
InfoBytes Blog

Financial Services Law Insights and Observations

FTC settlement requires retailer to provide transaction records to identity theft victims

Federal Issues FTC Enforcement Privacy/Cyber Risk & Data Security FTC Act FCRA

On June 10, the FTC announced a settlement to resolve Fair Credit Reporting Act (FCRA) allegations against a Wisconsin-based retailer for failing to provide the proper transaction records to identity theft victims. According to the FTC, this is the first time the Commission has used its authority under Section 609(e) of the FCRA, which requires companies to provide identity theft victims with “‘application and business transaction records’ evidencing any transactions that the victim alleges to be the ‘result of identity theft’” within 30 days of being requested. The FTC’s complaint alleged that from February 2017 through March 2019, the retailer implemented several changes to its policy, which limited the information that identity theft victims could obtain. The retailer also allegedly refused to directly provide victims with detailed order information, stating it would only share information if the request came directly from law enforcement. Moreover, the FTC claimed that the retailer did not provide the information it was supplying within the 30-day window required by the FCRA, and on several occasions, failed to issue a denial of a victim’s request within 30 days. These unlawful actions, the FTC alleged, violated the FTC Act and the FCRA, and only ended six months after the retailer received a civil investigative demand from the FTC. Under the terms of the settlement, the retailer has agreed to pay a $220,000 civil penalty to settle the claims and must provide identity theft victims, within 30 days, valid verification of their identity and the identity theft, including business transaction records related to the theft. The retailer must also post a notice on its website informing identity theft victims how to obtain application and business records, and certify that it has provided all such records to victims who were previously denied access.