Amazon to Pay $2.25 Million FTC Penalty Over Identity Theft Records Failures

Amazon to Pay $2.25 Million FTC Penalty Over Identity Theft Records Failures

By
Key Takeaways
  • Record Civil Penalty: Amazon will pay $2.25 million to resolve FTC allegations that it knowingly violated Section 609(e) of the Fair Credit Reporting Act.
  • Identity Theft Victims Denied Records: The FTC alleged Amazon repeatedly refused, delayed or improperly restricted requests for records needed by consumers investigating fraudulent activity conducted in their names.
  • Compliance Failures Extended Beyond Customer Service: According to the complaint, Amazon did not establish a written policy for handling Section 609(e) requests until early 2025 after learning of the FTC investigation.
  • Order Imposes Ongoing Compliance Requirements: The proposed settlement requires Amazon to comply with Section 609(e), improve consumer notice and contact affected individuals who sought records beginning in April 2024.
Deep Dive

Section 609(e) of the Fair Credit Reporting Act requires businesses to provide victims with records of fraudulent transactions so they can piece together what was done with their personal information and begin repairing the damage. According to the Federal Trade Commission, Amazon too often turned that straightforward legal obligation into something far more difficult.

The company will pay $2.25 million to settle allegations that it knowingly violated the Fair Credit Reporting Act by repeatedly refusing or delaying requests for records from identity theft victims. The civil penalty, announced Tuesday, is the largest ever imposed for violations of Section 609(e).

The complaint, filed by the U.S. Department of Justice following a referral from the FTC, alleges Amazon.com Inc. failed in numerous instances to provide application and business transaction records within the 30-day period required by law. Those records can be critical for consumers attempting to dispute fraudulent accounts, assist law enforcement investigations and restore their financial standing after identity theft.

The FTC also alleges that Amazon did not adopt a written policy for responding to Section 609(e) requests until early 2025, after learning the agency was investigating its practices, despite previous outreach from FTC staff encouraging the company to review its compliance.

When the Process Became the Obstacle

The government's complaint paints a picture of a customer service process that repeatedly failed people at precisely the moment the law was designed to help them. According to the FTC, consumers who contacted Amazon seeking records were frequently told that privacy or security rules prevented the company from releasing the information.

In one case highlighted by the agency, a consumer attempting to investigate unauthorized charges was informed that Amazon could not disclose records connected to another account unless the consumer correctly identified the name used on that account. Because the account belonged to an identity thief, the consumer could only guess. After roughly 30 unsuccessful attempts, the request remained unresolved.

Other consumers were told that customer service representatives simply could not access the records they were requesting. The complaint also alleges Amazon declined requests submitted by law enforcement agencies that had been properly authorized by identity theft victims to obtain records on their behalf. Some consumers went so far as to send Amazon copies of the Fair Credit Reporting Act itself, along with FTC guidance explaining the company's obligations. According to the complaint, those efforts often made no difference.

Even when records were eventually produced, the FTC alleges Amazon sometimes failed to meet the statute's 30-day deadline. Christopher Mufarrige, director of the FTC's Bureau of Consumer Protection, said the company's approach imposed unnecessary burdens on people already dealing with the consequences of identity theft.

"Amazon often put identity theft victims through a Kafkaesque ordeal by demanding they identify the thief who stole their information before Amazon would release the records the law entitles them to—records that could help victims protect themselves and recover from the fraudulent conduct," Mufarrige said. "The FTC will not allow companies to simply ignore their legal obligations, especially those designed to support and protect identity theft victims."

Compliance Obligations

The proposed order reaches beyond the financial penalty. It prohibits Amazon from violating Section 609(e) in the future and requires the company to provide qualifying records to identity theft victims and to law enforcement agencies acting with their authorization.

Amazon must also provide clearer notice explaining how consumers can request records under the Fair Credit Reporting Act. In addition, the company is required to contact individuals who requested records from Amazon beginning in April 2024 but did not receive them, informing those consumers that additional records may exist and can now be requested.

The case is notable not only because of the size of the penalty but because Section 609(e) has been enforced only sparingly. The FTC brought its first action under the provision in 2020 against Kohl's Department Stores. Six years later, the agency has returned to the same statutory provision with a much larger case, suggesting that compliance with what can appear to be an administrative obligation is receiving closer scrutiny.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong