July Short term and extended term fraud alerts, Short term and extended term active duty alerts,

Transcription

1 FEDERAL AND STATE IDENTITY THEFT PROTECTION LAWS Elizabeth A. Huber, Esq. Hudson Cook, LLP 2361 Rosecrans Ave., Suite 355 El Segundo, CA Telephone Fax July 2004 NEW FEDERAL IDENTITY THEFT PROTECTION LAWS The Fair and Accurate Credit Transactions Act of 2003 ( FACT Act )1 brought to the national scene identity theft protection laws for all consumers. The FACT Act includes not only an indefinite extension of certain preemptions of state law that were due to sunset as of December 31, 2003, but also significant amendments to the Fair Credit Reporting Act ( FCRA )2 adding a wide array of consumer protections, many focused on identity theft protection. The notable amendments to the FCRA include: Short term and extended term fraud alerts, Short term and extended term active duty alerts, Blocking information in a consumer s credit file resulting from identity theft, Providing a Summary of Rights of Identity Theft Victims, Releasing copies of business transaction records that are the result of identity theft, and Maintaining procedures by furnishers of credit information to prevent the reintroduction of inaccurate information in a consumer s credit file. Both before and subsequent to the passage of the FACT Act, state legislatures have been busy passing state identity theft protection laws. The focus of this paper is on those federal and state civil laws aimed at protecting consumers from, and providing aid subsequent to, an identity theft.3 1 Pub. L , 117 Stat. 1952, December 4, U.S.C et seq. 3 Under the FCRA as amended by the FACT Act, the term identity theft means a fraud committed using the identifying information of another person, subject to such further definition as the Federal Trade 2004 Hudson Cook, LLP Page 1

2 ONE-CALL FRAUD ALERTS Consumers may now place a 90-day fraud alert 4 with nationwide credit reporting agencies. Section 112 of the FACT Act added new Section 605A to the FCRA. Upon the direct request of a consumer, or an individual acting on behalf of or as a personal representative of a consumer, who asserts in good faith a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft,5 a consumer reporting agency ( CRA )6 that maintains a file on the consumer and has received appropriate proof of the identity of the requester must (A) Include a fraud alert in the file of that consumer, and also provide that alert along with any credit score generated in using that file, for a period of not less than 90 days, beginning on the date of such request, unless the consumer or such representative requests that such fraud alert be removed before the end of such period, and the consumer reporting agency has received appropriate proof of the identity of the requester for such purpose; and (B) Refer the information regarding the fraud alert to each of the other nationwide consumer reporting agencies, in accordance with procedures developed under section 621(f).7 In any case in which a consumer reporting agency includes a fraud alert in the file of a consumer pursuant to the foregoing procedures, the consumer reporting agency must also disclose to the consumer that he or she may request a free copy of his or her credit file, and provide to the consumer all disclosures required to be made under FCRA Section 609, without charge to the consumer, not later than three business days after any Commission ( FTC ) may prescribe, by regulation. 15 U.S.C. 1681a(q)(3), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, A fraud alert means a statement in the consumer s credit file with a credit reporting agency that notifies all prospective users of a consumer report that the consumer may be a victim of fraud, including identity theft, and is presented in a manner that facilitates a clear and conspicuous view of the statement by any person requesting such a report. 15 U.S.C. 1681a(q)(2) as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, Identity Theft means a fraud committed using the identifying information of another person, subject to such further definition as the FTC may prescribe, by regulation. FCRA 603(q)(3) as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, The term consumer reporting agency that compiles and maintains files on a nationwide basis means a CRA that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer s creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide: (1) Public record information; (2) Credit account information from persons who furnish that information regularly and in the ordinary course of business. FCRA 603(p), 15 U.S.C. 1681a(p). 7 FCRA 605A(a)(1) Hudson Cook, LLP Page 2

3 request.8 The consumer would seem to have some responsibility to review the credit report ordered to ensure that no information appears in the credit file that does not belong to the consumer. EXTENDED FRAUD ALERTS Consumers may only place an extended fraud alert on their credit file with a nationwide consumer reporting agency if they have filed an identity theft report. 9 Upon the direct request of a consumer, or an individual acting on behalf of or as a personal representative of a consumer, who submits an identity theft report to a consumer reporting agency, if the agency has received appropriate proof of the identity of the requester, the agency must (A) Include a fraud alert in the file of that consumer, and also provide that alert along with any credit score generated in using that file, during the seven-year period beginning on the date of such request, unless the consumer or such representative requests that such fraud alert be removed before the end of such period and the agency has received appropriate proof of the identity of the requester for such purpose; (B) During the five-year period beginning on the date of such request, exclude the consumer from any list of consumers prepared by the consumer reporting agency and provided to any third party to [make a firm] offer credit or insurance to the consumer as part of a transaction that was not initiated by the consumer, unless the consumer or such representative requests that such exclusion be rescinded before the end of such period; and (C) Refer the information regarding the extended fraud alert to each of the other nationwide consumer reporting agencies.10 8 FCRA 605A(a)(2). Section 211 of the FACT Act adds a new subsection (d), Free Disclosures in Connection with Fraud Alerts, to Section 612 of the FCRA. Upon the request of a consumer, a nationwide consumer reporting agency must make all disclosures pursuant to FCRA Section 609, without charge to the consumer. 9 Identity Theft Report has the meaning given that term by rule of the Commission, and means, at a minimum, a report (A) that alleges an identity theft; (B) that is a copy of an official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency, including the United States Postal Inspection Service, or such other government agency deemed appropriate by the Commission; and (C) the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information if, in fact, the information in the report is false. FCRA 603(q)(4), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(b)(1) Hudson Cook, LLP Page 3

4 As is the case with the one-call, 90-day fraud alert, a consumer has a right to obtain a free credit report. In any case in which a consumer reporting agency includes a fraud alert in the file of a consumer, the consumer reporting agency must disclose to the consumer that the consumer may request two free copies of his or her credit file during the 12-month period beginning on the date on which the extended fraud alert was included in the files; and provide to the consumer all disclosures required to be made under FCRA Section 609, without charge to the consumer, not later than three business days after any request.11 ACTIVE DUTY ALERTS The process for active duty alerts 12 works similarly to that for one-call and extended fraud alerts, discussed above. Upon the direct request of an active duty military consumer or an individual acting on behalf of or as a personal representative of an active duty military consumer, a nationwide consumer reporting agency that maintains a file on the active duty military consumer and has received appropriate proof of the identity of the requester must: (A) Include an active duty alert in the file of that active duty military consumer, and also provide that alert along with any credit score generated in using that file, during a period of not less than 12 months, or such longer period as the Commissioner shall determine, by regulation, beginning on the date of the request, unless the active duty military consumer or such representative requests that such fraud alert be removed before the end of such period, and the agency has receive appropriate proof of the identity of the requester for such purpose; (B) During the two-year period beginning on the date of request for an active duty alert, exclude the active duty military consumer from any list of consumers prepared by the consumer reporting agency and provided to any third party to [make a firm] offer of credit or insurance to the consumer as part of a transaction that was not initiated by the consumer, unless the consumer requests that such exclusion be rescinded before the end of such period; and (C) Refer the information regarding the active duty alert to each of the other nationwide consumer reporting agencies FCRA 605A(b)(2). 12 Active Duty Alert means a statement in the file of a consumer that (A) notifies all prospective users of a consumer report relating to the consumer that the consumer is an active duty military consumer; and (B) is presented in a manner that facilitates a clear and conspicuous view of the statement described in (A) by any person requesting such consumer report. FCRA 603(q)(2), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(c) Hudson Cook, LLP Page 4

5 PROCEDURES, NOTIFICATION, DISCLOSURES AND VERIFICATION Each nationwide consumer reporting agency14 must establish policies and procedures (1) to comply with the foregoing one-call and extended fraud alerts and active duty alerts, and (2) that allow consumers and active duty military consumers to request initial, extended, or active duty alerts in a simple and easy manner, including by telephone.15 What about consumer credit reporting agencies other than nationwide consumer reporting agencies? If a consumer contacts any consumer reporting agency that is not a nationwide consumer reporting agency to communicate a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft, the agency must provide information to the consumer on how to contact the FTC and the nationwide consumer reporting agencies to obtain more detailed information and request alerts under this section.16 Resellers17 of credit file information also have responsibilities under this new section. A reseller must include in its consumer credit report any fraud alert or active duty alert placed in the consumer s file by another consumer reporting agency.18 Each fraud alert and active duty alert reported in or with a credit report by a consumer reporting agency must include information that notifies all prospective users that the consumer does not authorize the establishment of any new credit plan19 or extension of credit, other than under an existing open-end credit plan, in the name of the consumer, or issuance of an additional card on an existing credit account requested by a consumer, or any increase in credit limit on an existing credit account requested by a consumer, except in accordance with certain verification procedures.20 In connection with extended fraud alerts and active duty alerts, the consumer reporting agency must 14 See footnote FCRA 605A(d). 16 FCRA 605A(g). 17 Reseller means a consumer reporting agency that (1) assembles and merges information contained in the database of another consumer reporting agency or multiple consumer reporting agencies concerning any consumer for purposes of furnishing such information to any third party, to the extent of such activities; and (2) does not maintain a database of the assembled or merged information from which new consumer reports are produced. FCRA 603(u), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(f). 19 New credit plan means a new account under an open-end credit plan (as defined in section 103(i) of the Truth in Lending Act) or a new credit transaction not under an open-end credit plan. FCRA 603(q)(5), as added by Pub. L , 117 Stat. 1952, December 4, 2003, effective March 31, FCRA 605A(h)(1)(A), (2)(A) Hudson Cook, LLP Page 5

6 also include in the consumer report to a user a telephone number or other reasonable contact method designated by the consumer.21 No prospective user of a consumer report that includes an initial fraud alert or an active duty alert may establish a new credit plan or extension of credit, other than under an exiting open-end credit plan, in the name of the consumer, or issue an additional card on an existing credit account requested by a consumer, or grant any increase in credit limit on an existing credit account requested by a consumer, unless the user utilizes reasonable policies and procedures to form a reasonable belief that the user knows the identity of the person making the request. If a consumer requesting the alert has specified a telephone number to be used for identity verification purposes, before authorizing any new credit plan or extension, a user of such consumer report must contact the consumer using that telephone number, or take reasonable steps to verify the consumer s identity and confirm that the application for a new credit plan is not the result of identity theft.22 No prospective user of a consumer report or of a credit score generated using the information in the file of a consumer that includes an extended fraud alert may establish a new credit plan or extension of credit, other than under an existing open-end credit plan, or issue an additional card on an existing credit account requested by a consumer, or any increase in credit limit on an existing credit account requested by a consumer, unless the user contacts the consumer in person or using the contact method provided by the consumer to confirm that the application for a new credit plan or increase in credit limit, or request for an additional card is not the result of identity theft.23 BLOCKING INFORMATION IN A CONSUMER CREDIT REPORT Section 152 of the FACT Act added to the FCRA the ability of the consumer to block information in a credit file that resulted from identity theft, thereby helping consumers recover their good credit standing. A consumer reporting agency must block the reporting of any information in the file of a consumer that the consumer identifies as information that resulted from an alleged identity theft, not later than four business days after the date of receipt of such consumer reporting agency of -- (1) Appropriate proof of the identity of the consumer; (2) A copy of an identity theft report; (3) The identification of such information by the consumer; and 21 FCRA 605(h)(2)(A). 22 FCRA 605A(h)(1)(B). 23 FCRA 605A(h)(2)(B) Hudson Cook, LLP Page 6

7 (4) A statement by the consumer that the information is not information relating to any transaction by the consumer.24 A consumer reporting agency must promptly notify the furnisher of information identified by the consumer that the information may be the result of identity theft, that an identity theft report has been filed, that a block has been requested under FCRA Section 605B, and of the effective dates of the block.25 PREEMPTION AND STATE BLOCKING PROVISIONS Existing provisions in California Civil Code Section contain instructions on blocking and unblocking credit files upon submission of a police report or investigative report from the California Department of Motor Vehicles that the consumer 24 FCRA 605B(a). A federal, state, or local law enforcement agency may access blocked information in a consumer file for which the agency could otherwise obtain access. FCRA 605B(f). 25 FCRA 605B(b). 26 If a consumer submits to a credit reporting agency a copy of a valid police report, or a valid investigative report made by a Department of Motor Vehicles investigator with peace officer status, filed pursuant to Section of the Penal Code, the consumer credit reporting agency shall promptly and permanently block reporting any information that the consumer alleges appears on his or her credit report as a result of a violation of Section of the Penal Code so that the information cannot be reported. The consumer credit reporting agency shall promptly notify the furnisher of the information that the information has been so blocked. Furnishers of information and consumer credit reporting agencies shall ensure that information is unblocked only upon a preponderance of the evidence establishing the facts required under paragraph (1), (2), or (3). The permanently blocked information shall be unblocked only if: (1) the information was blocked due to a material misrepresentation of fact by the consumer or fraud, or (2) the consumer agrees that the blocked information, or portions of the blocked information, were blocked in error, or (3) the consumer knowingly obtained possession of goods, services, or moneys as a result of the blocked transaction or transactions or the consumer should have known that he or she obtained possession of goods, services, or moneys as a result of the blocked transaction or transactions. If blocked information is unblocked pursuant to this subdivision, the consumer shall be promptly notified in the same manner as consumers are notified of the reinsertion of information pursuant to subdivision (c). The prior presence of the blocked information in the consumer credit reporting agency's file on the consumer is not evidence of whether the consumer knew or should have known that he or she obtained possession of any goods, services, or moneys. For the purposes of this subdivision, fraud may be demonstrated by circumstantial evidence. In unblocking information pursuant to this subdivision, furnishers and consumer credit reporting agencies shall be subject to their respective requirements pursuant to this title regarding the completeness and accuracy of information. Cal. Civ. Code (k). In unblocking information as described in subdivision (k), a consumer reporting agency shall comply with all requirements of this section and 15 U.S.C. Sec. 1681i relating to reinvestigating disputed information. In addition, a consumer reporting agency shall accept the consumer's version of the disputed information and correct or delete the disputed item when the consumer submits to the consumer reporting agency documentation obtained from the source of the item in dispute or from public records confirming that the report was inaccurate or incomplete, unless the consumer reporting agency, in the exercise of good faith and reasonable judgment, has substantial reason based on specific, verifiable facts to doubt the authenticity of the documentation submitted and notifies the consumer in writing of that decision, explaining its reasons for unblocking the information and setting forth the specific, verifiable facts on which the decision was based. Cal. Civ. Code (l) Hudson Cook, LLP Page 7

8 has been the subject of identity theft. Section is specifically carved out of preemption under subsection (b)(3) of FCRA Section 625. Several states have recently adopted consumer blocking procedures. Because these state laws have not been specifically carved out from the preemptions under FCRA Section 625, these laws will no longer be effective when the federal regulations become effective for FCRA Section 605B later in See Other State Identity Theft Protection Laws, infra. DECLINING TO BLOCK; RESCINDING OR CANCELING A BLOCK Under the new blocking provisions of the FCRA, a consumer reporting agency may decline to block, or may rescind any block, of information relating to a consumer, if the consumer reporting agency reasonably determines that: The information was blocked in error or a block was requested by the consumer in error; the information was blocked, or a block was requested by the consumer, on the basis of a material misrepresentation of fact by the consumer relevant to the request to block; or the consumer obtained possession of goods, services, or money as a result of the blocked transaction or transactions.28 If a block of information is declined or rescinded, the affected consumer must be notified promptly, in the same manner that pertains to notice to consumers upon reinsertion of disputed information.29 RESELLERS AND CHECK VERIFICATION COMPANIES The requirements to block a consumer s credit file, or portion thereof, alleged to be the result of identity theft, does not apply to a consumer reporting agency, if the consumer reporting agency is a reseller, and at the time the consumer makes a request, is not furnishing or reselling a consumer report concerning the information identified by the consumer, and the consumer reporting agency informs the consumer that the he or she may report the identity theft to the FTC to obtain consumer information regarding identity theft.30 The sole obligation of a reseller that actually has a credit file on the consumer is to block the consumer report maintained by it from any subsequent use if the consumer identifies information in the file that resulted from identity theft. In carrying out its obligation to block the file, the reseller must promptly provide a notice to the consumer of the decision to block the file. The notice sent by the reseller must contain the name, address, and telephone number of each consumer reporting agency from which the consumer information was obtained for resale See 16 CFR 602.1(c); 69 Fed. Reg. 6526, 6531, Feb. 11, FCRA 605B(c)(1). 29 FCRA 605B(c)(2). The provisions for notice upon reinsertion of disputed information are at FCRA 611(a)(5)(B). 30 FCRA 605B(d)(1). 31 FCRA 605B(d)(2) Hudson Cook, LLP Page 8

9 With certain limited exceptions, the requirements to block a consumer s credit file, or portion thereof, alleged to be the result of identity theft, also do not apply to a check services company, acting as such, which issues authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments. In any case, beginning four business days after receipt of a request to block the information, a check services company must not report to a nationwide consumer reporting agency any information identified in the subject identity theft report as resulting from identity theft.32 DUTIES OF FURNISHERS OF INFORMATION AND NOTIFICATION OF IDENTITY THEFT A person that furnishes information to any consumer reporting agency must have in place reasonable procedures to respond to any notification that it receives from a consumer reporting agency under FCRA Section 605B relating to information resulting from identity theft, to prevent that person from refurnishing such blocked information.33 If a consumer submits an identity theft report to a person who furnishes information to a consumer reporting agency at the address specified by that person for receiving such reports, and states that information maintained by such person that purports to relate to the consumer resulted from identity theft, the person may not furnish such information to any consumer reporting agency, unless the person subsequently knows or is informed by the consumer that the information is correct.34 The provisions of California Civil Code Section concerning the requirement that a consumer credit reporting agency maintain procedures to prevent the reintroduction of information that has been deleted because of its origin in a transaction entered into as a result of an identity thief35 are not preempted by the federal FCRA, because such provisions are specifically carved out under subsection (b)(3) of FCRA Section FCRA 605B(e). 33 FCRA 623(a)(6)(A). 34 FCRA 623(a)(6)(B). 35 Cal. Civ. Code (i) Hudson Cook, LLP Page 9

10 SUMMARY OF RIGHTS OF VICTIMS Section 152 of the FACT Act has added new subsection (d), Summary of Rights of Identity Theft Victims, to Section 609 of the FCRA. The FTC, in consultation with the Federal banking agencies and the National Credit Union Administration, are required to prepare a model summary of rights of consumers with respect to the procedures for remedying the effects of fraud or identity theft involving credit, an electronic fund transfer, or an account or transaction at or with a financial institution or other creditor.36 If a consumer contacts a consumer reporting agency and expresses a belief that he or she is a victim of identity theft involving credit, an electronic fund transfer, or an account or transaction at a financial institution or other creditor, a consumer reporting agency must provide to a consumer, beginning 60 days after the date on which the model summary of rights is released in final form, a summary of rights that contains all of the information required by the regulations.37 COPIES OF BUSINESS RECORDS FROM FRAUDULENT TRANSACTIONS Section 152 of the FACT Act also added subsection (e), Information Available to Victims, to Section 609 of the FCRA. For the purpose of documenting fraudulent transactions resulting from identity theft, not later than 30 days after the date of receipt of a request from a victim in accordance with specified procedures, and subject to verification of the identity of the victim and the claim of identity theft, a business entity that has: provided credit to, provided for consideration products, goods, or services to, accepted payment from, or otherwise entered into a commercial transaction for consideration with, a person who has allegedly made unauthorized use of the victim s identity, must provide a copy of application and business transaction records in the control of the business entity, whether maintained by the business entity or by another person on behalf of the business entity, evidencing any transaction alleged to be a result of identity theft to the victim, any federal, state, or local government law enforcement agency or officer specified by the victim in such a request, or any law enforcement agency investigating the identity theft and authorized by the victim to take receipt of records provided under this subsection FCRA 609(d)(1). 37 FCRA 609(d)(2). 38 FCRA 609(e) Hudson Cook, LLP Page 10

11 PROHIBITION ON SALE OR TRANSFER OF DEBT One of the more onerous provisions dealing with the new identity theft provisions in FCRA is what happens to a transaction after it has been identified as the being initiated in connection with an identity theft of a consumer. A new provision has been added to the FCRA to prohibit the sale, transfer for consideration, or placement for collection of a debt when the holder thereof has been notified under the transaction has resulted from identity theft. However, the repurchase of a debt in any case in which the assignee of the debt requires such repurchase because the debt has resulted from identity theft is permitted, as is the securitization of a debt or the pledging of a portfolio of debt as collateral in connection with a borrowing or the transfer of debt as a result of a merger, acquisition, purchase and assumption transaction, or transfer of substantially all of the assets of an entity.39 California Civil Code restricting the sale of consumer debts identified to be the result of identity theft is preempted by the FCRA.41 RED-FLAG GUIDELINES The Federal banking agencies, the National Credit Union Administration, and the FTC must promulgate guidelines ( red-flag guidelines ) for use by certain banking agencies, the National Credit Union Administration and others subject to the jurisdiction of the FTC regarding identity theft with respect to those financial institutions account holders and customers.42 In so doing, the agencies must: (A) Prescribe regulations requiring each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or customers; and 39 FCRA 615(f). 40 Cal. Civ. Code (a) No creditor may sell a consumer debt to a debt collector, as defined in 15 U.S.C. Sec. 1692a, if the consumer is a victim of identity theft, as defined in Section , and with respect to that debt, the creditor has received notice pursuant to subdivision (k) of Section (b) Subdivision (a) does not apply to a creditor s sale of a debt to a subsidiary or affiliate of the creditor, if, with respect to that debt, the subsidiary or affiliate does not take any action to collect the debt. (c) For the purposes of this section, the requirement in 15 U.S.C. 1692a, that a person must use an instrumentality of interstate commerce or the mails in the collection of any debt to be considered a debt collector, does not apply. 41 FCRA 625(b)(5)(F). 42 FCRA 615(e)(1) Hudson Cook, LLP Page 11

12 (B) Prescribe regulations applicable to card issuers to ensure that, if a card issuer receives notification of a change of address for an existing account, and within a short period of time43 receives a request for an additional or replacement card for the same account, the card issuer may not issue the additional or replacement card, unless the card issuer, in accordance with reasonable policies and procedures (i) notifies the cardholder of the request at the former address of the cardholder and provides to the cardholder a means of promptly reporting incorrect address changes; (ii) notifies the cardholder of the request by such other means of communication as the cardholder and the card issuer previously agreed to; or (iii) uses other means of assessing the validity of the change of address, in accordance with reasonable policies and procedures established by the card issuer.44 In developing the guidelines required above, the agencies must consider including provisions that when a transaction occurs with respect to a credit or deposit account that has been inactive for more than two years, the creditor or financial institution must follow reasonable policies and procedures that provide for notice to be given to a consumer in a manner reasonably designed to reduce the likelihood of identity theft with respect to such an account.45 TRUNCATION OF DEBIT CARD AND CREDIT CARD NUMBERS In connection with retail transactions with consumers, commencing December 4, 2006, no person that accepts the electronic imprinting of credit cards or debit cards for the transaction of business will be permitted to print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.46 With respect to any cash register or other machine or device that electronically prints receipts for credit card or debit card transactions that is in use on or after January 1, 2005, the effective date of the new provision is December 4, California law47 in this regard will ultimately be preempted During at least the first 30 days after such notification is received. 44 FCRA 615(e)(1). At least a portion of Cal. Civ. Code will ultimately be preempted. FCRA 625(b)(5)(F). 45 Id. 46 FCRA 605(g). This new provision will not apply to the handwriting or imprinting of the card for the charge. 47 Cal. Civ. Code , Receipts: (a) Except as provided in this section, no person, firm, partnership, association, corporation, or limited liability company that accepts credit cards for the transaction of business shall print more than the last five digits of the credit card account number or the expiration date upon any receipt provided to the cardholder. (b) This section shall apply only to receipts that are electronically printed and shall not apply to transactions in which the sole means of recording the person s credit card number is by handwriting or by an imprint or copy of the credit card. (c) This section shall become operative on January 1, 2004, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is in use before January 1, (d) This section shall become operative on January 1, 2001, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is first put into use on or after January 1, Hudson Cook, LLP Page 12

13 DEBT COLLECTOR COMMUNICATIONS CONCERNING IDENTITY THEFT The FACT Act has added new subsection (g), Debt Collector Communications Concerning Identity Theft, to FCRA Section 615. If a person acting as a debt collector on behalf of a third party creditor or other user of a consumer report is notified that any information relating to a debt that the debt collector is attempting to collect may be fraudulent or may be the result of identity theft, the debt collector must notify the third party that the information may be fraudulent or may be the result of identity theft. Upon request of the consumer to whom the debt purportedly relates, the debt collector must provide to the consumer all information to which the consumer would otherwise be entitled if the consumer were not a victim of identity theft, but wished to dispute the debt under provisions of law applicable to that person.49 SELECTED CALIFORNIA IDENTITY THEFT PROTECTION LAWS PROVISIONS AIDING VICTIMS OF IDENTITY THEFT California s criminal law dealing with the unlawful use of personal identifying information 50 has been on the books for the past five years. That law makes it illegal for a person to willfully obtain personal identifying information of another without that person s consent and to use that information for any unlawful purpose.51 A key provision of the law gives the victim the right to obtain information without a subpoena from creditors and other service providers in order to attempt to identify the perpetrator. Effective January 1, 2004,52 the category of providers responsible for producing the records is expanded. If a person discovers that an application in his or her name for a loan, credit line or account, credit card, charge card, public utility service, mail receiving or forwarding service, office or desk space rental service, or commercial mobile radio service has been filed with any person or entity by an unauthorized person, or that an 48 Section 113 of the FACT Act added subsection (g) on credit card and debit card number truncation to FCRA Section 605. These provisions are scheduled to become effective three years after date of enactment for machines and devices in use before January 1, 2005, and one year after date of enactment for machines and devices place din use after January 1, Preemption is at FCRA 625(b)(5). 49 FCRA 615(g). 50 Personal identifying information was originally defined as the person s name, address, telephone number, driver s license number, social security number, place of employment, employee identification number, mother s maiden name, demand deposit account number, savings account number or credit card number. This definition was expensed in 2002 to include health insurance identification, taxpayer identification, school identification, checking account number, PIN or password, alien registration number, government passport number, date of birth, unique biometric data including fingerprint, facial scan identifiers, voice print, retina or iris image, or other unique physical representation, unique electronic data including identification number, address or routing code, telecommunication identifying information or access device, information from a birth or death certificate. Cal. Pen. Code 530.5(b). 51 Cal. Pen. Code Hudson Cook, LLP Page 13

14 account in his or her name has been opened with a bank, trust company, savings association, credit union, public utility, mail receiving or forwarding service, office or desk space rental service, or commercial mobile radio service provider by an unauthorized person, then, upon presenting to the person or entity with which the application was filed or the account was opened (1) a copy of the police report prepared pursuant to California Penal Code Section and (2) identifying information in the categories of information that the unauthorized person used to complete the application or to open the account, the person (or law enforcement officer specified by the person) is entitled to receive information related to the application or account. This includes the right of the victim to a obtain a copy of the application or application information and a record of transactions or charges associated with the application or account.53 The creditor or service provider may, before providing copies to a law enforcement officer, require that the victim to submit a signed and dated statement by which the victim (1) authorizes disclosure for a stated period, (2) specifies the name of the agency or department to which the disclosure is authorized, (3) identifies the types of records that the victim authorizes to be disclosed, (4) states that the victim s authorization may be revoked at any time.54 Two other bills passed in 2003 with reciprocal enactment provisions55 give rights to a victim to pursue an uncooperative creditor or service provider in connection with the records request. At the victim s request, the Attorney General, the district attorney, or the prosecuting city attorney may file a petition in court in the jurisdiction in which the victim resides to compel the attendance of the person or entity in possession of the records, and order the production of the requested records to the court. Further procedures apply.56 The definition of application as used in subdivision (a) of Penal Code Section is now defined as a new application for credit or service, the addition of authorized users to an existing account, the renewal of an existing account, or any other changes made to an existing account. 57 In addition to any other civil remedy the victim is entitled to, as a result of the creditor or service provider having failed to produce the records, the victim may bring a 52 Stats. 2003, ch. 90, A.B Expanded categories of service providers shown in italics. Cal. Pen. Code 530.8(a). 54 Cal. Pen. Code 530.8(c). 55 Both S.B. 602 and S.B. 684 contain operative provisions dependent upon the other being enacted first. Both were signed and chaptered on the same day S.B. 602 was chaptered as Chapter 533, and S.B. 684 was chaptered as Chapter 534, meaning that the amendments of S.B. 684 prevail. Since the language is identical in both bills, little, if anything, is lost in the interpretation. 56 Cal. Pen. Code 530.8(d)(1). 57 Cal. Pen. Code 530.8(e)(1) Hudson Cook, LLP Page 14

15 civil action against the creditor or service provider for damages, injunctive relief, or equitable relief, and a penalty of $100 per day for noncompliance, plus attorneys fees.58 Section of the Penal Code, and similar provisions in Section applicable to credit card issuers, Financial Code Section 4002 applicable to supervised financial organizations, and Financial Code Section applicable to California Finance Lender licensees, will ultimately be preempted by the record production provisions of the FCRA.59 APPLICANT OR PURCHASER VERIFICATION PROCEDURES In an effort to stem the flow of merchandise, including automobiles, into the hands of perpetrators using false identification, an ambitious verification procedure was adopted effective January 1, 2002, that required any person who uses a consumer credit report in connection with a credit transaction, and who discovered that the address on the consumer credit report did not match the address of the consumer requesting or being offered credit, to take specific steps to communicate to the person whose information was being unlawfully used.60 The law was amended in September to clarify the requirements for verification, and to add some additional responsibilities for creditors. Any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, and who discovers that the address on the credit application does not match, within a reasonable degree of certainty, the address or addresses listed on the consumer credit report, must take reasonable steps to verify the accuracy of the address provided on the application to confirm that the extension of credit is not the result of identity theft Cal. Pen. Code 530.8(d)(2). 59 FCRA 625(b)(3). 60 Cal. Civ. Code (a). 61 Stats. 2002, ch These provisions may only be partially preempted by amendments to the FCRA made by the FACT Act. See FCRA 625(b)(3). The FACT Act Section 315 added a similar provision to the FACT 605(h): Notice of Discrepancy in Address. -- In General. If a person has requested a consumer report relating to a consumer from a consumer reporting agency described in section 603(p), the request includes an address for the consumer that substantially differs from the addresses in the file of the consumer, and the agency provides a consumer report in response to the request, the consumer reporting agency shall notify the requester of the existence of the discrepancy. (2) Regulations. (A) Regulations Required. The Federal banking agencies, the National Credit Union Administration, and the Commission shall jointly, with respect to the entities that are subject to their respective enforcement authority under section 621, prescribe regulations providing guidance regarding reasonable policies and procedures that a user of a consumer report should employ when such user has received a notice of discrepancy under paragraph (1). (B) Policies and Procedures to be Included. The regulations prescribed under subparagraph (A) shall describe reasonable policies and procedures for use by a user of a consumer report (i) to form a reasonable believe that the user knows the identity of the person to whom the consumer report pertains; and (ii) if the user establishes a continuing relationship with the consumer, and the user regularly and in the ordinary course of 2004 Hudson Cook, LLP Page 15

16 Effective January 1, 2004,63 in addition to checking the address to match that shown on the consumer credit report, the creditor must also check the consumer s first and last name and social security number In a separate, but related, provision of the Credit Reporting Agencies Act, effective July 1, 2004, any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, or with the purchase, lease or rental of goods or non-credit-related services and who receives notification of a security alert pursuant to the security alert 64 provisions, may not lend money, extend credit, or complete the purchase, lease, or rental of goods or non-creditrelated services without taking reasonable steps to verify the consumer s identity, in order to ensure that the application for an extension of credit or for the purchase, lease or rental of goods or noncredit related services is not the result of identity theft.65 If the consumer has placed a statement with the security alert in his or her credit file requesting that identity be verified by calling a specified telephone number, any person who receives that statement with the security alert in a consumer s credit file must take reasonable steps to verify the identity of the consumer by contacting the consumer using the specified telephone number prior to lending money, extending credit, or completing the purchase of the goods or services.66 The written disclosure provided by consumer credit reporting agencies to consumers in connection with their rights has been amended to take these new steps into account. The new language in the written disclosure is: Recipients of your credit report are required to take reasonable steps, including contacting you at the telephone number you may provide with your security alert, to verify your identity prior to lending money, extending credit, or completing the purchase, lease, or rental of goods or services. The security alert may prevent credit, loans, and services from being approved in your name without your consent. 67 business furnishes information to the consumer reporting agency from which the notice of discrepancy pertaining to the consumer was obtained, to reconcile the address of the consumer with the consumer reporting agency by furnishing such address to such consumer reporting agency as part of information regularly furnished by the user for the period in which the relationship is established. Proposed effective date December 1, Stats. 2003, ch See discussion on page 19, infra. 65 Cal. Civ. Code (g) as amended by Stats. 2003, ch. 907, S.B Id. 67 Cal. Civ. Code (f) as amended by Stats. 2003, ch. 907, S.B Hudson Cook, LLP Page 16

17 CREDIT CARD ISSUERS, TELEPHONE CORPORATIONS, AND CHANGE OF ADDRESS REQUESTS A credit card change of address notice process for California consumers has been in effect since July 1, A credit card issuer that mails an offer or solicitation to a consumer for a credit card and, in response, receives a completed application for that credit card that lists an address that is different from the address on the offer or solicitation, must verify the change of address by contacting the person to whom the solicitation or offer was mailed.68 If the issuer fails to verify the consumer, and an unauthorized use of the card results, the person to whom the offer or solicitation was sent will not be liable.69 This section also requires a card issuer who receives a written or oral request for a change of the cardholder s billing address, and then receives a written or oral request for an additional credit card within 10 days after the requested address change, to verify the change of address.70 As of January 1, 2004, a new section is added to Title 1.82, Business Records, of Part 4 of Division 3 of the Civil Code.71 It also requires any credit card issuer that receives a change of address request, other than for a correction of a typographical error, from a cardholder who orders a replacement credit card within 60 days before or after that request is received, to send to that cardholder a change of address notification addressed to the cardholder at the cardholder s previous address of record. If the replacement credit card is requested prior to the effective date of the change of address, the notification must be sent within 30 days of the change of address request. If the replacement credit card is requested after the effective date of the change of address, the notification must be sent within 30 days of the request for the replacement credit card.72 These new verification procedures in Title 1.82 (above) also contain a peculiar provision applicable to businesses (telephone corporations73 such as SBC or Verizon) that provide telephone accounts. If such a business receives a change of address request, other than for a correction of a typographical error, from an accountholder who orders new service, it must, within 30 days of a request for new service, send to the accountholder a change of address notification that is addressed to the previous address of record Cal. Civ. Code (a). 69 Cal. Civ. Code (b). 70 Cal. Civ. Code (c). 71 Stats. 2003, ch. 533, S.B Cal. Civ. Code b(a). 73 A telephone corporation is any person owning, controlling, operating, or managing any telephone line for compensation in the state. Cal. Pub. Ut. Code Cal. Civ. Code b(b) Hudson Cook, LLP Page 17

18 The notification under either of the above provisions may be given by telephone or if the card issuer or business entity reasonably believes that it has the current telephone number and address for the cardholder or accountholder who has requested a change of address. If the notification is in writing, it may not contain the cardholder s or accountholder s account number, social security number, or other personal identifying information.75 The card issuer or business entity is not required to give the change of address notification when a change of address is made in person by one who presents valid identification, or made by telephone and the requester has provided a unique alphanumeric password.76 MORE ON SECURITY ALERTS AND SECURITY FREEZES The California Civil Code provision concerning the ability of a person to place a security alert on his or her credit file with a credit reporting agency77 has been amended to provide for some hefty statutory penalties for a violation.78 A California consumer may place a security alert on his or her credit file by making a request in writing or by calling a toll-free, 24/7 telephone number. A security alert notifies a recipient of the credit report that the consumer may be the victim of identity theft. The alert may remain in place for at least 90 days, but the consumer has a right to request a renewal of the alert Cal. Civ. Code b(c). 76 Cal. Civ. Code b(d). 77 Cal. Civ. Code added by Stats. 2003, ch. 720, effective January 1, 2002, operative July 1, Stats. 2003, ch. 907, S.B. 25. Stats. 2003, ch. 533, S.B. 602 makes similar changes, but contains a reciprocal operative factor dependent upon enactment after S.B. 25, which did not occur. Nevertheless, the statutory penalty added by S.B. 602 in amended Civ. Code (h) does become effective January 1, 2004, and is repealed upon the operative date of the amendments contained in S.B. 25, July 1, Cal. Civ. Code (a), (c) Hudson Cook, LLP Page 18

19 Effective January 1, 2004, the consumer credit reporting agency must notify the consumer who has requested a security alert of the expiration date of the alert. Any consumer credit reporting agency that recklessly, willfully, or intentionally fails to place a security alert will be liable for a penalty of up to $2,500 and in addition, reasonable attorneys fees.80 In any case, it appears that ultimately, California s provisions for security alerts will be preempted by the FACT Act amendments to the FCRA.81 Also effective January 1, 2004, a consumer credit reporting agency may charge a small fee (vs. reasonable fee ) not to exceed $10 for placing a security freeze for a consumer, or removal of the freeze, or temporary lift of the freeze for a specific period of time, and a fee not to exceed $12 for a temporary lift of a freeze for a specific party.82 CONFIDENTIALITY OF DRIVER S LICENSE INFORMATION A new Title is added to Part 4, Division 3 of the Civil Code concerning the confidentiality of driver s license information.83 A business (commercial enterprise) may swipe a driver s license or DMV-issued identification card in an electronic device for specified purposes, but may not retain or use that information except as otherwise provided. A violation of this title constitutes a misdemeanor punishable by imprisonment in a county jail for up to a year, or by a fine of not more than $10,000, or by both. Purposes for which a business may swipe a driver s license or DMV-issued identification card are: (1) to verify age or the authenticity of the driver s license or identification card; (2) to comply with a legal requirement to record, retain or transmit that information; (3) to transmit information to a check service company for the purpose of approving negotiable instruments, electronic funds transfers, or similar methods of payment, provided that only the name and ID number from the card may be used or retained by the check service company; or (4) to collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse or material misrepresentation.84 CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS A person or entity must not (1) publicly post or display in any manner an individual s social security number, (2) print the individual s social security number on any card required for the individual to access products or services, (3) require an individual to transmit the social security number over the Internet, unless the connection 80 Cal. Civ. Code (g) and (h). 81 See FCRA 625(b)(5)(B). 82 Cal. Civ. Code amended by Stats. 2003, ch. 533, S.B Stats. 2003, ch. 533, S.B. 602, effective January 1, Cal. Civ. Code Hudson Cook, LLP Page 19

20 is secure or the social security number is encrypted, (4) require an individual to use a social security number to access an Internet Website unless a password or unique personal ID number or other authentication is also required, or (5) print an individual s social security number on any materials mailed to the individual, unless state or federal law requires it.85 Notwithstanding this prohibition, a financial institution may, prior to July 1, 2004, print the individual s social security number on any account statement or similar document mailed to that individual if the social security number is provided in connection with a transaction governed by the National Automated Clearing House Association Rules, or a transaction initiated by a federal governmental entity through an automated clearing house network.86 A person or entity that has used, prior to July 1, 2002, an individual s social security number in a manner inconsistent with the foregoing may continue using it in that manner after July 1, 2002 provided certain procedures are followed: The use of the social security number is continuous. If the use is stopped for any reason, this exception will not apply. The individual is provided an annual disclosure that informs him or her of the right to stop the use of the social security number in a manner prohibited by the rules above. A written request by an individual to stop the use of his or her social security number in a manner prohibited by the rules above is implemented within 30 days of receipt of the request, without charge. The person or entity does not deny services to the individual because of his or her request.87 Based on an amendment adopted in 2003, if a state or local agency has used, prior to January 1, 2004, an individual s social security number in a manner inconsistent with the rules above, it may continue doing so in that manner on or after January 1, 2004, provided the procedures outlined above are followed. Operative dates are also extended for a variety of other institutions Cal. Civ. Code (a). 86 Cal. Civ. Code , as amended by Stats. 2003, ch. 907, S.B Cal. Civ. Code (c). 88 Stats. 2003, ch. 907, S.B. 25. Those institutions are: (1) the University of California, January 1, 2004, for the first three provisions, and January 1, 2005, for the last two; (2) the Franchise Tax Board, January 1, 2007; (3) the California community college districts, January 1, 2007; (4) the California State University System, July 1, 2005; (5) the California Student Aid Commission and its auxiliary organization, January 1, 2004, for the first three provisions, and January 1, 2005, for the last two Hudson Cook, LLP Page 20

21 Another restriction on the use of social security numbers was also added: A person or entity may not encode or embed a social security number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology in place of removing the social security number, as required by this section. 89 CONFIDENTIALITY OF TELEPHONE SUBSCRIBER S PERSONAL CALLING PATTERNS AND INFORMATION Although there has been little reported in connection with the disclosure of personal information of subscribers by telephone corporations, the California legislature continues to identify areas in which it anticipates exposure, and it must have decided that this is one of those areas.90 Subject to certain exceptions, no telephone or telegraph corporation may make available to any other person or corporation, without first obtaining the residential subscriber s consent, in writing, any of the following information: The subscriber s personal calling patterns, including any listing of the telephone or other access numbers called by the subscriber, but excluding the identification to the person called of the person calling and the telephone number from which the call was placed ( caller ID ) subject to certain restrictions, and also excluding billing information concerning the person calling which federal law or regulation requires a telephone corporation to provide to the person called. The residential subscriber s credit or other personal financial information, except when the corporation is ordered by the commission to provide this information to any electrical, gas, heat, telephone, telegraph, or water corporation, or centralized credit check system, for the purpose of determining the creditworthiness of new utility subscribers. The services which the residential subscriber purchases from the corporation or from independent suppliers of information services who use the corporation s telephone or telegraph line to provide service to the subscriber. Demographic information about individual residential subscribers, or aggregate information from which individual identities and characteristics have not been removed Stats. 2003, ch. 907, S.B. 25; Cal. Civ. Code (g). 90 Stats. 2003, ch. 533, S.B. 602, effective January 1, Cal. Pub. Ut. Code Hudson Cook, LLP Page 21

22 DEBT COLLECTION ACTIVITIES AND IDENTITY THEFT It appears that the following California Civil Code Section regarding cessation of collection activities upon notification of identity theft law is not preempted by the federal FCRA.92 Upon receipt from a debtor of all of the following, a debt collector must cease collection activities until completion of the review provided in subdivision (d) of California Civil Code Section : (1) A copy of a police report filed by the debtor alleging that the debtor is the victim of an identity theft crime, including, but not limited to, a violation of Section of the Cal. Penal Code, for the specific debt being collected by the debt collector.93 (2) The debtor s written statement that the debtor claims to be the victim of identity theft with respect to the specific debt being collected by the debt collector.94 The written statement described above must consist of at least one of the following: The FTC s Affidavit of Identity Theft. A written statement containing the content of the Identity Theft Victim s Fraudulent Account Information Request offered to the public by the California Office of Privacy Protection. A written statement that certifies that the representations are true, correct, and contain no material omissions of fact to the best knowledge and belief of the person submitting the certification. A person submitting the certification who declares as true any material matter that he or she knows to be false is guilty of a misdemeanor. The statement must contain or be accompanied by, the following, to the extent that an item listed below is relevant to the debtor s allegation of identity theft with respect to the debt in question: A statement that the debtor is a victim of identity theft. 92 FCRA 625(b)(5)(F) preempts state law that requires any conduct required by, among other subsections, subsection (g) of Section 615: If a person acting as a debt collector (as that term is defined in title VIII) on behalf of a third party that is a creditor or other user of consumer report is notified that any information relating to a debt that the person is attempting to collect may be fraudulent or may be the result of identity theft, that person shall (1) notify the third party that the information may be fraudulent or may be the result of identity theft; and (2) upon request of the consumer to whom the debt purportedly relates, provide to the consumer all information to which the consumer would otherwise be entitled if the consumer were not a victim of identity theft, but wishes to dispute the debt under provisions of law applicable to that person. The conduct required by FCRA 615(g) is to notify the third party and to provide information to the consumer. The conduct required by Cal. Civ. Code is to cease collection activities and review the identity theft report and affidavits submitted by the consumer before proceeding. 93 Cal. Civ. Code (a)(1). 94 Cal. Civ. Code (a)(2) Hudson Cook, LLP Page 22

23 A copy of the debtor s driver s license or identification card, as issued by the state. Any other identification document that supports the statement of identity theft. Specific facts supporting the claim of identity theft, if available. Any explanation showing that the debtor did not incur the debt. Any available correspondence disputing the debt after transaction information has been provided to the debtor. Documentation of the residence of the debtor at the time of the alleged debt. This may include copies of bills and statements, such as utility bills, tax statements, or other statements from businesses sent to the debtor, showing that the debtor lived at another residence at the time the debt was incurred. A telephone number for contacting the debtor concerning any additional information or questions, or direction that further communications to the debtor be in writing only, with the mailing address specified in the statement. To the extent the debtor has information concerning who may have incurred the debt, the identification of any person whom the debtor believes is responsible. An express statement that the debtor did not authorize the use of the debtor's name or personal information for incurring the debt. The certification required pursuant to this paragraph shall be sufficient if it is in substantially the following form: I certify the representations made are true, correct, and contain no material omissions of fact. (Date and Place) (Signature)95 OTHER STATE IDENTITY THEFT PROTECTION LAWS ALABAMA Although this law will most likely be preempted by the FACT Act amendments to the FCRA regarding the consumer s request to block certain information in a credit file,96 95 Cal. Civ. Code (b). 96 FCRA 625(b)(5)(C) Hudson Cook, LLP Page 23

24 Alabama has a provision that requires the blocking of information in a consumer s credit report within 30 days if the consumer submits to a consumer reporting agency a copy of a court order from an action that is the result of a criminal violation of the Alabama Consumer Identity Protection Act.97 The block on information may be rescinded only by a subsequent order from the court that originally issued the first order.98 A consumer harmed by an intentional or reckless violation of this provision may recover actual damages, injunctive relief, and an award of attorney s fees.99 COLORADO Colorado has adopted both a block of credit information provision, and an address verification for credit card offers provision, where the consumer accepting the offer lists a different address than that to which the offer was sent. A consumer reporting agency (other than a reseller) must, within 30 days after receipt of a police report or certified court order, permanently block the reporting of any information that a consumer identifies on his or her report as being subject to the police report or court order (the result of identity theft). The consumer must provide proof of the consumer s identification, and a copy of the police report or a certified court order.100 The consumer reporting agency must promptly notify the person who originally furnished the credit information that a police report or court order has been filed, that a block has been requested, and the effective date of the block.101 A consumer reporting agency may decline to block, or rescind any block, of consumer information if the sentencing court amends, dismisses or withdraws its court order, or if in the exercise of good faith and reasonable judgment, the consumer reporting agency believes: The information was blocked due to a misrepresentation of fact by the consumer relevant to the request to block; The consumer agrees that the blocked information or portions were blocked in error; The consumer knowingly obtained possession of goods, services or money as a result of the blocked transaction, or the consumer should have known that he or she obtained same as a result of the blocked transaction; or 97 Ala. Code 13A-8-200(b)(1). 98 Ala. Code 13A-8-200(b)(2). 99 Ala. Code 13A-8-200(b)(4). 100 Colo. Rev. Stat. Ann (1)(a). 101 Colo. Rev. Stat. Ann (1)(b) Hudson Cook, LLP Page 24

25 The consumer so requests in writing and presents proof the consumer s identity.102 If a block of credit information is declined or rescinded, the consumer reporting agency must promptly notify the consumer in the same manner as consumers are notified of the reinsertion of disputed information in a consumer credit file.103 For a willful violation of these provisions, a consumer reporting agency may be liable for three times the greater of the amount of actual damages or $1,000 for each unblocked entry in the consumer s file that is alleged to be unauthorized by the consumer, plus reasonable attorney s fees and costs. For a negligent violation the consumer reporting agency may be liable for the greater of actual damages or $1,000, plus reasonable attorney s fees and costs.104 A new provision is added to the Colorado Consumer Credit Code, effective July 1, A solicitor that makes a firm offer of credit for a lender credit card or a seller credit card to a consumer by mail, and receives an acceptance of that offer that lists the address of the consumer accepting the offer as different from the address to which the offer was sent must, prior to issuing the card, verify that the consumer accepting the offer is the same consumer to whom the offer was sent.106 Verify means the use of commercially reasonable efforts to ascertain that the consumer responding to a mail solicitation is the same consumer to whom the solicitation was directed. For these purposes, a solicitor is deemed to verify that the consumer accepting a mail solicitation is the same consumer to whom the solicitation was directed if: A consumer responding at a telephone number appearing in a publicly available director or database as the telephone number of the consumer to whom the solicitation was mailed identifies himself or herself as the consumer to whom the solicitation was mailed and acknowledges the consumer s acceptance of the solicitation; or A consumer presents the solicitor, including presentation by facsimile transmission or mail, the original or a copy of one or more documents, including a driver s license, social security card, passport, or any other identification document issued by a state or federal governmental agency that, on the fact of the 102 Colo. Rev. Stat. Ann (2)(a), (b). 103 Colo. Rev. Stat. Ann (3). 104 Colo. Rev. Stat. Ann (1), (2) Colo. H.B Colo. Rev. Stat. Ann (1) Hudson Cook, LLP Page 25

26 document(s) appears to confirm such consumer s identity as the consumer to whom a solicitation was mailed; or The solicitor verified by any means adopted in federal regulations, that the consumer accepting the solicitation is the consumer to whom the solicitation was directed; or The solicitor verified by any other means, that the standards and practices of the industry in which the solicitor is engaged would be deemed sufficient, that the consumer accepting the solicitation is the same consumer to whom the solicitation was sent.107 The block of certain information in a credit file law will ultimately be preempted by the FACT Act amendments to the FCRA.108 However, the rules for the verification of address under FCRA pertain to an address in a consumer report that is different than the address of the applicant or consumer submitted to the consumer reporting agency by a requester.109 Since the regulations that pertain to users of consumer reports and the verification process under the FCRA are not yet written,110 it is not known to what extent such will preempt state law. CONNECTICUT A person who believes he or she is a victim of a violation of Connecticut s criminal identity theft statute,111 may request a credit rating agency to block and not report information appearing on his or her credit report. The consumer must submit a written request to the credit rating agency, together with proof of the consumer s identity and a copy of the police report. Within 30 days of receipt of request, the credit rating agency (other than a reseller, a check services or fraud prevention services company, or a demand deposit account information service company) must block reporting the information that the consumer alleges appears on his or her credit report as a result of the identity theft. The credit rating agency must promptly notify the furnisher of the information that a police report has been filed, that a block has been requested, and the effective date of the block Colo. Rev. Stat. Ann (2)(c). 108 FCRA 625(b)(5)(C). 109 FCRA 605(h) 110 FCRA 615(e); FCRA 625(b)(5)(F). 111 Conn. Gen. Stat. 53a-129a. 112 Conn. S.B. 588, effective October 1, 2003, Hudson Cook, LLP Page 26

27 A credit rating agency may decline to block, or rescind a block, of consumer information if it believes in good faith and reasonable judgment based on specific, verifiable facts to doubt the authenticity of the consumer s report of identity theft. The credit rating agency may, in addition to reasons similar to those set forth for Colorado, above, decline to block or rescind a block of consumer information if the information was blocked due to fraud in which the consumer participated or of which the consumer had knowledge and which may be demonstrated by circumstantial evidence. If the credit rating agency declines to block or rescinds the block, it must promptly notify the consumer in the same manner as consumers are notified of the insertion of information following a dispute.113 A person who willfully violates the foregoing provisions will be fined not more than $100 for the first offense, and not more than $500 for a second offense, and will be fined not more than $1,000 or be imprisoned for not more than six months, or both, for each subsequent offense.114 A consumer who suffers actual damages may bring a civil action, and if he or she prevails, the court will award the greater of $1,000 or treble damages, together with reasonable attorney s fees and court costs.115 The same law that enacted the identity theft provisions, above, also added a requirement to truncate credit card and debit card numbers when printing receipts provided to cardholders. Effective on and after January 1, 2005, not more than the last five digits of the credit card or debt card number may be printed on any receipt printed electronically and provided to the cardholder. Also effective January 1, 2005, no person may publicly post or publicly display an individual s social security number.116 It appears that both the Connecticut blocking of certain information in a consumer s credit file law, above, and the credit card and debit card number truncation provisions, will be preempted by the FACT Act amendments to the FCRA.117 GEORGIA A consumer verification provision has been added to Georgia s unfair and deceptive practices statute.118 A credit card issuer who mails an unsolicited offer to apply for a credit card, and who receives by mail a completed application in response to the solicitation which lists an address that is not substantially the same as the address on the solicitation may not issue a credit card based on that application until steps have been 113 Id. 114 Conn. S.B. 588, effective October 1, 2003, Conn. S.B. 588, effective October 1, 2003, Conn. S.B. 588, effective October 1, 2003, 12, FCRA 625(b)(5)(A), (B) Ga. H.B. 656 enacted May 5, 2004, effective July 1, Hudson Cook, LLP Page 27

28 taken to verify the applicant s valid address, to the same extent required by the federal rules on customer verification.119 HAWAII Hawaii has taken steps to protect the individual s social security number.120 Hawaii s Uniform Information Practices Act applicable to governmental agencies has been amended to include as an example of information in which the individual has a significant privacy interest, an individual s social security number.121 Further, retail merchant clubs issuing club cards may not request in a club card application, or require as a condition of obtaining a club card, that the applicant provide any personal information except name, address, and telephone number. If the club card issuer requires a unique identifier to confirm the identity of the applicant, the club card issuer may ask for the last four digits of the applicant s social security number. With certain exceptions, club card issuers may not sell or share a club cardholder s name, address, telephone number, or any personal information to any unaffiliated third party.122 IDAHO A new chapter has been added to Idaho s Commercial Transactions Code.123 The new provision for placing a block on any portion of a consumer credit report that a consumer identifies is the result of Idaho s identity theft law generally tracks that recently adopted in other states. If a consumer submits to a consumer reporting agency a certified copy of a police report setting forth facts establishing probable cause of a violation of Idaho Code Section , the consumer reporting agency must, within 30 days of the receipt of the police report, permanently block or decline to block reporting any information that the consumer identifies on his or her credit report is the result of identity theft. The consumer reporting agency must promptly notify the furnisher of the information upon which a block has been requested, and the effective date of the block.124 As is the case with Colorado, the consumer reporting agency may decline to block or rescind a block based on certain reasons, and if the consumer reporting agency does so, it must notify the consumer of the reinsertion of the information. A consumer harmed by a violation of these provisions may maintain an action for legal damages and injunctive relief against the consumer reporting agency or the furnisher of the information, or both. A judgment in favor of the consumer will include an award of 119 Ga. Code (29.1); 31 U.S.C Hi. H.B. 2674, enacted May 29, 2004, effective July 1, Hi. Rev. Stat. 92F-14(b)(9) Hi. H.B. 2674, enacted May 29, 2004, , ch. 422, Id. Code [ ] Hudson Cook, LLP Page 28

29 attorney s fees in addition to other relief granted by the court.125 The process for the blocking of information in a consumer s credit file law will most likely be preempted by the FACT Act amendments to the FCRA.126 In addition, a merchant who accepts a payment card (credit card, charge card or debit card) for the transaction of business must not print more than the last five digits of the account number, or print the payment card s expiration date on an electronically printed receipt provided to the cardholder. This provision is effective January 1, 2004, for all machines that are first used on or after July 1, 2003, and effective January 1, 2005, for all machines that are first used before July 1, In addition to any other remedy available to the cardholder, a merchant that violates this section will be subject to a civil penalty of not more than $250 for the first violation, $1,000 for a second or subsequent violation.127 It appears that both the Idaho blocking of certain information in a consumer s credit file law, above, and the credit card and debit card number truncation provisions, will be preempted by the FACT Act amendments to the FCRA.128 ILLINOIS Illinois two companion bills pending. Illinois House Bill 5006 and Senate Bill 2639 would amend Illinois law129 to provide for security alert notices on consumer reports. In addition, House Bill 4712 would enact a law similar to California law imposing restrictions and prohibitions on the printing, posting or displaying of social security numbers, such as on materials mailed to consumers. INDIANA Indiana Senate Bill 379 recently added new provisions to prohibit state agencies from releasing an individual s social security number, unless authorized by federal or state law or a court order, or unless the individual expressly consents in writing to its disclosure.130 This new law also requires a state agency notify a state resident if the individual s name, and social security number or driver s license number or account or card numbers have been obtained in an unauthorized access of computerized data Id. 126 FCRA 625(b)(5)(C). 127 Id. Code FCRA 625(b)(5)(A), (B) ILCS 505/2MM. 130 Ind. Code , effective July 1, Ind. Code , effective July 1, Hudson Cook, LLP Page 29

30 LOUISIANA Louisiana s law pertaining to consumer credit reports has been significantly amended to add security freeze procedures.132 Existing law, which most likely will be subject to FCRA preemption, permits a consumer to request in writing or by telephone, with proper identification, that a 90-day security alert be placed on the consumer s credit file with the credit reporting agency. A nationwide credit reporting agency must maintain a toll-free, 24/7 number which may be used by consumers to request the security alert. When the credit reporting agency issues a consumer credit report, the security alert is also sent to the person requesting the report. At the termination of the security alert, the consumer may again place a security alert, and if the consumer does not, the alert expires. The consumer may request that a copy of the consumer s file be provided to the consumer. Resellers, check services, fraud prevention companies, deposit account information service companies, and banks need not comply with these requirements.133 A person who receives notification of a security alert in connection with a request for a consumer report for the approval of a credit-based application, a purchase, lease or rental agreements for goods, or for an application for a noncreditrelated service, must not lend money, extend credit or authorize an application without taking reasonable steps to verify the consumer s identity.134 If the consumer has included a telephone number with the security alert, the person who receives that number with a security alert in connection with a request for a consumer report must contact the consumer or take reasonable steps to very the consumer s identity and confirm hat the application for an extension of credit is not the result of financial theft before lending money, extending credit, or completing a transaction.135 New subsections L through Y have been added to Louisiana Rev. Stat. Section 3: effective January 30, 2005, that permit a consumer to place a security freeze on the consumer s credit file with a credit reporting agency. A credit reporting agency would have to place a hold on the consumer s credit file within seven days of receiving the written request of the consumer, sent via certified mail. An $8 charge may be made for placing the freeze, and the cost may increase each year for increases in the Consumer Price Index. The credit reporting agency is prohibited from releasing the consumer s credit report, although it is free to advise a third party that such a freeze is in place. The consumer may, with a unique personal identification number or password, authorize access to his or her credit file for a specific period of time. Parties who receive notification that a security freeze is in place when being asked to extend credit may treat the application as incomplete. Certain exceptions apply to the placement of the freeze, and to certain classes of persons who may obtain access to the consumer s credit report La. H.B. 623, effective January 30, La. Rev. Stat. 9:3571.1(H)-(L). 134 La. Rev. Stat. 9:3568(C). 135 Id Hudson Cook, LLP Page 30

31 even during the period of time there is a freeze in place. Actual out-of-pocket damages plus reasonable attorney s fees are recoverable as of January 1, Also, enacted last year137 is a provision that permits a person who has been the victim of identity theft to obtain from a creditor copies of the application information and transactional information, such as a copy of one or more monthly billing statements, prepared by a financial institution that the victim needs to undo the effects of the identity theft. Prior to providing the information to the victim, the creditor may require the victim submit a written and signed statement which provides information sufficient to verify the identity of the victim and the existence of an identity theft crime, including a copy of the police report and a copy of the victim s state-issued identification card.138 MAINE Maine House Bill 509 was recently enacted.139 A person, corporation or other entity may not, except as otherwise provided by federal or state law, deny goods or services to an individual because he or she refuses to provide a social security number.140 Several exceptions apply: For example, in order to obtain a consumer credit report from a credit reporting agency, a person, corporation or entity needs the individual s social security number; in order to extend credit, a supervised lender or supervised financial organization may require the individual s social security number; an insurance company needs an individual s social security number to process enrollment, coverage and claims; certain health care uses include the individual s social security number; landlords, employers, and volunteer service organizations conducting background checks also need the individual s social security number; and in some cases, the individual s number is needed to investigate a claim of fraud.141 MASSACHUSETTS House Bill 2921 is currently pending in the Massachusetts legislature. Several new sections would be added to Chapter 93, General Laws, pertaining to security freeze and fraud alert 142 as well as address discrepancy notification and verification of change of address in connection with an acceptance of a credit card solicitation Id LA H.B La. Rev. Stat. 9:3568(B) ME. H.P. 509, enacted January 29, 2004, effective July 30, Maine Rev. Stat. Ann. tit. 10, 1272-B(1). 141 Maine Rev. Stat. Ann. tit. 10, 1272-B(2). 142 Would add Sections 51B and 56 to Chapter 93, General Laws. 143 Would add Sections 51A and 115 to Chapter 93, General Laws Hudson Cook, LLP Page 31

32 Statutory civil penalties up to $5,000 for violation of the latter could be recovered in an action initiated by the Attorney General.144 MICHIGAN There are two bills pending in the Michigan legislature: Senate Bill 795 would enact the Social Security Number Privacy Act, and Senate Bill 798 would amend Michigan s Consumer Protection Act. If Senate Bill 795 is enacted, with certain exceptions, a person would be prohibited from publicly displaying or including in any document or information mailed or otherwise sent to an individual, if it is visible on or from the outside of the envelope, or disclosing to a third party, or requiring an individual to use or transmit over the internet or a computer network unless the connection is secure and the transmission is encrypted and a password is used, more than four digits of an individual s social security number. A person would be prohibited from using an individual s social security number as the primary identification number for the individual or his or her account. A person would be prohibited from including the social security number in any document or information mailed to the individual unless state or federal law requires it, or the document is sent as part of an application or enrollment process, or is sent to establish or terminate an account or policy. A knowing violation will subject a person to being convicted of a misdemeanor, and a fine of not more than $1,000, or imprisonment for not more than 93 days, or both. An individual may bring a civil action and recover actual damages or $1,000 whichever is greater, plus reasonable attorney s fees. Senate Bill 798 would add a new subsection (hh) to Michigan Comp. Laws , the Consumer Protection Act, to make it an unfair, unconscionable or deceptive method, act or practice in the conduct of trade or commerce for a person, with knowledge, to deny credit or public utility service to, or reduce the credit limit of, a consumer who is a victim of identity theft under the state s criminal Identity Theft Protection Act. NEW HAMPSHIRE New Hampshire House Bill 342, if enacted, would restrict the use and display of social security numbers. NEW JERSEY An existing law in New Jersey requires a consumer reporting agency to, at the request of the individual who has obtained an order from the court, notify creditors that 144 Would add Section 116 to Chapter 93, General Laws Hudson Cook, LLP Page 32

33 certain information has been deleted from the consumer s credit file as a result of the unlawful use of the victim s personal identifying information.145 New Jersey also has a pending bill aimed at notifying consumers whose nonpublic personal information maintained by a financial institution (as defined under Title V of the Gramm-Leach-Bliley Act) has been subjected to a compromise either by an employee of the financial institution, or through any unauthorized entry into the record of the institution.146 The financial institution would also be required to give assistance to the consumer, including correcting and updating information furnished to consumer credit reporting agencies, relating to such consumer. The financial institution must also reimburse the consumer for any losses the consumer incurred as a result of the compromise, including fees for obtaining, investigating and correcting the consumer report. The same bill would require an issuer of credit who receives a request for an additional card with respect to an existing account, not later than 30 days after receiving notification of a change of address of that account, to notify the cardholder at both the new address and the former address, and provide the cardholder a means of promptly reporting incorrect changes. A different bill, New Jersey Assembly Bill 2048, would also require notification, using a variety of methods, within 15 days to an individual if the New Jersey business that owns or licenses data that includes personal information experiences a breach of the security of the system, and the personal information was unencrypted and was acquired, or believed to have been acquired, by an unauthorized person. The bill also requires a business to take reasonable steps to destroy or arrange for the destruction of customer records which are to no loner be retained. NEW YORK New York Senate Bill 309 would prohibit any organization from selling, sharing, leasing, or trading an individual s social security number with any other person without informed written consent, except where required by state or federal law. Three bills, Assembly Bill 9184, Senate Bill 6739 and Senate Bill 7121, would impose notification requirements when a breach of the security of the computerized database systems occurs. Assembly Bill 3949 would permit a person to refuse to provide his or her social security number to another in order to obtain goods and services. PENNSYLVANIA Senate Bill 1070 would enact the Social Security Confidentiality Act, which would place prohibitions on certain activities involving social security numbers. The bill would also impose a duty to dispose of records containing social security numbers in a certain manner. 145 N.J. Stat. Ann. 2C: NJ A.B Hudson Cook, LLP Page 33

34 TEXAS Texas has recently adopted a variety of identity theft protection laws. First, not later than 24 hours after receiving a request, a consumer reporting agency must place a security alert on the consumer s credit file upon written or telephone request, with proper identification. The consumer may include a telephone number in such alert to be used by persons to verify the consumer s identity prior to entering into transactions. The security alert remains in place for 45 days, and may be renewed. At the end of the 45-day security alert, on written or telephone request, a consumer may obtain a copy of his or her consumer report.147 A consumer reporting agency must maintain a toll-free telephone number that consumers may use during normal business hours for the purpose of placing security alerts. At a minimum, an automated answering system must record requests during other than normal business hours, with calls returned to consumers within two hours of the next business day.148 When providing a consumer report, a consumer reporting agency shall notify such person that a security alert is in place, and include the telephone number provided by the consumer.149 The security alert provisions will be preempted by the FACT Act amendments to the FCRA.150 Consumers may also place a security freeze on their credit files with consumer reporting agencies. On written request sent by certified mail that includes proper identification and a copy of a valid police report, investigative report, or complaint made under Texas Penal Code Section 32.51, a consumer reporting agency must place a security freeze on a consumer s credit file not later than the fifth business day after the date it receives the request.151 The consumer reporting agency may charge up to $8 for placing a security freeze, which fee is adjusted according to the Consumer Price Index.152 The consumer reporting agency sends written confirmation within 10 days that the security freeze is being placed, along with information about the process of placing, removing and lifting the freeze, and provides the consumer with a unique personal identification number of password that the consumer may use to remove or temporarily 147 Tex. Bus. & Comm. Code Tex. Bus. & Comm. Code Tex. Bus. & Comm. Code FCRA 625(b)(5)(B). 151 Tex. Bus. & Comm. Code Tex. Bus. & Comm. Code Hudson Cook, LLP Page 34

35 lift the freeze.153 Further provisions apply to the removal or temporary lifting of a security freeze.154 While a security freeze is in place, a consumer reporting agency must notify the consumer of any change in the consumer s name, date of birth, social security number or address within 30 days of the date the change is made. Material change of address confirmation must be sent to both the old address and the new address. 155 At the time a person requests a consumer report that has a security freeze, the credit reporting agency must notify such person that a security freeze is in effect.156 Certain entities are exempt from the security freeze provisions, for example, state or local governmental entities, child support agencies, Health and Human Services, the tax assessor-collector, resellers, persons obtaining lists of consumer names for purposes of making firm offers of credit, persons who administer a credit file monitoring subscription service, and check service or fraud prevention service companies, among others.157 A person that receives notification of a security alert in connection with a request for a consumer report for the approval of a credit-based application, an application for purchase, lease or rental for goods, or for an application for noncredit-related services, must not lend money, extend credit, or authorize the application without taking reasonable steps to verify the consumer s identity. If a telephone number is included with the security alert, the person must take reasonable steps to contact the consumer using that number before lending money, extending credit or completing the transaction.158 Texas has also adopted laws protecting sensitive personal numbers specifically, social security numbers, credit card numbers and debit card numbers. Except as may be permitted by the Social Security Administration or under other state or federal law, or for internal verification or administrative purposes, a person must not print an individual s social security number on a card or other device required to access a product or service. A person who violates this section is liable to the state for a civil penalty of up to $500 for each violation.159 In addition, a person that accepts a credit card of debit card for the transaction of business must not print more than the last four digits of the credit card or debit card account number or the month and year of the credit card s or debit card s 153 Id. 154 Tex. Bus. & Comm. Code Tex. Bus. & Comm. Code Tex. Bus. & Comm. Code Tex. Bus. & Comm. Code , Tex. Bus. & Comm. Code Tex. Bus. & Comm. Code Hudson Cook, LLP Page 35

36 expiration date on an electronically printed receipt or other document that evidences the transaction and that is provided to the cardholder. This section also carries a civil penalty of up to $500 for each violation.160 The credit card and debit card number truncation provisions will be preempted by the FACT Act amendments to the FCRA.161 VERMONT New identity theft provisions have been added to Vermont s Fair Credit Reporting Act. Consumers who have been the victim of an identity theft 162 may request, via a writing sent certified mail to a credit reporting agency, that a security freeze be placed on their credit file.163 This would prevent the credit reporting agency from issuing a consumer report without the consumer s consent. Existing creditors may obtain consumer reports on a consumer, as can persons to whom the account is assigned for collection.164 The credit reporting agency may remove the freeze, with notice to the consumer, if it determines that the consumer s file was frozen due to a material misrepresentation by the consumer.165 WASHINGTON Washington Revised Code Section permits the consumer to submit a written request and a copy of a filed police report to have the credit reporting agency permanently block reporting information on the consumer that is the result of identity theft under the criminal statute.166 The consumer reporting agency must implement the block within 30 days of receipt of proof of the consumer s identification, and promptly notify the furnisher of the information that a police report has been filed, that a block of information has been requested, and the effective date of the block. A consumer reporting agency may decline to block or may rescind the block of consumer information if the consumer agrees, or if, in the exercise of good faith and reasonable judgment, it believes that the information was blocked due to a misrepresentation of fact by the consumer, the information was blocked in error, or the consumer knowingly obtained possession of goods, services or money as a result of the blocked transaction. If the consumer reporting agency declines to block or rescinds the block, it must provide a notice to the consumer. The process for the blocking of information in a consumer s 160 Id. 161 FCRA 625(b)(5)(A). 162 Identity theft means the unauthorized use of another person s personal identifying information to obtain credit, goods, services, money, or property. 9 V.S.A. 2480a(4). 163 Vermont H.B. 327, effective July 1, 2005, adding 9 V.S.A. 2480h-n. 164 Id. at 2480h(l)(1). 165 Id. at 2480h(g)(2). 166 Rev. Code Wash Hudson Cook, LLP Page 36

37 credit file law will most likely be preempted by the FACT Act amendments to the FCRA.167 Washington also has a provision that permits a victim of identity theft to obtain copies of relevant application and transaction information from a business that is alleged to have originated as the result of a potential or actual identity theft.168 The victim appears before any law enforcement agency, has impressions of fingerprints made (for Personal Identification only), and obtains a statement, printed in 12-point bold type, as follows: The person holding this statement has claimed to be a victim of identity theft. Pursuant to chapter 9.35 RCW, a business is required to provide this victim with copies of all relevant application and transaction information related to the transaction being alleged as a potential or actual identity theft. A business must provide this information once the victim makes a request in wiring, shows this statement, any government issued photo identification card, and a copy of a police report. * * * * * * 167 FCRA 625(b)(5)(C). 168 Rev. Code Wash Hudson Cook, LLP Page 37