Order Code RL31919
Remedies Available to
Victims of Identity Theft
Updated January 23, 2007
Gina Marie Stevens
Legislative Attorney
American Law Division
Remedies Available to Victims of Identity Theft
Summary
According to the Federal Trade Commission, identity theft is the most common
complaint from consumers in all fifty states, and complaints regarding identity theft
have grown for four consecutive years. Victims of identity theft may incur damaged
credit records, unauthorized charges on credit cards, and unauthorized withdrawals
from bank accounts. Sometimes, victims must change their telephone numbers or
even their social security numbers. Victims may also need to change addresses that
were falsified by the impostor. With media reports of information security breaches
increasing, concerns about new cases of widespread identity theft have received
significant attention in Congress.
This report provides an overview of the federal laws that could assist victims of
identity theft with purging inaccurate information from their credit records and
removing unauthorized charges from credit accounts, as well as federal laws that
impose criminal penalties on those who assume another person’s identity through the
use of fraudulent identification documents. This report will be updated as events
warrant.
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Federal Laws Related to Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Identity Theft Assumption and Deterrence Act . . . . . . . . . . . . . . . . . . . 1
Identity Theft Penalty Enhancement Act . . . . . . . . . . . . . . . . . . . . . . . . 3
Fair Credit Reporting Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Fair and Accurate Credit Transactions (FACT) Act of 2003 . . . . . . . . . 4
Fair Credit Billing Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Electronic Fund Transfer Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Remedies Available to Victims of
Identity Theft
Introduction1
According to the Federal Trade Commission, identity theft is the most common
complaint from consumers in all 50 states, and complaints regarding identity theft
have grown for 4 consecutive years.2 Victims of identity theft may incur damaged
credit records, unauthorized charges on credit cards, and unauthorized withdrawals
from bank accounts. Sometimes, victims must change their telephone numbers or
even their social security numbers. Victims may also need to change addresses that
were falsified by the impostor. With media reports of information security breaches
increasing, concerns about new cases of potentially widespread identity theft have
received significant attention in Congress.3
This report provides an overview of the federal laws that could assist victims of
identity theft with purging inaccurate information from their credit records and
removing unauthorized charges from credit accounts, as well as federal laws that
impose criminal penalties on those who assume another person’s identity through the
use of fraudulent identification documents. This report will be updated as warranted.
Federal Laws Related to Identity Theft
Identity Theft Assumption and Deterrence Act. While not exclusively
aimed at consumer identity theft, the Identity Theft Assumption Deterrence Act
prohibits fraud in connection with identification documents under a variety of
circumstances.4 Certain offenses under the statute relate directly to consumer identity
theft, and impostors could be prosecuted under the statute. For example, the statute
1 This report was originally prepared by Angie A. Welborn, Legislative Attorney.
2 Federal Trade Commission, ID Theft Clearinghouse Data, January 25, 2006,
[http://www.consumer.gov/idtheft/pdf/clearinghouse_2005.pdf]. CY 2005 is the last year
for which data are currently available.
3 Legislation that has been introduced in response to the increase in information security
breaches is discussed in CRS Report RL33273, Data Security: Federal Legislative
Approaches, by Gina Marie Stevens. For more information on security breaches, see CRS
Report RL33199, Personal Data Security Breaches: Context and Incident Summaries, by
Rita Tehan.
4 18 U.S.C. 1028. The statute lists several actions that constitute fraud in connection with
identification documents. However, for the purposes of this report, they do not all relate to
consumer-related identity theft, i.e. situations where a consumer’s Social Security number
or driver’s license number may be stolen and used to establish credit accounts by an
impostor.
CRS-2
makes it a federal crime, under certain circumstances,5 to knowingly and without
lawful authority produce an identification document6 or false identification
document; or to knowingly possess an identification document that is or appears to
be an identification document of the United States which is stolen or produced
without lawful authority knowing that such document was stolen or produced without
such authority.7 It is also a federal crime to knowingly transfer or use, without lawful
authority, a means of identification of another person with the intent to commit, or
aid or abet, any unlawful activity that constitutes a violation of federal law, or that
constitutes a felony under any applicable state or local law.8
The punishment for offenses involving fraud related to identification documents
varies depending on the specific offense and the type of document involved.9 For
example, a fine or imprisonment of up to 15 years may be imposed for using the
identification of another person with the intent to commit any unlawful activity under
state law, if, as a result of the offense, the person committing the offense obtains
anything of value totaling $1,000 or more during any one-year period.10 Other
offenses carry terms of imprisonment up to three years.11 However, if the offense is
committed to facilitate a drug trafficking crime or in connection with a crime of
violence, the term of imprisonment could be up to twenty years.12 Offenses
5 According to the statute, the prohibitions listed apply when “the identification document
or false identification document is or appears to be issued by or under the authority of the
United States or the document-making implement is designed or suited for making such an
identification document or false identification document;” the document is presented with
the intent to defraud the United States; or “either the production, transfer, possession, or use
prohibited by this section is in or affects interstate or foreign commerce, including the
transfer of a document by electronic means, or the means of identification, identification
document, false identification document, or document-making implement is transported in
the mail in the course of the production, transfer, possession, or use prohibited by this
section.” 18 U.S.C. 1028(c).
6 Identification document is defined as “a document made or issued by or under the authority
of the United States Government, a State, political subdivision of a State, a foreign
government, political subdivision of a foreign government, an international governmental
or an internal quasi-governmental organization which, when completed with information
concerning a particular individual, is of a type intended or commonly accepted for the
purpose of identification of individuals.” 18 U.S.C. 1028(d)(2). Identification documents
include Social Security cards, birth certificates, driver’s licenses, and personal identification
cards.
7 18 U.S.C. 1028(a)(1) and (2).
8 18 U.S.C. 1028(a)(7).
9 18 U.S.C. 1028(b).
10 18 U.S.C. 1028(b)(1)(D).
11 18 U.S.C. 1028(b)(2).
12 18 U.S.C. 1028(b)(3).
CRS-3
committed to facilitate an action of international terrorism are punishable by terms
of imprisonment up to twenty-five years.13
Identity Theft Penalty Enhancement Act. The Identity Theft Penalty
Enhancement Act was signed on July 15, 2004, (P.L. 108-275). The act amends Title
18 of the United States Code to define and establish penalties for aggravated identity
theft and makes changes to the existing identity theft provisions of Title 18. Under
the new law, aggravated identity theft occurs when a person “knowingly transfers,
possess, or uses, without lawful authority, a means of identification of another
person” during and in relation to the commission of certain enumerated felonies.14
The penalty for aggravated identity theft is a term of imprisonment of two years in
addition to the punishment provided for the original felony committed. Offenses
committed in conjunction with certain terrorism offenses are subject to an additional
term of imprisonment of five years. The act also directs the United States Sentencing
Commission to “review and amend its guidelines and its policy statements to ensure
that the guideline offense levels and enhancements appropriately punish identity theft
offenses involving an abuse of position” adhering to certain requirements outlined
in the legislation.15
In addition to increasing penalties for identity theft, the act authorized
appropriations to the Justice Department “for the investigation and prosecution of
identity theft and related credit card and other fraud cases constituting felony
violations of law, $2,000,000 for FY2005 and $2,000,000 for each of the 4
succeeding fiscal years.”16
Fair Credit Reporting Act. While the Fair Credit Reporting Act (FCRA)
does not directly address identity theft, it could offer victims assistance in having
negative information resulting from unauthorized charges or accounts removed from
their credit files.17 The purpose of the FCRA is “to require that consumer reporting
agencies adopt reasonable procedures for meeting the needs of commerce for
consumer credit, personnel, insurance, and other information in a manner which is
fair and equitable to the consumer, with regard to the confidentiality, accuracy,
relevancy, and proper utilization of such information.”18 The FCRA outlines a
consumer’s rights in relation to his or her credit report, as well as permissible uses
13 18 U.S.C. 1028(b)(4).
14 P.L. 108-275, Sec. 2, to be codified at 18 U.S.C. 1028A. Offenses that could give rise to
aggravated identity theft are enumerated in this section, and include offenses relating to theft
of public money, property, or rewards; theft, embezzlement, or misapplication by a bank
officer or employee; theft from employee benefit plans; false personation of citizenship;
false statements in connection with the acquisition of a firearm; mail, bank, and wire fraud;
obtaining consumer information by false pretenses; and certain immigration violations. The
list of enumerated offenses will be codified at 18 U.S.C. 1028A(c).
15 P.L. 108-275, Sec. 5.
16 P.L. 108-275, Sec. 6.
17 For more information on a consumer’s rights under the FCRA, see CRS Report RL31666,
Fair Credit Reporting Act: Rights and Responsibilities, by Angie A. Welborn.
18 15 U.S.C. 1681(b).
CRS-4
for credit reports and disclosure requirements. In addition, the FCRA imposes a duty
on consumer reporting agencies to ensure that the information they report is accurate,
and requires persons who furnish information to ensure that the information they
furnish is accurate.
The FCRA allows consumers to file suit for violations of the act, which could
include the disclosure of inaccurate information about a consumer by a credit
reporting agency.19 A consumer who is a victim of identity theft could file suit
against a credit reporting agency for the agency’s failure to verify the accuracy of
information contained in the report and the agency’s disclosure of inaccurate
information as a result of the consumer’s stolen identity. Under the FCRA, as
recently amended, a consumer may file suit not later than the earlier of two years
after the date of discovery by the plaintiff of the violation that is the basis for such
liability, or five years after the date on which the violation occurred.20
Fair and Accurate Credit Transactions (FACT) Act of 2003. The
FACT Act, signed on December 4, 2003, includes, inter alia, a number of
amendments to the Fair Credit Reporting Act aimed at preventing identity theft and
assisting victims.21 Generally, these new provisions mirror laws passed by state
legislatures and create a national standard for addressing consumer concerns with
regard to identity theft and other types of fraud.22
Credit card issuers, who operate as users of consumer credit reports, are
required, under a new provision of the FCRA, to follow certain procedures when the
issuer receives a request for an additional or replacement card within a short period
of time following notification of a change of address for the same account.23 In a
further effort to prevent identity theft, other new provisions require the truncation of
credit card account numbers on electronically printed receipts,24 and, upon request,
the truncation of social security numbers on credit reports provided to a consumer.25
Consumers who have been victims of identity theft, or expect that they may
become victims, are now able to have fraud alerts placed in their files.26 Pursuant to
the new provisions, a consumer may request a fraud alert from one consumer
reporting agency and that agency is required to notify the other nationwide consumer
reporting agencies of the existence of the alert. In general, fraud alerts are to be
19 15 U.S.C. 1681n; 15 U.S.C. 1681o.
20 P.L. 108-159, Section 156.
21 P.L. 108-159. For effective dates, see 68 FR 74467 and 68 FR 74529 (December 24,
2003).
22 Generally, many of these new federal provisions preempt similar state laws. For more
information on the preemptive effects of the Fair Credit Reporting Act, see CRS Report
RS21449, Fair Credit Reporting Act: Preemption of State Law, by Angie A. Welborn.
23 P.L. 108-159, Section 114.
24 P.L. 108-159, Section 113.
25 P.L. 108-159, Section 115.
26 P.L. 108-159, Section 112.
CRS-5
maintained in the file for 90 days, but a consumer may request an extended alert
which is maintained for up to seven years. The fraud alert becomes a part of the
consumer’s credit file and is thus passed along to all users of the report. The alert
must also be included with any credit score generated using the consumer’s file, and
must be referred to other consumer reporting agencies.27
In addition to the fraud alert, victims of identity theft may also have information
resulting from the crime blocked from their credit reports.28 After the receipt of
appropriate proof of the identity of the consumer, a copy of an identity theft report,
the identification of the alleged fraudulent information, and a statement by the
consumer that the information is not information relating to any transaction
conducted by the consumer, a consumer reporting agency must block all such
information from being reported and must notify the furnisher of the information in
question that it may be the result of identity theft. Requests for the blocking of
information must also be referred to other consumer reporting agencies.29
Victims of identity theft are also allowed to request information about the
alleged crime. A business entity is required, upon request and subject to verification
of the victim’s identity, to provide copies of application and business transaction
records evidencing any transaction alleged to be a result of identity theft to the victim
or to any law enforcement agency investigating the theft and authorized by the victim
to take receipt of the records in question.30
Fair Credit Billing Act. The Fair Credit Billing Act (FCBA) is not an
identity theft statute per se, but it does provide consumers with an opportunity to
receive an explanation and proof of charges that may have been made by an impostor
and to have unauthorized charges removed from their accounts. The purpose of the
FCBA is “to protect the consumer against inaccurate and unfair credit billing and
credit card practices.”31 The law defines and establishes a procedure for resolving
billing errors in consumer credit transactions. For purposes of the FCBA, a “billing
error” includes unauthorized charges, charges for goods or services not accepted by
the consumer or delivered to the consumer, and charges for which the consumer has
asked for an explanation or written proof of purchase.32
Under the FCBA, consumers are able to file a claim with the creditor to have
billing errors resolved. Until the alleged billing error is resolved, the consumer is not
required to pay the disputed amount, and the creditor may not attempt to collect, any
part of the disputed amount, including related finance charges or other charges.33 The
act sets forth dispute resolution procedures and requires an investigation into the
27 P.L. 108-159, Section 153.
28 P.L. 108-159, Section 152.
29 P.L. 108-159, Section 153.
30 P.L. 108-159, Section 151.
31 15 U.S.C. 1601(a).
32 15 U.S.C. 1666(b); 12 C.F.R. 226.13(a).
33 15 U.S.C. 1666(c); 12 C.F.R. 226.13(d)(1).
CRS-6
consumer’s claims. If the creditor determines that the alleged billing error did occur,
the creditor is obligated to correct the billing error and credit the consumer’s account
with the disputed amount and any applicable finance charges.34
Electronic Fund Transfer Act. Similar to the Fair Credit Billing Act, the
Electronic Fund Transfer Act is not an identity theft statute per se, but it does provide
consumers with a mechanism for challenging unauthorized transactions and having
their accounts recredited in the event of an error. The purpose of the Electronic Fund
Transfer Act (EFTA) is to “provide a basic framework establishing the rights,
liabilities, and responsibilities of participants in electronic fund transfer systems.”35
Among other things, the EFTA limits a consumer’s liability for unauthorized
electronic fund transfers. If the consumer notifies the financial institution within two
business days after learning of the loss or theft of a debt card or other device used to
make electronic transfers, the consumer’s liability is limited to the lesser of $50 or
the amount of the unauthorized transfers that occurred before notice was given to the
financial institution.36
Additionally, financial institutions are required to provide a consumer with
documentation of all electronic fund transfers initiated by the consumer from an
electronic terminal. If a financial institution receives, within 60 days after providing
such documentation, an oral or written notice from the consumer indicating the
consumer’s belief that the documentation provided contains an error, the financial
institution must investigate the alleged error, determine whether an error has
occurred, and report or mail the results of the investigation and determination to the
consumer within 10 business days.37 The notice from the consumer to the financial
institution must identify the name and account number of the consumer; indicate the
consumer’s belief that the documentation contains an error and the amount of the
error; and set forth the reasons for the consumer’s belief that an error has occurred.38
In the event that the financial institution determines that an error has occurred,
the financial institution must correct the error within one day of the determination in
accordance with the provisions relating to the consumer’s liability for unauthorized
charges.39 The financial institution may provisionally recredit the consumer’s
account for the amount alleged to be in error pending the conclusion of its
investigation and its determination of whether an error has occurred, if it is unable
to complete the investigation within 10 business days.40
34 15 U.S.C. 1666(a); 12 C.F.R. 226.13(e).
35 15 U.S.C. 1693(b).
36 15 U.S.C. 1693g(a), 12 C.F.R. 205.6(b)(1).
37 15 U.S.C. 1693f(a), 12 C.F.R. 205.11(b) and (c).
38 Id.
39 15 U.S.C. 1693f(b).
40 15 U.S.C. 1693f(c), 12 C.F.R. 205.11(c).