By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 1

Transcription

1 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 1 This paper compiles and summarizes information from various resources and is intended to help you quickly gain basic knowledge needed to make presentations to students. I have attached copies of some of the resources I have used and included a bibliography. The articles attached may be copywritten and are not to be publicly circulated or reproduced without the permission of the copyright holders, except as may be stated in them. This paper is for your use only. It is not to be made publicly available without my permission. I does not create any attorney client relationship. The sources for this briefing paper are either cited herein or are listed in the bibliography. This paper covers the subject in a great deal more detail than may be prudent in dealing with students at this level. Nevertheless, you may find yourself being asked questions on the subject and I would hope this briefing paper would assist you in answering those questions. In footnotes or text, I will refer to various sources in the bibliography by shorthand identification. Please refer to the bibliography for that purpose. Much of this paper is drawn from a recent article I have posted for the benefit of clients, and is therefore in the first person.! What is Identity Theft and how widespread is it? According to Consumer Reports, citing a recent survey by the Center for Social and Legal Research, seven million persons were victims of identity theft in Stop thieves from stealing you, Consumer Reports, October The personal and financial cost is large, and growing. It amounts to millions of dollars in lost money and time with the average victim losing $800 and spending two years clearing his or her name and credit record. Stop thieves from stealing you, Consumer Reports, October Id. Many times, the victims do not learn of the crime for a year or more. Id. Identity theft occurs when someone fraudulently uses your name, identifying data and credit to borrow money, buy merchandise or services in your name. If the perpetrator has obtained a new credit card or otherwise borrowed money in your name, odds are you won t learn about it until he or she has run up a large balance, because the criminal will have made sure that the statements go to another address than yours. The key to this crime is your personal private information, especially your Social Security number, birthdate, existing credit card or bank account information, driver s license numbers, mother s maiden name, to cite the most common examples. See FTC Website on Identity Theft,

2 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 2 Sometimes, this information comes from the identity thief stealing it from financial institutions, merchants, credit bureaus, or government. Just as often it comes because you, the victim, are careless or duped by elaborate schemes into letting your information go. Through a scheme called phishing, you receive a very official looking warning you that your bank or other account has been compromised, or needs to be verified. You are asked to click on a link, supposedly to go to the supposed sender, to reply. In fact, that link does something quite different, and may result in you unknowingly downloading a malicious computer program (called a Trojan Horse) that tracks and sends out a record of what you are typing (called keyboard logging ) or finds and sends out confidential information off your computer, without your knowledge. See Privacy Rights Clearinghouse website, What indicators are there that one is a victim of identity theft? Usually, the first indication is suspicious activity in a bank account or credit card account. Sometimes the first hint is when a collector tracks you down. Because the perpetrators want you to remain ignorant of what they are doing, they will often use a false address so that you do not receive notice. Under the New Jersey Identity Theft Protection Act, discussed below, businesses and agencies need to promptly report thefts of personal information. This prompt reporting will help provide you an early alert to possible trouble. This change is a major improvement. What should students do to minimize the threats? The following information is compiled from a variety of sources, cited herein or in the bibliography. Some of the ideas are my own.! Don t let others have or use your accounts. I and others have often seen clients whose problems stemmed from letting a boyfriend etc. have a PIN number, use a credit card or bank account. In one instance I know about, the husband was intercepting the mail, and opening credit card accounts in the wife s name without her knowledge. Another common scenario is co-signing a car loan or mortgage.

3 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 3! Maintain physical security of your important information. This seems obvious, but you should safeguard your driver s license and other government ID at all times. Lock desks, cabinets, and safes containing such information in your office and home. Memorize your Social Security number and do not carry your Social Security number with you in your wallet, or keep a copy of it in your wallet or purse.! Don t give away information. Never disclose your Social Security number, account number or credit card PIN numbers, birth date, driver s license number or mother s maiden name unless you initiated the transaction. On paper documents, don t include such data unless required to do so on an official application for employment, financing, or insurance. (Ask employers, schools, and financial institutions to offer alternatives.). No legitimate bank or lender will ever ask for such information over the phone, or via . IF YOU DIDN T MAKE THE CALL OR ONLINE PURCHASE, OR ISSUE THE , DON T GIVE OUT THE INFORMATION.! Protect information on your computer, and safeguard yourself when online. Author s Note: You will be talking to kids who have a surprising level of computer literacy. This information is helpful for you to have knowledge of what you are talking about, but unless, like me, you are an amateur computer geek, stay away from any technical details you do not know about. Just provide the basic warnings and confess your ignorance where appropriate. This segment is compiled from personal experience and knowledge, as well as recommendations on the cited locations.! See the FTC web site, This very valuable site contains tips on ways to safeguard yourself when you are online. OnguardOnline is a partnership between the FTC, other federal agencies, and the technology industry. The site offers advice on identity theft, phishing, spyware, spam, online shopping, and other pertinent computer topics.! Install firewalls, internet privacy and virus-detection software on your home computers to discourage hackers from tapping into your computer via the Internet. Shutting off computers when not in use is also helpful (although hackers in Eastern Europe or Russia can be expected to work around the clock). Hackers use computer programs to probe large numbers of internet addresses looking for doors that are unlocked. A firewall is nothing more than a lock. It encourages the hacker to leave you alone.

4 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 4 " More information than you need to know: Firewalls come in two types: software and hardware. The hardware firewall can be as simple and inexpensive as a cable router which is hooked up between your cable modem and your computer. Through network address translation, (the technical details of which I am ignorant), the cable router becomes the computer that a hacker sees when she probes your site, but from your side, you are able transparently to access the Internet. These routers typically have an administrative password that allows you to control how the router works. You always want to change this password from the default (usually 0000") to something else which is hard to crack. (See Use Good Passwords below). To remember the password on the few occasions you need it, you can write the password on a label on the bottom of the router! If you use a wireless network at home, make sure it is secure and shut it off when not in use. Be especially careful when using wireless connections in public places or public computers. Avoid using either for financial transactions, and if you do, be sure to log off when done.! Deal only with reputable Web sites. Check privacy and security policies of Web sites before making purchases, trading stocks, or banking online. A professional-looking Web site is no guarantee of security. Don t respond to unsolicited requests for personal information. (See phishing, below)! Use good passwords. Password-protect your bank and brokerage accounts. Create passwords at least eight characters long that use combinations of letters, punctuation and numbers. " Hints: To make them hard to crack but easy to remember, develop an acronym from a phrase you will remember, substituting 1 for a, 2 for to, 4 for for etc. (eg. to make them hard to crack! becomes 2mth2c! ). Or intentionally misspell words, use capital and lower case letters in unusual ways. " How to remember all those passwords. This is the usual reason why people use few passwords or bad ones. Quick access to passwords near the computer is what is needed. One solution is to keep a binder nearby with alphabetic dividers (with a separate sheet for each website etc, kept in alphabetic order. The tradeoff in security is obvious, but since it is not yet technically possible to hack into the

5 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 5 binder from your computer, the real problem is unauthorized people getting hold of the binder and the records in it. This is less of a concern if the binder is made to look innocuous, (ie hidden in plain sight ). Another way is to create a passwordprotected file containing a listing of all passwords and a HIGHLY secure password. The file should be given an innocuous-sounding name (Again, hidden in plain sight: don t label it passwords!) A third alternative is to use one of the software firewall or Internet Privacy packages, that maintain for you a secure location for all passwords.! Watch out for phishing and spyware. These are ways in which malicious programs get installed on your computer which then operate as conduits, feeding information about you back out over the Internet. " Phishing is done by very official-looking s that either direct you to a bogus site where you volunteer your password or other private information in the mistaken belief you are providing it to your bank or other business you deal with. Attached are copies of two recent s I received. The one from Wells Fargo (note the misspelling Forgo ) is obvious. The Ebay one (I did have an ebay account at one time) is less so. The point is that, although the text of the link looks right, where you go or what happens when you click the link has nothing to do with the label that you see. Sometimes the link takes you to a site which, upon connection, downloads a program on your computer which then steals your data or does something else equally undesireable. Author note: This is very important for kids to know. Not being as jaded and suspicious as we adults, they can easily be taken in by this type of scam. This is also something that hits them where they live. " Spyware are little programs that get installed when you go to a website, and make use of the fact that websites are supposed to communicate with and download information on your computer (eg cookies which are the reason that when you go back, the site remembers you). Mostly, these programs send out anonymous information about your consumer preferences, based on where users at your computer go on the internet. They also can bog down the computer. However, they can include keyloggers which capture the keystrokes at your computer including passwords and private information, then send these out without your knowledge.

6 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 6 Author note: I didn t really think this happened. However, I set up my software firewall to warn me whenever certain key information such as specified account numbers and Social Security numbers was leaving my computer. I was surprised when, twice, such warnings popped up at times I was not sending that information out...! Report any suspicious activity right away. Always look at your bank statements or credit card statements right away, and always question anything that does not look right. Keep your charge receipts until the credit card bill comes in. That way, if the charge is more than what you authorized, you can prove it. " Personal note. In one recent instance, a client of mine reported her car was broken into, but her wallet, with all the cash still in it, was left on the ground outside. Since nothing was stolen, she did not report the incident. However, the thieves has copied down her credit card numbers and other important information. Soon afterwards, they began a spending spree and she spent months trying to straighten things out.! Shred or destroy all unused credit cards, all credit card offers or convenience checks, and anything else with confidential information on it. A pre-approved credit card application form with your name on it could be just the ticket for a thief to steal your identity. Likewise, your credit card company may send you balance transfer or cash advance checks attached to your statement. Always shred these. The best choice is a crosscut shredder. For large volumes of paper, you should check your yellow pages for a commercial company. In some areas, local governments sponsor annual free shredder days as a public service. Before throwing out files containing Social Security numbers, account numbers, and birth dates, shred them with a cross-cut shredder. Destroy CDs or floppy disks containing sensitive data by shredding, cutting, or breaking them. Use hard-drive shredding software or remove and destroy your hard drive before discarding a computer. Just deleting files isn t enough.! Watch your credit. Order copies of credit report every year from each of the three major credit reporting agencies. Under FACTA, you are entitled to a free credit report once a year. See PRC FACTA Article! Guard mail. Information can be stolen from your mail. Consider using a locked mailbox

7 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 7 or slot, a postal mailbox, or mailing directly at the post office. Consider paying bills online as a way to avoid using the mail at all.! Guard your cards. Try not to let waiters, sales clerks, or gas-station attendants disappear from view with your credit or debit card, to avoid skimming. Crooks can use a handheld card reader to copy the information from your card s magnetic strip.! Beware strange ATMs. Avoid using private or strange-looking automated teller machines, because they may be rigged to skim data off your card s magnetic strip. Six- or seven-character PINs (personal identification numbers) are harder to crack than shorter ones, but you may not be able to use them at machines abroad. See above about good passwords.! Watch out for shoulder surfers when using pay phones or public Internet access; use your free hand to shield the keypad. Don t use cordless phones to conduct sensitive financial or medical business, because eavesdroppers on other phones and those using eavesdropping equipment may be able to overhear your conversations. What steps should be taken if one is a victim of identity theft? See Take Charge:Fighting Back against Identity Theft, FTC Website, and the New Jersey Identity Theft webpage, Copy of the Fighting Back article is attached. Below is a brief summary but the Fighting Back article is hard to beat.! Immediately file a police report. See New Jersey Identity Theft Protection Act, discussed below, and get a copy..! Immediately contact all your credit card companies, banks etc. and order an initial fraud alert good for 90 days.! Request a security freeze on your credit report. See discussion below of New Jersey Identity Theft Protection Act.! If your driver s license was stolen or the number obtained illegally, report this to the state motor vehicle agency in question.! For bank or credit accounts, ask for new PIN numbers, and replacement accounts with new numbers.

8 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 8! If you do any of this by phone, take careful note of the date, time and person you spoke to. Ask for an incident number and ask for an address, fax number and address where you can confirm your report. Then confirm each report.! Be sure to put everything in writing and keep careful records of all letters or s and any other dealings you have, especially those where the bank or lender agrees to credit your account. Set up a filing system. What Rights or Protections do consumers have?! Limitation of Liability Provisions under the federal Electronic Funds Transfer Act. Most students are going to have ATM cards, if not credit cards. They need to know about the importance of promptly reporting theft or loss of these items. The Electronic Funds Transfer Act, 15 U.S.C 1693 et seq. and regulations under it provide important protections where unauthorized use of a MAC card or other form of electronic transfer (an unauthorized electronic funds transfer ) takes place. (See footnote 3 for definition of this term) 1 a. The student s maximum loss is $50 or the amount or value obtained before the bank gets notice of the unauthorized use, or of circumstances leading to a reasonable belief the use was unauthorized.. 11 U.S.C. 1693g. except that b. If the student does not report loss or theft of a card within 2 business days after learning about it, the exposure goes up to $ Id.. 2 c. And, if the student does not report an unauthorized transfer within 60 days after the bank sends the statement on which the transfer appears, the liability is unlimited. Id. 1 Separate rules apply to billing disputes for credit cards and some credit card companies afford complete protection against loss or theft. 2 In extenuating circumstances such as extended travel or hospitalization, the 2 day deadline can be increased to a reasonable time under the circumstances.

9 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 9 d. If the student lets somone else use the card etc or her PIN number, she s out of luck Additional Rights under the New Jersey Identity Theft Protection Act, N.J.S.A. 56:11-44 et seq. On January 1, 2006, the New Jersey Identity Theft Protection Act, [ ITPA ] goes into effect. It contains several important provisions: 1. Security Freezes. All consumer credit reporting agencies CRA s must place a security freeze on the consumer report of the consumer, upon written request, within five business days. N.J.S.A. 56:11-46(b), and send the consumer written confirmation of this within five business days after placing the freeze. Id. At the same time, the CRA must gie the consumer a PIN or password to use in obtaining authorization for the release of credit information. Id. "Security freeze" means a notice placed in a consumer's consumer report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing the report or any information from it without the express authorization of the consumer, but does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report. N.J.S.A. 56: Once this happens, and until the consumer releases the freeze, the consumer has control 3 The term "unauthorized electronic fund transfer" means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit, but the term does not include any electronic fund transfer (A) initiated by a person other than the consumer who was furnished with the card, code, or other means of access to such consumer's account by such consumer, unless the consumer has notified the financial institution involved that transfers by such other person are no longer authorized, (B) initiated with fraudulent intent by the consumer or any person acting in concert with the consumer, or (C) which constitutes an error committed by a financial institution 15 U.S.C.A. 1693a(11)

10 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 10 of his/her credit report. Release of information can only be made by certified or overnight mail or secure , and by providing the PIN or password, and other information generally deemed sufficient to identify a person. N.J.S.A. 56:11-46(d). These requests must be acted on by the CRA within three business days. N.J.S.A. 56:11-46(e) While the freeze is in place, the CRA may not chiange the consumer s name, date of birth, Social Security number or address on the credit report without sending written confirmation to the consumer within 30 days. N.J.S.A. 56: Wilful violations of these provisions expose the CRA to actual damages of $100-$1000 and punitive damages plus counsel fees and costs. N.J.S.A. 56:11-38 and 56: Negligent violations expose the violator to actual damages, counsel fees and costs. Id. This is in addition to remedies available under previous enactments for obtaining a consumer report under false pretenses or knowingly without a permissible purpose Police must take police reports of identity theft. Local law enforcement agencies must take any complaint of identity theft and provide the complainant a copy of the complaint, even though jurisdiction may lie elsewhere for investigation and prosecution of the crime. N.J.S.A. 2C: (a). This is intended to prevent these agencies from refusing to take such complaints as a civil matter. 3. Prompt disclosure to consumers of any breach of security involving personal information. Under N.J.S.A. 56:8-161 to 166, Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. N.J.S.A. 56:8-163(a). This must be done in the most expedient time possible and without unreasonable delay subject to certain limitations. Id. A report must be made to law enforcement authorities before the report to consumers. N.J.S.A. 56:8-163(b). Protected personal information includes an 4 Under N.J.S.A. 56:11-38., any natural person who obtains a consumer report under false pretenses or knowingly without a permissible purposes may be held liable for actual damages or $1000, whichever is greater, plus punitive damages and counsel fees and costs.

11 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 11 individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. N.J.S.A. 56: All records of personal information must be destroyed when no longer in use. N.J.S.A. 56: Prohibited posting or display of Social Security numbers. Under N.J.S.A. 56:8-164, no person, business or public agency may do any of the following, except as required by other State or federal law: (1) Publicly post or display... any four or more consecutive numbers taken from an individual's Social Security number; (2) Print an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed; (3) Print an individual's Social Security number on any card required for the individual to access products or services provided by the entity; (4) Intentionally communicate or otherwise make available to the general public an individual's Social Security number; (5) Require an individual to transmit his Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; or (6) Require an individual to use his Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site. 6. Consumer Fraud Remedies. Violations of the provisions concerning reporting security breaches, non-disclosure of Social Security numbers, and requirements to destroy records containing personal information are treated as violations of the Consumer Fraud Act, which Act provides for treble damages and counsel fees. N.J.S.A. 56:8-166.

12 Briefing Paper on Identity Theft and Related Topics for Volunteer Presenters of the New Jersey Bankruptcy Law Foundation & HESAA Joint Financial Literacy Project By: Steven R. Neuner Esq. Dated: December 19, 2005 Page 12 BIBLIOGRAPHY and SOURCES CU and ConsumerReports -Consumer Union of U.S. Inc. See the August 2005 issue of Consumer Reports for articles on Credit Scores. These resources are available for subscribers to ConsumerReports.org their online resource. I have consulted the following articles: November 2004: Guarding your credit record October 2003: Stop thieves from stealing you FICO - Fair Isaac Corporation. Website, Site contains lots of information and financial calculators which demonstrate the costs of bad credit. FACTA - The Fair and Accurate Credit Transaction Act of 2003, Pub. L , which added new sections to the federal Fair Credit Reporting Act, 15 U.S.C et seq. I relied on the excellent article, attached hereto, from PRC entitled FACTA, The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some Privacy Rights Clearinghouse or PRC - a non-profit organization based in San Diego California. Website: PRC FACTA Article Privacy Rights Clearninghouse, FACTA, The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some, 2005, available online at FTC Take Charge Take Charge: Fighting Back Against Identity Theft

13 Attachment A: Sample phishing s

14 Page 1 of 1 Dear Wells Forgo customer, We recently reviewed your account, and suspect that your wellsfargo account account may have been accessed by an unauthorized third party. Protecting the security of your account and of the wellsfargo network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features. To restore your account access, please take the following steps to ensure that your account has not been compromised: 1. Login to your wellsfargo account. In case you are not enrolled yet for Internet Banking, you will have to use your Social Security Number as both your Personal ID and Password and fill in the required information, including your name and account number. 2. Review your recent account history for any unauthorized withdrawals or deposits, and check your account profile to make sure no changes have been made. If any unauthorized activity has taken place on your account, report to wells fargo immediately. To get started, please click the link below: We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire Wells Fargo system. Thank your for your prompt attention to this matter. Sincerely, Wells Fargo Team. Please do not reply to this . Mails sent to this address cannot be answered. For assistance, log in to your wellsfargo account and choose the "Help" link in the header of any page. Start your day with Yahoo! - make it your home page

15 PayPal about:blank Page 1 of 1 12/5/2005 PayPal Security Measures! We are contacting you to remind you that: on 3 December 2005 our Account Review Team identified some unusual activity in your account, one or more attempts to log in to your PayPal account from a foreign IP address. IP Address Time Country December 2, :05: PDT Poland December 2, :07: PDT Poland December 3, :13: PDT Romania December 3, :28: PDT Romania December 3, :33: PDT Romania In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved. To secure your account and quickly restore full access, we may require some additional information from you. To securely confirm your PayPal information please go directly to log in to your PayPal account and perform the steps necessary to restore your account access as soon as possible or click bellow: To continue your verification procedure click here Thank you for using PayPal! The PayPal Team Please do not reply to this . Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page. To receive notifications in plain text instead of HTML, update your preferences here.

16 Attachment B: Stop-Think-Click, Seven Practices for Safer Computing OnGuardOnline.gov

17 STOP THINK CLICK Seven Practices for Safer Computing Access to information and entertainment, credit and financial services, products from every corner of the world even to your work is greater than earlier generations could ever have imagined. Thanks to the Internet, you can order books, clothes, or appliances online; reserve a hotel room across the ocean; download music and games; check your bank balance 24 hours a day; or access your workplace from thousands of miles away. The flip-side, however, is that the Internet and the anonymity it affords also can give online scammers, hackers, and identity thieves access to your computer, personal information, finances, and more. But with awareness as your safety net, you can minimize the chance of an Internet mishap. Being on guard online helps you protect your information, your computer, even yourself. To be safer and more secure online, adopt these seven practices. 1. Protect your personal information. It s valuable. Why? To an identity thief, your personal information can provide instant access to your financial accounts, your credit record, and other assets. If you think no one would be interested in your personal information, think again. The reality is that anyone can be a victim of identity theft. In fact, according to a Federal Trade Commission survey, there are almost 10 million victims every year. It s often difficult to know how thieves obtained their victims personal information, and while it definitely can happen offline, some cases start when online data is stolen. Visit to learn what to do if your identity is stolen. Unfortunately, when it comes to crimes like identity theft, you can t entirely control whether you will become a victim. But following these tips can help minimize your risk while you re online: If you re asked for your personal information your name, or home address, phone number, account numbers, or Social Security number find out how it s going to be used and how it will be protected before you share it. If you have children, teach them to not give out your last name, your home address, or your phone number on the Internet. If you get an or pop-up message asking for personal information, don t reply or click on the link in the message. The safest course of action is not to respond to requests for your personal or financial information. If you believe there may be a need for such information by a company with whom you have an account or placed an order, contact that company directly in a way you know to be genuine. In any case, don t send your personal information via because is not a secure transmission method. OnGuardOnline.gov

18 STOP THINK CLICK If you are shopping online, don t provide your personal or financial information through a company s website until have checked for indicators that the site is secure, like a lock icon on the browser s status bar or a website URL that begins https: (the s stands for secure ). Unfortunately, no indicator is foolproof; some scammers have forged security icons. Read website privacy policies. They should explain what personal information the website collects, how the information is used, and whether it is provided to third parties. The privacy policy also should tell you whether you have the right to see what information the website has about you and what security measures the company takes to protect your information. If you don t see a privacy policy or if you can t understand it consider doing business elsewhere. 2. Know who you re dealing with. And know what you re getting into. There are dishonest people in the bricks and mortar world and on the Internet. But online, you can t judge an operator s trustworthiness with a gut-affirming look in the eye. It s remarkably simple for online scammers to impersonate a legitimate business, so you need to know whom you re dealing with. If you re shopping online, check out the seller before you buy. A legitimate business or individual seller should give you a physical address and a working telephone number at which they can be contacted in case you have problems. Phishing: Bait or Prey? We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity. Phishers send spam or pop-up messages claiming to be from a business or organization that you might deal with for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. The message usually says that you need to update or validate your account information. It might threaten some dire consequence if you don t respond. The message directs you to a website that looks just like a legitimate organization s, but isn t. The purpose of the bogus site? To trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name. Don t take the bait: never reply to or click on links in or pop-ups that ask for personal information. Legitimate companies don t ask for this information via . If you are directed to a website to update your information, verify that the site is legitimate by calling the company directly, using contact information from your account statements. Or open a new browser window and type the URL into the address field, watching that the actual URL of the site you visit doesn t change and is still the one you intended to visit. Forward spam that is phishing for information to [email protected] and to the company, bank, or organization impersonated in the phishing . Most organizations have information on their websites about where to report problems. OnGuardOnline.gov

19 STOP THINK CLICK Free Software and File-Sharing: Worth the hidden costs? Every day, millions of computer users share files online. File-sharing can give people access to a wealth of information, including music, games, and software. How does it work? You download special software that connects your computer to an informal network of other computers running the same software. Millions of users could be connected to each other through this software at one time. Often the software is free and easily accessible. But file-sharing can have a number of risks. If you don t check the proper settings, you could allow access not just to the files you intend to share, but also to other information on your hard drive, like your tax returns, messages, medical records, photos, or other personal documents. In addition, you may unwittingly download pornography labeled as something else. Or you may download material that is protected by the copyright laws, which would mean you could be breaking the law. If you decide to use file-sharing software, set it up very carefully. Take the time to read the End User Licensing Agreement to be sure you understand and are willing to tolerate the side effects of any free downloads. Spyware Many free downloads whether from peers or businesses come with potentially undesirable side effects. Spyware is software installed without your knowledge or consent that adversely affects your ability to use your computer, sometimes by monitoring or controlling how you use it. To avoid spyware, resist the urge to install any software unless you know exactly what it is. Your anti-virus software may include anti-spyware capability that you can activate, but if it doesn t, you can install separate anti-spyware software, and then use it regularly to scan for and delete any spyware programs that may sneak onto your computer. attachments and links: Legitimate or virus-laden? Most viruses sent over or Instant Messenger won t damage your computer without your participation. For example, you would have to open an or attachment that includes a virus or follow a link to a site that is programmed to infect your computer. So hackers often lie to get you to open the attachment or click on a link. Some virus-laden s appear to come from a friend or colleague; some have an appealing file name, like Fwd: FUNNY or Per your request! ; others promise to clean a virus off your computer if you open it or follow the link. Don t open an or attachment even if it appears to be from a friend or coworker unless you are expecting it or know what it contains. You can help others trust your attachments by including a text message explaining what you re attaching. OnGuardOnline.gov

20 STOP THINK CLICK 3. Use anti-virus software and a firewall, and update both regularly. Dealing with anti-virus and firewall protection may sound about as exciting as flossing your teeth, but it s just as important as a preventive measure. Having intense dental treatment is never fun; neither is dealing with the effects of a preventable computer virus. Anti-virus Software Anti-virus software protects your computer from viruses that can destroy your data, slow your computer s performance, cause a crash, or even allow spammers to send through your account. It works by scanning your computer and your incoming for viruses, and then deleting them. To be effective, your anti-virus software should update routinely with antidotes to the latest bugs circulating through the Internet. Most commercial anti-virus software includes a feature to download updates automatically when you are on the Internet. WHAT TO LOOK FOR AND WHERE TO GET IT You can download anti-virus software from the websites of software companies or buy it in retail stores. Look for anti-virus software that: Recognizes current viruses, as well as older ones. Effectively reverses the damage. Updates automatically. Firewalls Don t be put off by the word firewall. It s not necessary to fully understand how it works; it s enough to know what it does and why you need it. Firewalls help keep hackers from using your computer to send out your personal information without your permission. While anti-virus software scans incoming and files, a firewall is like a guard, watching for outside attempts to access your system and blocking communications to and from sources you don t permit. Some operating systems and hardware devices come with a built-in firewall that may be shipped in the off mode. Make sure you turn it on. For your firewall to be effective, it needs to be set up properly and updated regularly. Check your online Help feature for specific instructions. If your operating system doesn t include a firewall, get a separate software firewall that runs in the background while you work, or install a hardware firewall an external device that includes firewall software. Several free firewall software programs are available on the Internet. OnGuardOnline.gov

21 STOP THINK CLICK ZOMBIE DRONES Some spammers search the Internet for unprotected computers they can control and use anonymously to send unwanted spam s. If you don t have up-to-date anti-virus protection and a firewall, spammers may try to install software that lets them route through your computer, often to thousands of recipients, so that it appears to have come from your account. If this happens, you may receive an overwhelming number of complaints from recipients, and your account could be shut down by your Internet Service Provider (ISP). 4. Be sure to set up your operating system and Web browser software properly, and update them regularly. Hackers also take advantage of Web browsers (like Internet Explorer or Netscape) and operating system software (like Windows or Linux) that are unsecured. Lessen your risk by changing the settings in your browser or operating system and increasing your online security. Check the Tools or Options menus for built-in security features. If you need help understanding your choices, use your Help function. Your operating system also may offer free software patches that close holes in the system that hackers could exploit. In fact, some common operating systems can be set to automatically retrieve and install patches for you. If your system does not do this, bookmark the website for your system s manufacturer so you can regularly visit and update your system with defenses against the latest attacks. Updating can be as simple as one click. Your software may help you avoid viruses by giving you the ability to filter certain types of spam. It s up to you to activate the filter. If you re not using your computer for an extended period, turn it off or unplug it from the phone or cable line. When it s off, the computer doesn t send or receive information from the Internet and isn t vulnerable to hackers. 5. Protect your passwords. Keep your passwords in a secure place, and out of plain view. Don t share your passwords on the Internet, over , or on the phone. Your Internet Service Provider (ISP) should never ask for your password. In addition, hackers may try to figure out your passwords to gain access to your computer. You can make it tougher for them by: Using passwords that have at least eight characters and include numbers or symbols. OnGuardOnline.gov

22 STOP THINK CLICK Avoiding common words: some hackers use programs that can try every word in the dictionary. Not using your personal information, your login name, or adjacent keys on the keyboard as passwords. Changing your passwords regularly (at a minimum, every 90 days). Not using the same password for each online account you access. One way to create a strong password is to think of a memorable phrase and use the first letter of each word as your password, converting some letters into numbers that resemble letters. For example, How much wood could a woodchuck chuck would become HmWc@wcC. 6. Back up important files. If you follow these tips, you re more likely to be more secure online, free of interference from hackers, viruses, and spammers. But no system is completely secure. If you have important files stored on your computer, copy them onto a removable disc, and store them in a safe place. 7. Learn who to contact if something goes wrong online Hacking or Computer Virus If your computer gets hacked or infected by a virus: Immediately unplug the phone or cable line from your machine. Then scan your entire computer with fully updated anti-virus software, and update your firewall. Take steps to minimize the chances of another incident. Alert the appropriate authorities by contacting: º your ISP and the hacker s ISP (if you can tell what it is). You can usually find an ISP s address on its website. Include information on the incident from your firewall s log file. By alerting the ISP to the problem on its system, you can help it prevent similar problems in the future. º the FBI at To fight computer criminals, they need to hear from you. OnGuardOnline.gov

23 STOP THINK CLICK Internet fraud If a scammer takes advantage of you through an Internet auction, when you re shopping online, or in any other way, report it to the Federal Trade Commission, at ftc.gov. The FTC enters Internet, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad. Deceptive Spam If you get deceptive spam, including phishing for your information, forward it to [email protected]. Be sure to include the full header of the , including all routing information. You also may report phishing to [email protected]. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing. Divulged Personal Information If you believe you have mistakenly given your personal information to a fraudster, file a complaint at ftc.gov, and then visit the Federal Trade Commission s Identity Theft website at to learn how to minimize your risk of damage from a potential theft of your identity. PARENTS Parental controls are provided by most ISPs, or are sold as separate software. Remember that no software can substitute for parental supervision. Talk to your kids about safe computing practices, as well as the things they re seeing and doing online. OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. September 2005 OnGuardOnline.gov

24 Take Charge: Fighting Back Against Identity Theft Page 1 of 18 Search: GO HOME CONSUMERS BUSINESSES NEWSROOM FORMAL ANTITRUST CONGRESSIONAL ECONOMIC LEGAL Privacy Policy About FTC Commissioners File a Complaint HSR FOIA IG Office En Español Facts for Consumers PDF Version Take Charge: Fighting Back Against Identity Theft (formerly: "ID Theft: When Bad Things Happen to Your Good Name") To Print: Use File/Page Setup in your browser to set page margins to zero or your printer's minimum margin settings. TABLE OF CONTENTS INTRODUCTION HOW IDENTITY THEFT OCCURS STAYING ALERT Getting Your Credit Report If Your Personal Information Has Been Lost or Stolen IDENTITY THEFT VICTIMS: IMMEDIATE STEPS Placing Fraud Alerts on Your Credit Report Closing Accounts Filing a Police Report Filing a Complaint with the Federal Trade Commission The Identity Theft Report Tips For Organizing Your Case Chart Your Course of Action RESOLVING SPECIFIC PROBLEMS Bank Accounts and Fraudulent Withdrawals Bankruptcy Fraud Correcting Fraudulent Information in Credit Reports Credit Cards Criminal Violations Debt Collectors Driver's License Investment Fraud Mail Theft Passport Fraud Phone Fraud Social Security Number Misuse Student Loans Tax Fraud MINIMIZING RECURRENCES What To Do Today Maintaining Vigilance A Special Word About Social Security Numbers The Doors and Windows are Locked, But... APPENDIX It's the Law Federal State Instructions for Completing the ID Theft Affidavit The ID Theft Affidavit Annual Credit Report Request Form The FTC's Privacy Policy INTRODUCTION In the course of a busy day, you may write a check at the grocery store, charge tickets to a ball game, rent a car, mail your tax returns, change service providers for your cell phone, or apply for a credit card. Chances are you don't give these everyday transactions a second thought. But an identity thief does.

25 Take Charge: Fighting Back Against Identity Theft Page 2 of 18 Identity theft is a serious crime. People whose identities have been stolen can spend months or years and thousands of dollars cleaning up the mess the thieves have made of a good name and credit record. In the meantime, victims of identity theft may lose job opportunities, be refused loans for education, housing, or cars, and even get arrested for crimes they didn't commit. Humiliation, anger, and frustration are among the feelings victims experience as they navigate the process of rescuing their identity. Working with other government agencies and organizations, the Federal Trade Commission (FTC) has produced this booklet to help you remedy the effects of an identity theft. It describes what steps to take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch for in the future. HOW IDENTITY THEFT OCCURS I first was notified that someone had used my Social Security number for their taxes in February I also found out that this person opened a checking account, cable and utility accounts, and a cell phone account in my name. I'm still trying to clear up everything and just received my income tax refund after waiting four to five months. Trying to work and get all this cleared up is very stressful. From a consumer's complaint to the FTC, July 9, 2004 Despite your best efforts to manage the flow of your personal information or to keep it to yourself, skilled identity thieves may use a variety of methods to gain access to your data. How identity thieves get your personal information: They get information from businesses or other institutions by: stealing records or information while they're on the job bribing an employee who has access to these records hacking these records conning information out of employees They may steal your mail, including bank and credit card statements, credit card offers, new checks, and tax information. They may rummage through your trash, the trash of businesses, or public trash dumps in a practice known as "dumpster diving." They may get your credit reports by abusing their employer's authorized access to them, or by posing as a landlord, employer, or someone else who may have a legal right to access your report. They may steal your credit or debit card numbers by capturing the information in a data storage device in a practice known as "skimming." They may swipe your card for an actual purchase, or attach the device to an ATM machine where you may enter or swipe your card. They may steal your wallet or purse. They may complete a "change of address form" to divert your mail to another location. They may steal personal information they find in your home. They may steal personal information from you through or phone by posing as legitimate companies and claiming that you have a problem with your account. This practice is known as "phishing" online, or pretexting by phone. How identity thieves use your personal information: They may call your credit card issuer to change the billing address on your credit card account. The imposter then runs up charges on your account. Because your bills are being sent to a different address, it may be some time before you realize there's a problem. They may open new credit card accounts in your name. When they use the credit cards and don't pay the bills, the delinquent accounts are reported on your credit report. They may establish phone or wireless service in your name. They may open a bank account in your name and write bad checks on that account. They may counterfeit checks or credit or debit cards, or authorize electronic transfers in your name, and drain your bank account. They may file for bankruptcy under your name to avoid paying debts they've incurred under your name, or to avoid eviction. They may buy a car by taking out an auto loan in your name. They may get identification such as a driver's license issued with their picture, in your name. They may get a job or file fraudulent tax returns in your name. They may give your name to the police during an arrest. If they don't show up for their court date, a warrant for arrest is issued in your name.

26 Take Charge: Fighting Back Against Identity Theft Page 3 of 18 If Your Personal Information Has Been Lost or Stolen If you've lost personal information or identification, or if it has been stolen from you, taking certain steps quickly can minimize the potential for identity theft. Financial accounts: Close accounts, like credit cards and bank accounts, immediately. When you open new accounts, place passwords on them. Avoid using your mother's maiden name, your birth date, the last four digits of your Social Security number (SSN) or your phone number, or a series of consecutive numbers. Social Security number: Call the toll-free fraud number of any of the three nationwide consumer reporting companies and place an initial fraud alert on your credit reports. An alert can help stop someone from opening new credit accounts in your name. See consumer reporting company contact information. For more information about fraud alerts, see the Fraud Alerts box. Driver's license/other government-issued identification: Contact the agency that issued the license or other identification document. Follow its procedures to cancel the document and to get a replacement. Ask the agency to flag your file so that no one else can get a license or any other identification document from them in your name. Once you've taken these precautions, watch for signs that your information is being misused. See STAYING ALERT. If your information has been misused, file a report about the theft with the police, and file a complaint with the Federal Trade Commission, as well. If another crime was committed for example, if your purse or wallet was stolen or your house or car was broken into report it to the police immediately. IDENTITY THEFT VICTIMS: IMMEDIATE STEPS If you are a victim of identity theft, take the following four steps as soon as possible, and keep a record with the details of your conversations and copies of all correspondence. 1. Place a fraud alert on your credit reports, and review your credit reports. Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number of any of the three consumer reporting companies below to place a fraud alert on your credit report. You only need to contact one of the three companies to place an alert. The company you call is required to contact the other two, which will place an alert on their versions of your report, too. Equifax: ; P.O. Box , Atlanta, GA Experian: EXPERIAN ( ); P.O. Box 9532, Allen, TX TransUnion: ; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA Once you place the fraud alert in your file, you're entitled to order free copies of your credit reports, and, if you ask, only the last four digits of your SSN will appear on your credit reports.once you get your credit reports, review them carefully. Look for inquiries from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain. Check that information, like your SSN, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate information, get it removed. See Correcting Credit Reports to learn how. Continue to check your credit reports periodically, especially for the first year after you discover the identity theft, to make sure no new fraudulent activity has occurred. Fraud Alerts There are two types of fraud alerts: an initial alert, and an extended alert. An initial alert stays on your credit report for at least 90 days. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial alert is appropriate if your wallet has been stolen or if you've been taken in by a "phishing" scam. When you place an initial fraud alert on your credit report, you're entitled to one free credit report from each of the three nationwide consumer reporting companies. An extended alert stays on your credit report for seven years. You can have an extended alert placed on your credit report if you've been a victim of identity theft and you provide the consumer reporting company with an "identity theft report." When you place an extended alert on your credit report, you're entitled to two free credit reports within twelve months from each of the three nationwide consumer reporting

27 Take Charge: Fighting Back Against Identity Theft Page 4 of 18 companies. In addition, the consumer reporting companies will remove your name from marketing lists for pre-screened credit offers for five years unless you ask them to put your name back on the list before then. To place either of these alerts on your credit report, or to have them removed, you will be required to provide appropriate proof of your identity: that may include your SSN, name, address and other personal information requested by the consumer reporting company. When a business sees the alert on your credit report, they must verify your identity before issuing you credit. As part of this verification process, the business may try to contact you directly. This may cause some delays if you're trying to obtain credit. To compensate for possible delays, you may wish to include a cell phone number, where you can be reached easily, in your alert. Remember to keep all contact information in your alert current. 2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently. Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. It's important to notify credit card companies and banks in writing. Send your letters by certified mail, return receipt requested, so you can document what the company received and when. Keep a file of your correspondence and enclosures. When you open new accounts, use new Personal Identification Numbers (PINs) and passwords. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers. If the identity thief has made charges or debits on your accounts, or on fraudulently opened accounts, ask the company for the forms to dispute those transactions: For charges and debits on existing accounts, ask the representative to send you the company's fraud dispute forms. If the company doesn't have special forms, use the sample letter to dispute the fraudulent charges or debits. In either case, write to the company at the address given for "billing inquiries," NOT the address for sending your payments. For new unauthorized accounts, ask if the company accepts the ID Theft Affidavit. If not, ask the representative to send you the company's fraud dispute forms. If the company already has reported these accounts or debts on your credit report, dispute this fraudulent information. See Correcting Credit Reports to learn how. Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and has discharged the fraudulent debts. This letter is your best proof if errors relating to this account reappear on your credit report or you are contacted again about the fraudulent debt. Proving You're a Victim Applications or other transaction records related to the theft of your identity may help you prove that you are a victim. For example, you may be able to show that the signature on an application is not yours. These documents also may contain information about the identity thief that is valuable to law enforcement. By law, companies must give you a copy of the application or other business transaction records relating to your identity theft if you submit your request in writing. Be sure to ask the company representative where you should mail your request. Companies must provide these records at no charge to you within 30 days of receipt of your request and your supporting documents. You also may give permission to any law enforcement agency to get these records, or ask in your written request that a copy of these records be sent to a particular law enforcement officer. The company can ask you for: proof of your identity. This may be a photocopy of a government-issued ID card, the same type of information the identity thief used to open or access the account, or the type of information the company usually requests from applicants or customers, and a police report and a completed affidavit, which may be the Identity Theft Affidavit or the company's own affidavit. 3. File a report with your local police or the police in the community where the identity theft took place.

28 Take Charge: Fighting Back Against Identity Theft Page 5 of 18 Then, get a copy of the police report or at the very least, the number of the report. It can help you deal with creditors who need proof of the crime. If the police are reluctant to take your report, ask to file a "Miscellaneous Incidents" report, or try another jurisdiction, like your state police. You also can check with your state Attorney General's office to find out if state law requires the police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check for a list of state Attorneys General. 4. File a complaint with the Federal Trade Commission. By sharing your identity theft complaint with the FTC, you will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them. The FTC can refer victims' complaints to other government agencies and companies for further action, as well as investigate companies for violations of laws the agency enforces. You can file a complaint online at If you don't have Internet access, call the FTC's Identity Theft Hotline, toll-free: IDTHEFT ( ); TTY: ; or write: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC Be sure to call the Hotline to update your complaint if you have any additional information or problems. The Identity Theft Report An identity theft report may have two parts: Part One is a copy of a report filed with a local, state, or federal law enforcement agency, like your local police department, your State Attorney General, the FBI, the U.S. Secret Service, the FTC, and the U.S. Postal Inspection Service. There is no federal law requiring a federal agency to take a report about identity theft; however, some state laws require local police departments to take reports. When you file a report, provide as much information as you can about the crime, including anything you know about the dates of the identity theft, the fraudulent accounts opened and the alleged identity thief. Note: Knowingly submitting false information could subject you to criminal prosecution for perjury. Part Two of an identity theft report depends on the policies of the consumer reporting company and the information provider (the business that sent the information to the consumer reporting company). That is, they may ask you to provide information or documentation in addition to that included in the law enforcement report which is reasonably intended to verify your identity theft. They must make their request within 15 days of receiving your law enforcement report, or, if you already obtained an extended fraud alert on your credit report, the date you submit your request to the credit reporting company for information blocking. The consumer reporting company and information provider then have 15 more days to work with you to make sure your identity theft report contains everything they need. They are entitled to take five days to review any information you give them. For example, if you give them information 11 days after they request it, they do not have to make a final decision until 16 days after they asked you for that information. If you give them any information after the 15-day deadline, they can reject your identity theft report as incomplete; you will have to resubmit your identity theft report with the correct information. You may find that most federal and state agencies, and some local police departments, offer only "automated" reports a report that does not require a face-to-face meeting with a law enforcement officer. Automated reports may be submitted online, or by telephone or mail. If you have a choice, do not use an automated report. The reason? It's more difficult for the consumer reporting company or information provider to verify the information. Unless you are asking a consumer reporting company to place an extended fraud alert on your credit report, you probably will have to provide additional information or documentation when you use an automated report. Tips For Organizing Your Case Accurate and complete records will help you to resolve your identity theft case more quickly. Have a plan when you contact a company. Don't assume that the person you talk to will give you all the information or help you need. Prepare a list of questions to ask the representative, as well as information about your identity theft. Don't end the call until you're sure you understand everything you've been told. If you need more help, ask to speak to a supervisor. Write down the name of everyone you talk to, what he or she tells you, and the date the conversation occurred. Use Chart Your Course of Action to help you. Follow up in writing with all contacts you've made on the phone or in person. Use certified mail, return receipt requested, so you can document what the company or organization received and when. Keep copies of all correspondence or forms you send. Keep the originals of supporting documents, like police reports and letters to and from creditors; send copies

29 Take Charge: Fighting Back Against Identity Theft Page 6 of 18 only. Set up a filing system for easy access to your paperwork. Keep old files even if you believe your case is closed. Once resolved, most cases stay resolved, but problems can crop up. Chart Your Course of Action [PDF version of form] Use this form to record the steps you've taken to report the fraudulent use of your identity. Keep this list in a safe place for reference. Nationwide Consumer Reporting Companies - Report Fraud Consumer Reporting Company Phone Number Date Contacted Contact Person Comments Equifax Experian EXPERIAN ( ) TransUnion Banks, Credit Card Issuers and Other Creditors (Contact each creditor promptly to protect your legal rights.) Creditor Address and Phone Number Date Contacted Contact Person Comments Law Enforcement Authorities - Report Identity Theft Agency/Department Phone Number Date Contacted Contact Person Report Number Comments

30 Take Charge: Fighting Back Against Identity Theft Page 7 of 18 RESOLVING SPECIFIC PROBLEMS I received a copy of my credit report and saw about a half a dozen items that I didn't know anything about. It's affected my credit rating so badly that I couldn't get a student loan. I didn't realize there was a problem until my student loan application was denied. From a consumer's complaint to the FTC, May 25, 2004 While dealing with problems resulting from identity theft can be time-consuming and frustrating, most victims can resolve their cases by being assertive, organized, and knowledgeable about their legal rights. Some laws require you to notify companies within specific time periods. Don't delay in contacting any companies to deal with these problems, and ask for supervisors if you need more help than you're getting. Bank Accounts and Fraudulent Withdrawals Different laws determine your legal remedies based on the type of bank fraud you have suffered. For example, state laws protect you against fraud committed by a thief using paper documents, like stolen or counterfeit checks. But if the thief used an electronic fund transfer, federal law applies. Many transactions may seem to be processed electronically but are still considered "paper" transactions. If you're not sure what type of transaction the thief used to commit the fraud, ask the financial institution that processed the transaction. Fraudulent Electronic Withdrawals The Electronic Fund Transfer Act provides consumer protections for transactions involving an ATM or debit card, or another electronic way to debit or credit an account. It also limits your liability for unauthorized electronic fund transfers. You have 60 days from the date your bank account statement is sent to you to report in writing any money withdrawn from your account without your permission. This includes instances when your ATM or debit card is "skimmed" that is, when a thief captures your account number and PIN without your card having been lost or stolen. If your ATM or debit card is lost or stolen, report it immediately because the amount you can be held responsible for depends on how quickly you report the loss. If you report the loss or theft within two business days of discovery, your losses are limited to $50. If you report the loss or theft after two business days, but within 60 days after the unauthorized electronic fund transfer appears on your statement, you could lose up to $500 of what the thief withdraws. If you wait more than 60 days to report the loss or theft, you could lose all the money that was taken from your account after the end of the 60 days. Note: VISA and MasterCard voluntarily have agreed to limit consumers' liability for unauthorized use of their debit cards in most instances to $50 per card, no matter how much time has elapsed since the discovery of the loss or theft of the card. The best way to protect yourself in the event of an error or fraudulent transaction is to call the financial institution and follow up in writing by certified letter, return receipt requested so you can prove when the institution received your letter. Keep a copy of the letter you send for your records. After receiving your notification about an error on your statement, the institution generally has 10 business days to investigate. The institution must tell you the results of its investigation within three business days after completing it and must correct an error within one business day after determining that it occurred. If the institution needs more time, it may take up to 45 days to complete the investigation but only if the money in dispute is returned to your account and you are notified promptly of the credit. At the end of the investigation, if no error has been found, the institution may take the money back if it sends you a written explanation. For more information, see Electronic Banking and Credit, ATM and Debit Cards: What To Do If They're Lost or Stolen. Fraudulent Checks and Other "Paper" Transactions In general, if an identity thief steals your checks or counterfeits checks from your existing bank account, stop payment, close the account, and ask your bank to notify Chex Systems, Inc. or the check verification service with which it does business. That way, retailers can be notified not to accept these checks. While no federal law limits your losses if someone uses your checks with a forged signature, or uses another type of "paper" transaction such as a demand draft, state laws may protect you. Most states hold the bank responsible for losses from such transactions. At the same time, most states require you to take reasonable care of your account. For example, you may be held responsible for the forgery if you fail to notify the bank in a timely manner that a check was lost or stolen. Contact your state banking or consumer protection agency for more information. You can contact major check verification companies directly for the following services:

31 Take Charge: Fighting Back Against Identity Theft Page 8 of 18 To request that they notify retailers who use their databases not to accept your checks, call: TeleCheck at or Certegy, Inc. (previously Equifax Check Systems) at To find out if the identity thief has been passing bad checks in your name, call: SCAN: If your checks are rejected by a merchant, it may be because an identity thief is using the Magnetic Information Character Recognition (MICR) code (the numbers at the bottom of checks), your driver's license number, or another identification number. The merchant who rejects your check should give you its check verification company contact information so you can find out what information the thief is using. If you find that the thief is using your MICR code, ask your bank to close your checking account, and open a new one. If you discover that the thief is using your driver's license number or some other identification number, work with your DMV or other identification issuing agency to get new identification with new numbers. Once you have taken the appropriate steps, your checks should be accepted. Note: The check verification company may or may not remove the information about the MICR code or the driver's license/identification number from its database because this information may help prevent the thief from continuing to commit fraud. If the checks are being passed on a new account, contact the bank to close the account. Also contact Chex Systems, Inc., to review your consumer report to make sure that no other bank accounts have been opened in your name. Dispute any bad checks passed in your name with merchants so they don't start any collections actions against you. Fraudulent New Accounts If you have trouble opening a new checking account, it may be because an identity thief has been opening accounts in your name. Chex Systems, Inc., produces consumer reports specifically about checking accounts, and as a consumer reporting company, is subject to the Fair Credit Reporting Act. You can request a free copy of your consumer report by contacting Chex Systems, Inc. If you find inaccurate information on your consumer report, follow the procedures under Correcting Credit Reports to dispute it. Contact each of the banks where account inquiries were made, too. This will help ensure that any fraudulently opened accounts are closed. Chex Systems, Inc.: ; Fax: Chex Systems, Inc. Attn: Consumer Relations 7805 Hudson Road, Suite 100 Woodbury, MN Where to Find Help If you have trouble getting a financial institution to help you resolve your banking-related identity theft problems, including problems with bank-issued credit cards, contact the agency that oversees your bank (see list below). If you're not sure which of these agencies is the right one, call your bank or visit the National Information Center of the Federal Reserve System at and click on "Institution Search." Federal Deposit Insurance Corporation (FDIC) The FDIC supervises state-chartered banks that are not members of the Federal Reserve System, and insures deposits at banks and savings and loans. Call the FDIC Consumer Call Center toll-free: ; or write: Federal Deposit Insurance Corporation, Division of Compliance and Consumer Affairs, th Street, NW, Washington, DC FDIC publications: Classic Cons... And How to Counter Them A Crook Has Drained Your Account. Who Pays? Your Wallet: A Loser's Manual Federal Reserve System (Fed)

32 Take Charge: Fighting Back Against Identity Theft Page 9 of 18 The Fed supervises state-chartered banks that are members of the Federal Reserve System. Call: ; or write: Division of Consumer and Community Affairs, Mail Stop 801, Federal Reserve Board, Washington, DC 20551; or contact the Federal Reserve Bank in your area. The Reserve Banks are located in Boston, New York, Philadelphia, Cleveland, Richmond, Atlanta, Chicago, St. Louis, Minneapolis, Kansas City, Dallas, and San Francisco. National Credit Union Administration (NCUA) The NCUA charters and supervises federal credit unions and insures deposits at federal credit unions and many state credit unions. Call: ; or write: Compliance Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, VA Office of the Comptroller of the Currency (OCC) The OCC charters and supervises national banks. If the word "national" appears in the name of a bank, or the initials "N.A." follow its name, the OCC oversees its operations. Call toll-free: (business days 9:00 a.m. to 4:00 p.m. CST); fax: ; or write: Customer Assistance Group, 1301 McKinney Street, Suite 3710, Houston, TX OCC publications: Check Fraud: A Guide to Avoiding Losses How to Avoid Becoming a Victim of Identity Theft Identity Theft and Pretext Calling Advisory Letter Office of Thrift Supervision (OTS) The OTS is the primary regulator of all federal, and many state-chartered, thrift institutions, including savings banks and savings and loan institutions. Call: ; or write: Office of Thrift Supervision, 1700 G Street, NW, Washington, DC Bankruptcy Fraud U. S. Trustee (UST) If you believe someone has filed for bankruptcy in your name, write to the U.S. Trustee in the region where the bankruptcy was filed. A list of the U.S. Trustee Programs' Regional Offices is available on the UST website, or check the Blue Pages of your phone book under U.S. Government Bankruptcy Administration. In your letter, describe the situation and provide proof of your identity. The U.S. Trustee will make a criminal referral to law enforcement authorities if you provide appropriate documentation to substantiate your claim. You also may want to file a complaint with the U.S. Attorney and/or the FBI in the city where the bankruptcy was filed. The U.S. Trustee does not provide legal representation, legal advice, or referrals to lawyers. That means you may need to hire an attorney to help convince the bankruptcy court that the filing is fraudulent. The U.S. Trustee does not provide consumers with copies of court documents. You can get them from the bankruptcy clerk's office for a fee. Correcting Fraudulent Information in Credit Reports The Fair Credit Reporting Act (FCRA) establishes procedures for correcting fraudulent information on your credit report and requires that your report be made available only for certain legitimate business needs. Under the FCRA, both the consumer reporting company and the information provider (the business that sent the information to the consumer reporting company), such as a bank or credit card company, are responsible for correcting fraudulent information in your report. To protect your rights under the law, contact both the consumer reporting company and the information provider. Consumer Reporting Company Obligations Consumer reporting companies will block fraudulent information from appearing on your credit report if you take the following steps: Send them a copy of an identity theft report and a letter telling them what information is fraudulent. The letter also should

33 Take Charge: Fighting Back Against Identity Theft Page 10 of 18 state that the information does not relate to any transaction that you made or authorized. In addition, provide proof of your identity that may include your SSN, name, address, and other personal information requested by the consumer reporting company. The consumer reporting company has four business days to block the fraudulent information after accepting your identity theft report. It also must tell the information provider that it has blocked the information. The consumer reporting company may refuse to block the information or remove the block if, for example, you have not told the truth about your identity theft. If the consumer reporting company removes the block or refuses to place the block, it must let you know. The blocking process is only one way for identity theft victims to deal with fraudulent information. There's also the "reinvestigation process," which was designed to help all consumers dispute errors or inaccuracies on their credit reports. For more information on this process, see How to Dispute Credit Report Errors and Your Access to Free Credit Reports, two publications from the FTC. Information Provider Obligations Information providers stop reporting fraudulent information to the consumer reporting companies once you send them an identity theft report and a letter explaining that the information that they're reporting resulted from identity theft. But you must send your identity theft report and letter to the address specified by the information provider. Note that the information provider may continue to report the information if it later learns that the information does not result from identity theft. If a consumer reporting company tells an information provider that it has blocked fraudulent information in your credit report, the information provider may not continue to report that information to the consumer reporting company. The information provider also may not hire someone to collect the debt that relates to the fraudulent account, or sell that debt to anyone else who would try to collect it. Sample Blocking Letter Consumer Reporting Company Date Your Name Your Address Your City, State, Zip Code Complaint Department Name of Consumer Reporting Company Address City, State, Zip Code Dear Sir or Madam: I am a victim of identity theft. I am writing to request that you block the following fraudulent information in my file. This information does not relate to any transaction that I have made. The items also are circled on the attached copy of the report I received. (Identify item(s) to be blocked by name of source, such as creditors or tax court, and identify type of item, such as credit account, judgment, etc.) Enclosed is a copy of the law enforcement report regarding my identity theft. Please let me know if you need any other information from me to block this information on my credit report. Sincerely, Your name Enclosures: (List what you are enclosing.) Credit Cards The Fair Credit Billing Act establishes procedures for resolving billing errors on your credit card accounts, including fraudulent charges on your accounts. The law also limits your liability for unauthorized credit card charges to $50 per card. To take advantage of the law's consumer protections, you must: write to the creditor at the address given for "billing inquiries," NOT the address for sending your payments. Include your name, address, account number, and a description of the billing error, including the amount and date of the error. See Sample Letter. send your letter so that it reaches the creditor within 60 days after the first bill containing the error was mailed to you. If an identity thief changed the address on your account and you didn't receive the bill, your dispute letter still must reach the

34 Take Charge: Fighting Back Against Identity Theft Page 11 of 18 creditor within 60 days of when the creditor would have mailed the bill. This is one reason it's essential to keep track of your billing statements, and follow up quickly if your bills don't arrive on time. You should send your letter by certified mail, and request a return receipt. It becomes your proof of the date the creditor received the letter. Include copies (NOT originals) of your police report or other documents that support your position. Keep a copy of your dispute letter. The creditor must acknowledge your complaint in writing within 30 days after receiving it, unless the problem has been resolved. The creditor must resolve the dispute within two billing cycles (but not more than 90 days) after receiving your letter. For more information, see Fair Credit Billing and Avoiding Credit and Charge Card Fraud, two publications from the FTC. Sample Dispute Letter For Existing Accounts Date Your Name Your Address Your City, State, Zip Code Your Account Number Name of Creditor Billing Inquiries Address City, State, Zip Code Dear Sir or Madam: I am writing to dispute a fraudulent (charge or debit) on my account in the amount of $. I am a victim of identity theft, and I did not make this (charge or debit). I am requesting that the (charge be removed or the debit reinstated), that any finance and other charges related to the fraudulent amount be credited, as well, and that I receive an accurate statement. Enclosed are copies of (use this sentence to describe any enclosed information, such as a police report) supporting my position. Please investigate this matter and correct the fraudulent (charge or debit) as soon as possible. Sincerely, Your name Enclosures: (List what you are enclosing.) Criminal Violations Procedures to correct your record within criminal justice databases can vary from state to state, and even from county to county. Some states have enacted laws with special procedures for identity theft victims to follow to clear their names. You should check with the office of your state Attorney General, but you can use the following information as a general guide. If wrongful criminal violations are attributed to your name, contact the police or sheriff's department that originally arrested the person using your identity, or the court agency that issued the warrant for the arrest. File an impersonation report with the police/sheriff's department or the court, and confirm your identity: Ask the police department to take a full set of your fingerprints, photograph you, and make a copies of your photo identification documents, like your driver's license, passport, or travel visa. To establish your innocence, ask the police to compare the prints and photographs with those of the imposter. If the arrest warrant is from a state or county other than where you live, ask your local police department to send the impersonation report to the police department in the jurisdiction where the arrest warrant, traffic citation, or criminal conviction originated. The law enforcement agency should then recall any warrants and issue a "clearance letter" or "certificate of release" (if you were arrested/booked). You'll need to keep this document with you at all times in case you're wrongly arrested again. Ask the law enforcement agency to file the record of the follow-up investigation establishing your innocence with the district attorney's (D.A.) office and/or court where the crime took place. This will result in an amended complaint. Once your name is recorded in a criminal database, it's unlikely that it will be completely removed from the official record. Ask that the "key name" or "primary name" be

35 Take Charge: Fighting Back Against Identity Theft Page 12 of 18 changed from your name to the imposter's name (or to "John Doe" if the imposter's true identity is not known), with your name noted as an alias. You'll also want to clear your name in the court records. To do so, you'll need to determine which state law(s) will help you with this and how. If your state has no formal procedure for clearing your record, contact the D.A.'s office in the county where the case was originally prosecuted. Ask the D.A.'s office for the appropriate court records needed to clear your name. You may need to hire a criminal defense attorney to help you clear your name. Contact Legal Services in your state or your local bar association for help in finding an attorney. Finally, contact your state Department of Motor Vehicles (DMV) to find out if your driver's license is being used by the identity thief. Ask that your files be flagged for possible fraud. Debt Collectors The Fair Debt Collection Practices Act prohibits debt collectors from using unfair or deceptive practices to collect overdue bills that a creditor has forwarded for collection, even if those bills don't result from identity theft. You can stop a debt collector from contacting you in two ways: Write a letter to the collection agency telling them to stop. Once the debt collector receives your letter, the company may not contact you again with two exceptions: They can tell you there will be no further contact, and they can tell you that the debt collector or the creditor intends to take some specific action. Send a letter to the collection agency, within 30 days after you received written notice of the debt, telling them that you do not owe the money. Include copies of documents that support your position. Including a copy (NOT original) of your police report may be useful. In this case, a collector can renew collection activities only if it sends you proof of the debt. If you don't have documentation to support your position, be as specific as possible about why the debt collector is mistaken. The debt collector is responsible for sending you proof that you're wrong. For example, if the debt you're disputing originates from a credit card you never applied for, ask for a copy of the application with the applicant's signature. Then, you can prove that it's not your signature. If you tell the debt collector that you are a victim of identity theft and it is collecting the debt for another company, the debt collector must tell that company that you may be a victim of identity theft. While you can stop a debt collector from contacting you, that won't get rid of the debt itself. It's important to contact the company that originally opened the account to dispute the debt, otherwise that company may send it to a different debt collector, report it on your credit report, or initiate a lawsuit to collect on the debt. For more information, see Fair Debt Collection, a publication from the FTC. Driver's License If you think your name or SSN is being used by an identity thief to get a driver's license or a non-driver's ID card, contact your state DMV. If your state uses your SSN as your driver's license number, ask to substitute another number. Investment Fraud U.S. Securities and Exchange Commission (SEC) The SEC's Office of Investor Education and Assistance serves investors who complain to the SEC about investment fraud or the mishandling of their investments by securities professionals. If you believe that an identity thief has tampered with your securities investments or a brokerage account, immediately report it to your broker or account manager and to the SEC. You can file a complaint with the SEC's Complaint Center at Include as much detail as possible. If you don't have Internet access, write to the SEC at: SEC Office of Investor Education and Assistance, 450 Fifth Street, NW, Washington DC, For answers to general questions, call Mail Theft U.S. Postal Inspection Service (USPIS) The USPIS is the law enforcement arm of the U.S. Postal Service, and investigates cases of identity theft. The USPIS has primary jurisdiction in all matters infringing on the integrity of the U.S. mail. If an identity thief has stolen your mail to get new credit cards,

36 Take Charge: Fighting Back Against Identity Theft Page 13 of 18 bank or credit card statements, pre-screened credit offers, or tax information, or has falsified change-of-address forms or obtained your personal information through a fraud conducted by mail, report it to your local postal inspector. You can locate the USPIS district office nearest you by calling your local post office, checking the Blue Pages of your telephone directory, or visiting Passport Fraud United States Department of State (USDS) If you've lost your passport, or believe it was stolen or is being used fraudulently, contact the USDS through their website, or call a local USDS field office. Local field offices are listed in the Blue Pages of your telephone directory. Phone Fraud If an identity thief has established phone service in your name, is making unauthorized calls that seem to come from and are billed to your cellular phone, or is using your calling card and PIN, contact your service provider immediately to cancel the account and/or calling card. Open new accounts and choose new PINs. If you're having trouble getting fraudulent phone charges removed from your account or getting an unauthorized account closed, contact the appropriate agency below. For local service, contact your state Public Utility Commission. For cellular phones and long distance, contact the Federal Communications Commission (FCC) at The FCC regulates interstate and international communications by radio, television, wire, satellite, and cable. Call: CALL-FCC; TTY: TELL-FCC; or write: Federal Communications Commission, Consumer Information Bureau, th Street, SW, Room 5A863, Washington, DC You can file complaints online at or your questions to [email protected]. Social Security Number Misuse Social Security Administration (SSA) If you have specific information of SSN misuse that involves the buying or selling of Social Security cards, may be related to terrorist activity, or is designed to obtain Social Security benefits, contact the SSA Office of the Inspector General. You may file a complaint online at call toll-free: , fax: , or write: SSA Fraud Hotline, P.O. Box 17768, Baltimore, MD You also may call SSA toll-free at to verify the accuracy of the earnings reported on your SSN, request a copy of your Social Security Statement, or get a replacement SSN card if yours is lost or stolen. Follow up in writing. SSA publications: SSA Fraud Hotline for Reporting Fraud Social Security: Your Number and Card (SSA Pub. No ) Identity Theft And Your Social Security Number (SSA Pub. No ) Student Loans Contact the school or program that opened the student loan to close the loan. At the same time, report the fraudulent loan to the U.S. Department of Education. Call the Inspector General's Hotline toll-free at MIS-USED; visit or write: Office of Inspector General, U.S. Department of Education, 400 Maryland Avenue, SW, Washington, DC Tax Fraud Internal Revenue Service (IRS) The IRS is responsible for administering and enforcing tax laws. Identity fraud may occur as it relates directly to your tax records. Visit and type in the IRS key word Identity Theft for more information. If you have an unresolved issue related to identity theft, or you have suffered or are about to suffer a significant hardship as a result of the administration of the tax laws, visit the IRS Taxpayer Advocate Service website or call tollfree:

37 Take Charge: Fighting Back Against Identity Theft Page 14 of 18 If you suspect or know of an individual or company that is not complying with the tax law, report it to the Internal Revenue Service Criminal Investigation Informant Hotline by calling toll-free: or visit and type in the IRS key word Tax Fraud. For More Information Federal Trade Commission (FTC) The FTC wants consumers and businesses to know about the importance of personal information privacy. To request free copies of brochures, visit or call FTC-HELP ( ). FTC publications: ID Theft: What's It All About? Avoiding Credit and Charge Card Fraud Credit and ATM Cards: What to Do If They're Lost or Stolen Credit Card Loss Protection Offers: They're The Real Steal Electronic Banking Fair Credit Billing Your Access to Free Credit Reports Fair Debt Collection Getting Purse-onal: What To Do If Your Wallet or Purse Is Stolen How to Dispute Credit Report Errors Identity Crisis... What to Do If Your Identity Is Stolen Identity Thieves Can Ruin Your Good Name: Tips for Avoiding Identity Theft Department of Justice (DOJ) The DOJ and its U.S. Attorneys prosecute federal identity theft cases. Information on identity theft is available at Federal Bureau of Investigation (FBI) The FBI, a criminal law enforcement agency, investigates cases of identity theft. The FBI recognizes that identity theft is a component of many crimes, including bank fraud, mail fraud, wire fraud, bankruptcy fraud, insurance fraud, fraud against the government, and terrorism. Local field offices are listed in the Blue Pages of your telephone directory. U.S. Secret Service (USSS) The U.S. Secret Service investigates financial crimes, which may include identity theft. Although the Secret Service generally investigates cases where the dollar loss is substantial, your information may provide evidence of a larger pattern of fraud requiring their involvement. Local field offices are listed in the Blue Pages of your telephone directory. Financial Crimes Division STAYING ALERT Once resolved, most cases of identity theft stay resolved. But occasionally, some victims have recurring problems. To help stay on top of the situation, continue to monitor your credit reports and read your financial account statements promptly and carefully. You may want to review your credit reports once every three months in the first year of the theft, and once a year thereafter. And stay alert for other signs of identity theft, like: failing to receive bills or other mail. Follow up with creditors if your bills don't arrive on time. A missing bill could mean an identity thief has taken over your account and changed your billing address to cover his tracks. receiving credit cards that you didn't apply for. being denied credit, or being offered less favorable credit terms, like a high interest rate, for no apparent reason. getting calls or letters from debt collectors or businesses about merchandise or services you didn't buy.

38 Take Charge: Fighting Back Against Identity Theft Page 15 of 18 Getting Your Credit Report Free Annual Credit Reports A recent amendment to the federal Fair Credit Reporting Act requires each of the major nationwide consumer reporting companies to provide you with a free copy of your credit reports, at your request, once every 12 months. Free reports are being phased in during a nine-month period, rolling from states in the West to the states in the East. Beginning September 1, 2005, free reports will be accessible to all Americans, regardless of where they live. Consumers in the Western states - Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming -can order their free reports beginning December 1, Consumers in the Midwestern states - Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin -can order their free reports beginning March 1, Consumers in the Southern states - Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas - can order their free reports beginning June 1, Consumers in the Eastern states - Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia - District of Columbia, Puerto Rico, and all U.S. territories can order their free reports beginning September 1, To order your free annual report from one or all the national consumer reporting companies, visit call toll-free , or complete the Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box , Atlanta, GA The form is at the back of this brochure; or you can print it from Do not contact the three nationwide consumer reporting companies individually. They provide free annual credit reports only through , and Annual Credit Report Request Service, P.O. Box , Atlanta, GA For more information, see Your Access to Free Credit Reports, a publication from the FTC. Other Consumer Rights to Free Reports Under federal law, you're entitled to a free report if a company takes adverse action against you, such as denying your application for credit, insurance, or employment, and you request your report within 60 days of receiving notice of the action. The notice will give you the name, address, and phone number of the consumer reporting company. You're also entitled to one free report a year if you're unemployed and plan to look for a job within 60 days; you're on welfare; or your report is inaccurate because of fraud. Otherwise, a consumer reporting company may charge you up to $9.50 for another copy of your report within a 12-month period. To buy a copy of your report, contact: Equifax: ; Experian: 888-EXPERIAN ( ); TransUnion: ; Under state law, consumers in Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont already have free access to their credit reports. MINIMIZING RECURRENCES Last week I noticed that I was getting products in the mail that I hadn't ordered. Then I noticed charges on my credit card statement that I hadn't made. I spent a whole day calling the vendors numbers listed on my statement to let them know someone was using my credit card to make purchases without my permission. I don't know what else this person may be doing with my accounts and/or my name, and I'm worried about that. From a consumer's complaint to the FTC, January 7, 2004 When it comes to identity theft, you can't entirely control whether you will become a victim. But there are certain steps you can take to minimize recurrences. What To Do Today Place passwords on your credit card, bank, and phone accounts. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers.

39 Take Charge: Fighting Back Against Identity Theft Page 16 of 18 When opening new accounts, you may find that many businesses still have a line on their applications for your mother's maiden name. Ask if you can use a password instead. Secure personal information in your home, especially if you have roommates, employ outside help, or are having work done in your home. Ask about information security procedures in your workplace or at businesses, doctor's offices or other institutions that collect your personally identifying information. Find out who has access to your personal information and verify that it is handled securely. Ask about the disposal procedures for those records as well. Find out if your information will be shared with anyone else. If so, ask how your information can be kept confidential. Active Duty Alerts for Military Personnel If you are a member of the military and away from your usual duty station, you may place an active duty alert on your credit reports to help minimize the risk of identity theft while you are deployed. Active duty alerts are in effect on your report for one year. If your deployment lasts longer, you can place another alert on your credit report. When you place an active duty alert, you'll be removed from the credit reporting companies' marketing list for pre-screened credit card offers for two years unless you ask to go back on the list before then. See Consumer Reporting Companies for contact information. The process for getting and removing an alert, and a business's response to your alert, are the same as that for an initial alert. See Fraud Alerts. You may use a personal representative to place or remove an alert. Maintaining Vigilance Don't give out personal information on the phone, through the mail, or on the Internet unless you've initiated the contact or are sure you know who you're dealing with. Identity thieves are clever, and have posed as representatives of banks, Internet service providers (ISPs), and even government agencies to get people to reveal their SSN, mother's maiden name, account numbers, and other identifying information. Before you share any personal information, confirm that you are dealing with a legitimate organization. Check an organization's website by typing its URL in the address line, rather than cutting and pasting it. Many companies post scam alerts when their name is used improperly. Or call customer service using the number listed on your account statement or in the telephone book. For more information, see How Not to Get Hooked by a 'Phishing' Scam, a publication from the FTC. Treat your mail and trash carefully. Deposit your outgoing mail in post office collection boxes or at your local post office, rather than in an unsecured mailbox. Promptly remove mail from your mailbox. If you're planning to be away from home and can't pick up your mail, call the U.S. Postal Service at to request a vacation hold. The Postal Service will hold your mail at your local post office until you can pick it up or are home to receive it. To thwart an identity thief who may pick through your trash or recycling bins to capture your personal information, tear or shred your charge receipts, copies of credit applications, insurance forms, physician statements, checks and bank statements, expired charge cards that you're discarding, and credit offers you get in the mail. To opt out of receiving offers of credit in the mail, call: OPTOUT ( ). The three nationwide consumer reporting companies use the same toll-free number to let consumers choose not to receive credit offers based on their lists. Note: You will be asked to provide your SSN which the consumer reporting companies need to match you with your file. Don't carry your SSN card; leave it in a secure place. Give your SSN only when absolutely necessary, and ask to use other types of identifiers. If your state uses your SSN as your driver's license number, ask to substitute another number. Do the same if your health insurance company uses your SSN as your policy number. Carry only the identification information and the credit and debit cards that you'll actually need when you go out. Be cautious when responding to promotions. Identity thieves may create phony promotional offers to get you to give them your personal information. Keep your purse or wallet in a safe place at work; do the same with copies of administrative forms that have your sensitive personal information. When ordering new checks, pick them up from the bank instead of having them mailed to your home mailbox. A Special Word About Social Security Numbers Your employer and financial institutions will need your SSN for wage and tax reporting purposes. Other businesses may ask you for your SSN to do a credit check if you are applying for a loan, renting an apartment, or signing up for utilities. Sometimes, however, they simply want your SSN for general record keeping.

40 Take Charge: Fighting Back Against Identity Theft Page 17 of 18 Ifsomeone asks for your SSN, ask: Why do you need my SSN? How will my SSN be used? How do you protect my SSN from being stolen? What will happen if I don't give you my SSN? If you don't provide your SSN, some businesses may not provide you with the service or benefit you want. Getting satisfactory answers to these questions will help you decide whether you want to share your SSN with the business. The decision to share is yours. The Doors and Windows Are Locked, But... You may be careful about locking your doors and windows, and keeping your personal papers in a secure place. Depending on what you use your personal computer for, an identity thief may not need to set foot in your house to steal your personal information. You may store your SSN, financial records, tax returns, birth date, and bank account numbers on your computer. These tips can help you keep your computer - and the personal information it stores - safe. Virus protection software should be updated regularly, and patches for your operating system and other software programs should be installed to protect against intrusions and infections that can lead to the compromise of your computer files or passwords. Ideally, virus protection software should be set to automatically update each week. The Windows XP operating system also can be set to automatically check for patches and download them to your computer. Do not open files sent to you by strangers, or click on hyperlinks or download programs from people you don't know. Be careful about using file-sharing programs. Opening a file could expose your system to a computer virus or a program known as "spyware," which could capture your passwords or any other information as you type it into your keyboard. For more information, see File Sharing: A Fair Share? Maybe Not and Spyware, publications from the FTC. Use a firewall program, especially if you use a high-speed Internet connection like cable, DSL or T-1 that leaves your computer connected to the Internet 24 hours a day. The firewall program will allow you to stop uninvited access to your computer. Without it, hackers can take over your computer, access the personal information stored on it, or use it to commit other crimes. Use a secure browser - software that encrypts or scrambles information you send over the Internet -to guard your online transactions. Be sure your browser has the most up-to-date encryption capabilities by using the latest version available from the manufacturer. You also can download some browsers for free over the Internet. When submitting information, look for the "lock" icon on the browser's status bar to be sure your information is secure during transmission. Try not to store financial information on your laptop unless absolutely necessary. If you do, use a strong password a combination of letters (upper and lower case), numbers and symbols. A good way to create a strong password is to think of a memorable phrase and use the first letter of each word as your password, converting some letters into numbers that resemble letters. For example, "I love Felix; he's a good cat," would become 1LFHA6c. Don't use an automatic log-in feature that saves your user name and password, and always log off when you're finished. That way, if your laptop is stolen, it's harder for a thief to access your personal information. Before you dispose of a computer, delete all the personal information it stored. Deleting files using the keyboard or mouse commands or reformatting your hard drive may not be enough because the files may stay on the computer's hard drive, where they may be retrieved easily. Use a "wipe" utility program to overwrite the entire hard drive. Look for website privacy policies. They should answer questions about maintaining accuracy, access, security, and control of personal information collected by the site, how the information will be used, and whether it will be provided to third parties. If you don't see a privacy policy - or if you can't understand it - consider doing business elsewhere. For more information, see Site-Seeing on the Internet: A Traveler's Guide to Cyberspace, a publication from the FTC. APPENDIX It's The Law Federal Law The Identity Theft and Assumption Deterrence Act, enacted by Congress in October 1998 (and codified, in part, at 18 U.S.C. 1028) makes identity theft a federal crime. Under federal criminal law, identity theft takes place when someone "knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."

41 Take Charge: Fighting Back Against Identity Theft Page 18 of 18 Under this definition, a name or Social Security number is considered a "means of identification." So is a credit card number, cellular telephone electronic serial number, or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual. Violations of the federal crime are investigated by federal law enforcement agencies, including the U.S. Secret Service, the FBI, the U.S. Postal Inspection Service, and the Social Security Administration's Office of the Inspector General. Federal identity theft cases are prosecuted by the U.S. Department of Justice. For the purposes of the law, the FCRA defines identity theft to apply to consumers and businesses. State Laws Many states have passed laws making identity theft a crime or providing help in recovery from identity theft; others are considering such legislation. Where specific criminal identity theft laws do not exist, the practices may be prohibited under other laws. Contact your state Attorney General (for a list of state offices, visit or local consumer protection agency for laws related to identity theft, or visit Instructions for Completing the ID Theft Affidavit/ID Theft Affidavit [PDF only] Annual Credit Report Request Form [PDF only] Privacy Policy When you contact us with complaints or requests for information, you can do it online at by telephone, toll-free at ID-THEFT ( ); or by mail: Federal Trade Commission, Identity Theft Clearinghouse, 600 Pennsylvania Avenue, NW, Washington, DC Before you contact us, there are a few things you should know. We enter the information you send into the Identity Theft Clearinghouse, an electronic database. The Clearinghouse is a system of records covered under the Privacy Act of In general, the Privacy Act prohibits unauthorized disclosures of the records it protects. It also gives individuals the right to review records about themselves. Learn more about your Privacy Act rights and the FTC's Privacy Act procedures by contacting the FTC's Freedom of Information Act Office: ; The information you submit is shared with FTC attorneys and investigators. It also may be shared with employees of various federal, state, or local law enforcement or regulatory authorities. The FTC also may share your information with some private entities, such as consumer reporting companies and any companies you may have complained about, where it believes that doing so might help resolve identity theft-related problems. You may be contacted by the FTC or any of the agencies or private entities to whom your complaint has been referred. In some limited circumstances, including requests from Congress, the FTC may be required by law to disclose information you submit. You have the option to submit your information anonymously. However, if you do not provide your name and contact information, law enforcement agencies and other organizations will not be able to contact you for more information to help in identity theft investigations and prosecutions ID-THEFT ( ) The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit or call toll-free, FTC-HELP ( ); TTY: The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad. February 2005 HOME CONSUMERS BUSINESSES NEWSROOM FORMAL ANTITRUST CONGRESSIONAL ECONOMIC LEGAL Privacy Policy About FTC Commissioners File a Complaint HSR FOIA IG Office En Español

42 Attachment D: FACTA, The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some Privacy Rights Clearinghouse, copywritten material distributable for non-profit educational use only.

43 Facts on FACTA, the Fair and Accurate Credit Transactions Act Page 1 of 13 Fact Sheet 6(a): Facts on FACTA Copyright Privacy Rights Clearinghouse / UCAN April th Ave., Suite B San Diego, CA Voice: (619) Fax: (619) Web: Contact Us: HOME FACTA, The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some 1. Introduction 2. Help for Identity Theft Victims 2A. Free Credit Reports 2B. Fraud Alerts and Active Duty Alerts 2C. Truncation: Credit Cards, Debit Cards, Social Security Numbers 2D. Information Available to Victims 2E. Collection Agencies 2F. Red Flags 2G. Disposal of Consumer Reports 3. Notice of Consumer Rights 4. Credit Scores 5. Disputing Inaccurate Information 6. Negative Information in a Consumer Report 7. Medical Information and Consumer Reports 8. Nationwide Specialty Consumer Reporting Agencies 9. Workplace Investigations 10. Information Sharing Among Affiliates Opt-Out for Marketing 11. Risk-Based Pricing 12. FACTA Studies 13. References 1. Introduction The Fair and Accurate Credit Transaction Act of 2003, Pub. L , 111 Stat , (FACTA) added new sections to the federal Fair Credit Reporting Act, 15 U.S.C et seq., (FCRA) intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. This is all good news for consumers. However, consumers came out on the losing end when Congress virtually barred states from adopting stronger laws. 1 As of this writing, some new sections of FACTA are already in effect. Other sections will be effective only after federal agencies solicit public comment and then adopt final regulations. In addition to the Federal Trade Commission ( the federal financial agencies have jurisdiction and are involved in writing regulations to implement FACTA. 2 As of this writing, some new sections of FACTA are already in effect. Other sections will be

44 Facts on FACTA, the Fair and Accurate Credit Transactions Act effective only after federal agencies solicit public comment and then adopt final regulations. In addition to the Federal Trade Commission ( the federal financial agencies have jurisdiction and are involved in writing regulations to implement FACTA. Page 2 of 13 Generally, those FACTA provisions without a specific effective date will be effective December 1, This guide is intended only as a brief summary of the new FACTA provisions. There are as yet many details to be decided through regulations. We will revise and update these sections as final federal regulations are published. 2. Help for Identity Theft Victims The crime of identity theft has continued to grow at epidemic proportions. Several widely reported surveys on the number of identity theft victims were released as Congress went into final hearings on FCRA amendments. A shocking report released by the Federal Trade Commission in September 2003 estimated that nearly 10 million people were victims of identity theft in 2002 alone. To see the FTC s analysis and other surveys on identity theft released in the latter half of 2003, see the PRC publication, How Many Identity Theft Victims Are There?, In response to new findings about identity theft, Congress adopted a number of FCRA provisions aimed at prevention and help for victims. The Federal Trade Commission recently published a revised guide for identity theft victims which includes new FACTA provisions. This guide, titled Take Charge: Fighting Back Against Identity Theft, can be found at A. Free Reports Consumer advocates have long encouraged you to monitor your credit report as a way to detect identity theft. The standard advice was to request a copy of your credit report once a year from each of the three national credit bureaus: Experian, TransUnion, and Equifax. Until now, you usually had to pay up to $9.50 to get a copy of your report from each of these credit bureaus. Recognizing the benefit of self-monitoring, Congress adopted a new rule that allows you a free copy of your credit report annually from each of the big three. (FCRA sec. 612 (a)(1)(a)&(b)) Congress left it to the Federal Trade Commission (FTC), through regulations, to set up the procedure for obtaining your free reports. When can I order my free credit report? That depends on where you live. The rules on free credit reports are among the first regulations adopted by the FTC. The procedure established by the FTC calls for a phase-in, starting with the Western states, in December If you live on the East Coast, your right to a free credit report will not take effect until September Here s the phase-in schedule: December 1, 2004: Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming. March 1, 2005: Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin. June 1, 2005: Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas. September 1, 2005: Connecticut, Delaware, District of Columbia, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia, Puerto Rico, and all U.S. territories.

45 Facts on FACTA, the Fair and Accurate Credit Transactions Act To order your free reports when they become available in your state, go to where you can order your reports directly or download the Annual Credit Report Request form to mail in your request. You can also call The World Privacy Forum has released a study that indicates that privacy-conscious consumers may be better served by ordering their credit reports by phone or mail rather than online. See for more details. And for more information about access to free credit reports, see the Federal Trade Commission's Facts for Consumers at Page 3 of 13 Even now, you are entitled to a free copy of your credit report if you live in one of seven states. Those states are: Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont. Am I still entitled to a free credit report if I am unemployed? Yes, and for other reasons as well. You can still get a free copy of your credit report if you certify to the credit reporting agency that: You are unemployed and intend to apply for employment in the 60-day period beginning on the date you make the certification. Or you receive public welfare assistance. Or you believe your file contains inaccurate information due to fraud. FACTA also gives you new rights to a free credit report if you are a victim of identity theft. For more on this, see Section 2B below on fraud and active duty alerts. In addition to free credit reports, FACTA gives you the right to one free report annually from a consumer reporting agency that compiles reports on employment, medical records, check writing, insurance, and housing rental history. For more on what FACTA calls nationwide specialty consumer reporting agencies, see Section 8 below. To review public comments submitted to the FTC from consumer advocates, industry representatives, and others in response to the free credit report rule, see: For the final free credit report rule published by the FTC on June 24, 2004, see B. Fraud Alerts and Active Duty Alerts If you are the victim of identity theft, FACTA gives you the right to contact a credit reporting agency to flag your account. This new procedure, called a fraud alert, is already available by law to consumers in some states. And, the three major credit bureaus, Experian, TransUnion, and Equifax, have already voluntarily adopted this as standard procedure. To place a fraud alert, you must provide proof of your identity to the credit bureau. The fraud alert is initially effective for 90 days, but may be extended, at your request, for seven years. FACTA also creates a new kind of alert, an active duty alert, that allows active duty military personnel to place a notation on their credit report as a way to alert potential creditors to possible fraud. While on duty outside the country, military members are particularly vulnerable to identity theft and lack the means to monitor credit activity. An active duty alert is maintained in the file for at least 12 months. If a fraud alert or active duty alert is placed on your credit report, any business that is asked to extend credit to you must contact you at a telephone number you provide or take other reasonable steps to see that the credit application was not made by an identity thief. New FACTA provisions also allow you to block certain items on your credit report that resulted from identity theft. Like the fraud alert, blocking was already an option for consumers in some states. With FACTA, Congress has made blocking the national standard. FACTA gives you the right to a free copy of your credit report when you place a fraud alert. With the extended alert (seven years), you are entitled to two free copies of your report during the 12-month period after you place the alert.

46 Facts on FACTA, the Fair and Accurate Credit Transactions Act Congress directed the FTC to issue regulations to fine-tune procedures for fraud alerts and active duty alerts. Significant portions of this rulemaking include adopting a definition of identity theft as well as standards for what constitutes proper identity required to place a fraud alert or active duty alert. Page 4 of 13 The FTC proposed regulations to implement the alert sections of FACTA were published on April 21, To see comments submitted in response to this proposal, go to The PRC joined Consumers Union and other consumer organizations in commenting on this proposal. C. Truncation: Credit Cards, Debit Cards, Social Security Numbers Receipts that include full account numbers and expiration dates are a gold mine for identity thieves. In some states, full printing of this information is already prohibited. For the future, FACTA sets a national standard for truncation of card information. FACTA says receipts for credit and debt card transactions may not include more than the last five digits of the card number or expiration date. However, the effective date of this provision is a long way off, and there are a couple of loopholes: This section does not apply to receipts for which the sole means of recording a credit or debt card number is by handwriting or by an imprint or copy of the card. For machines in use before January 1, 2005, the merchant has three (3) years to comply. For machines in use after January 1, 2005, the merchant has one (1) year to comply. Another FACTA section allows consumers who request a copy of their file to also request that the first 5 digits of their Social Security number (or similar identification number) not be included in the file. This section takes effect December 1, D. Information Available to Victims For victims, obtaining copies of the imposter s account application and transactions is an important step toward regaining financial health. Effective June 1, 2004, a business that provides credit or products and services to someone who fraudulently uses your identity must give you copies of documents such as applications for credit or transaction records. The business must also provide copies of documents to any Federal, state, or local law enforcement agency you specify. To obtain information, you must supply proof of your identity. Usually this would be the same type of identifying information necessary to open an account. The business may ask you to provide a police report and an identity theft affidavit. For a copy of the FTC s fraud affidavit, see You must also: Make your request in writing. Mail the request to the business at an address it specifies. If the business asks, include relevant information about dates and account numbers. Are there reasons a business would not have to give me this information? Yes, there are some exceptions. A business does not have to provide this information if: There is not a "high degree of confidence" in your true identity. The request contains a misrepresentation of fact. The information is Internet navigational data or similar information about a person's visit to a web site or online service.

47 Facts on FACTA, the Fair and Accurate Credit Transactions Act Can I sue a business for not turning information over to me? Page 5 of 13 The business can be sued only by a government agency. And the business cannot be held civilly liable if it makes a good faith effort to comply. E. Collection Agencies A call from a collection agency is often the first sign of trouble for an identity theft victim. Under FACTA, if you are contacted by a collection agency about a debt that resulted from the theft of your identity, the collector must so inform the creditor. You are entitled to receive all information about this debt (such as applications, account statements, late notices from the creditor) that you would be entitled to see if the debt were actually yours. In addition, FACTA now says that a creditor, once notified that the debt is the work of an identity thief, cannot sell the debt or place it for collection. The new sections relating to collection of debt are effective December 1, For more on collection agencies, see Debt Collection Practices: When Hardball Tactics Go Too Far, F. Red Flags Financial institutions must adopt procedures designed to spot identity theft before it occurs. Certain events such as a change of address, a request for a replacement credit card, or efforts to reactivate a dormant credit card account may signal a potential fraud. Consumer advocates have long pointed out that consumers can only go so far in protecting against identity theft, and that much of the problem lies with lax procedures on the part of business. FACTA requires the FTC and the federal banking agencies to adopt regulations that establish guidelines. As of this writing, red flag regulations have not been published for public comment. The FTC and the banking agencies have existing security guidelines and regulations adopted under the Gramm-Leach-Bliley Act, 15 USC ). In October 2003, the banking agencies published proposed regulations to establish guidelines for notice to customers of a security breach. The PRC s comments to these proposed regulations can be found at, Once final, FACTA s red flag regulations along with the agencies existing security regulations should provide greater protection for consumer data. G. Disposal of Consumer Reports In the past, the practice known as dumpster diving has provided identity thieves with a wealth of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Now, under new FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper disposal. The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published proposed regulations to implement the new FACTA Disposal Rule. To see the comments submitted by the PRC and other consumer organizations in response to these rule proposals, see: Notice of Consumer Rights Reporting agencies have a new obligation to give identity theft victims a notice of rights. This includes, among other things, notice of: (1) the right to file a fraud alert, (2) the right to block information in a report that resulted from fraud, and (3) the right to obtain copies of documents used to commit fraud. This new notice of rights is in addition to a general notice of rights already required by earlier FCRA amendments. The FTC has issued proposed regulations and

48 Facts on FACTA, the Fair and Accurate Credit Transactions Act a sample copy of the identity theft rights. Under the FTC s proposal, consumers who report fraud to a consumer reporting agency will receive the special victims notice of rights. The comment period ends August 16, Page 6 of Credit Scores It has become increasingly common for lenders to make decisions based upon a score. Until recently, consumers did not have access to their score or information about the factors that made up the score. Common sense says a series of late payments can lead to a bad credit rating. However, a score is determined by other factors as well, and to give you the chance to improve your score, you should know how the score is calculated. Even if you do not have a history of late payments, your score may be lowered if your credit card balance is close to the limit or if you are just starting out with using credit. If you are looking for a car loan or thinking of refinancing your mortgage, it is a good idea to check your score before you apply for new credit. What is a credit score? FACTA defines a credit score as: A numerical value or categorization derived from a statistical tool or modeling system used by a person who makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (and the numerical value or the categorization derived from such analysis may also be referred to as a risk predictor or risk score (FCRA 609(f)(2)) The definition does not include a mortgage score. FACTA provides separate requirements for scores generated for home loans and mortgage lenders. (FCRA 609(g)) Under new FACTA provisions, consumers may request a credit score including an explanation of the factors that went into computing the score. Consumers will be charged a reasonable fee, which is to be determined by regulations to be later published by the FTC. The FTC is currently conducting a study of scores used for credit and insurance purposes as well as a number of other studies required by FACTA. For more on credit scores: See the FTC publication, Visit the web site for Fair Isaac, the company that originally developed the credit scoring model, For information on credit scores used by insurers, see the PRC publication, CLUE and You: How Insurers Size You Up, 5. Disputing Inaccurate Information By its very name, the Fair and Accurate Credit Transactions Act places new emphasis on accuracy of information in consumer reports. In a recent study, the U.S. Public Interest Research Group (USPIRG) found that one in four credit reports contain serious errors. To read the PIRG Report, go to: id2=13650&id3=uspirgnewsroom&. For other studies on credit reports, see Section 12 at the end of this guide. Previously, disputes about the accuracy of information in a consumer report had to be made directly to the consumer reporting agency. Under new FACTA provisions, a consumer may dispute inaccurate information directly with a furnisher, that is, a creditor that is a financial institution. Upon notice of disputed information, the furnisher must investigate and cannot report negative information while the investigation is pending. Furnishers notified that information is the result of identify theft must not report that information

49 Facts on FACTA, the Fair and Accurate Credit Transactions Act to a consumer reporting agency. Consumers must now also be given notice before negative information is reported to a consumer reporting agency. Page 7 of 13 The new obligations for furnishers of information should be effective December 1, 2004, after final regulations are published. The FTC is currently soliciting public comment on revisions to existing directives for furnishers of information Notice of Negative Information The number one tip for detecting identity theft is to check your credit report. Erroneous information about late payments and collection actions is what you don t want to see. Like a lot of people, ordering your credit report is probably high on your to do list, but it never seems to get to the top of that list. FACTA now requires creditors to give you what might be called an early warning notice. This notice could alert you that something is amiss with an account. However, the notice is not a substitute for your own close monitoring of credit reports, bank accounts, and credit card statements. And, you may have to look closely to even see this new notice. Starting in December 2004 a financial institution that extends credit must send you a notice before or no later than 30 days after negative information is furnished to a credit bureau. Negative information includes late payments, missed payments, partial payments, or any other form of default on the account. Does this apply only to my accounts with a bank? No. A financial institution has the same meaning as under the Gramm-Leach-Bliley Act. In addition to a bank, this can mean a merchant that extends credit to you or a collection agency that routinely reports information to a credit bureau. For more on non-bank entities that are considered financial institutions, see the FTC publication, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, Do I get a notice every time the account is delinquent? It s a one-time notice as long as the late payment or other negative information has to do with the same account. After the one-time notice, the financial institution can continue to report negative information about the same account. For example, if you are late on your credit card payment three months straight, you are only entitled to the notice either before or within 30 days after the first late payment is reported. Will I receive a separate notice or registered letter? You will almost certainly not receive a registered letter. FACTA requires the financial institution to give you this notice along with any notice of default, any billing statement, or any other materials provided to [you]. The one place the notice cannot appear is in the Truth in Lending Act notice you get when you first open an account. The notice must be clear and conspicuous, but need not be in bold or enlarged type. The Federal Reserve Board ( was directed by Congress to write sample notices for financial institutions. The Board has finalized the regulation, at The sample notices adopted by the Federal Reserve Board are short and to the point: Notice before negative information is reported: We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report. Notice after negative information is reported: We have told a credit bureau about a late payment, missed payment

50 Facts on FACTA, the Fair and Accurate Credit Transactions Act or other default on your account. This information may be reflected in your credit report. Page 8 of 13 Will the notice let me know when I m a victim of identity theft? Not always. When an imposter opens up a new credit account in your name, the thief usually establishes an address different from yours. The address might be a post office box or a vacant apartment used as a mail-pickup by the thief. When the imposter fails to pay on the credit card account, which is usually the case, the creditor will send the warning notice to the address associated with the account. And that is not your address. So you will be in the dark about the impending negative notice to your credit report. The negative information will be recorded in your credit report. That is why we emphasize the importance of ordering your credit report at least once a year. If you are a victim of identity theft, you will learn of it on your credit report. As you learned in Section 2.A above, FACTA gives consumers the ability to obtain one free credit report per year from each of the three credit bureaus. The major reason the law requires credit bureaus to provide free annual credit reports is so individuals can check for identity theft. We strongly encourage you to take advantage of this provision of FACTA. To learn when you can order your free report, go back to Section 2.A for the roll-out schedule. In short, you should not be lulled into a false sense of security just because a creditor must send you a notice before posting negative information to your credit report. Identity thieves operate in various ways. They might attempt to take over your existing accounts. And they might open up new accounts unbeknownst to you. Your best defense against fraud is always close and frequent review of your credit reports and your monthly credit card and bank account statements. 7. Medical Information and Consumer Reports If you re like most people, privacy of your medical information is a top priority. A major concern is that medical information may be used when you apply for a job or refinance your mortgage. Even when medical information is protected in one area, it may still be disclosed through other means. A good example of this is the credit report. A collection action noted on a credit report that names a medical facility as creditor could inadvertently reveal an underlying medical condition. This is a significant threat since the Federal Reserve Board found in a 2003 study that over half the collections reported on credit reports are for medical debt. To read this study, see An Overview of Consumer Data and Credit Reporting, Under a new FACTA provision, consumer reporting agencies may not report the name, address, and telephone number of any medical creditor unless the information is provided in codes that do not identify or infer the provider of care or the individual s medical condition. This does not apply to insurance companies selling other than property and casualty insurance. (FCRA 605(a)(6)) Another section of FACTA says a creditor may not obtain or use medical information to make credit decisions. (FCRA 604(g)(2)). But, there are exceptions, and federal banking agencies were directed to issue regulations to cover uses of medical information to protect legitimate operational, transactional, risk, consumer, and other needs. (FCRA 604(g)(5)(A)) The banking agencies published regulations for comment on medical information and credit. However, the regulations are not final as of this writing. To see the comments submitted by the PRC in response, see Is my consent needed to disclose medical information to an employer? Yes. Even before FACTA, your consent was required to disclose medical information to an

51 Facts on FACTA, the Fair and Accurate Credit Transactions Act employer or for credit or insurance. Now, under FACTA, your consent to use medical data for employment and credit purposes must be specific and in writing. Further, the consent request must use clear and conspicuous language about how the information will be used. FACTA also requires that the medical information requested for employment or credit purposes be relevant. (FCRA 605(a)(6)) The same standard does not apply to insurance. Page 9 of Nationwide Specialty Consumer Reporting Agencies Consumer reports are generally thought to mean credit reports issued by one of the three national credit bureaus: Experian, TransUnion, or Equifax. However, consumer reports may also be issued for purposes other than credit applications. The FCRA also covers reports for insurance, employment, check writing and housing rental history. (FCRA sec. 612 (a)(1)(c)) Such reports are quite common and a number of companies now specialize in providing reports for these specific purposes. FACTA defines companies that issue non-credit reports as a nationwide specialty consumer reporting agency when reports relate to: Medical records or payments. Residential or tenant history. Check writing history. Employment history. Insurance claims. Starting in December 2004, consumers may request a free report annually for any of the specialty CRAs. The FTC has declined to publish a list of companies that meet the definition of nationwide specialty consumer reporting agencies. For some specialties such as employment and rental history, there are many companies that meet the definition of consumer reporting agency and that follow the FCRA. Other specialties are dominated by one or two companies. Medical Records: Medical Information Bureau ( For more on the MIB, see PRC Fact Sheet 8, How Private is my Medical Information, Insurance Reports: ChoicePoint's CLUE ( and Insurance Services Office ISO A-PLUS Report, ( For more on insurance reports, see PRC Fact Sheet 26, CLUE and You: How Insurers Size You Up, Check Writing History, ChexSystems ( To order your report, visit 9. Workplace Investigations FACTA sets a new standard for what the law calls "employee misconduct investigations." What is an "employee misconduct investigation"? This is an investigation conducted by a third-party your employer may hire if the employer suspects you of: Misconduct relating to your employment. A violation of federal, state, or local laws or regulations. A violation of any preexisting written policies of the employer. Noncompliance with the rules of a self-regulatory organization, that, for example, oversees the securities and commodity futures industry. Why was this change made to the FCRA?

52 Facts on FACTA, the Fair and Accurate Credit Transactions Act This section was adopted to make it clear that employers do not have to get permission to conduct a misconduct investigation. Prior to this, FTC staff issued an opinion letter, the socalled Vail Letter ( that said the disclosure and consent requirement of FCRA applies even when an employee is suspected of misconduct and the employer hires an outside investigator. Employers objected to this interpretation of the law because they felt that obtaining consent would tip off the employee to an investigation. (Note: California law already includes an exception for workplace misconduct investigations. Page 10 of 13 If my employer suspects me of misconduct, what does this mean for me? It means your employer does not have to give you notice and get your permission to conduct a misconduct investigation. Like other inquiries covered by the FCRA, this only applies if the employer hires an outside party to conduct the investigation. It also means you will not receive a notice of your rights as others who are subject to a standard employment background check normally would. If, at the end of the investigation, the employer decides to take some action against you, you receive the "adverse action" notice only after the action has been taken. You will receive only a "summary" of the investigation report, but not the more detailed report that may include sources. Who will see the investigation report? The report may be communicated to: The employer or its agent. Any federal or state officer, agency or department, or any officer, agency or department of a unit of general local government. Any self-regulatory organization with regulatory authority over the activities of the employer or the employee. Others, as otherwise required by law; or A government agency, in accordance with an existing FCRA section that allows a consumer reporting agency to disclose personal identifying information to a government agency. Can I dispute the findings? Not under the FCRA dispute procedure. That is because this new section on workplace misconduct investigations was established by removing this type of investigation from the definition of "consumer report." Thus, the usual protections that apply to a consumer report conducted for employment purposes do not apply to workplace misconduct investigations. If you find yourself in this position, you will probably want to seek the advice of an employment law attorney. 10. Information Sharing Among Affiliates Opt-Out for Marketing FACTA will give consumers a new opt-out to stop a corporation s affiliates from sharing consumer data for marketing purposes. This opt-out is in addition to the existing opt-out choices for information shared with third-party non-affiliates and an existing opt-out under the FCRA. For more on the existing opt-outs, see PRC Fact Sheet 24, Protecting Financial Privacy in the New Millennium: The Burden Is on You, and Fact 24a, Financial Privacy: How to Read Your Opt-Out Notices, Existing provisions of the FCRA allow affiliates to share information about your experience and transactions But that section of the FCRA enables you to stop affiliates from sharing information about your credit-worthiness, also sometimes called application information.

53 Facts on FACTA, the Fair and Accurate Credit Transactions Act FACTA does not change these procedures, but adds a new opt-out choice to stop information sharing among affiliates when the purpose is for marketing. You now have the ability to prevent the affiliate receiving your information to solicit you for its products and services. Page 11 of 13 The FTC and the federal banking agencies have proposed regulations to create this new optout procedure. How and when will I be able to opt-out? The details will be known only after the agencies issue final regulations. An important question for the agencies is whether this new opt-out will be included in a separate notice or whether it will be included along with the notice already required. The section of FACTA that establishes the affiliate opt-out provision allows the notice to be included with other notices. The statute also specifies that the notice should be concise and simple. In addition, this opt-out is in effect for five years, with another five-year extension available. To help prevent confusion, we believe the FTC and banking agencies should move forward in considering a short form opt-out that includes all consumer choices. To read the comments provided by the PRC and other consumer organizations on a short form notice, visit these web pages: and Does this change the right of California consumers? No. California law on financial privacy, SB1, took effect July 1, Its provisions on opting out of affiliate sharing are stronger than federal law. SB1 enables individuals to opt-out of most sharing of customer data among a corporation s affiliates, not just for marketing. The affiliate sharing opt-out provision of the California law was challenged by an industry lawsuit, although to date, the law has been upheld by a US District Court. The decision is on appeal to the Ninth Circuit Court of Appeals Risk-Based Pricing The amount you pay in interest can vary greatly. If you have a poor credit history, you will usually have to pay a higher rate than people with a good history of repayments. Like everyone else, you probably receive direct mail or other solicitations quoting exceptionally low interest rates. But, if you apply for the loan or credit card, the interest rate may end up being several points higher than originally quoted. A new section of FACTA (FCRA 615(h)) says you must receive a notice if you are offered credit on terms that are materially less favorable than others you received from the creditor. In short, this covers the situation where you apply for a loan and, although you get the loan, you have to pay a higher interest rate than most people because of something in your credit history. If this happens, you are entitled to notice plus a free copy of your credit report. The FTC and the banking agencies will address the details of this notice requirement through rulemaking. Regulations to implement 615(h)) have not yet been published as of this writing. However, this notice requirement appears in a recent FTC proposal to amend notice consumer reporting agencies are required to make to users of consumer reports FACTA Studies The FTC and other federal agencies have been directed by Congress to conduct several studies of the credit reporting industry. The results of these studies, when combined with earlier studies (see Section 13 below), may help to improve reporting accuracy and consumer awareness. The FTC is currently seeking public comment as part of the studies. The topics under consideration are:

54 Facts on FACTA, the Fair and Accurate Credit Transactions Act Same Report Study (Should a consumer who receives an "adverse action" receive the same copy of the consumer report obtained by the "user?") Accuracy Study. Agency Information Collection Activities Study Credit and Insurance Score Study Page 12 of 13 For more about these studies, visit the FTC web site at Federal Law PRC Publications 13. References The Fair Credit Reporting Act, as amended by FACTA. H.R This is the version of the House of Representatives Bill that was passed by Congress and signed by the President. H.R (To view all versions) Gramm-Leach-Bliley Act, 15 USC , www4.law.cornell.edu/uscode/15/6801.html How Private is My Credit Report? How Private Is My Medical Information? Employment Background Checks:A Jobseeker's Guide, Coping with Identity Theft: Reducing the Risk of Fraud, Identity Theft: What to Do if It Happens to You, Financial Privacy: How to Read Your "Opt-Out" Notices, CLUE and You: How Insurers Size You Up Debt Collection Practices: When Hardball Tactics Go Too Far, Other Studies of Interest One in Four Credit Reports Contains Errors Serious Enough To Wreak Havoc for Consumers, U.S. PIRG, June 17, 2004, id2=13650&id3=uspirgnewsroom& An Overview of Consumer Data and Credit Reporting, Board of Governors of the Federal Reserve, Feb. 2003, Credit Score Accuracy and Implications for Consumers, Consumer Federation of America, December 17, 2002, Consumers Lack Essential Knowledge, and Strongly Support New Protections, on Credit Reporting and Credit Scores, Consumer Federation of America Survey, July 28, 2003,

55 Facts on FACTA, the Fair and Accurate Credit Transactions Act Additional Resources Page 13 of 13 Analysis of the Fair and Accurate Credit Transactions Act of 2003, Pub. L. No (2003), National Consumer Law Center, After the FACT Act: What States Can Still Do to Prevent Identity Theft, Consumers Union, Federal Trade Commission, FCRA Homepage, FACT Act Actions, Federal Trade Commission, Identity Theft Homepage, 1 For more on the subject of state preemption, see the analysis of the National Consumer Law Center as well as a separate analysis by Consumers Union ( 2 The financial agencies are: Office of Comptroller of Currency ( ); Office of Thrift Supervision ( Federal Deposit Insurance Corporation ( Federal Reserve Board ( and the National Credit Union Administration ( The Privacy Rights Clearinghouse developed this guide with funding from the Rose Foundation Consumer Privacy Rights Fund. HOME Copyright Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution of this fact sheet, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our fact sheets are applicable to consumers nationwide. TOP