Keep track of ID theft

At Bankrate we strive to help you make smarter financial decisions. While we adhere to strict , this post may contain references to products from our partners. Here’s an explanation for

Under the Fair Credit Reporting Act, Section 609(e), victims of identity theft have a lawful right to get the documents from businesses that dealt with the thief.

The FTC recommends that victims contact the businesses at which accounts were opened fraudulently by phone first. Get the address to which the letter requesting documents will be posted.

Also ask what kind of identification they will require to release those documents to you.

Include a police report or ID theft report with your letter, and the police contact who should also receive copies of paperwork.

Make a copy of everything you’re sending for your file and send by certified mail with a return receipt requested.

Use this form from the California Office of Information Security and Privacy Protection to request information about fraudulent transactions and accounts.



Made pursuant to ? 609(e) of the Fair Credit Reporting Act (15 U.S.C. ? 1681g)

To:   Fax:  
Account No:   Reference No:  

I am a victim of identity theft. I am formally disputing a transaction or an account that I have learned has been made, opened or applied for with you. I did not make this transaction or open or apply for this account and have not authorized anyone else to do so for me. You may consider this transaction or account to be fraudulent. Below is my identifying information. I have filed a report of identity theft with my local police department and a copy is attached. Under federal law, creditors and other business entities must provide a copy of application and business transaction records relating to fraudulent transactions or accounts opened or applied for using an identity theft victim’s identity.

A copy of the relevant federal law is enclosed. The victim is generally permitted to authorize your release of the account information to a specified law enforcement officer. I am designating the investigator listed below as additional recipient of all account information and documents. I authorize the release of all account documents and information to the law enforcement officer designated. I am requesting that you provide copies of the following records related to the disputed transaction or account:

Application records or screen prints of Internet/phone applications


Payment/charge slips

Investigator’s Summary

Delivery addresses

Any other documents associated with the account

All records of phone numbers used to activate the account or used to access the account

Name:   SS #:  
Phone:   Fax:  
Employer:   Phone:  
Designated Police Department: Report No.:  
Designated Investigator:
Signed:   Date:  
View worksheet archive
next >>  

Federal Law: Fair Credit Reporting Act, 15 U.S. Code § 609e

(e) Information Available to Victims

(1) In
general. For the purpose of documenting fraudulent transactions resulting from identity theft, not later than 30 days after the date of receipt of a request from a victim in accordance with paragraph (3), and subject to verification of the identity of the victim and the claim of identity theft in accordance with paragraph (2), a business entity that has provided credit to, provided for consideration products, goods, or services to, accepted payment from, or otherwise entered into a commercial transaction for consideration with, a person who has allegedly made unauthorized use of the means of identification of the victim, shall provide a copy of application and business transaction records in the control of the business entity, whether maintained by the business entity or by another person on behalf of the business entity, evidencing any transaction alleged to be a result of identity theft to –

(A) the victim;

(B) any Federal, State, or local government law enforcement agency or officer specified by the victim in such a request; or

(C) any law enforcement agency investigating the identity theft and authorized by the victim to take receipt of records provided under this subsection.

Verification of identity and claim. Before a business entity provides any information under paragraph (1), unless the business entity, at its discretion, otherwise has a high degree of confidence that it knows the identity of the victim making a request under paragraph (1), the victim shall provide to the business entity –

(A) as proof of positive identification of the victim, at the election of the business entity-

(i) the presentation of a government-issued identification card;

(ii) personally identifying information of the same type as was provided to the business entity by the unauthorized person; or

(iii) personally identifying information that the business entity typically requests from new applicants or for new transactions, at the time of the victim’s request for information, including any documentation described in clauses (i) and (ii); and

(B) as proof of a claim of identity theft, at the election of the business entity–

(i) a copy of a police report evidencing the claim of the victim of identity theft; and

(ii) a properly completed–

(I) copy of a standardized affidavit of identity theft developed and made available by the Commission; or

(II) an affidavit of fact that is acceptable to the business entity for that purpose.

Procedures. The request of a victim under paragraph (1) shall –

(A) be in writing;

(B) be mailed to an address specified by the business entity, if any; and

(C) if asked by the business entity, include relevant information about any transaction alleged to be a result of identity theft to facilitate compliance with this section including –

(i) if known by the victim (or if readily obtainable by the victim), the date of the application or transaction; and

(ii) if known by the victim (or if readily obtainable by the victim), any other identifying information such as an account or transaction number.

No charge to victim. Information required to be provided under paragraph (1) shall be so provided without charge.

Authority to decline to provide information. A business entity may decline to provide information under paragraph (1) if, in the exercise of good faith, the business entity determines that –

(A) this subsection does not require disclosure of the information;

(B) after reviewing the information provided pursuant to paragraph (2), the business entity does not have a high degree of confidence in knowing the true identity of the individual requesting the information;

(C) the request for the information is based on a misrepresentation of fact by the individual requesting the information relevant to the request for information; or

(D) the information requested is Internet navigational data or similar information about a person’s visit to a website or online service.

Limitation on liability. Except as provided in section 621, sections 616 and 617 do not apply to any violation of this subsection.

Limitation on civil liability. No business entity may be held civilly liable under any provision of Federal, State, or other law for disclosure, made in good faith pursuant to this subsection.

No new recordkeeping obligation. Nothing in this subsection creates an obligation on the part of a business entity to obtain, retain, or maintain information or records that are not otherwise required to be obtained, retained, or maintained in the ordinary course of its business or under other applicable law.

(9) Rule of Construction

In general. No provision of subtitle A of title V of Public Law 106-102, prohibiting the disclosure of financial information by a business entity to third parties shall be used to deny disclosure of information to the victim under this subsection.

Limitation. Except as provided in subparagraph (A), nothing in this subsection permits a business entity to disclose information, including information to law enforcement under subparagraphs (B) and (C) of paragraph (1), that the business entity is otherwise prohibited from disclosing under any other applicable provision of Federal or State law.

Affirmative defense. In any civil action brought to enforce this subsection, it is an affirmative defense (which the defendant must establish by a preponderance of the evidence) for a business entity to file an affidavit or answer stating that –

(A) the business entity has made a reasonably diligent search of its available business records; and

(B) the records requested under this subsection do not exist or are not reasonably available.

Definition of victim. For purposes of this subsection, the term “victim” means a consumer whose means of identification or financial information has been used or transferred (or has been alleged to have been used or transferred) without the authority of that consumer, with the intent to commit, or to aid or abet, an identity theft or a similar crime.

Effective date. This subsection shall become effective 180 days after the date of enactment of this subsection.

Effectiveness study. Not later than 18 months after the date of enactment of this subsection, the Comptroller General of the United States shall submit a report to Congress assessing the effectiveness of this provision.

Reproduced with the permission of the California Office of Information Security and Privacy Protection.

View work sheet archive