there is sufficient evidence that Experian acted recklessly by devoting so few resources to reviewing applications, hiring underqualified staff, and failing to train them in the “grave responsibilities” óf the FCRA. See Levine v. World Financial Network National Bank, 437 F.3d 1118, 1121 (11th Cir.2006) (rejecting contention that a credit reporting agency’s duty is only to assure that credit report requests are made for a facially permissible purpose “notwithstanding any reasonable grounds to believe that the request is instead made for an impermissible purpose”). Furthermore, as there is sufficient evidence to allow a jury to conclude that Experian acted recklessly, there obviously is sufficient evidence that it also acted negligently.9
*1010B. Damages
If Defendant is found to have violated 15 U.S.C. § 1681o (negligent failure), it will be liable to Plaintiff for: (i) actual damages and (ii) costs of the action and attorney’s fees. If Defendant is found to have violated § 1681 n (willful or reckless failure), it would be liable for: (i) actual damages, or damages not less than $100 and not more than $1,000, for each violation; (ii) punitive damages; and (iii) costs of the action and attorney’s fees.
Plaintiff claims damages stemming from emotional distress caused by Experian’s willful or negligent failure to properly screen the Public Defender’s application for access to its credit history database, leading to the Public Defender’s impermissible access of Plaintiffs credit history. Plaintiff is also seeking punitive damages under the claim that Experian willfully violated the FCRA. To survive summary judgment on an emotional distress claim under the FCRA, Plaintiff must “submit evidence that reasonably and sufficiently explains the circumstances of his injury and does not resort to mere conclusory statements.” McKeown v. Sears Roebuck & Co., 335 F.Supp.2d 917, 932 (W.D.Wis.2004) (internal citations and quotations omitted) (holding that plaintiff submitted sufficient evidence of emotional distress to survive summary judgment). Furthermore, “a plaintiff must support a claim for damages based on emotional distress with something more than his or her own conclusory allegations.” Myers v. Bennett Law Offices, 238 F.Supp.2d 1196 (D.Nev.2002) (holding plaintiffs conclusory statements in affidavits to be insufficient as a matter of law to support an award for emotional distress), citing Cousin v. Trans Union Corp., 246 F.3d 359, 371 (5th Cir.2001). Here, Plaintiff does not merely state his emotional distress injury in conclusory terms, but instead offers sufficient evidence of the entire context in which the disclosure occurred, what the emotional injuries were, and how they were caused by the disclosure.
Defendant argues Plaintiff cannot show that Experian is liable for damages allegedly suffered in this case. Plaintiff did not suffer a denial of credit, a lowering of his credit score, or a financial loss because of the improper access of his credit report, but these are not prerequisites for recovering emotional distress damages under 15 U.S.C. §§ 1681 n or 1681o. Guimond v. Trans Union Credit Information Co., 45 F.3d 1329, 1333 (9th Cir.1995); see also Myers v. Bennett Law Offices, 238 F.3d 1068, 1074 (9th Cir.2000) (holding that violations of FCRA “are akin to invasion of *1011privacy cases,” in which the “primary damage is the mental distress from having been exposed to public view.”). As such, even accepting Defendant’s argument as true on this issue, Plaintiffs FCRA claim for emotional distress survives summary judgment.
Defendant also argues that whatever harm Plaintiff suffered was caused either by witnessing his daughter’s molestation, or by the Public Defender’s promoting the argument that he had a financial motive to accuse the criminal defendant. However, there is sufficient evidence in the record suggesting that Plaintiff suffered emotional distress, which was caused, at least in part, by Experian’s willful and/or negligent failure to adequately review the Public Defender’s 2001 application for direct Internet access to Experian’s database. For example, Plaintiff testified that the divulgence of his credit history “sapped me of resources for various, various reasons and it made me less effective in dealing with the most important matter at hand, which was to provide emotional support and strength to my family.” He testified that the credit disclosure negatively affected his relationship with his children, and he was worried that his credit history might fall into the hands of a member of the criminal defendant’s family who had been convicted of identity theft. The disclosure and resultant allegation of an improper financial motive to testify against the criminal defendant created high levels of stress. Although it was the Public Defender, and not Experian, that made the allegation about Plaintiff, a jury could conclude that this allegation would never have been made had the initial credit disclosure not been made.10
Experian also argues that Plaintiff cannot collect punitive damages — to which he would be entitled if he shows a willful violation under § 1681n — because he stated during his deposition that “I don’t believe [Experian is] intentionally trying to harm me.” However, the statutory requirement of willfulness does not require proof of an intent to cause harm, but only an intent to fail to comply with the FCRA. See § 1681n(a) (“Any person who willfully fails to comply with any requirement imposed under [the FCRA] with respect to a consumer is liable to that consumer ... ”). Furthermore, under § 1681n, Experian will be liable even if it did not “intentionally” violate the FCRA, but only did so recklessly. Reynolds at 1099.
Defendant’s Motion for Summary Judgment on the issue of damages is denied.
IV. Conclusion
Accordingly, IT IS HEREBY ORDERED as follows:
(1) Defendant’s Motion for Summary Judgment is denied.
(2) The parties shall file a Joint Proposed Pretrial Order and any Motions in Limine within 30 days of the filing date of this Order. See Scheduling Order.
(3) Alternatively, if the parties so choose, they may engage in a settlement conference with a Magistrate Judge at no cost to the parties. If the parties choose this option, they should contact the Court which can set up the conference and stay the remaining deadlines.