DEPARTMENT OF JUSTICE

Fraud and Consumer Protection Unit

Statutory Authority: 11 Delaware Code, Section 854A(e) (11 Del.C., §854A(e))

FINAL

BEFORE THE ATTORNEY GENERAL OF THE STATE OF DELAWARE

ORDER

IN RE: IDENTITY THEFT PASSPORT

A public hearing was held to receive comments related to the Identity Theft Passport program authorized under 11 Del.C. §854A. Notice was provided as required under the Administrative Proceedings Act in the Register of Regulations at 10 DE Reg. 811(11/01/06) and two newspapers of general circulation. 29 Del.C. §10115.

The Director of Consumer Protection was designated by the Attorney General to conduct the public hearing held at 10 a.m. on December 4, 2006 in the Carvel State Office Building, 6th floor, 820 N. French St., Wilmington, DE 19801.

Summary of the Evidence and Information Submitted

There was no verbal comment at the public hearing. The written comment marked as Exhibit 1 follows:

1. The Consumer Data Industry Association (CDIA) submitted a letter dated November 16, 2006. The CDIA is an international trade association representing over 400 consumer data companies and include organizations involved in credit reporting, mortgage reporting, check verification, fraud prevention, risk management, employment reporting, tenant screening and collection services. Generally, the CDIA supports the concept of an ID theft passport program but has reservations about provisions that affect a consumer reporting agency. The law provides that a consumer reporting agency “must accept the passport as an official notice of a dispute and must include notice of the dispute in all future reports that contain disputed information caused by the identity theft.” 11 Del.C. §584A(b)(3).

The CDIA believes that the passport does not provide enough information to begin the dispute process that is required under the Fair Credit Reporting Act (FCRA) in 15 U.S.C. §1681i. A consumer who wants to dispute information with a credit reporting agency needs to provide a social security number, date of birth, and specific information about fraudulent accounts. The CDIA also notes that the organization furnishing the information to the credit reporting agency is not required to accept the passport as a notice of dispute.

Finally, the CDIA believes that §854A(b)(3) is preempted by 15 U.S.C. §1681t(b)(5)(C) which relates to §1681c-2.

Recommended Findings of Fact With Respect to the Evidence and Information

1. While the ID theft passport may not present as much information as a reporting agency might ultimately need to perform the reinvestigation required under 15 U.S.C. §1681(1), it is a sufficient trigger for reinvestigation. It is direct notice from the consumer and it confirms that a police report was filed. The reinvestigation can be terminated if the consumer does not subsequently provide sufficient information for the investigation. 15 U.S.C. §1681(a)(3)(A).

2. It should be noted that there was some confusion about the numbering of the sections of the law in the written comment. The section numbers included in this order do not precisely correspond to the section numbers provided by the commenter but rather to the substance of the sections in the letter.

Generally, the FCRA does not preempt State law except where there is inconsistency. Section 1681c-2 requires, inter alia, a consumer reporting agency to block information resulting from an alleged identity theft not later than 4 days after receipt of –

(1) appropriate proof of the identity of the consumer;

(2) a copy of an identity theft report;

(3) the identification of such information by the consumer; and

(4) a statement by the consumer that the information is not information relating to any transaction by the consumer.”

Under Delaware law neither the requirement that the passport is a notice of dispute to a credit reporting agency, nor the requirement that the notice is included in reports containing disputed information, is inconsistent with the FCRA. Once the information is blocked under the FCRA, there is no requirement under Delaware law that the notice of dispute appear in the report which no longer contains disputed information.

3. Finally, and most importantly, the comment made by the CDIA to proposed Rule 4.1.3 is really a comment that is addressed to 11 Del.C. §854A(b)(3) since the rule is a recitation of the Delaware Identity Theft Passport law with the federal citations omitted. The Attorney General is empowered to adopt regulations under 11 Del.C. §854A(e). Those regulations can implement, but not change, the law.

Recommended Action

After considering the provisions in the law providing for an Identity Theft Passport and the comment received, it is the recommendation of the Director of Consumer Protection that the Attorney General make the proposed findings and adopt the proposed rules as published pursuant to his authority in 11 Del.C. §854A (e).

Barbara J. Gadbois

Director of Consumer Protection

ORDER AND EFFECTIVE DATE

After review of the law and comment as well as the recommendation of the Director of Consumer Protection, I hereby adopt the recommended findings of fact and the rules implementing 11 Del.C. §854A as proposed in 10 DE Reg. 811 (11/01/06) to be effective 10 days following publication of this final order in the Register of Regulations.

Identity Theft Passports

1.0 Scope

1.1 An identity theft passport is available to a person who is a victim of identity theft as defined in 11 Del.C. §854 and who has filed a police report with a law enforcement agency in this State.

1.2 A law enforcement agency with jurisdiction over the residence of the victim shall take a report from a person who knows or reasonable believes that he or she has been the victim of identity theft. 6 Del.C. §2204(a).

1.3 An identity theft passport is not available for identity mistake or loss of documents containing identifying information.

2.0 Application

2.1 A victim may request an application from the Office of the Attorney General, 820 N. French St. 5th Floor Wilmington, DE 19801, from the police agency taking the report, or online at http://www.state.de.us/attgen/default.shtml

2.2 The application will contain at a minimum:

2.2.1 The name, gender, date of birth, place of birth, address, and phone number of the applicant;

2.2.2 the county and state where the theft occurred;

2.2.3 a description of the identity theft incident;

2.2.4 the identity of the person who stole the information, if known;

2.2.5 the signature and certification of the applicant; and

2.2.6 any other information deemed necessary by the Attorney General.

2.3 The police agency that takes the police report is responsible for transmitting the report and the application to the Attorney General for further processing.

3.0 Qualification

3.1 A designee of the Attorney General will review the application, police report, and any other information necessary to determine whether he or she is reasonably assured that the identity theft claim is legitimate and adequately substantiated.

3.1.1 Documents that may substantiate a claim of identity theft include, but are not limited to:

3.1.1.1 receipts or bills from creditors showing unauthorized use of a credit card;

3.1.1.2 utility accounts created using the applicant’s name without permission;

3.1.1.3 fraudulent checks or bank statements; or

3.1.1.4 any other evidence that the applicant’s identity has been used without consent to commit or facilitate a crime prohibited in Title 11 of the Delaware Code.

3.2 Only police reports submitted by a Delaware law enforcement agency will support an application for an identity theft passport.

3.3 An applicant who is approved will be issued the identity theft passport by the Attorney General.

4.0 Use of the Identity Theft Passport

4.1 An identity theft passport can be presented as follows:

4.1.1 to a law enforcement agency to help prevent the victim’s arrest or detention for an offense committed by someone using the victim’s identity;

4.1.2 to any of the victim’s creditors to aid in a creditor’s investigation and establishment of whether fraudulent charges were made using the victim’s account(s);

4.1.3 to a consumer reporting agency as defined in the Fair Credit Reporting Act which must accept the passport as an official notice of a dispute and must include notice of the dispute in all future reports that contain disputed information caused by the identity theft.

4.2 Acceptance or rejection of the passport presented to a law enforcement agency or credit as provided in 4.1.1 and 4.1.2 is at the discretion of the law enforcement agency or creditor.

5.0 Changes

5.1 Name or address changes shall be reported promptly to the Consumer Protection Unit, Office of the Attorney General, 820 N. French Street 5th floor, Carvel State Office Building, Wilmington, DE 19801.

5.2 The identity theft passport shall be returned to the above location and a new passport will be issued with the new information.

6.0 Lost or Stolen Passports

6.1 A person who is issued an identity theft passport shall immediately notify the Consumer Protection Unit of the Office of the Attorney General if the passport is lost or stolen.

6.2 The lost or stolen passport will be replaced upon proper application.

7.0 Expiration

7.1 An identity theft passport will expire three years after it was originally issued.

7.2 An identity theft passport may be renewed if there are continuing detrimental effects of the identity theft that may be mitigated by the renewal of the passport.

10 DE Reg. 1151 (01/01/07) (Final)

11 Del.C. §854A. Identity theft passport; application; issuance.

(b)A victim of identity theft may present that victim’s identity theft passport issued under subsection (a) of this section to the following:

(3) A consumer reporting agency, as defined in §603(f) of the federal Fair Credit Reporting Act (15 U.S.C. §1681a(f)), which must accept the passport as an official notice of a dispute and must include notice of the dispute in all future reports that contain disputed information caused by the identity theft.

15 U.S.C.A. §1681(i). Procedure in case of disputed accuracy

Reinvestigations of disputed information

Reinvestigation required.—

(A) In general. – If the completeness or accuracy of any item of information contained in a consumer’s file at a consumer reporting agency is disputed by the consumer and the consumer notifies the agency directly of such dispute, the agency shall reinvestigate free of charge and record the current status of the disputed information, or delete the item from the file in accordance with paragraph (5), before the end of the 30-day period that is relevant to the reinvestigation….

15 U.S.C.A. §1681t. Relation to State Laws.

In general

Except as provided in subsection (b) and (c) of this section, this subchapter does not annul, alter, affect, or exempt any person subject to the provisions of his subchapter from complying with the laws of any State with respect to the collection, or use of any information on consumers, or for the prevention or mitigation of identity theft, except to the extent that those laws are inconsistent with any provision of this subchapter, and then only to the extent of any inconsistency.

General exceptions. – No requirement or prohibition may be imposed under the laws of any State –

(5) with respect to the conduct required by the specific provision of—

(C) section 1681c-2 of this title;