WASHINGTON, D.C. — The Federal Trade Commission reminded businesses on Monday of their duties under federal law if they suffer a data breach. Specifically, businesses are required to provide identity theft victims — or law enforcement at the victim’s request — with a copy of records relating to the theft.

The requirement, or what is called “the business records turnover provision,” falls under the Fair Credit Reporting Act (FCRA). It says businesses must provide free of charge and without subpoena the records relating to the theft within 30 days of a victim’s written request.  

“Identity theft victims may need the records to document the crime or clear up their good name,” FTC attorney Amanda Koulousias wrote in a blog posted to the regulator’s site. “You want to help them and you know you need to comply with the law. So, make sure you have policies in place for responding to victims’ requests for records.”

Koulousias also recommended that businesses know what types of records they have. Examples listed include applications, account statements, receipts, customer service notes associated with the transaction, and records showing where merchandise was purchased or shipped.

“If you know what you have, then you can better ensure that victims are provided all types of records related to the identity theft,” Koulousias wrote.

The FTC attorney noted that the FCRA’s business record turnover provision applies to all different types of identity theft, including new accounts opened, as well as purchases on existing accounting. “That’s why it’s important to evaluate your policies periodically to make sure they include new types of identity theft as they emerge,” she wrote.

Even if the victim has received records before, the FCRA requires that businesses provide the records requested by the consumer. “Victims may not have kept the copies they previously received, especially if the identity theft happened some time ago,” Koulousias wrote, in part. “Denying the victim’s request because the victim previously had access to the records does not comply with Section 609(e).”

Businesses can refuse to provide records if they are not sure of the victim’s identity. According to the blog post, the FCRA allows businesses to ask for proof of identity, such as a copy of a government-issued identification.

“You may also ask for proof of a claim of identity theft, such as an Identity Theft Report issued by the FTC of a police report,” Koulousias noted. “An FTC Identity Theft report subjects the person filing the report to criminal penalties if the information is false, and businesses can treat it as they would a police report.

“After receiving those documents, if, in good faith, you can’t verify the victim’s identity or believe the request for records was based on a misrepresentation, you may decline to provide the records.”