[co-author: Cierra Newman]
On June 10, 2020, Kohl's Department Stores settled claims brought by the Federal Trade Commission alleging that the retailer violated the Fair Credit Reporting Act by refusing to provide victims of identity theft with complete records of questionable transactions.
Under Section 609(e) of the FCRA, businesses are required to provide an identity theft victim with application and business transaction records evidencing any transaction that the victim alleges to be the result of identity theft, subject to limited exceptions. The business entity must provide such records no later than 30 days after the date of receipt of a request from a victim with appropriate proof of identity and proof of a claim of identity theft. Recognizing that millions of Americans have been victims of identity theft, Congress added this requirement to the statute in order to ensure that companies provide victims of identity theft with application and business transaction records about fraudulent transactions made in their names in a timely manner.
The FTC's complaint alleges that, prior to February 2017, Kohl's policies and procedures for handling requests for application and business transaction records from victims of identity theft, pursuant to Section 609(e) of the FCRA ("609(e) requests"), were to provide all such records to the victim within 30 days of receiving a request, after appropriate verification. However, the complaint alleges that, beginning in February 2017, Kohl's modified its policies and procedures for responding to 609(e) requests related to website orders. Under the new policy, Kohl's would only share information identifying the identify thief with law enforcement or with a victim's attorney upon the direct request of law enforcement or the victim's attorney.
In August 2018, the complaint alleges that Kohl's further revised its policy to provide customers with a Kohl's charge account with a more expansive list of business transaction records, but Kohl's continued to refuse to provide detailed order information, including address and phone numbers listed on a fraudulent application or the shipping address used for fraudulent orders, directly to the customer. In addition, Kohl's no longer provided such detailed information about fraudulent orders to victims' attorneys. According to this policy, a victim's only recourse for obtaining such information from Kohl's was a request directly from law enforcement.
As part of the settlement, Kohl's agreed to an injunction requiring it to comply with Section 609(e) and pay a $220,000 civil money penalty. In addition, Kohl's agreed to provide records and certain notices to any eligible victims who previously submitted 609(e) requests and to post a notice on its website for the next three years informing consumers how to request business transaction records related to transactions resulting from identity theft.
This is the first case the FTC has brought using its authority under Section 609(e) of the FCRA. More information is avaiable here.