Most businesses are already familiar with the Fair Credit Reporting Act (“FCRA”) and the various requirements to protect the fairness, accuracy, and privacy of consumer credit information. However, a recent FTC enforcement action against the retailer Kohl’s Department Store, Inc. (“Kohl’s”) has brought a rarely used provision of the statute to light.
This provision—codified at 15 U.S.C. § 1681g(e)—requires businesses to provide, upon request, certain records about commercial transactions to potential victims of identity theft. The FTC’s complaint against Kohl’s is the first time it has alleged a violation of this provision. Risk professionals and businesses should take notice whenever the FTC announces new areas of enforcement, as it could signal greater scrutiny by the agency. This case is no exception. The following is a short summary of Section 1681g(e), the basis for the FTC’s claims against Kohl’s and the resulting settlement, and key considerations for businesses in light of the Kohl’s case.
15 U.S.C. § 1681g(e) Requires Businesses To Give Victims Of Identity Theft Information About Fraudulent Transactions.
The Fair and Accurate Credit Transactions Act (“FACTA”), which amended the FCRA in December 2003, was intended to enhance consumer protections, especially in relation to identity theft. The most well-known provision of FACTA provides consumers with free access to their credit reports annually. FACTA also added Section 1681g(e), which requires that if a business has provided credit to or entered into a commercial transaction with a person who has allegedly committed identity theft, then the business must provide a copy of certain records upon request to (a) the victim of the alleged identity theft or (b) any law enforcement agency or office authorized by the victim to receive the records. 15 U.S.C. § 1681g(e)(1). The business must provide those records “not later than 30 days after the date of receipt of a request from a victim.” Id. In other words, when a consumer spots unauthorized charges or lines of credit and requests copies of records to establish the charges are not theirs, the business must comply.
Before providing the requested records, the business must both verify the identity of the victim and receive evidence that a claim of identity theft has been made, using the criteria the statute sets forth. Id. at § 1681g(e)(2). The statute also specifies how a victim must make their request (in writing and mailed to an address set by the business) and that the information required by the statute must be provided without charge to the victim. Id. at § 1681g(e)(3)-(4).
Kohl’s Alleged Violations Of Section 1681g(e).
According to the FTC’s Complaint filed in the Eastern District of Wisconsin on June 8, 2020, Kohl’s internal policies between February 2017 and April 2019 prohibited giving the required statutory records directly to identity theft victims. Prior to February 2017 and again after April 2019, Kohl’s policy allowed victims to receive the records they requested. But beginning in February 2017, Kohl’s would only “share information identifying the identity thief with law enforcement or with a victim’s attorney.” Subsequently, Kohl’s decided it would only give the records and other details regarding transactions at issue in response to a request directly from law enforcement. In other words, even though the statute refers to requests from “victims,” the only requests Kohl’s would recognize were those from law enforcement. The FTC claimed these policies were clear violations of Section 1681g(e)’s requirements to provide records and to do so within 30 days of a request. Id. at ¶¶ 24-29. The Complaint further alleged that Kohl’s actions also constituted unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act.
The Settlement.
The Court entered a stipulated order settling the Complaint on June 10, 2020 (“Order”). The Order includes a permanent injunction against violating Section 1681g(e), civil penalties of $220,000 for violating the FCRA, a requirement that Kohl’s provide notice to potential victims of the settlement, and a requirement that Kohl’s establish an extensive compliance program regarding Section 1681g(e) requests. The notice provisions require Kohl’s to establish a website within 30 days informing potential victims of their rights under the law. It also gives Kohl’s just 14 days to either provide the requested records to all victims who previously made requests or to notify such prior victims that Kohl’s would provide the requested records upon receipt of identity verification information.
The Kohl’s Settlement Highlights Key Considerations For Businesses.
Is Section 1681g(e) limited to credit reporting agencies?
No. The provision here applies to any business that has “provided credit to, provided for consideration products, goods, or services to, accepted payment from, or otherwise entered into a commercial transaction for consideration with, a person who has allegedly made unauthorized use of the means of identification of the victim.” 15 U.S.C. § 1681g(e)(1). In other words, if your business engages in a commercial transaction with someone who has used the identification or financial information of another without their authority, then the law will likely apply to you.
How likely is the FTC to bring similar enforcement actions in the future?
Obviously, the Kohl’s case is a sample size of one and should not be seen as a trend towards greater FTC enforcement in this area. However, the issue is now clearly on the FTC’s radar. Additionally, the FTC will view the Kohl’s case as providing notice to other businesses about the need to comply with Section 1681g(e). This means that in any future enforcement actions the FTC may seek more onerous relief, including higher civil penalties.
Is my business even aware of the requirement to provide information to potential victims of identity fraud?
Given the lack of prior enforcement, it is possible that risk professionals have not considered whether their business has addressed the requirements of Section 1681g(e). The Kohl’s case is a great opportunity to confirm that your business has a method whereby potential identity theft victims can make requests for their relevant records. Additionally, you should confirm that you have a basic process and standards in place for confirming the identity of potential victims and providing them with the requested information, all within the 30-day deadline set by law.
What sort of records should my business keep to reduce the likelihood of FTC inquiry?
While it may be impossible to prevent the FTC from making an inquiry, having easily accessible and organized records showing your business complies with Section 1681g(e) will go a long way towards short-circuiting a full FTC investigation. The Kohl’s Order helpfully lays out a roadmap for the types of records that the FTC would want to see. Consider retaining records showing:
· All written consumer complaints relating to requests for records under Section 1681g(e) as well as any response;
· Each request for records covered by Section 1681g(e) including the date you received each request and the type of information the victim provided to verify their identity;
· The information you provided, if anything, in response to the request and the timing of the response; and,
· The reasons for any denial of a request under Section 1681g(e).