This is the accessible text file for GAO report number GAO-05-710 entitled 'Identity Theft: Some Outreach Efforts to Promote Awareness of New Consumer Rights Are Under Way' which was released on June 30, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: June 2005: Identity Theft: Some Outreach Efforts to Promote Awareness of New Consumer Rights Are Under Way: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-710]: GAO Highlights: Highlights of GAO-05-710, a report to congressional committees: Why GAO Did This Study: The Fair and Accurate Credit Transactions (FACT) Act of 2003 which amended the Fair Credit Reporting Act (FCRA), contains provisions intended to help consumers remedy the effects of identity theft. For example, section 609(e) of the amended FCRA gives identity theft victims the right to obtain records of fraudulent business transactions, and section 609(d) requires the Federal Trade Commission (FTC) to develop a model summary of identity theft victims’ rights. This report provides information on (1) outreach efforts to inform consumers, businesses, and law enforcement entities about section 609(e); (2) the views of relevant groups on the provision’s expected impact; and (3) FTC’s process for developing its model summary of rights and views on the summary’s potential usefulness. What GAO Found: Some efforts to educate consumers, business entities, and local law enforcement officials about their rights and obligations under section 609(e), which grants identity theft victims access to fraudulent business transaction records, were under way as of June 2005—notably by the FTC, U.S. Postal Inspection Service, International Association of Chiefs of Police, and National Credit Union Administration. For example, FTC had a number of outreach efforts on section 609(e) including coverage in conferences and presentations as well as information available through its Web site, toll-free hotline, and identity theft publications. While many of the other federal regulators and law enforcement agencies have undertaken outreach efforts on identity theft, most did not specifically include information on section 609(e). FTC staff indicated that the public education campaign on identity theft prevention mandated to be implemented by December 2005 by the FACT Act will also include coverage of section 609(e). According to FTC, law enforcement agency officials, and consumer advocacy group representatives we spoke with, section 609(e) should help victims to remedy the effects of identity theft more quickly. Other cited benefits include allowing victims to build stronger cases that could assist law enforcement agencies in developing intelligence data for their investigations. However, due to the limited experience with victims attempting to obtain business records, it is too early to assess the actual effectiveness of the section 609(e) provisions. Consumer groups and state agencies identified some potential problems with the timeliness of business transaction data and the extent of documents needed to verify a victim’s identity theft claim. Given the newness of the provision, additional experience is needed to verify the validity of these potential concerns or other concerns not yet anticipated. FTC staff told us that as part of their overall FACT Act outreach efforts, they intend to monitor the implementation of section 609(e) to determine whether the provision is working as intended. Most of the agencies and groups we spoke with had favorable views of FTC’s process to develop the model summary of identity theft victim rights mandated under section 609(d). FTC published its final form of the summary on November 30, 2004, and as required by FTC’s guidance, the three national credit reporting agencies told us they began distributing a summary to consumers who contacted them with identity theft concerns before January 31, 2005. While most of the groups that we contacted felt that FTC had been responsive to their comments, consumer advocacy groups identified two potential concerns. These potential concerns center on the limited availability of a Spanish version of the summary of rights and the clarity of the model summary of rights to the general population. However, due to the limited time that the summary has been available, it is too early to determine the extent of any implementation issues. www.gao.gov/cgi-bin/getrpt?GAO-05-710. To view the full product, including the scope and methodology, click on the link above. For more information, contact Richard J. Hillman at (202) 512-8678 or hillmanr@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Some Efforts to Increase Awareness of Section 609(e) Were Under Way as of June 2005: Many Believe the New Provision Will Be Useful, but Some Potential Concerns Were Identified: FTC's Model Summary of Rights Process Has Generally Been Viewed Favorably: Conclusions: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: Reprint of FTC's Model Summary of Identity Theft Victim Rights: Figure: Figure 1: U.S. Postal Inspection Service Advertisement on Identity Theft and the FACT Act: Abbreviations: CRA: Credit Reporting Agency: DOJ: Department of Justice: DOL: Department of Labor: FACT: Fair and Accurate Credit Transactions Act of 2003: FBI: Federal Bureau of Investigation: FCRA: Fair Credit Reporting Act: FDIC: Federal Deposit Insurance Corporation: FFIEC: Federal Financial Institutions Examination Council: FTC: Federal Trade Commission: IACP: International Association of Chiefs of Police: Letter June 30, 2005: The Honorable Richard C. Shelby: Chairman: The Honorable Paul S. Sarbanes: Ranking Minority Member: Committee on Banking, Housing, and Urban Affairs: United States Senate: The Honorable Michael G. Oxley: Chairman: The Honorable Barney Frank: Ranking Minority Member: Committee on Financial Services: House of Representatives: Recent thefts of customer information from several large commercial databases have reinforced widespread concerns about identity theft. The Federal Trade Commission (FTC) has reported that identity theft represented about 40 percent of all the consumer fraud complaints it received during each of the last 3 calendar years. Identity theft generally involves the fraudulent use of another person's identifying information--such as a Social Security number, date of birth, or mother's maiden name--to establish credit, run up debt, or take over existing financial accounts. According to identity theft experts, individuals whose identities have been stolen can spend months or years and thousands of dollars clearing their names. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identity theft. To help address the difficulties victims often encounter in trying to recover from identity theft, Congress added various provisions to the Fair and Accurate Credit Transactions (FACT) Act of 2003.[Footnote 1] In particular, recognizing that the amount of damage done to an individual's name, financial or otherwise, can be mitigated by how quickly the identity theft is discovered and addressed, Congress included a provision to help victims obtain records of alleged fraudulent business transactions. This provision--section 609(e) of the amended Fair Credit Reporting Act (FCRA)--established the right of identity theft victims to obtain, within 30 days, copies of business records involved in transactions alleged to be the result of identity theft.[Footnote 2] Further, the FACT Act requires that FTC develop a model summary of rights to be distributed to consumers who believe that they are victims of identity theft--including the right to obtain information available to them under section 609(e).[Footnote 3] Additionally, the act requires FTC to establish and implement a public media and distribution campaign on identity theft prevention by December 2005.[Footnote 4] The FACT Act also required GAO to evaluate the effectiveness of section 609(e) and issue a report to Congress by June 2005.[Footnote 5] Because of the short period of time that had elapsed since the June 2004 effective date of the provision, we informed the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that we would be unable to assess the effectiveness of the provision. Consequently, to satisfy the mandate, we agreed with the two committees that this report would (1) provide information on outreach efforts to consumers, businesses, and local law enforcement agencies on the provision; (2) describe the views and opinions of relevant federal agencies, private business entities, and consumer groups on the expected impact of the provision; and (3) discuss the process that FTC used to develop the model summary of rights mandated by the FACT Act and the opinions of groups that commented on the model summary. To address these objectives, we obtained and analyzed information and interviewed officials from groups that have a role in implementing section 609(e) and the FACT Act. Specifically, we contacted and obtained information from representatives of FTC and five federal law enforcement agencies, met with officials from the five federal banking regulators, attempted to contact six organizations or individuals representing business entities, held meetings with the three national credit reporting agencies (CRAs), and met with five consumer advocacy groups identified as being active on identity theft issues.[Footnote 6] We reviewed literature used in outreach efforts, FTC's model summary of identity theft victim rights and public comments on it, Web site information, and state identity theft laws similar to the FACT Act. Appendix I contains a more complete description of our scope and methodology. We conducted our work in Washington, D.C., and San Francisco from September 2004 through June 2005 in accordance with generally accepted government auditing standards. Results in Brief: As of June 2005, a number of outreach efforts to consumers, businesses, and local law enforcement agencies on identity theft prevention and remediation by federal regulatory and enforcement agencies and others were under way. We found that with a few exceptions--notably efforts by the FTC, U.S. Postal Inspection Service, International Association of Chiefs of Police, and National Credit Union Administration--most of the outreach efforts we identified were designed to provide general information on identity theft crimes and did not specifically address section 609(e). At the time of our review, the primary mechanism for providing consumers with information on their right to obtain business records on potentially fraudulent transactions was the mandated summary of rights that CRAs began distributing in January 2005 to individuals who contacted them with concerns about identity theft. FTC staff told us they began posting information on section 609(e) on its web site at the time the FACT Act took effect in June 2004. FTC staff also stated that the planned effort to satisfy the December 2005 mandated public education campaign would be broadly focused on all aspects of identity theft prevention and remediation, including the provisions of section 609(e). A variety of other interest groups, including businesses and their trade groups, federal law enforcement agencies and banking regulators, and consumer groups also told us that their outreach efforts on the FACT Act were just beginning. We found that for the most part these agencies and groups viewed FTC as having the primary responsibility for providing outreach on the FACT Act and section 609(e). Law enforcement agency officials and consumer advocacy group representatives stated that section 609(e) should help victims remedy the effects of identity theft. Law enforcement officials noted that the provision would allow victims to build stronger cases that could prompt local police agencies to open an investigation and added that the information would be useful in identifying patterns or trends in identity theft practices. Consumer advocacy groups told us that they believed that the new provision should make local police more willing to take reports on identity theft because these reports could be used to substantiate the victim's access to information. However, one of the states we contacted that has a similar identity theft law told us that the number of police investigations or prosecutions of identity theft crimes had not increased since the state law had been in effect. The officials cited workload and other priorities that determine the types of investigations and prosecutions law enforcement undertake. Some state agencies with similar identity theft laws and some consumer advocacy groups had a few concerns about the provision. Specifically, while they had no evidence that demonstrated a problem, both state agencies and consumer advocacy groups we contacted believed that the 30- day response time allowed under section 609(e) for businesses to provide victims with information was too long and suggested that 2 weeks would be more reasonable. One state agency and a consumer advocacy group stressed the importance of businesses providing the requested information within the shortest time frame possible to allow consumers to quickly clear their credit files and undo the damage caused by identity theft. Officials from the two states that already had provisions similar to section 609(e) told us that victims in those states had generally been able to obtain business transaction information within the shorter time frame. Additionally, some consumer advocacy groups were concerned that the provision gave business entities the discretion to require that consumers provide additional documentation to verify their identity and identity theft claims. These entities believed that a police report should be sufficient evidence and questioned how much additional information businesses actually needed. Finally, we were unable to obtain corresponding opinions on the impact of this provision from businesses and trade associations. Officials we spoke with generally had favorable views of the process FTC used to develop the mandated model summary of identity theft victim rights and stated that they felt that the model summary provided useful information that should aid identity theft victims. FTC published its final form of the model summary of identity theft victim rights on November 30, 2004. CRAs told us that, as required by FTC's guidance, they had begun distributing a "substantially similar" version of the model summary to consumers who contacted them with a claim of identity theft before January 31, 2005. In accordance with the FACT Act, FTC consulted with the federal banking agencies during the development of the model summary of rights. Specifically, FTC solicited and, according to federal banking agency officials, substantially incorporated input from the federal banking agencies on a draft version of the model summary of rights before publishing a proposed version for public comment. Representatives of the consumer groups we contacted identified two potential concerns: first, that FTC had not required CRAs to provide a Spanish version of the summary and second, that the text of the summary may be too technical or difficult for the general public to understand. FTC staff stated that while they had not required CRAs to provide a Spanish translation of the model summary, the final version contained a statement in Spanish directing consumers to FTC to obtain Spanish language information. It is too early to determine the extent to which these potential concerns were affecting identity theft victims. We provided a draft of this report to the heads or designees of FTC, Department of Justice, Federal Bureau of Investigation, Social Security Administration, U.S. Postal Inspection Service, U.S. Secret Service, Federal Deposit Insurance Corporation, Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Office of Thrift Supervision, and National Credit Union Administration for comment. The agencies provided technical comments that are incorporated where appropriate in the report. Background: The Identity Theft and Assumption Deterrence Act of 1998 made identity theft a federal crime.[Footnote 7] Although FTC does not have the authority to bring criminal cases, the act established FTC as the federal clearinghouse for identity theft complaints. FTC is required to keep a log of such complaints and to notify consumers that their complaints have been received.[Footnote 8] In response to this requirement, in November 1999 FTC established the Identity Theft Data Clearinghouse to gather information from consumers who file complaints or inquire about identity theft. FTC inputs this information into its Consumer Sentinel database, which is used by more than 1,000 law enforcement agencies. According to FTC, the number of identity theft complaints it has received has steadily risen each year--climbing from 31,000 in 2000 to 247,000 in 2004. FTC staff noted that the increase in reported instances of identity theft may in part reflect enhanced consumer awareness and willingness to report such crimes. However, not all identity theft victims contact FTC. No single federal law enforcement agency has primary jurisdiction over identity theft crimes. Identity theft is not typically a stand-alone crime but rather a component of one or more crimes such as bank fraud, credit card fraud, social program fraud, tax refund fraud, and mail fraud. For example, a fraudster might steal another individual's personal identifying information in one city and use the information to commit credit card fraud and mail fraud in another city or state. Consequently, a number of federal law enforcement agencies can have a role in investigating identity theft crimes, including the Federal Bureau of Investigation (FBI), Internal Revenue Service, U.S. Postal Inspection Service, U.S. Secret Service, and the Social Security Administration's Office of the Inspector General. The Department of Justice (DOJ) prosecutes federal identity theft cases. The FACT Act of 2003, among other things, strengthened victims' rights with respect to identity theft and gave FTC and businesses a larger role in dealing with identity theft crimes. The act also highlighted the need for law enforcement agencies to assist victims in documenting their identity theft crime. Section 609(e) requires business entities to provide victims of identity theft with information on fraudulent business transactions--for example, copies of applications for credit or records of purchases. In the past, businesses have been reluctant to provide such information, fearing their potential exposure to lawsuits for the inappropriate disclosure of sensitive personal financial information. To address this concern, Congress added a provision protecting businesses from civil liability claims for disclosing such information. In addition, the FACT Act reinforces the need for police to assist victims in taking official reports. These reports can then be used to substantiate claims of identity theft when alleged victims request, for example, copies of business records involving instances of potential fraud. The FACT Act also requires that FTC develop a model summary of rights for consumers who believe that they are victims of identity theft (see app. II). CRAs are required to provide a substantially similar version of the model summary of identity theft victim rights to any consumer who "contacts a consumer reporting agency and expresses a belief that the consumer is a victim of fraud or identity theft." As previously mentioned, the act mandated that FTC launch a public campaign on how to prevent identity theft by December 2005, but did not specifically require that section 609(e) be included in the campaign. Some Efforts to Increase Awareness of Section 609(e) Were Under Way as of June 2005: At the time of our review, some efforts to educate consumers, business entities, and local enforcement officials about their rights and obligations under section 609(e)--notably efforts undertaken by the FTC, U.S. Postal Inspection Service, International Association of Chiefs of Police, and National Credit Union Administration--were under way. We found that while most of the federal agencies and law enforcement agencies and other groups that we contacted were engaged in outreach related to identity theft issues, those efforts generally did not have a component specifically addressing section 609(e). In particular, FTC staff told us that outreach for section 609(e) would be part of broader efforts to educate the public, business entities, and law enforcement officials about identity theft and FACT Act provisions and that outreach on 609(e) would increase beginning in December 2005 as part of its public identity theft campaign. As of June 2005, outreach efforts by a variety of interest groups, including businesses and their trade groups, federal law enforcement agencies, and banking regulators, were also just beginning. Most of these groups saw FTC as having primary responsibility for outreach. FTC's Outreach Initiatives on the FACT Act Provisions Are Ongoing and Expected to Increase: FTC staff told us that they have undertaken a number of outreach efforts to educate the public, law enforcement, and others on the FACT Act, including section 609(e). However, FTC staff explained that section 609(e) is only one tool in the resources available to victims for remedying the effects of identity theft and that FTC's first priority is to make those affected aware of all of the relevant provisions contained in the FACT Act. Since 2004, FTC in conjunction with federal law enforcement agencies has cosponsored six conferences and presentations geared directly to local law enforcement, which included a discussion on the FACT Act. In addition, since January 2004 FTC has participated in more than 50 conferences, seminars, and presentations on the FACT Act involving attorneys, bar associations, business trade groups, financial institutions and state regulators. FTC staff told us that these outreach efforts addressed increasing the awareness of section 609(e) provisions, as appropriate to the particular audience. Other FTC outreach efforts on section 609(e) include links on FTC's Web site at [Hyperlink, http://www.consumer.gov/idtheft] to its model summary of identity theft victim rights and other information on identity theft, a toll-free hotline (1-877-IDTHEFT) offering counseling to help consumers who want or need more information about dealing with the consequences of identity theft, and FTC's Consumer Response Center and Distribution Office that provides publications on identity theft, among other topics.[Footnote 9] For example, FTC recently updated its identity theft booklet, renamed Take Charge: Fighting Back Against Identity Theft, to incorporate the FACT Act requirements, including section 609(e).[Footnote 10] Further, FTC has included section 609(e) in the mandated summary of identity theft victim rights that the CRAs began distributing in January 2005. At the time of our review, this summary was the primary mechanism for providing consumers with information on their right to obtain business records on potentially fraudulent transactions. According to FTC staff, FTC's Web site on identity theft included links to section 609(e) as of its effective date of June 1, 2004, which was subsequently integrated into an updated identity theft Web site. According to FTC staff, section 609(e) will also be incorporated into the public education campaign that FTC is required by the FACT Act to implement by December 2005 which will help increase outreach on the provisions. FTC staff told us that the agency has conducted outreach on privacy, consumer reporting, identity theft, and related legislation and regulations for several years and that the initiatives target consumers, businesses, and law enforcement agencies. FTC conducts its identity theft education campaign through its Web site, printed publications, conferences and presentations, syndicated news articles and newscasts, training sessions, communications with state attorneys general, and visits to high school and college campuses. It also holds seminars for small businesses that may not be active with trade groups. Additionally, the agency provides counseling over the telephone to consumers who contact FTC with complaints or inquiries about identity theft. FTC staff explained that the agency attempts to leverage its resources to conduct outreach--that is, it relies on consumers, law enforcement agencies, and businesses to spread the relevant information it provides among one another. FTC staff stated that the mandated public education campaign would build upon and become a component of FTC's ongoing consumer and business education campaigns. FTC staff stated that the mandated campaign will be under way by the December 2005 deadline and will include coverage of section 609(e). The staff told us that in terms of its identity theft outreach to consumers, FTC's priority is for consumers to know that FTC is the organization that consumers should contact if they need information or assistance with identity theft problems. They added that requesting business transaction records under section 609(e) is not the first step an identity theft victim takes to restore his or her credit. According to FTC staff, the campaign will focus on all aspects of identity theft prevention and remediation as well as informing consumers, businesses, and law enforcement agencies about the new rights and responsibilities discussed in section 609(e) and other provisions that are useful to consumers. At the time of our review, FTC could not provide us with information on the exact extent of coverage that section 609(e) would receive in FTC's outreach materials to consumers and businesses. FTC did provide us with a copy of its identity theft public education solicitation dated June 1, 2005. According to the solicitation, one of the expected targets of the campaign are identity theft victims with the goal of assisting those victims in the recovery process by teaching them the steps to take to reclaim their good names. FTC plans to evaluate the effectiveness of the public outreach campaign using various means. According to the solicitation, the program plan for the public education campaign is expected to include strategies for monitoring and evaluation of program results. FTC staff also told us that they also intend to monitor and evaluate the results of this contract through traffic to the identity theft Web site, publications distribution, and identity theft complaints to the FTC. Identity Theft Outreach Efforts by Others Are Also Under Way, but Few Specifically Address Section 609(e): We found that a variety of outreach efforts on identity theft were under way or were being planned by businesses, trade groups, law enforcement agencies, federal banking regulators, and consumer groups. We were able to obtain only limited information on efforts undertaken by businesses and their trade groups and associations. A few business trade group representatives told us that they had been active in reaching out to their constituents on identity theft issues through presentations and newsletters. These representatives told us that it was likely that the level of awareness among midsize and large business entities regarding the FACT Act and section 609(e) was greater than among small businesses, because larger businesses were more likely to belong to trade groups and associations and to have more internal legal resources. The representatives also told us that at the time of our review business entities and their trade groups were focused on other issues likely to have a more direct impact on their operations than section 609(e), such as working with Congress on bankruptcy legislation, which was ultimately passed and became law on April 20, 2005.[Footnote 11] Most of the federal law enforcement officials that we contacted had general identity theft outreach efforts under way that included some form of outreach on the FACT Act, although few specifically included information that addressed section 609(e). Rather, most of these groups focused on general identity theft prevention rather than on the section 609(e) provisions. Officials from one federal law enforcement agency indicated that their identity theft outreach efforts that include FACT Act provisions were in the initial stages of implementation. These efforts are designed to reach consumers, businesses, and law enforcement entities. For example, as previously discussed, federal law enforcement agencies such as DOJ, FBI, the U.S. Postal Inspection Service, and the Secret Service have held joint conferences on identity theft, including a discussion of the FACT Act, and invited local police to attend. As shown in figure 1, one effort that did specifically address section 609(e) and was directed to law enforcement agencies was an advertisement developed by the U.S. Postal Inspection Service that prominently noted the new tools for law enforcement and new rights of victims under the FACT Act, including section 609(e). Figure 1: U.S. Postal Inspection Service Advertisement on Identity Theft and the FACT Act: [See PDF for image] [End of figure] The International Association of Chiefs of Police (IACP) has also specifically addressed section 609(e) in the information that it has disseminated on identity theft.[Footnote 12] An IACP official told us that a lack of awareness among local police departments of the new provision could make it problematic for some identity theft victims to get local police departments to take a police report. The IACP official also emphasized the importance of ensuring that police were aware of the FACT Act and of their responsibility to take reports to validate an identity theft claim. The official added that local police were likely to become increasingly involved in identity theft crimes because these officers are committed to being responsive to the citizens within their communities. To address the perceived lack of awareness among local police, the IACP featured articles on identity theft and the FACT Act, including section 609(e), in its January through April 2005 editions of Police Chief magazine.[Footnote 13] The IACP official also stated that the association was in the process of finalizing a national report on identity theft that would be released in print, on the Internet, and on a CD, and would be featured at conferences. The report will discuss policies and recommended procedures under current laws and describe the responsibilities, including the FACT Act requirements, of law enforcement. While all of the federal banking regulators provided general identity theft outreach, only the National Credit Union Administration specifically addressed the section 609(e) provision in its identity theft outreach efforts. Each of the regulator's general identity theft outreach included conducting presentations, posting related information on their Web site, and publishing identity theft literature or brochures. For example, the Federal Deposit Insurance Corporation (FDIC) published materials such as Consumer News, which featured articles on identity theft but did not address the provisions of section 609(e).[Footnote 14] The only regulator that we identified as having specifically addressed section 609(e) was the National Credit Union Administration which issued a Regulatory Alert in January 2005 informing credit unions about the FACT Act's provisions including section 609(e).[Footnote 15] Some officials noted that the Federal Financial Institutions Examination Council (FFIEC) had recently formed an interagency task force, to among other things, address how federal banking regulators could ensure that regulated institutions were in compliance with the new requirements.[Footnote 16] These officials added that their agencies had not yet established any outreach efforts specific to section 609(e) because they were waiting for the results of the recently formed FFIEC task force, in order to avoid duplicating the task force's efforts. Some consumer groups we contacted maintained FACT Act information on their Web sites and educated identity theft victims who contacted them in some instances by providing telephone counseling and printed publications. Officials from one consumer group acknowledged FTC's mandated campaign as a key outreach tool and suggested that the campaign should also include initiatives directed to businesses. These officials explained that it was important that business entities understand their obligations and roles under section 609(e). Specifically, the officials stated that these initiatives should involve business groups such as the Better Business Bureau, the U.S. Chamber of Commerce, the National Retail Federation, state retailer associations, and TRUSTe®.[Footnote 17] FTC staff told us that they often use associations in their outreach as an effective method to help spread information. The limited anecdotal information that FTC had on victims who attempted to obtain business transaction records related to identity theft suggested that not all businesses were aware of their obligations under section 609(e). According to FTC staff, a few identity theft victims had contacted FTC and reported that they were unable to obtain business transaction records related to the theft of their identity. According to FTC, these instances were caused primarily by businesses' lack of knowledge about their obligations under the FACT Act. Once FTC informed these business entities about their obligations, the victims were able to obtain the necessary transaction records. Most agencies and groups that we spoke with had done some general identity theft outreach and had planned or already had under way a few efforts that focused on section 609(e), but viewed FTC as having the primary responsibility for providing outreach on the FACT Act, including section 609(e). FTC staff told us that they intend to evaluate the effectiveness of FTC's mandated identity theft campaign, which will include the 609(e) provisions, but emphasized that FTC's first priority is outreach to consumers, businesses, and law enforcement on the FACT Act, an effort that would occur over time. As a result, more time is needed to disseminate information about the section 609(e) provisions and determine how useful the provision is in helping victims correct their credit files and resolve their cases. Many Believe the New Provision Will Be Useful, but Some Potential Concerns Were Identified: While not all identity theft victims will need section 609(e), FTC, law enforcement agencies and consumer groups with whom we spoke believed that the provision giving victims access to data on fraudulent business transactions would help in resolving identity theft cases. In particular, law enforcement agencies told us that the information would help victims build stronger cases to present to law enforcement agencies and should provide more of the data that are needed to identify patterns or trends in identity theft practices. Noting that victims of identity theft often have difficulty getting local police to take a report to help substantiate an identity theft crime, consumer advocacy groups also told us that they believed that the new provision should make filing these reports easier. State agencies and consumer advocacy groups also identified some potential concerns with the provision. Among these were the timeliness of the data provided to victims and a concern that businesses could require excessive documentation from victims to support an identity theft claim. FTC, Law Enforcement Agencies and Consumer Groups Believe That the New Provision Will Help Some Victims of Identity Theft: FTC staff told us that depending on the specific circumstances, not all identity theft victims will need to assert their rights under section 609(e) but that section 609(e) would be extremely useful for those victims who need additional documentation to support their disputes of fraudulent accounts. Representatives from federal law enforcement agencies and IACP said that it was too early to determine whether victims were finding it easier to get local police to take identity theft reports and that local law enforcement agencies might not yet be fully aware of the requirements of this provision. But representatives of federal law enforcement agencies and consumer advocacy groups said that the new provision should help empower victims of identity theft by giving these victims access to data on fraudulent business transactions that could help resolve the crimes. The officials explained that before Congress created section 609(e), victims had generally been unable to obtain data on fraudulent business transactions because businesses feared being held liable for providing the information. To address this concern, Congress established limitations in the FACT Act provision so that businesses could not be held liable for disclosing such information to victims.[Footnote 18] Representatives of businesses we spoke to said that addressing the liability issue in the law had removed the barrier to providing information on allegedly fraudulent transactions to victims of identity theft. One consumer group told us that having records of fraudulent business transactions, such as copies of checks or signed applications for credit, would allow victims to prove that someone else was responsible--for instance, by comparing signatures. Without these records, victims may have no way of proving that the transactions were fraudulent and could be forced to pay the bills themselves. Officials from law enforcement agencies told us that as an added benefit, victims would be able to gather more information on their cases that may prompt law enforcement agencies into opening an investigation. In turn, law enforcement officials could use that information to assess the nature and scope of alleged crimes of identity theft. Additionally, law enforcement officials anticipated that the information would help investigators build cases more quickly and identify patterns or trends in identity theft practices. For instance, the information could help identify the frequency of certain types of fraud and the locations being targeted, allowing investigators to better determine whether individual crimes were part of a larger operation. However, federal and state law enforcement officials pointed out that having more information might not necessarily lead to an increase in prosecutions. In fact, one of the states we contacted that had a similar identity theft law told us that the number of police investigations or prosecutions of identity theft crimes had not increased since the state law had been in effect. The officials explained that workloads and other priorities often determined the types of investigations and prosecutions law enforcement undertake. Consumer Advocacy Groups Anticipated That the New Provision Would Make Obtaining a Local Police Report Easier for Victims: Consumer advocacy groups we interviewed noted that in the past, victims of identity theft sometimes had difficulty getting local police to take reports about the crimes, although police reports help substantiate victims' claims. As we reported in 2002, getting local police to file a police report is a critical first step in being able to investigate the crime and in undoing the impacts of identity theft.[Footnote 19] The consumer advocacy groups noted that the new provision will increase pressure on local police to take reports because these reports can play a key role in verifying the identity theft victim's right to access information. These groups pointed out that in California, which has a similar identity theft law already in place, local police who were aware of their obligations under the state law were more likely to take identity theft reports. One consumer advocacy group told us they expect a similar outcome with the FACT Act provision. Additionally, officials from the two states--California and Washington--that have enacted similar identity theft laws agreed that since their laws had been in place, police had generally been more willing to take reports from identity theft victims. Officials from one of the states told us that law enforcement agencies there had also been more active in discussing identity theft issues. Representatives of a consumer advocacy group and law enforcement agencies acknowledged that the overall number of police reports charging identity theft crimes was increasing but noted that it was difficult to attribute this increase to any one cause, including the FACT Act. For instance, one consumer advocacy group we spoke with attributed the increasing willingness of local police to take these reports to the fact that identity theft was a growing problem and that the public was generally more aware of it. Officials from law enforcement agencies also pointed out that the difficulty of filing local police reports was only one of the frustrations victims of identity theft faced. For example, the amount of time required to clean up credit and the lack of criminal prosecutions for these crimes are even more frustrating for victims, and both of the issues remain unresolved. Some State Agencies and Consumer Groups Had Reservations about Portions of the New Provision: Representatives of state agencies and consumer advocacy groups with whom we spoke identified two potential concerns about the provision. First, the provision gives businesses 30 days from the date of a victim's request to provide information on fraudulent business transactions--a time period that some feel is too long. For instance, officials from one state agency and a consumer advocacy group we spoke to stressed the importance of providing information quickly so that victims could begin clearing their credit files and resolving their cases. Several of those we spoke with recommended 2 weeks as a more reasonable length of time for victims to gain access to records and pointed out that states such as California and Washington, which have similar identity theft laws, ask business entities to respond faster. California's privacy laws require that businesses respond within 10 business days of receiving the person's request (which must include a copy of the police report and identifying information). Washington's identity theft law does not specify a time frame for responding to requests for records, but state officials stated that business entities are encouraged to respond within a reasonable amount of time. State officials from both California and Washington noted that victims in their respective states had generally been able to obtain data on fraudulent business transactions within their respective time frames. In contrast, business entities we spoke with believed that there could be complicated situations in which it might be difficult to respond within the 30-day time period. Additionally, representatives from two law enforcement groups said that the 30-day time period appeared to be reasonable. They explained that businesses might need the time to review the request and verify a victim's identity and added that the 30 days could reflect the reality of running a business with competing priorities. FTC staff said that although they did not know how long businesses were taking to respond to victims, it would be unfortunate if businesses were in fact taking the full 30 days. While these officials agreed that victims needed to obtain information promptly in order to resolve their cases, they noted that the 30-day time period had been established to give businesses additional time to respond to requests if needed. Because the law affects a wide range of businesses, the officials told us, it must allow for a wide range of circumstances. Consumer advocacy groups were also concerned with the discretion the provision gives to businesses to request additional documentation-- beyond a police report--as proof of a victim's claim of identity theft. Under the provision, businesses may require victims to provide a copy of a standardized affidavit of identity theft or an acceptable affidavit of fact as well as a police report.[Footnote 20] FTC, in conjunction with credit grantors and consumer advocates, has developed the Identity Theft Affidavit, a standard form victims can use to report information on, for example, fraudulent accounts that have been opened. The affidavit of fact is a business' own form used by a victim for documenting alleged identity theft. However, consumer groups we spoke with said that a police report should be sufficient evidence to verify an identity theft claim and questioned the amount of information businesses actually needed. Representatives of CRAs also pointed out that a broad range of what could be characterized as identity theft reports existed. These representatives explained that any law enforcement group, whether civil or criminal, could take an identity theft report, raising concerns about the consistency of the information being reported and the possibility that the credit repair industry could misuse it.[Footnote 21] Additionally, officials in California and Washington told us that victims of identity theft in their states had experienced difficulties trying to obtain data on fraudulent business transactions immediately after their state laws were enacted. The officials attributed the initial difficulties to the fact that businesses were probably not aware of the new statutes. Officials in California told us that they had developed a template for a letter that victims could send to businesses. The letter provides information both on the law and on penalties for noncompliance and had been effective in getting businesses to comply. Officials in Washington told us that they had provided education to consumers, businesses, and the law enforcement community early on. For instance, the business community was involved in disseminating information on the requirements of the law, and a law enforcement "tool kit" was developed that provided information on the law and criminal provisions. As mentioned earlier, we were only able to obtain opinions from a limited number of businesses or industry representatives, including trade associations, on the experiences of businesses in complying with section 609(e) or the expected impact of this provision. Several of the national business and industry representatives we contacted declined our requests for comments because they had limited information to share with us on the likely extent of awareness within the business community on this provision. While we did manage to gather some opinions from a few businesses and associations, the information obtained was extremely limited. FTC staff told us that as part of their overall FACT Act outreach efforts, they intend to monitor the implementation of section 609(e) to determine whether any additional efforts are necessary to ensure that the provision is working as Congress intended. They also stated that they would use their law enforcement authority as appropriate if they determined that a business or businesses were not complying with the provisions of section 609(e). FTC's Model Summary of Rights Process Has Generally Been Viewed Favorably: Officials and representatives of federal agencies and consumer groups we contacted believe that the FTC's new summary of rights will be useful to victims of identity theft. As mandated by the FACT Act, FTC published its final summary of rights in November 2004, and CRAs began distributing a version of the summary to consumers in January 2005. Federal banking agencies spoke favorably of FTC's process for soliciting comments while the agency was developing the model summary. However, some consumer groups told us that they still had some potential concerns with the final document. These potential concerns included the lack of a requirement that CRAs make the summary available in other languages, specifically Spanish, and the general readability of the summary. In response to these potential concerns, FTC stated that while CRAs are not required to provide the summary in other languages, FTC's consumer model summary does contain a statement in Spanish directing consumers to FTC to obtain additional information. FTC has made a Spanish version available on its identity theft Web site. FTC also stated that it had tried to use plain language in the summary, and it recognized the need for additional outreach efforts. We also noted that overall FTC's final summary was more concise and used shorter sentences than its draft summary, resulting in a document that we found generally easy to read. Federal Banking Regulators Had a Favorable View of FTC's Process of Developing the Model Summary: On November 30, 2004, FTC published its final version of the model summary of identity theft rights as mandated by the FACT Act (see app. II). The summary highlights the major rights FCRA provides to identity theft victims seeking to remedy the effects of fraud or identity theft. These include: * the right to obtain free file disclosures, * the right to file fraud alerts,[Footnote 22] * the right to obtain documents or information relating to transactions involving the consumers' personal information, and: * the right to prevent consumer reporting agencies from reporting information that is the result of identity theft. As outlined in FTC's guidance, CRAs were to begin distributing by January 31, 2005, a "substantially similar" version of FTC's summary to consumers who believed they had been victims of fraud or identity theft. According to representatives with whom we spoke, these agencies had begun distributing their summaries of identity theft victim rights before this date. The representatives also noted that the summaries distributed were very similar to the FTC's model summary of rights. Under the FACT Act, the FTC was required to consult with the federal banking agencies and the NCUA in preparing the model summary of consumers' rights. Federal banking agency officials told us that FTC had effectively promoted collaboration among the regulators in developing the summary of identity theft rights. Federal banking agency officials also stated that FTC solicited comments on two draft versions. The officials told us that although they did not have substantive concerns with either version, they did provide editorial comments. These officials said that they suggested, among other things, avoiding technical terms, using fewer acronyms, shortening sentences, and in general focusing on keeping the summary easy to read by using simple English. Additionally, the federal banking agency officials stated that FTC had substantially incorporated the agencies' input. Officials of law enforcement agencies and representatives of consumer groups whom we contacted believed that the summary should provide useful information for victims of identity theft. For instance, officials from two law enforcement agencies stated that the model summary would be a significant aid to victims. The officials explained that in the past victims had often felt helpless because of the limited avenues available to them in resolving their cases. With the summary of rights, however, victims can learn about concrete steps they can take to help themselves. Similarly, consumer advocacy groups believed that the summary of rights contained information that would be useful to victims of identity theft and added that the document would be among the most important tools in implementing the changes to the FACT Act. These groups also stated that FTC's model summary of rights would be useful in setting the standards for efforts by media and nongovernmental organizations to educate consumers about their credit reporting rights in general. Some Consumer Groups Remain Concerned about the Availability of Translations and about Readability: Some consumer advocacy groups we spoke with identified two potential concerns with FTC's final model summary of rights.[Footnote 23] First, these groups pointed out that FTC did not require CRAs to make the model summary of rights available in other languages, primarily Spanish, and that access to bilingual information was especially important to those persons whose dominant or sole language is Spanish. According to these groups, the Census 2000 figures indicate that nearly 19.6 million U.S. citizens between the ages of 18 and 64 spoke Spanish and that one-third of this group spoke English "not well" or "not at all." FTC staff told us that while the CRAs were not required to provide a copy of the summary in other languages, the final summary did contain a Spanish statement telling consumers to contact the FTC for information in Spanish and giving both the agency's mailing and Web site addresses. A Spanish translation of the summary of rights is available on FTC's identity theft Web site. Finally, FTC staff told us that FTC targets certain populations in its ongoing public outreach efforts and expects to continue to do so in the context of its mandated public campaign on identity theft prevention. The three nationwide CRAs we contacted provided us with copies of their summaries of rights for identity theft victims that the agencies had begun distributing to consumers in January 2005. Only one of the agencies had made a summary of rights available in Spanish; the other two had placed a Spanish statement similar to FTC's on their summaries directing consumers to FTC for information in Spanish. Officials from the CRAs told us that they distributed the model summary of rights to consumers who notified them of potential identity theft and not, in general, to every consumer who contacted them. Second, consumer advocacy groups were concerned that the model summary would not be easy to read and understand. A comment letter to the FTC from nine consumer advocacy groups said that the model summary of rights should be tested for readability before it was finalized to ensure that it could be easily understood by all consumers, including those with limited education and those who did not speak English as their primary language. The letter stated that having a readable summary was vital to ensuring that consumers were aware of their rights with respect to identity theft, especially those consumers who might not be familiar with the financial services world. One consumer group we spoke with also stressed that readability, which includes the organization of the document and format, was important for any public message. In response to the comments the agency received, FTC's final rule stated that the agency had tried as far as possible to use plain language in the summary and agreed that the notices needed to be supplemented by outreach efforts, which the agency said it intended to undertake. FTC staff also told us that while they did not have the document reviewed by a private readability expert, they did have the document reviewed internally for presentation and clarity by FTC's Office of Consumer and Business Education. In our review of FTC's draft and final summary of identity theft rights, we found that overall FTC's final summary was more concise and used shorter sentences than its draft summary. Several of the comments to FTC had suggested streamlining the information to improve the clarity of the document. As a result, the final summary was generally easy to read. Conclusions: Section 609(e) is intended to help victims of identity theft obtain access to data on fraudulent business transaction records that could help in repairing the damage, financial and otherwise, that crimes of identity theft can inflict. However, because section 609(e) has been in effect only a short time (since June 2004), it is too soon to assess the effectiveness of the provision. Because efforts to alert consumers, business entities, and local law enforcement agencies on their rights and responsibilities under section 609(e) were in their early stages, it is also too soon to determine the extent of the awareness and use of section 609(e) by these groups. The FACT Act mandates that FTC conduct outreach on identity theft prevention, and most of the groups we contacted felt that FTC should have primary responsibility on identity theft issues. FTC is in a unique position because it already has an existing dialogue with the critical groups involved in section 609(e) through its ongoing outreach efforts on identity theft issues, its interaction with consumers who use its identity theft hotline and consumer complaint database, and its mandated campaign on identity theft prevention. In contrast, no other agency or group maintains public outreach efforts that are as far reaching as the FTC's. FTC intends to assess the effectiveness of its mandated identity theft campaign which will include coverage of section 609(e). Such an assessment would be useful as a means of determining the extent that consumers, businesses, and local law enforcement agencies are aware of their rights and obligations under section 609(e), the extent of any implementation issues, and whether the new provision is helping consumers as intended to remedy the effects of identity theft. Similarly, experience with victims who have attempted to obtain business records is limited by the short period of time that has elapsed since the act went into effect. It is too early to assess the actual impact of section 609(e) on consumers' ability to get business records relating to suspected fraudulent transactions. While consumer groups and state agencies identified some potential problems with the provision, additional experience and input from identity theft victims will be needed to determine whether these concerns prove to be valid and what, if any, other issues may arise. While FTC's process for developing its mandated model summary of identity theft victim rights was viewed favorably and CRAs had begun distributing a similar version of the summary to consumers, some potential concerns with the summary of rights were noted. These potential concerns center primarily on the limited availability of a Spanish version of the summary of rights and, to a lesser extent, on the clarity of the summary of rights to the general population. While it is too early to determine the extent of any implementation issues, FTC efforts to monitor the implementation of section 609(e) should provide additional information on the usefulness of the summary of rights in aiding identity theft victims. We are sending copies of this report to interested congressional committees and subcommittees; the Chairman, FTC; the Attorney General; the Director, FBI; the Secretary of Homeland Security; the Commissioner, Social Security Administration; the Chief Postal Inspector, U.S. Postal Inspection Service; the Director, U.S. Secret Service; the Chairman, Federal Deposit Insurance Corporation; the Chairman, Board of Governors of the Federal Reserve System; the Acting Comptroller of the Currency; the Acting Director, Office of Thrift Supervision; the Chairman, National Credit Union Administration; and the Secretary of the Treasury. We will make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at http://www.gao.gov. If you have any questions concerning this report, please contact me at (202) 512-8678 or [Hyperlink, hillmanr@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Other staff who contributed to this report are Harry Medina, Tania Calhoun, Heather Dignan, and Janet Fong. Signed by: Richard J. Hillman: Director, Financial Markets and Community Investment: [End of section] Appendixes: Appendix I: Objectives, Scope, and Methodology: Our reporting objectives were to (1) provide information on outreach efforts to consumers, businesses, and local law enforcement agencies on the provision in the Fair and Accurate Credit Transactions (FACT) Act of 2003 that allows identity theft victims to obtain business records relating to fraudulent transactions; (2) describe the views and opinions of relevant federal agencies, private business entities, and consumer groups regarding the expected impact of the provision; and (3) discuss the process used by the Federal Trade Commission (FTC) to develop the model summary of rights of identity theft victims mandated in the FACT Act and examine the opinions of related groups on this process. To address all three objectives, we: * contacted representatives of FTC and five federal law enforcement agencies that are involved in the investigation and prosecution of identity theft crimes--Department of Justice, Federal Bureau of Investigation, Social Security Administration, U.S. Postal Inspection Service, and U.S. Secret Service--and the International Association of Chiefs of Police, which includes the heads of police departments around the country and abroad; * met with officials of the five federal banking regulators--Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision-- regarding compliance by federally insured depository institutions with the FACT Act provision and their interaction with consumers on identity theft issues; * spoke with representatives of the three national credit reporting agencies (CRAs)--Experian, Equifax, and Transunion--which play a key role in distributing the summary of identity theft victim rights and in helping identity theft victims correct their credit records; * held meetings with representatives of two states--California and Washington--that had previously enacted identity theft laws with provisions similar to the section 609(e) to obtain their views on the expected effectiveness of the federal provision; * contacted five consumer advocacy groups--Consumers Union, Identity Theft Resource Center, National Consumer Law Center, Privacy Rights Clearinghouse, and U.S. Public Interest Research Group--that were identified as being active in identity theft issues to obtain their views and perspectives as representatives of consumers and identity theft victims; and: * obtained limited information from a few businesses and trade associations on these subjects. Specifically, we contacted officials from state retailers' associations in California, Florida, and Texas, as well as the Coalition to Implement the FACT Act which represents a range of trade associations and business entities that furnish and use consumer information, including financial services companies and retail associations. We also attempted to contact other businesses and associations through other groups such as the U.S. Chamber of Commerce and a private consultant. However, these businesses and associations declined to offer comments, in some cases citing their limited exposure to these provisions. For all the groups that we contacted, we reviewed information pertaining to identity theft and the FACT Act that was available to consumers on their Web sites. We obtained and examined information associated with their outreach programs. However, we did not perform test callings of FTC's identity theft hotline to determine how the FACT Act provisions had been incorporated. We also did not interview identity theft victims. Additionally, to describe the process FTC used to develop the model summary of rights of identity theft victims required by the FACT Act and the views of groups that commented on the process, we reviewed a variety of documents from the agency and other sources. These documents included FTC's draft and final versions of the model summary, final guidance on model disclosures, public comment letters FTC received on the draft, and other summaries of identity theft victims' rights created by the CRAs. We conducted our work in Washington, D.C., and San Francisco, California, from September 2004 through June 2005 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Reprint of FTC's Model Summary of Identity Theft Victim Rights: Para informacion en espanol, visite [Hyperlink, http://www.consumer.gov/idtheft] o escribe a la FTC, Consumer Response Center, Room 130-B, 600 Pennsylvania Avenue, N.W. Washington, D.C., 20580. Remedying the Effects of Identity Theft: You are receiving this information because you have notified a consumer reporting agency that you believe that you are a victim of identity theft. Identity theft occurs when someone uses your name, Social Security number, date of birth, or other identifying information, without authority, to commit fraud. For example, someone may have committed identity theft by using your personal information to open a credit card account or get a loan in your name. For more information, visit [Hyperlink, http://www.consumer.gov/idtheft] or write to: FTC, Consumer Response Center, Room 130-B, 600 Pennsylvania Avenue, N.W. Washington, D.C., 20580. The Fair Credit Reporting Act (FCRA) gives you specific rights when you are, or believe that you are, the victim of identity theft. Here is a brief summary of the rights designed to help you recover from identity theft. 1. You have the right to ask that nationwide consumer reporting agencies place "fraud alerts" in your file to let potential creditors and others know that you may be a victim of identity theft. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide consumer reporting agencies. As soon as that agency processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file. * Equifax: 1-800-525-6285; [Hyperlink, http://www.equifax.com]: * Experian: 1-888-EXPERIAN (397-3742); [Hyperlink, http://www.experian.com]: * TransUnion: 1-800-680-7289; [Hyperlink, http://www.transunion.com]: An initial fraud alert stays in your file for at least 90 days. An extended alert stays in your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit. For more detailed information about the identity theft report, visit [Hyperlink, http://www.consumer.gov/idtheft]. 2. You have the right to free copies of the information in your file (your "file disclosure"). An initial fraud alert entitles you to a copy of all the information in your file at each of the three nationwide agencies, and an extended alert entitles you to two free file disclosures in a 12-month period following the placing of the alert. These additional disclosures may help you detect signs of fraud, for example, whether fraudulent accounts have been opened in your name or whether someone has reported a change in your address. Once a year, you also have the right to a free copy of the information in your file at any consumer reporting agency, if you believe it has inaccurate information due to fraud, such as identity theft. You also have the ability to obtain additional free file disclosures under other provisions of the FCRA. See [Hyperlink, http://www.ftc.gov/credit]. 3. You have the right to obtain documents relating to fraudulent transactions made or accounts opened using your personal information. A creditor or other business must give you copies of applications and other business records relating to transactions and accounts that resulted from the theft of your identity, if you ask for them in writing. A business may ask you for proof of your identity, a police report, and an affidavit before giving you the documents. It also may specify an address for you to send your request. Under certain circumstances, a business can refuse to provide you with these documents. See [Hyperlink, http://www.consumer.gov/idtheft]. 4. You have the right to obtain information from a debt collector. If you ask, a debt collector must provide you with certain information about the debt you believe was incurred in your name by an identity thief - like the name of the creditor and the amount of the debt. 5. If you believe information in your file results from identity theft, you have the right to ask that a consumer reporting agency block that information from your file. An identity thief may run up bills in your name and not pay them. Information about the unpaid bills may appear on your consumer report. Should you decide to ask a consumer reporting agency to block the reporting of this information, you must identify the information to block, and provide the consumer reporting agency with proof of your identity and a copy of your identity theft report. The consumer reporting agency can refuse or cancel your request for a block if, for example, you don't provide the necessary documentation, or where the block results from an error or a material misrepresentation of fact made by you. If the agency declines or rescinds the block, it must notify you. Once a debt resulting from identity theft has been blocked, a person or business with notice of the block may not sell, transfer, or place the debt for collection. 6. You also may prevent businesses from reporting information about you to consumer reporting agencies if you believe the information is a result of identity theft. To do so, you must send your request to the address specified by the business that reports the information to the consumer reporting agency. The business will expect you to identify what information you do not want reported and to provide an identity theft report. To learn more about identity theft and how to deal with its consequences, visit [Hyperlink, http://www.consumer.gov/idtheft], or write to the FTC. You may have additional rights under state law. For more information, contact your local consumer protection agency or your state attorney General. In addition to the new rights and procedures to help consumers deal with the effects of identity theft, the FCRA has many other important consumer protections. They are described in more detail at [Hyperlink, http://www.ftc.gov/credit]. (250217): FOOTNOTES [1] Pub. L. No. 108-159, 117 Stat. 1952 (2003) and Pub. L. No. 91-508, 84 Stat. 1114 (codified at 15 U.S.C. §§ 1681 et seq.) (2000). [2] Section 151 of the FACT Act amended section 609 of the FCRA. Section 609(e) of the amended FCRA specifies that business entities must respond within 30 days, subject to verification of the victim's identity and claim of identity theft, to request a copy of an application and business transaction records evidencing any transaction alleged to be the result of identity theft. These transactions may involve, among other things, granting credit; providing products, goods, or services; and accepting payments. Pub. L. No. 108-159, § 151(a)(1), 117 Stat. 1952, 1961 (2003) (codified at 15 U.S.C.A. § 1681g) (West Supp. 2004). [3] Section 609(d) of the amended FCRA. Pub. L. No. 108-159, sec. 151(a)(1). Appendix II provides FTC's final Model Summary of Identity Theft Victims Rights. [4] Pub. L. No. 108-159, § 151(b), 117 Stat. 1952, 1964 (2003). FTC's mandate requires it to establish and implement, by December 2005, a media and distribution campaign to educate the public on how to prevent identity theft. The campaign is to include existing Commission education materials, as well as radio, television, and print public service announcements, video cassettes, interactive digital video discs (DVDs) or compact audio discs (CDs), and Internet resources. [5] Section 609(e)(13) of the amended FCRA. The FACT Act also mandated that GAO evaluate consumers' knowledge and experience with credit reporting and provide recommendations for improving general financial literacy among consumers. We addressed these topics in Credit Reporting Literacy: Consumers Understood the Basics but Could Benefit from Targeted Education Efforts, GAO-05-223 (Washington, D.C.: Mar. 16, 2005) and Highlights of a GAO Forum, the Federal Government's Role in Improving Financial Literacy, GAO-05-93SP (Washington, D.C.: Nov. 15, 2004) available at http://www.gao.gov. In addition, the FACT Act directed GAO to conduct an assessment of the effectiveness of the Financial Literacy and Education Commission, created by the FACT Act (section 517). This report will be issued in December 2006. [6] Companies that assemble consumer credit information and sell this information are referred to as "consumer reporting agencies" by the legislation governing credit reports. See FCRA, 12 U.S.C. §§ 1681-1681x as amended (2004). These companies are also referred to as "credit bureaus," "credit reporting companies," and "credit reporting agencies." [7] Pub. L. No. 105-318, codified in part at 18 U.S.C. § 1028. Under the 1998 act, it is a criminal offense if a person "knowingly transfers, possesses, or uses, without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." 18 U.S.C.A § 1028(a)(7) (West Supp. Oct. 2004). [8] Pub. L. No. 105-318, § 5(a)(1), 112 Stat. 3007, 3010 (1998) (codified at 18 U.S.C. § 1028 note (2000). [9] We reviewed FTC's Web sites on credit and identity theft at www.ftc.gov and www.consumer.gov. FTC makes available printed copies of all its publications through the Consumer Response Center and Distribution Office. All publications from FTC are free. [10] See page 8. This guidance, formerly titled ID Theft: When Bad Things Happen to Your Good Name, is available at www.ftc.gov and www.consumer.gov. The FACT Act required the FTC, in consultation with the federal banking agencies and the National Credit Union Administration, to develop a model form and procedures for consumers to use when informing creditors and consumer reporting agencies that they are identity theft victims. The model form and procedures are included in this guidance. [11] Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, Pub. L. 109-8, 119 Stat. 23 (2005). [12] According to its Web site, IACP is the world's oldest and largest nonprofit membership organization of police executives, with more than 20,000 members in over 89 different countries. Its leadership consists of the operating chief executives of international, federal, state, and local agencies of all sizes. See http://www.theiacp.org. [13] The online edition of Police Chief is available at www.policechiefmagazine.org. [14] See www.fdic.gov. An FDIC official also indicated that they plan to remind financial institutions of their obligations under the provisions of the FACT Act and section 609(e) at future outreach events. [15] National Credit Union Administration Regulatory Alert No. 05-RA- 03, January 2005. [16] FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for federal examination of financial institutions by the Board of Governors of the Federal Reserve System, FDIC, Office of Thrift Supervision, National Credit Union Administration, and Office of the Comptroller of the Currency, and to make recommendations to promote uniformity in the supervision of financial institutions. [17] See the TRUSTe® Web site at www.truste.org. [18] Section 609(e)(7) of the amended FCRA. No business entity may be held civilly liable under any provision of federal, state, or other law for disclosure, made in good faith pursuant to this subsection. [19] GAO, Identity Theft: Greater Awareness and Use of Existing Data Are Needed, GAO-02-766 (Washington, D.C.: June 28, 2002). [20] Section 609(e)(2)(B) of the amended FCRA. As proof of a claim of identity theft, a business may require a copy of a police report evidencing the claim of the victim of identity theft, a copy of FTC's standardized affidavit of identity theft, or an acceptable affidavit of fact. [21] Credit reporting agency representatives were concerned that there may be instances in which certain consumer credit information is blocked under the pretense of alleged identity theft in an effort to improve a consumer's credit standing. [22] According to the FTC Web site, a fraud alert requests creditors to contact the consumer before opening any new accounts or making any changes to existing accounts. Once a fraud alert has been confirmed by one nationwide CRA, the other two nationwide agencies are automatically notified and requested to do the same. [23] The Federal Trade Commission published for public comment two summaries of rights under FCRA and two notices of duties under FCRA, as required by FCRA Section 609 and 607, respectively. See 69 Fed. Reg. 42616 n. 136 (July 16, 2004). GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: