Identity Theft: Some Outreach Efforts to Promote Awareness of New
Consumer Rights Are Under Way (30-JUN-05, GAO-05-710).
The Fair and Accurate Credit Transactions (FACT) Act of 2003
which amended the Fair Credit Reporting Act (FCRA), contains
provisions intended to help consumers remedy the effects of
identity theft. For example, section 609(e) of the amended FCRA
gives identity theft victims the right to obtain records of
fraudulent business transactions, and section 609(d) requires the
Federal Trade Commission (FTC) to develop a model summary of
identity theft victims' rights. This report provides information
on (1) outreach efforts to inform consumers, businesses, and law
enforcement entities about section 609(e); (2) the views of
relevant groups on the provision's expected impact; and (3) FTC's
process for developing its model summary of rights and views on
the summary's potential usefulness.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-05-710
ACCNO: A28624
TITLE: Identity Theft: Some Outreach Efforts to Promote
Awareness of New Consumer Rights Are Under Way
DATE: 06/30/2005
SUBJECT: Crime prevention
Crime victims
Crimes
Federal law
Fraud
Identity theft
Investigations by federal agencies
Law enforcement
Law enforcement agencies
Web sites
Information security
Consumer protection
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-05-710
United States Government Accountability Office
GAO Report to Congressional Committees
June 2005
IDENTITY THEFT
Some Outreach Efforts to Promote Awareness of New Consumer Rights Are Under Way
a
GAO-05-710
[IMG]
June 2005
IDENTITY THEFT
Some Outreach Efforts to Promote Awareness of New Consumer Rights Are Under Way
What GAO Found
Some efforts to educate consumers, business entities, and local law
enforcement officials about their rights and obligations under section
609(e), which grants identity theft victims access to fraudulent business
transaction records, were under way as of June 2005-notably by the FTC,
U.S. Postal Inspection Service, International Association of Chiefs of
Police, and National Credit Union Administration. For example, FTC had a
number of outreach efforts on section 609(e) including coverage in
conferences and presentations as well as information available through its
Web site, toll-free hotline, and identity theft publications. While many
of the other federal regulators and law enforcement agencies have
undertaken outreach efforts on identity theft, most did not specifically
include information on section 609(e). FTC staff indicated that the public
education campaign on identity theft prevention mandated to be implemented
by December 2005 by the FACT Act will also include coverage of section
609(e).
According to FTC, law enforcement agency officials, and consumer advocacy
group representatives we spoke with, section 609(e) should help victims to
remedy the effects of identity theft more quickly. Other cited benefits
include allowing victims to build stronger cases that could assist law
enforcement agencies in developing intelligence data for their
investigations. However, due to the limited experience with victims
attempting to obtain business records, it is too early to assess the
actual effectiveness of the section 609(e) provisions. Consumer groups and
state agencies identified some potential problems with the timeliness of
business transaction data and the extent of documents needed to verify a
victim's identity theft claim. Given the newness of the provision,
additional experience is needed to verify the validity of these potential
concerns or other concerns not yet anticipated. FTC staff told us that as
part of their overall FACT Act outreach efforts, they intend to monitor
the implementation of section 609(e) to determine whether the provision is
working as intended.
Most of the agencies and groups we spoke with had favorable views of FTC's
process to develop the model summary of identity theft victim rights
mandated under section 609(d). FTC published its final form of the summary
on November 30, 2004, and as required by FTC's guidance, the three
national credit reporting agencies told us they began distributing a
summary to consumers who contacted them with identity theft concerns
before January 31, 2005. While most of the groups that we contacted felt
that FTC had been responsive to their comments, consumer advocacy groups
identified two potential concerns. These potential concerns center on the
limited availability of a Spanish version of the summary of rights and the
clarity of the model summary of rights to the general population. However,
due to the limited time that the summary has been available, it is too
early to determine the extent of any implementation issues.
United States Government Accountability Office
Contents
Letter
Results in Brief
Background
Some Efforts to Increase Awareness of Section 609(e) Were Under
Way as of June 2005
Many Believe the New Provision Will Be Useful, but Some Potential
Concerns Were Identified
FTC's Model Summary of Rights Process Has Generally Been Viewed
Favorably
Conclusions
1 3 6
7
15
20 23
Appendixes
Appendix I: Objectives, Scope, and Methodology 26
Appendix II: Reprint of FTC's Model Summary of Identity Theft Victim
Rights 28
Figure Figure 1: U.S. Postal Inspection Service Advertisement on Identity
Theft and the FACT Act
Contents
Abbreviations
CRA Credit Reporting Agency
DOJ Department of Justice
DOL Department of Labor
FACT Fair and Accurate Credit Transactions Act of 2003
FBI Federal Bureau of Investigation
FCRA Fair Credit Reporting Act
FDIC Federal Deposit Insurance Corporation
FFIEC Federal Financial Institutions Examination Council
FTC Federal Trade Commission
IACP International Association of Chiefs of Police
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
A
United States Government Accountability Office Washington, D.C. 20548
June 30, 2005
The Honorable Richard C. Shelby
Chairman
The Honorable Paul S. Sarbanes
Ranking Minority Member
Committee on Banking, Housing, and Urban Affairs
United States Senate
The Honorable Michael G. Oxley
Chairman
The Honorable Barney Frank
Ranking Minority Member
Committee on Financial Services
House of Representatives
Recent thefts of customer information from several large commercial
databases have reinforced widespread concerns about identity theft. The
Federal Trade Commission (FTC) has reported that identity theft
represented about 40 percent of all the consumer fraud complaints it
received during each of the last 3 calendar years. Identity theft
generally
involves the fraudulent use of another person's identifying information-
such as a Social Security number, date of birth, or mother's maiden name-
to establish credit, run up debt, or take over existing financial
accounts.
According to identity theft experts, individuals whose identities have
been
stolen can spend months or years and thousands of dollars clearing their
names. Some individuals have lost job opportunities, been refused loans,
or
even been arrested for crimes they did not commit as a result of identity
theft.
To help address the difficulties victims often encounter in trying to
recover
from identity theft, Congress added various provisions to the Fair and
Accurate Credit Transactions (FACT) Act of 2003.1 In particular,
recognizing that the amount of damage done to an individual's name,
financial or otherwise, can be mitigated by how quickly the identity theft
is
discovered and addressed, Congress included a provision to help victims
obtain records of alleged fraudulent business transactions. This
provision-section 609(e) of the amended Fair Credit Reporting Act
1Pub. L. No. 108-159, 117 Stat. 1952 (2003) and Pub. L. No. 91-508, 84
Stat. 1114 (codified at 15 U.S.C. S:S: 1681 et seq.) (2000).
(FCRA)-established the right of identity theft victims to obtain, within
30 days, copies of business records involved in transactions alleged to be
the result of identity theft.2 Further, the FACT Act requires that FTC
develop a model summary of rights to be distributed to consumers who
believe that they are victims of identity theft-including the right to
obtain information available to them under section 609(e).3 Additionally,
the act requires FTC to establish and implement a public media and
distribution campaign on identity theft prevention by December 2005.4
The FACT Act also required GAO to evaluate the effectiveness of section
609(e) and issue a report to Congress by June 2005.5 Because of the short
period of time that had elapsed since the June 2004 effective date of the
provision, we informed the Senate Committee on Banking, Housing, and Urban
Affairs and the House Committee on Financial Services that we would be
unable to assess the effectiveness of the provision. Consequently, to
satisfy the mandate, we agreed with the two committees that this report
would (1) provide information on outreach efforts to consumers,
businesses, and local law enforcement agencies on the provision; (2)
2Section 151 of the FACT Act amended section 609 of the FCRA. Section
609(e) of the amended FCRA specifies that business entities must respond
within 30 days, subject to verification of the victim's identity and claim
of identity theft, to request a copy of an application and business
transaction records evidencing any transaction alleged to be the result of
identity theft. These transactions may involve, among other things,
granting credit; providing products, goods, or services; and accepting
payments. Pub. L. No. 108-159, S: 151(a)(1), 117 Stat. 1952, 1961 (2003)
(codified at 15 U.S.C.A. S: 1681g) (West Supp. 2004).
3Section 609(d) of the amended FCRA. Pub. L. No. 108-159, sec. 151(a)(1).
Appendix II provides FTC's final Model Summary of Identity Theft Victims
Rights.
4Pub. L. No. 108-159, S: 151(b), 117 Stat. 1952, 1964 (2003). FTC's
mandate requires it to establish and implement, by December 2005, a media
and distribution campaign to educate the public on how to prevent identity
theft. The campaign is to include existing Commission education materials,
as well as radio, television, and print public service announcements,
video cassettes, interactive digital video discs (DVDs) or compact audio
discs (CDs), and Internet resources.
5Section 609(e)(13) of the amended FCRA. The FACT Act also mandated that
GAO evaluate consumers' knowledge and experience with credit reporting and
provide recommendations for improving general financial literacy among
consumers. We addressed these topics in
Credit Reporting Literacy: Consumers Understood the Basics but Could
Benefit from Targeted Education Efforts, GAO-05-223 (Washington, D.C.:
Mar. 16, 2005) and Highlights of a GAO Forum, the Federal Government's
Role in Improving Financial Literacy, GAO05-93SP (Washington, D.C.: Nov.
15, 2004) available at http://www.gao.gov. In addition, the FACT Act
directed GAO to conduct an assessment of the effectiveness of the
Financial Literacy and Education Commission, created by the FACT Act
(section 517). This report will be issued in December 2006.
describe the views and opinions of relevant federal agencies, private
business entities, and consumer groups on the expected impact of the
provision; and (3) discuss the process that FTC used to develop the model
summary of rights mandated by the FACT Act and the opinions of groups that
commented on the model summary.
To address these objectives, we obtained and analyzed information and
interviewed officials from groups that have a role in implementing section
609(e) and the FACT Act. Specifically, we contacted and obtained
information from representatives of FTC and five federal law enforcement
agencies, met with officials from the five federal banking regulators,
attempted to contact six organizations or individuals representing
business entities, held meetings with the three national credit reporting
agencies (CRAs), and met with five consumer advocacy groups identified as
being active on identity theft issues.6 We reviewed literature used in
outreach efforts, FTC's model summary of identity theft victim rights and
public comments on it, Web site information, and state identity theft laws
similar to the FACT Act. Appendix I contains a more complete description
of our scope and methodology. We conducted our work in Washington, D.C.,
and San Francisco from September 2004 through June 2005 in accordance with
generally accepted government auditing standards.
Results in Brief As of June 2005, a number of outreach efforts to
consumers, businesses, and local law enforcement agencies on identity
theft prevention and remediation by federal regulatory and enforcement
agencies and others were under way. We found that with a few
exceptions-notably efforts by the FTC, U.S. Postal Inspection Service,
International Association of Chiefs of Police, and National Credit Union
Administration-most of the outreach efforts we identified were designed to
provide general information on identity theft crimes and did not
specifically address section 609(e). At the time of our review, the
primary mechanism for providing consumers with information on their right
to obtain business records on potentially fraudulent transactions was the
mandated summary of rights that CRAs began distributing in January 2005 to
individuals who contacted them with concerns about identity theft. FTC
staff told us they began posting
6Companies that assemble consumer credit information and sell this
information are referred to as "consumer reporting agencies" by the
legislation governing credit reports. See FCRA, 12 U.S.C. S:S: 1681-1681x
as amended (2004). These companies are also referred to as "credit
bureaus," "credit reporting companies," and "credit reporting agencies."
information on section 609(e) on its web site at the time the FACT Act
took effect in June 2004. FTC staff also stated that the planned effort to
satisfy the December 2005 mandated public education campaign would be
broadly focused on all aspects of identity theft prevention and
remediation, including the provisions of section 609(e). A variety of
other interest groups, including businesses and their trade groups,
federal law enforcement agencies and banking regulators, and consumer
groups also told us that their outreach efforts on the FACT Act were just
beginning. We found that for the most part these agencies and groups
viewed FTC as having the primary responsibility for providing outreach on
the FACT Act and section 609(e).
Law enforcement agency officials and consumer advocacy group
representatives stated that section 609(e) should help victims remedy the
effects of identity theft. Law enforcement officials noted that the
provision would allow victims to build stronger cases that could prompt
local police agencies to open an investigation and added that the
information would be useful in identifying patterns or trends in identity
theft practices. Consumer advocacy groups told us that they believed that
the new provision should make local police more willing to take reports on
identity theft because these reports could be used to substantiate the
victim's access to information. However, one of the states we contacted
that has a similar identity theft law told us that the number of police
investigations or prosecutions of identity theft crimes had not increased
since the state law had been in effect. The officials cited workload and
other priorities that determine the types of investigations and
prosecutions law enforcement undertake. Some state agencies with similar
identity theft laws and some consumer advocacy groups had a few concerns
about the provision. Specifically, while they had no evidence that
demonstrated a problem, both state agencies and consumer advocacy groups
we contacted believed that the 30-day response time allowed under section
609(e) for businesses to provide victims with information was too long and
suggested that 2 weeks would be more reasonable. One state agency and a
consumer advocacy group stressed the importance of businesses providing
the requested information within the shortest time frame possible to allow
consumers to quickly clear their credit files and undo the damage caused
by identity theft. Officials from the two states that already had
provisions similar to section 609(e) told us that victims in those states
had generally been able to obtain business transaction information within
the shorter time frame. Additionally, some consumer advocacy groups were
concerned that the provision gave business entities the discretion to
require that consumers provide additional documentation to verify their
identity and identity theft
claims. These entities believed that a police report should be sufficient
evidence and questioned how much additional information businesses
actually needed. Finally, we were unable to obtain corresponding opinions
on the impact of this provision from businesses and trade associations.
Officials we spoke with generally had favorable views of the process FTC
used to develop the mandated model summary of identity theft victim rights
and stated that they felt that the model summary provided useful
information that should aid identity theft victims. FTC published its
final form of the model summary of identity theft victim rights on
November 30, 2004. CRAs told us that, as required by FTC's guidance, they
had begun distributing a "substantially similar" version of the model
summary to consumers who contacted them with a claim of identity theft
before January 31, 2005. In accordance with the FACT Act, FTC consulted
with the federal banking agencies during the development of the model
summary of rights. Specifically, FTC solicited and, according to federal
banking agency officials, substantially incorporated input from the
federal banking agencies on a draft version of the model summary of rights
before publishing a proposed version for public comment. Representatives
of the consumer groups we contacted identified two potential concerns:
first, that FTC had not required CRAs to provide a Spanish version of the
summary and second, that the text of the summary may be too technical or
difficult for the general public to understand. FTC staff stated that
while they had not required CRAs to provide a Spanish translation of the
model summary, the final version contained a statement in Spanish
directing consumers to FTC to obtain Spanish language information. It is
too early to determine the extent to which these potential concerns were
affecting identity theft victims.
We provided a draft of this report to the heads or designees of FTC,
Department of Justice, Federal Bureau of Investigation, Social Security
Administration, U.S. Postal Inspection Service, U.S. Secret Service,
Federal Deposit Insurance Corporation, Board of Governors of the Federal
Reserve System, Office of the Comptroller of the Currency, Office of
Thrift Supervision, and National Credit Union Administration for comment.
The agencies provided technical comments that are incorporated where
appropriate in the report.
Background The Identity Theft and Assumption Deterrence Act of 1998 made
identity theft a federal crime.7 Although FTC does not have the authority
to bring criminal cases, the act established FTC as the federal
clearinghouse for identity theft complaints. FTC is required to keep a log
of such complaints and to notify consumers that their complaints have been
received.8 In response to this requirement, in November 1999 FTC
established the Identity Theft Data Clearinghouse to gather information
from consumers who file complaints or inquire about identity theft. FTC
inputs this information into its Consumer Sentinel database, which is used
by more than 1,000 law enforcement agencies. According to FTC, the number
of identity theft complaints it has received has steadily risen each year-
climbing from 31,000 in 2000 to 247,000 in 2004. FTC staff noted that the
increase in reported instances of identity theft may in part reflect
enhanced consumer awareness and willingness to report such crimes.
However, not all identity theft victims contact FTC.
No single federal law enforcement agency has primary jurisdiction over
identity theft crimes. Identity theft is not typically a stand-alone crime
but rather a component of one or more crimes such as bank fraud, credit
card fraud, social program fraud, tax refund fraud, and mail fraud. For
example, a fraudster might steal another individual's personal identifying
information in one city and use the information to commit credit card
fraud and mail fraud in another city or state. Consequently, a number of
federal law enforcement agencies can have a role in investigating identity
theft crimes, including the Federal Bureau of Investigation (FBI),
Internal Revenue Service, U.S. Postal Inspection Service, U.S. Secret
Service, and the Social Security Administration's Office of the Inspector
General. The Department of Justice (DOJ) prosecutes federal identity theft
cases.
The FACT Act of 2003, among other things, strengthened victims' rights
with respect to identity theft and gave FTC and businesses a larger role
in dealing with identity theft crimes. The act also highlighted the need
for law
7Pub. L. No. 105-318, codified in part at 18 U.S.C. S: 1028. Under the
1998 act, it is a criminal offense if a person "knowingly transfers,
possesses, or uses, without lawful authority," another person's means of
identification "with the intent to commit, or to aid or abet, or in
connection with, any unlawful activity that constitutes a violation of
Federal law, or that constitutes a felony under any applicable State or
local law." 18 U.S.C.A S: 1028(a)(7) (West Supp. Oct. 2004).
8Pub. L. No. 105-318, S: 5(a)(1), 112 Stat. 3007, 3010 (1998) (codified at
18 U.S.C. S: 1028 note (2000).
enforcement agencies to assist victims in documenting their identity theft
crime. Section 609(e) requires business entities to provide victims of
identity theft with information on fraudulent business transactions-for
example, copies of applications for credit or records of purchases. In the
past, businesses have been reluctant to provide such information, fearing
their potential exposure to lawsuits for the inappropriate disclosure of
sensitive personal financial information. To address this concern,
Congress
added a provision protecting businesses from civil liability claims for
disclosing such information. In addition, the FACT Act reinforces the need
for police to assist victims in taking official reports. These reports can
then
be used to substantiate claims of identity theft when alleged victims
request, for example, copies of business records involving instances of
potential fraud.
The FACT Act also requires that FTC develop a model summary of rights
for consumers who believe that they are victims of identity theft
(see app. II). CRAs are required to provide a substantially similar
version of
the model summary of identity theft victim rights to any consumer who
"contacts a consumer reporting agency and expresses a belief that the
consumer is a victim of fraud or identity theft." As previously mentioned,
the act mandated that FTC launch a public campaign on how to prevent
identity theft by December 2005, but did not specifically require that
section 609(e) be included in the campaign.
Some Efforts to Increase Awareness of Section 609(e) Were Under Way as of June
2005
At the time of our review, some efforts to educate consumers, business
entities, and local enforcement officials about their rights and
obligations under section 609(e)-notably efforts undertaken by the FTC,
U.S. Postal Inspection Service, International Association of Chiefs of
Police, and National Credit Union Administration-were under way. We found
that while most of the federal agencies and law enforcement agencies and
other groups that we contacted were engaged in outreach related to
identity theft issues, those efforts generally did not have a component
specifically addressing section 609(e). In particular, FTC staff told us
that outreach for section 609(e) would be part of broader efforts to
educate the public, business entities, and law enforcement officials about
identity theft and FACT Act provisions and that outreach on 609(e) would
increase beginning in December 2005 as part of its public identity theft
campaign. As of June 2005, outreach efforts by a variety of interest
groups, including businesses and their trade groups, federal law
enforcement agencies, and banking regulators, were also just beginning.
Most of these groups saw FTC as having primary responsibility for
outreach.
FTC's Outreach Initiatives on the FACT Act Provisions Are Ongoing and
Expected to Increase
FTC staff told us that they have undertaken a number of outreach efforts
to educate the public, law enforcement, and others on the FACT Act,
including section 609(e). However, FTC staff explained that section 609(e)
is only one tool in the resources available to victims for remedying the
effects of identity theft and that FTC's first priority is to make those
affected aware of all of the relevant provisions contained in the FACT
Act. Since 2004, FTC in conjunction with federal law enforcement agencies
has cosponsored six conferences and presentations geared directly to local
law enforcement, which included a discussion on the FACT Act. In addition,
since January 2004 FTC has participated in more than 50 conferences,
seminars, and presentations on the FACT Act involving attorneys, bar
associations, business trade groups, financial institutions and state
regulators. FTC staff told us that these outreach efforts addressed
increasing the awareness of section 609(e) provisions, as appropriate to
the particular audience.
Other FTC outreach efforts on section 609(e) include links on FTC's Web
site at www.consumer.gov/idtheft to its model summary of identity theft
victim rights and other information on identity theft, a toll-free hotline
(1-877-IDTHEFT) offering counseling to help consumers who want or need
more information about dealing with the consequences of identity theft,
and FTC's Consumer Response Center and Distribution Office that provides
publications on identity theft, among other topics.9 For example, FTC
recently updated its identity theft booklet, renamed Take Charge: Fighting
Back Against Identity Theft, to incorporate the FACT Act requirements,
including section 609(e).10 Further, FTC has included section 609(e) in
the mandated summary of identity theft victim rights that the CRAs began
distributing in January 2005. At the time of our review, this summary was
the primary mechanism for providing consumers with information on their
right to obtain business records on potentially fraudulent transactions.
According to FTC staff, FTC's Web site on identity
9We reviewed FTC's Web sites on credit and identity theft at www.ftc.gov
and www.consumer.gov. FTC makes available printed copies of all its
publications through the Consumer Response Center and Distribution Office.
All publications from FTC are free.
10See page 8. This guidance, formerly titled ID Theft: When Bad Things
Happen to Your Good Name, is available at www.ftc.gov and
www.consumer.gov. The FACT Act required the FTC, in consultation with the
federal banking agencies and the National Credit Union Administration, to
develop a model form and procedures for consumers to use when informing
creditors and consumer reporting agencies that they are identity theft
victims. The model form and procedures are included in this guidance.
theft included links to section 609(e) as of its effective date of June 1,
2004, which was subsequently integrated into an updated identity theft Web
site. According to FTC staff, section 609(e) will also be incorporated
into the public education campaign that FTC is required by the FACT Act to
implement by December 2005 which will help increase outreach on the
provisions.
FTC staff told us that the agency has conducted outreach on privacy,
consumer reporting, identity theft, and related legislation and
regulations for several years and that the initiatives target consumers,
businesses, and law enforcement agencies. FTC conducts its identity theft
education campaign through its Web site, printed publications, conferences
and presentations, syndicated news articles and newscasts, training
sessions, communications with state attorneys general, and visits to high
school and college campuses. It also holds seminars for small businesses
that may not be active with trade groups. Additionally, the agency
provides counseling over the telephone to consumers who contact FTC with
complaints or inquiries about identity theft. FTC staff explained that the
agency attempts to leverage its resources to conduct outreach-that is, it
relies on consumers, law enforcement agencies, and businesses to spread
the relevant information it provides among one another.
FTC staff stated that the mandated public education campaign would build
upon and become a component of FTC's ongoing consumer and business
education campaigns. FTC staff stated that the mandated campaign will be
under way by the December 2005 deadline and will include coverage of
section 609(e). The staff told us that in terms of its identity theft
outreach to consumers, FTC's priority is for consumers to know that FTC is
the organization that consumers should contact if they need information or
assistance with identity theft problems. They added that requesting
business transaction records under section 609(e) is not the first step an
identity theft victim takes to restore his or her credit. According to FTC
staff, the campaign will focus on all aspects of identity theft prevention
and remediation as well as informing consumers, businesses, and law
enforcement agencies about the new rights and responsibilities discussed
in section 609(e) and other provisions that are useful to consumers. At
the time of our review, FTC could not provide us with information on the
exact extent of coverage that section 609(e) would receive in FTC's
outreach materials to consumers and businesses. FTC did provide us with a
copy of its identity theft public education solicitation dated June 1,
2005. According to the solicitation, one of the expected targets of the
campaign are identity
theft victims with the goal of assisting those victims in the recovery
process by teaching them the steps to take to reclaim their good names.
FTC plans to evaluate the effectiveness of the public outreach campaign
using various means. According to the solicitation, the program plan for
the public education campaign is expected to include strategies for
monitoring and evaluation of program results. FTC staff also told us that
they also intend to monitor and evaluate the results of this contract
through traffic to the identity theft Web site, publications distribution,
and identity theft complaints to the FTC.
Identity Theft Outreach Efforts by Others Are Also Under Way, but Few
Specifically Address Section 609(e)
We found that a variety of outreach efforts on identity theft were under
way or were being planned by businesses, trade groups, law enforcement
agencies, federal banking regulators, and consumer groups. We were able to
obtain only limited information on efforts undertaken by businesses and
their trade groups and associations. A few business trade group
representatives told us that they had been active in reaching out to their
constituents on identity theft issues through presentations and
newsletters. These representatives told us that it was likely that the
level of awareness among midsize and large business entities regarding the
FACT Act and section 609(e) was greater than among small businesses,
because larger businesses were more likely to belong to trade groups and
associations and to have more internal legal resources. The
representatives also told us that at the time of our review business
entities and their trade groups were focused on other issues likely to
have a more direct impact on their operations than section 609(e), such as
working with Congress on bankruptcy legislation, which was ultimately
passed and became law on April 20, 2005.11
Most of the federal law enforcement officials that we contacted had
general identity theft outreach efforts under way that included some form
of outreach on the FACT Act, although few specifically included
information that addressed section 609(e). Rather, most of these groups
focused on general identity theft prevention rather than on the section
609(e) provisions. Officials from one federal law enforcement agency
indicated that their identity theft outreach efforts that include FACT Act
provisions were in the initial stages of implementation. These efforts are
designed to
11Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, Pub. L.
109-8, 119 Stat. 23 (2005).
reach consumers, businesses, and law enforcement entities. For example, as
previously discussed, federal law enforcement agencies such as DOJ, FBI,
the U.S. Postal Inspection Service, and the Secret Service have held joint
conferences on identity theft, including a discussion of the FACT Act, and
invited local police to attend. As shown in figure 1, one effort that did
specifically address section 609(e) and was directed to law enforcement
agencies was an advertisement developed by the U.S. Postal Inspection
Service that prominently noted the new tools for law enforcement and new
rights of victims under the FACT Act, including section 609(e).
Figure 1: U.S. Postal Inspection Service Advertisement on Identity Theft
and the FACT Act
Source: U.S. Postal Inspection Service.
The International Association of Chiefs of Police (IACP) has also
specifically addressed section 609(e) in the information that it has
disseminated on identity theft.12 An IACP official told us that a lack of
awareness among local police departments of the new provision could make
it problematic for some identity theft victims to get local police
departments to take a police report. The IACP official also emphasized the
importance of ensuring that police were aware of the FACT Act and of their
responsibility to take reports to validate an identity theft claim. The
official added that local police were likely to become increasingly
involved in identity theft crimes because these officers are committed to
being responsive to the citizens within their communities. To address the
perceived lack of awareness among local police, the IACP featured articles
on identity theft and the FACT Act, including section 609(e), in its
January through April 2005 editions of Police Chief magazine.13 The IACP
official also stated that the association was in the process of finalizing
a national report on identity theft that would be released in print, on
the Internet, and on a CD, and would be featured at conferences. The
report will discuss policies and recommended procedures under current laws
and describe the responsibilities, including the FACT Act requirements, of
law enforcement.
While all of the federal banking regulators provided general identity
theft outreach, only the National Credit Union Administration specifically
addressed the section 609(e) provision in its identity theft outreach
efforts. Each of the regulator's general identity theft outreach included
conducting presentations, posting related information on their Web site,
and publishing identity theft literature or brochures. For example, the
Federal Deposit Insurance Corporation (FDIC) published materials such as
Consumer News, which featured articles on identity theft but did not
address the provisions of section 609(e).14 The only regulator that we
identified as having specifically addressed section 609(e) was the
National Credit Union Administration which issued a Regulatory Alert in
January 2005 informing
12According to its Web site, IACP is the world's oldest and largest
nonprofit membership organization of police executives, with more than
20,000 members in over 89 different countries. Its leadership consists of
the operating chief executives of international, federal, state, and local
agencies of all sizes. See http://www.theiacp.org.
13The online edition of Police Chief is available at
www.policechiefmagazine.org.
14See www.fdic.gov. An FDIC official also indicated that they plan to
remind financial institutions of their obligations under the provisions of
the FACT Act and section 609(e) at future outreach events.
credit unions about the FACT Act's provisions including section 609(e).15
Some officials noted that the Federal Financial Institutions Examination
Council (FFIEC) had recently formed an interagency task force, to among
other things, address how federal banking regulators could ensure that
regulated institutions were in compliance with the new requirements.16
These officials added that their agencies had not yet established any
outreach efforts specific to section 609(e) because they were waiting for
the results of the recently formed FFIEC task force, in order to avoid
duplicating the task force's efforts.
Some consumer groups we contacted maintained FACT Act information on their
Web sites and educated identity theft victims who contacted them in some
instances by providing telephone counseling and printed publications.
Officials from one consumer group acknowledged FTC's mandated campaign as
a key outreach tool and suggested that the campaign should also include
initiatives directed to businesses. These officials explained that it was
important that business entities understand their obligations and roles
under section 609(e). Specifically, the officials stated that these
initiatives should involve business groups such as the Better Business
Bureau, the U.S. Chamber of Commerce, the National Retail Federation,
state retailer associations, and TRUSTe(R).17 FTC staff told us that they
often use associations in their outreach as an effective method to help
spread information. The limited anecdotal information that FTC had on
victims who attempted to obtain business transaction records related to
identity theft suggested that not all businesses were aware of their
obligations under section 609(e). According to FTC staff, a few identity
theft victims had contacted FTC and reported that they were unable to
obtain business transaction records related to the theft of their
identity. According to FTC, these instances were caused primarily by
businesses' lack of knowledge about their obligations under the FACT Act.
Once FTC informed these business entities about their obligations, the
victims were able to obtain the necessary transaction records.
15National Credit Union Administration Regulatory Alert No. 05-RA-03,
January 2005.
16FFIEC is a formal interagency body empowered to prescribe uniform
principles, standards, and report forms for federal examination of
financial institutions by the Board of Governors of the Federal Reserve
System, FDIC, Office of Thrift Supervision, National Credit Union
Administration, and Office of the Comptroller of the Currency, and to make
recommendations to promote uniformity in the supervision of financial
institutions.
17See the TRUSTe(R) Web site at www.truste.org.
Most agencies and groups that we spoke with had done some general identity
theft outreach and had planned or already had under way a few efforts that
focused on section 609(e), but viewed FTC as having the primary
responsibility for providing outreach on the FACT Act, including section
609(e). FTC staff told us that they intend to evaluate the effectiveness
of FTC's mandated identity theft campaign, which will include the 609(e)
provisions, but emphasized that FTC's first priority is outreach to
consumers, businesses, and law enforcement on the FACT Act, an effort that
would occur over time. As a result, more time is needed to disseminate
information about the section 609(e) provisions and determine how useful
the provision is in helping victims correct their credit files and resolve
their cases.
Many Believe the New Provision Will Be Useful, but Some Potential Concerns
Were Identified
While not all identity theft victims will need section 609(e), FTC, law
enforcement agencies and consumer groups with whom we spoke believed that
the provision giving victims access to data on fraudulent business
transactions would help in resolving identity theft cases. In particular,
law enforcement agencies told us that the information would help victims
build stronger cases to present to law enforcement agencies and should
provide more of the data that are needed to identify patterns or trends in
identity theft practices. Noting that victims of identity theft often have
difficulty getting local police to take a report to help substantiate an
identity theft crime, consumer advocacy groups also told us that they
believed that the new provision should make filing these reports easier.
State agencies and consumer advocacy groups also identified some potential
concerns with the provision. Among these were the timeliness of the data
provided to victims and a concern that businesses could require excessive
documentation from victims to support an identity theft claim.
FTC, Law Enforcement Agencies and Consumer Groups Believe That the New
Provision Will Help Some Victims of Identity Theft
FTC staff told us that depending on the specific circumstances, not all
identity theft victims will need to assert their rights under section
609(e) but that section 609(e) would be extremely useful for those victims
who need additional documentation to support their disputes of fraudulent
accounts. Representatives from federal law enforcement agencies and IACP
said that it was too early to determine whether victims were finding it
easier to get local police to take identity theft reports and that local
law enforcement agencies might not yet be fully aware of the requirements
of this provision. But representatives of federal law enforcement agencies
and consumer advocacy groups said that the new provision should help
empower victims of identity theft by giving these victims access to data
on fraudulent business transactions that could help resolve the crimes.
The officials explained that before Congress created section 609(e),
victims had generally been unable to obtain data on fraudulent business
transactions because businesses feared being held liable for providing the
information. To address this concern, Congress established limitations in
the FACT Act provision so that businesses could not be held liable for
disclosing such information to victims.18 Representatives of businesses we
spoke to said that addressing the liability issue in the law had removed
the barrier to providing information on allegedly fraudulent transactions
to victims of identity theft. One consumer group told us that having
records of fraudulent business transactions, such as copies of checks or
signed applications for credit, would allow victims to prove that someone
else was responsible-for instance, by comparing signatures. Without these
records, victims may have no way of proving that the transactions were
fraudulent and could be forced to pay the bills themselves.
Officials from law enforcement agencies told us that as an added benefit,
victims would be able to gather more information on their cases that may
prompt law enforcement agencies into opening an investigation. In turn,
law enforcement officials could use that information to assess the nature
and scope of alleged crimes of identity theft. Additionally, law
enforcement officials anticipated that the information would help
investigators build cases more quickly and identify patterns or trends in
identity theft practices. For instance, the information could help
identify the frequency of certain types of fraud and the locations being
targeted, allowing investigators to better determine whether individual
crimes were part of a larger operation. However, federal and state law
enforcement officials pointed out that having more information might not
necessarily lead to an increase in prosecutions. In fact, one of the
states we contacted that had a similar identity theft law told us that the
number of police investigations or prosecutions of identity theft crimes
had not increased since the state law had been in effect. The officials
explained that workloads and other priorities often determined the types
of investigations and prosecutions law enforcement undertake.
18Section 609(e)(7) of the amended FCRA. No business entity may be held
civilly liable under any provision of federal, state, or other law for
disclosure, made in good faith pursuant to this subsection.
Consumer Advocacy Groups Anticipated That the New Provision Would Make
Obtaining a Local Police Report Easier for Victims
Consumer advocacy groups we interviewed noted that in the past, victims of
identity theft sometimes had difficulty getting local police to take
reports about the crimes, although police reports help substantiate
victims' claims. As we reported in 2002, getting local police to file a
police report is a critical first step in being able to investigate the
crime and in undoing the impacts of identity theft.19 The consumer
advocacy groups noted that the new provision will increase pressure on
local police to take reports because these reports can play a key role in
verifying the identity theft victim's right to access information. These
groups pointed out that in California, which has a similar identity theft
law already in place, local police who were aware of their obligations
under the state law were more likely to take identity theft reports. One
consumer advocacy group told us they expect a similar outcome with the
FACT Act provision. Additionally, officials from the two states-California
and Washington-that have enacted similar identity theft laws agreed that
since their laws had been in place, police had generally been more willing
to take reports from identity theft victims. Officials from one of the
states told us that law enforcement agencies there had also been more
active in discussing identity theft issues.
Representatives of a consumer advocacy group and law enforcement agencies
acknowledged that the overall number of police reports charging identity
theft crimes was increasing but noted that it was difficult to attribute
this increase to any one cause, including the FACT Act. For instance, one
consumer advocacy group we spoke with attributed the increasing
willingness of local police to take these reports to the fact that
identity theft was a growing problem and that the public was generally
more aware of it. Officials from law enforcement agencies also pointed out
that the difficulty of filing local police reports was only one of the
frustrations victims of identity theft faced. For example, the amount of
time required to clean up credit and the lack of criminal prosecutions for
these crimes are even more frustrating for victims, and both of the issues
remain unresolved.
19GAO, Identity Theft: Greater Awareness and Use of Existing Data Are
Needed, GAO-02766 (Washington, D.C.: June 28, 2002).
Some State Agencies and Consumer Groups Had Reservations aboutPortions of
the New Provision
Representatives of state agencies and consumer advocacy groups with whom
we spoke identified two potential concerns about the provision. First, the
provision gives businesses 30 days from the date of a victim's request to
provide information on fraudulent business transactions-a time period that
some feel is too long. For instance, officials from one state agency and a
consumer advocacy group we spoke to stressed the importance of providing
information quickly so that victims could begin clearing their credit
files and resolving their cases. Several of those we spoke with
recommended 2 weeks as a more reasonable length of time for victims to
gain access to records and pointed out that states such as California and
Washington, which have similar identity theft laws, ask business entities
to respond faster. California's privacy laws require that businesses
respond within 10 business days of receiving the person's request (which
must include a copy of the police report and identifying information).
Washington's identity theft law does not specify a time frame for
responding to requests for records, but state officials stated that
business entities are encouraged to respond within a reasonable amount of
time. State officials from both California and Washington noted that
victims in their respective states had generally been able to obtain data
on fraudulent business transactions within their respective time frames.
In contrast, business entities we spoke with believed that there could be
complicated situations in which it might be difficult to respond within
the 30-day time period. Additionally, representatives from two law
enforcement groups said that the 30-day time period appeared to be
reasonable. They explained that businesses might need the time to review
the request and verify a victim's identity and added that the 30 days
could reflect the reality of running a business with competing priorities.
FTC staff said that although they did not know how long businesses were
taking to respond to victims, it would be unfortunate if businesses were
in fact taking the full 30 days. While these officials agreed that victims
needed to obtain information promptly in order to resolve their cases,
they noted that the 30-day time period had been established to give
businesses additional time to respond to requests if needed. Because the
law affects a wide range of businesses, the officials told us, it must
allow for a wide range of circumstances.
Consumer advocacy groups were also concerned with the discretion the
provision gives to businesses to request additional documentation- beyond
a police report-as proof of a victim's claim of identity theft. Under the
provision, businesses may require victims to provide a copy of a
standardized affidavit of identity theft or an acceptable affidavit of
fact as
well as a police report.20 FTC, in conjunction with credit grantors and
consumer advocates, has developed the Identity Theft Affidavit, a standard
form victims can use to report information on, for example, fraudulent
accounts that have been opened. The affidavit of fact is a business' own
form used by a victim for documenting alleged identity theft. However,
consumer groups we spoke with said that a police report should be
sufficient evidence to verify an identity theft claim and questioned the
amount of information businesses actually needed. Representatives of CRAs
also pointed out that a broad range of what could be characterized as
identity theft reports existed. These representatives explained that any
law enforcement group, whether civil or criminal, could take an identity
theft report, raising concerns about the consistency of the information
being reported and the possibility that the credit repair industry could
misuse it.21
Additionally, officials in California and Washington told us that victims
of identity theft in their states had experienced difficulties trying to
obtain data on fraudulent business transactions immediately after their
state laws were enacted. The officials attributed the initial difficulties
to the fact that businesses were probably not aware of the new statutes.
Officials in California told us that they had developed a template for a
letter that victims could send to businesses. The letter provides
information both on the law and on penalties for noncompliance and had
been effective in getting businesses to comply. Officials in Washington
told us that they had provided education to consumers, businesses, and the
law enforcement community early on. For instance, the business community
was involved in disseminating information on the requirements of the law,
and a law enforcement "tool kit" was developed that provided information
on the law and criminal provisions.
As mentioned earlier, we were only able to obtain opinions from a limited
number of businesses or industry representatives, including trade
associations, on the experiences of businesses in complying with section
609(e) or the expected impact of this provision. Several of the national
business and industry representatives we contacted declined our requests
20Section 609(e)(2)(B) of the amended FCRA. As proof of a claim of
identity theft, a business may require a copy of a police report
evidencing the claim of the victim of identity theft, a copy of FTC's
standardized affidavit of identity theft, or an acceptable affidavit of
fact.
21Credit reporting agency representatives were concerned that there may be
instances in which certain consumer credit information is blocked under
the pretense of alleged identity theft in an effort to improve a
consumer's credit standing.
for comments because they had limited information to share with us on the
likely extent of awareness within the business community on this
provision. While we did manage to gather some opinions from a few
businesses and associations, the information obtained was extremely
limited.
FTC staff told us that as part of their overall FACT Act outreach efforts,
they intend to monitor the implementation of section 609(e) to determine
whether any additional efforts are necessary to ensure that the provision
is working as Congress intended. They also stated that they would use
their law enforcement authority as appropriate if they determined that a
business or businesses were not complying with the provisions of section
609(e).
FTC's Model Summary of Rights Process Has Generally Been Viewed Favorably
Officials and representatives of federal agencies and consumer groups we
contacted believe that the FTC's new summary of rights will be useful to
victims of identity theft. As mandated by the FACT Act, FTC published its
final summary of rights in November 2004, and CRAs began distributing a
version of the summary to consumers in January 2005. Federal banking
agencies spoke favorably of FTC's process for soliciting comments while
the agency was developing the model summary. However, some consumer groups
told us that they still had some potential concerns with the final
document. These potential concerns included the lack of a requirement that
CRAs make the summary available in other languages, specifically Spanish,
and the general readability of the summary. In response to these potential
concerns, FTC stated that while CRAs are not required to provide the
summary in other languages, FTC's consumer model summary does contain a
statement in Spanish directing consumers to FTC to obtain additional
information. FTC has made a Spanish version available on its identity
theft Web site. FTC also stated that it had tried to use plain language in
the summary, and it recognized the need for additional outreach efforts.
We also noted that overall FTC's final summary was more concise and used
shorter sentences than its draft summary, resulting in a document that we
found generally easy to read.
Federal Banking Regulators On November 30, 2004, FTC published its final
version of the model
Had a Favorable View of summary of identity theft rights as mandated by
the FACT Act (see app. II).
FTC's Process of Developing The summary highlights the major rights FCRA
provides to identity theft
the Model Summary
victims seeking to remedy the effects of fraud or identity theft. These
include
o the right to obtain free file disclosures,
o the right to file fraud alerts,22
o the right to obtain documents or information relating to transactions
involving the consumers' personal information, and
o the right to prevent consumer reporting agencies from reporting
information that is the result of identity theft.
As outlined in FTC's guidance, CRAs were to begin distributing by January
31, 2005, a "substantially similar" version of FTC's summary to consumers
who believed they had been victims of fraud or identity theft. According
to representatives with whom we spoke, these agencies had begun
distributing their summaries of identity theft victim rights before this
date. The representatives also noted that the summaries distributed were
very similar to the FTC's model summary of rights.
Under the FACT Act, the FTC was required to consult with the federal
banking agencies and the NCUA in preparing the model summary of consumers'
rights. Federal banking agency officials told us that FTC had effectively
promoted collaboration among the regulators in developing the summary of
identity theft rights. Federal banking agency officials also stated that
FTC solicited comments on two draft versions. The officials told us that
although they did not have substantive concerns with either version, they
did provide editorial comments. These officials said that they suggested,
among other things, avoiding technical terms, using fewer acronyms,
shortening sentences, and in general focusing on keeping the summary easy
to read by using simple English. Additionally, the federal banking agency
officials stated that FTC had substantially incorporated the agencies'
input.
22According to the FTC Web site, a fraud alert requests creditors to
contact the consumer before opening any new accounts or making any changes
to existing accounts. Once a fraud alert has been confirmed by one
nationwide CRA, the other two nationwide agencies are automatically
notified and requested to do the same.
Officials of law enforcement agencies and representatives of consumer
groups whom we contacted believed that the summary should provide useful
information for victims of identity theft. For instance, officials from
two law enforcement agencies stated that the model summary would be a
significant aid to victims. The officials explained that in the past
victims had often felt helpless because of the limited avenues available
to them in resolving their cases. With the summary of rights, however,
victims can learn about concrete steps they can take to help themselves.
Similarly, consumer advocacy groups believed that the summary of rights
contained information that would be useful to victims of identity theft
and added that the document would be among the most important tools in
implementing the changes to the FACT Act. These groups also stated that
FTC's model summary of rights would be useful in setting the standards for
efforts by media and nongovernmental organizations to educate consumers
about their credit reporting rights in general.
Some Consumer Groups Remain Concerned about the Availability of Translations
and about Readability
Some consumer advocacy groups we spoke with identified two potential
concerns with FTC's final model summary of rights.23 First, these groups
pointed out that FTC did not require CRAs to make the model summary of
rights available in other languages, primarily Spanish, and that access to
bilingual information was especially important to those persons whose
dominant or sole language is Spanish. According to these groups, the
Census 2000 figures indicate that nearly 19.6 million U.S. citizens
between the ages of 18 and 64 spoke Spanish and that one-third of this
group spoke English "not well" or "not at all." FTC staff told us that
while the CRAs were not required to provide a copy of the summary in other
languages, the final summary did contain a Spanish statement telling
consumers to contact the FTC for information in Spanish and giving both
the agency's mailing and Web site addresses. A Spanish translation of the
summary of rights is available on FTC's identity theft Web site. Finally,
FTC staff told us that FTC targets certain populations in its ongoing
public outreach efforts and expects to continue to do so in the context of
its mandated public campaign on identity theft prevention.
The three nationwide CRAs we contacted provided us with copies of their
summaries of rights for identity theft victims that the agencies had begun
23The Federal Trade Commission published for public comment two summaries
of rights under FCRA and two notices of duties under FCRA, as required by
FCRA Section 609 and 607, respectively. See 69 Fed. Reg. 42616 n. 136
(July 16, 2004).
distributing to consumers in January 2005. Only one of the agencies had
made a summary of rights available in Spanish; the other two had placed a
Spanish statement similar to FTC's on their summaries directing consumers
to FTC for information in Spanish. Officials from the CRAs told us that
they distributed the model summary of rights to consumers who notified
them of potential identity theft and not, in general, to every consumer
who contacted them.
Second, consumer advocacy groups were concerned that the model summary
would not be easy to read and understand. A comment letter to the FTC from
nine consumer advocacy groups said that the model summary of rights should
be tested for readability before it was finalized to ensure that it could
be easily understood by all consumers, including those with limited
education and those who did not speak English as their primary language.
The letter stated that having a readable summary was vital to ensuring
that consumers were aware of their rights with respect to identity theft,
especially those consumers who might not be familiar with the financial
services world. One consumer group we spoke with also stressed that
readability, which includes the organization of the document and format,
was important for any public message. In response to the comments the
agency received, FTC's final rule stated that the agency had tried as far
as possible to use plain language in the summary and agreed that the
notices needed to be supplemented by outreach efforts, which the agency
said it intended to undertake. FTC staff also told us that while they did
not have the document reviewed by a private readability expert, they did
have the document reviewed internally for presentation and clarity by
FTC's Office of Consumer and Business Education.
In our review of FTC's draft and final summary of identity theft rights,
we found that overall FTC's final summary was more concise and used
shorter sentences than its draft summary. Several of the comments to FTC
had suggested streamlining the information to improve the clarity of the
document. As a result, the final summary was generally easy to read.
Conclusions Section 609(e) is intended to help victims of identity theft
obtain access to data on fraudulent business transaction records that
could help in repairing the damage, financial and otherwise, that crimes
of identity theft can inflict. However, because section 609(e) has been in
effect only a short time (since June 2004), it is too soon to assess the
effectiveness of the provision. Because efforts to alert consumers,
business entities, and local law enforcement agencies on their rights and
responsibilities under section
609(e) were in their early stages, it is also too soon to determine the
extent of the awareness and use of section 609(e) by these groups. The
FACT Act mandates that FTC conduct outreach on identity theft prevention,
and most of the groups we contacted felt that FTC should have primary
responsibility on identity theft issues. FTC is in a unique position
because it already has an existing dialogue with the critical groups
involved in section 609(e) through its ongoing outreach efforts on
identity theft issues, its interaction with consumers who use its identity
theft hotline and consumer complaint database, and its mandated campaign
on identity theft prevention. In contrast, no other agency or group
maintains public outreach efforts that are as far reaching as the FTC's.
FTC intends to assess the effectiveness of its mandated identity theft
campaign which will include coverage of section 609(e). Such an assessment
would be useful as a means of determining the extent that consumers,
businesses, and local law enforcement agencies are aware of their rights
and obligations under section 609(e), the extent of any implementation
issues, and whether the new provision is helping consumers as intended to
remedy the effects of identity theft.
Similarly, experience with victims who have attempted to obtain business
records is limited by the short period of time that has elapsed since the
act went into effect. It is too early to assess the actual impact of
section 609(e) on consumers' ability to get business records relating to
suspected fraudulent transactions. While consumer groups and state
agencies identified some potential problems with the provision, additional
experience and input from identity theft victims will be needed to
determine whether these concerns prove to be valid and what, if any, other
issues may arise.
While FTC's process for developing its mandated model summary of identity
theft victim rights was viewed favorably and CRAs had begun distributing a
similar version of the summary to consumers, some potential concerns with
the summary of rights were noted. These potential concerns center
primarily on the limited availability of a Spanish version of the summary
of rights and, to a lesser extent, on the clarity of the summary of rights
to the general population. While it is too early to determine the extent
of any implementation issues, FTC efforts to monitor the implementation of
section 609(e) should provide additional information on the usefulness of
the summary of rights in aiding identity theft victims.
We are sending copies of this report to interested congressional
committees and subcommittees; the Chairman, FTC; the Attorney General; the
Director, FBI; the Secretary of Homeland Security; the Commissioner,
Social Security Administration; the Chief Postal Inspector, U.S. Postal
Inspection Service; the Director, U.S. Secret Service; the Chairman,
Federal Deposit Insurance Corporation; the Chairman, Board of Governors of
the Federal Reserve System; the Acting Comptroller of the Currency; the
Acting Director, Office of Thrift Supervision; the Chairman, National
Credit Union Administration; and the Secretary of the Treasury. We will
make copies available to others upon request. In addition, the report will
be available at no charge on the GAO Web site at http://www.gao.gov.
If you have any questions concerning this report, please contact me at
(202) 512-8678 or [email protected]. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. Other staff who contributed to this report are Harry
Medina, Tania Calhoun, Heather Dignan, and Janet Fong.
Richard J. Hillman Director, Financial Markets
and Community Investment
Appendix I
Objectives, Scope, and Methodology
Our reporting objectives were to (1) provide information on outreach
efforts to consumers, businesses, and local law enforcement agencies on
the provision in the Fair and Accurate Credit Transactions (FACT) Act of
2003 that allows identity theft victims to obtain business records
relating to fraudulent transactions; (2) describe the views and opinions
of relevant federal agencies, private business entities, and consumer
groups regarding the expected impact of the provision; and (3) discuss the
process used by the Federal Trade Commission (FTC) to develop the model
summary of rights of identity theft victims mandated in the FACT Act and
examine the opinions of related groups on this process.
To address all three objectives, we
o contacted representatives of FTC and five federal law enforcement
agencies that are involved in the investigation and prosecution of
identity theft crimes-Department of Justice, Federal Bureau of
Investigation, Social Security Administration, U.S. Postal Inspection
Service, and U.S. Secret Service-and the International Association of
Chiefs of Police, which includes the heads of police departments around
the country and abroad;
o met with officials of the five federal banking regulators-Board of
Governors of the Federal Reserve System, Federal Deposit Insurance
Corporation, National Credit Union Administration, Office of the
Comptroller of the Currency, and Office of Thrift Supervision- regarding
compliance by federally insured depository institutions with the FACT Act
provision and their interaction with consumers on identity theft issues;
o spoke with representatives of the three national credit reporting
agencies (CRAs)-Experian, Equifax, and Transunion-which play a key role in
distributing the summary of identity theft victim rights and in helping
identity theft victims correct their credit records;
o held meetings with representatives of two states-California and
Washington-that had previously enacted identity theft laws with provisions
similar to the section 609(e) to obtain their views on the expected
effectiveness of the federal provision;
o contacted five consumer advocacy groups-Consumers Union, Identity Theft
Resource Center, National Consumer Law Center, Privacy Rights
Clearinghouse, and U.S. Public Interest Research Group-that were
Appendix I
Objectives, Scope, and Methodology
identified as being active in identity theft issues to obtain their views
and perspectives as representatives of consumers and identity theft
victims; and
o obtained limited information from a few businesses and trade
associations on these subjects. Specifically, we contacted officials from
state retailers' associations in California, Florida, and Texas, as well
as the Coalition to Implement the FACT Act which represents a range of
trade associations and business entities that furnish and use consumer
information, including financial services companies and retail
associations. We also attempted to contact other businesses and
associations through other groups such as the U.S. Chamber of Commerce and
a private consultant. However, these businesses and associations declined
to offer comments, in some cases citing their limited exposure to these
provisions.
For all the groups that we contacted, we reviewed information pertaining
to identity theft and the FACT Act that was available to consumers on
their Web sites. We obtained and examined information associated with
their outreach programs. However, we did not perform test callings of
FTC's identity theft hotline to determine how the FACT Act provisions had
been incorporated. We also did not interview identity theft victims.
Additionally, to describe the process FTC used to develop the model
summary of rights of identity theft victims required by the FACT Act and
the views of groups that commented on the process, we reviewed a variety
of documents from the agency and other sources. These documents included
FTC's draft and final versions of the model summary, final guidance on
model disclosures, public comment letters FTC received on the draft, and
other summaries of identity theft victims' rights created by the CRAs. We
conducted our work in Washington, D.C., and San Francisco, California,
from September 2004 through June 2005 in accordance with generally
accepted government auditing standards.
Appendix II
Reprint of FTC's Model Summary of Identity Theft Victim Rights
Para informacion en espanol, visite www.consumer.gov/idtheft o escribe a
la FTC, Consumer Response Center, Room 130-B, 600 Pennsylvania Avenue,
N.W. Washington, D.C., 20580.
Remedying the Effects of Identity Theft
You are receiving this information because you have notified a consumer
reporting agency that you believe that you are a victim of identity theft.
Identity theft occurs when someone uses your name, Social Security number,
date of birth, or other identifying information, without authority, to
commit fraud. For example, someone may have committed identity theft by
using your personal information to open a credit card account or get a
loan in your name. For more information, visit www.consumer.gov/idtheft or
write to: FTC, Consumer Response Center, Room 130-B, 600 Pennsylvania
Avenue, N.W. Washington, D.C., 20580.
The Fair Credit Reporting Act (FCRA) gives you specific rights when you
are, or believe that you are, the victim of identity theft. Here is a
brief summary of the rights designed to help you recover from identity
theft.
1. You have the right to ask that nationwide consumer reporting agencies
place "fraud alerts" in your file to let potential creditors and others
know that you may be a victim of identity theft. A fraud alert can make it
more difficult for someone to get credit in your name because it tells
creditors to follow certain procedures to protect you. It also may delay
your ability to obtain credit. You may place a fraud alert in your file by
calling just one of the three nationwide consumer reporting agencies. As
soon as that agency processes your fraud alert, it will notify the other
two, which then also must place fraud alerts in your file.
o Equifax: 1-800-525-6285; www.equifax.com
o Experian: 1-888-EXPERIAN (397-3742); www.experian.com
o TransUnion: 1-800-680-7289; www.transunion.com
An initial fraud alert stays in your file for at least 90 days. An
extended alert stays in your file for seven years. To place either of
these alerts, a consumer reporting agency will require you to provide
appropriate proof of your identity, which may include your Social Security
number. If you ask for an extended alert, you will have to provide an
identity theft report. An identity theft report includes a copy of a
report you have filed with a
Appendix II
Reprint of FTC's Model Summary of Identity
Theft Victim Rights
federal, state, or local law enforcement agency, and additional
information a consumer reporting agency may require you to submit. For
more detailed information about the identity theft report, visit
www.consumer.gov/idtheft.
2. You have the right to free copies of the information in your file (your
"file disclosure"). An initial fraud alert entitles you to a copy of all
the information in your file at each of the three nationwide agencies, and
an extended alert entitles you to two free file disclosures in a 12-month
period following the placing of the alert. These additional disclosures
may help you detect signs of fraud, for example, whether fraudulent
accounts have been opened in your name or whether someone has reported a
change in your address. Once a year, you also have the right to a free
copy of the information in your file at any consumer reporting agency, if
you believe it has inaccurate information due to fraud, such as identity
theft. You also have the ability to obtain additional free file
disclosures under other provisions of the FCRA. See www.ftc.gov/credit.
3. You have the right to obtain documents relating to fraudulent
transactions made or accounts opened using your personal information. A
creditor or other business must give you copies of applications and other
business records relating to transactions and accounts that resulted from
the theft of your identity, if you ask for them in writing. A business may
ask you for proof of your identity, a police report, and an affidavit
before giving you the documents. It also may specify an address for you to
send your request. Under certain circumstances, a business can refuse to
provide you with these documents. See www.consumer.gov/idtheft.
4. You have the right to obtain information from a debt collector. If you
ask, a debt collector must provide you with certain information about the
debt you believe was incurred in your name by an identity thief - like the
name of the creditor and the amount of the debt.
5. If you believe information in your file results from identity theft,
you have the right to ask that a consumer reporting agency block that
information from your file. An identity thief may run up bills in your
name and not pay them. Information about the unpaid bills may appear on
your consumer report. Should you decide to ask a consumer reporting agency
to block the reporting of this information, you must identify the
information to block, and provide
Appendix II
Reprint of FTC's Model Summary of Identity
Theft Victim Rights
the consumer reporting agency with proof of your identity and a copy of
your identity theft report. The consumer reporting agency can refuse or
cancel your request for a block if, for example, you don't provide the
necessary documentation, or where the block results from an error or a
material misrepresentation of fact made by you. If the agency declines or
rescinds the block, it must notify you. Once a debt resulting from
identity theft has been blocked, a person or business with notice of the
block may not sell, transfer, or place the debt for collection.
6. You also may prevent businesses from reporting information about you to
consumer reporting agencies if you believe the information is a result of
identity theft. To do so, you must send your request to the address
specified by the business that reports the information to the consumer
reporting agency. The business will expect you to identify what
information you do not want reported and to provide an identity theft
report.
To learn more about identity theft and how to deal with its consequences,
visit www.consumer.gov/idtheft, or write to the FTC. You may have
additional rights under state law. For more information, contact your
local consumer protection agency or your state attorney General.
In addition to the new rights and procedures to help consumers deal with
the effects of identity theft, the FCRA has many other important consumer
protections. They are described in more detail at www.ftc.gov/credit.
GAO's Mission
Obtaining Copies of GAO Reports and Testimony
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Contact:
Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected] Programs Automated answering system: (800)
424-5454 or (202) 512-7470
Gloria Jarmon, Managing Director, [email protected] (202)
512-4400Congressional U.S. Government Accountability Office, 441 G Street
NW, Room 7125 Relations Washington, D.C. 20548
Public Affairs Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
PRINTED ON RECYCLED PAPER
*** End of document. ***