We must work together to protect the privacy and information of consumers. The following information security measures are designed to reduce unauthorized access to consumer information. It is your responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to employ an outside service provider to assist you. Capitalized terms used herein have the meaning given in the Glossary attached hereto. The credit reporting agency reserves the right to make changes to Access Security Requirements without notification. The information provided herewith provides minimum baselines for information security.
In accessing the credit reporting agency’s services, you agree to follow these security requirements:
1 Implement Strong Access Control Measures
1.1 Do not provide your credit reporting agency Subscriber Codes or passwords to anyone. No one from the credit reporting agency will ever contact you and request your Subscriber Code number or password.
1.2 Proprietary or third party system access software must have credit reporting agency Subscriber Codes and password(s) hidden or embedded. Account numbers and passwords should be known only by supervisory personnel.
1.3 You must request your Subscriber Code password be changed immediately when:
• any system access software is replaced by other system access software or is no longer used;
• the hardware on which the software resides is upgraded, changed or disposed of.
1.4 Protect credit reporting agency Subscriber Code(s) and password(s) so that only key personnel know this sensitive information. Unauthorized personnel should not have knowledge of your Subscriber Code(s) and password(s).
1.5 Create a separate, unique user ID for each user to enable individual authentication and accountability for access to the credit reporting agency’s infrastructure. Each user of the system access software must also have a unique logon password.
1.6 Ensure that user IDs are not shared and that no Peer-to-Peer file sharing is enabled on those users’ profiles.
1.7 Keep user passwords Confidential.
1.8 Develop strong passwords that:
• are not easily guessable (e.g., your name or company name, repeating numbers and letters or consecutive numbers and letters);
• contain a minimum of seven (7) alpha/numeric characters for standard user accounts.
1.9 Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations.
1.10 Active logins to credit information systems must be configured with a 30-minute inactive session timeout.
1.11 Restrict the number of key personnel who have access to credit information.
1.12 Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.
1.13 Ensure that you and your employees do not access your own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
1.14 Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
1.15 After normal business hours, turn off and lock all devices or systems used to obtain credit information.
1.16 Implement physical security controls to prevent unauthorized entry to your facility and access to systems used to obtain credit information.
2 Maintain a Vulnerability Management Program
2.1 Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.
2.2 Configure infrastructure such as Firewalls, Routers, personal computers, and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
2.3 Implement and follow current best security practices for Computer Virus detection scanning services and procedures:
• Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks.
• If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
• On a weekly basis at a minimum, keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files.
2.4 Implement and follow current best security practices for computer anti-Spyware scanning services and procedures:
• Use, implement and maintain a current, commercially available computer anti-Spyware scanning product on all computers, systems and networks.
• If you suspect actual or potential Spyware, immediately cease accessing the system and do not resume the inquiry process until the problem has been resolved and eliminated.
• Run a secondary anti-Spyware scan upon completion of the first scan to ensure all Spyware has been removed from your computers.
• Keep anti-Spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti-Spyware definition files weekly, at a minimum. If your company’s computers have unfiltered or unblocked access to the Internet (filtering or blocking prevents access to some known problematic sites), then it is recommended that anti-Spyware scans be completed more frequently than weekly.
3 Protect Data
3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (e.g., tape, disk, paper).
3.2 All credit reporting agency data is classified as Confidential and must be secured to this requirement at a minimum.
3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
3.4 Encrypt all credit reporting agency data and information when stored on any laptop computer and in the database using AES or 3DES with 128-bit key encryption at a minimum.
3.5 Only open email attachments and links from trusted sources and after verifying legitimacy.
4 Maintain an Information Security Policy
4.1 Develop and follow a security plan to protect the Confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule.
4.2 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators.
4.3 The FACTA Disposal Rules require that you implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
4.4 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within your organization.
5 Build and Maintain a Secure Network
5.1 Protect Internet connections with dedicated, industry-recognized Firewalls that are configured and managed using industry best security practices.
5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
5.3 Administrative access to Firewalls and servers must be performed through a secure internal wired connection only.
5.4 Any stand-alone computers that directly access the Internet must have a desktop Firewall deployed that is installed and configured to block unnecessary/unused ports, services and network traffic.
5.5 Encrypt Wireless access points with a minimum of WEP 128-bit encryption, or WPA encryption where available.
5.6 Disable vendor default passwords, SSIDs and IP Addresses on Wireless access points and restrict authentication on the configuration of the access point.
6 Regularly Monitor and Test Networks
6.1 Perform regular tests on information systems (port scanning, virus scanning, vulnerability scanning).
6.2 Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide Services hereunder to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
• protecting against intrusions;
• securing the computer systems and network devices; and
• protecting against intrusions of operating systems or software.
Record Retention
The Federal Equal Opportunities Act states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, the credit reporting agency requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, the credit reporting agency will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. “Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $2,500 per violation.”
Glossary of Terms
Computer Virus: A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying.
Confidential: Very sensitive information. Disclosure could adversely impact our company.
Encryption: Encryption is the process of obscuring information to make it unreadable without special knowledge.
Firewall: In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of Firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.
Information Lifecycle: (Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained.
IP Address: A unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). All participating network devices - including routers, computers, time-servers, printers, Internet fax machines, and some telephones - must have their own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure as hackers can gain control of your devices and possibly launch an attack on other devices.
Peer-to-Peer: A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission.
Router: A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks transferring data packets.
Spyware: Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the consent of that machine's owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the internet.
SSID: Part of the Wi-Fi Wireless LAN, a service set identifier (SSID) is a code that identifies each packet as part of that network. Wireless devices that communicate with each other share the same SSID.
Subscriber Code: Your seven digit credit reporting agency account number.
WEP Encryption: (Wired Equivalent Privacy) A part of the wireless networking standard intended to provide secure communication. The longer the key used, the stronger the encryption will be. Older technology reaching its end of life.
WPA: (Wi-Fi Protected Access) A part of the wireless networking standard that provides stronger authentication and more secure communications. Replaces WEP. Uses dynamic key encryption versus static as in WEP (key is constantly changing and thus more difficult to break than WEP).
FCRA Requirements
Federal Fair Credit Reporting Act (as amended by the Consumer Credit Reporting Reform Act of 1996)
Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects you as a user of information. We have included a copy of the FCRA with your membership kit. We suggest that you and your employees become familiar with the following sections in particular:
§ 604. Permissible Purposes of Reports
§ 607. Compliance Procedures
§ 615. Requirement on users of consumer reports
§ 616. Civil liability for willful noncompliance
§ 617. Civil liability for negligent noncompliance
§ 619. Obtaining information under false pretenses
§ 621. Administrative Enforcement
§ 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
§ 628. Disposal of Records
Each of these sections is of direct consequence to users who obtain reports on consumers.
As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance or in connection with some other legitimate business transaction such as in investment, partnership, etc. It is imperative that you identify each request for a report to be used for employment purposes when such report is ordered. Additional state laws may also impact your usage of reports for employment purposes.
We strongly endorse the letter and spirit of the Federal Fair Credit Reporting Act. We believe that this law and similar state laws recognize and preserve the delicate balance between the rights of the consumer and the legitimate needs of commerce.
In addition to the Federal Fair Credit Reporting Act, other federal and state laws addressing such topics as computer crime and unauthorized access to protected databases have also been enacted. As a prospective user of consumer reports, we expect that you and your staff will comply with all relevant federal statutes and the statutes and regulations of the states in which you operate.
We support consumer reporting legislation that will assure fair and equitable treatment for all consumers and users of credit information.
Relevant Sections of the FCRA
THE FAIR CREDIT REPORTING ACT (FCRA)
This version of the FCRA has been edited to include only the sections relevant to you as a user of consumer report information, and includes the amendments to the FCRA set forth in the Consumer Credit Reporting Reform Act of 1996 (Public Law 104-208, the Omnibus Consolidated Appropriations Act for Fiscal Year 1997, Title II, Subtitle D, Chapter 1), Section 311 of the Intelligence Authorization for Fiscal Year 1998 (Public Law 105-107), the Consumer Reporting Employment Clarification Act of 1998 (Public Law 105-347), Section 506 of the Gramm-Leach-Bliley Act (Public Law 106-102), Sections 358(g) and 505(c) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) (Public Law 107-56), and the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (Public Law 108-159). The provisions added to the FCRA by the FACT Act will become effective at different times. In some cases, the provision includes its own effective date. In other cases, the FACT Act provides that the effective dates be prescribed by the FTC and Federal Reserve Board. See 16 CFR Part 602. (69 Fed. Reg. 6526; February 11, 2004) (69 Fed. Reg. 29061; May 20, 2004).
In general. Subject to subsection (c), any consumer reporting agency may furnish a consumer report under the following circumstances and no other:
(1) In response to the order of a court having jurisdiction to issue such an order, or a subpoena issued in connection with proceedings before a Federal grand jury.
(2) In accordance with the written instructions of the consumer to whom it relates.
(3) To a person which it has reason to believe
(A) intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; or
(B) intends to use the information for employment purposes; or
(C) intends to use the information in connection with the underwriting of insurance involving the consumer; or
(D) intends to use the information in connection with a determination of the consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status; or
(E) intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or
(F) otherwise has a legitimate business need for the information
(i) in connection with a business transaction that is initiated by the consumer; or
(ii) to review an account to determine whether the consumer continues to meet the terms of the account.
(4) In response to a request by the head of a State or local child support enforcement agency (or a State or local government official authorized by the head of such an agency), if the person making the request certifies to the consumer reporting agency that
(A) the consumer report is needed for the purpose of establishing an individual’s capacity to make child support payments or determining the appropriate level of such payments;
(B) the paternity of the consumer for the child to which the obligation relates has been established or acknowledged by the consumer in accordance with State laws under which the obligation arises (if required by those laws);
(C) the person has provided at least 10 days’ prior notice to the consumer whose report is requested, by certified or registered mail to the last known address of the consumer, that the report will be requested; and
(D) the consumer report will be kept confidential, will be used solely for a purpose described in subparagraph (A), and will not be used in connection with any other civil, administrative, or criminal proceeding, or for any other purpose.
(5) To an agency administering a State plan under Section 454 of the Social Security Act (42 U.S.C. § 654) for use to set an initial or modified child support award.
(b) Conditions for Furnishing and Using Consumer Reports for Employment Purposes.
(1) Certification from user. A consumer reporting agency may furnish a consumer report for employment purposes only if
(A) the person who obtains such report from the agency certifies to the agency that
(i) the person has complied with paragraph (2) with respect to the consumer report, and the person will comply with paragraph (3) with respect to the consumer report if paragraph (3) becomes applicable; and
(ii) information from the consumer report will not be used in violation of any applicable Federal or State equal employment opportunity law or regulation; and
(B) the consumer reporting agency provides with the report, or has previously provided, a summary of the consumer's rights under this title, as prescribed by the Federal Trade Commission under section 609(c)(3) [§ 1681g].
(2) Disclosure to Consumer.
(A) In general. Except as provided in subparagraph (B), a person may not procure a consumer report, or cause a consumer report to be procured, for employment purposes with respect to any consumer, unless--
(i) a clear and conspicuous disclosure has been made in writing to the consumer at any time before the report is procured or caused to be procured, in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes; and
(ii) the consumer has authorized in writing (which authorization may be made on the document referred to in clause (i)) the procurement of the report by that person.
(B) Application by mail, telephone, computer, or other similar means. If a consumer described in subparagraph (C) applies for employment by mail, telephone, computer, or other similar means, at any time before a consumer report is procured or caused to be procured in connection with that application--
(i) the person who procures the consumer report on the consumer for employment purposes shall provide to the consumer, by oral, written, or electronic means, notice that a consumer report may be obtained for employment purposes, and a summary of the consumer's rights under section 615(a)(3); and
(ii) the consumer shall have consented, orally, in writing, or electronically to the procurement of the report by that person.
(C) Scope. Subparagraph (B) shall apply to a person procuring a consumer report on a consumer in connection with the consumer's application for employment only if--
(i) the consumer is applying for a position over which the Secretary of Transportation has the power to establish qualifications and maximum hours of service pursuant to the provisions of section 31502 of title 49, or a position subject to safety regulation by a State transportation agency; and
(ii) as of the time at which the person procures the report or causes the report to be procured the only interaction between the consumer and the person in connection with that employment application has been by mail, telephone, computer, or other similar means.
(3) Conditions on use for adverse actions.
(A) In general. Except as provided in subparagraph (B), in using a consumer report for employment purposes, before taking any adverse action based in whole or in part on the report, the person intending to take such adverse action shall provide to the consumer to whom the report relates--
(i) a copy of the report; and
(ii) a description in writing of the rights of the consumer under this title, as prescribed by the Federal Trade Commission under section 609(c)(3).
(B) Application by mail, telephone, computer, or other similar means.
(i) If a consumer described in subparagraph (C) applies for employment by mail, telephone, computer, or other similar means, and if a person who has procured a consumer report on the consumer for employment purposes takes adverse action on the employment application based in whole or in part on the report, then the person must provide to the consumer to whom the report relates, in lieu of the notices required under subparagraph (A) of this section and under section 615(a), within 3 business days of taking such action, an oral, written or electronic notification--
(I) that adverse action has been taken based in whole or in part on a consumer report received from a consumer reporting agency;
(II) of the name, address and telephone number of the consumer reporting agency that furnished the consumer report (including a toll-free telephone number established by the agency if the agency compiles and maintains files on consumers on a nationwide basis);
(III) that the consumer reporting agency did not make the decision to take the adverse action and is unable to provide to the consumer the specific reasons why the adverse action was taken; and
(IV) that the consumer may, upon providing proper identification, request a free copy of a report and may dispute with the consumer reporting agency the accuracy or completeness of any information in a report.
(ii) If, under clause (B)(i)(IV), the consumer requests a copy of a consumer report from the person who procured the report, then, within 3 business days of receiving the consumer's request, together with proper identification, the person must send or provide to the consumer a copy of a report and a copy of the consumer's rights as prescribed by the Federal Trade Commission under section 609(c)(3).
(C) Scope. Subparagraph (B) shall apply to a person procuring a consumer report on a consumer in connection with the consumer's application for employment only if--
(i) the consumer is applying for a position over which the Secretary of Transportation has the power to establish qualifications and maximum hours of service pursuant to the provisions of section 31502 of title 49, or a position subject to safety regulation by a State transportation agency; and
(ii) as of the time at which the person procures the report or causes the report to be procured the only interaction between the consumer and the person in connection with that employment application has been by mail, telephone, computer, or other similar means.
(4) Exception for national security investigations.
(A) In general. In the case of an agency or department of the United States Government which seeks to obtain and use a consumer report for employment purposes, paragraph (3) shall not apply to any adverse action by such agency or department which is based in part on such consumer report, if the head of such agency or department makes a written finding that–
(i) the consumer report is relevant to a national security investigation of such agency or department;
(ii) the investigation is within the jurisdiction of such agency or department;
(iii) there is reason to believe that compliance with paragraph (3) will--
(I) endanger the life or physical safety of any person;
(II) result in flight from prosecution;
(III) result in the destruction of, or tampering with, evidence relevant to the investigation;
(IV) result in the intimidation of a potential witness relevant to the investigation;
(V) result in the compromise of classified information; or
(VI) otherwise seriously jeopardize or unduly delay the investigation or another official proceeding.
(B) Notification of consumer upon conclusion of investigation. Upon the conclusion of a national security investigation described in subparagraph (A), or upon the determination that the exception under subparagraph (A) is no longer required for the reasons set forth in such subparagraph, the official exercising the authority in such subparagraph shall provide to the consumer who is the subject of the consumer report with regard to which such finding was made--
(i) a copy of such consumer report with any classified information redacted as necessary;
(ii) notice of any adverse action which is based, in part, on the consumer report; and
(iii) the identification with reasonable specificity of the nature of the investigation for which the consumer report was sought.
(C) Delegation by head of agency or department. For purposes of subparagraphs (A) and (B), the head of any agency or department of the United States Government may delegate his or her authorities under this paragraph to an official of such agency or department who has personnel security responsibilities and is a member of the Senior Executive Service or equivalent civilian or military rank.
(D) Report to the Congress. Not later than January 31 of each year, the head of each agency and department of the United States Government that exercised authority under this paragraph during the preceding year shall submit a report to the Congress on the number of times the department or agency exercised such authority during the year.
(E) Definitions. For purposes of this paragraph, the following definitions shall apply:
(i) The term “classified information” means information that is protected from unauthorized disclosure under Executive Order No. 12958 or successor orders.
(ii) The term “national security investigation” means any official inquiry by an agency or department of the United States Government to determine the eligibility of a consumer to receive access or continued access to classified information or to determine whether classified information has been lost or compromised.
(c) Furnishing reports in connection with credit or insurance transactions that are not initiated by the consumer.
(1) In general. A consumer reporting agency may furnish a consumer report relating to any consumer pursuant to subparagraph (A) or (C) of subsection (a)(3) in connection with any credit or insurance transaction that is not initiated by the consumer only if
(A) the consumer authorizes the agency to provide such report to such person; or
(B)(i) the transaction consists of a firm offer of credit or insurance;
(ii) the consumer reporting agency has complied with subsection (e); and
(iii) there is not in effect an election by the consumer, made in accordance with subsection (e), to have the consumer's name and address excluded from lists of names provided by the agency pursuant to this paragraph.
(2) Limits on information received under paragraph (1)(B). A person may receive pursuant to paragraph (1)(B) only
(A) the name and address of a consumer;
(B) an identifier that is not unique to the consumer and that is used by the person solely for the purpose of verifying the identity of the consumer; and
(C) other information pertaining to a consumer that does not identify the relationship or experience of the consumer with respect to a particular creditor or other entity.
(3) Information regarding inquiries. Except as provided in section 609(a)(5) [§1681g], a consumer reporting agency shall not furnish to any person a record of inquiries in connection with a credit or insurance transaction that is not initiated by a consumer.
(d) Reserved.
(e) Election of consumer to be excluded from lists.
(1) In general. A consumer may elect to have the consumer's name and address excluded from any list provided by a consumer reporting agency under subsection (c)(1)(B) in connection with a credit or insurance transaction that is not initiated by the consumer, by notifying the agency in accordance with paragraph (2) that the consumer does not consent to any use of a consumer report relating to the consumer in connection with any credit or insurance transaction that is not initiated by the consumer.
(2) Manner of notification. A consumer shall notify a consumer reporting agency under paragraph (1)
(A) through the notification system maintained by the agency under paragraph (5); or
(B) by submitting to the agency a signed notice of election form issued by the agency for purposes of this subparagraph.
(3) Response of agency after notification through system. Upon receipt of notification of the election of a consumer under paragraph (1) through the notification system maintained by the agency under paragraph (5), a consumer reporting agency shall
(A) inform the consumer that the election is effective only for the 5-year period following the election if the consumer does not submit to the agency a signed notice of election form issued by the agency for purposes of paragraph (2)(B); and
(B) provide to the consumer a notice of election form, if requested by the consumer, not later than 5 business days after receipt of the notification of the election through the system established under paragraph (5), in the case of a request made at the time the consumer provides notification through the system.
(4) Effectiveness of election. An election of a consumer under paragraph (1)
(A) shall be effective with respect to a consumer reporting agency beginning 5 business days after the date on which the consumer notifies the agency in accordance with paragraph (2);
(B) shall be effective with respect to a consumer reporting agency
(i) subject to subparagraph (C), during the 5-year period beginning 5 business days after the date on which the consumer notifies the agency of the election, in the case of an election for which a consumer notifies the agency only in accordance with paragraph (2)(A); or
(ii) until the consumer notifies the agency under subparagraph (C), in the case of an election for which a consumer notifies the agency in accordance with paragraph (2)(B);
(C) shall not be effective after the date on which the consumer notifies the agency, through the notification system established by the agency under paragraph (5), that the election is no longer effective; and
(D) shall be effective with respect to each affiliate of the agency.
(5) Notification System
(A) In general. Each consumer reporting agency that, under subsection (c)(1)(B), furnishes a consumer report in connection with a credit or insurance transaction that is not initiated by a consumer, shall
(i) establish and maintain a notification system, including a toll-free telephone number, which permits any consumer whose consumer report is maintained by the agency to notify the agency, with appropriate identification, of the consumer's election to have the consumer's name and address excluded from any such list of names and addresses provided by the agency for such a transaction; and
(ii) publish by not later than 365 days after the date of enactment of the Consumer Credit Reporting Reform Act of 1996, and not less than annually thereafter, in a publication of general circulation in the area served by the agency
(I)
a notification that information in consumer files maintained by the agency may be used in connection with such transactions; and
(II)
the address and toll-free telephone number for consumers to use to notify the agency of the consumer's election under clause (I).
(B)
Establishment and maintenance as compliance. Establishment and maintenance of a notification system (including a toll-free telephone number) and publication by a consumer reporting agency on the agency's own behalf and on behalf of any of its affiliates in accordance with this paragraph is deemed to be compliance with this paragraph by each of those affiliates.
(6)
Notification system by agencies that operate nationwide. Each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis shall establish and maintain a notification system for purposes of paragraph (5) jointly with other such consumer reporting agencies.
(f)
Certain use or obtaining of information prohibited. A person shall not use or obtain a consumer report for any purpose unless
(1)
the consumer report is obtained for a purpose for which the consumer report is authorized to be furnished under this section; and
(2)
the purpose is certified in accordance with section 607 [§ 1681e] by a prospective user of the report through a general or specific certification.
(g)
Protection of Medical Information
(1)
Limitation on consumer reporting agencies. A consumer reporting agency shall not furnish for employment purposes, or in connection with a credit or insurance transaction, a consumer report that contains medical information (other than medical contact information treated in the manner required under section 605(a)(6)) about a consumer, unless--
(A)
if furnished in connection with an insurance transaction, the consumer affirmatively consents to the furnishing of the report;
(B)
if furnished for employment purposes or in connection with a credit transaction--
(i)
the information to be furnished is relevant to process or effect the employment or credit transaction; and
(ii)
the consumer provides specific written consent for the furnishing of the report that describes in clear and conspicuous language the use for which the information will be furnished; or
(C)
the information to be furnished pertains solely to transactions, accounts, or balances relating to debts arising from the receipt of medical services, products, or devises, where such information, other than account status or amounts, is restricted or reported using codes that do not identify, or do not provide information sufficient to infer, the specific provider or the nature of such services, products, or devices, as provided in section 605(a)(6).
(2)
Limitation on creditors. Except as permitted pursuant to paragraph (3)(C) or regulations prescribed under paragraph (5)(A), a creditor shall not obtain or use medical information (other than medical contact information treated in the manner required under section 605(a)(6)) pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit.
(3)
Actions authorized by federal law, insurance activities and regulatory determinations. Section 603(d)(3) shall not be construed so as to treat information or any communication of information as a consumer report if the information or communication is disclosed--
(A)
in connection with the business of insurance or annuities, including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners (as in effect on January 1, 2003);
(B)
for any purpose permitted without authorization under the Standards for Individually Identifiable Health Information promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996, or referred to under section 1179 of such Act, or described in section 502(e) of Public Law 106-102; or
(C)
as otherwise determined to be necessary and appropriate, by regulation or order and subject to paragraph (6), by the Commission, any Federal banking agency or the National Credit Union Administration (with respect to any financial institution subject to the jurisdiction of such agency or Administration under paragraph (1), (2), or (3) of section 621(b), or the applicable State insurance authority (with respect to any person engaged in providing insurance or annuities).
(4)
Limitation on redisclosure of medical information. Any person that receives medical information pursuant to paragraph (1) or (3) shall not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.
(5)
Regulations and Effective Date for Paragraph (2)
(A)
Regulations required. Each Federal banking agency and the National Credit Union Administration shall, subject to paragraph (6) and after notice and opportunity for comment, prescribe regulations that permit transactions under paragraph (2) that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (and which shall include permitting actions necessary for administrative verification purposes), consistent with the intent of paragraph (2) to restrict the use of medical information for inappropriate purposes.
(B)
Final regulations required. The Federal banking agencies and the National Credit Union Administration shall issue the regulations required under subparagraph (A) in final form before the end of the 6-month period beginning on the date of enactment of the Fair and Accurate Credit Transactions Act of 2003.
(6)
Coordination with other laws. No provision of this subsection shall be construed as altering, affecting, or superseding the applicability of any other provision of Federal law relating to medical confidentiality.
Identity and purposes of credit users. Every consumer reporting agency shall maintain reasonable procedures designed to avoid violations of section 605 [§ 1681c] and to limit the furnishing of consumer reports to the purposes listed under section 604 [§ 1681b] of this title. These procedures shall require that prospective users of the information identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. Every consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report. No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 604 [§ 1681b] of this title.
(b)
Accuracy of report. Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.
(c)
Disclosure of consumer reports by users allowed. A consumer reporting agency may not prohibit a user of a consumer report furnished by the agency on a consumer from disclosing the contents of the report to the consumer, if adverse action against the consumer has been taken by the user based in whole or in part on the report.
(d)
Notice to Users and Furnishers of Information
(1)
Notice requirement. A consumer reporting agency shall provide to any person
(A)
who regularly and in the ordinary course of business furnishes information to the agency with respect to any consumer; or
(B)
to whom a consumer report is provided by the agency;
a notice of such person's responsibilities under this title.
(2)
Content of notice. The Federal Trade Commission shall prescribe the content of notices under paragraph (1), and a consumer reporting agency shall be in compliance with this subsection if it provides a notice under paragraph (1) that is substantially similar to the Federal Trade Commission prescription under this paragraph.
(e)
Procurement of Consumer Report for Resale
(1)
Disclosure. A person may not procure a consumer report for purposes of reselling the report (or any information in the report) unless the person discloses to the consumer reporting agency that originally furnishes the report
(A)
the identity of the end-user of the report (or information); and
(B)
each permissible purpose under section 604 [§ 1681b] for which the report is furnished to the end-user of the report (or information).
(2)
Responsibilities of procurers for resale. A person who procures a consumer report for purposes of reselling the report (or any information in the report) shall
(A)
establish and comply with reasonable procedures designed to ensure that the report (or information) is resold by the person only for a purpose for which the report may be furnished under section 604 [§ 1681b], including by requiring that each person to which the report (or information) is resold and that resells or provides the report (or information) to any other person
(i)
identifies each end user of the resold report (or information);
(ii)
certifies each purpose for which the report (or information) will be used; and
(iii)
certifies that the report (or information) will be used for no other purpose; and
(B)
before reselling the report, make reasonable efforts to verify the identifications and certifications made under subparagraph (A).
(3)
Resale of consumer report to a federal agency or department. Notwithstanding paragraph (1) or (2), a person who procures a consumer report for purposes of reselling the report (or any information in the report) shall not disclose the identity of the end-user of the report under paragraph (1) or (2) if--
(A)
the end user is an agency or department of the United States Government which procures the report from the person for purposes of determining the eligibility of the consumer concerned to receive access or continued access to classified information (as defined in section 604(b)(4)(E)(i)); and
(B)
the agency or department certifies in writing to the person reselling the report that nondisclosure is necessary to protect classified information or the safety of persons employed by or contracting with, or undergoing investigation for work or contracting with the agency or department.
In general. Any person who willfully fails to comply with any requirement imposed under this title with respect to any consumer is liable to that consumer in an amount equal to the sum of
(1)
(A)
any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000; or
(B)
in the case of liability of a natural person for obtaining a consumer report under false pretenses or knowingly without a permissible purpose, actual damages sustained by the consumer as a result of the failure or $1,000, whichever is greater;
(2)
such amount of punitive damages as the court may allow; and
(3)
in the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorney's fees as determined by the court.
(b)
Civil liability for knowing noncompliance. Any person who obtains a consumer report from a consumer reporting agency under false pretenses or knowingly without a permissible purpose shall be liable to the consumer reporting agency for actual damages sustained by the consumer reporting agency or $1,000, whichever is greater.
(c)
Attorney's fees. Upon a finding by the court that an unsuccessful pleading, motion, or other paper filed in connection with an action under this section was filed in bad faith or for purposes of harassment, the court shall award to the prevailing party attorney's fees reasonable in relation to the work expended in responding to the pleading, motion, or other paper.
In general. Any person who is negligent in failing to comply with any requirement imposed under this title with respect to any consumer is liable to that consumer in an amount equal to the sum of
(1)
any actual damages sustained by the consumer as a result of the failure; and
(2)
in the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorney's fees as determined by the court.
(b)
Attorney's fees. On a finding by the court that an unsuccessful pleading, motion, or other paper filed in connection with an action under this section was filed in bad faith or for purposes of harassment, the court shall award to the prevailing party attorney's fees reasonable in relation to the work expended in responding to the pleading, motion, or other paper.
§ 619. Obtaining information under false pretenses [15 U.S.C. § 1681q]
Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under title 18, United States Code, imprisoned for not more than 2 years, or both.
Enforcement by Federal Trade Commission. Compliance with the requirements imposed under this title shall be enforced under the Federal Trade Commission Act [15 U.S.C. §§ 41 et seq.] by the Federal Trade Commission with respect to consumer reporting agencies and all other persons subject thereto, except to the extent that enforcement of the requirements imposed under this title is specifically committed to some other government agency under subsection (b) hereof. For the purpose of the exercise by the Federal Trade Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this title shall constitute an unfair or deceptive act or practice in commerce in violation of section 5(a) of the Federal Trade Commission Act [15 U.S.C. § 45(a)] and shall be subject to enforcement by the Federal Trade Commission under section 5(b) thereof [15 U.S.C. § 45(b)] with respect to any consumer reporting agency or person subject to enforcement by the Federal Trade Commission pursuant to this subsection, irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests in the Federal Trade Commission Act. The Federal Trade Commission shall have such procedural, investigative, and enforcement powers, including the power to issue procedural rules in enforcing compliance with the requirements imposed under this title and to require the filing of reports, the production of documents, and the appearance of witnesses as though the applicable terms and conditions of the Federal Trade Commission Act were part of this title. Any person violating any of the provisions of this title shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act as though the applicable terms and provisions thereof were part of this title.
(2)
(A)
In the event of a knowing violation, which constitutes a pattern or practice of violations of this title, the Commission may commence a civil action to recover a civil penalty in a district court of the United States against any person that violates this title. In such action, such person shall be liable for a civil penalty of not more than $2,500 per violation.
(B)
In determining the amount of a civil penalty under subparagraph (A), the court shall take into account the degree of culpability, any history of prior such conduct, ability to pay, effect on ability to continue to do business, and such other matters as justice may require.
(3)
Notwithstanding paragraph (2), a court may not impose any civil penalty on a person for a violation of section 623(a)(1) [§ 1681s-2] unless the person has been enjoined from committing the violation, or ordered not to commit the violation, in an action or proceeding brought by or on behalf of the Federal Trade Commission, and has violated the injunction or order, and the court may not impose any civil penalty for any violation occurring before the date of the violation of the injunction or order.
(b)
Enforcement by other agencies. Compliance with the requirements imposed under this title with respect to consumer reporting agencies, persons who use consumer reports from such agencies, persons who furnish information to such agencies, and users of information that are subject to subsection (d) of section 615 [§ 1681m] shall be enforced under
(1)
section 8 of the Federal Deposit Insurance Act [12 U.S.C. § 1818], in the case of
(A)
national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(B)
member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act [12 U.S.C. §§ 601 et seq., §§ 611 et seq.], by the Board of Governors of the Federal Reserve System; and
(C)
banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;
(2)
section 8 of the Federal Deposit Insurance Act [12 U.S.C. § 1818], by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;
(3)
the Federal Credit Union Act [12 U.S.C. §§ 1751 et seq.], by the Administrator of the National Credit Union Administration [National Credit Union Administration Board] with respect to any Federal credit union;
(4)
subtitle IV of title 49 [49 U.S.C. §§ 10101 et seq.], by the Secretary of Transportation, with respect to all carriers subject to the jurisdiction of the Surface Transportation Board;
(5)
the Federal Aviation Act of 1958 [49 U.S.C. Appx §§ 1301 et seq.], by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that Act [49 U.S.C. Appx §§ 1301 et seq.]; and
(6)
the Packers and Stockyards Act, 1921 [7 U.S.C. §§ 181 et seq.] (except as provided in section 406 of that Act [7 U.S.C. §§ 226 and 227]), by the Secretary of Agriculture with respect to any activities subject to that Act.
The terms used in paragraph that are not defined in this title or otherwise defined in section 3(s) of the Federal Deposit Insurance Act (12 U.S.C. § 1813(s)) shall have the meaning given to them in section 1(b) of the International Banking Act of 1978 (12 U.S.C. § 3101).
(c)
State Action for Violations
(1)
Authority of states. In addition to such other remedies as are provided under State law, if the chief law enforcement officer of a State, or an official or agency designated by a State, has reason to believe that any person has violated or is violating this title, the State
(A)
may bring an action to enjoin such violation in any appropriate United States district court or in any other court of competent jurisdiction;
(B)
subject to paragraph (5), may bring an action on behalf of the residents of the State to recover
(i)
damages for which the person is liable to such residents under sections 616 and 617 [§§ 1681n and 1681o] as a result of the violation;
(ii)
in the case of a violation described in any of paragraphs (1) through (3) of section 623(c), damages for which the person would, but for section 623(c) [§ 1681s-2], be liable to such residents as a result of the violation; or
(iii)
damages of not more than $1,000 for each willful or negligent violation; and
(C)
in the case of any successful action under subparagraph (A) or (B), shall be awarded the costs of the action and reasonable attorney fees as determined by the court.
(2)
Rights of federal regulators. The State shall serve prior written notice of any action under paragraph (1) upon the Federal Trade Commission or the appropriate Federal regulator determined under subsection (b) and provide the Commission or appropriate Federal regulator with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Federal Trade Commission or appropriate Federal regulator shall have the right
(A)
to intervene in the action;
(B)
upon so intervening, to be heard on all matters arising therein;
(C)
to remove the action to the appropriate United States district court; and
(D)
to file petitions for appeal.
(3)
Investigatory powers. For purposes of bringing any action under this subsection, nothing in this subsection shall prevent the chief law enforcement officer, or an official or agency designated by a State, from exercising the powers conferred on the chief law enforcement officer or such official by the laws of such State to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence.
(4)
Limitation on state action while federal action pending. If the Federal Trade Commission or the appropriate Federal regulator has instituted a civil action or an administrative action under section 8 of the Federal Deposit Insurance Act for a violation of this title, no State may, during the pendency of such action, bring an action under this section against any defendant named in the complaint of the Commission or the appropriate Federal regulator for any violation of this title that is alleged in that complaint.
(5)
Limitations on State Actions for Certain Violations
(A)
Violation of injunction required. A State may not bring an action against a person under paragraph (1)(B) for a violation described in any of paragraphs (1) through (3) of section 623(c), unless
(i)
the person has been enjoined from committing the violation, in an action brought by the State under paragraph (1)(A); and
(ii)
the person has violated the injunction.
(B)
Limitation on damages recoverable. In an action against a person under paragraph (1)(B) for a violation described in any of paragraphs (1) through (3) of section 623(c), a State may not recover any damages incurred before the date of the violation of an injunction on which the action is based.
(d)
Enforcement under other authority. For the purpose of the exercise by any agency referred to in subsection (b) of this section of its powers under any Act referred to in that subsection, a violation of any requirement imposed under this title shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b) of this section, each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this title any other authority conferred on it by law.
(e)
Regulatory authority
(1)
The Federal banking agencies referred to in paragraphs (1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraphs (1) and (2) of subsection (b), and the Board of Governors of the Federal Reserve System shall have authority to prescribe regulations consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.
(2)
The Board of the National Credit Union Administration shall prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraph (3) of subsection (b).
(f)
Coordination of Consumer Complaint Investigations
(1)
In general. Each consumer reporting agency described in section 603(p) shall develop and maintain procedures for the referral to each other such agency of any consumer complaint received by the agency alleging identity theft, or requesting a fraud alert under section 605A or a block under section 605B.
(2)
Model form and procedure for reporting identity theft. The Commission, in consultation with the Federal banking agencies and the National Credit Union Administration, shall develop a model form and model procedures to be used by consumers who are victims of identity theft for contacting and informing creditors and consumer reporting agencies of the fraud.
(3)
Annual summary reports. Each consumer reporting agency described in section 603(p) shall submit an annual summary report to the Commission on consumer complaints received by the agency on identity theft or fraud alerts.
(g)
FTC regulation of coding of trade names. If the Commission determines that a person described in paragraph (9) of section 623(a) has not met the requirements of such paragraph, the Commission shall take action to ensure the person's compliance with such paragraph, which may include issuing model guidance or prescribing reasonable policies and procedures, as necessary to ensure that such person complies with such paragraph.
§ 623. Responsibilities of furnishers of information to consumer reporting agencies [15 U.S.C. § 1681s-2]
(a)
Duty of Furnishers of Information to Provide Accurate Information
(1)
Prohibition
(A)
Reporting information with actual knowledge of errors. A person shall not furnish any information relating to a consumer to any consumer reporting agency if the person knows or has reasonable cause to believe that the information is inaccurate.
(B)
Reporting information after notice and confirmation of errors. A person shall not furnish information relating to a consumer to any consumer reporting agency if
(i)
the person has been notified by the consumer, at the address specified by the person for such notices, that specific information is inaccurate; and
(ii)
the information is, in fact, inaccurate.
(C)
No address requirement. A person who clearly and conspicuously specifies to the consumer an address for notices referred to in subparagraph (B) shall not be subject to subparagraph (A); however, nothing in subparagraph (B) shall require a person to specify such an address.
(D)
Definition. For purposes of subparagraph (A), the term “reasonable cause to believe that the information is inaccurate” means having specific knowledge, other than solely allegations by the consumer, that would cause a reasonable person to have substantial doubts about the accuracy of the information.
(2)
Duty to correct and update information. A person who
(A)
regularly and in the ordinary course of business furnishes information to one or more consumer reporting agencies about the person's transactions or experiences with any consumer; and
(B)
has furnished to a consumer reporting agency information that the person determines is not complete or accurate, shall promptly notify the consumer reporting agency of that determination and provide to the agency any corrections to that information, or any additional information, that is necessary to make the information provided by the person to the agency complete and accurate, and shall not thereafter furnish to the agency any of the information that remains not complete or accurate.
(3)
Duty to provide notice of dispute. If the completeness or accuracy of any information furnished by any person to any consumer reporting agency is disputed to such person by a consumer, the person may not furnish the information to any consumer reporting agency without notice that such information is disputed by the consumer.
(4)
Duty to provide notice of closed accounts. A person who regularly and in the ordinary course of business furnishes information to a consumer reporting agency regarding a consumer who has a credit account with that person shall notify the agency of the voluntary closure of the account by the consumer, in information regularly furnished for the period in which the account is closed.
(5)
Duty to Provide Notice of Delinquency of Accounts
(A)
In general. A person who furnishes information to a consumer reporting agency regarding a delinquent account being placed for collection, charged to profit or loss, or subjected to any similar action shall, not later than 90 days after furnishing the information, notify the agency of the date of delinquency on the account, which shall be the month and year of the commencement of the delinquency on the account that immediately preceded the action.
(B)
Rule of construction. For purposes of this paragraph only, and provided that the consumer does not dispute the information, a person that furnishes information on a delinquent account that is placed for collection, charged for profit or loss, or subjected to any similar action, complies with this paragraph, if--
(i)
the person reports the same date of delinquency as that provided by the creditor to which the account was owed at the time at which the commencement of the delinquency occurred, if the creditor previously reported that date of delinquency to a consumer reporting agency;
(ii)
the creditor did not previously report the date of delinquency to a consumer reporting agency, and the person establishes and follows reasonable procedures to obtain the date of delinquency from the creditor or another reliable source and reports that date to a consumer reporting agency as the date of delinquency; or
(iii)
the creditor did not previously report the date of delinquency to a consumer reporting agency and the date of delinquency cannot be reasonably obtained as provided in clause (ii), the person establishes and follows reasonable procedures to ensure the date reported as the date of delinquency precedes the date on which the account is placed for collection, charged to profit or loss, or subjected to any similar action, and reports such date to the credit reporting agency.
(6)
Duties of Furnishers Upon Notice of Identity Theft-Related Information
(A)
Reasonable procedures. A person that furnishes information to any consumer reporting agency shall have in place reasonable procedures to respond to any notification that it receives from a consumer reporting agency under section 605B relating to information resulting from identity theft, to prevent that person from refurnishing such blocked information.
(B)
Information alleged to result from identity theft. If a consumer submits an identity theft report to a person who furnishes information to a consumer reporting agency at the address specified by that person for receiving such reports stating that information maintained by such person that purports to relate to the consumer resulted from identity theft, the person may not furnish such information that purports to relate to the consumer to any consumer reporting agency, unless the person subsequently knows or is informed by the consumer that the information is correct.
(7)
Negative Information
(A)
Notice to Consumer Required
(i)
In general. If any financial institution that extends credit and regularly and in the ordinary course of business furnishes information to a consumer reporting agency described in section 603(p) furnishes negative information to such an agency regarding credit extended to a customer, the financial institution shall provide a notice of such furnishing of negative information, in writing, to the customer.
(ii)
Notice effective for subsequent submissions. After providing such notice, the financial institution may submit additional negative information to a consumer reporting agency described in section 603(p) with respect to the same transaction, extension of credit, account, or customer without providing additional notice to the customer.
(B)
Time of Notice
(i)
In general. The notice required under subparagraph (A) shall be provided to the customer prior to, or no later than 30 days after, furnishing the negative information to a consumer reporting agency described in section 603(p).
(ii)
Coordination with new account disclosures. If the notice is provided to the customer prior to furnishing the negative information to a consumer reporting agency, the notice may not be included in the initial disclosures provided under section 127(a) of the Truth in Lending Act.
(C)
Coordination with other disclosures. The notice required under subparagraph (A)--
(i)
may be included on or with any notice of default, any billing statement, or any other materials provided to the customer; and
(ii)
must be clear and conspicuous.
(D)
Model Disclosure
(i)
Duty of board to prepare. The Board shall prescribe a brief model disclosure a financial institution may use to comply with subparagraph (A), which shall not exceed 30 words.
(ii)
Use of model not required. No provision of this paragraph shall be construed as requiring a financial institution to use any such model form prescribed by the Board.
(iii)
Compliance using model. A financial institution shall be deemed to be in compliance with subparagraph (A) if the financial institution uses any such model form prescribed by the Board, or the financial institution uses any such model form and rearranges its format.
(E)
Use of notice without submitting negative information. No provision of this paragraph shall be construed as requiring a financial institution that has provided a customer with a notice described in subparagraph (A) to furnish negative information about the customer to a consumer reporting agency.
(F)
Safe harbor. A financial institution shall not be liable for failure to perform the duties required by this paragraph if, at the time of the failure, the financial institution maintained reasonable policies and procedures to comply with this paragraph or the financial institution reasonably believed that the institution is prohibited, by law, from contacting the consumer.
(G)
Definitions. For purposes of this paragraph, the following definitions shall apply:
(i)
The term “negative information” means information concerning a customer's delinquencies, late payments, insolvency, or any form of default.
(ii)
The terms “customer” and “financial institution” have the same meanings as in section 509 Public Law 106-102.
(8)
Ability of Consumer to Dispute Information Directly with Furnisher
(A)
In general. The Federal banking agencies, the National Credit Union Administration, and the Commission shall jointly prescribe regulations that shall identify the circumstances under which a furnisher shall be required to reinvestigate a dispute concerning the accuracy of information contained in a consumer report on the consumer, based on a direct request of a consumer.
(B)
Considerations. In prescribing regulations under subparagraph (A), the agencies shall weigh--
(i)
the benefits to consumers with the costs on furnishers and the credit reporting system;
(ii)
the impact on the overall accuracy and integrity of consumer reports of any such requirements;
(iii)
whether direct contact by the consumer with the furnisher would likely result in the most expeditious resolution of any such dispute; and
(iv)
the potential impact on the credit reporting process if credit repair organizations, as defined in section 403(3) [15 U.S.C. §1679a(3)], including entities that would be a credit repair organization, but for section 403(3)(B)(i), are able to circumvent the prohibition in subparagraph (G).
(C)
Applicability. Subparagraphs (D) through (G) shall apply in any circumstance identified under the regulations promulgated under subparagraph (A).
(D)
Submitting a notice of dispute. A consumer who seeks to dispute the accuracy of information shall provide a dispute notice directly to such person at the address specified by the person for such notices that--
(i)
identifies the specific information that is being disputed;
(ii)
explains the basis for the dispute; and
(iii)
includes all supporting documentation required by the furnisher to substantiate the basis of the dispute.
(E)
Duty of person after receiving notice of dispute. After receiving a notice of dispute from a consumer pursuant to subparagraph (D), the person that provided the information in dispute to a consumer reporting agency shall--
(i)
conduct an investigation with respect to the disputed information;
(ii)
review all relevant information provided by the consumer with the notice;
(iii)
complete such person's investigation of the dispute and report the results of the investigation to the consumer before the expiration of the period under section 611(a)(1) within which a consumer reporting agency would be required to complete its action if the consumer had elected to dispute the information under that section; and
(iv)
if the investigation finds that the information reported was inaccurate, promptly notify each consumer reporting agency to which the person furnished the inaccurate information of that determination and provide to the agency any correction to that information that is necessary to make the information provided by the person accurate.
(F)
Frivolous or Irrelevant Dispute
(i)
In general. This paragraph shall not apply if the person receiving a notice of a dispute from a consumer reasonably determines that the dispute is frivolous or irrelevant, including--
(I)
by reason of the failure of a consumer to provide sufficient information to investigate the disputed information; or
(II)
the submission by a consumer of a dispute that is substantially the same as a dispute previously submitted by or for the consumer, either directly to the person or through a consumer reporting agency under subsection (b), with respect to which the person has already performed the person's duties under this paragraph or subsection (b), as applicable.
(ii)
Notice of determination. Upon making any determination under clause (i) that a dispute is frivolous or irrelevant, the person shall notify the consumer of such determination not later than 5 business days after making such determination, by mail or, if authorized by the consumer for that purpose, by any other means available to the person.
(iii)
Contents of notice. A notice under clause (ii) shall include--
(I)
the reasons for the determination under clause (i); and
(II)
identification of any information required to investigate the disputed information, which may consist of a standardized form describing the general nature of such information.
(G)
Exclusion of credit repair organizations. This paragraph shall not apply if the notice of the dispute is submitted by, is prepared on behalf of the consumer by, or is submitted on a form supplied to the consumer by, a credit repair organization, as defined in section 403(3), or an entity that would be a credit repair organization, but for section 403(3)(B)(i).
(9)
Duty to provide notice of status as medical information furnisher. A person whose primary business is providing medical services, products, or devices, or the person's agent or assignee, who furnishes information to a consumer reporting agency on a consumer shall be considered a medical information furnisher for purposes of this title, and shall notify the agency of such status.
(b)
Duties of Furnishers of Information upon Notice of Dispute
(1)
In general. After receiving notice pursuant to section 611(a)(2) [§ 1681i] of a dispute with regard to the completeness or accuracy of any information provided by a person to a consumer reporting agency, the person shall--
(A)
conduct an investigation with respect to the disputed information;
(B)
review all relevant information provided by the consumer reporting agency pursuant to section 611(a)(2) [§ 1681i];
(C)
report the results of the investigation to the consumer reporting agency;
(D)
if the investigation finds that the information is incomplete or inaccurate, report those results to all other consumer reporting agencies to which the person furnished the information and that compile and maintain files on consumers on a nationwide basis; and
(E)
if an item of information disputed by a consumer is found to be inaccurate or incomplete or cannot be verified after any reinvestigation under paragraph (1), for purposes of reporting to a consumer reporting agency only, as appropriate, based on the results of the reinvestigation promptly–
(i)
modify that item of information;
(ii)
delete that item of information; or
(iii)
permanently block the reporting of that item of information.
(2)
Deadline. A person shall complete all investigations, reviews, and reports required under paragraph (1) regarding information provided by the person to a consumer reporting agency, before the expiration of the period under section 611(a)(1) [§ 1681i] within which the consumer reporting agency is required to complete actions required by that section regarding that information.
(c)
Limitation on liability. Except as provided in section 621(c)(1)(B), sections 616 and 617 do not apply to any violation of--
(1)
subsection (a) of this section, including any regulations issued thereunder;
(2)
subsection (e) of this section, except that nothing in this paragraph shall limit, expand, or otherwise affect liability under section 616 or 617, as applicable, for violations of subsection (b) of this section; or
(3)
subsection (e) of section 615.
(d)
Limitation on enforcement. The provisions of law described in paragraphs (1) through (3) of subsection (c) (other than with respect to the exception described in paragraph (2) of subsection (c)) shall be enforced exclusively as provided under section 621 by the Federal agencies and officials and the State officials identified in section 621.
(e)
Accuracy Guidelines and Regulations Required
(1)
Guidelines. The Federal banking agencies, the National Credit Union Administration, and the Commission shall, with respect to the entities that are subject to their respective enforcement authority under section 621, and in coordination as described in paragraph (2)--
(A)
establish and maintain guidelines for use by each person that furnishes information to a consumer reporting agency regarding the accuracy and integrity of the information relating to consumers that such entities furnish to consumer reporting agencies, and update such guidelines as often as necessary; and
(B)
prescribe regulations requiring each person that furnishes information to a consumer reporting agency to establish reasonable policies and procedures for implementing the guidelines established pursuant to subparagraph (A).
(2)
Coordination. Each agency required to prescribe regulations under paragraph (1) shall consult and coordinate with each other such agency so that, to the extent possible, the regulations prescribed by each such entity are consistent and comparable with the regulations prescribed by each other such agency.
(3)
Criteria. In developing the guidelines required by paragraph (1)(A), the agencies described in paragraph (1) shall--
(A)
identify patterns, practices, and specific forms of activity that can compromise the accuracy and integrity of information furnished to consumer reporting agencies;
(B)
review the methods (including technological means) used to furnish information relating to consumers to consumer reporting agencies;
(C)
determine whether persons that furnish information to consumer reporting agencies maintain and enforce policies to assure the accuracy and integrity of information furnished to consumer reporting agencies; and
(D)
examine the policies and processes that persons that furnish information to consumer reporting agencies employ to conduct reinvestigations and correct inaccurate information relating to consumers that has been furnished to consumer reporting agencies.
In general. Not later than 1 year after the date of enactment of this section, the Federal banking agencies, the National Credit Union Administration, and the Commission with respect to the entities that are subject to their respective enforcement authority under section 621, and the Securities and Exchange Commission, and in coordination as described in paragraph (2), shall issue final regulations requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.
(2)
Coordination. Each agency required to prescribe regulations under paragraph (1) shall–
(A)
consult and coordinate with each other such agency so that, to the extent possible, the regulations prescribed by each such agency are consistent and comparable with the regulations by each such other agency; and
(B)
ensure that such regulations are consistent with the requirements and regulations issued pursuant to Public Law 106-102 and other provisions of Federal law.
(3)
Exemption authority. In issuing regulations under this section, the Federal banking agencies, the National Credit Union Administration, the Commission, and the Securities and Exchange Commission may exempt any person or class of persons from application of those regulations, as such agency deems appropriate to carry out the purpose of this section.
(b)
Rule of construction. Nothing in this section shall be construed--
(1)
to require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or
(2)
to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.
NOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA
The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Consumer Financial Protection Bureau's Website at www.consumerfinance.gov/learnmore. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the Bureau's Web site. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA.
I.
OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS
A.
Users Must Have a Permissible Purpose
Congress has limited the use of consumer reports to protect consumers' privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:
As ordered by a court or a federal grand jury subpoena. Section 604(a)(1)
As instructed by the consumer in writing. Section 604(a)(2)
For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer's account. Section 604(a)(3)(A)
For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Sections 604(a)(3)(B) and 604(b)
For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)
To review a consumer's account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)
To determine a consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status. Section 604(a)(3)(D)
For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)
For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5)
In addition, creditors and insurers may obtain certain consumer report information for the purpose of making "prescreened" unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of "prescreened" information are described in Section VII below.
B.
Users Must Provide Certifications
Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.
C.
Users Must Notify Consumers When Adverse Actions Are Taken
The term "adverse action" is defined very broadly by Section 603(k) of the FCRA and includes actions such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
1. Adverse Actions Based on Information Obtained From a CRA
If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer (A consumer is defined in the FCRA as the employee, volunteer, or applicant on whom a background investigation is run). The notification may be done in writing, orally, or by electronic means. It must include the following:
The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report.
A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made.
A statement setting forth the consumer's right to obtain a free disclosure of the consumer's file from the CRA if the consumer makes a request within 60 days.
A statement setting forth the consumer's right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.
(*As your service provider we will provide the Adverse Action documentation in our system within the report page for each applicant, and forms are individualized to address each applicant specifically.)
2. Adverse Actions Based on Information Obtained From Affiliates
If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.
D.
Users Have Obligations When Disposing of Records
Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. The Consumer Financial Protection Bureau, the Securities and Exchange Commission, and the banking and credit union regulators have issued regulations covering disposal. The Consumer Financial Protection Bureau's regulations may be found at www.consumerfinance.gov/learnmore.
II.
OBLIGATIONS OF USERS WHEN CONSUMER REPORTS ARE OBTAINED FOR EMPLOYMENT PURPOSES
A.
Employment Other Than in the Trucking Industry
If information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:
Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained. *The Authorization and Release form provided by us to you will fulfill this obligation.
Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment. *The Authorization and Release form provided by us to you fulfills this obligation.
Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer's rights will be provided to the consumer.
Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of the consumer's rights. (The user should receive this summary from the CRA.) A Section 615(a) adverse action notice should be sent after the adverse action is taken. (*The Pre-Adverse Action – Full Disclosure document found on the report page for each applicant is automatically formatted to said applicant, and can be used to fulfill this obligation.)
An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2). *The procedures for investigative consumer reports and employee misconduct investigations are set forth below.
B.
Employment in the Trucking Industry
Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.
III.
OBLIGATIONS WHEN INVESTIGATIVE CONSUMER REPORTS ARE USED
Investigative consumer reports are a special type of consumer report in which information about a consumer's character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. (*Employment Verifications where more than basic factual employment information is obtained by phone calls or faxed request.) Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:
The user must disclose to the consumer that an investigative consumer report may be obtained. This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)
The user must certify to the CRA that the disclosures set forth above have been made and that the user will make the disclosure described below.
Upon the written request of a consumer (applicant/employee/volunteer) made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the investigation. This must be made in a written statement that is mailed, or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.
IV.
SPECIAL PROCEDURES FOR EMPLOYEE INVESTIGATIONS
Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.
V.
OBLIGATIONS OF USERS OF MEDICAL INFORMATION
Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in regulations issued by the banking and credit union regulators) – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation, or order).
VI.
LIABILITY FOR VIOLATIONS OF THE FCRA
Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619.