(1) DEFINITION.-As used in this section, the term “victim” means a person whose means of identification or financial information is used or transferred or is alleged to be used or transferred without the authority of that person with the intent to commit or to aid or abet an identity theft or a similar crime.
(2) GENERALLY.-
(a) For the purpose of documenting fraudulent transactions resulting from identity theft, within 30 days after the date of receipt of a request from a victim in accordance with subsection (4), and subject to verification of the identity of the victim and the claim of identity theft in accordance with subsection (3), a business entity that has provided credit to; provided for consideration products, goods, or services to; accepted payment from; or otherwise entered into a commercial transaction for consideration with, a person who has allegedly made unauthorized use of the means of identification of the victim, shall provide a copy of the application and business transaction records in the control of the business entity, whether maintained by the business entity or by another person on behalf of the business entity, evidencing any transaction alleged to be a result of identity theft to:
1. The victim;
2. A federal, state, or local government law enforcement agency, or officer specified by the victim in such a request; or
3. A law enforcement agency investigating the identity theft and authorized by the victim to take receipt of records provided under this section.
(b) This subsection does not apply to a third-party providing a service to effect, administer, facilitate, process, or enforce a financial transaction initiated by an individual.
(3) VERIFICATION OF IDENTITY AND CLAIM.-Before a business entity provides any information under subsection (2), unless the business entity, at its discretion, otherwise has a high degree of confidence that it knows the identity of the victim making a request under subsection (2), the victim shall provide to the business entity:
(a) As proof of positive identification of the victim, at the election of the business entity:
1. The presentation of a government-issued identification card;
2. Personal identifying information of the same type as provided to the business entity by the unauthorized person; or
3. Personal identifying information that the business entity typically requests from new applicants or for new transactions, at the time of the victim’s request for information, including any documentation described in subparagraphs 1. and 2.
(b) As proof of a claim of identity theft:
1. A copy of a police report evidencing the claim of the victim of identity theft; and
2. A properly completed affidavit of fact that is acceptable to the business entity for that purpose.
(4) PROCEDURES.-The request of a victim under subsection (2) shall:
(a) Be in writing.
(b) Be mailed or delivered to an address specified by the business entity, if any.
(c) If asked by the business entity, include relevant information about any transaction alleged to be a result of identity theft to facilitate compliance with this section, including:
1. If known by the victim or readily obtainable by the victim, the date of the application or transaction.
2. If known by the victim or readily obtainable by the victim, any other identifying information such as an account number or transaction number.
(5) NO CHARGE TO VICTIM.-Information required to be provided under subsection (2) shall be provided without charge.
(6) AUTHORITY TO DECLINE TO PROVIDE INFORMATION.-A business entity may decline to provide information under subsection (2) if, in the exercise of good faith, the business entity determines that:
(a) This section does not require disclosure of the information;
(b) After reviewing the information provided pursuant to subsection (3), the business entity does not have a high degree of confidence in knowing the true identity of the individual requesting the information;
(c) The request for the information is based on a misrepresentation of fact by the individual requesting the information;
(d) The information requested is Internet navigational data or similar information about a person’s visit to a website or online service; or
(e) The disclosure is otherwise prohibited by state or federal law.
(7) LIMITATION ON CIVIL LIABILITY.-A business entity may not be held civilly liable in this state for a disclosure made in good faith pursuant to this section or a decision to decline to provide information as provided in subsection (6).
(8) NO NEW RECORDKEEPING OBLIGATION.-This section does not create an obligation on the part of a business entity to obtain, retain, or maintain information or records that are not otherwise required to be obtained, retained, or maintained in the ordinary course of its business or under other applicable law.
(9) AFFIRMATIVE DEFENSE.-In any civil action brought to enforce this section, it is an affirmative defense, which the defendant must establish by a preponderance of the evidence, for a business entity to file an affidavit or answer stating that:
(a) The business entity has made a reasonably diligent search of its available business records.
(b) The records requested under this section do not exist or are not reasonably available.