1.) What are the major changes or proposed changes to FACTA?
The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights are included in FACTA. The following summary of major changes contains excerpts from an analysis of FACTA provided by the National Consumer Law Center.
I. Identity Theft Prevention
A. One-call fraud alerts
Consumers are able to issue one-call fraud alerts, extended fraud alerts, and active military duty alerts. FACTA adds a new section to the FCRA that provides for three varieties of alerts that consumers may add to their files with nationwide consumer reporting agencies; they differ in their initiation requirements, time periods, and limits on users. However, all three require the agency receiving the alert to refer it to the other nationwide agencies which allows consumers to issue the alert to all the agencies with “one call.”
B. Creditors to implement red-flag guidelines and regulations.
Another new identity theft prevention provision calls for the FTC, the NCUA, and specified banking agencies to issue regulations that will require financial institutions and creditors to “establish reasonable policies and procedures” for implementing to-be-issued “red flag” guidelines regarding identity theft.
C. Businesses must provide identity theft victims with business transaction information.
The revised FCRA requires businesses who have dealt with an identity thief to provide information about the transactions to the thief’s victim and to law enforcement agencies.
D. Businesses must protect certain consumer information.
FACTA adds two provisions that seek to protect key consumer information. Section 605 will require merchants to shorten credit and debit card numbers on electronically printed receipts (though with delayed and staggered effective dates). Section 609 will now allow consumers requesting a report to order the agency to withhold the last 5 digits of the consumer’s social security number on the report.
II. Credit History Restoration
A. Agencies must block identity-theft-related information.
FACTA adds a new section, 605B, to the FCRA that requires agencies to block identity-theft related information within 4 days of receiving specified information: proof of the consumer’s identity, a copy of an identity theft report, the consumer’s identification of the fraudulent information, and the consumer’s statement that the information does not relate to any transaction by the consumer.
B. Furnishers must cease furnishing identity-theft-related information.
As noted above, agencies must block information that a consumer properly identifies as resulting from identity theft and must notify the furnisher of consumer information of the false information of the block.
C. Furnishers may not sell or place identity theft debt for collection.
Once a furnisher has been notified that an agency has blocked a consumer’s information as having resulted from identity theft, the furnisher may not sell or transfer the debt or place it for collection.
D. Debt collectors must notify creditors of fraudulent debt.
FACTA imposes new notification responsibilities on debt collectors; once a consumer notifies a debt collector that a debt may be fraudulent or may have resulted from identity theft, the debt collector must notify the creditor of that allegation and must provide the consumer with all information about the debt to which the consumer would be entitled if the consumer were in fact the liable party.
E. Agencies to provide FTC’s summary of rights of identity theft victims.
The FTC is to prepare a summary of the new rights of identity theft and fraud victims under the FCRA which agencies must provide to any victim who contacts an agency about such theft or fraud.
F. Agencies must coordinate complaints.
Another credit history restoration feature, described above in the discussion of the new fraud alerts, requires a nationwide consumer reporting agency that receives a consumer’s complaint of identity theft or request for a fraud alert to notify the other nationwide agencies.
III. Information Accuracy
A. Agencies to issue new accuracy and integrity regulations for furnishers.
The agencies that enforce the FCRA will establish guidelines for furnishers regarding the accuracy and integrity of furnished information and will issue regulations requiring furnishers to establish reasonable policies and procedures for implementing those guidelines. However, consumers may not privately enforce these new responsibilities and states are preempted from regulating the subject matter of the provision.
B. Consumers may dispute furnished information directly with the furnisher.
The prior version of the FCRA had no provision by which a consumer could dispute an inaccurate item of information directly with the furnisher; rather, the consumer had to dispute the item with the agency which the FCRA then required to notify the furnisher.
C. Furnishers to comply with new standard in reporting information.
The prior version of the FCRA prohibited a furnisher from reporting to agencies information that it “[knew] or consciously avoid[ed] knowing” was inaccurate.87 Now a furnisher may not report information that it “knows or has reasonable cause to believe” is inaccurate.
D. Financial institution furnishers to notify customers of negative information.
The FCRA now requires a financial institution to notify a customer that it is furnishing negative information about that customer;92 however, financial institutions may take advantage of a safe harbor provision.
E. Debt collectors must use creditor’s date of account delinquency.
The FCRA now provides rules regarding the date of an account’s delinquency for reporting purposes and specifies how debt collectors should designate the date to ensure that the date of delinquency precedes the date the creditor placed the account for collection,100 which should curb the reporting of obsolete information.
F. Agencies must notify furnishers of reinvestigation results.
Now an agency that reinvestigates an item of information upon a consumer’s dispute must notify the furnisher that furnished the information if the agency deletes or modifies it from the consumer’s file because the agency found it to be inaccurate, incomplete or unverifiable.
G. Furnishers must block unverifiable information.
Under the prior version of the FCRA, once an agency notified a furnisher that a consumer disputed information that the furnisher had reported to the agency, the furnisher had to reinvestigate that item and report the results of the investigation back to the agency.
H. Resellers must reinvestigate information disputed by consumer.
Resellers must now investigate a consumer’s dispute made to the reseller, and if the reseller determines that the information is incomplete or inaccurate as a result of the reseller’s act or omission, the reseller must correct or delete the information within 20 days.
I. Agencies must reinvestigate upon notice from reseller.
The FCRA extends the responsibilities of agencies to reinvestigate consumer information by requiring them to reinvestigate upon notice from a reseller that a consumer has disputed the item;108 the agency must then report the results of its reinvestigation back to the reseller, who must then reconvey the results back to the consumer.
J. Agency’s reinvestigation must be “reasonable.”
Accordingly, the FCRA now explicitly provides that the reinvestigation of information must be reasonable, a standard lower than that of § 607’s “reasonable procedures to assure maximum possible accuracy” which applies to the initial preparation of the consumer report.
IV. Free Credit Reports
A. Agencies must provide consumers with a free annual credit report.
Consumers now have a right to a free annual credit report from nationwide and nationwide specialty consumer reporting agencies.
B. Agencies must provide free reports to fraud victims.
An independent provision of FACTA allows a consumer who requests a one-call fraud alert to obtain a free copy of the consumer’s report from each of the nationwide consumer reporting agencies.
V. Credit Scores
A. Agencies and mortgage lenders must disclose credit scores and related information.
The FCRA now requires agencies to disclose to a consumer the consumer’s credit score, the range of possible scores under the scoring model, the key factors that adversely affected the score, the date the score was created, and the source of the credit score or the file that produced the score.
B. Agencies must provide FTC’s summary of rights.
The FCRA now requires agencies to give consumers the FTC’s summary of rights to dispute information and obtain credit scores.
VI. Medical Information
VI. Agencies further restricted from furnishing consumer reports containing medical information.
The revised Act continues to prohibit agencies from furnishing a report for employment purposes or in connection with a credit or insurance transaction that contains medical information without the consumer’s consent.
B. Agencies may not identify medical information furnishers in reports.
Agencies are now prohibited from including the name, address, and telephone information of medical information furnishers in consumer reports unless the agency formats the information such that it does not disclose either the specific provider or the nature of the medical services, though the agency may provide such information in a report to an insurance company.
C. Creditors may not obtain or use consumer medical information.
Creditors may no longer obtain or use a consumer’s medical information in connection with any determination of the consumer’s eligibility of continued eligibility for credit.
D. Certain medical information communicated to an affiliate now considered a consumer report.
The FCRA generally excludes from the definition of consumer report communications to affiliates; as amended, however, communications of medical information to affiliates that would otherwise meet the definition of a “consumer report” will remain consumer reports (and therefore protected by the FCRA) if the information consists of one of the following:
Medical information, as defined;
An individualized list or description based on the consumer’s payment transactions for medical products or services; or
An aggregate list of identified consumers based on payment transactions for medical products or services.
E. Medical information furnishers must notify agencies of their status.
In order to help agencies implement the revised restrictions on medical information, persons in the business of providing medical services, products, or devices and who furnish information to agencies must notify the agencies of their status as medical information furnishers.
2.) How will these changes impact businesses?
All businesses must be more cautious about how they secure personal information of employees and consumers. The failure to do so may result in lawsuits or penalties being assessed by the FTC. The FTC recommends that businesses take the following actions regarding consumer report information:
1) burn, pulverize, or shred paper documents so that the information cannot be read or reconstructed;
2) destroy or erase electronic files or media so that the information cannot be read or reconstructed;
3) conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information. Due diligence could include: reviewing an independent audit of a disposal company's operations and/or its compliance with the FACTA; obtaining information about the disposal company from several references; requiring that the disposal company be certified by a recognized trade association; and reviewing and evaluating the disposal company's information security policies or procedures.
In addition to the above actions, our law office suggests the following for consideration by our business clients:
1) businesses should promulgate “purge policies” regarding their computerized consumer information. Be sure to check with your IT personnel to make certain that information believed to be purged/deleted is effectively removed before donating electronics to non-profits corporations, etc.
2) if a business undergoes a location change, any documents to be stored and not destroyed should be separately located in a secure, off site storage environment (if office space for storage is too expensive). Ensure both current and older files are held securely. When our office relocated, we burned many files on a farmstead. Burning, rather than shredding, documents may save time and money.
3) records retention schedules are a must. Look to governmental agencies for examples of relevant time frames for records retention.
4) be aware that political events held at business offices - be they fundraisers, phone banking, pick up yard signs, etc. - can expose records to a wide range of people.
5) business reception areas and mail intake centers may put a business at risk unless safeguards are implemented to protect consumer information.
3.) I understand that there is some concern that new provisions to protect consumers may actually open businesses up to lawsuits -- if its found that a security breach originates from a business owner''s company. What are your thoughts on that?
Clearly, the new provisions do subject all kinds of businesses to lawsuits in the event of a security breach. Beyond mandating that all merchants who accept credit cards print only the last five digits of card numbers on receipts, FACTA requires businesses to properly dispose of any "consumer report" used for business purposes. "Consumer report" includes credit reports, background checks, insurance histories, medical histories and residential histories, therefore, all types of businesses are affected by the FACTA mandates. Businesses routinely obtain such information when deciding whether to extend credit to customers, or employment to job applicants. It is a fundamental right of the consumer to insist that a business keep his/her personal information secure.
4.) Overall, what do you see as the bright spots with regard to current identity theft legislation? And what needs to be done to strengthen that legislation?
Identity theft has become the fastest growing financial crime in America. A report released recently concluded that more than 285 million records were compromised in 2008, more than the previous four years combined. FACTA goes a long way in addressing the protections needed by consumers to fight against identity theft. The good news is that consumers today have many more tools at their disposal if they become victims than they did prior to 2003. In an effort to strengthen FACTA, new bills are being considered by Congress and several state legislatures to further restrict the use of personal information and provide confidentiality safeguards of employees, to enable victims of identity theft to obtain restitution equal to the value of the time they spend fixing the damage of identity theft and to provide enhanced criminal penalties for those who steal identities. These continuing efforts by the federal and state governments should result in better and stronger protections for consumers’ personal information.