Order Code RL31919
CRS Report for Congress
Received through the CRS Web
Remedies Available to
Victims of Identity Theft
Updated September 7, 2004
Angie A. Welborn
Legislative Attorney
American Law Division
Congressional Research Service ˜ The Library of Congress
Remedies Available to Victims of Identity Theft
Summary
According to the Federal Trade Commission, identity theft is the most common
complaint from consumers in all fifty states, and complaints regarding identity theft
have grown for three consecutive years [http://www.consumer
.gov/sentinel/trends.htm]. Victims of identity theft may incur damaged credit
records, unauthorized charges on credit cards, and unauthorized withdrawals from
bank accounts. Sometimes, victims must change their telephone numbers or even
their Social Security numbers. Victims may also need to change addresses that were
falsified by the impostor.
This report provides an overview of the federal laws that could assist victims of
identity theft with purging inaccurate information from their credit records and
removing unauthorized charges from credit accounts, as well as federal laws that
impose criminal penalties on those who assume another person’s identity through the
use of fraudulent identification documents. State laws and recently enacted federal
legislation (P.L. 108-159 and P.L. 108-275), as well as additional legislative
proposals (S. 22, S. 153, S. 223, S. 228, S. 745, S. 1533, S. 1581, S. 1633, S. 1749,
S. 2636, H.R. 220, H.R. 637, H.R. 818, H.R. 858, H.R. 1636, H.R. 1729, H.R. 1731,
H.R. 1931, H.R. 2035, H.R. 2617, H.R. 2622, H.R. 2633, H.R. 2971, H.R. 3233,
H.R. 3254, H.R. 3296, and H.R. 3693) aimed at preventing identity theft and
providing additional remedies are also discussed. This report will be updated as
events warrant.
Contents
Federal Laws Related to Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Identity Theft Assumption and Deterrence Act . . . . . . . . . . . . . . . . . . . 1
Identity Theft Penalty Enhancement Act . . . . . . . . . . . . . . . . . . . . . . . . 2
Fair Credit Reporting Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Fair and Accurate Credit Transactions (FACT) Act of 2003 . . . . . . . . . 3
Fair Credit Billing Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Electronic Fund Transfer Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
State Identity Theft Statutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
State Criminal Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
State Laws Aimed at Assisting Victims . . . . . . . . . . . . . . . . . . . . . . . . . 7
Legislative Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Remedies Available to Victims of Identity
Theft
Federal Laws Related to Identity Theft
Identity Theft Assumption and Deterrence Act. While not exclusively
aimed at consumer identity theft, the Identity Theft Assumption Deterrence Act
prohibits fraud in connection with identification documents under a variety of
circumstances.1 Certain offenses under the statute relate directly to consumer identity
theft, and impostors could be prosecuted under the statute. For example, the statute
makes it a federal crime, under certain circumstances,2 to knowingly and without
lawful authority produce an identification document3 or false identification
document; or to knowingly possess an identification document that is or appears to
be an identification document of the United States which is stolen or produced
without lawful authority knowing that such document was stolen or produced without
such authority.4 It is also a federal crime to knowingly transfer or use, without lawful
authority, a means of identification of another person with the intent to commit, or
118 U.S.C. 1028. The statute lists several actions that constitute fraud in connection with
identification documents. However, for the purposes of this report, they do not all relate to
consumer-related identity theft, i.e. situations where a consumer’s Social Security number
or driver’s license number may be stolen and used to establish credit accounts by an
impostor.
2According to the statute, the prohibitions listed apply when “the identification document
or false identification document is or appears to be issued by or under the authority of the
United States or the document-making implement is designed or suited for making such an
identification document or false identification document;” the document is presented with
the intent to defraud the United States; or “either the production, transfer, possession, or use
prohibited by this section is in or affects interstate or foreign commerce, including the
transfer of a document by electronic means, or the means of identification, identification
document, false identification document, or document-making implement is transported in
the mail in the course of the production, transfer, possession, or use prohibited by this
section.” 18 U.S.C. 1028(c).
3Identification document is defined as “a document made or issued by or under the authority
of the United States Government, a State, political subdivision of a State, a foreign
government, political subdivision of a foreign government, an international governmental
or an internal quasi-governmental organization which, when completed with information
concerning a particular individual, is of a type intended or commonly accepted for the
purpose of identification of individuals.” 18 U.S.C. 1028(d)(2). Identification documents
include Social Security cards, birth certificates, driver’s licenses, and personal identification
cards.
418 U.S.C. 1028(a)(1) and (2).
CRS-2
aid or abet, any unlawful activity that constitutes a violation of federal law, or that
constitutes a felony under any applicable state or local law.5
The punishment for offenses involving fraud related to identification documents
varies depending on the specific offense and the type of document involved.6 For
example, a fine or imprisonment of up to 15 years may be imposed for using the
identification of another person with the intent to commit any unlawful activity under
state law, if, as a result of the offense, the person committing the offense obtains
anything of value totaling $1,000 or more during any one-year period.7 Other
offenses carry terms of imprisonment up to three years.8 However, if the offense is
committed to facilitate a drug trafficking crime or in connection with a crime of
violence, the term of imprisonment could be up to twenty years.9 Offenses
committed to facilitate an action of international terrorism are punishable by terms
of imprisonment up to twenty-five years.10
Identity Theft Penalty Enhancement Act. The Identity Theft Penalty
Enhancement Act was signed by the President on July 15, 2004, (P.L. 108-275). The
Act amends Title 18 of the United States Code to define and establish penalties for
aggravated identity theft and makes changes to the existing identity theft provisions
of Title 18. Under the new law, aggravated identity theft occurs when a person
“knowingly transfers, possess, or uses, without lawful authority, a means of
identification of another person” during and in relation to the commission of certain
enumerated felonies.11 The penalty for aggravated identity theft is a term of
imprisonment of two years in addition to the punishment provided for the original
felony committed. Offenses committed in conjunction with certain terrorism
offenses are subject to an additional term of imprisonment of five years. The Act
also directs the United States Sentencing Commission to “review and amend its
guidelines and its policy statements to ensure that the guideline offense levels and
enhancements appropriately punish identity theft offenses involving an abuse of
position” adhering to certain requirements outlined in the legislation.12
518 U.S.C. 1028(a)(7).
618 U.S.C. 1028(b).
718 U.S.C. 1028(b)(1)(D).
818 U.S.C. 1028(b)(2).
918 U.S.C. 1028(b)(3).
1018 U.S.C. 1028(b)(4).
11P.L. 108-275, Sec. 2, to be codified at 18 U.S.C. 1028A. Offenses that could give rise to
aggravated identity theft are enumerated in this section, and include offenses relating to theft
of public money, property, or rewards; theft, embezzlement, or misapplication by a bank
officer or employee; theft from employee benefit plans; false personation of citizenship;
false statements in connection with the acquisition of a firearm; mail, bank, and wire fraud;
obtaining consumer information by false pretenses; and certain immigration violations. The
list of enumerated offenses will be codified at 18 U.S.C. 1028A(c).
12P.L. 108-275, Sec. 5.
CRS-3
In addition to increasing penalties for identity theft, the Act authorized
appropriations to the Justice Department “for the investigation and prosecution of
identity theft and related credit card and other fraud cases constituting felony
violations of law, $2,000,000 for fiscal year 2005 and $2,000,000 for each of the 4
succeeding fiscal years.”13
Fair Credit Reporting Act. While the Fair Credit Reporting Act (FCRA)
does not directly address identity theft, it could offer victims assistance in having
negative information resulting from unauthorized charges or accounts removed from
their credit files.14 The purpose of the FCRA is “to require that consumer reporting
agencies adopt reasonable procedures for meeting the needs of commerce for
consumer credit, personnel, insurance, and other information in a manner which is
fair and equitable to the consumer, with regard to the confidentiality, accuracy,
relevancy, and proper utilization of such information.”15 The FCRA outlines a
consumer’s rights in relation to his or her credit report, as well as permissible uses
for credit reports and disclosure requirements. In addition, the FCRA imposes a duty
on consumer reporting agencies to ensure that the information they report is accurate,
and requires persons who furnish information to ensure that the information they
furnish is accurate.
The FCRA allows consumers to file suit for violations of the act, which could
include the disclosure of inaccurate information about a consumer by a credit
reporting agency.16 A consumer who is a victim of identity theft could file suit
against a credit reporting agency for the agency’s failure to verify the accuracy of
information contained in the report and the agency’s disclosure of inaccurate
information as a result of the consumer’s stolen identity. Under the FCRA, as
recently amended, a consumer may file suit not later than the earlier of two years
after the date of discovery by the plaintiff of the violation that is the basis for such
liability, or five years after the date on which the violation occurred.17
Fair and Accurate Credit Transactions (FACT) Act of 2003. The
FACT Act, signed by the President on December 4, 2003, includes, inter alia, a
number of amendments to the Fair Credit Reporting Act aimed at preventing identity
theft and assisting victims.18 Generally, these new provisions mirror laws passed by
13P.L. 108-275, Sec. 6.
14For more information on a consumer’s rights under the FCRA, see CRS Report RL31666,
Fair Credit Reporting Act: Rights and Responsibilities.
1515 U.S.C. 1681(b).
1615 U.S.C. 1681n; 15 U.S.C. 1681o. For more information see CRS Report RS21083,
Identity Theft and the Fair Credit Reporting Act: An Analysis of TRW v. Andrews and
Current Legislation.
17P.L. 108-159, Section 156.
18P.L. 108-159. For effective dates, see 68 FR 74467 and 68 FR 74529 (December 24,
2003).
CRS-4
state legislatures and create a national standard for addressing consumer concerns
with regard to identity theft and other types of fraud.19
Credit card issuers, who operate as users of consumer credit reports, are
required, under a new provision of the FCRA, to follow certain procedures when the
issuer receives a request for an additional or replacement card within a short period
of time following notification of a change of address for the same account.20 In a
further effort to prevent identity theft, other new provisions require the truncation of
credit card account numbers on electronically printed receipts,21 and, upon request,
the truncation of social security numbers on credit reports provided to a consumer.22
Consumers who have been victims of identity theft, or expect that they may
become victims, are now able to have fraud alerts placed in their files.23 Pursuant to
the new provisions, a consumer may request a fraud alert from one consumer
reporting agency and that agency is required to notify the other nationwide consumer
reporting agencies of the existence of the alert. In general, fraud alerts are to be
maintained in the file for 90 days, but a consumer may request an extended alert
which is maintained for up to seven years. The fraud alert becomes a part of the
consumer’s credit file and is thus passed along to all users of the report. The alert
must also be included with any credit score generated using the consumer’s file, and
must be referred to other consumer reporting agencies.24
In addition to the fraud alert, victims of identity theft may also have information
resulting from the crime blocked from their credit reports.25 After the receipt of
appropriate proof of the identity of the consumer, a copy of an identity theft report,
the identification of the alleged fraudulent information, and a statement by the
consumer that the information is not information relating to any transaction
conducted by the consumer, a consumer reporting agency must block all such
information from being reported and must notify the furnisher of the information in
question that it may be the result of identity theft. Requests for the blocking of
information must also be referred to other consumer reporting agencies.26
Victims of identity theft are also allowed to request information about the
alleged crime. A business entity is required, upon request and subject to verification
of the victim’s identity, to provide copies of application and business transaction
records evidencing any transaction alleged to be a result of identity theft to the victim
19Generally, many of these new federal provisions preempt similar state laws. For more
information on the preemptive effects of the Fair Credit Reporting Act, see CRS Report
RS21449, Fair Credit Reporting Act: Preemption of State Law.
20P.L. 108-159, Section 114.
21P.L. 108-159, Section 113.
22P.L. 108-159, Section 115.
23P.L. 108-159, Section 112.
24P.L. 108-159, Section 153.
25P.L. 108-159, Section 152.
26P.L. 108-159, Section 153.
CRS-5
or to any law enforcement agency investigating the theft and authorized by the victim
to take receipt of the records in question.27
Fair Credit Billing Act. The Fair Credit Billing Act (FCBA) is not an
identity theft statute per se, but it does provide consumers with an opportunity to
receive an explanation and proof of charges that may have been made by an impostor
and to have unauthorized charges removed from their accounts. The purpose of the
FCBA is “to protect the consumer against inaccurate and unfair credit billing and
credit card practices.”28 The law defines and establishes a procedure for resolving
billing errors in consumer credit transactions. For purposes of the FCBA, a “billing
error” includes unauthorized charges, charges for goods or services not accepted by
the consumer or delivered to the consumer, and charges for which the consumer has
asked for an explanation or written proof of purchase.29
Under the FCBA, consumers are able to file a claim with the creditor to have
billing errors resolved. Until the alleged billing error is resolved, the consumer is not
required to pay the disputed amount, and the creditor may not attempt to collect, any
part of the disputed amount, including related finance charges or other charges.30 The
act sets forth dispute resolution procedures and requires an investigation into the
consumer’s claims. If the creditor determines that the alleged billing error did occur,
the creditor is obligated to correct the billing error and credit the consumer’s account
with the disputed amount and any applicable finance charges.31
Electronic Fund Transfer Act. Similar to the Fair Credit Billing Act, the
Electronic Fund Transfer Act is not an identity theft statute per se, but it does provide
consumers with a mechanism for challenging unauthorized transactions and having
their accounts recredited in the event of an error. The purpose of the Electronic Fund
Transfer Act (EFTA) is to “provide a basic framework establishing the rights,
liabilities, and responsibilities of participants in electronic fund transfer systems.”32
Among other things, the EFTA limits a consumer’s liability for unauthorized
electronic fund transfers. If the consumer notifies the financial institution within two
business days after learning of the loss or theft of a debt card or other device used to
make electronic transfers, the consumer’s liability is limited to the lesser of $50 or
the amount of the unauthorized transfers that occurred before notice was given to the
financial institution.33
Additionally, financial institutions are required to provide a consumer with
documentation of all electronic fund transfers initiated by the consumer from an
electronic terminal. If a financial institution receives, within 60 days after providing
27P.L. 108-159, Section 151.
2815 U.S.C. 1601(a).
2915 U.S.C. 1666(b); 12 C.F.R. 226.13(a).
3015 U.S.C. 1666(c); 12 C.F.R. 226.13(d)(1).
3115 U.S.C. 1666(a); 12 C.F.R. 226.13(e).
3215 U.S.C. 1693(b).
3315 U.S.C. 1693g(a), 12 C.F.R. 205.6(b)(1).
CRS-6
such documentation, an oral or written notice from the consumer indicating the
consumer’s belief that the documentation provided contains an error, the financial
institution must investigate the alleged error, determine whether an error has
occurred, and report or mail the results of the investigation and determination to the
consumer within ten business days.34 The notice from the consumer to the financial
institution must identify the name and account number of the consumer; indicate the
consumer’s belief that the documentation contains an error and the amount of the
error; and set forth the reasons for the consumer’s belief that an error has occurred.35
In the event that the financial institution determines that an error has occurred,
the financial institution must correct the error within one day of the determination in
accordance with the provisions relating to the consumer’s liability for unauthorized
charges.36 The financial institution may provisionally recredit the consumer’s
account for the amount alleged to be in error pending the conclusion of its
investigation and its determination of whether an error has occurred, if it is unable
to complete the investigation within ten business days.37
State Identity Theft Statutes
State Criminal Laws. Most states have enacted some type of criminal
identity theft statute.38 Many of these statutes impose criminal monetary penalties
for identity theft activities. For example, in California, impostors are subject to fines
of up to $10,000 and confinement in jail for up to one year.39 Restitution may also
be a component of the impostor’s punishment. In Texas, identity theft is a felony
and, in addition to jail time, the court may order the impostor to reimburse the victim
for lost income and other expenses incurred as a result of the theft.40 Other states
impose civil penalties and provide victims with judicial recourse for damages
incurred as a result of the theft. In Washington, impostors are “liable for civil
damages of five hundred dollars or actual damages, whichever is greater, including
costs to repair the victim’s credit record.”41
While some statutes may define identity theft to include only the fraudulent use
of identification documents, other statutes may more broadly define such activities.
For example, Oregon also criminalizes the fraudulent use of credit cards. Such use
constitutes a felony if the “aggregate total amount of property or services the person
3415 U.S.C. 1693f(a), 12 C.F.R. 205.11(b) and (c).
35Id.
3615 U.S.C. 1693f(b).
3715 U.S.C. 1693f(c), 12 C.F.R. 205.11(c).
3 8 F o r a l i s t o f s t a t e i d e n t i t y t h e f t s t a t u t e s s e e
[http://www.consumer.gov/idtheft/federallaws.html#statelaws].
39Cal. Penal Code §§ 530.5 - 530.7.
40Tex. Penal Code § 32.51. See also Va. Code Ann. § 18.2-186.3; Md. Code Ann. art. 27
§ 231.
41RCW 9.35.020(3).
CRS-7
obtains or attempts to obtain is $750 or more.”42 In Illinois, the crime of financial
identity theft includes the fraudulent use of credit card numbers, in addition to the
fraudulent use of identification documents.43
State Laws Aimed at Assisting Victims. In addition to the states that
provide for criminal prosecution of impostors, some states have enacted laws aimed
at assisting victims of identity theft. These laws served as a model for the recently
enacted Fair and Accurate Credit Transactions (FACT) Act’s amendments to the
FCRA. Pursuant to amendments made by the FACT Act, many of these provisions
are now preempted by federal law, subject to certain exceptions and exclusions.44
Prior to the enactment of the federal law, at least three states – California, Idaho,
and Washington – enacted laws allowing victims of identity theft to place fraud alerts
on their credit reports or have information resulting from the alleged theft blocked
from their credit reports.45
California enacted what some consider to be the most extensive law aimed at
assisting victims of identity theft and preventing future occurrences. Under
California law, a consumer may request that a security alert be placed in his or her
credit report to notify recipients of the report “that the consumer’s identity may have
been used without the consumer’s consent to fraudulently obtain goods or services
in the consumer’s name.”46 Consumer reporting agencies are required to notify each
person requesting consumer credit information with respect to a consumer of the
existence of a security alert in the consumer’s report, regardless of whether a full
credit report, credit score, or summary report is requested.47
A consumer may also be able to have a security freeze placed on his or her
credit report by making a request in writing by certified mail with a consumer credit
reporting agency.48 A security freeze prohibits the consumer reporting agency from
releasing the consumer’s credit report or any information from it without the express
authorization of the consumer.49 The consumer reporting agency may advise a third
party requesting the consumer’s report that a security freeze is in place, but may not
release any additional information without prior express authorization from the
consumer. If a security freeze is in place, a consumer credit reporting agency may
not change the name, date of birth, social security number, or address in a consumer
42 Or. Rev. Stat. § 165.055.
43720 ILCS 5/16G-10. See also Ohio Rev. Code Ann. § 2913.49.
44For more information on the FCRA’s preemption of state law, see CRS Report RS21449,
Fair Credit Reporting Act: Preemption of State Law.
45California, Cal. Civ. Code § 1785.11.1; Idaho, Idaho Code § 28-51-02; Washington, RCW
19.182.160.
46Cal. Civ. Code § 1785.11.1(a).
47Cal. Civ. Code § 1785.11.1(b).
48Cal. Civ. Code § 1785.11.2(a).
49Id.
CRS-8
credit report without sending a written confirmation of the change to the consumer
within 30 days of the change being posted to the consumer’s file.50 In the case of an
address change, the written confirmation must be sent to both the new address and
to the former address.
Victims of identity theft who are sued on an obligation resulting from the theft,
may bring a cross-claim alleging identity theft. If the victim prevails, he or she is
entitled to a judgment stating that he or she is not responsible for the debt or other
basis for the claim and an injunction restraining any collection efforts.51 The victim
may join other claimants, and the court may keep jurisdiction for up to ten years, so
as to resolve all claims resulting from the theft.
An additional provision, required a consumer reporting agency to provide
consumers who have reason to believe that they are victims of identity theft with
information as to their rights under California law.52 Upon receipt from a victim of
identity theft of a police report or a valid investigative report, a consumer reporting
agency must also provide a victim of identity theft with up to 12 copies of his or her
credit report during a consecutive 12-month period free of charge.53
Washington has also enacted an extensive identity theft statute that includes
provisions aimed at assisting victims of identity theft. As noted above, the
Washington identity theft statute has a provision that allows consumers to block
information resulting from identity theft from their credit reports. A consumer
reporting agency must block such information within 30 days of receiving a copy of
a police report regarding the alleged theft.54 Another provision allows victims of
identity theft to receive information about the alleged crime from persons who may
have entered into transactions with the impostor. Upon the request of the victim,
such persons must provide copies of all relevant application and transaction
information related to the alleged fraudulent transaction.55
Legislative Proposals
To date, a number of bills related to identity theft have been introduced in the
108th Congress. However, with the exception of H.R. 1731, and H.R. 2622, much of
the legislation has not been acted upon. H.R. 1731 was passed by both the House and
the Senate in June 2004, and was signed by the President on July 15, 2004, becoming
P.L. 108-275. H.R. 2622 was passed by both the House and the Senate during the
first session of the 108th Congress, and was signed by the President on December 4,
2003, becoming P.L. 108-159.
50Cal. Civ. Code § 1785.11.3(a).
51Cal. Civ. Code § 1798.2.
52Cal. Civ. Code § 1785.15.3(a).
53Cal. Civ. Code § 1785.15.3(b).
54RCW 19.182.160.
55RCW 9.35.040.
CRS-9
Title III of S. 22, the Justice Enhancement and Domestic Security Act of
2003, includes several provisions aimed at deterring and preventing identity theft,
including identity theft mitigation, amendments to the Fair Credit Reporting Act
requiring the blocking of information on a consumer’s credit report resulting from
identity theft, an amendment to the FCRA’s statute of limitations, provisions related
to the misuse of social security numbers, and prevention provisions similar to those
in S. 223 discussed below.
S. 223, the Identity Theft Prevention Act, includes several provisions aimed
at preventing identity theft, including a requirement that credit card issuers confirm
change of address requests, a requirement that consumer reporting agencies include
fraud alerts in consumer reports at the request of the consumer, and a requirement
that credit card numbers on printed receipts be truncated.
S. 228, the Social Security Number Misuse Prevention Act, would prohibit
the display, sale, or purchase of an individual’s social security number with limited
exceptions. It would also prohibit the display, sale, or purchase of public records
containing social security numbers, and prohibit the use of social security numbers
on certain government documents, such as checks and driver’s licenses. The bill
would also place limitations on the use of social security numbers by commercial
entities. H.R. 637 appears to be substantially similar.
S. 745, the Privacy Act of 2003, while not directly related to identity theft,
includes numerous provisions aimed at protecting the privacy of personal
information, which could assist identity theft prevention efforts. Provisions set forth
in S. 745 would generally prohibit the collection and distribution of personally
identifiable information unless the individual receives notification and is provided
an opportunity to restrict the disclosure or sale of such information; prohibit the
display, sale, or purchase of an individual’s Social Security number without consent
from the individual; place limitations on the sale and sharing of nonpublic personal
financial information; place limitations on the provisions of protected health
information; and prohibit the release of certain information included on an
individual’s driver’s license.
S. 1533, the Identity Theft Victims Assistance Act of 2003, includes a number
of provisions aimed at assisting victims of identity theft. The bill would require
businesses that possess information relating to an alleged identity theft to provide the
alleged victim or a law enforcement agency authorized by the victim with such
information no later than 20 days after receiving a request from the victim and upon
verification of the victim’s identity. The bill would also amend the Fair Credit
Reporting Act to allow victims of identity theft to block information resulting from
the theft from their credit reports and to extend the FCRA’s statute of limitations.
S. 1581 appears to include similar provisions.
S. 1633, the Identity Theft Notification and Credit Restoration Act of 2003,
would require financial institutions and financial service providers to notify
consumers of the unauthorized use of personal information following a security
breach, and require consumer reporting agencies to include a fraud alert in a
consumer’s report upon notification by a financial institution of such a breach
CRS-10
relating to the consumer’s information. A similar bill, H.R. 3233, was introduced
in the House.
S. 2636, the Anti-phishing Act of 2004, would amend title 18 of the United
States Code to make “phishing”56 a federal crime. Under the Act, it would be a
federal crime, subject to a penalty of up to five years, to create or procure the creation
of a website or domain name that represents itself as a legitimate online business,
without the authority or approval of the registered owner of the actual website or
domain name of the legitimate online business, for the purpose of soliciting any
person to submit or provide any means of identification to another person.
H.R. 220, the Identity Theft Prevention Act of 2003, would place new
restrictions on the use of social security numbers and require all social security
numbers to be randomly generated.
H.R. 818, the Identity Theft Consumer Notification Act, would require
financial institutions to notify consumers whose personal information has been
compromised. The financial institution would also be required to assist the
individual by correcting information in the consumer’s credit file and to compensate
the consumer for any monetary losses resulting from the compromise. The bill would
also amend the Fair Credit Reporting Act’s statute of limitations to allow additional
time for a consumer to file suit.
H.R. 1636, the Consumer Privacy Protection Act of 2003, includes several
provisions aimed at protecting consumer privacy. Title I of the bill addresses a
consumer’s rights with respect to the use or dissemination of his or her personal
information in interstate commerce, including a requirement that consumers be given
an opportunity to preclude the sale or disclosure of the consumer’s personally
identifiable information. Title II specifically addresses the prevention of identity
theft and provides remedies for victims of identity theft. The bill would require the
Federal Trade Commission to take actions necessary to permit consumers to file
electronic identity theft affidavits with the Commission and to promote the use of a
common identity theft affidavit among entities that receive disputes regarding the
unauthorized use of accounts from consumers that have reason to believe that they
are victims of identity theft. The legislation also directs the FTC to require such
entities to resolve identity theft disputes within 90 days from the date on which all
necessary information to investigate the claim has been submitted. The bill would
also make improvements to the Commission’s consumer clearinghouse, and require
the collection of data from public and private entities that receive and process
complaints from consumers that have a reasonable belief that they are victims of
identity theft.
H.R. 1729, the Negative Credit Notification Act, would require a consumer
reporting agency to notify a consumer if any information that is, or may be construed
56Phishing is a type of internet scam that “uses false e-mail return addresses, stolen graphics,
stylistic imitation, misleading or disguised hyperlinks, so-called `social engineering', and
other artifices to trick users into revealing personally identifiable information.” S. 2636,
Sec. 2.
CRS-11
as being, adverse to the interests of the consumer is added to the consumer’s file.
The notification must also include a brief description of the information “sufficient
to allow the consumer to determine the accuracy or completeness of the information
so furnished and the source of the information.”
H.R. 1931, the Personal Information Privacy Act of 2003, includes several
provisions aimed at protecting an individual’s Social Security number and other
personal information. The bill would amend the Fair Credit Reporting Act to include
in the definition of a consumer report any identifying information of the consumer,
except the name, address and telephone number of the consumer if listed in a
residential telephone directory available in the locality of the consumer, and require
a consumer reporting agency to receive express written authorization from a
consumer prior to releasing information with respect to a transaction that was not
initiated by the consumer. An additional amendment to the FCRA would add a new
section prohibiting the sale or transfer of transaction or experience information
without the consumer’s express written consent. H.R. 1931 would also prohibit the
use of an individual’s Social Security number for commercial purposes without
consent.
H.R. 2035, the Identity Theft and Financial Privacy Act of 2003, includes
several provisions aimed at preventing identity theft. The bill would require credit
card issuers to confirm change of address requests if such request is received within
30 days of a request for an additional card, and amend the Fair Credit Reporting Act
to require consumer reporting agencies to notify requesters of potential fraud when
the request includes an address for the consumer that is substantially different from
the most recent address on file with the consumer reporting agency. An additional
amendment to the FCRA would require consumer reporting agencies, upon receipt
of proper identification, to include a fraud alert in a consumer’s file if the consumer
has been or suspects that he or she is about to become a victim of identity theft. The
consumer reporting agency would be required to notify each person procuring the
consumer’s file of the existence of a fraud alert, regardless of whether a full credit
report, credit score, or summary report is requested. The Federal Trade Commission
would be required to promulgate rules providing for procedures for referral of
consumer complaints about identity theft and fraud alters between and among the
consumer reporting agencies and the Commission. In addition, rules developing a
model form and standard procedures to be used by consumers who are victims of
identity theft for contacting and informing creditors and consumer agencies of the
fraud would be required. H.R. 2035 would also require the truncation of credit card
numbers on printed receipts and require consumer reporting agencies to provide free
credit reports annually upon the request of a consumer.
H.R. 2617, the Consumer Identity and Information Security Act of 2003,
includes several provisions aimed at preventing identity theft and assisting victims.
The bill would prohibit certain actions with respect to an individual’s social security
number, including prohibitions on the display of an individual’s social security
number and a prohibition on requiring an individual to transmit his or her social
security number over the Internet. The truncation of credit and debit card numbers
on receipts would also be required. The bill would also require credit card issuers to
verify a consumer’s identity if the issuer receives a change of address request within
30 days of receiving a request for an additional card. Consumer reporting agencies
CRS-12
would also be required, upon receipt of proper identification, to include in a
consumer’s file a fraud alert and notify all subsequent users of the consumer’s report
of the existence of the alert. A consumer reporting agency that maintains files on a
nationwide basis would be required to notify other such agencies of the alert, and
such agencies would then be required to place similar alerts in the files they maintain.
H.R. 2633, the Identity Theft Protection and Information Blackout Act of
2003, includes a number of provisions restricting the sale, purchase, display, and use
of an individual’s social security number in both the government and private sector.
The bill would also deem the refusal to do business without receipt of a social
security number an unfair or deceptive act of practice under the Federal Trade
Commission Act, and prohibit the disclosure of a social security number by a
consumer reporting agency except in connection with the disclosure of a full
consumer credit report furnished in accordance with section 604 of the FCRA. H.R.
2633 also includes provisions aimed at protecting the privacy of medical information
in connection with financial transactions, and prohibiting the use of medical
information in connection with any decision to offer, provide, or continue to provide
any financial product or service.
H.R. 2971, the Social Security Number Privacy and Identity Theft
Prevention Act of 2003, includes a number of provisions aimed at restricting or
prohibiting the use of social security account numbers in the private and public
sectors. In general, these provisions are similar to those found in other bills
discussed supra.
H.R. 3254, the Consumer Credit and Identity Protection Act, would require
the truncation of account numbers on transaction receipts with respect to an
electronic funds transfer initiated by the consumer at an electronic terminal, and
require the Federal Reserve Board to study the feasibility of truncating credit and
debit card account numbers in all consumer transactions.
H.R. 3296, the Prevent Identity Theft From Affecting Lives and Livelihoods
(PITFALL) Act, would require creditors, consumer reporting agencies, and debt
collectors to take certain actions with respect to identity theft victims upon
completion of an investigation by a state or local law enforcement agency. If a state
provides for such investigations and the law enforcement agency in question issues
a document stating the results of the investigation, the victim may not be held liable
for debts incurred in his or her name as a result of identity theft. A similar Senate
bill, S. 1749, was also introduced.
H.R. 3693, the Identity Theft Investigation and Prosecution Act of 2003,
would provide additional resources to the Department of Justice for the investigation
and prosecution of identity theft and related credit card and other fraud.