Under the 2003 amendments to the Fair Credit Reporting Act section 609(e), identity theft victims are entitled to get from businesses a copy of the application or other business transaction records relating to their identity theft free of charge. Businesses must provide these records within 30 days of receipt of the victim’s request. Businesses must also provide these records to any law enforcement agency which the victim authorizes.  

Businesses may select a specific address to which requests from victims must be mailed. If the business does not have a high degree of confidence that it knows the victim, before providing the records, the business may ask victims for: 

(1) proof of identity which may be a government issued ID card, the same type of information the identity thief used to open or access the account, or the type of information the business is currently requesting from applicants or customers 

            and 

(2) a police report and a completed affidavit which may be either the FTC Identity Theft Affidavit or the business’s own affidavit. 

This FCRA provision does not require a business to change its current information or record retention procedures. A business may decline to provide the records if, in good faith, it determines that this FCRA provision does not require disclosure, the business entity does not have a high degree of confidence in knowing the true identity of the requester after reviewing the proof of identity provided by the requester, the requester has made a misrepresentation of fact relevant to the request, or the information requested is Internet navigational data or similar information about a person’s visit to a website or online service. 

Although a business may not deny disclosure of these records based on Subtitle A of title V of Public Law 106-102, the business may deny disclosure if it is otherwise prohibited under other provisions of state or federal law.