By Cierra D. Newman – Hudson Cook
In June, a large retailer settled claims by the Federal Trade Commission (FTC) alleging that the retailer violated the Fair Credit Reporting Act (FCRA) by refusing to provide victims of identity theft with complete records of questionable transactions.
As part of the settlement, the retailer agreed to an injunction requiring it to comply with Section 609(e) of the FCRA and pay a $220,000 civil money penalty.
The FCRA spells out rights for victims of identity theft and responsibilities for businesses. Identity theft victims are entitled to ask businesses for a copy of transaction records relating to the theft of their identity. Under Section 609(e), businesses-including auto dealers-are required to provide an identity theft victim with application and business transaction records evidencing any transaction that the victim alleges to be the result of identity theft, subject to limited exceptions. Businesses must provide those records no later than 30 days after the date of receipt of a request from a victim with appropriate proof of identity and proof of a claim of identity theft.
Recognizing that millions of Americans have been victims of identity theft, Congress added this requirement to ensure that companies provide victims of identity theft with application and business transaction records about fraudulent transactions made in their names in a timely manner. As a result, when a consumer contacts an auto dealership alleging that someone has fraudulently used the consumer’s identity, the dealership should consider the following information to ensure that it complies with Section 609(e):
Who must comply with Section 609(e)?
A. Most businesses, including auto dealerships, must comply. The law applies to any business that has provided credit, goods, or services to, accepted payment from, or otherwise entered into a transaction with someone believed to have fraudulently used another person’s identification. For example, if your business opened an account in the victim’s name or performed an inquiry or extended credit to someone misusing the victim’s identity, you may be required to provide the records relating to the transaction to the identity theft victim or the law enforcement officer acting on that victim’s behalf.
Q. What documents must my business provide?
A. Your business must provide application and business transaction records, maintained either by your business or by another entity on your business’s behalf, that support any transaction alleged to be a result of identity theft. Records like invoices, credit applications, or account statements may help victims document the fraudulent transaction and provide useful evidence about the identity thief.
Q. What are the procedures for requesting these materials?
A. Requests for documents must be submitted in writing. Your business may specify an address to receive these requests. You may ask victims to provide relevant information, like the transaction date or account number, if they know it. You also can require that victims provide: (1) proof of identity,
like a government-issued ID card, the same type of information the identity thief used to open the account, or the type of information you currently request from applicants; (2) a police report; and (3) a completed affidavit. Victims can use the FTC’s Identity Theft Report, available at IdentityTheft.gov, or another affidavit you accept.
Q. Is it ever appropriate not to provide documents?
A. You can refuse to provide the records if you determine in good faith that: (1) you cannot verify the true identity of the person asking for the information; (2) the request for the information is based on a misrepresentation; or (3) the information requested is Internet navigational data or similar information about a person’s visit to a website or online service.
Identity theft victims are entitled to ask businesses for a copy of transaction records. As the FTC sounds a warning, businesses should evaluate their current policies and procedures and consider whether those procedures are in accordance with the FCRA and other applicable laws.
Cierra D. Newman is an associate in the Washington, D.C., office of Hudson Cook, LLP She can be reached at 202.420.1705 or by email at email@example.com.