The Fair Credit Reporting Act of 1970
The Fair Credit Reporting Act of 1970 controls the collection, use, and redistribution of your consumer information. Enacted 26 October 1970 as title VI of Public Law 91-508, 84 Stat. 1114, it can be found in the United States Code (15 U.S.C. § 1681 et seq.) It represents an amendment to the Consumer Credit Protection Act of 1968, and is enforced by the FTC. The law is usually referred to as FCRA, and you can get a copy of it directly from the FTC, or you can view the law as it stands in the US Code on the Cornell University Law School website.
Originally, the law was primarily of interest to banks and consumer reporting agencies (CRA), and businesses which sent information to them. Today, this law applies to a wide variety of organizations that collect personal information from you directly, as well as from public records.
The law was amended in 2003 by the Fair and Accurate Credit Transactions Act (FACTA) to allow consumers to obtain a free report from consumer reporting agencies that are covered by FCRA. By that time, however, the list of consumer reporting agencies had grown significantly. The FCRA defines the organizations that must comply with the law by the type of information that is handled. As credit lenders have widened their search for credit worthiness to include things like utility bills and rental history, organizations that collect this type of information are also included.
Generally, the FCRA says you may see whatever information a CRA has in their file on you, and that you have the right to dispute inaccurate information in that file.
If you dispute something, FCRA dictates how that dispute is resolved, and if inaccurate information is removed, they must also notify you within 5 days if the information is put back into your file.
If you're a victim of identity theft, however, the most important part of FCRA is Section 609(e). This is the part that says if a company has done business with someone using your information (in other words, an identity thief who says they are you) that company must provide you with all applications and business records that were made in your name.
However, companies have given identity theft victims a lot of grief over this. Some companies say they cannot release the records because they are proprietary, others may say they won't give you the information without a court order. A few have even gone so far as to say they wouldn't provide that information because they must protect the privacy of their clients (be careful not to explode when they tell you that.) The problem is so prevalent, that the FTC has written a brochure specifically addressing this issue. (NOTE: The FTC was hacked Feb 17, 2012, and had to take the link for this brochure down until they addressed the vulnerability. They have not given a time when this will be back up.) They have also created a letter you can download to send to a company if you need to obtain these records.
FCRA specifies that these records may be given to you, and to a law enforcement officer you designate – which will probably be the detective looking into your case (assuming you have one.)
One advantage the FCRA offers consumers is that it permits a private citizen to prosecute their own case against any "nationwide specialty consumer reporting agency" that is in violation of the law in state or federal court.
The statute of limitations is either 5 years after the infraction that is the basis of the suit, or 2 years after discovery, whichever is shorter. (In other words, if you don't discover the violation for 6 years, you won't be able to file a suit because the shorter would be 5 years, and would have already passed.) Companies that know they have violated the FCRA may be able to have a case dismissed by notifying their clients of the error, because this would give clients a 2-year window instead, after which they could argue that the statute of limitations has already passed.