FTC Brings First Enforcement Action Alleging Failure to Provide Documentation of Identity Theft to Victims

Hudson Cook, LLP

[co-author: Cierra Newman]

On June 10, 2020, Kohl's Department Stores settled claims brought by the Federal Trade Commission alleging that the retailer violated the Fair Credit Reporting Act by refusing to provide victims of identity theft with complete records of questionable transactions.

Under Section 609(e) of the FCRA, businesses are required to provide an identity theft victim with application and business transaction records evidencing any transaction that the victim alleges to be the result of identity theft, subject to limited exceptions. The business entity must provide such records no later than 30 days after the date of receipt of a request from a victim with appropriate proof of identity and proof of a claim of identity theft. Recognizing that millions of Americans have been victims of identity theft, Congress added this requirement to the statute in order to ensure that companies provide victims of identity theft with application and business transaction records about fraudulent transactions made in their names in a timely manner.

The FTC's complaint alleges that, prior to February 2017, Kohl's policies and procedures for handling requests for application and business transaction records from victims of identity theft, pursuant to Section 609(e) of the FCRA ("609(e) requests"), were to provide all such records to the victim within 30 days of receiving a request, after appropriate verification. However, the complaint alleges that, beginning in February 2017, Kohl's modified its policies and procedures for responding to 609(e) requests related to website orders. Under the new policy, Kohl's would only share information identifying the identify thief with law enforcement or with a victim's attorney upon the direct request of law enforcement or the victim's attorney.

In August 2018, the complaint alleges that Kohl's further revised its policy to provide customers with a Kohl's charge account with a more expansive list of business transaction records, but Kohl's continued to refuse to provide detailed order information, including address and phone numbers listed on a fraudulent application or the shipping address used for fraudulent orders, directly to the customer. In addition, Kohl's no longer provided such detailed information about fraudulent orders to victims' attorneys. According to this policy, a victim's only recourse for obtaining such information from Kohl's was a request directly from law enforcement.

As part of the settlement, Kohl's agreed to an injunction requiring it to comply with Section 609(e) and pay a $220,000 civil money penalty. In addition, Kohl's agreed to provide records and certain notices to any eligible victims who previously submitted 609(e) requests and to post a notice on its website for the next three years informing consumers how to request business transaction records related to transactions resulting from identity theft.

This is the first case the FTC has brought using its authority under Section 609(e) of the FCRA. More information is avaiable here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hudson Cook, LLP | Attorney Advertising

Written by:

Hudson Cook, LLP

Hudson Cook, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.