I've heard that no one or organization is allowed to keep other people's financial records for a certain number of years or something. It prevents people who have failed once in their life to get back up, despite settling all their debts. In short, its sort of like discrimination.

In this defamation context however, I do think CTOS is not responsible for blacklisting, they merely provide the information. This is why the above rule is in place, not to allow companies to provide such information so others can use it to blacklist.