Subtitle A—Identity Theft Prevention
SEC. 111. AMENDMENT TO DEFINITIONS.
Section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a)
is amended by adding at the end the following:
(q) DEFINITIONS RELATING TO FRAUD ALERTS.—
(1) ACTIVE DUTY MILITARY CONSUMER.—The term active
duty military consumer’ means a consumer in military service
who—
(A) is on active duty (as defined in section 101(d)(1)
of title 10, United States Code) or is a reservist performing
duty under a call or order to active duty under a provision
of law referred to in section 101(a)(13) of title 10, United
States Code; and
(B) is assigned to service away from the usual duty
station of the consumer.
(2) FRAUD ALERT; ACTIVE DUTY ALERT.—The terms fraud
alert’ and active duty alert’ mean a statement in the file
of a consumer that—
(A) notifies all prospective users of a consumer report
relating to the consumer that the consumer may be a
victim of fraud, including identity theft, or is an active
duty military consumer, as applicable; and
(B) is presented in a manner that facilitates a clear
and conspicuous view of the statement described in
subparagraph (A) by any person requesting such consumer
report.
(3) IDENTITY THEFT.—The term identity theft’ means a
fraud committed using the identifying information of another
person, subject to such further definition as the Commission
may prescribe, by regulation.
(4) IDENTITY THEFT REPORT.—The term identity theft
report’ has the meaning given that term by rule of the Commission,
and means, at a minimum, a report—
(A) that alleges an identity theft;
(B) that is a copy of an official, valid report filed
by a consumer with an appropriate Federal, State, or local
law enforcement agency, including the United States Postal
Inspection Service, or such other government agency
deemed appropriate by the Commission; and
(C) the filing of which subjects the person filing the
report to criminal penalties relating to the filing of false
information if, in fact, the information in the report is
false.
(5) NEW CREDIT PLAN.—The term new credit plan’ means
a new account under an open end credit plan (as defined
in section 103(i) of the Truth in Lending Act) or a new credit
transaction not under an open end credit plan.
(r) CREDIT AND DEBIT RELATED TERMS—
(1) CARD ISSUER.—The term card issuer’ means—
(A) a credit card issuer, in the case of a credit card;
and
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00004 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 1955
(B) a debit card issuer, in the case of a debit card.
(2) CREDIT CARD.—The term credit card’ has the same
meaning as in section 103 of the Truth in Lending Act.
(3) DEBIT CARD.—The term debit card’ means any card
issued by a financial institution to a consumer for use in
initiating an electronic fund transfer from the account of the
consumer at such financial institution, for the purpose of
transferring money between accounts or obtaining money, property,
labor, or services.
(4) ACCOUNT AND ELECTRONIC FUND TRANSFER.—The terms
account’ and electronic fund transfer’ have the same meanings
as in section 903 of the Electronic Fund Transfer Act.
(5) CREDIT AND CREDITOR.—The terms credit’ and creditor’
have the same meanings as in section 702 of the Equal Credit
Opportunity Act.
(s) FEDERAL BANKING AGENCY.—The term Federal banking
agency’ has the same meaning as in section 3 of the Federal
Deposit Insurance Act.
(t) FINANCIAL INSTITUTION.—The term financial institution’
means a State or National bank, a State or Federal savings and
loan association, a mutual savings bank, a State or Federal credit
union, or any other person that, directly or indirectly, holds a
transaction account (as defined in section 19(b) of the Federal
Reserve Act) belonging to a consumer.
(u) RESELLER.—The term reseller’ means a consumer reporting
agency that—
(1) assembles and merges information contained in the
database of another consumer reporting agency or multiple
consumer reporting agencies concerning any consumer for purposes
of furnishing such information to any third party, to
the extent of such activities; and
(2) does not maintain a database of the assembled or
merged information from which new consumer reports are produced.
(v) COMMISSION.—The term Commission’ means the Federal
Trade Commission.
(w) NATIONWIDE SPECIALTY CONSUMER REPORTING AGENCY.—
The term nationwide specialty consumer reporting agency’ means
a consumer reporting agency that compiles and maintains files
on consumers on a nationwide basis relating to—
(1) medical records or payments;
(2) residential or tenant history;
(3) check writing history;
(4) employment history; or
(5) insurance claims.”.
SEC. 112. FRAUD ALERTS AND ACTIVE DUTY ALERTS.
(a) FRAUD ALERTS.—The Fair Credit Reporting Act (15 U.S.C.
1681 et seq.) is amended by inserting after section 605 the following:
§ 605A. Identity theft prevention; fraud alerts and active
duty alerts
(a) ONE-CALL FRAUD ALERTS.—
(1) INITIAL ALERTS.—Upon the direct request of a consumer,
or an individual acting on behalf of or as a personal
representative of a consumer, who asserts in good faith a suspicion
that the consumer has been or is about to become a
15 USC 1681c–1.
VerDate 11-MAY-2000 14:13 Dec 23, 2003 Jkt 029139 PO 00159 Frm 00005 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 APPS10 PsN: PUBL159
117 STAT. 1956 PUBLIC LAW 108–159—DEC. 4, 2003
victim of fraud or related crime, including identity theft, a
consumer reporting agency described in section 603(p) that
maintains a file on the consumer and has received appropriate
proof of the identity of the requester shall—
(A) include a fraud alert in the file of that consumer,
and also provide that alert along with any credit score
generated in using that file, for a period of not less than
90 days, beginning on the date of such request, unless
the consumer or such representative requests that such
fraud alert be removed before the end of such period,
and the agency has received appropriate proof of the
identity of the requester for such purpose; and
(B) refer the information regarding the fraud alert
under this paragraph to each of the other consumer
reporting agencies described in section 603(p), in accordance
with procedures developed under section 621(f).
(2) ACCESS TO FREE REPORTS.—In any case in which a
consumer reporting agency includes a fraud alert in the file
of a consumer pursuant to this subsection, the consumer
reporting agency shall—
(A) disclose to the consumer that the consumer may
request a free copy of the file of the consumer pursuant
to section 612(d); and
(B) provide to the consumer all disclosures required
to be made under section 609, without charge to the consumer,
not later than 3 business days after any request
described in subparagraph (A).
(b) EXTENDED ALERTS.—
(1) IN GENERAL.—Upon the direct request of a consumer,
or an individual acting on behalf of or as a personal representative
of a consumer, who submits an identity theft report to
a consumer reporting agency described in section 603(p) that
maintains a file on the consumer, if the agency has received
appropriate proof of the identity of the requester, the agency
shall—
(A) include a fraud alert in the file of that consumer,
and also provide that alert along with any credit score
generated in using that file, during the 7-year period beginning
on the date of such request, unless the consumer
or such representative requests that such fraud alert be
removed before the end of such period and the agency
has received appropriate proof of the identity of the
requester for such purpose;
(B) during the 5-year period beginning on the date
of such request, exclude the consumer from any list of
consumers prepared by the consumer reporting agency and
provided to any third party to offer credit or insurance
to the consumer as part of a transaction that was not
initiated by the consumer, unless the consumer or such
representative requests that such exclusion be rescinded
before the end of such period; and
(C) refer the information regarding the extended fraud
alert under this paragraph to each of the other consumer
reporting agencies described in section 603(p), in accordance
with procedures developed under section 621(f).
(2) ACCESS TO FREE REPORTS.—In any case in which a
consumer reporting agency includes a fraud alert in the file
Deadline.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00006 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 1957
of a consumer pursuant to this subsection, the consumer
reporting agency shall—
(A) disclose to the consumer that the consumer may
request 2 free copies of the file of the consumer pursuant
to section 612(d) during the 12-month period beginning
on the date on which the fraud alert was included in
the file; and
(B) provide to the consumer all disclosures required
to be made under section 609, without charge to the consumer,
not later than 3 business days after any request
described in subparagraph (A).
(c) ACTIVE DUTY ALERTS.—Upon the direct request of an active
duty military consumer, or an individual acting on behalf of or
as a personal representative of an active duty military consumer,
a consumer reporting agency described in section 603(p) that maintains
a file on the active duty military consumer and has received
appropriate proof of the identity of the requester shall—
(1) include an active duty alert in the file of that active
duty military consumer, and also provide that alert along with
any credit score generated in using that file, during a period
of not less than 12 months, or such longer period as the
Commission shall determine, by regulation, beginning on the
date of the request, unless the active duty military consumer
or such representative requests that such fraud alert be
removed before the end of such period, and the agency has
received appropriate proof of the identity of the requester for
such purpose;
(2) during the 2-year period beginning on the date of
such request, exclude the active duty military consumer from
any list of consumers prepared by the consumer reporting
agency and provided to any third party to offer credit or insurance
to the consumer as part of a transaction that was not
initiated by the consumer, unless the consumer requests that
such exclusion be rescinded before the end of such period;
and
(3) refer the information regarding the active duty alert
to each of the other consumer reporting agencies described
in section 603(p), in accordance with procedures developed
under section 621(f).
(d) PROCEDURES.—Each consumer reporting agency described
in section 603(p) shall establish policies and procedures to comply
with this section, including procedures that inform consumers of
the availability of initial, extended, and active duty alerts and
procedures that allow consumers and active duty military consumers
to request initial, extended, or active duty alerts (as
applicable) in a simple and easy manner, including by telephone.
(e) REFERRALS OF ALERTS.—Each consumer reporting agency
described in section 603(p) that receives a referral of a fraud alert
or active duty alert from another consumer reporting agency pursuant
to this section shall, as though the agency received the request
from the consumer directly, follow the procedures required under—
(1) paragraphs (1)(A) and (2) of subsection (a), in the
case of a referral under subsection (a)(1)(B);
(2) paragraphs (1)(A), (1)(B), and (2) of subsection (b),
in the case of a referral under subsection (b)(1)(C); and
(3) paragraphs (1) and (2) of subsection (c), in the case
of a referral under subsection (c)(3).
Deadline.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00007 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
117 STAT. 1958 PUBLIC LAW 108–159—DEC. 4, 2003
(f) DUTY OF RESELLER TO RECONVEY ALERT.—A reseller shall
include in its report any fraud alert or active duty alert placed
in the file of a consumer pursuant to this section by another
consumer reporting agency.
(g) DUTY OF OTHER CONSUMER REPORTING AGENCIES TO PROVIDE
CONTACT INFORMATION.—If a consumer contacts any consumer
reporting agency that is not described in section 603(p) to communicate
a suspicion that the consumer has been or is about to
become a victim of fraud or related crime, including identity theft,
the agency shall provide information to the consumer on how to
contact the Commission and the consumer reporting agencies
described in section 603(p) to obtain more detailed information
and request alerts under this section.
(h) LIMITATIONS ON USE OF INFORMATION FOR CREDIT EXTENSIONS.—
(1) REQUIREMENTS FOR INITIAL AND ACTIVE DUTY ALERTS.—
(A) NOTIFICATION.—Each initial fraud alert and active
duty alert under this section shall include information that
notifies all prospective users of a consumer report on the
consumer to which the alert relates that the consumer
does not authorize the establishment of any new credit
plan or extension of credit, other than under an openend
credit plan (as defined in section 103(i)), in the name
of the consumer, or issuance of an additional card on an
existing credit account requested by a consumer, or any
increase in credit limit on an existing credit account
requested by a consumer, except in accordance with
subparagraph (B).
(B) LIMITATION ON USERS.—
(i) IN GENERAL.—No prospective user of a consumer
report that includes an initial fraud alert or
an active duty alert in accordance with this section
may establish a new credit plan or extension of credit,
other than under an open-end credit plan (as defined
in section 103(i)), in the name of the consumer, or
issue an additional card on an existing credit account
requested by a consumer, or grant any increase in
credit limit on an existing credit account requested
by a consumer, unless the user utilizes reasonable
policies and procedures to form a reasonable belief
that the user knows the identity of the person making
the request.
(ii) VERIFICATION.—If a consumer requesting the
alert has specified a telephone number to be used
for identity verification purposes, before authorizing
any new credit plan or extension described in clause
(i) in the name of such consumer, a user of such consumer
report shall contact the consumer using that
telephone number or take reasonable steps to verify
the consumer’s identity and confirm that the application
for a new credit plan is not the result of identity
theft.
(2) REQUIREMENTS FOR EXTENDED ALERTS.—
(A) NOTIFICATION.—Each extended alert under this
section shall include information that provides all prospective
users of a consumer report relating to a consumer
with—
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00008 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 1959
(i) notification that the consumer does not
authorize the establishment of any new credit plan
or extension of credit described in clause (i), other
than under an open-end credit plan (as defined in
section 103(i)), in the name of the consumer, or
issuance of an additional card on an existing credit
account requested by a consumer, or any increase in
credit limit on an existing credit account requested
by a consumer, except in accordance with subparagraph
(B); and
(ii) a telephone number or other reasonable contact
method designated by the consumer.
(B) LIMITATION ON USERS.—No prospective user of
a consumer report or of a credit score generated using
the information in the file of a consumer that includes
an extended fraud alert in accordance with this section
may establish a new credit plan or extension of credit,
other than under an open-end credit plan (as defined in
section 103(i)), in the name of the consumer, or issue an
additional card on an existing credit account requested
by a consumer, or any increase in credit limit on an existing
credit account requested by a consumer, unless the user
contacts the consumer in person or using the contact
method described in subparagraph (A)(ii) to confirm that
the application for a new credit plan or increase in credit
limit, or request for an additional card is not the result
of identity theft.”.
(b) RULEMAKING.—The Commission shall prescribe regulations
to define what constitutes appropriate proof of identity for purposes
of sections 605A, 605B, and 609(a)(1) of the Fair Credit Reporting
Act, as amended by this Act.
SEC. 113. TRUNCATION OF CREDIT CARD AND DEBIT CARD ACCOUNT
NUMBERS.
Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c)
is amended by adding at the end the following:
(g) TRUNCATION OF CREDIT CARD AND DEBIT CARD NUMBERS.—
(1) IN GENERAL.—Except as otherwise provided in this
subsection, no person that accepts credit cards or debit cards
for the transaction of business shall print more than the last
5 digits of the card number or the expiration date upon any
receipt provided to the cardholder at the point of the sale
or transaction.
(2) LIMITATION.—This subsection shall apply only to
receipts that are electronically printed, and shall not apply
to transactions in which the sole means of recording a credit
card or debit card account number is by handwriting or by
an imprint or copy of the card.
(3) EFFECTIVE DATE.—This subsection shall become
effective—
(A) 3 years after the date of enactment of this subsection,
with respect to any cash register or other machine
or device that electronically prints receipts for credit card
or debit card transactions that is in use before January
1, 2005; and
(B) 1 year after the date of enactment of this subsection,
with respect to any cash register or other machine
Applicability.
15 USC 1681c–1
note.
VerDate 11-MAY-2000 14:13 Dec 23, 2003 Jkt 029139 PO 00159 Frm 00009 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 APPS10 PsN: PUBL159
117 STAT. 1960 PUBLIC LAW 108–159—DEC. 4, 2003
or device that electronically prints receipts for credit card
or debit card transactions that is first put into use on
or after January 1, 2005.”.
SEC. 114. ESTABLISHMENT OF PROCEDURES FOR THE IDENTIFICATION
OF POSSIBLE INSTANCES OF IDENTITY THEFT.
Section 615 of the Fair Credit Reporting Act (15 U.S.C. 1681m)
is amended—
(1) by striking (e)” at the end; and
(2) by adding at the end the following:
(e) RED FLAG GUIDELINES AND REGULATIONS REQUIRED.—
(1) GUIDELINES.—The Federal banking agencies, the
National Credit Union Administration, and the Commission
shall jointly, with respect to the entities that are subject to
their respective enforcement authority under section 621—
(A) establish and maintain guidelines for use by each
financial institution and each creditor regarding identity
theft with respect to account holders at, or customers of,
such entities, and update such guidelines as often as necessary;
(B) prescribe regulations requiring each financial
institution and each creditor to establish reasonable policies
and procedures for implementing the guidelines established
pursuant to subparagraph (A), to identify possible risks
to account holders or customers or to the safety and soundness
of the institution or customers; and
(C) prescribe regulations applicable to card issuers
to ensure that, if a card issuer receives notification of
a change of address for an existing account, and within
a short period of time (during at least the first 30 days
after such notification is received) receives a request for
an additional or replacement card for the same account,
the card issuer may not issue the additional or replacement
card, unless the card issuer, in accordance with reasonable
policies and procedures—
(i) notifies the cardholder of the request at the
former address of the cardholder and provides to the
cardholder a means of promptly reporting incorrect
address changes;
(ii) notifies the cardholder of the request by such
other means of communication as the cardholder and
the card issuer previously agreed to; or
(iii) uses other means of assessing the validity
of the change of address, in accordance with reasonable
policies and procedures established by the card issuer
in accordance with the regulations prescribed under
subparagraph (B).
(2) CRITERIA.—
(A) IN GENERAL.—In developing the guidelines
required by paragraph (1)(A), the agencies described in
paragraph (1) shall identify patterns, practices, and specific
forms of activity that indicate the possible existence of
identity theft.
(B) INACTIVE ACCOUNTS.—In developing the guidelines
required by paragraph (1)(A), the agencies described in
paragraph (1) shall consider including reasonable guidelines
providing that when a transaction occurs with respect
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00010 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 1961
to a credit or deposit account that has been inactive for
more than 2 years, the creditor or financial institution
shall follow reasonable policies and procedures that provide
for notice to be given to a consumer in a manner reasonably
designed to reduce the likelihood of identity theft with
respect to such account.
(3) CONSISTENCY WITH VERIFICATION REQUIREMENTS.—
Guidelines established pursuant to paragraph (1) shall not
be inconsistent with the policies and procedures required under
section 5318(l) of title 31, United States Code.”.
SEC. 115. AUTHORITY TO TRUNCATE SOCIAL SECURITY NUMBERS.
Section 609(a)(1) of the Fair Credit Reporting Act (15 U.S.C.
1681g(a)(1)) is amended by striking except that nothing” and
inserting the following: except that—
(A) if the consumer to whom the file relates requests
that the first 5 digits of the social security number (or
similar identification number) of the consumer not be
included in the disclosure and the consumer reporting
agency has received appropriate proof of the identity of
the requester, the consumer reporting agency shall so truncate
such number in such disclosure; and
(B) nothing”.
Subtitle B—Protection and Restoration of
Identity Theft Victim Credit History
SEC. 151. SUMMARY OF RIGHTS OF IDENTITY THEFT VICTIMS.
(a) IN GENERAL.—
(1) SUMMARY.—Section 609 of the Fair Credit Reporting
Act (15 U.S.C. 1681g) is amended by adding at the end the
following:
(d) SUMMARY OF RIGHTS OF IDENTITY THEFT VICTIMS.—
(1) IN GENERAL.—The Commission, in consultation with
the Federal banking agencies and the National Credit Union
Administration, shall prepare a model summary of the rights
of consumers under this title with respect to the procedures
for remedying the effects of fraud or identity theft involving
credit, an electronic fund transfer, or an account or transaction
at or with a financial institution or other creditor.
(2) SUMMARY OF RIGHTS AND CONTACT INFORMATION.—
Beginning 60 days after the date on which the model summary
of rights is prescribed in final form by the Commission pursuant
to paragraph (1), if any consumer contacts a consumer reporting
agency and expresses a belief that the consumer is a victim
of fraud or identity theft involving credit, an electronic fund
transfer, or an account or transaction at or with a financial
institution or other creditor, the consumer reporting agency
shall, in addition to any other action that the agency may
take, provide the consumer with a summary of rights that
contains all of the information required by the Commission
under paragraph (1), and information on how to contact the
Commission to obtain more detailed information.
(e) INFORMATION AVAILABLE TO VICTIMS.—
(1) IN GENERAL.—For the purpose of documenting fraudulent
transactions resulting from identity theft, not later than
Deadline.
Effective date.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00011 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
117 STAT. 1962 PUBLIC LAW 108–159—DEC. 4, 2003
30 days after the date of receipt of a request from a victim
in accordance with paragraph (3), and subject to verification
of the identity of the victim and the claim of identity theft
in accordance with paragraph (2), a business entity that has
provided credit to, provided for consideration products, goods,
or services to, accepted payment from, or otherwise entered
into a commercial transaction for consideration with, a person
who has allegedly made unauthorized use of the means of
identification of the victim, shall provide a copy of application
and business transaction records in the control of the business
entity, whether maintained by the business entity or by another
person on behalf of the business entity, evidencing any transaction
alleged to be a result of identity theft to—
(A) the victim;
(B) any Federal, State, or local government law
enforcement agency or officer specified by the victim in
such a request; or
(C) any law enforcement agency investigating the
identity theft and authorized by the victim to take receipt
of records provided under this subsection.
(2) VERIFICATION OF IDENTITY AND CLAIM.—Before a business
entity provides any information under paragraph (1),
unless the business entity, at its discretion, otherwise has
a high degree of confidence that it knows the identity of the
victim making a request under paragraph (1), the victim shall
provide to the business entity—
(A) as proof of positive identification of the victim,
at the election of the business entity—
(i) the presentation of a government-issued identification
card;
(ii) personally identifying information of the same
type as was provided to the business entity by the
unauthorized person; or
(iii) personally identifying information that the
business entity typically requests from new applicants
or for new transactions, at the time of the victim’s
request for information, including any documentation
described in clauses (i) and (ii); and
(B) as proof of a claim of identity theft, at the election
of the business entity—
(i) a copy of a police report evidencing the claim
of the victim of identity theft; and
(ii) a properly completed—
(I) copy of a standardized affidavit of identity
theft developed and made available by the
Commission; or
(II) an affidavit of fact that is acceptable to
the business entity for that purpose.
(3) PROCEDURES.—The request of a victim under paragraph
(1) shall—
(A) be in writing;
(B) be mailed to an address specified by the business
entity, if any; and
(C) if asked by the business entity, include relevant
information about any transaction alleged to be a result
of identity theft to facilitate compliance with this section
including—
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00012 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 1963
(i) if known by the victim (or if readily obtainable
by the victim), the date of the application or transaction;
and
(ii) if known by the victim (or if readily obtainable
by the victim), any other identifying information such
as an account or transaction number.
(4) NO CHARGE TO VICTIM.—Information required to be
provided under paragraph (1) shall be so provided without
charge.
(5) AUTHORITY TO DECLINE TO PROVIDE INFORMATION.—
A business entity may decline to provide information under
paragraph (1) if, in the exercise of good faith, the business
entity determines that—
(A) this subsection does not require disclosure of the
information;
(B) after reviewing the information provided pursuant
to paragraph (2), the business entity does not have a high
degree of confidence in knowing the true identity of the
individual requesting the information;
(C) the request for the information is based on a
misrepresentation of fact by the individual requesting the
information relevant to the request for information; or
(D) the information requested is Internet navigational
data or similar information about a person’s visit to a
website or online service.
(6) LIMITATION ON LIABILITY.—Except as provided in section
621, sections 616 and 617 do not apply to any violation
of this subsection.
(7) LIMITATION ON CIVIL LIABILITY.—No business entity
may be held civilly liable under any provision of Federal, State,
or other law for disclosure, made in good faith pursuant to
this subsection.
(8) NO NEW RECORDKEEPING OBLIGATION.—Nothing in this
subsection creates an obligation on the part of a business entity
to obtain, retain, or maintain information or records that are
not otherwise required to be obtained, retained, or maintained
in the ordinary course of its business or under other applicable
law.
(9) RULE OF CONSTRUCTION.—
(A) IN GENERAL.—No provision of subtitle A of title
V of Public Law 106–102, prohibiting the disclosure of
financial information by a business entity to third parties
shall be used to deny disclosure of information to the
victim under this subsection.
(B) LIMITATION.—Except as provided in subparagraph
(A), nothing in this subsection permits a business entity
to disclose information, including information to law
enforcement under subparagraphs (B) and (C) of paragraph
(1), that the business entity is otherwise prohibited from
disclosing under any other applicable provision of Federal
or State law.
(10) AFFIRMATIVE DEFENSE.—In any civil action brought
to enforce this subsection, it is an affirmative defense (which
the defendant must establish by a preponderance of the evidence)
for a business entity to file an affidavit or answer
stating that—
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00013 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
117 STAT. 1964 PUBLIC LAW 108–159—DEC. 4, 2003
(A) the business entity has made a reasonably diligent
search of its available business records; and
(B) the records requested under this subsection do
not exist or are not reasonably available.
(11) DEFINITION OF VICTIM.—For purposes of this subsection,
the term victim’ means a consumer whose means of
identification or financial information has been used or transferred
(or has been alleged to have been used or transferred)
without the authority of that consumer, with the intent to
commit, or to aid or abet, an identity theft or a similar crime.
(12) EFFECTIVE DATE.—This subsection shall become effective
180 days after the date of enactment of this subsection.
(13) EFFECTIVENESS STUDY.—Not later than 18 months
after the date of enactment of this subsection, the Comptroller
General of the United States shall submit a report to Congress
assessing the effectiveness of this provision.”.
(2) RELATION TO STATE LAWS.—Section 625(b)(1) of the Fair
Credit Reporting Act (15 U.S.C. 1681t(b)(1), as so redesignated)
is amended by adding at the end the following new subparagraph:
(G) section 609(e), relating to information available
to victims under section 609(e);”.
(b) PUBLIC CAMPAIGN TO PREVENT IDENTITY THEFT.—Not later
than 2 years after the date of enactment of this Act, the Commission
shall establish and implement a media and distribution campaign
to teach the public how to prevent identity theft. Such campaign
shall include existing Commission education materials, as well as
radio, television, and print public service announcements, video
cassettes, interactive digital video discs (DVD’s) or compact audio
discs (CD’s), and Internet resources.
SEC. 152. BLOCKING OF INFORMATION RESULTING FROM IDENTITY
THEFT.
(a) IN GENERAL.—The Fair Credit Reporting Act (15 U.S.C.
1681 et seq.) is amended by inserting after section 605A, as added
by this Act, the following:
§ 605B. Block of information resulting from identity theft
(a) BLOCK.—Except as otherwise provided in this section, a
consumer reporting agency shall block the reporting of any information
in the file of a consumer that the consumer identifies as
information that resulted from an alleged identity theft, not later
than 4 business days after the date of receipt by such agency
of—
(1) appropriate proof of the identity of the consumer;
(2) a copy of an identity theft report;
(3) the identification of such information by the consumer;
and
(4) a statement by the consumer that the information
is not information relating to any transaction by the consumer.
(b) NOTIFICATION.—A consumer reporting agency shall
promptly notify the furnisher of information identified by the consumer
under subsection (a)—
(1) that the information may be a result of identity theft;
(2) that an identity theft report has been filed;
(3) that a block has been requested under this section;
and
Deadline.
15 USC 1681c–2.
Deadline.
15 USC 1681c–1
note.
Deadline.
Reports.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00014 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 1965
(4) of the effective dates of the block.
(c) AUTHORITY TO DECLINE OR RESCIND.—
(1) IN GENERAL.—A consumer reporting agency may
decline to block, or may rescind any block, of information
relating to a consumer under this section, if the consumer
reporting agency reasonably determines that—
(A) the information was blocked in error or a block
was requested by the consumer in error;
(B) the information was blocked, or a block was
requested by the consumer, on the basis of a material
misrepresentation of fact by the consumer relevant to the
request to block; or
(C) the consumer obtained possession of goods, services,
or money as a result of the blocked transaction or
transactions.
(2) NOTIFICATION TO CONSUMER.—If a block of information
is declined or rescinded under this subsection, the affected
consumer shall be notified promptly, in the same manner as
consumers are notified of the reinsertion of information under
section 611(a)(5)(B).
(3) SIGNIFICANCE OF BLOCK.—For purposes of this subsection,
if a consumer reporting agency rescinds a block, the
presence of information in the file of a consumer prior to
the blocking of such information is not evidence of whether
the consumer knew or should have known that the consumer
obtained possession of any goods, services, or money as a result
of the block.
(d) EXCEPTION FOR RESELLERS.—
(1) NO RESELLER FILE.—This section shall not apply to
a consumer reporting agency, if the consumer reporting
agency—
(A) is a reseller;
(B) is not, at the time of the request of the consumer
under subsection (a), otherwise furnishing or reselling a
consumer report concerning the information identified by
the consumer; and
(C) informs the consumer, by any means, that the
consumer may report the identity theft to the Commission
to obtain consumer information regarding identity theft.
(2) RESELLER WITH FILE.—The sole obligation of the consumer
reporting agency under this section, with regard to any
request of a consumer under this section, shall be to block
the consumer report maintained by the consumer reporting
agency from any subsequent use, if—
(A) the consumer, in accordance with the provisions
of subsection (a), identifies, to a consumer reporting agency,
information in the file of the consumer that resulted from
identity theft; and
(B) the consumer reporting agency is a reseller of
the identified information.
(3) NOTICE.—In carrying out its obligation under paragraph
(2), the reseller shall promptly provide a notice to the
consumer of the decision to block the file. Such notice shall
contain the name, address, and telephone number of each consumer
reporting agency from which the consumer information
was obtained for resale.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00015 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
117 STAT. 1966 PUBLIC LAW 108–159—DEC. 4, 2003
(e) EXCEPTION FOR VERIFICATION COMPANIES.—The provisions
of this section do not apply to a check services company, acting
as such, which issues authorizations for the purpose of approving
or processing negotiable instruments, electronic fund transfers, or
similar methods of payments, except that, beginning 4 business
days after receipt of information described in paragraphs (1)
through (3) of subsection (a), a check services company shall not
report to a national consumer reporting agency described in section
603(p), any information identified in the subject identity theft report
as resulting from identity theft.
(f) ACCESS TO BLOCKED INFORMATION BY LAW ENFORCEMENT
AGENCIES.—No provision of this section shall be construed as
requiring a consumer reporting agency to prevent a Federal, State,
or local law enforcement agency from accessing blocked information
in a consumer file to which the agency could otherwise obtain
access under this title.”.
(b) CLERICAL AMENDMENT.—The table of sections for the Fair
Credit Reporting Act (15 U.S.C. 1681 et seq.) is amended by
inserting after the item relating to section 605 the following new
items:
605A. Identity theft prevention; fraud alerts and active duty alerts.
605B. Block of information resulting from identity theft.”.
SEC. 153. COORDINATION OF IDENTITY THEFT COMPLAINT INVESTIGATIONS.
Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s)
is amended by adding at the end the following:
(f) COORDINATION OF CONSUMER COMPLAINT INVESTIGATIONS.—
(1) IN GENERAL.—Each consumer reporting agency
described in section 603(p) shall develop and maintain procedures
for the referral to each other such agency of any consumer
complaint received by the agency alleging identity theft, or
requesting a fraud alert under section 605A or a block under
section 605B.
(2) MODEL FORM AND PROCEDURE FOR REPORTING IDENTITY
THEFT.—The Commission, in consultation with the Federal
banking agencies and the National Credit Union Administration,
shall develop a model form and model procedures to be
used by consumers who are victims of identity theft for contacting
and informing creditors and consumer reporting agencies
of the fraud.
(3) ANNUAL SUMMARY REPORTS.—Each consumer reporting
agency described in section 603(p) shall submit an annual summary
report to the Commission on consumer complaints
received by the agency on identity theft or fraud alerts.”.
SEC. 154. PREVENTION OF REPOLLUTION OF CONSUMER REPORTS.
(a) PREVENTION OF REINSERTION OF ERRONEOUS INFORMATION.—
Section 623(a) of the Fair Credit Reporting Act (15 U.S.C.
1681s–2(a)) is amended by adding at the end the following:
(6) DUTIES OF FURNISHERS UPON NOTICE OF IDENTITY
THEFT-RELATED INFORMATION.—
(A) REASONABLE PROCEDURES.—A person that furnishes
information to any consumer reporting agency shall
have in place reasonable procedures to respond to any
notification that it receives from a consumer reporting
agency under section 605B relating to information resulting
Procedures.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00016 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 1967
from identity theft, to prevent that person from refurnishing
such blocked information.
(B) INFORMATION ALLEGED TO RESULT FROM IDENTITY
THEFT.—If a consumer submits an identity theft report
to a person who furnishes information to a consumer
reporting agency at the address specified by that person
for receiving such reports stating that information maintained
by such person that purports to relate to the consumer
resulted from identity theft, the person may not
furnish such information that purports to relate to the
consumer to any consumer reporting agency, unless the
person subsequently knows or is informed by the consumer
that the information is correct.”.
(b) PROHIBITION ON SALE OR TRANSFER OF DEBT CAUSED BY
IDENTITY THEFT.—Section 615 of the Fair Credit Reporting Act
(15 U.S.C. 1681m), as amended by this Act, is amended by adding
at the end the following:
(f) PROHIBITION ON SALE OR TRANSFER OF DEBT CAUSED BY
IDENTITY THEFT.—
(1) IN GENERAL.—No person shall sell, transfer for consideration,
or place for collection a debt that such person has
been notified under section 605B has resulted from identity
theft.
(2) APPLICABILITY.—The prohibitions of this subsection
shall apply to all persons collecting a debt described in paragraph
(1) after the date of a notification under paragraph
(1).
(3) RULE OF CONSTRUCTION.—Nothing in this subsection
shall be construed to prohibit—
(A) the repurchase of a debt in any case in which
the assignee of the debt requires such repurchase because
the debt has resulted from identity theft;
(B) the securitization of a debt or the pledging of
a portfolio of debt as collateral in connection with a borrowing;
or
(C) the transfer of debt as a result of a merger, acquisition,
purchase and assumption transaction, or transfer of
substantially all of the assets of an entity.”.
SEC. 155. NOTICE BY DEBT COLLECTORS WITH RESPECT TO FRAUDULENT
INFORMATION.
Section 615 of the Fair Credit Reporting Act (15 U.S.C. 1681m),
as amended by this Act, is amended by adding at the end the
following:
(g) DEBT COLLECTOR COMMUNICATIONS CONCERNING IDENTITY
THEFT.—If a person acting as a debt collector (as that term is
defined in title VIII) on behalf of a third party that is a creditor
or other user of a consumer report is notified that any information
relating to a debt that the person is attempting to collect may
be fraudulent or may be the result of identity theft, that person
shall—
(1) notify the third party that the information may be
fraudulent or may be the result of identity theft; and
(2) upon request of the consumer to whom the debt
purportedly relates, provide to the consumer all information
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00017 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
117 STAT. 1968 PUBLIC LAW 108–159—DEC. 4, 2003
to which the consumer would otherwise be entitled if the consumer
were not a victim of identity theft, but wished to dispute
the debt under provisions of law applicable to that person.”.
SEC. 156. STATUTE OF LIMITATIONS.
Section 618 of the Fair Credit Reporting Act (15 U.S.C. 1681p)
is amended to read as follows:
§ 618. Jurisdiction of courts; limitation of actions
An action to enforce any liability created under this title
may be brought in any appropriate United States district court,
without regard to the amount in controversy, or in any other court
of competent jurisdiction, not later than the earlier of—
(1) 2 years after the date of discovery by the plaintiff
of the violation that is the basis for such liability; or
(2) 5 years after the date on which the violation that
is the basis for such liability occurs.”.
SEC. 157. STUDY ON THE USE OF TECHNOLOGY TO COMBAT IDENTITY
THEFT.
(a) STUDY REQUIRED.—The Secretary of the Treasury shall
conduct a study of the use of biometrics and other similar technologies
to reduce the incidence and costs to society of identity
theft by providing convincing evidence of who actually performed
a given financial transaction.
(b) CONSULTATION.—The Secretary of the Treasury shall consult
with Federal banking agencies, the Commission, and representatives
of financial institutions, consumer reporting agencies, Federal,
State, and local government agencies that issue official forms or
means of identification, State prosecutors, law enforcement agencies,
the biometric industry, and the general public in formulating
and conducting the study required by subsection (a).
(c) AUTHORIZATION OF APPROPRIATIONS.—There are authorized
to be appropriated to the Secretary of the Treasury for fiscal year
2004, such sums as may be necessary to carry out the provisions
of this section.
(d) REPORT REQUIRED.—Before the end of the 180-day period
beginning on the date of enactment of this Act, the Secretary
shall submit a report to Congress containing the findings and
conclusions of the study required under subsection (a), together
with such recommendations for legislative or administrative actions
as may be appropriate.
Sfmt 6580 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159