Briefing Paper on Identity Theft and Related Topics
for Volunteer Presenters of the
New Jersey Bankruptcy Law Foundation & HESAA
Joint Financial Literacy Project
By: Steven R. Neuner Esq.
Dated: December 19, 2005
This paper compiles and summarizes information from various resources and is intended
to help you quickly gain basic knowledge needed to make presentations to students. I have
attached copies of some of the resources I have used and included a bibliography. The articles
attached may be copyrighted and are not to be publicly circulated or reproduced without the
permission of the copyright holders, except as may be stated in them.
This paper is for your use only. It is not to be made publicly available without my
permission. It does not create any attorney-client relationship. The sources for this briefing paper
are either cited herein or are listed in the bibliography.
This paper covers the subject in a great deal more detail than may be prudent in dealing
with students at this level. Nevertheless, you may find yourself being asked questions on the
subject and I would hope this briefing paper would assist you in answering those questions.
In footnotes or text, I will refer to various sources in the bibliography by shorthand
identification. Please refer to the bibliography for that purpose. Much of this paper is drawn from
a recent article I have posted for the benefit of clients, and is therefore in the first person.
What is Identity Theft and how widespread is it?
According to Consumer Reports, citing a recent survey by the Center for Social and Legal
Research, seven million persons were victims of identity theft in 2002. “Stop thieves from
stealing you”, Consumer Reports, October 2003. The personal and financial cost is large, and
growing. It amounts to millions of dollars in lost money and time with the average victim losing
$800 and spending two years clearing his or her name and credit record. “Stop thieves from
stealing you”, Consumer Reports, October 2003. Many times, the victims do not learn of the
crime for a year or more. Id.
Identity theft occurs when someone fraudulently uses your name, identifying data and credit to
borrow money or to buy merchandise or services in your name. If the perpetrator has obtained a new
credit card or otherwise borrowed money in your name, odds are you won’t learn about it until he
or she has run up a large balance, because the criminal will have made sure that the statements go
to an address other than yours.
The key to this crime is your personal private information, especially your Social Security
number, birthdate, existing credit card or bank account information, driver’s license numbers,
mother’s maiden name, to cite the most common examples. See FTC Website on Identity Theft,
www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm.
Sometimes, this information comes from the identity thief stealing it from financial institutions,
merchants, credit bureaus, or government. Just as often it comes because you, the victim, are
careless or duped by elaborate schemes into letting your information go. Through a scheme
called “phishing”, you receive a very official looking email warning you that your bank or other
account has been compromised, or needs to be verified. You are asked to click on a link,
supposedly to go to the supposed sender, to reply. In fact, that link does something quite
different, and may result in you unknowingly downloading a malicious computer program (called
a Trojan Horse) that tracks and sends out a record of what you are typing (called “keyboard
logging”) or finds and sends out confidential information off your computer, without your
knowledge. See Privacy Rights Clearinghouse website, http://www.privacyrights.org/index.htm.
What indicators are there that one is a victim of identity theft?
Usually, the first indication is suspicious activity in a bank account or credit card
account. Sometimes the first hint is when a collector tracks you down. Because the perpetrators
want you to remain ignorant of what they are doing, they will often use a false address so that
you do not receive notice.
Under the New Jersey Identity Theft Protection Act, discussed below, businesses and
agencies need to promptly report thefts of personal information. This prompt reporting will help
provide you an early alert to possible trouble. This change is a major improvement.
What should students do to minimize the threats?
The following information is compiled from a variety of sources, cited herein or in the
bibliography. Some of the ideas are my own.
• Don’t let others have or use your accounts. I and others have often seen clients whose
problems stemmed from letting a boyfriend etc. have a PIN number, use a credit card or
bank account. In one instance I know about, the husband was intercepting the mail, and
opening credit card accounts in the wife’s name without her knowledge. Another
common scenario is co-signing a car loan or mortgage.
• Maintain physical security of your important information.
This seems obvious, but you should safeguard your driver’s license and other government
ID at all times. Lock desks, cabinets, and safes containing such information in your office and
home. Memorize your Social Security number and do not carry your Social Security number with
you in your wallet, or keep a copy of it in your wallet or purse.
• Don’t give away information.
Never disclose your Social Security number, account number or credit card PIN numbers, birth
date, driver’s license number or mother’s maiden name unless you initiated the transaction. On
paper documents, don’t include such data unless required to do so on an official application for
employment, financing, or insurance. (Ask employers, schools, and financial institutions to offer
alternatives.)
No legitimate bank or lender will ever ask for such information over the phone, or via email.
IF YOU DIDN’T MAKE THE CALL OR ONLINE PURCHASE, OR ISSUE THE EMAIL,
DON’T GIVE OUT THE INFORMATION.
• Protect information on your computer, and safeguard yourself when online.
Author’s Note: You will be talking to kids who have a surprising level of computer
literacy. This information is helpful for you to have knowledge of what you are talking
about, but unless, like me, you are an “amateur computer geek”, stay away from any
technical details you do not know about. Just provide the basic warnings and confess
your ignorance where appropriate. This segment is compiled from personal experience
and knowledge, as well as recommendations on the cited locations.
• See the FTC web site, http://onguardonline.gov. This very valuable site contains tips on
ways to safeguard yourself when you are online. OnguardOnline is a partnership between
the FTC, other federal agencies, and the technology industry. The site offers advice on
identity theft, phishing, spyware, spam, online shopping, and other pertinent computer
topics.
• Install firewalls, internet privacy and virus-detection software on your home computers
to discourage hackers from “tapping into” your computer via the Internet. Shutting off
computers when not in use is also helpful (although hackers in Eastern Europe or Russia
can be expected to work around the clock). Hackers use computer programs to “probe”
large numbers of internet addresses looking for “doors that are unlocked”. A firewall is
nothing more than a “lock”. It encourages the hacker to leave you alone.
   - More information than you need to know: Firewalls come in two types:
software and hardware. The hardware firewall can be as simple and inexpensive
as a “cable router” which is hooked up between your cable modem and your
computer. Through “network address translation”, (the technical details of which I
am ignorant), the cable router becomes the “computer” that a hacker sees when
she probes your site, but from your side, you are able transparently to access the
Internet. These routers typically have an “administrative password” that allows
you to control how the router works. You always want to change this password
from the default (usually “0000”) to something else which is hard to crack. (See
“Use Good Passwords” below). To remember the password on the few occasions
you need it, you can write the password on a label on the bottom of the router.
• If you use a wireless network at home, make sure it is secure and shut it off when not in
use. Be especially careful when using wireless connections in public places or public
computers. Avoid using either for financial transactions, and if you do, be sure to log off
when done.
• Deal only with reputable Web sites. Check privacy and security policies of Web sites
before making purchases, trading stocks, or banking online. A professional-looking Web
site is no guarantee of security. Don’t respond to unsolicited e-mail requests for personal
information. (See phishing, below.)
• Use good passwords. Password-protect your bank and brokerage accounts. Create
passwords at least eight characters long that use combinations of letters, punctuation and
numbers.
   - Hints: To make them hard to crack but easy to remember, develop an acronym
from a phrase you will remember, substituting 1 for “a”, 2 for “to”, 4 for “for”, etc.
(e.g., “to make them hard to crack!” becomes “2mth2c!”). Or intentionally misspell
words, or use capital and lower case letters in unusual ways.
   - How to remember all those passwords. This is the usual reason why people use
few passwords or bad ones. Quick access to passwords near the computer is what
is needed. One solution is to keep a binder nearby with alphabetic dividers (with
a separate sheet for each website, etc., kept in alphabetic order). The tradeoff in
security is obvious, but since it is not yet technically possible to “hack into” the
binder from your computer, the real problem is unauthorized people getting hold
of the binder and the records in it. This is less of a concern if the binder is made to
look innocuous (i.e., “hidden in plain sight”). Another way is to create a file, protected
by a HIGHLY secure password, containing a listing of all passwords. The file should be
given an innocuous-sounding name (again, hidden
in plain sight: don’t label it “passwords”!). A third alternative is to use one of the
software firewall or “Internet Privacy” packages that maintain for you a secure
location for all passwords.
• Watch out for “phishing” and spyware. These are ways in which malicious programs
get installed on your computer which then operate as conduits, feeding information about
you back out over the Internet.
   - “Phishing” is done by very official-looking emails that direct you to a
bogus site where you volunteer your password or other private information in the
mistaken belief you are providing it to your bank or other business you deal with.
Attached are copies of two recent emails I received. The one from Wells Fargo
(note the misspelling “Forgo”) is obvious. The eBay one (I did have an eBay
account at one time) is less so. The point is that, although the text of the “link”
looks right, where you go or what happens when you click the link has nothing to
do with the label that you see. Sometimes the link takes you to a site which, upon
connection, downloads a program on your computer which then steals your data
or does something else equally undesirable.
Author note: This is very important for kids to know. Not being as jaded
and suspicious as we adults, they can easily be taken in by this type of
scam. This is also something that “hits them where they live”.
   - “Spyware” are little programs that get installed when you go to a website, and
make use of the fact that websites are supposed to communicate with and
download information on your computer (e.g., “cookies”, which are the reason that
when you go back, the site “remembers” you). Mostly, these programs send out
“anonymous” information about your consumer preferences, based on where
users at your computer go on the internet. They also can bog down the computer.
However, they can include “keyloggers” which capture the keystrokes at your
computer including passwords and private information, then send these out
without your knowledge.
Author note: I didn’t really think this happened. However, I set up my
software firewall to warn me whenever certain key information such as
specified account numbers and Social Security numbers was leaving my
computer. I was surprised when, twice, such warnings popped up at
times I was not sending that information out...
• Report any suspicious activity right away. Always look at your bank statements or
credit card statements right away, and always question anything that does not look right.
Keep your charge receipts until the credit card bill comes in. That way, if the charge is
more than what you authorized, you can prove it.
   - Personal note. In one recent instance, a client of mine reported her car was
broken into, but her wallet, with all the cash still in it, was left on the ground
outside. Since nothing was stolen, she did not report the incident. However, the
thieves had copied down her credit card numbers and other important information.
Soon afterwards, they began a spending spree and she spent months trying to
straighten things out.
• Shred or destroy all unused credit cards, all credit card offers or “convenience
checks”, and anything else with confidential information on it. A “pre-approved”
credit card application form with your name on it could be just the ticket for a thief to
steal your identity. Likewise, your credit card company may send you “balance transfer”
or “cash advance” checks attached to your statement. Always shred these. The best choice
is a “crosscut” shredder. For large volumes of paper, you should check your yellow pages
for a commercial company. In some areas, local governments sponsor annual “free
shredder” days as a public service. Before throwing out files containing Social Security
numbers, account numbers, and birth dates, shred them with a cross-cut shredder. Destroy
CDs or floppy disks containing sensitive data by shredding, cutting, or breaking them.
Use hard-drive shredding software or remove and destroy your hard drive before
discarding a computer. Just deleting files isn’t enough.
• Watch your credit. Order copies of your credit report every year from each of the three major
credit reporting agencies. Under FACTA, you are entitled to a free credit report once a
year. See PRC FACTA Article.
• Guard mail. Information can be stolen from your mail. Consider using a locked mailbox
or slot, a postal mailbox, or mailing directly at the post office. Consider paying bills
online as a way to avoid using the mail at all.
• Guard your cards. Try not to let waiters, sales clerks, or gas-station attendants disappear
from view with your credit or debit card, to avoid “skimming.” Crooks can use a
handheld card reader to copy the information from your card’s magnetic strip.
• Beware strange ATMs. Avoid using private or strange-looking automated teller
machines, because they may be rigged to skim data off your card’s magnetic strip. Six- or
seven-character PINs (personal identification numbers) are harder to crack than shorter
ones, but you may not be able to use them at machines abroad. See above about good
passwords.
• Watch out for “shoulder surfers” when using pay phones or public Internet access; use
your free hand to shield the keypad. Don’t use cordless phones to conduct sensitive
financial or medical business, because eavesdroppers on other phones and those using
eavesdropping equipment may be able to overhear your conversations.
What steps should be taken if one is a victim of identity theft?
See “Take Charge: Fighting Back against Identity Theft”, FTC Website,
www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm, and the New Jersey Identity Theft webpage,
www.state.nj.us/identitytheft. A copy of the “Fighting Back” article is attached. Below is a brief
summary, but the “Fighting Back” article is hard to beat.
• Immediately file a police report, and get a copy. See New Jersey Identity Theft Protection Act,
discussed below.
• Immediately contact all your credit card companies, banks etc. and order an “initial fraud
alert” good for 90 days.
• Request a “security freeze” on your credit report. See discussion below of New Jersey
Identity Theft Protection Act.
• If your driver’s license was stolen or the number obtained illegally, report this to the state
motor vehicle agency in question.
• For bank or credit accounts, ask for new PIN numbers, and replacement accounts with
new numbers.
• If you do any of this by phone, take careful note of the date, time and person you spoke
to. Ask for an incident number and ask for an address, fax number and email address
where you can confirm your report. Then confirm each report.
• Be sure to put everything in writing and keep careful records of all letters or emails and
any other dealings you have, especially those where the bank or lender agrees to credit
your account. Set up a filing system.
What Rights or Protections do consumers have?
1. Limitation of Liability Provisions under the federal Electronic Funds Transfer Act.
Most students are going to have ATM cards, if not credit cards. They need to know about
the importance of promptly reporting theft or loss of these items. The Electronic Funds
Transfer Act, 15 U.S.C. 1693 et seq., and regulations under it provide important
protections where unauthorized use of a MAC card or other form of electronic transfer
(an “unauthorized electronic funds transfer”) takes place. (See footnote 3 for definition of
this term.) [1]
a. The student’s maximum loss is $50 or the amount or value obtained before the
bank gets notice of the unauthorized use, or of circumstances leading to a
reasonable belief the use was unauthorized, 15 U.S.C. 1693g, except that
b. If the student does not report loss or theft of a card within 2 business days after
learning about it, the exposure goes up to $500.00. Id. [2]
c. And, if the student does not report an unauthorized transfer within 60 days after
the bank sends the statement on which the transfer appears, the liability is
unlimited. Id.
d. If the student lets someone else use the card etc. or her PIN number, she’s out of
luck. [3]
[1] Separate rules apply to billing disputes for credit cards and some credit card companies
afford complete protection against loss or theft.
[2] In extenuating circumstances such as extended travel or hospitalization, the 2 day
deadline can be increased to a “reasonable time under the circumstances”.
2. Additional Rights under the New Jersey Identity Theft Protection Act, N.J.S.A.
56:11-44 et seq.
On January 1, 2006, the New Jersey Identity Theft Protection Act [“ITPA”] goes into
effect. It contains several important provisions:
1. Security Freezes. All consumer credit reporting agencies (“CRA’s”) must place a
“security freeze” on the consumer report of the consumer, upon written request, within
five business days, N.J.S.A. 56:11-46(b), and send the consumer written confirmation of
this within five business days after placing the freeze. Id. At the same time, the CRA
must give the consumer a PIN or password to use in obtaining authorization for the release
of credit information. Id.
"Security freeze" means a notice placed in a consumer's consumer report, at the request of
the consumer and subject to certain exceptions, that prohibits the consumer reporting
agency from releasing the report or any information from it without the express
authorization of the consumer, but does not prevent a consumer reporting agency from
advising a third party that a security freeze is in effect with respect to the consumer
report. N.J.S.A. 56:11-30.
Once this happens, and until the consumer releases the freeze, the consumer has control
of his/her credit report. Release of information can only be made by certified or overnight
mail or secure email, and by providing the PIN or password, and other information
“generally deemed sufficient to identify a person”. N.J.S.A. 56:11-46(d). These requests
must be acted on by the CRA within three business days. N.J.S.A. 56:11-46(e).
[3] “The term "unauthorized electronic fund transfer" means an electronic fund transfer from
a consumer's account initiated by a person other than the consumer without actual authority to
initiate such transfer and from which the consumer receives no benefit, but the term does not
include any electronic fund transfer (A) initiated by a person other than the consumer who was
furnished with the card, code, or other means of access to such consumer's account by such
consumer, unless the consumer has notified the financial institution involved that transfers by
such other person are no longer authorized, (B) initiated with fraudulent intent by the consumer
or any person acting in concert with the consumer, or (C) which constitutes an error committed
by a financial institution.” 15 U.S.C.A. § 1693a(11)
While the freeze is in place, the CRA may not change the consumer’s name, date of
birth, Social Security number or address on the credit report without sending written
confirmation to the consumer within 30 days. N.J.S.A. 56:11-47.
Wilful violations of these provisions expose the CRA to actual damages of $100-$1000
and punitive damages plus counsel fees and costs. N.J.S.A. 56:11-38 and 56:11-50.
Negligent violations expose the violator to actual damages, counsel fees and costs. Id.
This is in addition to remedies available under previous enactments for obtaining a
consumer report under false pretenses or knowingly without a permissible purpose. [4]
2. Police must take police reports of identity theft. Local law enforcement agencies must
take any complaint of identity theft and provide the complainant a copy of the complaint,
even though “jurisdiction may lie elsewhere for investigation and prosecution of” the
crime. N.J.S.A. 2C:21-17.6(a). This is intended to prevent these agencies from refusing to
take such complaints as “a civil matter”.
3. Prompt disclosure to consumers of any breach of security involving personal
information. Under N.J.S.A. 56:8-161 to 166, “Any business that conducts business in
New Jersey, or any public entity that compiles or maintains computerized records that
include personal information, shall disclose any breach of security of those computerized
records following discovery or notification of the breach to any customer who is a
resident of New Jersey whose personal information was, or is reasonably believed to have
been, accessed by an unauthorized person.” N.J.S.A. 56:8-163(a). This must be done “in
the most expedient time possible and without unreasonable delay” subject to certain
limitations. Id. A report must be made to law enforcement authorities before the report to
consumers. N.J.S.A. 56:8-163(b). Protected personal information includes “an
individual's first name or first initial and last name linked with any one or more of the
following data elements: (1) Social Security number; (2) driver's license number or State
identification card number; or (3) account number or credit or debit card number, in
combination with any required security code, access code, or password that would permit
access to an individual's financial account.” N.J.S.A. 56:8-161.
[4] Under N.J.S.A. 56:11-38, any natural person who obtains a consumer report under false
pretenses or knowingly without a permissible purpose may be held liable for actual damages or
$1000, whichever is greater, plus punitive damages and counsel fees and costs.
4. All records of personal information must be destroyed when no longer in use. N.J.S.A.
56:8-162.
5. Prohibited posting or display of Social Security numbers. Under N.J.S.A. 56:8-164,
no person, business or public agency may do any of the following, except as required by
other State or federal law:
(1) Publicly post or display... any four or more consecutive numbers taken from an
individual's Social Security number;
(2) Print an individual's Social Security number on any materials that are mailed
to the individual, unless State or federal law requires the Social Security number
to be on the document to be mailed;
(3) Print an individual's Social Security number on any card required for the
individual to access products or services provided by the entity;
(4) Intentionally communicate or otherwise make available to the general public
an individual's Social Security number;
(5) Require an individual to transmit his Social Security number over the Internet,
unless the connection is secure or the Social Security number is encrypted; or
(6) Require an individual to use his Social Security number to access an Internet
web site, unless a password or unique personal identification number or other
authentication device is also required to access the Internet web site.
6. Consumer Fraud Remedies. Violations of the provisions concerning reporting security
breaches, non-disclosure of Social Security numbers, and requirements to destroy records
containing personal information are treated as violations of the Consumer Fraud Act,
which Act provides for treble damages and counsel fees. N.J.S.A. 56:8-166.
BIBLIOGRAPHY and SOURCES
“CU” and “ConsumerReports”- Consumers Union of U.S. Inc. See the August 2005 issue of
Consumer Reports for articles on Credit Scores. These resources are available for subscribers to
ConsumerReports.org, their online resource. I have consulted the following articles:
November 2004: “Guarding your credit record”
October 2003: “Stop thieves from stealing you”
“FICO”- Fair Isaac Corporation. Website, www.myfico.com. Site contains lots of information
and financial calculators which demonstrate the costs of bad credit.
“FACTA”- The Fair and Accurate Credit Transaction Act of 2003, Pub. L 108-159, which added
new sections to the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. I relied on the
excellent article, attached hereto, from PRC entitled “FACTA, The Fair and Accurate Credit
Transactions Act: Consumers Win Some, Lose Some”
“Privacy Rights Clearinghouse” or “PRC” - a non-profit organization based in San Diego
California. Website: www.privacyrights.org
“PRC FACTA Article”– Privacy Rights Clearinghouse, “FACTA, The Fair and Accurate
Credit Transactions Act: Consumers Win Some, Lose Some”, 2005, available online at
www.privacyrights.org/fs/fs6a-facta.htm
“FTC Take Charge”–“Take Charge: Fighting Back Against Identity Theft”
www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
Attachment A: Sample “phishing” emails
Dear Wells Forgo customer,
We recently reviewed your account, and suspect that your wellsfargo account account may have
been accessed by an unauthorized third party. Protecting the security of your account and of the
wellsfargo network is our primary concern. Therefore, as a preventative measure, we have
temporarily limited access to sensitive account features.
To restore your account access , please take the following steps to ensure that your account has
not been compromised:
1. Login to your wellsfargo account. In case you are not enrolled yet for Internet Banking, you will
have to use your Social Security Number as both your Personal ID and Password and fill in the
required information, including your name and account number.
2. Review your recent account history for any unauthorized withdrawals or deposits, and check your
account profile to make sure no changes have been made. If any unauthorized activity has taken
place on your account, report to wells fargo immediately.
To get started, please click the link below:
http://online.wellsfargo.com/signon
We apologize for any inconvenience this may cause, and appreciate your assistance in helping us
maintain the integrity of the entire Wells Fargo system. Thank your for your prompt attention to this
matter.
Sincerely,
Wells Fargo Team.
Please do not reply to this email. Mails sent to this address cannot be answered. For assistance, log
in to your wellsfargo account and choose the "Help" link in the header of any page.
11/16/2005
PayPal Security Measures!
We are contacting you to remind you that: on 3 December 2005 our Account Review Team identified some
unusual activity in your account, one or more attempts to log in to your PayPal account from a foreign IP
address.
IP Address        Time                             Country
80.53.1.130       December 2, 2005 15:05:08 PDT    Poland
80.53.255.174     December 2, 2005 15:07:58 PDT    Poland
141.85.99.169     December 3, 2005 15:13:09 PDT    Romania
141.85.99.169     December 3, 2005 21:28:08 PDT    Romania
195.61.146.130    December 3, 2005 21:33:43 PDT    Romania
In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your
account was limited. Your account access will remain limited until this issue has been resolved. To secure your account
and quickly restore full access, we may require some additional information from you.
To securely confirm your PayPal information please go directly to https://www.paypal.com/ log
in to your PayPal account and perform the steps necessary to restore your account access as
soon as possible or click bellow:
To continue your verification procedure click here
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your
PayPal account and choose the "Help" link in the footer of any page.
To receive email notifications in plain text instead of HTML, update your preferences here.
12/5/2005
Attachment B:
“Stop-Think-Click, Seven Practices for Safer Computing”
OnGuardOnline.gov
STOP • THINK • CLICK
Seven Practices for Safer Computing
Access to information and entertainment, credit and financial services, products from every corner
of the world — even to your work — is greater than earlier generations could ever have imagined.
Thanks to the Internet, you can order books, clothes, or appliances online; reserve a hotel room
across the ocean; download music and games; check your bank balance 24 hours a day; or access
your workplace from thousands of miles away.
The flip-side, however, is that the Internet — and the anonymity it affords — also can give online
scammers, hackers, and identity thieves access to your computer, personal information, finances,
and more.
But with awareness as your safety net, you can minimize the chance of an Internet mishap. Being
on guard online helps you protect your information, your computer, even yourself. To be safer and
more secure online, adopt these seven practices.
1. Protect your personal information. It’s valuable.
Why? To an identity thief, your personal information can provide instant access to your financial
accounts, your credit record, and other assets.
If you think no one would be interested in your personal information, think again. The reality is
that anyone can be a victim of identity theft. In fact, according to a Federal Trade Commission
survey, there are almost 10 million victims every year. It’s often difficult to know how thieves
obtained their victims’ personal information, and while it definitely can happen offline, some
cases start when online data is stolen. Visit www.consumer.gov/idtheft to learn what to do if your
identity is stolen.
Unfortunately, when it comes to crimes like identity theft, you can’t entirely control whether you
will become a victim. But following these tips can help minimize your risk while you’re online:
• If you’re asked for your personal information — your name, email or home address,
phone number, account numbers, or Social Security number — find out how it’s going
to be used and how it will be protected before you share it. If you have children, teach
them to not give out your last name, your home address, or your phone number on the
Internet.
• If you get an email or pop-up message asking for personal information, don’t reply or
click on the link in the message. The safest course of action is not to respond to requests
for your personal or financial information. If you believe there may be a need for such
information by a company with whom you have an account or placed an order, contact
that company directly in a way you know to be genuine. In any case, don’t send your
personal information via email because email is not a secure transmission method.
• If you are shopping online, don’t provide your personal or financial information through
a company’s website until you have checked for indicators that the site is secure, like a lock
icon on the browser’s status bar or a website URL that begins “https:” (the “s” stands for
“secure”). Unfortunately, no indicator is foolproof; some scammers have forged security
icons.
• Read website privacy policies. They should explain what personal information the
website collects, how the information is used, and whether it is provided to third
parties. The privacy policy also should tell you whether you have the right to see what
information the website has about you and what security measures the company takes to
protect your information. If you don’t see a privacy policy — or if you can’t understand
it — consider doing business elsewhere.
2. Know who you’re dealing with.
And know what you’re getting into. There are dishonest people in the bricks and mortar world
and on the Internet. But online, you can’t judge an operator’s trustworthiness with a gut-affirming
look in the eye. It’s remarkably simple for online scammers to impersonate a legitimate business,
so you need to know whom you’re dealing with. If you’re shopping online, check out the seller
before you buy. A legitimate business or individual seller should give you a physical address and a
working telephone number at which they can be contacted in case you have problems.
Phishing: Bait or Prey?
“We suspect an unauthorized transaction on your account. To ensure that your
account is not compromised, please click the link below and confirm your identity.”
“Phishers” send spam or pop-up messages claiming to be from a business or organization that you
might deal with — for example, an Internet service provider (ISP), bank, online payment service,
or even a government agency. The message usually says that you need to “update” or “validate”
your account information. It might threaten some dire consequence if you don’t respond. The
message directs you to a website that looks just like a legitimate organization’s, but isn’t. The
purpose of the bogus site? To trick you into divulging your personal information so the operators
can steal your identity and run up bills or commit crimes in your name. Don’t take the bait:
never reply to or click on links in email or pop-ups that ask for personal information. Legitimate
companies don’t ask for this information via email. If you are directed to a website to update
your information, verify that the site is legitimate by calling the company directly, using contact
information from your account statements. Or open a new browser window and type the URL
into the address field, watching that the actual URL of the site you visit doesn’t change and is still
the one you intended to visit. Forward spam that is phishing for information to spam@uce.gov and
to the company, bank, or organization impersonated in the phishing email. Most organizations
have information on their websites about where to report problems.
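The mismatch described above, between the address a message shows and the site its link actually opens, can be checked mechanically. The following Python sketch is an added example, not part of the OnGuardOnline brochure; the sample message body, its link targets, and the list of known domains are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body, modeled on the messages reproduced in this paper.
# The href values are placeholders: 192.0.2.0/24 and .example are reserved
# for documentation and do not come from the original messages.
SAMPLE_HTML = """
<p>To get started, please click the link below:</p>
<a href="http://192.0.2.10/signon">http://online.wellsfargo.com/signon</a>
<p>To continue your verification procedure
<a href="http://paypal.com.account-check.example/login">click here</a></p>
<a href="https://www.paypal.com/">https://www.paypal.com/</a>
"""

# Assumption: the domains the recipient actually does business with.
KNOWN_DOMAINS = ("wellsfargo.com", "paypal.com")

# Visible link text that itself looks like a web address.
URL_TEXT = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def host_of(url):
    """Lower-case host name of a URL; accepts text with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip(host):
    """True when the host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html, known=KNOWN_DOMAINS):
    """Return (visible text, real host, warnings) for each link in the body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    report = []
    for text, href in parser.links:
        host = host_of(href)
        flags = []
        if is_ip(host):
            flags.append("target is a bare IP address")
        if URL_TEXT.match(text) and host_of(text) != host:
            flags.append("visible URL does not match target")
        for domain in known:
            # e.g. paypal.com.something.example is not paypal.com
            if domain in host and not (host == domain or host.endswith("." + domain)):
                flags.append("known name inside another domain")
        report.append((text, host, flags))
    return report


if __name__ == "__main__":
    for text, host, flags in audit_links(SAMPLE_HTML):
        print(f"{text!r} -> {host}: {flags or 'no warnings'}")
```

A link with no warnings is not proof that a message is genuine; the brochure's advice to contact the company directly still applies.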
Free Software and File-Sharing: Worth the hidden costs?
Every day, millions of computer users share files online. File-sharing can give people
access to a wealth of information, including music, games, and software. How does
it work? You download special software that connects your computer to an informal
network of other computers running the same software. Millions of users could be
connected to each other through this software at one time. Often the software is free and easily
accessible.
But file-sharing can have a number of risks. If you don’t check the proper settings, you could allow
access not just to the files you intend to share, but also to other information on your hard drive,
like your tax returns, email messages, medical records, photos, or other personal documents. In
addition, you may unwittingly download pornography labeled as something else. Or you may
download material that is protected by the copyright laws, which would mean you could be
breaking the law.
If you decide to use file-sharing software, set it up very carefully. Take the time to read the End
User Licensing Agreement to be sure you understand and are willing to tolerate the side effects of
any free downloads.
Spyware
Many free downloads — whether from peers or businesses — come with potentially
undesirable side effects. Spyware is software installed without your knowledge or
consent that adversely affects your ability to use your computer, sometimes by
monitoring or controlling how you use it. To avoid spyware, resist the urge to install any software
unless you know exactly what it is. Your anti-virus software may include anti-spyware capability
that you can activate, but if it doesn’t, you can install separate anti-spyware software, and then use
it regularly to scan for and delete any spyware programs that may sneak onto your computer.
Email attachments and links: Legitimate or virus-laden?
Most viruses sent over email or Instant Messenger won’t damage your computer without your
participation. For example, you would have to open an email or attachment that includes a virus
or follow a link to a site that is programmed to infect your computer. So hackers often lie to get
you to open the email attachment or click on a link. Some virus-laden emails appear to come
from a friend or colleague; some have an appealing file name, like “Fwd: FUNNY” or “Per your
request!”; others promise to clean a virus off your computer if you open it or follow the link.
Don’t open an email or attachment — even if it appears to be from a friend or coworker — unless
you are expecting it or know what it contains. You can help others trust your attachments by
including a text message explaining what you’re attaching.
3. Use anti-virus software and a firewall, and update both regularly.
Dealing with anti-virus and firewall protection may sound about as exciting as flossing your teeth,
but it’s just as important as a preventive measure. Having intense dental treatment is never fun;
neither is dealing with the effects of a preventable computer virus.
Anti-virus Software
Anti-virus software protects your computer from viruses that can destroy your data, slow your
computer’s performance, cause a crash, or even allow spammers to send email through your
account. It works by scanning your computer and your incoming email for viruses, and then
deleting them.
To be effective, your anti-virus software should update routinely with antidotes to the latest
“bugs” circulating through the Internet. Most commercial anti-virus software includes a feature to
download updates automatically when you are on the Internet.
WHAT TO LOOK FOR AND WHERE TO GET IT
You can download anti-virus software from the websites of software companies or buy
it in retail stores. Look for anti-virus software that:
• Recognizes current viruses, as well as older ones.
• Effectively reverses the damage.
• Updates automatically.
Firewalls
Don’t be put off by the word “firewall.” It’s not necessary to fully understand how it works; it’s
enough to know what it does and why you need it. Firewalls help keep hackers from using your
computer to send out your personal information without your permission. While anti-virus
software scans incoming email and files, a firewall is like a guard, watching for outside attempts to
access your system and blocking communications to and from sources you don’t permit.
Some operating systems and hardware devices come with a built-in firewall that may be shipped
in the “off” mode. Make sure you turn it on. For your firewall to be effective, it needs to be set up
properly and updated regularly. Check your online “Help” feature for specific instructions.
If your operating system doesn’t include a firewall, get a separate software firewall that runs in
the background while you work, or install a hardware firewall — an external device that includes
firewall software. Several free firewall software programs are available on the Internet.
ZOMBIE DRONES
Some spammers search the Internet for unprotected computers they can control and
use anonymously to send unwanted spam emails. If you don’t have up-to-date anti-virus
protection and a firewall, spammers may try to install software that lets them route email
through your computer, often to thousands of recipients, so that it appears to have come from
your account. If this happens, you may receive an overwhelming number of complaints from
recipients, and your email account could be shut down by your Internet Service Provider (ISP).
4. Be sure to set up your operating system and Web browser software properly, and update
them regularly.
Hackers also take advantage of Web browsers (like Internet Explorer or Netscape) and operating
system software (like Windows or Linux) that are unsecured. Lessen your risk by changing the
settings in your browser or operating system and increasing your online security. Check the
“Tools” or “Options” menus for built-in security features. If you need help understanding your
choices, use your “Help” function.
Your operating system also may offer free software “patches” that close holes in the system that
hackers could exploit. In fact, some common operating systems can be set to automatically
retrieve and install patches for you. If your system does not do this, bookmark the website for your
system’s manufacturer so you can regularly visit and update your system with defenses against
the latest attacks. Updating can be as simple as one click. Your email software may help you avoid
viruses by giving you the ability to filter certain types of spam. It’s up to you to activate the filter.
If you’re not using your computer for an extended period, turn it off or unplug it from the phone
or cable line. When it’s off, the computer doesn’t send or receive information from the Internet
and isn’t vulnerable to hackers.
5. Protect your passwords.
Keep your passwords in a secure place, and out of plain view. Don’t share your passwords on the
Internet, over email, or on the phone. Your Internet Service Provider (ISP) should never ask for
your password.
In addition, hackers may try to figure out your passwords to gain access to your computer. You can
make it tougher for them by:
• Using passwords that have at least eight characters and include numbers or symbols.
• Avoiding common words: some hackers use programs that can try every word in the
dictionary.
• Not using your personal information, your login name, or adjacent keys on the
keyboard as passwords.
• Changing your passwords regularly (at a minimum, every 90 days).
• Not using the same password for each online account you access.
One way to create a strong password is to think of a memorable phrase and use the first letter
of each word as your password, converting some letters into numbers that resemble letters. For
example, “How much wood could a woodchuck chuck” would become HmWc@wcC.
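The password rules listed above can be turned into a simple checker. This Python sketch is an added example, not part of the OnGuardOnline brochure; the short word list stands in for a real dictionary file, and the run length of four adjacent keys is an assumed threshold.

```python
import re
from datetime import date

# Rows of a US keyboard, used to spot "adjacent keys" passwords.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed stand-in for a dictionary file; a real check would load
# a full word list.
COMMON_WORDS = {"password", "woodchuck", "baseball", "sunshine", "welcome"}

MAX_AGE_DAYS = 90  # the brochure's "at a minimum, every 90 days"


def _norm(value):
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def has_keyboard_run(password, run=4):
    """True if the password contains `run` adjacent keys, in either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(password, login="", personal=(), last_changed=None, today=None):
    """Return the list of brochure rules the password breaks (empty if none)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(not c.isalpha() and not c.isspace() for c in password):
        problems.append("no number or symbol")
    # Strip digits and symbols so that "password1" is still caught.
    letters = re.sub(r"[^a-z]", "", password.lower())
    if letters in COMMON_WORDS:
        problems.append("common dictionary word")
    pw_norm = _norm(password)
    for token in (login, *personal):
        t = _norm(token)
        if len(t) >= 3 and t in pw_norm:
            problems.append("contains login name or personal information")
            break
    if has_keyboard_run(password):
        problems.append("adjacent keys on the keyboard")
    if last_changed and today and (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("older than 90 days")
    return problems


def reused(passwords_by_account):
    """Return sorted groups of account names that share one password."""
    groups = {}
    for account, pw in passwords_by_account.items():
        groups.setdefault(pw, []).append(account)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    # The brochure's own sample password passes every rule checked here.
    print(check_password("HmWc@wcC", login="jsmith"))
    print(check_password("qwerty12"))
```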
6. Back up important files.
If you follow these tips, you’re more likely to be more secure online, free of interference from
hackers, viruses, and spammers. But no system is completely secure. If you have important files
stored on your computer, copy them onto a removable disc, and store them in a safe place.
7. Learn who to contact if something goes wrong online
Hacking or Computer Virus
If your computer gets hacked or infected by a virus:
• Immediately unplug the phone or cable line from your machine. Then scan your
entire computer with fully updated anti-virus software, and update your firewall.
• Take steps to minimize the chances of another incident.
• Alert the appropriate authorities by contacting:
  ◦ your ISP and the hacker’s ISP (if you can tell what it is). You can usually find
    an ISP’s email address on its website. Include information on the incident from
    your firewall’s log file. By alerting the ISP to the problem on its system, you can
    help it prevent similar problems in the future.
  ◦ the FBI at www.ifccfbi.gov. To fight computer criminals, they need to hear
    from you.
Internet fraud
If a scammer takes advantage of you through an Internet auction, when you’re shopping online, or
in any other way, report it to the Federal Trade Commission, at ftc.gov. The FTC enters Internet,
identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online
database available to hundreds of civil and criminal law enforcement agencies in the U.S. and
abroad.
Deceptive Spam
If you get deceptive spam, including email phishing for your information, forward it to
spam@uce.gov. Be sure to include the full header of the email, including all routing information.
You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing
Working Group, a consortium of ISPs, security vendors, financial institutions and law
enforcement agencies, uses these reports to fight phishing.
Divulged Personal Information
If you believe you have mistakenly given your personal information to a fraudster, file a complaint
at ftc.gov, and then visit the Federal Trade Commission’s Identity Theft website at
www.consumer.gov/idtheft to learn how to minimize your risk of damage from a potential theft of
your identity.
PARENTS
Parental controls are provided by most ISPs, or are sold as separate software. Remember that
no software can substitute for parental supervision. Talk to your kids about safe computing
practices, as well as the things they’re seeing and doing online.
OnGuardOnline.gov provides practical tips from the federal government and
the technology industry to help you be on guard against Internet fraud, secure your
computer, and protect your personal information.
September 2005
Facts for Consumers
Take Charge: Fighting Back Against Identity Theft
(formerly: "ID Theft: When Bad Things Happen to Your Good Name")
TABLE OF CONTENTS
INTRODUCTION
STAYING ALERT
HOW IDENTITY THEFT OCCURS
If Your Personal Information Has Been Lost or Stolen
IDENTITY THEFT VICTIMS: IMMEDIATE STEPS
MINIMIZING RECURRENCES
Placing Fraud Alerts on Your Credit Report
Closing Accounts
Filing a Police Report
Filing a Complaint with the Federal Trade Commission
The Identity Theft Report
Tips For Organizing Your Case
Chart Your Course of Action
Bank Accounts and Fraudulent Withdrawals
Bankruptcy Fraud
Correcting Fraudulent Information in Credit Reports
Credit Cards
Criminal Violations
Debt Collectors
Driver's License
Investment Fraud
Mail Theft
Passport Fraud
Phone Fraud
Social Security Number Misuse
Student Loans
Tax Fraud
What To Do Today
Maintaining Vigilance
A Special Word About Social Security Numbers
The Doors and Windows are Locked, But...
APPENDIX
RESOLVING SPECIFIC PROBLEMS
Getting Your Credit Report
It's the Law
Federal
State
Instructions for Completing the ID Theft Affidavit
The ID Theft Affidavit
Annual Credit Report Request Form
The FTC's Privacy Policy
INTRODUCTION
In the course of a busy day, you may write a check at the grocery store, charge tickets to a ball game, rent a car, mail your tax
returns, change service providers for your cell phone, or apply for a credit card. Chances are you don't give these everyday
transactions a second thought. But an identity thief does.
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
12/19/2005
Identity theft is a serious crime. People whose identities have been stolen can spend months or years and thousands of dollars
cleaning up the mess the thieves have made of a good name and credit record. In the meantime, victims of identity theft may lose
job opportunities, be refused loans for education, housing, or cars, and even get arrested for crimes they didn't commit.
Humiliation, anger, and frustration are among the feelings victims experience as they navigate the process of rescuing their
identity.
Working with other government agencies and organizations, the Federal Trade Commission (FTC) has produced this booklet to
help you remedy the effects of an identity theft. It describes what steps to take, your legal rights, how to handle specific problems
you may encounter on the way to clearing your name, and what to watch for in the future.
HOW IDENTITY THEFT OCCURS
I first was notified that someone had used my Social Security number for their taxes in February 2004. I also found
out that this person opened a checking account, cable and utility accounts, and a cell phone account in my name.
I'm still trying to clear up everything and just received my income tax refund after waiting four to five months. Trying
to work and get all this cleared up is very stressful.
From a consumer's complaint to the FTC, July 9, 2004
Despite your best efforts to manage the flow of your personal information or to keep it to yourself, skilled identity thieves may use
a variety of methods to gain access to your data.
How identity thieves get your personal information:
• They get information from businesses or other institutions by:
  ◦ stealing records or information while they're on the job
  ◦ bribing an employee who has access to these records
  ◦ hacking these records
  ◦ conning information out of employees
• They may steal your mail, including bank and credit card statements, credit card offers, new checks, and tax information.
• They may rummage through your trash, the trash of businesses, or public trash dumps in a practice known as "dumpster
diving."
• They may get your credit reports by abusing their employer's authorized access to them, or by posing as a landlord, employer,
or someone else who may have a legal right to access your report.
• They may steal your credit or debit card numbers by capturing the information in a data storage device in a practice known as
"skimming." They may swipe your card for an actual purchase, or attach the device to an ATM machine where you may enter
or swipe your card.
• They may steal your wallet or purse.
• They may complete a "change of address form" to divert your mail to another location.
• They may steal personal information they find in your home.
• They may steal personal information from you through email or phone by posing as legitimate companies and claiming that you
have a problem with your account. This practice is known as "phishing" online, or pretexting by phone.
How identity thieves use your personal information:
• They may call your credit card issuer to change the billing address on your credit card account. The imposter then runs up
charges on your account. Because your bills are being sent to a different address, it may be some time before you realize
there's a problem.
• They may open new credit card accounts in your name. When they use the credit cards and don't pay the bills, the delinquent
accounts are reported on your credit report.
• They may establish phone or wireless service in your name.
• They may open a bank account in your name and write bad checks on that account.
• They may counterfeit checks or credit or debit cards, or authorize electronic transfers in your name, and drain your bank
account.
• They may file for bankruptcy under your name to avoid paying debts they've incurred under your name, or to avoid eviction.
• They may buy a car by taking out an auto loan in your name.
• They may get identification such as a driver's license issued with their picture, in your name.
• They may get a job or file fraudulent tax returns in your name.
• They may give your name to the police during an arrest. If they don't show up for their court date, a warrant for arrest is issued
in your name.
If Your Personal Information Has Been Lost or Stolen
If you've lost personal information or identification, or if it has been stolen from you, taking certain steps quickly can minimize the
potential for identity theft.
Financial accounts: Close accounts, like credit cards and bank accounts, immediately. When you open new accounts, place
passwords on them. Avoid using your mother's maiden name, your birth date, the last four digits of your Social Security number
(SSN) or your phone number, or a series of consecutive numbers.
Social Security number: Call the toll-free fraud number of any of the three nationwide consumer reporting companies and place an
initial fraud alert on your credit reports. An alert can help stop someone from opening new credit accounts in your name. See
consumer reporting company contact information. For more information about fraud alerts, see the Fraud Alerts box.
Driver's license/other government-issued identification: Contact the agency that issued the license or other identification
document. Follow its procedures to cancel the document and to get a replacement. Ask the agency to flag your file so that no one
else can get a license or any other identification document from them in your name.
Once you've taken these precautions, watch for signs that your information is being misused. See STAYING ALERT.
If your information has been misused, file a report about the theft with the police, and file a complaint with the Federal Trade
Commission, as well. If another crime was committed (for example, if your purse or wallet was stolen or your house or car was
broken into), report it to the police immediately.
IDENTITY THEFT VICTIMS: IMMEDIATE STEPS
If you are a victim of identity theft, take the following four steps as soon as possible, and keep a record with the details of your
conversations and copies of all correspondence.
1. Place a fraud alert on your credit reports, and review your credit reports.
Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number
of any of the three consumer reporting companies below to place a fraud alert on your credit report. You only need to contact one
of the three companies to place an alert. The company you call is required to contact the other two, which will place an alert on
their versions of your report, too.
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Once you place the fraud alert in your file, you're entitled to order free copies of your credit reports, and, if you ask, only the last
four digits of your SSN will appear on your credit reports. Once you get your credit reports, review them carefully. Look for inquiries
from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain. Check that
information, like your SSN, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate
information, get it removed. See Correcting Credit Reports to learn how. Continue to check your credit reports periodically,
especially for the first year after you discover the identity theft, to make sure no new fraudulent activity has occurred.
Fraud Alerts
There are two types of fraud alerts: an initial alert, and an extended alert.
• An initial alert stays on your credit report for at least 90 days. You may ask that an initial fraud alert be
placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An
initial alert is appropriate if your wallet has been stolen or if you've been taken in by a "phishing" scam.
When you place an initial fraud alert on your credit report, you're entitled to one free credit report from each
of the three nationwide consumer reporting companies.
• An extended alert stays on your credit report for seven years. You can have an extended alert placed
on your credit report if you've been a victim of identity theft and you provide the consumer reporting
company with an "identity theft report." When you place an extended alert on your credit report, you're
entitled to two free credit reports within twelve months from each of the three nationwide consumer reporting
companies. In addition, the consumer reporting companies will remove your name from marketing lists for
pre-screened credit offers for five years unless you ask them to put your name back on the list before then.
To place either of these alerts on your credit report, or to have them removed, you will be required to provide
appropriate proof of your identity: that may include your SSN, name, address and other personal information
requested by the consumer reporting company.
When a business sees the alert on your credit report, they must verify your identity before issuing you credit. As
part of this verification process, the business may try to contact you directly. This may cause some delays if
you're trying to obtain credit. To compensate for possible delays, you may wish to include a cell phone number,
where you can be reached easily, in your alert. Remember to keep all contact information in your alert current.
2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT
originals) of supporting documents. It's important to notify credit card companies and banks in writing. Send your letters by
certified mail, return receipt requested, so you can document what the company received and when. Keep a file of your
correspondence and enclosures.
When you open new accounts, use new Personal Identification Numbers (PINs) and passwords. Avoid using easily available
information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of
consecutive numbers.
If the identity thief has made charges or debits on your accounts, or on fraudulently opened accounts, ask the company for the
forms to dispute those transactions:
• For charges and debits on existing accounts, ask the representative to send you the company's fraud dispute forms. If the
company doesn't have special forms, use the sample letter to dispute the fraudulent charges or debits. In either case, write to
the company at the address given for "billing inquiries," NOT the address for sending your payments.
• For new unauthorized accounts, ask if the company accepts the ID Theft Affidavit. If not, ask the representative to send you
the company's fraud dispute forms. If the company already has reported these accounts or debts on your credit report, dispute
this fraudulent information. See Correcting Credit Reports to learn how.
Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the
disputed accounts and has discharged the fraudulent debts. This letter is your best proof if errors relating to this account reappear
on your credit report or you are contacted again about the fraudulent debt.
Proving You're a Victim
Applications or other transaction records related to the theft of your identity may help you prove that you are a
victim. For example, you may be able to show that the signature on an application is not yours. These
documents also may contain information about the identity thief that is valuable to law enforcement. By law,
companies must give you a copy of the application or other business transaction records relating to your identity
theft if you submit your request in writing. Be sure to ask the company representative where you should mail
your request. Companies must provide these records at no charge to you within 30 days of receipt of your
request and your supporting documents. You also may give permission to any law enforcement agency to get
these records, or ask in your written request that a copy of these records be sent to a particular law
enforcement officer.
The company can ask you for:
• proof of your identity. This may be a photocopy of a government-issued ID card, the same type of
information the identity thief used to open or access the account, or the type of information the company
usually requests from applicants or customers, and
• a police report and a completed affidavit, which may be the Identity Theft Affidavit or the company's own
affidavit.
3. File a report with your local police or the police in the community where the identity theft took place.
Then, get a copy of the police report or at the very least, the number of the report. It can help you deal with creditors who need
proof of the crime. If the police are reluctant to take your report, ask to file a "Miscellaneous Incidents" report, or try another
jurisdiction, like your state police. You also can check with your state Attorney General's office to find out if state law requires the
police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check
www.naag.org for a list of state Attorneys General.
4. File a complaint with the Federal Trade Commission.
By sharing your identity theft complaint with the FTC, you will provide important information that can help law enforcement officials
across the nation track down identity thieves and stop them. The FTC can refer victims' complaints to other government agencies
and companies for further action, as well as investigate companies for violations of laws the agency enforces.
You can file a complaint online at www.consumer.gov/idtheft. If you don't have Internet access, call the FTC's Identity Theft
Hotline, toll-free: 1-877-IDTHEFT (438-4338); TTY: 1-866-653-4261; or write: Identity Theft Clearinghouse, Federal Trade
Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Be sure to call the Hotline to update your complaint if you have any additional information or problems.
The Identity Theft Report
An identity theft report may have two parts:
Part One is a copy of a report filed with a local, state, or federal law enforcement agency, like your local police department, your
State Attorney General, the FBI, the U.S. Secret Service, the FTC, and the U.S. Postal Inspection Service. There is no federal law
requiring a federal agency to take a report about identity theft; however, some state laws require local police departments to take
reports. When you file a report, provide as much information as you can about the crime, including anything you know about the
dates of the identity theft, the fraudulent accounts opened and the alleged identity thief.
Note: Knowingly submitting false information could subject you to criminal prosecution for perjury.
Part Two of an identity theft report depends on the policies of the consumer reporting company and the information provider (the
business that sent the information to the consumer reporting company). That is, they may ask you to provide information or
documentation in addition to that included in the law enforcement report which is reasonably intended to verify your identity theft.
They must make their request within 15 days of receiving your law enforcement report, or, if you already obtained an extended
fraud alert on your credit report, the date you submit your request to the credit reporting company for information blocking. The
consumer reporting company and information provider then have 15 more days to work with you to make sure your identity theft
report contains everything they need. They are entitled to take five days to review any information you give them. For example, if
you give them information 11 days after they request it, they do not have to make a final decision until 16 days after they asked
you for that information. If you give them any information after the 15-day deadline, they can reject your identity theft report as
incomplete; you will have to resubmit your identity theft report with the correct information.
You may find that most federal and state agencies, and some local police departments, offer only "automated" reports (reports
that do not require a face-to-face meeting with a law enforcement officer). Automated reports may be submitted online, or by
telephone or mail. If you have a choice, do not use an automated report. The reason? It's more difficult for the consumer reporting
company or information provider to verify the information. Unless you are asking a consumer reporting company to place an
extended fraud alert on your credit report, you probably will have to provide additional information or documentation when you use
an automated report.
Tips For Organizing Your Case
Accurate and complete records will help you to resolve your identity theft case more quickly.
• Have a plan when you contact a company. Don't assume that the person you talk to will give you all the
  information or help you need. Prepare a list of questions to ask the representative, as well as information
  about your identity theft. Don't end the call until you're sure you understand everything you've been told. If
  you need more help, ask to speak to a supervisor.
• Write down the name of everyone you talk to, what he or she tells you, and the date the conversation
  occurred. Use Chart Your Course of Action to help you.
• Follow up in writing with all contacts you've made on the phone or in person. Use certified mail, return
  receipt requested, so you can document what the company or organization received and when.
• Keep copies of all correspondence or forms you send.
• Keep the originals of supporting documents, like police reports and letters to and from creditors; send copies
  only.
• Set up a filing system for easy access to your paperwork.
• Keep old files even if you believe your case is closed. Once resolved, most cases stay resolved, but
  problems can crop up.
Chart Your Course of Action
Use this form to record the steps you've taken to report the fraudulent use of your identity. Keep this list in a safe place for
reference.
Nationwide Consumer Reporting Companies - Report Fraud
Consumer Reporting Company | Phone Number | Date Contacted | Contact Person | Comments
Equifax | 1-800-525-6285 | | |
Experian | 1-888-EXPERIAN (397-3742) | | |
TransUnion | 1-800-680-7289 | | |
Banks, Credit Card Issuers and Other Creditors
(Contact each creditor promptly to protect your legal rights.)
Creditor | Address and Phone Number | Date Contacted | Contact Person | Comments
Law Enforcement Authorities - Report Identity Theft
Agency/Department | Phone Number | Date Contacted | Contact Person | Report Number | Comments
RESOLVING SPECIFIC PROBLEMS
I received a copy of my credit report and saw about a half a dozen items that I didn't know anything about. It's
affected my credit rating so badly that I couldn't get a student loan. I didn't realize there was a problem until my
student loan application was denied.
From a consumer's complaint to the FTC, May 25, 2004
While dealing with problems resulting from identity theft can be time-consuming and frustrating, most victims can resolve their
cases by being assertive, organized, and knowledgeable about their legal rights. Some laws require you to notify companies
within specific time periods. Don't delay in contacting any companies to deal with these problems, and ask for supervisors if you
need more help than you're getting.
Bank Accounts and Fraudulent Withdrawals
Different laws determine your legal remedies based on the type of bank fraud you have suffered. For example, state laws protect
you against fraud committed by a thief using paper documents, like stolen or counterfeit checks. But if the thief used an electronic
fund transfer, federal law applies. Many transactions may seem to be processed electronically but are still considered "paper"
transactions. If you're not sure what type of transaction the thief used to commit the fraud, ask the financial institution that
processed the transaction.
Fraudulent Electronic Withdrawals
The Electronic Fund Transfer Act provides consumer protections for transactions involving an ATM or debit card, or another
electronic way to debit or credit an account. It also limits your liability for unauthorized electronic fund transfers.
You have 60 days from the date your bank account statement is sent to you to report in writing any money withdrawn from your
account without your permission. This includes instances when your ATM or debit card is "skimmed," that is, when a thief captures
your account number and PIN without your card having been lost or stolen.
If your ATM or debit card is lost or stolen, report it immediately because the amount you can be held responsible for depends on
how quickly you report the loss.
• If you report the loss or theft within two business days of discovery, your losses are limited to $50.
• If you report the loss or theft after two business days, but within 60 days after the unauthorized electronic fund transfer appears
  on your statement, you could lose up to $500 of what the thief withdraws.
• If you wait more than 60 days to report the loss or theft, you could lose all the money that was taken from your account after
  the end of the 60 days.
Note: VISA and MasterCard voluntarily have agreed to limit consumers' liability for unauthorized use of their debit cards in most
instances to $50 per card, no matter how much time has elapsed since the discovery of the loss or theft of the card.
The best way to protect yourself in the event of an error or fraudulent transaction is to call the financial institution and follow up in
writing by certified letter, return receipt requested so you can prove when the institution received your letter. Keep a copy of the
letter you send for your records.
After receiving your notification about an error on your statement, the institution generally has 10 business days to investigate.
The institution must tell you the results of its investigation within three business days after completing it and must correct an error
within one business day after determining that it occurred. If the institution needs more time, it may take up to 45 days to complete
the investigation but only if the money in dispute is returned to your account and you are notified promptly of the credit. At the end
of the investigation, if no error has been found, the institution may take the money back if it sends you a written explanation. For
more information, see Electronic Banking and Credit, ATM and Debit Cards: What To Do If They're Lost or Stolen.
Fraudulent Checks and Other "Paper" Transactions
In general, if an identity thief steals your checks or counterfeits checks from your existing bank account, stop payment, close the
account, and ask your bank to notify Chex Systems, Inc. or the check verification service with which it does business. That way,
retailers can be notified not to accept these checks. While no federal law limits your losses if someone uses your checks with a
forged signature, or uses another type of "paper" transaction such as a demand draft, state laws may protect you. Most states
hold the bank responsible for losses from such transactions. At the same time, most states require you to take reasonable care of
your account. For example, you may be held responsible for the forgery if you fail to notify the bank in a timely manner that a
check was lost or stolen. Contact your state banking or consumer protection agency for more information.
You can contact major check verification companies directly for the following services:
• To request that they notify retailers who use their databases not to accept your checks, call:
  ◦ TeleCheck at 1-800-710-9898 or 1-800-927-0188
  ◦ Certegy, Inc. (previously Equifax Check Systems) at 1-800-437-5120
• To find out if the identity thief has been passing bad checks in your name, call:
  ◦ SCAN: 1-800-262-7771
If your checks are rejected by a merchant, it may be because an identity thief is using the Magnetic Information Character
Recognition (MICR) code (the numbers at the bottom of checks), your driver's license number, or another identification number.
The merchant who rejects your check should give you its check verification company contact information so you can
find out what information the thief is using. If you find that the thief is using your MICR code, ask your bank to close your checking
account, and open a new one. If you discover that the thief is using your driver's license number or some other identification
number, work with your DMV or other identification issuing agency to get new identification with new numbers. Once you
have taken the appropriate steps, your checks should be accepted.
Note:
• The check verification company may or may not remove the information about the MICR code or the driver's
  license/identification number from its database because this information may help prevent the thief from continuing to commit
  fraud.
• If the checks are being passed on a new account, contact the bank to close the account. Also contact Chex Systems, Inc., to
  review your consumer report to make sure that no other bank accounts have been opened in your name.
• Dispute any bad checks passed in your name with merchants so they don't start any collections actions against you.
Fraudulent New Accounts
If you have trouble opening a new checking account, it may be because an identity thief has been opening accounts in your
name. Chex Systems, Inc., produces consumer reports specifically about checking accounts, and as a consumer reporting
company, is subject to the Fair Credit Reporting Act. You can request a free copy of your consumer report by contacting Chex
Systems, Inc. If you find inaccurate information on your consumer report, follow the procedures under Correcting Credit Reports
to dispute it. Contact each of the banks where account inquiries were made, too. This will help ensure that any fraudulently
opened accounts are closed.
Chex Systems, Inc.: 1-800-428-9623; www.chexhelp.com
Fax: 602-659-2197
Chex Systems, Inc.
Attn: Consumer Relations
7805 Hudson Road, Suite 100
Woodbury, MN 55125
Where to Find Help
If you have trouble getting a financial institution to help you resolve your banking-related identity theft problems, including
problems with bank-issued credit cards, contact the agency that oversees your bank (see list below). If you're not sure which of
these agencies is the right one, call your bank or visit the National Information Center of the Federal Reserve System at
www.ffiec.gov/nic/ and click on "Institution Search."
Federal Deposit Insurance Corporation (FDIC) www.fdic.gov
The FDIC supervises state-chartered banks that are not members of the Federal Reserve System, and insures deposits at banks
and savings and loans.
Call the FDIC Consumer Call Center toll-free: 1-800-934-3342; or write: Federal Deposit Insurance Corporation, Division of
Compliance and Consumer Affairs, 550 17th Street, NW, Washington, DC 20429.
FDIC publications:
• Classic Cons... And How to Counter Them
• A Crook Has Drained Your Account. Who Pays?
• Your Wallet: A Loser's Manual
Federal Reserve System (Fed) www.federalreserve.gov
The Fed supervises state-chartered banks that are members of the Federal Reserve System.
Call: 202-452-3693; or write: Division of Consumer and Community Affairs, Mail Stop 801, Federal Reserve Board, Washington,
DC 20551; or contact the Federal Reserve Bank in your area. The Reserve Banks are located in Boston, New York, Philadelphia,
Cleveland, Richmond, Atlanta, Chicago, St. Louis, Minneapolis, Kansas City, Dallas, and San Francisco.
National Credit Union Administration (NCUA) www.ncua.gov
The NCUA charters and supervises federal credit unions and insures deposits at federal credit unions and many state credit
unions.
Call: 703-518-6360; or write: Compliance Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314.
Office of the Comptroller of the Currency (OCC) www.occ.treas.gov
The OCC charters and supervises national banks. If the word "national" appears in the name of a bank, or the initials "N.A." follow
its name, the OCC oversees its operations.
Call toll-free: 1-800-613-6743 (business days 9:00 a.m. to 4:00 p.m. CST); fax: 713-336-4301; or write: Customer Assistance
Group, 1301 McKinney Street, Suite 3710, Houston, TX 77010.
OCC publications:
• Check Fraud: A Guide to Avoiding Losses
• How to Avoid Becoming a Victim of Identity Theft
• Identity Theft and Pretext Calling Advisory Letter 2001-4
Office of Thrift Supervision (OTS) www.ots.treas.gov
The OTS is the primary regulator of all federal, and many state-chartered, thrift institutions, including savings banks and savings
and loan institutions.
Call: 202-906-6000; or write: Office of Thrift Supervision, 1700 G Street, NW, Washington, DC 20552.
Bankruptcy Fraud
U.S. Trustee (UST) www.usdoj.gov/ust
If you believe someone has filed for bankruptcy in your name, write to the U.S. Trustee in the region where the bankruptcy was
filed. A list of the U.S. Trustee Programs' Regional Offices is available on the UST website, or check the Blue Pages of your
phone book under U.S. Government Bankruptcy Administration.
In your letter, describe the situation and provide proof of your identity. The U.S. Trustee will make a criminal referral to law
enforcement authorities if you provide appropriate documentation to substantiate your claim. You also may want to file a
complaint with the U.S. Attorney and/or the FBI in the city where the bankruptcy was filed. The U.S. Trustee does not provide
legal representation, legal advice, or referrals to lawyers. That means you may need to hire an attorney to help convince the
bankruptcy court that the filing is fraudulent. The U.S. Trustee does not provide consumers with copies of court documents. You
can get them from the bankruptcy clerk's office for a fee.
Correcting Fraudulent Information in Credit Reports
The Fair Credit Reporting Act (FCRA) establishes procedures for correcting fraudulent information on your credit report and
requires that your report be made available only for certain legitimate business needs.
Under the FCRA, both the consumer reporting company and the information provider (the business that sent the information to
the consumer reporting company), such as a bank or credit card company, are responsible for correcting fraudulent information in
your report. To protect your rights under the law, contact both the consumer reporting company and the information provider.
Consumer Reporting Company Obligations
Consumer reporting companies will block fraudulent information from appearing on your credit report if you take the following
steps: Send them a copy of an identity theft report and a letter telling them what information is fraudulent. The letter also should
state that the information does not relate to any transaction that you made or authorized. In addition, provide proof of your identity
that may include your SSN, name, address, and other personal information requested by the consumer reporting company.
The consumer reporting company has four business days to block the fraudulent information after accepting your identity theft
report. It also must tell the information provider that it has blocked the information. The consumer reporting company may refuse
to block the information or remove the block if, for example, you have not told the truth about your identity theft. If the consumer
reporting company removes the block or refuses to place the block, it must let you know.
The blocking process is only one way for identity theft victims to deal with fraudulent information. There's also the "reinvestigation
process," which was designed to help all consumers dispute errors or inaccuracies on their credit reports. For more information on
this process, see How to Dispute Credit Report Errors and Your Access to Free Credit Reports, two publications from the FTC.
Information Provider Obligations
Information providers stop reporting fraudulent information to the consumer reporting companies once you send them an identity
theft report and a letter explaining that the information that they're reporting resulted from identity theft. But you must send your
identity theft report and letter to the address specified by the information provider. Note that the information provider may continue
to report the information if it later learns that the information does not result from identity theft.
If a consumer reporting company tells an information provider that it has blocked fraudulent information in your credit report, the
information provider may not continue to report that information to the consumer reporting company. The information provider also
may not hire someone to collect the debt that relates to the fraudulent account, or sell that debt to anyone else who would try to
collect it.
Sample Blocking Letter - Consumer Reporting Company
Date
Your Name
Your Address
Your City, State, Zip Code
Complaint Department
Name of Consumer Reporting Company
Address
City, State, Zip Code
Dear Sir or Madam:
I am a victim of identity theft. I am writing to request that you block the following fraudulent information in my
file. This information does not relate to any transaction that I have made. The items also are circled on the
attached copy of the report I received. (Identify item(s) to be blocked by name of source, such as creditors or
tax court, and identify type of item, such as credit account, judgment, etc.)
Enclosed is a copy of the law enforcement report regarding my identity theft. Please let me know if you need
any other information from me to block this information on my credit report.
Sincerely,
Your name
Enclosures: (List what you are enclosing.)
Credit Cards
The Fair Credit Billing Act establishes procedures for resolving billing errors on your credit card accounts, including fraudulent
charges on your accounts. The law also limits your liability for unauthorized credit card charges to $50 per card. To take
advantage of the law's consumer protections, you must:
• write to the creditor at the address given for "billing inquiries," NOT the address for sending your payments. Include your name,
  address, account number, and a description of the billing error, including the amount and date of the error. See Sample Letter.
• send your letter so that it reaches the creditor within 60 days after the first bill containing the error was mailed to you. If an
  identity thief changed the address on your account and you didn't receive the bill, your dispute letter still must reach the
  creditor within 60 days of when the creditor would have mailed the bill. This is one reason it's essential to keep track of your
  billing statements, and follow up quickly if your bills don't arrive on time.
You should send your letter by certified mail, and request a return receipt. It becomes your proof of the date the creditor received
the letter. Include copies (NOT originals) of your police report or other documents that support your position. Keep a copy of your
dispute letter.
The creditor must acknowledge your complaint in writing within 30 days after receiving it, unless the problem has been resolved.
The creditor must resolve the dispute within two billing cycles (but not more than 90 days) after receiving your letter.
For more information, see Fair Credit Billing and Avoiding Credit and Charge Card Fraud, two publications from the FTC.
Sample Dispute Letter For Existing Accounts
Date
Your Name
Your Address
Your City, State, Zip Code
Your Account Number
Name of Creditor
Billing Inquiries
Address
City, State, Zip Code
Dear Sir or Madam:
I am writing to dispute a fraudulent (charge or debit) on my account in the amount of $______. I am a victim of
identity theft, and I did not make this (charge or debit). I am requesting that the (charge be removed or the debit
reinstated), that any finance and other charges related to the fraudulent amount be credited, as well, and that I
receive an accurate statement.
Enclosed are copies of (use this sentence to describe any enclosed information, such as a police report)
supporting my position. Please investigate this matter and correct the fraudulent (charge or debit) as soon as
possible.
Sincerely,
Your name
Enclosures: (List what you are enclosing.)
Criminal Violations
Procedures to correct your record within criminal justice databases can vary from state to state, and even from county to county.
Some states have enacted laws with special procedures for identity theft victims to follow to clear their names. You should check
with the office of your state Attorney General, but you can use the following information as a general guide.
If wrongful criminal violations are attributed to your name, contact the police or sheriff's department that originally arrested the
person using your identity, or the court agency that issued the warrant for the arrest. File an impersonation report with the
police/sheriff's department or the court, and confirm your identity: Ask the police department to take a full set of your fingerprints,
photograph you, and make copies of your photo identification documents, like your driver's license, passport, or travel visa. To
establish your innocence, ask the police to compare the prints and photographs with those of the imposter.
If the arrest warrant is from a state or county other than where you live, ask your local police department to send the
impersonation report to the police department in the jurisdiction where the arrest warrant, traffic citation, or criminal conviction
originated.
The law enforcement agency should then recall any warrants and issue a "clearance letter" or "certificate of release" (if you were
arrested/booked). You'll need to keep this document with you at all times in case you're wrongly arrested again. Ask the law
enforcement agency to file the record of the follow-up investigation establishing your innocence with the district attorney's (D.A.)
office and/or court where the crime took place. This will result in an amended complaint. Once your name is recorded in a criminal
database, it's unlikely that it will be completely removed from the official record. Ask that the "key name" or "primary name" be
changed from your name to the imposter's name (or to "John Doe" if the imposter's true identity is not known), with your name
noted as an alias.
You'll also want to clear your name in the court records. To do so, you'll need to determine which state law(s) will help you with
this and how. If your state has no formal procedure for clearing your record, contact the D.A.'s office in the county where the case
was originally prosecuted. Ask the D.A.'s office for the appropriate court records needed to clear your name. You may need to hire
a criminal defense attorney to help you clear your name. Contact Legal Services in your state or your local bar association for
help in finding an attorney.
Finally, contact your state Department of Motor Vehicles (DMV) to find out if your driver's license is being used by the identity
thief. Ask that your files be flagged for possible fraud.
Debt Collectors
The Fair Debt Collection Practices Act prohibits debt collectors from using unfair or deceptive practices to collect overdue bills that
a creditor has forwarded for collection, even if those bills don't result from identity theft.
You can stop a debt collector from contacting you in two ways:
• Write a letter to the collection agency telling them to stop. Once the debt collector receives your letter, the company may not
  contact you again with two exceptions: They can tell you there will be no further contact, and they can tell you that the debt
  collector or the creditor intends to take some specific action.
• Send a letter to the collection agency, within 30 days after you received written notice of the debt, telling them that you do not
  owe the money. Include copies of documents that support your position. Including a copy (NOT original) of your police report
  may be useful. In this case, a collector can renew collection activities only if it sends you proof of the debt.
If you don't have documentation to support your position, be as specific as possible about why the debt collector is mistaken. The
debt collector is responsible for sending you proof that you're wrong. For example, if the debt you're disputing originates from a
credit card you never applied for, ask for a copy of the application with the applicant's signature. Then, you can prove that it's not
your signature.
If you tell the debt collector that you are a victim of identity theft and it is collecting the debt for another company, the debt
collector must tell that company that you may be a victim of identity theft.
While you can stop a debt collector from contacting you, that won't get rid of the debt itself. It's important to contact the company
that originally opened the account to dispute the debt, otherwise that company may send it to a different debt collector, report it on
your credit report, or initiate a lawsuit to collect on the debt.
For more information, see Fair Debt Collection, a publication from the FTC.
Driver's License
If you think your name or SSN is being used by an identity thief to get a driver's license or a non-driver's ID card, contact your
state DMV. If your state uses your SSN as your driver's license number, ask to substitute another number.
Investment Fraud
U.S. Securities and Exchange Commission (SEC) www.sec.gov
The SEC's Office of Investor Education and Assistance serves investors who complain to the SEC about investment fraud or the
mishandling of their investments by securities professionals. If you believe that an identity thief has tampered with your securities
investments or a brokerage account, immediately report it to your broker or account manager and to the SEC.
You can file a complaint with the SEC's Complaint Center at www.sec.gov/complaint.shtml. Include as much detail as possible. If
you don't have Internet access, write to the SEC at: SEC Office of Investor Education and Assistance, 450 Fifth Street, NW,
Washington DC, 20549-0213. For answers to general questions, call 202-942-7040.
Mail Theft
U.S. Postal Inspection Service (USPIS) www.usps.gov/websites/depart/inspect
The USPIS is the law enforcement arm of the U.S. Postal Service, and investigates cases of identity theft. The USPIS has primary
jurisdiction in all matters infringing on the integrity of the U.S. mail. If an identity thief has stolen your mail to get new credit cards,
bank or credit card statements, pre-screened credit offers, or tax information, or has falsified change-of-address forms or obtained
your personal information through a fraud conducted by mail, report it to your local postal inspector.
You can locate the USPIS district office nearest you by calling your local post office, checking the Blue Pages of your telephone
directory, or visiting www.usps.gov/websites/depart/inspect.
Passport Fraud
United States Department of State (USDS) www.travel.state.gov/passport/passport_1738.html
If you've lost your passport, or believe it was stolen or is being used fraudulently, contact the USDS through their website, or call a
local USDS field office. Local field offices are listed in the Blue Pages of your telephone directory.
Phone Fraud
If an identity thief has established phone service in your name, is making unauthorized calls that seem to come from and are
billed to your cellular phone, or is using your calling card and PIN, contact your service provider immediately to cancel the account
and/or calling card. Open new accounts and choose new PINs. If you're having trouble getting fraudulent phone charges removed
from your account or getting an unauthorized account closed, contact the appropriate agency below.
• For local service, contact your state Public Utility Commission.
• For cellular phones and long distance, contact the Federal Communications Commission (FCC) at www.fcc.gov. The FCC
  regulates interstate and international communications by radio, television, wire, satellite, and cable. Call: 1-888-CALL-FCC;
  TTY: 1-888-TELL-FCC; or write: Federal Communications Commission, Consumer Information Bureau, 445 12th Street, SW,
  Room 5A863, Washington, DC 20554. You can file complaints online at www.fcc.gov, or e-mail your questions to
  fccinfo@fcc.gov.
Social Security Number Misuse
Social Security Administration (SSA) www.ssa.gov
If you have specific information of SSN misuse that involves the buying or selling of Social Security cards, may be related to
terrorist activity, or is designed to obtain Social Security benefits, contact the SSA Office of the Inspector General. You may file a
complaint online at www.socialsecurity.gov/oig, call toll-free: 1-800-269-0271, fax: 410-597-0118, or write: SSA Fraud Hotline,
P.O. Box 17768, Baltimore, MD 21235.
You also may call SSA toll-free at 1-800-772-1213 to verify the accuracy of the earnings reported on your SSN, request a copy of
your Social Security Statement, or get a replacement SSN card if yours is lost or stolen. Follow up in writing.
SSA publications:
• SSA Fraud Hotline for Reporting Fraud
• Social Security: Your Number and Card (SSA Pub. No. 05-10002)
• Identity Theft And Your Social Security Number (SSA Pub. No. 05-10064)
Student Loans
Contact the school or program that opened the student loan to close the loan. At the same time, report the fraudulent loan to the
U.S. Department of Education. Call the Inspector General's Hotline toll-free at 1-800-MIS-USED; visit
www.ed.gov/about/offices/list/oig/hotline.html?src=rt; or write: Office of Inspector General, U.S. Department of Education, 400
Maryland Avenue, SW, Washington, DC 20202-1510.
Tax Fraud
Internal Revenue Service (IRS) www.treas.gov/irs/ci
The IRS is responsible for administering and enforcing tax laws. Identity fraud may occur as it relates directly to your tax records.
Visit www.irs.gov and type in the IRS key word “Identity Theft” for more information.
If you have an unresolved issue related to identity theft, or you have suffered or are about to suffer a significant hardship as a
result of the administration of the tax laws, visit the IRS Taxpayer Advocate Service website www.irs.gov/advocate/ or call toll-free: 1-877-777-4778.
If you suspect or know of an individual or company that is not complying with the tax law, report it to the Internal Revenue Service
Criminal Investigation Informant Hotline by calling toll-free: 1-800-829-0433 or visit www.irs.gov and type in the IRS key word “Tax
Fraud.”
For More Information
Federal Trade Commission (FTC) www.ftc.gov
The FTC wants consumers and businesses to know about the importance of personal information privacy. To request free copies
of brochures, visit www.consumer.gov/idtheft or call 1-877-FTC-HELP (382-4357).
FTC publications:
• ID Theft: What's It All About?
• Avoiding Credit and Charge Card Fraud
• Credit and ATM Cards: What to Do If They're Lost or Stolen
• Credit Card Loss Protection Offers: They're The Real Steal
• Electronic Banking
• Fair Credit Billing
• Your Access to Free Credit Reports
• Fair Debt Collection
• Getting Purse-onal: What To Do If Your Wallet or Purse Is Stolen
• How to Dispute Credit Report Errors
• Identity Crisis... What to Do If Your Identity Is Stolen
• Identity Thieves Can Ruin Your Good Name: Tips for Avoiding Identity Theft
Department of Justice (DOJ) www.usdoj.gov
The DOJ and its U.S. Attorneys prosecute federal identity theft cases. Information on identity theft is available at
www.usdoj.gov/criminal/fraud/idtheft.html.
Federal Bureau of Investigation (FBI) www.fbi.gov
The FBI, a criminal law enforcement agency, investigates cases of identity theft. The FBI recognizes that identity theft is a
component of many crimes, including bank fraud, mail fraud, wire fraud, bankruptcy fraud, insurance fraud, fraud against the
government, and terrorism. Local field offices are listed in the Blue Pages of your telephone directory.
U.S. Secret Service (USSS) www.treas.gov/usss
The U.S. Secret Service investigates financial crimes, which may include identity theft. Although the Secret Service generally
investigates cases where the dollar loss is substantial, your information may provide evidence of a larger pattern of fraud requiring
their involvement. Local field offices are listed in the Blue Pages of your telephone directory.
Financial Crimes Division www.treas.gov/usss/financial_crimes.shtml
STAYING ALERT
Once resolved, most cases of identity theft stay resolved. But occasionally, some victims have recurring problems. To help stay
on top of the situation, continue to monitor your credit reports and read your financial account statements promptly and carefully.
You may want to review your credit reports once every three months in the first year of the theft, and once a year thereafter. And
stay alert for other signs of identity theft, like:
• failing to receive bills or other mail. Follow up with creditors if your bills don't arrive on time. A missing bill could mean an
  identity thief has taken over your account and changed your billing address to cover his tracks.
• receiving credit cards that you didn't apply for.
• being denied credit, or being offered less favorable credit terms, like a high interest rate, for no apparent reason.
• getting calls or letters from debt collectors or businesses about merchandise or services you didn't buy.
Getting Your Credit Report
Free Annual Credit Reports
A recent amendment to the federal Fair Credit Reporting Act requires each of the major nationwide consumer reporting
companies to provide you with a free copy of your credit reports, at your request, once every 12 months.
Free reports are being phased in during a nine-month period, rolling from states in the West to the states in the East. Beginning
September 1, 2005, free reports will be accessible to all Americans, regardless of where they live.
• Consumers in the Western states - Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico,
  Oregon, Utah, Washington, and Wyoming - can order their free reports beginning December 1, 2004.
• Consumers in the Midwestern states - Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North
  Dakota, Ohio, South Dakota, and Wisconsin - can order their free reports beginning March 1, 2005.
• Consumers in the Southern states - Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma,
  South Carolina, Tennessee, and Texas - can order their free reports beginning June 1, 2005.
• Consumers in the Eastern states - Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey,
  New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia - District of Columbia, Puerto
  Rico, and all U.S. territories can order their free reports beginning September 1, 2005.
To order your free annual report from one or all the national consumer reporting companies, visit www.annualcreditreport.com,
call toll-free 877-322-8228, or complete the Annual Credit Report Request Form and mail it to: Annual Credit Report Request
Service, P.O. Box 105281, Atlanta, GA 30348-5281. The form is at the back of this brochure; or you can print it from
www.ftc.gov/credit. Do not contact the three nationwide consumer reporting companies individually. They provide free annual
credit reports only through www.annualcreditreport.com, 877-322-8228, and Annual Credit Report Request Service, P.O. Box
105281, Atlanta, GA 30348-5281.
For more information, see Your Access to Free Credit Reports, a publication from the FTC.
Other Consumer Rights to Free Reports
Under federal law, you're entitled to a free report if a company takes adverse action against you, such as denying your application
for credit, insurance, or employment, and you request your report within 60 days of receiving notice of the action. The notice will
give you the name, address, and phone number of the consumer reporting company. You're also entitled to one free report a year
if you're unemployed and plan to look for a job within 60 days; you're on welfare; or your report is inaccurate because of fraud.
Otherwise, a consumer reporting company may charge you up to $9.50 for another copy of your report within a 12-month period.
To buy a copy of your report, contact:
• Equifax: 800-685-1111; www.equifax.com
• Experian: 888-EXPERIAN (888-397-3742); www.experian.com
• TransUnion: 800-916-8800; www.transunion.com
Under state law, consumers in Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont already have free
access to their credit reports.
MINIMIZING RECURRENCES
Last week I noticed that I was getting products in the mail that I hadn't ordered. Then I noticed charges on my
credit card statement that I hadn't made. I spent a whole day calling the vendors numbers listed on my statement
to let them know someone was using my credit card to make purchases without my permission. I don't know what
else this person may be doing with my accounts and/or my name, and I'm worried about that.
From a consumer's complaint to the FTC, January 7, 2004
When it comes to identity theft, you can't entirely control whether you will become a victim. But there are certain steps you can
take to minimize recurrences.
What To Do Today
• Place passwords on your credit card, bank, and phone accounts. Avoid using easily available information like your mother's
  maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers.
  When opening new accounts, you may find that many businesses still have a line on their applications for your mother's
  maiden name. Ask if you can use a password instead.
• Secure personal information in your home, especially if you have roommates, employ outside help, or are having work done in
  your home.
• Ask about information security procedures in your workplace or at businesses, doctor's offices or other institutions that collect
  your personally identifying information. Find out who has access to your personal information and verify that it is handled
  securely. Ask about the disposal procedures for those records as well. Find out if your information will be shared with anyone
  else. If so, ask how your information can be kept confidential.
Active Duty Alerts for Military Personnel
If you are a member of the military and away from your usual duty station, you may place an active duty alert on
your credit reports to help minimize the risk of identity theft while you are deployed. Active duty alerts are in
effect on your report for one year. If your deployment lasts longer, you can place another alert on your credit
report.
When you place an active duty alert, you'll be removed from the credit reporting companies' marketing list for
pre-screened credit card offers for two years unless you ask to go back on the list before then.
See Consumer Reporting Companies for contact information. The process for getting and removing an alert,
and a business's response to your alert, are the same as that for an initial alert. See Fraud Alerts. You may use
a personal representative to place or remove an alert.
Maintaining Vigilance
• Don't give out personal information on the phone, through the mail, or on the Internet unless you've initiated the contact or are
  sure you know who you're dealing with. Identity thieves are clever, and have posed as representatives of banks, Internet
  service providers (ISPs), and even government agencies to get people to reveal their SSN, mother's maiden name, account
  numbers, and other identifying information. Before you share any personal information, confirm that you are dealing with a
  legitimate organization. Check an organization's website by typing its URL in the address line, rather than cutting and pasting
  it. Many companies post scam alerts when their name is used improperly. Or call customer service using the number listed on
  your account statement or in the telephone book. For more information, see How Not to Get Hooked by a 'Phishing' Scam, a
  publication from the FTC.
• Treat your mail and trash carefully.
    ◦ Deposit your outgoing mail in post office collection boxes or at your local post office, rather than in an unsecured mailbox.
      Promptly remove mail from your mailbox. If you're planning to be away from home and can't pick up your mail, call the U.S.
      Postal Service at 1-800-275-8777 to request a vacation hold. The Postal Service will hold your mail at your local post office
      until you can pick it up or are home to receive it.
    ◦ To thwart an identity thief who may pick through your trash or recycling bins to capture your personal information, tear or
      shred your charge receipts, copies of credit applications, insurance forms, physician statements, checks and bank
      statements, expired charge cards that you're discarding, and credit offers you get in the mail. To opt out of receiving offers
      of credit in the mail, call: 1-888-5-OPTOUT (1-888-567-8688). The three nationwide consumer reporting companies use the
      same toll-free number to let consumers choose not to receive credit offers based on their lists. Note: You will be asked to
      provide your SSN which the consumer reporting companies need to match you with your file.
• Don't carry your SSN card; leave it in a secure place.
• Give your SSN only when absolutely necessary, and ask to use other types of identifiers. If your state uses your SSN as your
  driver's license number, ask to substitute another number. Do the same if your health insurance company uses your SSN as
  your policy number.
• Carry only the identification information and the credit and debit cards that you'll actually need when you go out.
• Be cautious when responding to promotions. Identity thieves may create phony promotional offers to get you to give them your
  personal information.
• Keep your purse or wallet in a safe place at work; do the same with copies of administrative forms that have your sensitive
  personal information.
• When ordering new checks, pick them up from the bank instead of having them mailed to your home mailbox.
A Special Word About Social Security Numbers
Your employer and financial institutions will need your SSN for wage and tax reporting purposes. Other
businesses may ask you for your SSN to do a credit check if you are applying for a loan, renting an apartment,
or signing up for utilities. Sometimes, however, they simply want your SSN for general record keeping.
If someone asks for your SSN, ask:
• Why do you need my SSN?
• How will my SSN be used?
• How do you protect my SSN from being stolen?
• What will happen if I don't give you my SSN?
If you don't provide your SSN, some businesses may not provide you with the service or benefit you want.
Getting satisfactory answers to these questions will help you decide whether you want to share your SSN with
the business. The decision to share is yours.
The Doors and Windows Are Locked, But . . .
You may be careful about locking your doors and windows, and keeping your personal papers in a secure place. Depending on
what you use your personal computer for, an identity thief may not need to set foot in your house to steal your personal
information. You may store your SSN, financial records, tax returns, birth date, and bank account numbers on your computer.
These tips can help you keep your computer - and the personal information it stores - safe.
• Virus protection software should be updated regularly, and patches for your operating system and other software programs
  should be installed to protect against intrusions and infections that can lead to the compromise of your computer files or
  passwords. Ideally, virus protection software should be set to automatically update each week. The Windows XP operating
  system also can be set to automatically check for patches and download them to your computer.
• Do not open files sent to you by strangers, or click on hyperlinks or download programs from people you don't know. Be careful
  about using file-sharing programs. Opening a file could expose your system to a computer virus or a program known as
  "spyware," which could capture your passwords or any other information as you type it into your keyboard. For more
  information, see File Sharing: A Fair Share? Maybe Not and Spyware, publications from the FTC.
• Use a firewall program, especially if you use a high-speed Internet connection like cable, DSL or T-1 that leaves your computer
  connected to the Internet 24 hours a day. The firewall program will allow you to stop uninvited access to your computer.
  Without it, hackers can take over your computer, access the personal information stored on it, or use
  it to commit other crimes.
• Use a secure browser - software that encrypts or scrambles information you send over the Internet - to guard your online
  transactions. Be sure your browser has the most up-to-date encryption capabilities by using the latest version available from
  the manufacturer. You also can download some browsers for free over the Internet. When submitting information, look for the
  "lock" icon on the browser's status bar to be sure your information is secure during transmission.
• Try not to store financial information on your laptop unless absolutely necessary. If you do, use a strong password: a
  combination of letters (upper and lower case), numbers and symbols. A good way to create a strong password is to think of a
  memorable phrase and use the first letter of each word as your password, converting some letters into numbers that resemble
  letters. For example, "I love Felix; he's a good cat," would become 1LFHA6c. Don't use an automatic log-in feature that saves
  your user name and password, and always log off when you're finished. That way, if your laptop is stolen, it's harder for a thief
  to access your personal information.
• Before you dispose of a computer, delete all the personal information it stored. Deleting files using the keyboard or mouse
  commands or reformatting your hard drive may not be enough because the files may stay on the computer's hard drive, where
  they may be retrieved easily. Use a "wipe" utility program to overwrite the entire hard drive.
• Look for website privacy policies. They should answer questions about maintaining accuracy, access, security, and control of
  personal information collected by the site, how the information will be used, and whether it will be provided to third parties. If
  you don't see a privacy policy - or if you can't understand it - consider doing business elsewhere.
For more information, see Site-Seeing on the Internet: A Traveler's Guide to Cyberspace, a publication from the FTC.
APPENDIX
It's The Law
Federal Law
The Identity Theft and Assumption Deterrence Act, enacted by Congress in October 1998 (and codified, in part, at 18 U.S.C.
§1028) makes identity theft a federal crime.
Under federal criminal law, identity theft takes place when someone "knowingly transfers, possesses or uses, without lawful
authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any
unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."
Under this definition, a name or Social Security number is considered a "means of identification." So is a credit card number,
cellular telephone electronic serial number, or any other piece of information that may be used alone or in conjunction with other
information to identify a specific individual.
Violations of the federal crime are investigated by federal law enforcement agencies, including the U.S. Secret Service, the FBI,
the U.S. Postal Inspection Service, and the Social Security Administration's Office of the Inspector General. Federal identity theft
cases are prosecuted by the U.S. Department of Justice.
For the purposes of the law, the FCRA defines identity theft to apply to consumers and businesses.
State Laws
Many states have passed laws making identity theft a crime or providing help in recovery from identity theft; others are
considering such legislation. Where specific criminal identity theft laws do not exist, the practices may be prohibited under other
laws. Contact your state Attorney General (for a list of state offices, visit www.naag.org) or local consumer protection agency for
laws related to identity theft, or visit www.consumer.gov/idtheft.
Instructions for Completing the ID Theft Affidavit/ID Theft Affidavit [PDF only]
Annual Credit Report Request Form [PDF only]
Privacy Policy
When you contact us with complaints or requests for information, you can do it online at www.consumer.gov/idtheft; by telephone,
toll-free at 1-877-ID-THEFT (438-4338); or by mail: Federal Trade Commission, Identity Theft Clearinghouse, 600 Pennsylvania
Avenue, NW, Washington, DC 20580. Before you contact us, there are a few things you should know.
We enter the information you send into the Identity Theft Clearinghouse, an electronic database. The Clearinghouse is a system
of records covered under the Privacy Act of 1974. In general, the Privacy Act prohibits unauthorized disclosures of the records it
protects. It also gives individuals the right to review records about themselves. Learn more about your Privacy Act rights and the
FTC's Privacy Act procedures by contacting the FTC's Freedom of Information Act Office: 202-326-2430;
www.ftc.gov/foia/privacy_act.htm.
The information you submit is shared with FTC attorneys and investigators. It also may be shared with employees of various
federal, state, or local law enforcement or regulatory authorities. The FTC also may share your information with some private
entities, such as consumer reporting companies and any companies you may have complained about, where it believes that doing
so might help resolve identity theft-related problems. You may be contacted by the FTC or any of the agencies or private entities
to whom your complaint has been referred. In some limited circumstances, including requests from Congress, the FTC may be
required by law to disclose information you submit.
You have the option to submit your information anonymously. However, if you do not provide your name and contact information,
law enforcement agencies and other organizations will not be able to contact you for more information to help in identity theft
investigations and prosecutions.
1-877-ID-THEFT (1-877-438-4338)
www.consumer.gov/idtheft
The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide
information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit
www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing,
identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil
and criminal law enforcement agencies in the U.S. and abroad.
February 2005
Attachment D:
“FACTA, The Fair and Accurate Credit Transactions Act:
Consumers Win Some, Lose Some”
Privacy Rights Clearinghouse, copyrighted material distributable for non-profit
educational use only.
www.privacyrights.org/fs/fs6a-facta.htm
Facts on FACTA, the Fair and Accurate Credit Transactions Act
Page 1 of 13
Fact Sheet 6(a):
Facts on FACTA
Copyright © 2004-2005.
Privacy Rights Clearinghouse / UCAN
April 2005.
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice: (619) 298-3396
Fax: (619) 298-5681
Web: www.privacyrights.org
Contact Us:
www.privacyrights.org/inquiryform.html
FACTA, The Fair and Accurate Credit Transactions Act:
Consumers Win Some, Lose Some
1. Introduction
2. Help for Identity Theft Victims
2A. Free Credit Reports
2B. Fraud Alerts and Active Duty Alerts
2C. Truncation: Credit Cards, Debit Cards, Social Security Numbers
2D. Information Available to Victims
2E. Collection Agencies
2F. Red Flags
2G. Disposal of Consumer Reports
3. Notice of Consumer Rights
4. Credit Scores
5. Disputing Inaccurate Information
6. Negative Information in a Consumer Report
7. Medical Information and Consumer Reports
8. Nationwide Specialty Consumer Reporting Agencies
9. Workplace Investigations
10. Information Sharing Among Affiliates – Opt-Out for Marketing
11. Risk-Based Pricing
12. FACTA Studies
13. References
1. Introduction
The Fair and Accurate Credit Transaction Act of 2003, Pub. L. 108-159, 111 Stat. 1952
(FACTA), added new sections to the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.
(FCRA), intended primarily to help consumers fight the growing crime of identity theft. Accuracy,
(FCRA) intended primarily to help consumers fight the growing crime of identity theft. Accuracy,
privacy, limits on information sharing, and new consumer rights to disclosure are included in
FACTA.
This is all good news for consumers. However, consumers came out on the losing end when
Congress virtually barred states from adopting stronger laws. 1
As of this writing, some new sections of FACTA are already in effect. Other sections will be
effective only after federal agencies solicit public comment and then adopt final regulations. In
addition to the Federal Trade Commission (www.ftc.gov), the federal financial agencies have
jurisdiction and are involved in writing regulations to implement FACTA.2
Generally, those FACTA provisions without a specific effective date will be effective December
1, 2004.
This guide is intended only as a brief summary of the new FACTA provisions. There are as yet
many details to be decided through regulations. We will revise and update these sections as
final federal regulations are published.
2. Help for Identity Theft Victims
The crime of identity theft has continued to grow at epidemic proportions. Several widely
reported surveys on the number of identity theft victims were released as Congress went into
final hearings on FCRA amendments. A shocking report released by the Federal Trade
Commission in September 2003 estimated that nearly 10 million people were victims of identity
theft in 2002 alone. To see the FTC’s analysis and other surveys on identity theft released in
the latter half of 2003, see the PRC publication, How Many Identity Theft Victims Are There?,
www.privacyrights.org/ar/idtheftsurveys.htm.
In response to new findings about identity theft, Congress adopted a number of FCRA
provisions aimed at prevention and help for victims. The Federal Trade Commission recently
published a revised guide for identity theft victims which includes new FACTA provisions. This
guide, titled Take Charge: Fighting Back Against Identity Theft, can be found at
www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
A. Free Reports
Consumer advocates have long encouraged you to monitor your credit report as a way to
detect identity theft. The standard advice was to request a copy of your credit report once a
year from each of the three national credit bureaus: Experian, TransUnion, and Equifax. Until
now, you usually had to pay up to $9.50 to get a copy of your report from each of these credit
bureaus.
Recognizing the benefit of self-monitoring, Congress adopted a new rule that allows you a free
copy of your credit report annually from each of the “big three.” (FCRA sec. 612 (a)(1)(A)&(B))
Congress left it to the Federal Trade Commission (FTC), through regulations, to set up the
procedure for obtaining your free reports.
When can I order my free credit report?
That depends on where you live. The rules on free credit reports are among the first
regulations adopted by the FTC. The procedure established by the FTC calls for a phase-in,
starting with the Western states, in December 2004. If you live on the East Coast, your right to
a free credit report will not take effect until September 2005. Here’s the phase-in schedule:
December 1, 2004: Alaska, Arizona, California, Colorado, Hawaii, Idaho,
Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming.
March 1, 2005: Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri,
Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin.
June 1, 2005: Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana,
Mississippi, Oklahoma, South Carolina, Tennessee, and Texas.
September 1, 2005: Connecticut, Delaware, District of Columbia, Maine,
Maryland, Massachusetts, New Hampshire, New Jersey, New York, North
Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia,
Puerto Rico, and all U.S. territories.
To order your free reports when they become available in your state, go to
www.annualcreditreport.com where you can order your reports directly or download the Annual
Credit Report Request form to mail in your request. You can also call 877-322-8228. The
World Privacy Forum has released a study that indicates that privacy-conscious consumers
may be better served by ordering their credit reports by phone or mail rather than online. See
www.worldprivacyforum.org/calldontclick.html for more details. And for more information about
access to free credit reports, see the Federal Trade Commission's Facts for Consumers at
www.ftc.gov/bcp/conline/pubs/credit/freereports.htm.
Even now, you are entitled to a free copy of your credit report if you live in one of seven states.
Those states are: Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and
Vermont.
Am I still entitled to a free credit report if I am unemployed?
Yes, and for other reasons as well. You can still get a free copy of your credit report if you
certify to the credit reporting agency that:
You are unemployed and intend to apply for employment in the 60-day period
beginning on the date you make the certification.
Or you receive public welfare assistance.
Or you believe your file contains inaccurate information due to fraud.
FACTA also gives you new rights to a free credit report if you are a victim of identity theft. For
more on this, see Section 2B below on fraud and active duty alerts.
In addition to free credit reports, FACTA gives you the right to one free report annually from a
consumer reporting agency that compiles reports on employment, medical records, check
writing, insurance, and housing rental history. For more on what FACTA calls “nationwide
specialty consumer reporting agencies,” see Section 8 below.
To review public comments submitted to the FTC from consumer advocates, industry
representatives, and others in response to the free credit report rule, see:
www.ftc.gov/os/comments/factafcr/index.html. For the final “free credit report” rule published by
the FTC on June 24, 2004, see www.ftc.gov/os/2004/06/040624factafreeannualfrn.pdf.
B. Fraud Alerts and Active Duty Alerts
If you are the victim of identity theft, FACTA gives you the right to contact a credit reporting
agency to flag your account. This new procedure, called a “fraud alert,” is already available by
law to consumers in some states. And, the three major credit bureaus, Experian, TransUnion,
and Equifax, have already voluntarily adopted this as standard procedure. To place a fraud
alert, you must provide proof of your identity to the credit bureau. The fraud alert is initially
effective for 90 days, but may be extended, at your request, for seven years.
FACTA also creates a new kind of alert, an active duty alert, that allows active duty military
personnel to place a notation on their credit report as a way to alert potential creditors to
possible fraud. While on duty outside the country, military members are particularly vulnerable
to identity theft and lack the means to monitor credit activity. An active duty alert is maintained
in the file for at least 12 months.
If a fraud alert or active duty alert is placed on your credit report, any business that is asked to
extend credit to you must contact you at a telephone number you provide or take other
“reasonable steps” to see that the credit application was not made by an identity thief. New
FACTA provisions also allow you to “block” certain items on your credit report that resulted
from identity theft. Like the fraud alert, “blocking” was already an option for consumers in some
states. With FACTA, Congress has made “blocking” the national standard.
FACTA gives you the right to a free copy of your credit report when you place a fraud alert.
With the extended alert (seven years), you are entitled to two free copies of your report during
the 12-month period after you place the alert.
Congress directed the FTC to issue regulations to fine-tune procedures for fraud alerts and
active duty alerts. Significant portions of this rulemaking include adopting a definition of
“identity theft” as well as standards for what constitutes “proper identity” required to place a
fraud alert or active duty alert.
The FTC's proposed regulations to implement the alert sections of FACTA were published on
April 21, 2004. www.ftc.gov/opa/2004/04/factafrn0421.htm. To see comments submitted in
response to this proposal, go to www.ftc.gov/os/comments/factaidt/index.htm. The PRC joined
Consumers Union and other consumer organizations in commenting on this proposal.
www.ftc.gov/os/comments/factaidt/EREG-000002.htm
C. Truncation: Credit Cards, Debit Cards, Social Security Numbers
Receipts that include full account numbers and expiration dates are a gold mine for identity
thieves. In some states, full printing of this information is already prohibited. For the future,
FACTA sets a national standard for truncation of card information.
FACTA says receipts for credit and debit card transactions may not include more than the last
five digits of the card number or expiration date. However, the effective date of this provision is
a long way off, and there are a couple of loopholes:
This section does not apply to receipts for which the sole means of recording a
credit or debit card number is by handwriting or by an imprint or copy of the card.
For machines in use before January 1, 2005, the merchant has three (3) years to
comply.
For machines in use after January 1, 2005, the merchant has one (1) year to
comply.
Another FACTA section allows consumers who request a copy of their file to also request that
the first 5 digits of their Social Security number (or similar identification number) not be
included in the file. This section takes effect December 1, 2004.
D. Information Available to Victims
For victims, obtaining copies of the imposter’s account application and transactions is an
important step toward regaining financial health. Effective June 1, 2004, a business that
provides credit or products and services to someone who fraudulently uses your identity must
give you copies of documents such as applications for credit or transaction records. The
business must also provide copies of documents to any Federal, state, or local law
enforcement agency you specify.
To obtain information, you must supply proof of your identity. Usually this would be the same
type of identifying information necessary to open an account. The business may ask you to
provide a police report and an identity theft affidavit. For a copy of the FTC’s fraud affidavit,
see www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf. You must also:
Make your request in writing.
Mail the request to the business at an address it specifies.
If the business asks, include relevant information about dates and account
numbers.
Are there reasons a business would not have to give me this information?
Yes, there are some exceptions. A business does not have to provide this information if:
There is not a "high degree of confidence" in your true identity.
The request contains a misrepresentation of fact.
The information is Internet navigational data or similar information about a
person's visit to a web site or online service.
Can I sue a business for not turning information over to me?
The business can be sued only by a government agency. And the business cannot be held
civilly liable if it makes a “good faith” effort to comply.
E. Collection Agencies
A call from a collection agency is often the first sign of trouble for an identity theft victim. Under
FACTA, if you are contacted by a collection agency about a debt that resulted from the theft of
your identity, the collector must so inform the creditor. You are entitled to receive all
information about this debt (such as applications, account statements, late notices from the
creditor) that you would be entitled to see if the debt were actually yours. In addition, FACTA
now says that a creditor, once notified that the debt is the work of an identity thief, cannot sell
the debt or place it for collection. The new sections relating to collection of debt are effective
December 1, 2004.
For more on collection agencies, see Debt Collection Practices: When Hardball Tactics Go
Too Far, www.privacyrights.org/fs/fs27-debtcoll.htm.
F. Red Flags
Financial institutions must adopt procedures designed to spot identity theft before it occurs.
Certain events such as a change of address, a request for a replacement credit card, or efforts
to reactivate a dormant credit card account may signal a potential fraud. Consumer advocates
have long pointed out that consumers can only go so far in protecting against identity theft,
and that much of the problem lies with lax procedures on the part of business.
FACTA requires the FTC and the federal banking agencies to adopt regulations that establish
guidelines. As of this writing, “red flag” regulations have not been published for public
comment. The FTC and the banking agencies have existing security guidelines and
regulations adopted under the Gramm-Leach-Bliley Act (15 USC §6801-6809). In October
2003, the banking agencies published proposed regulations to establish guidelines for notice
to customers of a security breach. The PRC’s comments to these proposed regulations can be
found at www.privacyrights.org/ar/secybreach.htm
Once final, FACTA’s “red flag” regulations along with the agencies’ existing security
regulations should provide greater protection for consumer data.
G. Disposal of Consumer Reports
In the past, the practice known as “dumpster diving” has provided identity thieves with a wealth
of personal data. Irresponsible information disposal by businesses has been cited in numerous
instances of fraud. Now, under new FACTA provisions, consumer reporting agencies and any
business that uses a consumer report must adopt procedures for proper disposal.
The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA)
have published proposed regulations to implement the new FACTA Disposal Rule. To see the
comments submitted by the PRC and other consumer organizations in response to these rule
proposals, see:
www.privacyrights.org/ar/NCUADocDisposal.htm;
www.privacyrights.org/ar/FTC-DocDisposal.htm,
www.privacyrights.org/ar/FDIC-DocDisposal.htm
3. Notice of Consumer Rights
Reporting agencies have a new obligation to give identity theft victims a notice of rights. This
includes, among other things, notice of: (1) the right to file a fraud alert, (2) the right to block
information in a report that resulted from fraud, and (3) the right to obtain copies of documents
used to commit fraud. This new notice of rights is in addition to a general notice of rights
already required by earlier FCRA amendments. The FTC has issued proposed regulations and
a sample copy of the identity theft rights. www.ftc.gov/os/2004/07/040709fcrafrnfinal.pdf Under
the FTC’s proposal, consumers who report fraud to a consumer reporting agency will receive
the special victims’ notice of rights. The comment period ends August 16, 2004.
4. Credit Scores
It has become increasingly common for lenders to make decisions based upon a “score.” Until
recently, consumers did not have access to their score or information about the factors that
made up the score. Common sense says a series of late payments can lead to a bad credit
rating. However, a “score” is determined by other factors as well, and to give you the chance to
improve your score, you should know how the score is calculated.
Even if you do not have a history of late payments, your score may be lowered if your credit
card balance is close to the limit or if you are just starting out with using credit. If you are
looking for a car loan or thinking of refinancing your mortgage, it is a good idea to check your
score before you apply for new credit.
What is a credit score?
FACTA defines a “credit score” as:
A numerical value or categorization derived from a statistical tool or modeling system used by
a person who makes or arranges a loan to predict the likelihood of certain credit behaviors,
including default (and the numerical value or the categorization derived from such analysis
may also be referred to as a “risk predictor” or “risk score”). (FCRA §609(f)(2))
The definition does not include a mortgage score. FACTA provides separate requirements for
scores generated for home loans and mortgage lenders. (FCRA §609(g))
Under new FACTA provisions, consumers may request a credit score including an explanation
of the factors that went into computing the score. Consumers will be charged a “reasonable”
fee, which is to be determined by regulations to be later published by the FTC. The FTC is
currently conducting a study of scores used for credit and insurance purposes as well as a
number of other studies required by FACTA. www.ftc.gov/opa/2004/06/fyi0437.htm
For more on credit scores:
See the FTC publication,
www.ftc.gov/bcp/conline/pubs/credit/scoring.htm.
Visit the web site for Fair Isaac, the company that originally developed the credit
scoring model, www.myfico.com
For information on credit scores used by insurers, see the PRC publication, CLUE
and You: How Insurers Size You Up, www.privacyrights.org/fs/fs26-CLUE.htm
5. Disputing Inaccurate Information
By its very name, the Fair and Accurate Credit Transactions Act places new emphasis on
accuracy of information in consumer reports. In a recent study, the U.S. Public Interest
Research Group (USPIRG) found that one in four credit reports contain serious errors. To read
the PIRG Report, go to: http://uspirg.org/uspirgnewsroom.asp?id2=13650&id3=USPIRGnewsroom&.
For other studies on credit reports, see Section 12 at the
end of this guide.
Previously, disputes about the accuracy of information in a consumer report had to be made
directly to the consumer reporting agency. Under new FACTA provisions, a consumer may
dispute inaccurate information directly with a “furnisher,” that is, a creditor that is a financial
institution. Upon notice of disputed information, the furnisher must investigate and cannot
report negative information while the investigation is pending.
Furnishers notified that information is the result of identity theft must not report that information
to a consumer reporting agency. Consumers must now also be given notice before negative
information is reported to a consumer reporting agency.
The new obligations for furnishers of information should be effective December 1, 2004, after
final regulations are published. The FTC is currently soliciting public comment on revisions to
existing directives for furnishers of information. www.ftc.gov/opa/2004/07/factasum.htm
6. Notice of Negative Information
The number one tip for detecting identity theft is to check your credit report. Erroneous
information about late payments and collection actions is what you don’t want to see. If you are
like a lot of people, ordering your credit report is probably high on your “to do” list, but it never
seems to get to the top of that list.
FACTA now requires creditors to give you what might be called an “early warning” notice. This
notice could alert you that something is amiss with an account. However, the notice is not a
substitute for your own close monitoring of credit reports, bank accounts, and credit card
statements. And, you may have to look closely to even see this new notice.
Starting in December 2004 a financial institution that extends credit must send you a notice
before or no later than 30 days after negative information is furnished to a credit bureau.
Negative information includes late payments, missed payments, partial payments, or any other
form of default on the account.
Does this apply only to my accounts with a bank?
No. A “financial institution” has the same meaning as under the Gramm-Leach-Bliley Act. In
addition to a bank, this can mean a merchant that extends credit to you or a collection agency
that routinely reports information to a credit bureau. For more on non-bank entities that are
considered “financial institutions,” see the FTC publication, How To Comply with the Privacy of
Consumer Financial Information Rule of the Gramm-Leach-Bliley Act,
www.ftc.gov/bcp/conline/pubs/buspubs/glblong.htm
Do I get a notice every time the account is delinquent?
It’s a one-time notice as long as the late payment or other negative information has to do with
the same account. After the one-time notice, the financial institution can continue to report
negative information about the same account. For example, if you are late on your credit card
payment three months straight, you are only entitled to the notice either before or within 30
days after the first late payment is reported.
Will I receive a separate notice or registered letter?
You will almost certainly not receive a registered letter. FACTA requires the financial institution
to give you this notice along with “any notice of default, any billing statement, or any other
materials provided to [you].” The one place the notice cannot appear is in the Truth in Lending
Act notice you get when you first open an account. The notice must be “clear and
conspicuous,” but need not be in bold or enlarged type.
The Federal Reserve Board (www.federalreserve.gov) was directed by Congress to write
sample notices for financial institutions. The Board has finalized the regulation, at
www.federalreserve.gov/BoardDocs/Press/bcreg/2004/200406082/default.htm. The sample
notices adopted by the Federal Reserve Board are short and to the point:
Notice before negative information is reported:
We may report information about your account to credit bureaus.
Late payments, missed payments, or other defaults on your account
may be reflected in your credit report.
Notice after negative information is reported:
We have told a credit bureau about a late payment, missed payment
or other default on your account. This information may be reflected
in your credit report.
Will the notice let me know when I’m a victim of identity theft?
Not always. When an imposter opens up a new credit account in your name, the thief usually
establishes an address different from yours. The address might be a post office box or a
vacant apartment used as a mail-pickup by the thief. When the imposter fails to pay on the
credit card account, which is usually the case, the creditor will send the warning notice to the
address associated with the account. And that is not your address. So you will be in the dark
about the impending negative notice to your credit report.
The negative information will be recorded in your credit report. That is why we emphasize the
importance of ordering your credit report at least once a year. If you are a victim of identity
theft, you will learn of it on your credit report.
As you learned in Section 2.A above, FACTA gives consumers the ability to obtain one free
credit report per year from each of the three credit bureaus. The major reason the law requires
credit bureaus to provide free annual credit reports is so individuals can check for identity theft.
We strongly encourage you to take advantage of this provision of FACTA. To learn when you
can order your free report, go back to Section 2.A for the roll-out schedule.
In short, you should not be lulled into a false sense of security just because a creditor must
send you a notice before posting negative information to your credit report. Identity thieves
operate in various ways. They might attempt to take over your existing accounts. And they
might open up new accounts unbeknownst to you. Your best defense against fraud is always
close and frequent review of your credit reports and your monthly credit card and bank account
statements.
7. Medical Information and Consumer Reports
If you’re like most people, privacy of your medical information is a top priority. A major concern
is that medical information may be used when you apply for a job or refinance your mortgage.
Even when medical information is protected in one area, it may still be disclosed through other
means.
A good example of this is the credit report. A collection action noted on a credit report that
names a medical facility as creditor could inadvertently reveal an underlying medical condition.
This is a significant threat since the Federal Reserve Board found in a 2003 study that over
half the collections reported on credit reports are for medical debt. To read this study, see An
Overview of Consumer Data and Credit Reporting,
www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf
Under a new FACTA provision, consumer reporting agencies may not report the name,
address, and telephone number of any medical creditor unless the information is provided in
codes that do not identify or infer the provider of care or the individual’s medical condition. This
does not apply to insurance companies selling other than property and casualty insurance.
(FCRA §605(a)(6))
Another section of FACTA says a creditor may not obtain or use medical information to make
credit decisions. (FCRA §604(g)(2)). But, there are exceptions, and federal banking agencies
were directed to issue regulations to cover uses of medical information to protect “legitimate
operational, transactional, risk, consumer, and other needs.” (FCRA §604(g)(5)(A))
The banking agencies published regulations for comment on medical information and credit.
However, the regulations are not final as of this writing. To see the comments submitted by the
PRC in response, see www.privacyrights.org/ar/MedFACTA.htm.
Is my consent needed to disclose medical information to an employer?
Yes. Even before FACTA, your consent was required to disclose medical information to an
employer or for credit or insurance. Now, under FACTA, your consent to use medical data for
employment and credit purposes must be specific and in writing. Further, the consent request
must use “clear and conspicuous language” about how the information will be used. FACTA
also requires that the medical information requested for employment or credit purposes be
“relevant.” (FCRA §605(a)(6)) The same standard does not apply to insurance.
8. Nationwide Specialty Consumer Reporting Agencies
Consumer reports are generally thought to mean “credit” reports issued by one of the three
national credit bureaus: Experian, TransUnion, or Equifax. However, consumer reports may
also be issued for purposes other than credit applications. The FCRA also covers reports for
insurance, employment, check writing and housing rental history. (FCRA sec. 612 (a)(1)(C))
Such reports are quite common and a number of companies now specialize in providing reports
for these specific purposes.
FACTA defines companies that issue non-credit reports as a “nationwide specialty consumer
reporting agency” when reports relate to:
Medical records or payments.
Residential or tenant history.
Check writing history.
Employment history.
Insurance claims.
Starting in December 2004, consumers may request a free report annually for any of the
specialty CRAs.
The FTC has declined to publish a list of companies that meet the definition of “nationwide
specialty consumer reporting agencies.” For some specialties such as employment and rental
history, there are many companies that meet the definition of consumer reporting agency and
that follow the FCRA. Other specialties are dominated by one or two companies.
Medical Records: Medical Information Bureau (www.mib.com) For more on the MIB,
see PRC Fact Sheet 8, How Private is my Medical Information,
http://www.privacyrights.org/fs/fs8-med.htm
Insurance Reports: ChoicePoint's CLUE (www.choicetrust.com) and Insurance
Services Office ISO A-PLUS Report, (www.iso.com/offices_contacts/index.html). For
more on insurance reports, see PRC Fact Sheet 26, CLUE and You: How Insurers Size
You Up, www.privacyrights.org/fs/fs26-CLUE.htm
Check Writing History: ChexSystems (www.chexsystems.com). To order your report,
visit www.consumerdebit.com/consumerinfo/us/en/chexsystems/report/index.htm
9. Workplace Investigations
FACTA sets a new standard for what the law calls "employee misconduct investigations."
What is an "employee misconduct investigation"?
This is an investigation conducted by a third-party your employer may hire if the employer
suspects you of:
Misconduct relating to your employment.
A violation of federal, state, or local laws or regulations.
A violation of any preexisting written policies of the employer.
Noncompliance with the rules of a self-regulatory organization, that, for example,
oversees the securities and commodity futures industry.
Why was this change made to the FCRA?
This section was adopted to make it clear that employers do not have to get permission to
conduct a misconduct investigation. Prior to this, FTC staff issued an opinion letter, the
so-called Vail Letter (www.ftc.gov/os/statutes/fcra/vail.htm), that said the disclosure and consent
requirement of FCRA applies even when an employee is suspected of misconduct and the
employer hires an outside investigator. Employers objected to this interpretation of the law
because they felt that obtaining consent would tip off the employee to an investigation. (Note:
California law already includes an exception for workplace misconduct investigations.
www.privacyrights.org/fs/fs16a-califbck.htm.)
If my employer suspects me of misconduct, what does this mean for me?
It means your employer does not have to give you notice and get your permission to conduct a
misconduct investigation. Like other inquiries covered by the FCRA, this only applies if the
employer hires an outside party to conduct the investigation.
It also means you will not receive a notice of your rights as others who are subject to a
standard employment background check normally would. If, at the end of the investigation, the
employer decides to take some action against you, you receive the "adverse action" notice
only after the action has been taken.
You will receive only a "summary" of the investigation report, but not the more detailed report
that may include sources.
Who will see the investigation report?
The report may be communicated to:
The employer or its agent.
Any federal or state officer, agency or department, or any officer, agency or
department of a unit of general local government.
Any self-regulatory organization with regulatory authority over the activities of the
employer or the employee.
Others, as otherwise required by law; or
A government agency, in accordance with an existing FCRA section that allows a
consumer reporting agency to disclose personal identifying information to a
government agency.
Can I dispute the findings?
Not under the FCRA dispute procedure. That is because this new section on workplace
misconduct investigations was established by removing this type of investigation from the
definition of "consumer report." Thus, the usual protections that apply to a consumer report
conducted for employment purposes do not apply to workplace misconduct investigations. If
you find yourself in this position, you will probably want to seek the advice of an employment
law attorney.
10. Information Sharing Among Affiliates – Opt-Out for Marketing
FACTA will give consumers a new opt-out to stop a corporation’s affiliates from sharing
consumer data for marketing purposes. This opt-out is in addition to the existing opt-out
choices for information shared with third-party non-affiliates and an existing opt-out under the
FCRA.
For more on the existing opt-outs, see PRC Fact Sheet 24, Protecting Financial Privacy in the
New Millennium: The Burden Is on You, www.privacyrights.org/fs/fs24-finpriv.htm and Fact
24a, Financial Privacy: How to Read Your Opt-Out Notices, www.privacyrights.org/fs/fs24a-optout.htm.
Existing provisions of the FCRA allow affiliates to share information about your “experience
and transactions.” But that section of the FCRA enables you to stop affiliates from sharing
information about your “credit-worthiness,” also sometimes called “application information.”
FACTA does not change these procedures, but adds a new opt-out choice to stop information
sharing among affiliates when the purpose is for marketing. You now have the ability to
prevent the affiliate receiving your information from soliciting you for its products and services.
The FTC and the federal banking agencies have proposed regulations to create this new
opt-out procedure. www.ftc.gov/opa/2004/06/factaaffiliate.htm
How and when will I be able to opt-out?
The details will be known only after the agencies issue final regulations. An important question
for the agencies is whether this new opt-out will be included in a separate notice or whether it
will be included along with the notice already required. The section of FACTA that establishes
the affiliate opt-out provision allows the notice to be included with other notices. The statute
also specifies that the notice should be “concise” and “simple.” In addition, this opt-out is in
effect for five years, with another five-year extension available.
To help prevent confusion, we believe the FTC and banking agencies should move forward in
considering a short form opt-out that includes all consumer choices. To read the comments
provided by the PRC and other consumer organizations on a short form notice, visit these web
pages: www.privacyrights.org/ar/ftc-noticeANPR.htm, and
www.privacyrights.org/ar/GLBshort.htm
Does this change the right of California consumers?
No. California law on financial privacy, SB1, took effect July 1, 2004. Its provisions on opting
out of affiliate sharing are stronger than federal law. SB1 enables individuals to opt-out of most
sharing of customer data among a corporation’s affiliates, not just for marketing.
The affiliate sharing opt-out provision of the California law was challenged by an industry
lawsuit, although to date, the law has been upheld by a US District Court. The decision is on
appeal to the Ninth Circuit Court of Appeals. www.privacyrights.org/ar/SB1decision.htm
11. Risk-Based Pricing
The amount you pay in interest can vary greatly. If you have a poor credit history, you will
usually have to pay a higher rate than people with a good history of repayments. Like
everyone else, you probably receive direct mail or other solicitations quoting exceptionally low
interest rates. But, if you apply for the loan or credit card, the interest rate may end up being
several points higher than originally quoted.
A new section of FACTA (FCRA §615(h)) says you must receive a notice if you are offered
credit on terms that are “materially” less favorable than others you received from the creditor.
In short, this covers the situation where you apply for a loan and, although you get the loan,
you have to pay a higher interest rate than most people because of something in your credit
history. If this happens, you are entitled to notice plus a free copy of your credit report.
The FTC and the banking agencies will address the details of this notice requirement through
rulemaking. Regulations to implement §615(h) have not yet been published as of this writing.
However, this notice requirement appears in a recent FTC proposal to amend the notice consumer
reporting agencies are required to make to “users” of consumer reports.
www.ftc.gov/os/2004/07/040709fcraappxh.pdf
12. FACTA Studies
The FTC and other federal agencies have been directed by Congress to conduct several
studies of the credit reporting industry. The results of these studies, when combined with
earlier studies (see Section 13 below), may help to improve reporting accuracy and consumer
awareness. The FTC is currently seeking public comment as part of the studies. The topics
under consideration are:
Same Report Study (Should a consumer who receives an "adverse action"
receive the same copy of the consumer report obtained by the "user?")
Accuracy Study.
Agency Information Collection Activities Study
Credit and Insurance Score Study
For more about these studies, visit the FTC web site at www.ftc.gov/os/statutes/fcrajump.htm
13. References
Federal Law
The Fair Credit Reporting Act, as amended by FACTA.
http://www.ftc.gov/os/statutes/031224fcra.pdf
H.R. 2622
http://thomas.loc.gov/cgi-bin/query/D?c108:6:./temp/~c108dhfyQ2:
This is the version of the House of Representatives Bill that was passed by
Congress and signed by the President.
H.R. 2622 (To view all versions)
http://thomas.loc.gov/cgi-bin/query
Gramm-Leach-Bliley Act, 15 USC §6801-6809,
www4.law.cornell.edu/uscode/15/6801.html
PRC Publications
How Private is My Credit Report?
www.privacyrights.org/fs/fs6-crdt.htm
How Private Is My Medical Information?
www.privacyrights.org/fs/fs8-med.htm
Employment Background Checks: A Jobseeker's Guide,
www.privacyrights.org/fs/fs16-bck.htm
Coping with Identity Theft: Reducing the Risk of Fraud,
www.privacyrights.org/fs/fs17-it.htm
Identity Theft: What to Do if It Happens to You,
www.privacyrights.org/fs/fs17a.htm
Financial Privacy: How to Read Your "Opt-Out" Notices,
www.privacyrights.org/fs/fs24a-optout.htm
CLUE and You: How Insurers Size You Up
www.privacyrights.org/fs/fs26-CLUE.htm
Debt Collection Practices: When Hardball Tactics Go Too Far,
www.privacyrights.org/fs/fs27-debtcoll.htm
Other Studies of Interest
One in Four Credit Reports Contains Errors Serious Enough To Wreak Havoc for
Consumers, U.S. PIRG, June 17, 2004,
http://uspirg.org/uspirgnewsroom.asp?id2=13650&id3=USPIRGnewsroom&
An Overview of Consumer Data and Credit Reporting, Board of Governors of the
Federal Reserve, Feb. 2003,
www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf
Credit Score Accuracy and Implications for Consumers, Consumer Federation of
America, December 17, 2002,
www.consumerfed.org/121702CFA_NCRA_Credit_Score_Report_Final.pdf
Consumers Lack Essential Knowledge, and Strongly Support New Protections, on
Credit Reporting and Credit Scores, Consumer Federation of America Survey, July 28,
2003,
www.consumerfed.org/072803creditscores.html
Additional Resources
Analysis of the Fair and Accurate Credit Transactions Act of 2003, Pub. L. No.
108-159 (2003), National Consumer Law Center,
www.nclc.org/initiatives/facta/nclc_analysis.shtml
After the FACT Act: What States Can Still Do to Prevent Identity Theft,
Consumers Union,
www.consumersunion.org/pub/core_financial_services/000756.html
Federal Trade Commission, FCRA Homepage, FACT Act Actions,
www.ftc.gov/os/statutes/fcrajump.htm
Federal Trade Commission, Identity Theft Homepage,
www.consumer.gov/idtheft/
1 For more on the subject of state preemption, see the analysis of the National Consumer Law Center
(www.nclc.org/initiatives/facta/nclc_analysis.shtml) as well as a separate analysis by Consumers Union
(www.consumersunion.org/pub/core_financial_services/000756.html).
2 The financial agencies are: Office of Comptroller of Currency (www.occ.treas.gov); Office of Thrift Supervision (www.ots.treas.gov); Federal Deposit
Insurance Corporation (www.fdic.gov); Federal Reserve Board (www.federalreserve.gov); and the National Credit Union Administration
(www.ncua.gov).
The Privacy Rights Clearinghouse developed this guide with funding from
the Rose Foundation Consumer Privacy Rights Fund.
Copyright © 2004-2005. Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit,
educational purposes only. For distribution of this fact sheet, see our copyright and reprint guidelines. The text of this document may not be
altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as
legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may
vary. Overall, our fact sheets are applicable to consumers nationwide.