Tag Archives: Federal Trade Commission

FTC Fines Data Broker Spokeo 800000 Dollars to Settle Charges of Violating Fair Credit Reporting Act

In the first Federal Trade Commission (FTC) case to address the sale of Internet and social media data in the employment screening context, Spokeo, Inc. – a data broker that compiles and sells detailed information profiles on millions of consumers – has agreed to pay a $800,000 fine to settle FTC charges that the company marketed profiles to companies in the human resources, background screening, and recruiting industries without taking steps to protect consumers required under the Fair Credit Reporting Act (FCRA), according to a press release at http://www.ftc.gov/opa/2012/06/spokeo.shtm. Continue reading

Federal Trade Commission Issues Staff Report on Fair Credit Reporting Act Controlling Employment Background Checks

The Federal Trade Commission (FTC) has issued a staff report that compiles and updates the agency’s guidance on the Fair Credit Reporting Act (FCRA), the 1970 law designed to protect the privacy of credit report information and ensure that the information supplied by credit reporting agencies (CRAs) is as accurate as possible. The July 2011 report, “Forty Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report and Summary of Interpretations,” provides a brief overview of the FTC’s role in enforcing and interpreting the FCRA, includes a section-by-section summary of the agency’s interpretations of the Act, and also withdraws the agency’s 1990 Commentary on the FCRA, which has become partially obsolete since it was issued 21 years ago. Continue reading

Identity Theft Tops Federal Trade Commission List of Top Consumer Complaints in 2010

A list of top consumer complaints received in 2010 by the Federal Trade Commission (FTC), the nation’s consumer protection agency, showed that identity theft was the number one consumer complaint category for the 11th year in a row, with 250,854 – or 19 percent – of the 1,339,265 complaints received by the FTC related to identity theft. Continue reading

Three Credit Report Resellers Settle FTC Charges for Not Protecting Personal Information of Consumers

By Lester Rosen, Employment Screening Resources (ESR) President & Thomas Ahearn, ESR News Editor

In the Federal Trade Commission’s (FTC) first cases against credit report resellers for the data security failures of their clients, three companies that resell credit reports of consumers have agreed to settle FTC charges that they did not take reasonable steps to protect personal information of consumers and allowed computer hackers to access that personal information, according to a recent news release from the FTC.

Administrative complaints issued by the FTC showed the three credit report resellers bought credit reports from the three nationwide consumer reporting agencies – Equifax, Experian, and TransUnion – and added them to reports to sell to determine eligibility for credit of consumers. Because these three resellers allegedly allowed clients to access these reports without basic security measures such as firewalls and updated antivirus software, hackers accessed more than 1,800 credit reports without authorization through the computer networks of clients. The three credit report resellers also allegedly did not make reasonable efforts to protect against future security even after becoming aware of these data breaches.

The three credit report resellers are charged with violating the Fair Credit Reporting Act (FCRA) by:

  • Failing to protect their internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose to have them,
  • Failing to maintain reasonable procedures to limit the furnishing of credit reports for such purposes, and
  • Furnishing credit reports when they had reasonable grounds for believing the reports would not be used for a permissible purpose.

The failure of the three credit report resellers to protect personal information of consumers also allegedly violated the FCRA. In addition, the credit report resellers allegedly violated the Gramm-Leach-Bliley Safeguards Rule by failing to:

  • Design and implement information safeguards to control the risks to consumer information;
  • Regularly test or monitor the effectiveness of their controls and procedures; to evaluate and adjust their information security programs in light of known or identified risks; and
  • Have comprehensive information security programs.

The proposed settlement, part of the ongoing campaign of the FTC to protect the personal information of consumers, would require the three credit report resellers to:

  • Have comprehensive information security programs designed to protect the security, confidentiality, and integrity of the personal information of consumers, including information accessible to clients;
  • Obtain independent audits of their security programs, every other year for 20 years;
  • Furnish credit reports only to those with a permissible purpose; and
  • Maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

These cases show that the FTC will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports as required by the FCRA. These cases also send a strong message that companies giving their clients online access to sensitive information of consumers must have reasonable procedures to secure that information.

Consumer protection through data security makes up a critical part of the National Association of Professional Background Screeners (NAPBS) accreditation process. Since its founding in 2003, the NAPBS has believed that there is a strong need for a singular cohesive industry standard and created the Background Screening Agency Accreditation Program (BSAAP). Governed by a strict professional standard composed of requirements and measurements, the BSAAP is becoming a widely recognized seal of approval that brings national recognition to background screening organizations – also referred to as Consumer Reporting Agencies (CRAs) – that will stand as the industry “seal” representing a background screening organization’s commitment to excellence, accountability, high professional standards, and continued improvement.

The NAPBS Background Screening Credentialing Council (BSCC) oversees the application process and is the governing accreditation body that will ensure the background screening organizations seeking accreditation meet or exceed a measurable standard of competence. To become accredited, a CRA must pass an onsite audit of its policies and procedures as they relate to six critical areas of the BSAAP:

  • ‘Section 1: Consumer Protection’ includes standards for: Information Security Policy; Data Security; Intrusion, Detection and Response; Stored Data Security; Password Protocol; Electronic Access Control; Physical Security; Consumer Information Privacy Policy; Unauthorized Browsing; Record Destruction; Consumer Disputes; Sensitive Data Masking; and Database Criminal Records.
  • ‘Section 2: Legal Compliance’ includes standards for: Designated Compliance Person(s); State Consumer Reporting Laws; Driver Privacy Protection Act (DPPA); State Implemented DPPA Compliance; Integrity; Prescribed Notices; and Certification from Client.
  • ‘Section 3: Client Education’ includes standards for: Client Legal Responsibilities; Client Required Documents; Truth in Advertising; Adverse Action; Legal Counsel; Understanding Consumer Reports; and Information Protection.
  • ‘Section 4: Product Standards’ includes standards for: Public Record Researcher Agreement; Vetting Requirement; Public Record Researcher Certification; Errors and Omissions Coverage; Information Security; Auditing Procedures; Identification Confirmation; and Jurisdictional Knowledge.
  • ‘Section 5: Service Standards’ includes standards for: Verification Accuracy; Current Employment; Diploma Mills; Procedural Disclosures; Verification Databases; Use of Stored Data; Documentation of Verification Attempts; Outsourced Verification Services; Conflicting Data; Professional Conduct; and Authorized Recipient.
  • ‘Section 6: General Business Practices’ includes standards for: Character; Insurance; Client Credentialing; Vendor Credentialing; Consumer Credentialing; Document Management; Employee Certification; Worker Training; Visitor Security; Employee Criminal History; Quality Assurance; and Certification.

Employment Screening Resources (ESR) is formally recognized as accredited by the National Association of Professional Background Screeners (NAPBS) Background Screening Credentialing Council (BSCC) for successfully proving compliance with the Background Screening Agency Accreditation Program (BSAAP). For more information, visit Employment Screening Resources (ESR) at http://www.ESRcheck.com

Source:
http://ftc.gov/opa/2011/02/settlement.shtm

New FTC Rules on Employment Verifications Do Not Affect Users of Consumer Reports

By Lester Rosen, President of ESR

Some employers may have read about new rules that went into effect July 1, 2010, that potentially affect the accuracy of employment verifications.  For employers concerned about the new rules, the short answer is that it does not affect how and when an employer receives a background report.  It also does not impact a standard response to a request for a past employment check. At most, it may only affect certain limited employers in their role as a “furnisher of information to third parties as defined by the federal Fair Credit Reporting Act (FCRA).

For example, it has been suggested that the new rules could potentially impact an employer that is utilizing a  third party services firm that routinely collects employment data such as payroll data or creates an employment database.

The new rules are at http://www.ftc.gov/os/2009/07/R611017factafrn.pdf. They stem from the Fair and Accurate Credit Transactions Act (FACTA) of 2003, which among other things, provided consumers a means to obtain free yearly credit report from the credit bureaus. The new law also required federal agencies to implement new rules aimed at promoting the accuracy and “integrityof information that furnishers provide to consumer reporting agencies.  A furnisher is a party that provides information.  The main thrust of the new regulations is aimed at organizations such as banks, financial institutions and credit card firms that provide data to the credit bureaus that are used to create consumer credit reports.

Although ESR cannot provide legal advice and it is possible that future clarifications may come out from the Federal Trade Commission or other sources, it certainly appears that the regulations do not affect an employer that simply responds to a standard request for a past employment check, and does not impact employers at all that are users of background reports.

Please contact Employment Screening Resources (ESR) at www.ESRcheck.com if you have any questions.

Source:

http://www.ftc.gov/os/2009/07/R611017factafrn.pdf

The Dangers of Do-It-Yourself Background Checks

By Lester Rosen, President of ESR

(Originally Posted on Toolbox for HR)

From the mailbox: Why shouldn’t employers simply do their own background checks in-house? They can hire people from the screening industry and can certainly figure it out.

Answer: First, the fact that a firm may be able to set up an internal screening program does not mean it makes sense. All sorts of professional services could be done in-house. Successful firms typically spend time and energy doing what they are good at (their core function), and they outsource functions that although critical, do not need to take up in-house resources. Of course, if a firm is large enough it may make sense. Of if the firm has a special place in the market where there is a need to be able to tell people they control the process, then that may be a good reason to perform services in house. Most successful firm outsource those HR endeavors that are unusually complicated or regulated, which would include many human resource services such as benefits, retirement planning and screening.

Secondly, it can be a trap to think that the federal Fair Credit Reporting Act (FCRA), the law that controls third party background checks has no application to in-house processes. An employer that performs these activates in-house can easily hit an FCRA “tripwire” thus invoking the FCRA. There are numerous examples. Hiring an out of state agency to pull a court record for example could, per an FTC staff letter, make what appears to be a non-FCRA investigation into an FCRA regulated activity. Accessing non-public databases can make it an FCRA event. California has applied some FCRA type rules on a limited basis to employers that do public record checks in-house. So unless every single thing an in-house department does is done by your own W-2 employees and you only access public records, you may end up tripping the FCRA. Our advice is that even if done in-house, act as though the FCRA applies.

One argument made in favor of in-house processes is that a firm can conduct better reference checks because it knows what it is looking for. Verifications are an interesting issue. There are two types of verifications. Managers may call to determine if someone should be hired. Screening firms are typically called upon AFTER a tentative hiring decision has been made for the purpose of a methodical review of the work history to confirm employment. Hiring managers cannot always be counted on to document the entire work history. Either Human Resources, an internal department or an outside vendor needs to ensure that all employers have been contacted.

Finally, there are a number of specialized skills and resources that are needed, such as figuring out education fraud, or if a criminal record can be used. Unless a firm has access to experts on the laws of all 50 states, and an understanding of EEOC rules, etc, doing it in-house can be very risky. Accessing records from thousands of different courts can be very tricky. A great deal of knowledge is required,

The bottom-line is that if a business does it in-house and they miss a record that a competent third party firm would have found and someone is harmed, it would not be much of a jury defense that the business was trying to save a few bucks by doing something in-house that requires such specialized skills and knowledge.

There is also the cultural issue that some firms find it advantageous to have a third party do the background checks, so the employment relationship does not start with what may seem an invasion of privacy.

So, the bottom-line is an organization needs to figure out if at the end of the day, the time and effort it takes to perform service in-house is worth it, if it can be outsourced. There are certainly organizations that for cost savings have essentially set up their own internal background units successfully, but they essentially have became an in-house background firm that needs to know how to do everything a third party firm can do. However, for the right firm, an in-house process can make sense as long as they know how to do everything a third party firm can do and if it makes economic sense.

For more information about background checks, visit Employment Screening Resources (ESR) at http://www.ESRcheck.com.

Source: http://hr.toolbox.com/blogs/background-checks/the-dangers-of-doityourself-background-checks-39727

New Legislation Would Make Companies Inform Customers When Calls Outsourced Outside U.S.

By Thomas Ahearn, ESR News Staff Writer

Ever wonder if the customer service call center at the other end of your phone is located in the U.S., or what foreign country it is located in if outside of the U.S.?

Newly proposed legislation would make companies inform customers when their calls are being transferred outside the United States and charge companies for those transferred calls in an effort to maintain call center jobs currently in the United States and provide a reason for companies that have already outsourced call center jobs to bring them back.

According to a press release on Senator Charles E. Schumer’s (D-NY) website, the new legislation would require companies that transfer calls to foreign call centers to disclose to the caller that their call is being transferred to a particular country. The disclosure requirement would also force companies to annually certify to the Federal Trade Commission (FTC) that they are fully complying with this requirement or otherwise be subject to civil penalties that the FTC would prescribe.

In addition, since 800 numbers are often transferred overseas without the caller’s knowledge, the bill would impose a $0.25 excise tax on any customer service call placed inside the United States which is then transferred to an agent in a foreign location, with the fee being assessed on the company that transferred the call.

While the bill’s major aim would be to reduce the outsourcing of U.S. jobs, another benefit could be greater protection against identity theft, since the personally identifying information (PII) of American consumers — such as names, birth dates, addresses, social security numbers, and financial information — would not be offshored as often to call centers in foreign countries beyond the reach of U.S. identity theft and privacy laws.

Employment Screening Resources (ESR) — a member of Concerned CRAs, a group of Consumer Reporting Agencies (CRA) concerned that certain data practices place the personal information of consumers at risk — does not outsource domestic background screening services outside of the U.S. in order to protect the PII contained in background screening reports. ESR believes that sending such personal information offshore places both applicants and employers at risk and should be avoided when possible. If PII is sent to countries outside the U.S., applicants and employers should be made aware of this practice. 

For more information on personally identifiable information, offshoring, and identity theft, visit Employment Screening Resources (ESR) at http://www.esrcheck.com.

Sources:

http://schumer.senate.gov/record.cfm?id=325406&

FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule To December 31

By Thomas Ahearn, ESR Staff Writer

The Federal Trade Commission (FTC) has further delaying enforcement of the Red Flags Rule for identity theft scheduled to begin on June 1, 2010 to December 31, 2010.

According to a FTC news release, the delay of the Red Flags Rule for identity theft to the end of the year would give Congress time to consider legislation that would resolve any questions as to which entities are covered by the Red Flags Rule and remove the need for further enforcement delays. As currently written, the Red Flags Rule — which was developed under the Fair and Accurate Credit Transactions Act (FACTA) — requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or activities — called “red flags” — that may indicate identity theft.

With identity theft on the rise — a recent survey found the number of identity theft and fraud victims in the U.S. increased 12 percent to affect over 11 million adults in 2009 — the FTC’s Red Flags Rule addresses the need for businesses extending credit to customers to develop and implement written identity theft prevention programs. In addition, according to a “Facts For Businesses” page on the FTC website, the Red Flags Rule may apply to groups that might not typically use the words “financial institutions” and “creditors” with “covered accounts” to describe themselves.

  • The Red Flags Rule defines a “financial institution” as banks, savings and loan associations, mutual savings banks, credit unions, or any person, directly or indirectly, holding a transaction account belonging to a consumer.
  • The Red Flags Rule definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies may fall within this definition. Creditors also include those who regularly grant loans, arrange for loans, or extend credit.
  • The Red Flags Rule defines that term “covered accounts” as 1.) A consumer account primarily designed to permit multiple payments or transactions such as credit card accounts, mortgage/auto loans, and cell phone, utility, and checking and savings accounts; and 2.) Any account for which there is a foreseeable risk to customers or to the financial institution or creditor from identity theft.

Beginning December 31, 2010, the Red Flags Rule would require the entities described above to develop, implement, and administer Identity Theft Prevention Programs that include four basic elements — Indentify, Detect, Prevent, and Update — to address the threat of identity theft:

  • An Identity Theft Prevention Program must include reasonable policies and procedures to identify the “red flags” of identity theft, the patterns, practices, or activities that may indicate the possibility of identity theft.
  • An Identity Theft Prevention Program must be designed to detect the red flags identified, and have procedures in place to help in the detection of red flags.
  • An Identity Theft Prevention Program must spell out the appropriate response to take when red flags are detected to prevent and mitigate identity theft.
  • An Identity Theft Prevention Program should go through a periodic update to reflect new risks from identity theft since this crime is an ever-changing threat.

For more information and the latest news about identity theft and the Red Flags Rule, please visit Employment Screening Resources (ESR) at http://www.esrcheck.com.

Sources:

http://ftc.gov/opa/2010/05/redflags.shtm

http://www.ftc.gov./bcp/edu/pubs/business/idtheft/bus23.shtm

FTC Requiring Businesses Extending Credit To Customers To Follow Red Flags Rule For Identity Theft Starting June 1

By Thomas Ahearn, ESR Staff Writer

With identity theft on the rise – a recent survey found the number of identity theft and fraud victims in the U.S. increased 12 percent to affect over 11 million adults in 2009 – the Federal Trade Commission (FTC) is requiring businesses that extend credit to customers to develop plans to detect and prevent identity theft beginning June 1, 2010.

The FTC delayed enforcement of this “Red Flags” Rule until June 1, 2010 at the request of Congress after the Rule was published under the Fair and Accurate Credit Transactions Act (FACTA) in which Congress directed the FTC to develop regulations for “financial institutions” and “creditors” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – or “red flags” – that may indicate identity theft.

According to a “Facts For Businesses” page on the FTC website, the Red Flags Rule for implementing a written identity theft prevention program applies to “financial institutions” and “creditors” with “covered accounts,” and the FTC warns that these terms may apply to groups that might not typically use those words to describe themselves.

  • The Red Flags Rule defines a “financial institution” as banks, savings and loan associations, mutual savings banks, credit unions, or any person, directly or indirectly, holding a transaction account belonging to a consumer.
  • The Red Flags Rule definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies may fall within this definition. Creditors also include those who regularly grant loans, arrange for loans, or extend credit.
  • The Red Flags Rule defines that term “covered accounts” as 1.) A consumer account primarily designed to permit multiple payments or transactions such as credit card accounts, mortgage/auto loans, and cell phone, utility, and checking and savings accounts; and 2.) Any account for which there is a foreseeable risk to customers or to the financial institution or creditor from identity theft.

Beginning June 1, the Red Flags Rule requires “financial institutions” and “creditors” with “covered accounts” described above to develop, implement, and administer Identity Theft Prevention Programs that include four basic elements to address the threat of identity theft: Indentify, Detect, Prevent, and Update.

  • An Identity Theft Prevention Program must include reasonable policies and procedures to identify the “red flags” of identity theft, the suspicious patterns and practices, or specific activities, that may indicate the possibility of identity theft.
  • An Identity Theft Prevention Program must be designed to detect the red flags identified, and have procedures in place to help in the detection of red flags.
  • An Identity Theft Prevention Program must spell out the appropriate response to take when red flags are detected to prevent and mitigate identity theft.
  • An Identity Theft Prevention Program should go through a periodic update to reflect new risks from identity theft since this crime is an ever-changing threat.

In addition, the Red Flags Rule written Identity Theft Prevention Program designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones must be appropriate to the size and complexity of the business or organization and the scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Identity Theft Prevention Program.

For information about identity theft and the Red Flags Rule, visit http://www.ftc.gov/ or Employment Screening Resources (ESR) at http://www.esrcheck.com.

Sources:

http://www.ftc.gov./bcp/edu/pubs/business/idtheft/bus23.shtm

http://www.ftc.gov/opa/2009/10/redflags.shtm

http://www.ftc.gov/os/2009/10/091030redflagsrule.pdf

FTC Offers Facts for Consumers about Credit Reports and Employment Background Checks

By Les Rosen, President of ESR & Thomas Ahearn, ESR Staff Writer

The Federal Trade Commission (FTC) – the nation’s consumer protection agency – issued “FTC Facts For Consumers” in May 2010 that explains “Credit Reports and Employment Background Checks” to consumers who have applied for jobs.

Although the new FTC notice  has been criticized for containing some information that is  technically inaccurate, it still provides helpful information for consumers.

The FTC asks consumers the following question about background checks and credit reports:

Did you know that when you apply for a job, an employer is permitted to do a background check before hiring you? Depending on the employer and the job, that background information might include your employment history, your driving record, and your credit report.

A credit report, according to the FTC, has information about where a consumer lives, how they pay bills, whether they have been sued or arrested, or have filed for bankruptcy. Credit report companies sell the information in credit reports to employers and other businesses that use that information to evaluate applications for employment, credit, insurance, or renting a place to live. Employers also are allowed to use credit reports to evaluate an employee for retention, promotion, or reassignment.

The FTC enforces the Fair Credit Reporting Act (FCRA), a law that protects the privacy and accuracy of the information in a consumer’s credit report. The FCRA spells out the rights of a job applicant and an employer’s responsibilities when using credit reports and other background check information to assess an application for employment.

The FTC also details key employment provisions of the FCRA, most notably that employers must get permission from job applicants before asking for background check reports about them from a credit reporting company or any other company that provides background check information.

In addition, if an applicant does not get a job because of information in a background check report, the employer has certain legal obligations: 1.) an employer must show applicant the report, and 2.) the employer must tell the applicant how to get his or her own copy. The report is free if the applicant asks for it within 60 days.

The FTC provides more details about these key provisions:

  • Notice and Authorization: Before an employer can ask for credit report or background check report about an applicant from any companies that provide them, it must tell the applicant that it might use the information to make an employment decision.
  • Pre-Adverse Action Procedures: If an employer might use information from a credit report or background check report to take an “adverse action” – for example, to deny an application for employment – the employer must give the applicant a copy of the background check report and a document called ‘A Summary of Your Rights Under the Fair Credit Reporting Act’ before taking the adverse action.
  • Adverse Action Procedures: If an employer takes an adverse action against an applicant based on information in a credit report or background check report, it must notify the applicant and that notice must include: 1.) the name, address, and phone number of the company that supplied the credit report or background check report information; 2.) a statement that the company that supplied the credit report or background check report didn’t make the decision to take the adverse action and can’t give the applicant any specific reasons for it; and 3.) a notice of the applicant’s right to dispute the accuracy of any information in the credit report or background check report and to get an additional free report from the company that supplied the credit report or background check report if he or she asks for it within 60 days.

To fix any inaccurate or incomplete information in a background check report, the FTC advises the applicant to contact the background check company that issued the report and dispute the information. If an investigation reveals that a correction is warranted, the company must send an updated report to the employer if asked to do so.

In addition, a ‘Notice of Negative Public Records’ requires that if a company provides an employer with a credit report or background check report that has negative information about an applicant gathered from public records, that company either has to tell the applicant that it provided the information to the employer or has to take special steps to make sure the information is accurate.

The FTC also warns that there are legal consequences for employers who don’t comply with the FCRA if they:

  • Fail to get an applicant’s okay before getting a copy of their credit report or background check report;
  • Fail to provide the appropriate disclosures in a timely way, or;
  • Fail to provide adverse action notices to unsuccessful job applicants.

The FTC advises applicants to report FCRA violations by employers because the law allows the FTC, other federal agencies, and states to sue employers who don’t comply with the law’s provisions. The FCRA also allows people to sue employers in state or federal court for certain violations.

Before applying for a job, the FTC suggests jobseekers order a free copy of their credit report from each of the three nationwide credit reporting companies – Equifax, Experian, and TransUnion – that are required by law to provide consumers once every 12 months (if the consumers ask). To order free credit reports, consumers should visit AnnualCreditReport.com at http://www.annualcreditreport.com/, call 1-877-322-8228, or complete the Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

For more information about the use of credit reports during background checks, please visit Employment Screening Resources (ESR) at http://www.esrcheck.com.

Sources:

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre36.shtm

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre36.pdf (PDF file)

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre35.pdf (PDF file)

http://www.annualcreditreport.com/

http://www.ftc.gov/bcp/edu/resources/forms/requestformfinal.pdf (PDF file)