Remedies Available to Victims of Identity Theft

Order Code RS21163 Updated March 21, 2003 CRS Report for Congress Received through the CRS Web Remedies Available to Victims of Identity Theft Angie A. Welborn Legislative Attorney American Law Division Summary According to the Federal Trade Commission, identity theft is the most common complaint from consumers in all fifty states, and complaints regarding identity theft have grown for three consecutive years.1 Victims of identity theft may incur damaged credit records, unauthorized charges on credit cards, and unauthorized withdrawals from bank accounts. Oftentimes, victims must change their addresses, telephone numbers, and even their Social Security numbers. This report provides an overview of the federal laws that could assist victims of identity theft with purging inaccurate information from their credit records and removing unauthorized charges from credit accounts, as well as federal laws that impose criminal penalties on those who assume another person’s identity through the use of fraudulent identification documents. Similar state laws and recent legislative proposals (S. 22, S. 223, S. 228, H.R. 220, H.R. 637, H.R. 818, and H.R. 858) aimed at preventing identity theft and providing additional remedies will also be discussed, including S. 153, which the Senate passed on March 19, 2003. This report will be updated as events warrant. Federal Statutes Related to Identity Theft Identity Theft Assumption and Deterrence Act. While not exclusively aimed at consumer identity theft, the Identity Theft Assumption Deterrence Act prohibits fraud in connection with identification documents under a variety of circumstances.2 Certain offenses under the statute relate directly to consumer identity theft, and impostors could be prosecuted under the statute. For example, the statute makes it a federal crime, under 1 []. 2 18 U.S.C. 1028. The statute lists several actions that constitute fraud in connection with identification documents. However, for the purposes of this report, they do not all relate to consumer-related identity theft, i.e. situations where a consumer’s Social Security number or driver’s license number may be stolen and used to establish credit accounts by an impostor. Congressional Research Service ˜ The Library of Congress CRS-2 certain circumstances,3 to knowingly and without lawful authority produce an identification document4 or false identification document; or to knowingly possess an identification document that is or appears to be an identification document of the United States which is stolen or produced without lawful authority knowing that such document was stolen or produced without such authority.5 It is also a federal crime to knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.6 The punishment for offenses involving fraud related to identification documents varies depending on the specific offense and the type of document involved.7 For example, a fine or imprisonment of up to 15 years may be imposed for using the identification of another person with the intent to commit any unlawful activity under state law, if, as a result of the offense, the person committing the offense obtains anything of value totaling $1,000 or more during any one-year period.8 Other offenses carry terms of imprisonment up to three years.9 However, if the offense is committed to facilitate a drug trafficking crime or in connection with a crime of violence, the term of imprisonment could be up to twenty years.10 Offenses committed to facilitate an action of international terrorism are punishable by terms of imprisonment up to twenty-five years.11 Fair Credit Reporting Act. While the Fair Credit Reporting Act (FCRA) does not directly address identity theft, it could offer victims assistance in having negative 3 According to the statute, the prohibitions listed apply when “the identification document or false identification document is or appears to be issued by or under the authority of the United States or the document-making implement is designed or suited for making such an identification document or false identification document;” the document is presented with the intent to defraud the United States; or “either the production, transfer, possession, or use prohibited by this section is in or affects interstate or foreign commerce, including the transfer of a document by electronic means, or the means of identification, identification document, false identification document, or document-making implement is transported in the mail in the course of the production, transfer, possession, or use prohibited by this section.” 18 U.S.C. 1028(c). 4 Identification document is defined as “a document made or issued by or under the authority of the United States Government, a State, political subdivision of a State, a foreign government, political subdivision of a foreign government, an international governmental or an internal quasigovernmental organization which, when completed with information concerning a particular individual, is of a type intended or commonly accepted for the purpose of identification of individuals.” 18 U.S.C. 1028(d)(2). Identification documents include Social Security cards, birth certificates, driver’s licenses, and personal identification cards. 5 18 U.S.C. 1028(a)(1) and (2). 6 18 U.S.C. 1028(a)(7). 7 18 U.S.C. 1028(b). 8 18 U.S.C. 1028(b)(1)(D). 9 18 U.S.C. 1028(b)(2). 10 18 U.S.C. 1028(b)(3). 11 18 U.S.C. 1028(b)(4). CRS-3 information resulting from unauthorized charges or accounts removed from their credit files. The purpose of the FCRA is “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.”12 The FCRA outlines a consumer’s rights in relation to his or her credit report, as well as permissible uses for credit reports and disclosure requirements. In addition, the FCRA requires credit reporting agencies to follow “reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.”13 The FCRA allows consumers to file suit for violations of the Act, which could include the disclosure of inaccurate information about a consumer by a credit reporting agency.14 A consumer who is a victim of identity theft could file suit against a credit reporting agency for the agency’s failure to verify the accuracy of information contained in the report and the agency’s disclosure of inaccurate information as a result of the consumer’s stolen identity. Generally, the FCRA requires a consumer to file suit “within two years from the date on which the liability arises.”15 However, there is an exception in cases where there was willful misrepresentation of information that is required to be disclosed to a consumer and such information is material to the establishment of the defendant’s liability.16 In such cases, the action “may be brought any time within two years after the discovery by the individual of the misrepresentation.”17 Fair Credit Billing Act. The Fair Credit Billing Act (FCBA) is not an identity theft statute per se, but it does provide consumers with an opportunity to receive an explanation and proof of charges that may have been made by an impostor and to have unauthorized charges removed from their accounts. The purpose of the FCBA is “to protect the consumer against inaccurate and unfair credit billing and credit card practices.”18 The law defines and establishes a procedure for resolving billing errors in consumer credit transactions. For purposes of the FCBA, a “billing error” includes unauthorized charges, charges for goods or services not accepted by the consumer or delivered to the consumer, and charges for which the consumer has asked for an explanation or written proof of purchase.19 12 15 U.S.C. 1681(b). 13 15 U.S.C. 1681e(b). 14 15 U.S.C. 1681n; 15 U.S.C. 1681o. For more information see CRS Report RS21083, Identity Theft and the Fair Credit Reporting Act: An Analysis of TRW v. Andrews and Current Legislation. 15 15 U.S.C. 1681p. 16 Id. 17 Id. 18 15 U.S.C. 1601(a). 19 15 U.S.C. 1666(b); 12 C.F.R. 226.13(a). CRS-4 Under the FCBA, consumers are able to file a claim with the creditor to have billing errors resolved. Until the alleged billing error is resolved, the consumer is not required to pay the disputed amount, and the creditor may not attempt to collect, any part of the disputed amount, including related finance charges or other charges.20 The Act sets forth dispute resolution procedures and requires an investigation into the consumer’s claims. If the creditor determines that the alleged billing error did occur, the creditor is obligated to correct the billing error and credit the consumer’s account with the disputed amount and any applicable finance charges.21 Electronic Fund Transfer Act. Similar to the Fair Credit Billing Act, the Electronic Fund Transfer Act is not an identity theft statute per se, but it does provide consumers with a mechanism for challenging unauthorized transactions and having their accounts recredited in the event of an error. The purpose of the Electronic Fund Transfer Act (EFTA) is to “provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems.”22 Among other things, the EFTA limits a consumer’s liability for unauthorized electronic fund transfers. If the consumer notifies the financial institution within two business days after learning of the loss or theft of a debt card or other device used to make electronic transfers, the consumer’s liability is limited to the lesser of $50 or the amount of the unauthorized transfers that occurred before notice was given to the financial institution.23 Additionally, financial institutions are required to provide a consumer with documentation of all electronic fund transfers initiated by the consumer from an electronic terminal. If a financial institution receives, within 60 days after providing such documentation, an oral or written notice from the consumer indicating the consumer’s belief that the documentation provided contains an error, the financial institution must investigate the alleged error, determine whether an error has occurred, and report or mail the results of the investigation and determination to the consumer within ten business days.24 The notice from the consumer to the financial institution must identify the name and account number of the consumer; indicate the consumer’s belief that the documentation contains an error and the amount of the error; and set forth the reasons for the consumer’s belief that an error has occurred.25 In the event that the financial institution determines that an error has occurred, the financial institution must correct the error within one day of the determination in accordance with the provisions relating to consumer’s liability for unauthorized charges.26 The financial institution may provisionally recredit the consumer’s account for the amount alleged to be in error pending the conclusion of its investigation and its determination of 20 15 U.S.C. 1666(c); 12 C.F.R. 226.13(d)(1). 21 15 U.S.C. 1666(a); 12 C.F.R. 226.13(e). 22 15 U.S.C. 1693(b). 23 15 U.S.C. 1693g(a), 12 C.F.R. 205.6(b)(1). 24 15 U.S.C. 1693f(a), 12 C.F.R. 205.11(b) and (c). 25 Id. 26 15 U.S.C. 1693f(b). CRS-5 whether an error has occurred, if it is unable to complete the investigation within ten business days.27 State Identity Theft Statutes Most states have enacted some type of identity theft statute.28 Many of these statutes impose criminal penalties for identity theft activities. For example, in California, impostors are subject to fines of up to $10,000 and confinement in jail for up to one year.29 Restitution may also be a component of the impostors punishment. In Texas, identity theft is a felony and, in addition to jail time, the court may order the impostor to reimburse the victim for lost income and other expenses incurred as a result of the theft.30 Other states impose civil penalties and provide victims with judicial recourse for damages incurred as a result of the theft. In Washington, impostors are “liable for civil damages of five hundred dollars or actual damages, whichever is greater, including costs to repair the victim's credit record.”31 While some statutes may define identity theft to include only the fraudulent use of identification documents, other statutes may more broadly define such activities. For example, Oregon also criminalizes the fraudulent use of credit cards. Such use constitutes a felony if the “aggregate total amount of property or services the person obtains or attempts to obtain is $750 or more.”32 In Illinois, the crime of financial identity theft includes the fraudulent use of credit card numbers, in addition to the fraudulent use of identification documents.33 Legislative Proposals 107th Congress. During the 107th Congress, numerous bills related to identity theft were introduced. An overview of this legislation can be found in CRS Report RL31752, Identity Theft: An Overview of Proposed Legislation. 108th Congress. To date, several bills related to identity theft have been introduced in the 108th Congress. With the exception of S. 153, which was passed by the Senate, without amendment, on March 19, no additional action has been taken on this legislation. In general, these bills include provisions similar to those found in legislation introduced during the 107th Congress. Title III of S. 22, the Justice Enhancement and Domestic Security Act of 2003, includes several provisions aimed at deterring and preventing identity theft, including 27 15 U.S.C. 1693f(c), 12 C.F.R. 205.11(c). 28 For a list of state identity theft statutes see []. 29 Cal. Penal Code §§ 530.5 - 530.7. 30 Tex. Penal Code § 32.51. See also Va. Code Ann. § 18.2-186.3; Md. Code Ann. art. 27 § 231. 31 RCW 9.35.020(3). 32 33 Or. Rev. Stat. § 165.055. 720 ILCS 5/16G-10. See also Ohio Rev. Code Ann. § 2913.49. CRS-6 identity theft mitigation, amendments to the Fair Credit Reporting Act requiring the blocking of information on a consumer’s credit report resulting from identity theft, an amendment to the FCRA’s statute of limitations, provisions related to the misuse of social security numbers, and prevention provisions similar to those in S. 223 discussed below. S. 153, the Identity Theft Penalty Enhancement Act, would amend Title 18 of the United States Code to establish penalties for aggravated identity theft and make changes to the existing identity theft provisions of Title 18. Under S. 153, aggravated identity theft would occur when a person “knowingly transfers, possess, or uses, without lawful authority, a means of identification of another person” during and in relation to the commission of certain enumerated felonies. The penalty for aggravated identity theft would be a term of imprisonment of 2 years in addition to the punishment provided for the original felony committed. Offenses committed in conjunction with certain terrorism offenses would be subject to a additional term of imprisonment of 5 years. H.R. 858 appears to be substantially similar. S. 223, the Identity Theft Prevention Act, includes several provisions aimed at preventing identity theft, including a requirement that credit card issuers confirm change of address requests, a requirement that consumer reporting agencies include fraud alerts in consumer reports at the request of the consumer, and a requirement that credit card numbers on printed receipts be truncated. S. 228, the Social Security Number Misuse Prevention Act, would prohibit the display, sale, or purchase of an individual’s social security number with limited exceptions. It would also prohibit the display, sale, or purchase of public records containing social security numbers, and prohibit the use of social security numbers on certain government documents, such as checks and driver’s licenses. The bill would also place limitations on the use of social security numbers by commercial entities. H.R. 637 appears to be substantially similar. H.R. 220, the Identity Theft Prevention Act of 2003, would place new restrictions on the use of social security numbers and require all social security numbers to be randomly generated. H.R. 818, the Identity Theft Consumer Notification Act, would require financial institutions to notify consumers whose personal information has been compromised. The financial institution would also be required to assist the individual by correcting information in the consumer’s credit file and to compensate the consumer for any monetary losses resulting from the compromise. The bill would also amend the Fair Credit Reporting Act’s statute of limitations to allow additional time for a consumer to file suit.