The FACT Act

The provisions of the Fair and Accurate Credit Transactions (FACT) Act of 2003 that took effect Dec. 1, 2004, grant new rights and privacy protections to U.S. consumers. But the law imposes strict new requirements on companies that trade or use consumer credit information.

FACT was signed by President Bush on Dec. 3, 2003. The law makes major changes to the Fair Credit Reporting Act (FCRA) of 1970, which first gave consumers the right to obtain their credit information from insurers, lenders and credit bureaus. But the reach of the new amendments extends to a wide range of businesses that harbor sensitive data on employees or customers. In short, even if your employer isn’t in the financial services, insurance or credit reporting business, the FACT Act is required reading for CSOs who don’t want to find themselves on the wrong side of a consumer lawsuit.

FACT extends the reach of FCRA to provide specific protections from fraud and identity theft, mandating that merchants and credit agencies tighten their systems for handling consumer fraud complaints and for protecting sensitive informationsuch as credit card numbersfrom unauthorized disclosure.

FACT has already had a huge impact on companies that traffic in credit information, forcing them to develop new systems to communicate with consumers about changes to their credit status.

At ChoicePoint, a provider of identification and credential verification services for the insurance and real estate industries, FACT prompted major changes in the way the company communicates with the public, says Steve Keen, assistant vice president of customer and consumer services.

FACT required ChoicePoint to set up a system to get credit information to consumers. The company added an interactive voice response system and a Web portal so that customers can order their reports. With those changes came significant investments in software development, labor, employee training and infrastructure to support the new credit report request service and to prepare for a possible flood of requests once the FACT provisions were ratified, Keen says.

While its major provisions pertain to credit reporting agencies and the companies that furnish them with information, CSOs should not be lulled into a false sense of security when it comes to the FCRA and the FACT Act amendments, says Tena Friery, research director of the Privacy Rights Clearinghouse.

In fact, any company that uses credit reportsas part of its hiring or promotions process, for exampleis subject to FCRA and should carefully review the new FACT amendments to FCRA, Friery says.

CSOs should consider setting up an internal business review council of lawyers, privacy experts, IT security experts and representatives from their organizations’ business units to weigh the requirements of FACT and other federal regulations, says Howard Schmidt, former White House cybersecurity adviser and current CISO of eBay.