The IT Law Wiki


The Fair and Accurate Credit Transactions (FACT) Act of 2003 (FACT Act), Pub. L. No. 108-159, 117 Stat. 1952 (Dec. 4, 2003) (see 15 U.S.C. §1601 nt. for affected provisions) (full-text).


The FACT Act amended FCRA by adding requirements designed to prevent identity theft and assist identity theft victims. The FACT Act also included a provision requiring financial regulatory[1] agencies and the FTC to promulgate a coordinated rule designed to prevent unauthorized access to consumer report information by requiring reasonable procedures for the proper disposal of such information.

Specific provisions[]

The FACT Act contains the most comprehensive identity theft provisions in federal law. Among its identity theft-related provisions, the law:

  • requires consumer reporting agencies (CRAs) to follow certain procedures concerning when to place, and what to do in response to, fraud alerts[2] on consumers’ credit files;
  • allows consumers one free copy of their consumer report each year from nationwide CRAs as long as the consumer requests it through a centralized source under rules to be established by the FTC;
  • allows consumers one free copy of their consumer report each year from nationwide specialty CRAs (medical records or payments, residential or tenant history, check writing history, employment history, and insurance claims) upon request pursuant to regulations to be established by the FTC;
  • requires credit card issuers to follow certain procedures if additional cards are requested within 30 days of a change of address notification for the same account;
  • requires the truncation of credit card numbers on electronically printed receipts[3];
  • requires business entities to provide records evidencing transactions alleged to be the result of identity theft to the victim and to law enforcement agencies authorized by the victim to take receipt of the records in question;
  • requires CRAs to block the reporting of information in a consumer’s file that resulted from identity theft and to notify the furnisher of the information in question that it may be the result of identity theft;
  • requires federal banking agencies, the FTC, and the National Credit Union Administration to jointly develop guidelines for use by financial institutions, creditors and other users of consumer reports regarding identity theft; and
  • extends the statute of limitations for when identity theft cases can be brought.


The type of damages depends on whether the violation was negligent or willful. A defendant is liable for actual damages caused by identity theft plus attorney's fees when a violation is negligent.[4] If a violation is willful, a plaintiff may recover either actual damages or statutory damages between $100 and $1,000 per violation, plus punitive damages and attorney's fees.

A violation is willful if, based on an objectively reasonable interpretation of the statute, the defendant knowingly or recklessly violated its terms.[5] Therefore, to establish a claim for a willful violation of FACTA, a plaintiff must plead more than the defendant's awareness of the statute's requirements.[6] Instead, a plaintiff must allege "a sufficiently high degree of knowledge of the statute's requirements," such that "it would be plausible to infer — indeed, implausible not to infer — that at some point the [defendant] or its agents became aware of a violation of FACTA's requirements, or at least recklessly endeavored to avoid learning of a potential violation."[7] Under civil law, an act is reckless if it ignores "an unjustifiably high risk of harm that is either known or so obvious that it should be known."[8]


  1. Pub. L. No. 108-159, 117 Stat. 1952.
  2. The Act enabled consumers to place three different types of fraud alerts intended to stop credit grantors from opening any new accounts. An individual who suspects they are, or are about to become, the victim of identity theft, can place an "initial alert" in their file. If an individual has been a victim of identity theft, and has filed report with a law enforcement agency, they can then request an “extended alert.” After an extended alert is activated, it will stay in place for seven years, and the victim may order two free credit reports within 12 months. For the next five years, credit agencies must exclude the consumer's name from lists used to make pre-screened credit or insurance offers. Finally, military officials are enabled to place an "active duty alert" when they are on active duty or assigned to service away from the usual duty station. 15 U.S.C. §1681c-1.
  3. 15 U.S.C. §1681c.
  4. 15 U.S.C. §1681o(a).
  5. See Dover v. Shoe Show, Inc., 2013 WL 1748337, at *3 (W.D.Pa. Mar.19, 2013) report and recommendation adopted, 2013 WL 1748174 (W.D.Pa. Apr.23, 2013).
  6. Fullwood v. Wolfgang's Steakhouse, Inc., 2015 WL 4486311 (S.D.N.Y. July 23, 2015).
  7. Id. at *4 (internal quotations and citations omitted).
  8. Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 68 (2007).