Order Code RS21163
Updated February 27, 2003
CRS Report for Congress
Received through the CRS Web
Remedies Available to Victims of
Identity Theft
Angie A. Welborn
Legislative Attorney
American Law Division
Summary
According to the Federal Trade Commission, identity theft is the most common
complaint from consumers in all fifty states.1 Victims of identity theft may incur
damaged credit records, unauthorized charges on credit cards, and unauthorized
withdrawals from bank accounts. Oftentimes, victims must change their addresses,
telephone numbers, and even their Social Security numbers.
This report provides an overview of the federal laws that could assist victims of
identity theft with purging inaccurate information from their credit records and removing
unauthorized charges from credit accounts, as well as federal laws that impose criminal
penalties on those who assume another person’s identity through the use of fraudulent
identification documents. Similar state laws and recent legislative proposals aimed at
preventing identity theft and providing additional remedies will also be discussed. To
date, several bills (S. 22, S. 153, S. 223, S. 228, H.R. 220, H.R. 637, H.R. 818, and H.R.
858) related to identity theft have been introduced in the 108th Congress. This report
will be updated as events warrant.
Federal Statutes Related to Identity Theft
Identity Theft Assumption and Deterrence Act. While not exclusively aimed
at consumer identity theft, the Identity Theft Assumption Deterrence Act prohibits fraud
in connection with identification documents under a variety of circumstances.2 Certain
offenses under the statute relate directly to consumer identity theft, and impostors could
be prosecuted under the statute. For example, the statute makes it a federal crime, under
1 [http://www.consumer.gov/sentinel/trends.htm#Charts].
2 18 U.S.C. 1028. The statute lists several actions that constitute fraud in connection with
identification documents. However, for the purposes of this report, they do not all relate to
consumer-related identity theft, i.e. situations where a consumer’s Social Security number or
driver’s license number may be stolen and used to establish credit accounts by an impostor.
Congressional Research Service ˜ The Library of Congress
CRS-2
certain circumstances,3 to knowingly and without lawful authority produce an
identification document4 or false identification document; or to knowingly possess an
identification document that is or appears to be an identification document of the United
States which is stolen or produced without lawful authority knowing that such document
was stolen or produced without such authority.5 It is also a federal crime to knowingly
transfer or use, without lawful authority, a means of identification of another person with
the intent to commit, or aid or abet, any unlawful activity that constitutes a violation of
federal law, or that constitutes a felony under any applicable state or local law.6
The punishment for offenses involving fraud related to identification documents
varies depending on the specific offense and the type of document involved.7 For
example, a fine or imprisonment of up to 15 years may be imposed for using the
identification of another person with the intent to commit any unlawful activity under
state law, if, as a result of the offense, the person committing the offense obtains anything
of value totaling $1,000 or more during any one-year period.8 Other offenses carry terms
of imprisonment up to three years.9 However, if the offense is committed to facilitate a
drug trafficking crime or in connection with a crime of violence, the term of
imprisonment could be up to twenty years.10 Offenses committed to facilitate an action
of international terrorism are punishable by terms of imprisonment up to twenty-five
years.11
Fair Credit Reporting Act. While the Fair Credit Reporting Act (FCRA) does
not directly address identity theft, it could offer victims assistance in having negative
3 According to the statute, the prohibitions listed apply when “the identification document or false
identification document is or appears to be issued by or under the authority of the United States
or the document-making implement is designed or suited for making such an identification
document or false identification document;” the document is presented with the intent to defraud
the United States; or “either the production, transfer, possession, or use prohibited by this section
is in or affects interstate or foreign commerce, including the transfer of a document by electronic
means, or the means of identification, identification document, false identification document, or
document-making implement is transported in the mail in the course of the production, transfer,
possession, or use prohibited by this section.” 18 U.S.C. 1028(c).
4 Identification document is defined as “a document made or issued by or under the authority of
the United States Government, a State, political subdivision of a State, a foreign government,
political subdivision of a foreign government, an international governmental or an internal quasi-
governmental organization which, when completed with information concerning a particular
individual, is of a type intended or commonly accepted for the purpose of identification of
individuals.” 18 U.S.C. 1028(d)(2). Identification documents include Social Security cards, birth
certificates, driver’s licenses, and personal identification cards.
5 18 U.S.C. 1028(a)(1) and (2).
6 18 U.S.C. 1028(a)(7).
7 18 U.S.C. 1028(b).
8 18 U.S.C. 1028(b)(1)(D).
9 18 U.S.C. 1028(b)(2).
10 18 U.S.C. 1028(b)(3).
11 18 U.S.C. 1028(b)(4).
CRS-3
information resulting from unauthorized charges or accounts removed from their credit
files. The purpose of the FCRA is “to require that consumer reporting agencies adopt
reasonable procedures for meeting the needs of commerce for consumer credit, personnel,
insurance, and other information in a manner which is fair and equitable to the consumer,
with regard to the confidentiality, accuracy, relevancy, and proper utilization of such
information.”12 The FCRA outlines a consumer’s rights in relation to his or her credit
report, as well as permissible uses for credit reports and disclosure requirements. In
addition, the FCRA requires credit reporting agencies to follow “reasonable procedures
to assure maximum possible accuracy of the information concerning the individual about
whom the report relates.”13
The FCRA allows consumers to file suit for violations of the Act, which could
include the disclosure of inaccurate information about a consumer by a credit reporting
agency.14 A consumer who is a victim of identity theft could file suit against a credit
reporting agency for the agency’s failure to verify the accuracy of information contained
in the report and the agency’s disclosure of inaccurate information as a result of the
consumer’s stolen identity. Generally, the FCRA requires a consumer to file suit “within
two years from the date on which the liability arises.”15 However, there is an exception
in cases where there was willful misrepresentation of information that is required to be
disclosed to a consumer and such information is material to the establishment of the
defendant’s liability.16 In such cases, the action “may be brought any time within two
years after the discovery by the individual of the misrepresentation.”17
Fair Credit Billing Act. The Fair Credit Billing Act (FCBA) is not an identity
theft statute per se, but it does provide consumers with an opportunity to receive an
explanation and proof of charges that may have been made by an impostor and to have
unauthorized charges removed from their accounts. The purpose of the FCBA is “to
protect the consumer against inaccurate and unfair credit billing and credit card
practices.”18 The law defines and establishes a procedure for resolving billing errors in
consumer credit transactions. For purposes of the FCBA, a “billing error” includes
unauthorized charges, charges for goods or services not accepted by the consumer or
delivered to the consumer, and charges for which the consumer has asked for an
explanation or written proof of purchase.19
12 15 U.S.C. 1681(b).
13 15 U.S.C. 1681e(b).
14 15 U.S.C. 1681n; 15 U.S.C. 1681o. For more information see CRS Report RS21083, Identity
Theft and the Fair Credit Reporting Act: An Analysis of TRW v. Andrews and Current
Legislation.
15 15 U.S.C. 1681p.
16 Id.
17 Id.
18 15 U.S.C. 1601(a).
19 15 U.S.C. 1666(b); 12 C.F.R. 226.13(a).
CRS-4
Under the FCBA, consumers are able to file a claim with the creditor to have billing
errors resolved. Until the alleged billing error is resolved, the consumer is not required
to pay the disputed amount, and the creditor may not attempt to collect, any part of the
disputed amount, including related finance charges or other charges.20 The Act sets forth
dispute resolution procedures and requires an investigation into the consumer’s claims.
If the creditor determines that the alleged billing error did occur, the creditor is obligated
to correct the billing error and credit the consumer’s account with the disputed amount
and any applicable finance charges.21
Electronic Fund Transfer Act. Similar to the Fair Credit Billing Act, the
Electronic Fund Transfer Act is not an identity theft statute per se, but it does provide
consumers with a mechanism for challenging unauthorized transactions and having their
accounts recredited in the event of an error. The purpose of the Electronic Fund Transfer
Act (EFTA) is to “provide a basic framework establishing the rights, liabilities, and
responsibilities of participants in electronic fund transfer systems.”22 Among other things,
the EFTA limits a consumer’s liability for unauthorized electronic fund transfers. If the
consumer notifies the financial institution within two business days after learning of the
loss or theft of a debt card or other device used to make electronic transfers, the
consumer’s liability is limited to the lesser of $50 or the amount of the unauthorized
transfers that occurred before notice was given to the financial institution.23
Additionally, financial institutions are required to provide a consumer with
documentation of all electronic fund transfers initiated by the consumer from an electronic
terminal. If a financial institution receives, within 60 days after providing such
documentation, an oral or written notice from the consumer indicating the consumer’s
belief that the documentation provided contains an error, the financial institution must
investigate the alleged error, determine whether an error has occurred, and report or mail
the results of the investigation and determination to the consumer within ten business
days.24 The notice from the consumer to the financial institution must identify the name
and account number of the consumer; indicate the consumer’s belief that the
documentation contains an error and the amount of the error; and set forth the reasons for
the consumer’s belief that an error has occurred.25
In the event that the financial institution determines that an error has occurred, the
financial institution must correct the error within one day of the determination in
accordance with the provisions relating to consumer’s liability for unauthorized charges.26
The financial institution may provisionally recredit the consumer’s account for the amount
alleged to be in error pending the conclusion of its investigation and its determination of
20 15 U.S.C. 1666(c); 12 C.F.R. 226.13(d)(1).
21 15 U.S.C. 1666(a); 12 C.F.R. 226.13(e).
22 15 U.S.C. 1693(b).
23 15 U.S.C. 1693g(a), 12 C.F.R. 205.6(b)(1).
24 15 U.S.C. 1693f(a), 12 C.F.R. 205.11(b) and (c).
25 Id.
26 15 U.S.C. 1693f(b).
CRS-5
whether an error has occurred, if it is unable to complete the investigation within ten
business days.27
State Identity Theft Statutes
Most states have enacted some type of identity theft statute.28 Many of these statutes
impose criminal penalties for identity theft activities. For example, in California,
impostors are subject to fines of up to $10,000 and confinement in jail for up to one
year.29 Restitution may also be a component of the impostors punishment. In Texas,
identity theft is a felony and, in addition to jail time, the court may order the impostor to
reimburse the victim for lost income and other expenses incurred as a result of the theft.30
Other states impose civil penalties and provide victims with judicial recourse for damages
incurred as a result of the theft. In Washington, impostors are “liable for civil damages
of five hundred dollars or actual damages, whichever is greater, including costs to repair
the victim's credit record.”31
While some statutes may define identity theft to include only the fraudulent use of
identification documents, other statutes may more broadly define such activities. For
example, Oregon also criminalizes the fraudulent use of credit cards. Such use constitutes
a felony if the “aggregate total amount of property or services the person obtains or
attempts to obtain is $750 or more.”32 In Illinois, the crime of financial identity theft
includes the fraudulent use of credit card numbers, in addition to the fraudulent use of
identification documents.33
Legislative Proposals
107th Congress. During the 107th Congress, numerous bills related to identity
theft were introduced. In general, these proposals were aimed at preventing identity theft
and providing assistance to victims who need to clear adverse information from their
credit files. Several bills imposing additional criminal penalties for identity theft and
related crimes were also introduced. An overview of this legislation can be found in CRS
Report RL31752, Identity Theft: An Overview of Proposed Legislation.
108th Congress. To date, several bills related to identity theft have been
introduced in the 108th Congress. In general, these bills include provisions similar to
those found in legislation introduced during the 107th Congress.
27 15 U.S.C. 1693f(c), 12 C.F.R. 205.11(c).
28 For a list of state identity theft statutes see [http://www.consumer.gov/idtheft/statelaw.htm].
29 Cal. Penal Code §§ 530.5 - 530.7.
30 Tex. Penal Code § 32.51. See also Va. Code Ann. § 18.2-186.3; Md. Code Ann. art. 27 § 231.
31 RCW 9.35.020(3).
32 Or. Rev. Stat. § 165.055.
33 720 ILCS 5/16G-10. See also Ohio Rev. Code Ann. § 2913.49.
CRS-6
Title III of S. 22, the Justice Enhancement and Domestic Security Act of 2003,
includes several provisions aimed at deterring and preventing identity theft, including
identity theft mitigation, amendments to the Fair Credit Reporting Act requiring the
blocking of information on a consumer’s credit report resulting from identity theft, an
amendment to the FCRA’s statute of limitations, provisions related to the misuse of social
security numbers, and prevention provisions similar to those in S. 223 discussed below.
S. 153, the Identity Theft Penalty Enhancement Act, would amend Title 18 of the
United States Code to establish penalties for aggravated identity theft and make changes
to the existing identity theft provisions of Title 18. Under S. 153, aggravated identity
theft would occur when a person “knowingly transfers, possess, or uses, without lawful
authority, a means of identification of another person” during and in relation to the
commission of certain enumerated felonies. The penalty for aggravated identity theft
would be a term of imprisonment of 2 years in addition to the punishment provided for
the original felony committed. Offenses committed in conjunction with certain terrorism
offenses would be subject to a additional term of imprisonment of 5 years. H.R. 858
appears to be substantially similar.
S. 223, the Identity Theft Prevention Act, includes several provisions aimed at
preventing identity theft, including a requirement that credit card issuers confirm change
of address requests, a requirement that consumer reporting agencies include fraud alerts
in consumer reports at the request of the consumer, and a requirement that credit card
numbers on printed receipts be truncated.
S. 228, the Social Security Number Misuse Prevention Act, would prohibit the
display, sale, or purchase of an individual’s social security number with limited
exceptions. It would also prohibit the display, sale, or purchase of public records
containing social security numbers, and prohibit the use of social security numbers on
certain government documents, such as checks and driver’s licenses. The bill would also
place limitations on the use of social security numbers by commercial entities. H.R. 637
appears to be substantially similar.
H.R. 220, the Identity Theft Prevention Act of 2003, would place new restrictions
on the use of social security numbers and require all social security numbers to be
randomly generated.
H.R. 818, the Identity Theft Consumer Notification Act, would require financial
institutions to notify consumers whose personal information has been compromised. The
financial institution would also be required to assist the individual by correcting
information in the consumer’s credit file and to compensate the consumer for any
monetary losses resulting from the compromise. The bill would also amend the Fair
Credit Reporting Act’s statute of limitations to allow additional time for a consumer to
file suit.