Washington, DC - There’s been a lot of talk about identity theft lately. Maybe you’ve even heard from customers affected by it. Your help can make a big difference. In fact, did you know that your business is required to provide identity theft victims with copies of records relating to the theft?

The Fair Credit Reporting Act (FCRA) Section 609(e) requires you to provide identity theft victims – or law enforcement at the victim’s request – with a copy of records relating to the theft. Following a written request from an identity theft victim, you must provide the records within 30 days, free of charge and without a subpoena. This is sometimes called “the business records turnover provision.”

Identity theft victims may need the records to document the crime or clear up their good name. You want to help them and you know you need to comply with the law. So, make sure you have policies in place for responding to victims’ requests for records.

Based on what we’ve learned, here are a few things to keep in mind when responding to a business records turnover request

  • Take stock. Know what types of records you have. Think about applications, account statements, receipts, customer service notes associated with a transaction, and records showing where merchandise was purchased or shipped. If you know what you have, then you can better ensure that victims are provided all types of records related to the identity theft
  • Think broadly. The FCRA’s business record turnover provision applies to all different types of identity theft, including new accounts opened, as well as purchases on existing accounts. That’s why it’s important to evaluate your policies periodically to make sure they include new types of identity theft as they emerge.
  • Don’t be afraid to duplicate. Under the FCRA you must provide records even if the victim has received the records before. Here’s an example: Suppose a victim sends in a request for records after receiving a late notice on a billing statement. What should you do? Produce all records related to the unauthorized charges, including copies of billing statements, even though the victim may have already received them. Why? Victims may not have kept the copies they previously received, especially if the identity theft happened some time ago. Denying the victim’s request because the victim previously had access to the records does not comply with Section 609(e).

You may be wondering if there’s any time you can refuse to provide records in response to a 609(e) request. If you’re not sure of the victim’s identity, the FCRA allows you to ask for proof of identity, such as a copy of a government-issued identification. You also may ask for proof of a claim of identity theft, such as an Identity Theft Report issued by the FTC or a police report. An FTC Identity Theft Report subjects the person filing the report to criminal penalties if the information is false, and businesses can treat it as they would a police report. After receiving those documents, if, in good faith, you can’t verify the victim’s identity or believe the request for records was based on a misrepresentation, you may decline to provide the records.

For more information about complying with 609(e), read Businesses Must Provide Victims and Law Enforcement with Transaction Records Relating to Identity Theft.