Identity Theft Laws in the USA

Identity theft laws play a big part in the fight against ID thieves. We have compiled as many resources on both Federal and State level laws as we could find. 

Take the time to work through this page and educate yourself on the current identity theft laws. Being aware of government rules and regulations may be the key to preventing a theft or catching a thief! ​

Federal Identity Theft Laws & Regulations

Identity Theft and Assumption Deterrence Act of 1998

It was the Identity Theft Assumption Deterrence Act of 1998 that truly made identity theft a crime. Under the Identity Theft Assumption Deterrence Act of 1998, identity theft is defined as any misuse of identification documents or information, including Social Security number, name, or even an account number and password. Misuse of this information can include everything from creating false identifications, possessing identification information that is not your own, or even owning or transferring a machine to produce false identification pieces.

The punishments associated with the Identity Theft and Assumption Deterrence Act of 1998 depends on the crime and the level to which it is committed. For relatively minor infractions, the individual can face up to three years in prison. The act becomes more serious if the individual received over $1,000 in compensation from creating false identification documents in a one-year period. At this level, a 15-year sentence can be expected. Finally, the individual can expect to receive 20 or even 25 years in prison if the false documents that were created were used to commit a violent crime or drug trafficking.

Fair Credit Reporting Act

With the Fair Credit Reporting Act, the Federal Trade Commission hopes to create an accurate, fair and private pathway of obtaining and maintaining consumer credit reports. While a credit score is used to determine a number of things, the Fair Credit Reporting Act focuses on providing rights associated with that credit score.

The rights an individual has under the Fair Credit Reporting Act includes:

  • Being informed if your credit report has been used to deny an application for employment, financial assistance, or insurance
  • Knowing what information is held in your file
  • Having the ability to ask what your credit score is
  • Being able to argue if the information in your file is inaccurate or incomplete
  • Forcing reporting agencies to remove inaccurate or incomplete information
  • Limiting the access that someone may have to your file
  • Consenting to provide your file to other individuals, like your employer
  • Allowing for damages to be received from violators

CAN-SPAM Act of 2003

As the age of the internet took off, so did spam email messages aimed at tricking individuals into providing their detailed information under false pretenses. Rather than sharing useful information with individuals who signed up to receive the emails, spam emails include mislabeled information, viruses, or inappropriate material. To help combat the number of spam emails being shared, the CAN-SPAM Act, or the Controlling the Assault of Non-Solicited Pornography and Marketing Act, was introduced in 2003.

The requirements of the CAN-SPAM act include not using subject lines that are deceptive about the content within, the recipient must be able to clearly and easily opt out of receiving future emails, and if they decide they would like to opt out, their name must be removed from the contact list within 10 business days.

Punishments for violating the CAN-SPAM Act typically includes fines, although they can be pretty hefty pretty quickly. Each separate email that violates the CAN-SPAM act can accumulate in penalties up to $16,000. It is important to note that the email being shared does not need to look only to securing a naïve consumer’s personal information in order to violate the CAN-SPAM Act.

Identity Theft Penalty Enhancement Act of 2004

The Identity Theft Penalty Enhancement Act, which was established in 2004, allows for greater punishments if the individual commits a serious crime using false identification or another individual’s identification information. Created when things like online shopping and everyday use of the internet was taking off, more and more people were running into problems with their identities being stolen.

The Identity Theft Penalty Enhancement Act of 2004 looks particularly at “aggravated” identity theft, which includes crimes at the felony level, committing acts of terrorism, or stealing Social Security benefits from another individual. The Identity Theft Penalty Enhancement Act of 2004 adds time to the sentences of identity theft cases. For felony violations, two additional years in prison can be added on to the sentence. If a stolen or otherwise false identity was used to carry out a terrorist attack, an additional five years can be added to the overall sentence.

Identity Theft Enforcement and Restitution Act of 2008

As the age of the internet continued to grow, so did the number of cyber attacks on users’ identities. But even though identity theft from online sources was becoming such a big problem, it was difficult to prosecute someone over an online crime. With the Identity Theft Enforcement and Restitution Act of 2008, previous requirements and restrictions that made it difficult to punish cyber crimes have been eliminated.

The Identity Theft Enforcement and Restitution Act of 2008 allows for various cyber crimes to be taken more seriously and punished more harshly. First, the Identity Theft Enforcement and Restitution Act of 2008 makes damaging 10 or more computers a year that are used by the federal government a felony. It also brings other serious crimes into light, including illegal wiretapping, computer fraud, or hacking computer systems.

Before the Identity Theft Enforcement and Restitution Act of 2008, a federal court was unable to prosecute a hacking or cyber attack if the hacker and the victim lived in the same state. Now, the Identity Theft Enforcement and Restitution Act of 2008 put even state level crimes into a federal court’s jurisdiction. Finally, the Identity Theft Enforcement and Restitution Act of 2008 helps victims receive compensation for their time spent dealing with an identity theft case.

Identity Theft Red Flags Rule

The Identity Theft Red Flags Rule was designed to help individuals, businesses, and organizations keep their eyes open to identity theft “red flags.” Under the Red Flags Rule, businesses need to implement a strategy comprised of four basic elements, including how to identify relevant red flags, detect red flags, prevent and mitigate identity theft, and how to update the program.

In 2010, the Red Flags Rule was updated with the Red Flag Clarification Act. Under the Red Flag Clarification Act, professionals like doctors and lawyers who may not receive their full payment amount upfront are excluded from the Red Flags Rule.

Where to Find Help

There are a number of organizations, groups, and offices that work to fight identity theft and help protect those who have had their identities stolen. Here are some of the federal-level organizations:

Federal Trade Commission

600 Pennsylvania Avenue, NW Washington, DC 20580 | (202) 326-2222

The main goal of the Federal Trade Commission is to protect consumers from deceptive or unfair business practices. To report an identity theft with the Federal Trade Commission, contact them at 1-877-IDTHEFT or (877) 438-4338.

Department of Education

400 Maryland Avenue, SW Washington, DC 20202 | (800) 872-5327

If the identity theft involves student information or education funds, the Department of Education should be notified. For identity thefts involving education or stolen student information, contact the Department of Education at 1-800-MISUSED or (800) 647-8733.

Department of Justice

905 Pennsylvania Avenue, NW Washington, DC 20530 | (202) 514-2000

Identity theft can fall under the Fraud Section of the Department of Justice, which is in the Criminal Division. The Criminal Division oversees all the federal criminal laws and how they are enforced and applied. You can reach the Criminal Division Citizen Phone Line at (202) 353-4641.

Federal Bureau of Investigation

935 Pennsylvania Avenue, NW Washington, DC 20535 | (202) 324-3000

The Federal Bureau of Investigation covers everything from cyber attacks, terrorism, and more. In the event that identity theft was involved with one of these serious crimes, the FBI may become involved.

Federal Deposit Insurance Corporation

550 17th Street, NW Washington, DC 20429 | (877) 275-3342

The Federal Deposit Insurance Corporation may be able to provide some assistance if there has been identity theft involving your bank account. While they do not have jurisdiction over the criminal activity, they can help you in the process of retrieving your lost money.

U.S. Immigration and Customs Enforcement

(866) 347 - 2423

The U.S. Immigration and Customs Enforcement works to ensure that immigrants do not use another individual’s identity in entering or leaving the country.

Internal Revenue Service

(800) 829 - 1040

While the Internal Revenue Service covers a number of different things related to taxes and income, the IRS also has a Criminal Enforcement center. The Criminal Enforcement center can help individuals with identity theft and tax fraud.

Social Security Administration

(800) 772-1213

Because identity theft usually involves gaining access to another individual’s social security number, the Social Security Administration will likely become involved in an identity theft case. In some cases, they will even assign a new number to someone who has had their identity stolen.

Famous Federal ID Theft Cases

Identity theft cases can get out of hand, but usually there are only one or two victims in each case. But the largest case of identity theft in U.S. history actually had 30,000 victims from all across the United States and Canada.

The case began in 1999 with Philip Cummings, a seemingly regular employee at a Long Island, NY software company. Through working at the help desk, Philip Cummings had access to company profiles of the clients that they worked with, including banks and financial institutions. With the passwords and account codes for each of his clients, Philip Cummings was able to download credit reports for his clients.

While working at the software company, Philip Cummings was contacted by a group of Nigerian nationals offering to pay him for the credit reports he could download. Agreeing to take part in the deal, Cummings downloaded thousands of client’s information and sold them off to the identity theft ring, continuing to do so for years even after leaving the company.

The clients whose information was sold to the identity theft ring lost savings accounts and had a number of credit cards, false charges, and other expenses made in their name and with their personal financial information. The identity theft ring was also able to change the information with bank accounts and financial institutions to allow for checks, credit cards, and debit cards to be mailed directly to them.

The case reported millions of dollars in losses and unpaid credit card bills and expenses. Eventually, Phillip Cummings was tracked down and pled guilty to the crimes.

Another famous case of identity theft involves Abraham Abdallah. Back in 2001, before many of the regulations against identity theft were in place, Abraham Abdallah decided the best individuals to target would be the rich and famous. Using Forbes’ list of richest people, Abraham Abdallah was able to get the financial information of some of the biggest celebrities out there, including Oprah and Steven Speilberg.

After posing as the celebrity and contacting Equifax, Abdallah received everything from credit card numbers to social security numbers and bank account information of his victims. Although he was able to steal thousands and thousands of dollars from famous celebrities from all over, Abdallah was eventually caught when Merrill Lynch received a suspicious email asking that money be transferred.

Abdallah was eventually linked back to the sent email as well as the various other illegal money transfers that were made. It was then discovered that Abdallah had also tried to purchase equipment that would allow him to make his own fake credit cards.

Finally, probably one of the most famous identity theft stories comes from Frank Abagnale. As the story behind the “Catch Me If You Can” movie, Frank began his theft with writing bad checks, including printing his own checks that allowed him to deposit money into his own bank account.

Frank Abagnale didn’t stop there. He also went on to forge a college degree from Columbia University, which allowed him to receive a job as a professor at Birgham Young University. Next, he created a fake degree from Harvard University, all under different names.

He continued to fake careers and education qualifications, becoming a doctor and a pilot, where he also forged false paychecks. After getting caught, Frank Abagnale was offered the opportunity to help the government detect pieces of fraud.