Federal Identity Theft Laws: ITADA, FACTA, and Related Statutes
Federal identity theft law in the United States is built across a layered framework of criminal statutes, consumer protection mandates, and sectoral privacy regulations — each addressing distinct harms, enforcement mechanisms, and remedial rights. The Identity Theft and Assumption Deterrence Act of 1998 (ITADA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA) anchor the federal statutory structure, but neither operates in isolation. This page maps the full legislative landscape, the structural mechanics of each major statute, their classification boundaries, and the points of genuine legal tension that shape enforcement and compliance practice.
Definition and Scope
Identity theft under federal law is defined with specificity in 18 U.S.C. § 1028 (as amended by ITADA) as the knowing transfer, possession, or use of a means of identification of another person without lawful authority and with the intent to commit, aid, or abet any unlawful activity that constitutes a violation of federal law or a felony under applicable state law (18 U.S.C. § 1028, via Cornell LII). The statute's scope extends beyond traditional document fraud to include digital identifiers, biometric data, and account credentials.
FACTA, enacted as an amendment to the Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681 et seq.), operates in the civil and consumer-protection domain rather than the criminal domain. Its scope covers credit file accuracy, fraud alert systems, free annual credit reports, and the truncation of account numbers on receipts. The Federal Trade Commission (FTC) administers FACTA's consumer-facing provisions, while the Consumer Financial Protection Bureau (CFPB) holds rulemaking authority over credit reporting entities under the Dodd-Frank Act of 2010.
The scope of federal jurisdiction depends significantly on whether the identity theft involved a federal benefit program, crossed state lines, used electronic communications, or implicated financial institutions subject to federal charter. For practitioners navigating the identity theft service landscape, understanding which statute governs a specific harm class is the threshold analytical step.
Core Mechanics or Structure
ITADA (18 U.S.C. § 1028 and § 1028A)
ITADA created a standalone federal felony for identity theft and established graduated penalties. A conviction under § 1028 carries up to 15 years imprisonment for a first offense involving fraud; aggravated identity theft under § 1028A — added by the Identity Theft Penalty Enhancement Act of 2004 — mandates a 2-year consecutive prison term when the underlying offense is a specified felony (e.g., bank fraud, immigration fraud, or Social Security fraud). The mandatory consecutive structure under § 1028A is non-discretionary: judges cannot reduce or suspend the 2-year term (18 U.S.C. § 1028A, via Cornell LII).
Enforcement is split across agencies: the Department of Justice (DOJ) prosecutes § 1028 and § 1028A violations through U.S. Attorneys' offices; the Secret Service and FBI share investigative jurisdiction for financial and cyber-enabled identity crimes; the Social Security Administration Office of Inspector General handles benefit fraud cases.
FACTA (Public Law 108-159)
FACTA's mechanics operate through obligations imposed on consumer reporting agencies (CRAs), creditors, and businesses that handle consumer financial records. Key structural components include:
- Fraud Alerts: CRAs must place a 1-year initial fraud alert upon consumer request; a 7-year extended fraud alert is available for verified identity theft victims (FTC summary of FACTA provisions).
- Credit Freezes: Codified initially under FACTA and later strengthened by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (S. 2155), which made free credit freezes a federal right at all three major CRAs.
- Red Flags Rule: Under FACTA § 114, financial institutions and creditors must implement written Identity Theft Prevention Programs to detect and respond to patterns indicating identity theft — administered jointly by the FTC and federal banking regulators.
- Truncation Requirement: FACTA § 113 prohibits printing more than the last 5 digits of a payment card number on electronically printed receipts.
Causal Relationships or Drivers
The legislative history of both ITADA and FACTA reflects direct responses to documented market and enforcement failures. ITADA was enacted in 1998 because, before its passage, federal prosecutors had to charge identity thieves under secondary statutes (credit card fraud, wire fraud, Social Security Act violations) rather than a specific identity theft crime — creating sentencing gaps and complicating prosecution.
FACTA emerged from documented failures in the credit reporting system: a 2003 FTC study found that approximately 25 percent of consumers identified errors in their credit files significant enough to result in denial of credit at standard rates (referenced in FTC, Prepared Statement on FACTA Implementation, 2005). The absence of a uniform, free annual credit report mechanism and the lack of standardized fraud alert procedures were identified as structural deficiencies that enabled unremediated identity theft to persist for extended periods.
The economic cost of identity crime also drove legislative expansion: the DOJ's Victims of Identity Theft survey series and the Bureau of Justice Statistics (BJS) have tracked financial losses from identity theft across household surveys, with BJS reporting that identity theft victimization affected approximately 23.9 million U.S. residents age 16 or older in the period studied in its 2014 survey (BJS Identity Theft Supplement).
Classification Boundaries
Federal identity theft law distinguishes offenses across at least 4 classification axes:
- Criminal vs. Civil: ITADA and § 1028A are criminal statutes; FACTA creates civil liability with statutory damages between $100 and $1,000 per willful violation, plus punitive damages and attorney's fees (15 U.S.C. § 1681n).
- Aggravated vs. Non-Aggravated: Aggravated identity theft under § 1028A requires a predicate felony from a statutory list — it does not apply to all § 1028 violations.
- Sectoral Overlays: Healthcare-related identity theft intersects with HIPAA (45 C.F.R. Parts 160 and 164), administered by HHS OCR. Financial account takeover intersects with the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. § 6801 et seq.) Safeguards Rule, administered by the FTC.
- Federal vs. State Jurisdiction: All 50 states have independent identity theft statutes. Federal prosecution typically occurs when the crime involves federal programs, crosses state lines, or meets dollar thresholds justifying U.S. Attorney resource allocation.
Professionals catalogued in identity theft service directories often specialize by these classification axes — criminal defense, credit dispute resolution, and HIPAA breach response are distinct practice domains with different licensing and regulatory contexts.
Tradeoffs and Tensions
The mandatory consecutive sentencing provision of § 1028A has generated persistent constitutional and policy debate. Critics — including the U.S. Sentencing Commission in its 2023 report on mandatory minimums — have argued that mandatory consecutive terms shift sentencing discretion from judges to prosecutors and can produce sentencing disparities based on charging decisions rather than offense severity (U.S. Sentencing Commission, Mandatory Minimum Penalties for Identity Theft Offenses, 2023).
FACTA's credit freeze and fraud alert system creates a procedural tension between consumer protection and the legitimate operational needs of creditors: an extended fraud alert triggers mandatory verification requirements that can delay credit decisions, and credit freezes, when applied across all three major CRAs, can create friction in time-sensitive transactions (mortgage closings, rental applications).
The Red Flags Rule has faced implementation tension with smaller creditors and healthcare providers, who challenged FTC jurisdiction to apply the rule to entities not traditionally classified as "financial institutions." The Dodd-Frank Act ultimately transferred certain rulemaking authority to the CFPB, but jurisdictional boundaries between FTC and CFPB enforcement remain a structural complexity for multi-sector businesses.
Common Misconceptions
Misconception: ITADA created a private right of action for identity theft victims.
ITADA is a criminal statute — it does not create civil liability. Victims cannot sue a perpetrator under ITADA directly. Civil remedies for identity theft originate primarily from FACTA/FCRA, state consumer protection statutes, or common law tort claims.
Misconception: A fraud alert locks a credit file the same way a credit freeze does.
A fraud alert instructs creditors to take extra verification steps before issuing credit — it does not block access to the credit file. A credit freeze (security freeze) blocks unauthorized parties from accessing the file entirely. The two mechanisms operate differently under FACTA and produce different levels of protection.
Misconception: Aggravated identity theft under § 1028A applies to any identity theft crime.
The § 1028A enhancement applies only when the predicate offense is a felony on the statute's enumerated list, which includes bank fraud (18 U.S.C. § 1344), mail fraud (§ 1341), wire fraud (§ 1343), and immigration-related offenses, among others — but not all state or federal felonies.
Misconception: FACTA's free credit report entitlement is unlimited.
The Annual Credit Report provision entitles consumers to one free report per 12 months from each of the three nationwide CRAs through AnnualCreditReport.com (established under FACTA § 211). Separate entitlements apply after adverse action notices or verified identity theft, but the baseline is not unlimited.
Checklist or Steps (Non-Advisory)
Federal Statutory Reference Sequence: Identity Theft Incident Analysis
The following sequence reflects the standard analytical path under federal law when categorizing an identity theft incident:
- Identify the harm type — credential misuse, account takeover, synthetic identity fraud, benefit fraud, or medical identity theft.
- Determine federal nexus — assess whether a federal program, federally chartered institution, or interstate electronic communication is involved (§ 1028 jurisdictional triggers).
- Check predicate felony list — if criminal prosecution is anticipated, evaluate whether the conduct triggers § 1028A mandatory enhancement by cross-referencing the enumerated felony list in 18 U.S.C. § 1028A(c).
- Assess CRA obligations — determine whether a consumer reporting agency received, processed, or disseminated affected data, triggering FCRA/FACTA obligations (fraud alert placement, dispute rights under 15 U.S.C. § 1681i).
- Evaluate sectoral overlay — identify whether HIPAA, GLBA Safeguards Rule, or state breach notification laws impose parallel obligations.
- Document identity theft for FTC report — IdentityTheft.gov (operated by the FTC) generates an official Identity Theft Report, which activates extended fraud alert eligibility and supports credit dispute rights under FACTA.
- Assess civil recovery options — FCRA/FACTA statutory damages, state UDAP claims, or common law conversion/fraud depending on jurisdiction.
Reference Table or Matrix
| Statute | Code Citation | Type | Primary Enforcer | Key Penalty / Remedy |
|---|---|---|---|---|
| Identity Theft and Assumption Deterrence Act (ITADA) | 18 U.S.C. § 1028 | Criminal | DOJ / FBI / Secret Service | Up to 15 years imprisonment (first offense) |
| Aggravated Identity Theft Penalty Enhancement | 18 U.S.C. § 1028A | Criminal (mandatory) | DOJ | Mandatory 2-year consecutive term |
| Fair Credit Reporting Act (FCRA) | 15 U.S.C. § 1681 et seq. | Civil / Consumer | FTC / CFPB | $100–$1,000 per willful violation; punitive damages |
| Fair and Accurate Credit Transactions Act (FACTA) | Public Law 108-159 | Civil / Consumer | FTC / CFPB | Fraud alerts, freeze rights, truncation mandates |
| Gramm-Leach-Bliley Act (GLBA) Safeguards Rule | 15 U.S.C. § 6801 | Regulatory | FTC / Federal banking regulators | Civil penalties; breach notification obligations |
| HIPAA Privacy and Security Rules | 45 C.F.R. Parts 160, 164 | Regulatory | HHS Office for Civil Rights | Up to $1.9 million per violation category per year |
| Red Flags Rule | FACTA § 114; 16 C.F.R. Part 681 | Regulatory | FTC / CFPB | Civil enforcement; program implementation mandate |
| Economic Growth, Regulatory Relief Act (S. 2155, 2018) | Public Law 115-174 | Civil / Consumer | FTC / CFPB | Free credit freeze mandate at all three major CRAs |