Business Blog
FTC says Kohl’s didn’t honor rights of identity theft victims
An FTC complaint against Kohl’s Department Stores alleges the retailer violated the Fair Credit Reporting Act by refusing to provide victims of identity theft with complete records of questionable transactions – a right the FCRA guarantees to victimized consumers. The $220,000 settlement is a reminder to other companies to rethink their approach to that provision of the law.
The FTC’s allegations start with the plain language of Section 609(e) of the Fair Credit Reporting Act, but it boils down to this. Let’s say a consumer spots unauthorized charges or lines of credit that suggest they’re victims of identity theft. To put the puzzle pieces together, they’ll need copies of documents from the businesses where those transactions occurred. Once a consumer asks for those documents, Section 609(e) gives businesses 30 days to provide the records. The law allows businesses to require proof of identity (like a driver’s license) and proof of the identity theft (like a police report and affidavit), but the whole idea behind the provision is to avoid re-victimizing consumers by tying them up in red tape.
Kohl’s original practice was to provide records to victims within 30 days, subject to proper verification. But according to the FTC, in February 2017, Kohl’s changed its policy and would share information identifying the identify thief only with law enforcement or with a victim’s attorney – not with the victimized consumer.
In August 2018, Kohl’s changed its policy again and gave customers with a Kohl’s charge account a more expansive list of business and transaction records – for example, statements, receipts, and applications. But Kohl’s still refused to give them information identifying the alleged thief (including the address and phone number listed on a fraudulent application or the shipping address used for fraudulent orders). Kohl’s also stopped providing that information to victims’ attorneys. That left victims with only one recourse: a direct request from a law enforcement agency.
According to the complaint, the company’s revised policies left consumers with no practical way to get the documentation they needed to establish the charges weren’t theirs. What’s more, people whose lives had already been turned upside down by identity thieves now found themselves at odds with Kohl’s. Even when consumers complained to Kohl’s and sent the company copies of Section 609(e) of the FCRA and accompanying FTC guidance documents, the complaint alleges that Kohl’s stonewalled them.
It wasn’t until April 2019 that Kohl’s finally re-re-revised its policy to provide victims with the credit application and transaction records they asked for. The complaint charges that Kohl’s violated the FCRA by failing to provide consumers with the records they had a right to under the law. The FTC also says the company violated Section 609(e)’s 30-day requirement. In addition to the $220,000 civil penalty, the settlement requires Kohl’s to provide identity theft victims with business transaction records related to the theft within 30 days. The company also must post a notice on its website letting victims know how to get those records and must certify that it’s reached out to victims who were unlawfully denied access to those records in the past.
In reconsidering your own company’s compliance, take a close look at the FCRA, of course. But also view your procedures through the eyes of the millions of Americans who have been victims of identity theft – including your friends, family members, and employees. How would you want them to be treated as they undertake the all-too-arduous task of reclaiming their good name in the aftermath of identity theft? In the long run, implementing a consumer-centric approach to Section 609(e) compliance has two benefits for your business. First, it can keep you off the law enforcement radar screen. Second, by treating victims of identity theft with sensitivity and respect, you just may win a loyal customer for life.
Visit the FTC’s Credit Reporting page for compliance resources, including Businesses Must Provide Victims and Law Enforcement with Transaction Records Relating to Identity Theft.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.