July Short term and extended term fraud alerts, Short term and extended term active duty alerts,

Transcription

1 FEDERAL AND STATE IDENTITY THEFT PROTECTION LAWS Elizabeth A. Huber, Esq. Hudson Cook, LLP 2361 Rosecrans Ave., Suite 355 El Segundo, CA Telephone Fax July 2004 NEW FEDERAL IDENTITY THEFT PROTECTION LAWS The Fair and Accurate Credit Transactions Act of 2003 ( FACT Act )1 brought to the national scene identity theft protection laws for all consumers. The FACT Act includes not only an indefinite extension of certain preemptions of state law that were due to sunset as of December 31, 2003, but also significant amendments to the Fair Credit Reporting Act ( FCRA )2 adding a wide array of consumer protections, many focused on identity theft protection. The notable amendments to the FCRA include: Short term and extended term fraud alerts, Short term and extended term active duty alerts, Blocking information in a consumer s credit file resulting from identity theft, Providing a Summary of Rights of Identity Theft Victims, Releasing copies of business transaction records that are the result of identity theft, and Maintaining procedures by furnishers of credit information to prevent the reintroduction of inaccurate information in a consumer s credit file. Both before and subsequent to the passage of the FACT Act, state legislatures have been busy passing state identity theft protection laws. The focus of this paper is on those federal and state civil laws aimed at protecting consumers from, and providing aid subsequent to, an identity theft.3 1 Pub. L , 117 Stat. 1952, December 4, U.S.C et seq. 3 Under the FCRA as amended by the FACT Act, the term identity theft means a fraud committed using the identifying information of another person, subject to such further definition as the Federal Trade 2004 Hudson Cook, LLP Page 1

2 ONE-CALL FRAUD ALERTS Consumers may now place a 90-day fraud alert 4 with nationwide credit reporting agencies. Section 112 of the FACT Act added new Section 605A to the FCRA. Upon the direct request of a consumer, or an individual acting on behalf of or as a personal representative of a consumer, who asserts in good faith a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft,5 a consumer reporting agency ( CRA )6 that maintains a file on the consumer and has received appropriate proof of the identity of the requester must (A) Include a fraud alert in the file of that consumer, and also provide that alert along with any credit score generated in using that file, for a period of not less than 90 days, beginning on the date of such request, unless the consumer or such representative requests that such fraud alert be removed before the end of such period, and the consumer reporting agency has received appropriate proof of the identity of the requester for such purpose; and (B) Refer the information regarding the fraud alert to each of the other nationwide consumer reporting agencies, in accordance with procedures developed under section 621(f).7 In any case in which a consumer reporting agency includes a fraud alert in the file of a consumer pursuant to the foregoing procedures, the consumer reporting agency must also disclose to the consumer that he or she may request a free copy of his or her credit file, and provide to the consumer all disclosures required to be made under FCRA Section 609, without charge to the consumer, not later than three business days after any Commission ( FTC ) may prescribe, by regulation. 15 U.S.C. 1681a(q)(3), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, A fraud alert means a statement in the consumer s credit file with a credit reporting agency that notifies all prospective users of a consumer report that the consumer may be a victim of fraud, including identity theft, and is presented in a manner that facilitates a clear and conspicuous view of the statement by any person requesting such a report. 15 U.S.C. 1681a(q)(2) as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, Identity Theft means a fraud committed using the identifying information of another person, subject to such further definition as the FTC may prescribe, by regulation. FCRA 603(q)(3) as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, The term consumer reporting agency that compiles and maintains files on a nationwide basis means a CRA that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer s creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide: (1) Public record information; (2) Credit account information from persons who furnish that information regularly and in the ordinary course of business. FCRA 603(p), 15 U.S.C. 1681a(p). 7 FCRA 605A(a)(1) Hudson Cook, LLP Page 2

3 request.8 The consumer would seem to have some responsibility to review the credit report ordered to ensure that no information appears in the credit file that does not belong to the consumer. EXTENDED FRAUD ALERTS Consumers may only place an extended fraud alert on their credit file with a nationwide consumer reporting agency if they have filed an identity theft report. 9 Upon the direct request of a consumer, or an individual acting on behalf of or as a personal representative of a consumer, who submits an identity theft report to a consumer reporting agency, if the agency has received appropriate proof of the identity of the requester, the agency must (A) Include a fraud alert in the file of that consumer, and also provide that alert along with any credit score generated in using that file, during the seven-year period beginning on the date of such request, unless the consumer or such representative requests that such fraud alert be removed before the end of such period and the agency has received appropriate proof of the identity of the requester for such purpose; (B) During the five-year period beginning on the date of such request, exclude the consumer from any list of consumers prepared by the consumer reporting agency and provided to any third party to [make a firm] offer credit or insurance to the consumer as part of a transaction that was not initiated by the consumer, unless the consumer or such representative requests that such exclusion be rescinded before the end of such period; and (C) Refer the information regarding the extended fraud alert to each of the other nationwide consumer reporting agencies.10 8 FCRA 605A(a)(2). Section 211 of the FACT Act adds a new subsection (d), Free Disclosures in Connection with Fraud Alerts, to Section 612 of the FCRA. Upon the request of a consumer, a nationwide consumer reporting agency must make all disclosures pursuant to FCRA Section 609, without charge to the consumer. 9 Identity Theft Report has the meaning given that term by rule of the Commission, and means, at a minimum, a report (A) that alleges an identity theft; (B) that is a copy of an official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency, including the United States Postal Inspection Service, or such other government agency deemed appropriate by the Commission; and (C) the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information if, in fact, the information in the report is false. FCRA 603(q)(4), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(b)(1) Hudson Cook, LLP Page 3

4 As is the case with the one-call, 90-day fraud alert, a consumer has a right to obtain a free credit report. In any case in which a consumer reporting agency includes a fraud alert in the file of a consumer, the consumer reporting agency must disclose to the consumer that the consumer may request two free copies of his or her credit file during the 12-month period beginning on the date on which the extended fraud alert was included in the files; and provide to the consumer all disclosures required to be made under FCRA Section 609, without charge to the consumer, not later than three business days after any request.11 ACTIVE DUTY ALERTS The process for active duty alerts 12 works similarly to that for one-call and extended fraud alerts, discussed above. Upon the direct request of an active duty military consumer or an individual acting on behalf of or as a personal representative of an active duty military consumer, a nationwide consumer reporting agency that maintains a file on the active duty military consumer and has received appropriate proof of the identity of the requester must: (A) Include an active duty alert in the file of that active duty military consumer, and also provide that alert along with any credit score generated in using that file, during a period of not less than 12 months, or such longer period as the Commissioner shall determine, by regulation, beginning on the date of the request, unless the active duty military consumer or such representative requests that such fraud alert be removed before the end of such period, and the agency has receive appropriate proof of the identity of the requester for such purpose; (B) During the two-year period beginning on the date of request for an active duty alert, exclude the active duty military consumer from any list of consumers prepared by the consumer reporting agency and provided to any third party to [make a firm] offer of credit or insurance to the consumer as part of a transaction that was not initiated by the consumer, unless the consumer requests that such exclusion be rescinded before the end of such period; and (C) Refer the information regarding the active duty alert to each of the other nationwide consumer reporting agencies FCRA 605A(b)(2). 12 Active Duty Alert means a statement in the file of a consumer that (A) notifies all prospective users of a consumer report relating to the consumer that the consumer is an active duty military consumer; and (B) is presented in a manner that facilitates a clear and conspicuous view of the statement described in (A) by any person requesting such consumer report. FCRA 603(q)(2), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(c) Hudson Cook, LLP Page 4

5 PROCEDURES, NOTIFICATION, DISCLOSURES AND VERIFICATION Each nationwide consumer reporting agency14 must establish policies and procedures (1) to comply with the foregoing one-call and extended fraud alerts and active duty alerts, and (2) that allow consumers and active duty military consumers to request initial, extended, or active duty alerts in a simple and easy manner, including by telephone.15 What about consumer credit reporting agencies other than nationwide consumer reporting agencies? If a consumer contacts any consumer reporting agency that is not a nationwide consumer reporting agency to communicate a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft, the agency must provide information to the consumer on how to contact the FTC and the nationwide consumer reporting agencies to obtain more detailed information and request alerts under this section.16 Resellers17 of credit file information also have responsibilities under this new section. A reseller must include in its consumer credit report any fraud alert or active duty alert placed in the consumer s file by another consumer reporting agency.18 Each fraud alert and active duty alert reported in or with a credit report by a consumer reporting agency must include information that notifies all prospective users that the consumer does not authorize the establishment of any new credit plan19 or extension of credit, other than under an existing open-end credit plan, in the name of the consumer, or issuance of an additional card on an existing credit account requested by a consumer, or any increase in credit limit on an existing credit account requested by a consumer, except in accordance with certain verification procedures.20 In connection with extended fraud alerts and active duty alerts, the consumer reporting agency must 14 See footnote FCRA 605A(d). 16 FCRA 605A(g). 17 Reseller means a consumer reporting agency that (1) assembles and merges information contained in the database of another consumer reporting agency or multiple consumer reporting agencies concerning any consumer for purposes of furnishing such information to any third party, to the extent of such activities; and (2) does not maintain a database of the assembled or merged information from which new consumer reports are produced. FCRA 603(u), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(f). 19 New credit plan means a new account under an open-end credit plan (as defined in section 103(i) of the Truth in Lending Act) or a new credit transaction not under an open-end credit plan. FCRA 603(q)(5), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(h)(1)(A), (2)(A) Hudson Cook, LLP Page 5

6 also include in the consumer report to a user a telephone number or other reasonable contact method designated by the consumer.21 No prospective user of a consumer report that includes an initial fraud alert or an active duty alert may establish a new credit plan or extension of credit, other than under an exiting open-end credit plan, in the name of the consumer, or issue an additional card on an existing credit account requested by a consumer, or grant any increase in credit limit on an existing credit account requested by a consumer, unless the user utilizes reasonable policies and procedures to form a reasonable belief that the user knows the identity of the person making the request. If a consumer requesting the alert has specified a telephone number to be used for identity verification purposes, before authorizing any new credit plan or extension, a user of such consumer report must contact the consumer using that telephone number, or take reasonable steps to verify the consumer s identity and confirm that the application for a new credit plan is not the result of identity theft.22 No prospective user of a consumer report or of a credit score generated using the information in the file of a consumer that includes an extended fraud alert may establish a new credit plan or extension of credit, other than under an existing open-end credit plan, or issue an additional card on an existing credit account requested by a consumer, or any increase in credit limit on an existing credit account requested by a consumer, unless the user contacts the consumer in person or using the contact method provided by the consumer to confirm that the application for a new credit plan or increase in credit limit, or request for an additional card is not the result of identity theft.23 BLOCKING INFORMATION IN A CONSUMER CREDIT REPORT Section 152 of the FACT Act added to the FCRA the ability of the consumer to block information in a credit file that resulted from identity theft, thereby helping consumers recover their good credit standing. A consumer reporting agency must block the reporting of any information in the file of a consumer that the consumer identifies as information that resulted from an alleged identity theft, not later than four business days after the date of receipt of such consumer reporting agency of -- (1) Appropriate proof of the identity of the consumer; (2) A copy of an identity theft report; (3) The identification of such information by the consumer; and 21 FCRA 605(h)(2)(A). 22 FCRA 605A(h)(1)(B). 23 FCRA 605A(h)(2)(B) Hudson Cook, LLP Page 6

7 (4) A statement by the consumer that the information is not information relating to any transaction by the consumer.24 A consumer reporting agency must promptly notify the furnisher of information identified by the consumer that the information may be the result of identity theft, that an identity theft report has been filed, that a block has been requested under FCRA Section 605B, and of the effective dates of the block.25 PREEMPTION AND STATE BLOCKING PROVISIONS Existing provisions in California Civil Code Section contain instructions on blocking and unblocking credit files upon submission of a police report or investigative report from the California Department of Motor Vehicles that the consumer 24 FCRA 605B(a). A federal, state, or local law enforcement agency may access blocked information in a consumer file for which the agency could otherwise obtain access. FCRA 605B(f). 25 FCRA 605B(b). 26 If a consumer submits to a credit reporting agency a copy of a valid police report, or a valid investigative report made by a Department of Motor Vehicles investigator with peace officer status, filed pursuant to Section of the Penal Code, the consumer credit reporting agency shall promptly and permanently block reporting any information that the consumer alleges appears on his or her credit report as a result of a violation of Section of the Penal Code so that the information cannot be reported. The consumer credit reporting agency shall promptly notify the furnisher of the information that the information has been so blocked. Furnishers of information and consumer credit reporting agencies shall ensure that information is unblocked only upon a preponderance of the evidence establishing the facts required under paragraph (1), (2), or (3). The permanently blocked information shall be unblocked only if: (1) the information was blocked due to a material misrepresentation of fact by the consumer or fraud, or (2) the consumer agrees that the blocked information, or portions of the blocked information, were blocked in error, or (3) the consumer knowingly obtained possession of goods, services, or moneys as a result of the blocked transaction or transactions or the consumer should have known that he or she obtained possession of goods, services, or moneys as a result of the blocked transaction or transactions. If blocked information is unblocked pursuant to this subdivision, the consumer shall be promptly notified in the same manner as consumers are notified of the reinsertion of information pursuant to subdivision (c). The prior presence of the blocked information in the consumer credit reporting agency's file on the consumer is not evidence of whether the consumer knew or should have known that he or she obtained possession of any goods, services, or moneys. For the purposes of this subdivision, fraud may be demonstrated by circumstantial evidence. In unblocking information pursuant to this subdivision, furnishers and consumer credit reporting agencies shall be subject to their respective requirements pursuant to this title regarding the completeness and accuracy of information. Cal. Civ. Code (k). In unblocking information as described in subdivision (k), a consumer reporting agency shall comply with all requirements of this section and 15 U.S.C. Sec. 1681i relating to reinvestigating disputed information. In addition, a consumer reporting agency shall accept the consumer's version of the disputed information and correct or delete the disputed item when the consumer submits to the consumer reporting agency documentation obtained from the source of the item in dispute or from public records confirming that the report was inaccurate or incomplete, unless the consumer reporting agency, in the exercise of good faith and reasonable judgment, has substantial reason based on specific, verifiable facts to doubt the authenticity of the documentation submitted and notifies the consumer in writing of that decision, explaining its reasons for unblocking the information and setting forth the specific, verifiable facts on which the decision was based. Cal. Civ. Code (l) Hudson Cook, LLP Page 7

8 has been the subject of identity theft. Section is specifically carved out of preemption under subsection (b)(3) of FCRA Section 625. Several states have recently adopted consumer blocking procedures. Because these state laws have not been specifically carved out from the preemptions under FCRA Section 625, these laws will no longer be effective when the federal regulations become effective for FCRA Section 605B later in See Other State Identity Theft Protection Laws, infra. DECLINING TO BLOCK; RESCINDING OR CANCELING A BLOCK Under the new blocking provisions of the FCRA, a consumer reporting agency may decline to block, or may rescind any block, of information relating to a consumer, if the consumer reporting agency reasonably determines that: The information was blocked in error or a block was requested by the consumer in error; the information was blocked, or a block was requested by the consumer, on the basis of a material misrepresentation of fact by the consumer relevant to the request to block; or the consumer obtained possession of goods, services, or money as a result of the blocked transaction or transactions.28 If a block of information is declined or rescinded, the affected consumer must be notified promptly, in the same manner that pertains to notice to consumers upon reinsertion of disputed information.29 RESELLERS AND CHECK VERIFICATION COMPANIES The requirements to block a consumer s credit file, or portion thereof, alleged to be the result of identity theft, does not apply to a consumer reporting agency, if the consumer reporting agency is a reseller, and at the time the consumer makes a request, is not furnishing or reselling a consumer report concerning the information identified by the consumer, and the consumer reporting agency informs the consumer that the he or she may report the identity theft to the FTC to obtain consumer information regarding identity theft.30 The sole obligation of a reseller that actually has a credit file on the consumer is to block the consumer report maintained by it from any subsequent use if the consumer identifies information in the file that resulted from identity theft. In carrying out its obligation to block the file, the reseller must promptly provide a notice to the consumer of the decision to block the file. The notice sent by the reseller must contain the name, address, and telephone number of each consumer reporting agency from which the consumer information was obtained for resale See 16 CFR 602.1(c); 69 Fed. Reg. 6526, 6531, Feb. 11, FCRA 605B(c)(1). 29 FCRA 605B(c)(2). The provisions for notice upon reinsertion of disputed information are at FCRA 611(a)(5)(B). 30 FCRA 605B(d)(1). 31 FCRA 605B(d)(2) Hudson Cook, LLP Page 8

9 With certain limited exceptions, the requirements to block a consumer s credit file, or portion thereof, alleged to be the result of identity theft, also do not apply to a check services company, acting as such, which issues authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments. In any case, beginning four business days after receipt of a request to block the information, a check services company must not report to a nationwide consumer reporting agency any information identified in the subject identity theft report as resulting from identity theft.32 DUTIES OF FURNISHERS OF INFORMATION AND NOTIFICATION OF IDENTITY THEFT A person that furnishes information to any consumer reporting agency must have in place reasonable procedures to respond to any notification that it receives from a consumer reporting agency under FCRA Section 605B relating to information resulting from identity theft, to prevent that person from refurnishing such blocked information.33 If a consumer submits an identity theft report to a person who furnishes information to a consumer reporting agency at the address specified by that person for receiving such reports, and states that information maintained by such person that purports to relate to the consumer resulted from identity theft, the person may not furnish such information to any consumer reporting agency, unless the person subsequently knows or is informed by the consumer that the information is correct.34 The provisions of California Civil Code Section concerning the requirement that a consumer credit reporting agency maintain procedures to prevent the reintroduction of information that has been deleted because of its origin in a transaction entered into as a result of an identity thief35 are not preempted by the federal FCRA, because such provisions are specifically carved out under subsection (b)(3) of FCRA Section FCRA 605B(e). 33 FCRA 623(a)(6)(A). 34 FCRA 623(a)(6)(B). 35 Cal. Civ. Code (i) Hudson Cook, LLP Page 9

10 SUMMARY OF RIGHTS OF VICTIMS Section 152 of the FACT Act has added new subsection (d), Summary of Rights of Identity Theft Victims, to Section 609 of the FCRA. The FTC, in consultation with the Federal banking agencies and the National Credit Union Administration, are required to prepare a model summary of rights of consumers with respect to the procedures for remedying the effects of fraud or identity theft involving credit, an electronic fund transfer, or an account or transaction at or with a financial institution or other creditor.36 If a consumer contacts a consumer reporting agency and expresses a belief that he or she is a victim of identity theft involving credit, an electronic fund transfer, or an account or transaction at a financial institution or other creditor, a consumer reporting agency must provide to a consumer, beginning 60 days after the date on which the model summary of rights is released in final form, a summary of rights that contains all of the information required by the regulations.37 COPIES OF BUSINESS RECORDS FROM FRAUDULENT TRANSACTIONS Section 152 of the FACT Act also added subsection (e), Information Available to Victims, to Section 609 of the FCRA. For the purpose of documenting fraudulent transactions resulting from identity theft, not later than 30 days after the date of receipt of a request from a victim in accordance with specified procedures, and subject to verification of the identity of the victim and the claim of identity theft, a business entity that has: provided credit to, provided for consideration products, goods, or services to, accepted payment from, or otherwise entered into a commercial transaction for consideration with, a person who has allegedly made unauthorized use of the victim s identity, must provide a copy of application and business transaction records in the control of the business entity, whether maintained by the business entity or by another person on behalf of the business entity, evidencing any transaction alleged to be a result of identity theft to the victim, any federal, state, or local government law enforcement agency or officer specified by the victim in such a request, or any law enforcement agency investigating the identity theft and authorized by the victim to take receipt of records provided under this subsection FCRA 609(d)(1). 37 FCRA 609(d)(2). 38 FCRA 609(e) Hudson Cook, LLP Page 10

11 PROHIBITION ON SALE OR TRANSFER OF DEBT One of the more onerous provisions dealing with the new identity theft provisions in FCRA is what happens to a transaction after it has been identified as the being initiated in connection with an identity theft of a consumer. A new provision has been added to the FCRA to prohibit the sale, transfer for consideration, or placement for collection of a debt when the holder thereof has been notified under the transaction has resulted from identity theft. However, the repurchase of a debt in any case in which the assignee of the debt requires such repurchase because the debt has resulted from identity theft is permitted, as is the securitization of a debt or the pledging of a portfolio of debt as collateral in connection with a borrowing or the transfer of debt as a result of a merger, acquisition, purchase and assumption transaction, or transfer of substantially all of the assets of an entity.39 California Civil Code restricting the sale of consumer debts identified to be the result of identity theft is preempted by the FCRA.41 RED-FLAG GUIDELINES The Federal banking agencies, the National Credit Union Administration, and the FTC must promulgate guidelines ( red-flag guidelines ) for use by certain banking agencies, the National Credit Union Administration and others subject to the jurisdiction of the FTC regarding identity theft with respect to those financial institutions account holders and customers.42 In so doing, the agencies must: (A) Prescribe regulations requiring each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or customers; and 39 FCRA 615(f). 40 Cal. Civ. Code (a) No creditor may sell a consumer debt to a debt collector, as defined in 15 U.S.C. Sec. 1692a, if the consumer is a victim of identity theft, as defined in Section , and with respect to that debt, the creditor has received notice pursuant to subdivision (k) of Section (b) Subdivision (a) does not apply to a creditor s sale of a debt to a subsidiary or affiliate of the creditor, if, with respect to that debt, the subsidiary or affiliate does not take any action to collect the debt. (c) For the purposes of this section, the requirement in 15 U.S.C. 1692a, that a person must use an instrumentality of interstate commerce or the mails in the collection of any debt to be considered a debt collector, does not apply. 41 FCRA 625(b)(5)(F). 42 FCRA 615(e)(1) Hudson Cook, LLP Page 11

12 (B) Prescribe regulations applicable to card issuers to ensure that, if a card issuer receives notification of a change of address for an existing account, and within a short period of time43 receives a request for an additional or replacement card for the same account, the card issuer may not issue the additional or replacement card, unless the card issuer, in accordance with reasonable policies and procedures (i) notifies the cardholder of the request at the former address of the cardholder and provides to the cardholder a means of promptly reporting incorrect address changes; (ii) notifies the cardholder of the request by such other means of communication as the cardholder and the card issuer previously agreed to; or (iii) uses other means of assessing the validity of the change of address, in accordance with reasonable policies and procedures established by the card issuer.44 In developing the guidelines required above, the agencies must consider including provisions that when a transaction occurs with respect to a credit or deposit account that has been inactive for more than two years, the creditor or financial institution must follow reasonable policies and procedures that provide for notice to be given to a consumer in a manner reasonably designed to reduce the likelihood of identity theft with respect to such an account.45 TRUNCATION OF DEBIT CARD AND CREDIT CARD NUMBERS In connection with retail transactions with consumers, commencing December 4, 2006, no person that accepts the electronic imprinting of credit cards or debit cards for the transaction of business will be permitted to print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.46 With respect to any cash register or other machine or device that electronically prints receipts for credit card or debit card transactions that is in use on or after January 1, 2005, the effective date of the new provision is December 4, California law47 in this regard will ultimately be preempted During at least the first 30 days after such notification is received. 44 FCRA 615(e)(1). At least a portion of Cal. Civ. Code will ultimately be preempted. FCRA 625(b)(5)(F). 45 Id. 46 FCRA 605(g). This new provision will not apply to the handwriting or imprinting of the card for the charge. 47 Cal. Civ. Code , Receipts: (a) Except as provided in this section, no person, firm, partnership, association, corporation, or limited liability company that accepts credit cards for the transaction of business shall print more than the last five digits of the credit card account number or the expiration date upon any receipt provided to the cardholder. (b) This section shall apply only to receipts that are electronically printed and shall not apply to transactions in which the sole means of recording the person s credit card number is by handwriting or by an imprint or copy of the credit card. (c) This section shall become operative on January 1, 2004, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is in use before January 1, (d) This section shall become operative on January 1, 2001, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is first put into use on or after January 1, Hudson Cook, LLP Page 12

13 DEBT COLLECTOR COMMUNICATIONS CONCERNING IDENTITY THEFT The FACT Act has added new subsection (g), Debt Collector Communications Concerning Identity Theft, to FCRA Section 615. If a person acting as a debt collector on behalf of a third party creditor or other user of a consumer report is notified that any information relating to a debt that the debt collector is attempting to collect may be fraudulent or may be the result of identity theft, the debt collector must notify the third party that the information may be fraudulent or may be the result of identity theft. Upon request of the consumer to whom the debt purportedly relates, the debt collector must provide to the consumer all information to which the consumer would otherwise be entitled if the consumer were not a victim of identity theft, but wished to dispute the debt under provisions of law applicable to that person.49 SELECTED CALIFORNIA IDENTITY THEFT PROTECTION LAWS PROVISIONS AIDING VICTIMS OF IDENTITY THEFT California s criminal law dealing with the unlawful use of personal identifying information 50 has been on the books for the past five years. That law makes it illegal for a person to willfully obtain personal identifying information of another without that person s consent and to use that information for any unlawful purpose.51 A key provision of the law gives the victim the right to obtain information without a subpoena from creditors and other service providers in order to attempt to identify the perpetrator. Effective January 1, 2004,52 the category of providers responsible for producing the records is expanded. If a person discovers that an application in his or her name for a loan, credit line or account, credit card, charge card, public utility service, mail receiving or forwarding service, office or desk space rental service, or commercial mobile radio service has been filed with any person or entity by an unauthorized person, or that an 48 Section 113 of the FACT Act added subsection (g) on credit card and debit card number truncation to FCRA Section 605. These provisions are scheduled to become effective three years after date of enactment for machines and devices in use before January 1, 2005, and one year after date of enactment for machines and devices place din use after January 1, Preemption is at FCRA 625(b)(5). 49 FCRA 615(g). 50 Personal identifying information was originally defined as the person s name, address, telephone number, driver s license number, social security number, place of employment, employee identification number, mother s maiden name, demand deposit account number, savings account number or credit card number. This definition was expensed in 2002 to include health insurance identification, taxpayer identification, school identification, checking account number, PIN or password, alien registration number, government passport number, date of birth, unique biometric data including fingerprint, facial scan identifiers, voice print, retina or iris image, or other unique physical representation, unique electronic data including identification number, address or routing code, telecommunication identifying information or access device, information from a birth or death certificate. Cal. Pen. Code 530.5(b). 51 Cal. Pen. Code Hudson Cook, LLP Page 13

14 account in his or her name has been opened with a bank, trust company, savings association, credit union, public utility, mail receiving or forwarding service, office or desk space rental service, or commercial mobile radio service provider by an unauthorized person, then, upon presenting to the person or entity with which the application was filed or the account was opened (1) a copy of the police report prepared pursuant to California Penal Code Section and (2) identifying information in the categories of information that the unauthorized person used to complete the application or to open the account, the person (or law enforcement officer specified by the person) is entitled to receive information related to the application or account. This includes the right of the victim to a obtain a copy of the application or application information and a record of transactions or charges associated with the application or account.53 The creditor or service provider may, before providing copies to a law enforcement officer, require that the victim to submit a signed and dated statement by which the victim (1) authorizes disclosure for a stated period, (2) specifies the name of the agency or department to which the disclosure is authorized, (3) identifies the types of records that the victim authorizes to be disclosed, (4) states that the victim s authorization may be revoked at any time.54 Two other bills passed in 2003 with reciprocal enactment provisions55 give rights to a victim to pursue an uncooperative creditor or service provider in connection with the records request. At the victim s request, the Attorney General, the district attorney, or the prosecuting city attorney may file a petition in court in the jurisdiction in which the victim resides to compel the attendance of the person or entity in possession of the records, and order the production of the requested records to the court. Further procedures apply.56 The definition of application as used in subdivision (a) of Penal Code Section is now defined as a new application for credit or service, the addition of authorized users to an existing account, the renewal of an existing account, or any other changes made to an existing account. 57 In addition to any other civil remedy the victim is entitled to, as a result of the creditor or service provider having failed to produce the records, the victim may bring a 52 Stats. 2003, ch. 90, A.B Expanded categories of service providers shown in italics. Cal. Pen. Code 530.8(a). 54 Cal. Pen. Code 530.8(c). 55 Both S.B. 602 and S.B. 684 contain operative provisions dependent upon the other being enacted first. Both were signed and chaptered on the same day S.B. 602 was chaptered as Chapter 533, and S.B. 684 was chaptered as Chapter 534, meaning that the amendments of S.B. 684 prevail. Since the language is identical in both bills, little, if anything, is lost in the interpretation. 56 Cal. Pen. Code 530.8(d)(1). 57 Cal. Pen. Code 530.8(e)(1) Hudson Cook, LLP Page 14

15 civil action against the creditor or service provider for damages, injunctive relief, or equitable relief, and a penalty of $100 per day for noncompliance, plus attorneys fees.58 Section of the Penal Code, and similar provisions in Section applicable to credit card issuers, Financial Code Section 4002 applicable to supervised financial organizations, and Financial Code Section applicable to California Finance Lender licensees, will ultimately be preempted by the record production provisions of the FCRA.59 APPLICANT OR PURCHASER VERIFICATION PROCEDURES In an effort to stem the flow of merchandise, including automobiles, into the hands of perpetrators using false identification, an ambitious verification procedure was adopted effective January 1, 2002, that required any person who uses a consumer credit report in connection with a credit transaction, and who discovered that the address on the consumer credit report did not match the address of the consumer requesting or being offered credit, to take specific steps to communicate to the person whose information was being unlawfully used.60 The law was amended in September to clarify the requirements for verification, and to add some additional responsibilities for creditors. Any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, and who discovers that the address on the credit application does not match, within a reasonable degree of certainty, the address or addresses listed on the consumer credit report, must take reasonable steps to verify the accuracy of the address provided on the application to confirm that the extension of credit is not the result of identity theft Cal. Pen. Code 530.8(d)(2). 59 FCRA 625(b)(3). 60 Cal. Civ. Code (a). 61 Stats. 2002, ch These provisions may only be partially preempted by amendments to the FCRA made by the FACT Act. See FCRA 625(b)(3). The FACT Act Section 315 added a similar provision to the FACT 605(h): Notice of Discrepancy in Address. -- In General. If a person has requested a consumer report relating to a consumer from a consumer reporting agency described in section 603(p), the request includes an address for the consumer that substantially differs from the addresses in the file of the consumer, and the agency provides a consumer report in response to the request, the consumer reporting agency shall notify the requester of the existence of the discrepancy. (2) Regulations. (A) Regulations Required. The Federal banking agencies, the National Credit Union Administration, and the Commission shall jointly, with respect to the entities that are subject to their respective enforcement authority under section 621, prescribe regulations providing guidance regarding reasonable policies and procedures that a user of a consumer report should employ when such user has received a notice of discrepancy under paragraph (1). (B) Policies and Procedures to be Included. The regulations prescribed under subparagraph (A) shall describe reasonable policies and procedures for use by a user of a consumer report (i) to form a reasonable believe that the user knows the identity of the person to whom the consumer report pertains; and (ii) if the user establishes a continuing relationship with the consumer, and the user regularly and in the ordinary course of 2004 Hudson Cook, LLP Page 15

16 Effective January 1, 2004,63 in addition to checking the address to match that shown on the consumer credit report, the creditor must also check the consumer s first and last name and social security number In a separate, but related, provision of the Credit Reporting Agencies Act, effective July 1, 2004, any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, or with the purchase, lease or rental of goods or non-credit-related services and who receives notification of a security alert pursuant to the security alert 64 provisions, may not lend money, extend credit, or complete the purchase, lease, or rental of goods or non-creditrelated services without taking reasonable steps to verify the consumer s identity, in order to ensure that the application for an extension of credit or for the purchase, lease or rental of goods or noncredit related services is not the result of identity theft.65 If the consumer has placed a statement with the security alert in his or her credit file requesting that identity be verified by calling a specified telephone number, any person who receives that statement with the security alert in a consumer s credit file must take reasonable steps to verify the identity of the consumer by contacting the consumer using the specified telephone number prior to lending money, extending credit, or completing the purchase of the goods or services.66 The written disclosure provided by consumer credit reporting agencies to consumers in connection with their rights has been amended to take these new steps into account. The new language in the written disclosure is: Recipients of your credit report are required to take reasonable steps, including contacting you at the telephone number you may provide with your security alert, to verify your identity prior to lending money, extending credit, or completing the purchase, lease, or rental of goods or services. The security alert may prevent credit, loans, and services from being approved in your name without your consent. 67 business furnishes information to the consumer reporting agency from which the notice of discrepancy pertaining to the consumer was obtained, to reconcile the address of the consumer with the consumer reporting agency by furnishing such address to such consumer reporting agency as part of information regularly furnished by the user for the period in which the relationship is established. Proposed effective date December 1, Stats. 2003, ch See discussion on page 19, infra. 65 Cal. Civ. Code (g) as amended by Stats. 2003, ch. 907, S.B Id. 67 Cal. Civ. Code (f) as amended by Stats. 2003, ch. 907, S.B Hudson Cook, LLP Page 16

17 CREDIT CARD ISSUERS, TELEPHONE CORPORATIONS, AND CHANGE OF ADDRESS REQUESTS A credit card change of address notice process for California consumers has been in effect since July 1, A credit card issuer that mails an offer or solicitation to a consumer for a credit card and, in response, receives a completed application for that credit card that lists an address that is different from the address on the offer or solicitation, must verify the change of address by contacting the person to whom the solicitation or offer was mailed.68 If the issuer fails to verify the consumer, and an unauthorized use of the card results, the person to whom the offer or solicitation was sent will not be liable.69 This section also requires a card issuer who receives a written or oral request for a change of the cardholder s billing address, and then receives a written or oral request for an additional credit card within 10 days after the requested address change, to verify the change of address.70 As of January 1, 2004, a new section is added to Title 1.82, Business Records, of Part 4 of Division 3 of the Civil Code.71 It also requires any credit card issuer that receives a change of address request, other than for a correction of a typographical error, from a cardholder who orders a replacement credit card within 60 days before or after that request is received, to send to that cardholder a change of address notification addressed to the cardholder at the cardholder s previous address of record. If the replacement credit card is requested prior to the effective date of the change of address, the notification must be sent within 30 days of the change of address request. If the replacement credit card is requested after the effective date of the change of address, the notification must be sent within 30 days of the request for the replacement credit card.72 These new verification procedures in Title 1.82 (above) also contain a peculiar provision applicable to businesses (telephone corporations73 such as SBC or Verizon) that provide telephone accounts. If such a business receives a change of address request, other than for a correction of a typographical error, from an accountholder who orders new service, it must, within 30 days of a request for new service, send to the accountholder a change of address notification that is addressed to the previous address of record Cal. Civ. Code (a). 69 Cal. Civ. Code (b). 70 Cal. Civ. Code (c). 71 Stats. 2003, ch. 533, S.B Cal. Civ. Code b(a). 73 A telephone corporation is any person owning, controlling, operating, or managing any telephone line for compensation in the state. Cal. Pub. Ut. Code Cal. Civ. Code b(b) Hudson Cook, LLP Page 17

18 The notification under either of the above provisions may be given by telephone or if the card issuer or business entity reasonably believes that it has the current telephone number and address for the cardholder or accountholder who has requested a change of address. If the notification is in writing, it may not contain the cardholder s or accountholder s account number, social security number, or other personal identifying information.75 The card issuer or business entity is not required to give the change of address notification when a change of address is made in person by one who presents valid identification, or made by telephone and the requester has provided a unique alphanumeric password.76 MORE ON SECURITY ALERTS AND SECURITY FREEZES The California Civil Code provision concerning the ability of a person to place a security alert on his or her credit file with a credit reporting agency77 has been amended to provide for some hefty statutory penalties for a violation.78 A California consumer may place a security alert on his or her credit file by making a request in writing or by calling a toll-free, 24/7 telephone number. A security alert notifies a recipient of the credit report that the consumer may be the victim of identity theft. The alert may remain in place for at least 90 days, but the consumer has a right to request a renewal of the alert Cal. Civ. Code b(c). 76 Cal. Civ. Code b(d). 77 Cal. Civ. Code added by Stats. 2003, ch. 720, effective January 1, 2002, operative July 1, Stats. 2003, ch. 907, S.B. 25. Stats. 2003, ch. 533, S.B. 602 makes similar changes, but contains a reciprocal operative factor dependent upon enactment after S.B. 25, which did not occur. Nevertheless, the statutory penalty added by S.B. 602 in amended Civ. Code (h) does become effective January 1, 2004, and is repealed upon the operative date of the amendments contained in S.B. 25, July 1, Cal. Civ. Code (a), (c) Hudson Cook, LLP Page 18

19 Effective January 1, 2004, the consumer credit reporting agency must notify the consumer who has requested a security alert of the expiration date of the alert. Any consumer credit reporting agency that recklessly, willfully, or intentionally fails to place a security alert will be liable for a penalty of up to $2,500 and in addition, reasonable attorneys fees.80 In any case, it appears that ultimately, California s provisions for security alerts will be preempted by the FACT Act amendments to the FCRA.81 Also effective January 1, 2004, a consumer credit reporting agency may charge a small fee (vs. reasonable fee ) not to exceed $10 for placing a security freeze for a consumer, or removal of the freeze, or temporary lift of the freeze for a specific period of time, and a fee not to exceed $12 for a temporary lift of a freeze for a specific party.82 CONFIDENTIALITY OF DRIVER S LICENSE INFORMATION A new Title is added to Part 4, Division 3 of the Civil Code concerning the confidentiality of driver s license information.83 A business (commercial enterprise) may swipe a driver s license or DMV-issued identification card in an electronic device for specified purposes, but may not retain or use that information except as otherwise provided. A violation of this title constitutes a misdemeanor punishable by imprisonment in a county jail for up to a year, or by a fine of not more than $10,000, or by both. Purposes for which a business may swipe a driver s license or DMV-issued identification card are: (1) to verify age or the authenticity of the driver s license or identification card; (2) to comply with a legal requirement to record, retain or transmit that information; (3) to transmit information to a check service company for the purpose of approving negotiable instruments, electronic funds transfers, or similar methods of payment, provided that only the name and ID number from the card may be used or retained by the check service company; or (4) to collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse or material misrepresentation.84 CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS A person or entity must not (1) publicly post or display in any manner an individual s social security number, (2) print the individual s social security number on any card required for the individual to access products or services, (3) require an individual to transmit the social security number over the Internet, unless the connection 80 Cal. Civ. Code (g) and (h). 81 See FCRA 625(b)(5)(B). 82 Cal. Civ. Code amended by Stats. 2003, ch. 533, S.B Stats. 2003, ch. 533, S.B. 602, effective January 1, Cal. Civ. Code Hudson Cook, LLP Page 19

20 is secure or the social security number is encrypted, (4) require an individual to use a social security number to access an Internet Website unless a password or unique personal ID number or other authentication is also required, or (5) print an individual s social security number on any materials mailed to the individual, unless state or federal law requires it.85 Notwithstanding this prohibition, a financial institution may, prior to July 1, 2004, print the individual s social security number on any account statement or similar document mailed to that individual if the social security number is provided in connection with a transaction governed by the National Automated Clearing House Association Rules, or a transaction initiated by a federal governmental entity through an automated clearing house network.86 A person or entity that has used, prior to July 1, 2002, an individual s social security number in a manner inconsistent with the foregoing may continue using it in that manner after July 1, 2002 provided certain procedures are followed: The use of the social security number is continuous. If the use is stopped for any reason, this exception will not apply. The individual is provided an annual disclosure that informs him or her of the right to stop the use of the social security number in a manner prohibited by the rules above. A written request by an individual to stop the use of his or her social security number in a manner prohibited by the rules above is implemented within 30 days of receipt of the request, without charge. The person or entity does not deny services to the individual because of his or her request.87 Based on an amendment adopted in 2003, if a state or local agency has used, prior to January 1, 2004, an individual s social security number in a manner inconsistent with the rules above, it may continue doing so in that manner on or after January 1, 2004, provided the procedures outlined above are followed. Operative dates are also extended for a variety of other institutions Cal. Civ. Code (a). 86 Cal. Civ. Code , as amended by Stats. 2003, ch. 907, S.B Cal. Civ. Code (c). 88 Stats. 2003, ch. 907, S.B. 25. Those institutions are: (1) the University of California, January 1, 2004, for the first three provisions, and January 1, 2005, for the last two; (2) the Franchise Tax Board, January 1, 2007; (3) the California community college districts, January 1, 2007; (4) the California State University System, July 1, 2005; (5) the California Student Aid Commission and its auxiliary organization, January 1, 2004, for the first three provisions, and January 1, 2005, for the last two Hudson Cook, LLP Page 20