Practitioner’s Perspective Complying with the New Federal Identity Theft Law

Guide to Computer Law—Number 275
by Holly K. Towle, J.D.
Holly K. Towle is a partner with Kirkpatrick & Lockhart Preston Gates
Ellis LLP (K&L Gates), an international law firm, and chair of the
firm’s E-merging Commerce group. Holly is located in the firm’s Seattle
office and is the coauthor of The Law of Electronic Commercial
Transactions (2003, A.S. Pratt & Sons). Holly.Towle@KLgates.com,
206-623-7580.

The recent Fair and Accurate Credit Transactions Act of 2003 (FACT)
requires essentially every business to establish procedures to respond to
victims seeking information about identity theft transactions.
FACT becomes effective in a series of staggered dates ranging from March
31, 2004 to December 1, 2004. FACT at least impacts every business that:
- is notified by a consumer that he or she may be a victim of identity
  theft;
- uses a consumer report (a/k/a credit report) for any reason, such
  as checking a new employee or tenant’s background or deciding to
  extend credit or provide goods or services;
- furnishes information to a credit bureau (a/k/a consumer reporting
  agency) or is one;
- shares consumer information with affiliates;
- sells, transfers or places for collection, debt involving identity theft;
- electronically prints receipts showing credit or debit card numbers or
  expiration dates; or
- uses credit scores, makes offers to prescreened customers, or uses
  medical information.
The new obligations vary depending upon the nature of the business and
recently issued or upcoming, voluminous regulations. It is safe to say now,
however, that essentially every business must put into place procedures
for verifying and providing information to alleged victims of identity
theft. Although state law is significantly preempted by FACT, states are
continuing to legislate in areas that are not preempted (and areas that are).
Some of that legislation makes failure to adhere to certain “identity theft”
rules an unfair act.

Practitioner’s Perspective appears periodically
in the monthly ReportLetter of the CCH Guide to
Computer Law. Various practitioners provide in-depth analyses of significant issues and trends.

What Is Identity Theft?
The term refers to a variety of federal and state
crimes (over 180 federal criminal statutes alone), all of which include
“stealing” someone’s personal identifying information in order to conduct
a transaction or crime in that person’s name. A classic case is using
information in a lost or stolen wallet to transact business as the person
who lost the wallet. The thief uses the victim’s personal information to
take funds from bank accounts, to obtain telephone or other services, to run
up debts, or to commit crimes. Meanwhile, the individual victim is seen
as the wrongdoer and must prove that he or she did not actually engage
in the transaction. Proving that involves gathering a lot of information
and that is why FACT has such a widespread impact: essentially every
business must supply certain information to the true victim – but it may not
supply it to someone else (such as another potential identity
thief). Accordingly, FACT includes significant verification
obligations and many other rules designed to aid the victim
whose identity has been stolen. There is another victim, of
course—the business duped into dealing with the thief, but
that victim is not the focus of FACT.
Note that the victim whose identity is stolen is not liable
for the thief’s transactions and may be a stranger to, not a
customer of, the duped business. This can have unexpected
consequences. For example, privacy policies stating that
a business will share a customer’s information only with
the customer, service providers, or regulators may be
out of compliance with FACT. That business must share
information about the victim with the victim, but the victim
is not a customer (the thief was the customer).
Further Details About FACT:
- If a consumer has placed a “fraud” or “active duty”
  alert in their credit bureau file, a business receiving
  a report may not proceed with certain transactions until
  it has taken certain steps described in the statute, such as
  contacting the consumer by telephone.
- Persons furnishing information to credit bureaus must
  establish new procedures to respond to notice of
  identity theft and avoid “repollution” of the consumer’s
  file; they are also required to engage directly with
  consumers in dispute resolution procedures when
  applicable.
- No one who accepts credit cards or debit cards may
  electronically print more than the last five digits of the
  card number or the expiration date upon any receipt
  provided at the point of the sale or transaction.
- Consumers have significant new rights, including a right
  to receive a “risk-based pricing notice” when any user
  of a consumer report extends credit (a broadly defined
  term perhaps including delayed payment for goods or
  services) to one consumer on material terms that are
  not as favorable as those used for most other customers
  (such as using a report to require a deposit from some
  customers before rendering services).
- Users of medical information from consumer reports
  are subject to new rules regarding the consent the
  consumer must supply, and creditors may not use
  medical information to determine eligibility for credit.
- Subject to exceptions, anyone receiving consumer
  information from affiliates may not use it for marketing
  solicitations unless clear and conspicuous disclosure
  (with detailed requirements) is made that the
  information will be shared and the consumer is
  provided an “opt-out” opportunity.
- Certain businesses who furnish “negative” information
  about an individual to a credit bureau must provide written
  notice to the individual that the institution will do
  so or has done so. Businesses covered are “financial
  institutions” as broadly defined in the Gramm-Leach-Bliley
  Act (which covers more than financial
  institutions).
- Employers investigating employee misconduct are assisted
  by FACT. It amends the Fair Credit Reporting Act,
  which required notice prematurely alerting the
  employee being investigated. Under FACT, this notice
  can be delayed, subject to limitations.
This is only the tip of the iceberg: FACT is 61 pages
of small print with seven titles, and most provisions
contemplate issuance of detailed regulations. However,
there are some immediate things clients should do. FACT
allows businesses to provide an address for receiving
certain notices, such as notice of identity theft from a
victim. The business may also stipulate (within limits)
what identification or other information will be required
by it before delivering information to that victim. Every
business ought to take advantage of these and other
provisions that allow the business to create a practical
compliance structure.