Under the 2003 amendments to the
Fair Credit Reporting Act section 609(e), identity theft victims are
entitled to get from businesses a copy of the application or
other business transaction records relating to their identity
theft free of charge. Businesses must provide these records
within 30 days of receipt of the victim’s request. Businesses
must also provide these records to any law enforcement agency
which the victim authorizes.
Businesses may select a specific address to which requests from
victims must be mailed. If the business does not have a high
degree of confidence that it knows the victim, before providing
the records, the business may ask victims for:
(1) proof of identity
which may be a government issued ID card, the same type of
information the identity thief used to open or access the
account, or the type of information the business is currently
requesting from applicants or customers
and
(2) a police report
and a completed affidavit which may be either the
FTC Identity Theft Affidavit
or the business’s own affidavit.
This FCRA provision does not require a business to change its
current information or record retention procedures. A business
may decline to provide the records if, in good faith, it
determines that this FCRA provision does not require disclosure,
the business entity does not have a high degree of confidence in
knowing the true identity of the requester after reviewing the
proof of identity provided by the requester, the requester has
made a misrepresentation of fact relevant to the request, or the
information requested is Internet navigational data or similar
information about a person’s visit to a website or online
service.
Although a
business may not deny disclosure of these records based on
Subtitle A of title V of Public Law 106-102, the business may
deny disclosure if it is otherwise prohibited under other
provisions of state or federal law. |