Dive Brief:
- Amazon.com agreed to pay $2.25 million to settle a federal complaint this week that alleged the retailer failed to give consumers who were victims of identity theft access to records related to fraudulent credit or debit card transactions.
- The Justice Department’s lawsuit Monday on behalf of the Federal Trade Commission alleged that Amazon “knowingly” violated the Fair Credit Reporting Act, and offered a proposed consent order for the U.S. District Court in Washington D.C. to consider. The FTC announced the agreement Tuesday with a press release.
- “In numerous instances, Defendant entered into commercial transactions with persons who made unauthorized use of the means of identification of victims of identity theft, and Defendant then failed to provide the application and business transaction records related to those transactions to the identity theft victims upon request,” the DOJ complaint said of Amazon’s actions.
Dive Insight:
Consumers who contacted the company to report fraud with their Amazon accounts or payment cards were told by Amazon customer service agents that “they could not provide the requested records for ‘security’ or ‘privacy’ reasons,” the FTC said.
The Fair Credit Reporting Act gives companies 30 days to furnish victims of identity theft with application and business records about fraudulent transactions made in their names, the FTC said.
Spokespeople for Amazon, and the company’s attorneys with Sidley Austin, did not respond to emails Tuesday seeking comment.
The Seattle-based retailer “often put identity theft victims through a Kafkaesque ordeal by demanding they identify the thief who stole their information before Amazon would release the records the law entitles them to,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in the press release.
In one instance, a consumer told the FTC that Amazon said it could not share business records about a fraudulent account that had made unauthorized charges on the customer’s credit card “unless the consumer guessed the name on the account (the name used by the identity thief), which the consumer was unable to do after making 30 attempts.”
The company also denied access for application and business transaction records to law enforcement agencies, the FTC said in the press release.
The FTC said its staff had previously told Amazon lawyers in June 2023 to review the company’s compliance with that part of the Fair Credit Reporting Act after the agency received a consumer complaint.
As part of the settlement, Amazon will post a notice on its website about how ID theft victims can request records from the company. The $2.25 million penalty is a record for a Section 609(e) violation of the Fair Credit Reporting Act, according to the FTC.