Kohl’s Department Stores Inc. settled Federal Trade Commission claims that it violated the Fair Credit Reporting Act (FCRA) by failing to provide required application and business transaction records to consumers who were victims of identity theft. Kohl’s agreed to pay a civil penalty of $220,000.

The complaint, filed by the Department of Justice on behalf of the FTC in the U.S. District Court for the Eastern District of Wisconsin, alleged that “Kohl’s entered into commercial transactions with persons who made unauthorized use of the means of identification of victims” and (i) Kohl’s refused to provide records to the identity theft victims identifying these perpetrators and (ii) failed to do so within 30 days of receipt of a request from a victim, as required by FCRA.

This is the first instance in which the FTC has brought a case under Section 609(e), which was enacted for the very purpose at issue here – requiring companies to provide identity theft victims with application and business transaction records regarding fraudulent transactions made in their names within 30 days of the victim’s request. As part of the settlement agreement, Kohl’s is required to abide by Section 609(e) by providing identity theft victims access to the necessary records within 30 days of their requests. Additionally, Kohl’s must post a notice on its website concerning the method of obtaining these records and must certify that it has attempted to contact victims who were previously unlawfully denied access to these records.

“This case is a warning to other companies” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, that the FTC will hold companies responsible for failing to give identity theft victims business records as required by FCRA.