There’s been a lot of talk about identity theft lately. Maybe you’ve even heard from customers affected by it. Your help can make a big difference. In fact, did you know that your business is required to provide identity theft victims with copies of records relating to the theft?
The Fair Credit Reporting Act (FCRA) Section 609(e) requires you to provide identity theft victims – or law enforcement at the victim’s request – with a copy of records relating to the theft. Following a written request from an identity theft victim, you must provide the records within 30 days, free of charge and without a subpoena. This is sometimes called “the business records turnover provision.”
Identity theft victims may need the records to document the crime or clear up their good name. You want to help them and you know you need to comply with the law. So, make sure you have policies in place for responding to victims’ requests for records.
Based on what we’ve learned, here are a few things to keep in mind when responding to a business records turnover request
- Take stock. Know what types of records you have. Think about applications, account statements, receipts, customer service notes associated with a transaction, and records showing where merchandise was purchased or shipped. If you know what you have, then you can better ensure that victims are provided all types of records related to the identity theft
- Think broadly. The FCRA’s business record turnover provision applies to all different types of identity theft, including new accounts opened, as well as purchases on existing accounts. That’s why it’s important to evaluate your policies periodically to make sure they include new types of identity theft as they emerge.
- Don’t be afraid to duplicate. Under the FCRA you must provide records even if the victim has received the records before. Here’s an example: Suppose a victim sends in a request for records after receiving a late notice on a billing statement. What should you do? Produce all records related to the unauthorized charges, including copies of billing statements, even though the victim may have already received them. Why? Victims may not have kept the copies they previously received, especially if the identity theft happened some time ago. Denying the victim’s request because the victim previously had access to the records does not comply with Section 609(e).
You may be wondering if there’s any time you can refuse to provide records in response to a 609(e) request. If you’re not sure of the victim’s identity, the FCRA allows you to ask for proof of identity, such as a copy of a government-issued identification. You also may ask for proof of a claim of identity theft, such as an Identity Theft Report issued by the FTC or a police report. An FTC Identity Theft Report subjects the person filing the report to criminal penalties if the information is false, and businesses can treat it as they would a police report. After receiving those documents, if, in good faith, you can’t verify the victim’s identity or believe the request for records was based on a misrepresentation, you may decline to provide the records.
For more information about complying with 609(e), read Businesses Must Provide Victims and Law Enforcement with Transaction Records Relating to Identity Theft.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
In reply to Agreed. Most apartment by Steven
When you report identity theft to IdentityTheft.gov, you can create an identity theft Report and a personal recovery plan. You can send a copy of your Report to credit bureaus with a request to remove fraudulent information from your credit report. Report identity theft and learn more at IdentityTheft.gov.