Federal Identity Theft Laws: ITADA, FACTA, and Related Statutes

The federal statutory framework governing identity theft in the United States spans criminal prohibition, civil remedies, consumer data rights, and agency enforcement authority — distributed across legislation enacted between 1998 and the present. This page maps the principal statutes: the Identity Theft and Assumption Deterrence Act (ITADA), the Fair and Accurate Credit Transactions Act (FACTA), the Fair Credit Reporting Act (FCRA), and related federal laws that collectively define how identity theft is prosecuted, remediated, and prevented at the national level. Understanding the boundaries and interactions among these statutes is essential for legal practitioners, compliance officers, victim advocates, and researchers navigating this regulatory sector.



Definition and Scope

Federal identity theft law, as a unified body, addresses unauthorized acquisition and fraudulent use of another person's identifying information. The operative definition embedded in the primary criminal statute — 18 U.S.C. § 1028, as amended by ITADA — covers the knowing transfer, possession, or use of a means of identification of another person with intent to commit, aid, or abet any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under applicable state or local law (18 U.S.C. § 1028, Cornell LII).

ITADA, enacted in 1998 (Pub. L. 105-318), elevated identity theft from a supporting charge — previously prosecutable only as fraud or wire fraud — to a standalone federal felony. Prior to 1998, federal prosecutors could charge identity-related conduct only under predicate offenses; ITADA created an independent criminal framework.

FACTA (2003, Pub. L. 108-159) operates in the civil and regulatory domain, amending FCRA to impose obligations on consumer reporting agencies (CRAs) and data furnishers regarding fraud alerts, credit freezes, truncation of account numbers, and identity theft block procedures.

The scope of federal identity theft law extends to:

The types and categories of identity theft that these statutes address range from financial account takeover to criminal impersonation.


Core Mechanics or Structure

18 U.S.C. § 1028 — Identity Fraud

Section 1028 establishes eight distinct criminal offenses related to identification documents and authentication features. Penalties scale by conduct type: base offenses carry up to 15 years imprisonment; offenses committed in connection with drug trafficking or crimes of violence carry up to 20 years; offenses involving terrorism carry up to 30 years (18 U.S.C. § 1028(b)).

18 U.S.C. § 1028A — Aggravated Identity Theft

Added by the Identity Theft Penalty Enhancement Act of 2004 (Pub. L. 108-275), § 1028A imposes a mandatory consecutive 2-year prison term for identity theft committed during, or in relation to, a predicate felony enumerated in the statute. A 5-year consecutive term applies when the predicate offense involves terrorism. Courts have no discretion to impose concurrent sentences under § 1028A — the term runs consecutively by statutory mandate.

FACTA Consumer Mechanisms

FACTA introduced four operational mechanisms embedded in FCRA:

  1. Fraud alerts — A 1-year initial fraud alert, or 7-year extended alert for documented victims, placed in a consumer's file at any of the 3 major CRAs (Equifax, Experian, TransUnion) triggers mandatory notification to the other two.
  2. Identity theft blocking — Section 605B of FCRA ([15 U.S.C.
  3. Free credit reports — FACTA mandated annual free credit report access through AnnualCreditReport.com, administered jointly by the three major CRAs.
  4. Truncation of account numbers — Merchants are prohibited from printing more than the last 5 digits of a payment card number on any electronically printed receipt.

The FTC administers rulemaking authority over FACTA's consumer protection provisions, while the Consumer Financial Protection Bureau (CFPB) holds supervisory authority over large CRAs and financial institutions under the Dodd-Frank Act of 2010.


Causal Relationships or Drivers

The 1998 enactment of ITADA responded directly to a documented gap in federal law: prosecutors pursuing identity-related schemes were forced to charge mail fraud, wire fraud, or bank fraud as primary offenses, with identity theft treated as means rather than crime. Congressional findings accompanying ITADA cited identity theft as the fastest-growing financial crime in the United States at the time of passage.

FACTA's 2003 enactment was driven by the rapid growth of consumer credit data infrastructure and rising complaint volume at the FTC. The FTC's Consumer Sentinel Network documented a substantial increase in identity theft complaints throughout the late 1990s and early 2000s, creating legislative pressure for direct consumer remedies rather than reliance solely on criminal prosecution.

The Identity Theft Penalty Enhancement Act of 2004 addressed prosecutorial observations that defendants were committing predicate felonies with stolen identity documentation as a tool — particularly in immigration fraud, social security fraud, and tax fraud — without facing identity-specific criminal exposure proportionate to the enabling role that identity theft played. Tax identity theft and social security identity theft represent sectors where the § 1028A mandatory consecutive sentence has been applied most frequently by federal prosecutors.

The CFPB's assumption of FCRA supervisory authority in 2011 (under Dodd-Frank, Pub. L. 111-203) shifted enforcement gravity from the FTC toward a dedicated consumer financial regulator — a structural change with ongoing implications for CRA compliance obligations.


Classification Boundaries

Federal identity theft law intersects with but is distinct from:

| Domain | Governing Law | Primary Enforcer |
|---|---|---|
| Criminal identity theft prosecution | 18 U.S.C. §§ 1028, 1028A | DOJ / U.S. Attorneys |
| Consumer credit reporting rights | 15 U.S.C. § 1681 (FCRA/FACTA) | CFPB, FTC |
| Financial institution fraud | 18 U.S.C. § 1344 (bank fraud) | DOJ, FBI |
| Healthcare identity fraud | 42 U.S.C. § 1320a-7b | HHS OIG, DOJ |
| Tax identity fraud | 26 U.S.C. § 7201 et seq. | IRS, DOJ Tax Division |
| Social Security fraud | 42 U.S.C. § 408 | SSA OIG, DOJ |
| State criminal statutes | Varies by state | State AG, local prosecutors |

The boundary between federal criminal jurisdiction and state identity theft laws is primarily determined by whether the conduct triggers a federal predicate — use of interstate wire communications, involvement of federally insured financial institutions, or misuse of federal benefit programs.

Financial identity theft and medical identity theft each involve distinct regulatory regimes layered on top of the base criminal statute.


Tradeoffs and Tensions

Mandatory Minimums vs. Prosecutorial Flexibility

The § 1028A mandatory consecutive 2-year sentence, while designed to deter aggravated identity theft, has generated tension in federal sentencing. The Supreme Court addressed statutory interpretation of § 1028A in Flores-Figueroa v. United States, 556 U.S. 646 (2009), holding that the government must prove the defendant knew the means of identification belonged to an actual person — raising the evidentiary burden and narrowing the statute's reach in cases involving synthetic or fabricated credentials. Synthetic identity theft cases often fall outside § 1028A's reach precisely because no real person's identity is knowingly used.

Consumer Rights vs. Data Industry Interests

FACTA's blocking and fraud alert provisions impose costs on CRAs and data furnishers. The rulemaking record for FACTA implementation shows industry opposition to the 4-business-day blocking timeline as operationally unworkable at scale, while consumer advocates argued the timeline was not short enough. This tension persists in ongoing CFPB rulemaking.

Federal Preemption vs. State Law

FCRA contains an explicit preemption provision (15 U.S.C. § 1681t) that bars states from imposing requirements on CRAs inconsistent with the federal scheme in enumerated areas — while preserving state authority in others. California, Minnesota, and other states have enacted supplementary identity theft protections that operate in the spaces FCRA preemption does not cover.


Common Misconceptions

Misconception: ITADA created a private right of action for identity theft victims.
ITADA amended 18 U.S.C. § 1028 as a criminal statute. It does not create a civil cause of action allowing victims to sue perpetrators directly under that provision. Civil remedies arise under FCRA/FACTA (against CRAs and furnishers), state consumer protection statutes, or common law tort theories — not under § 1028 itself.

Misconception: Filing an FTC identity theft report triggers criminal prosecution.
The FTC's identity theft reporting function at IdentityTheft.gov generates an FTC Identity Theft Report — an administrative document used to invoke FCRA remedies. The FTC does not prosecute crimes; criminal referrals are handled by the DOJ and U.S. Attorneys. The FTC report has no direct effect on prosecutorial decisions.

Misconception: A credit freeze prevents identity theft.
A credit freeze, authorized under 15 U.S.C. § 1681c-1 as amended by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (Pub. L. 115-174), restricts new creditor access to a credit file but does not block fraud in existing accounts, medical billing fraud, tax fraud, or employment fraud. The credit freeze and fraud alert guide addresses these scope limits in detail.

Misconception: FACTA's free credit report entitlement is annual and unlimited.
Each consumer is entitled to 1 free credit report from each of the 3 major CRAs per 12-month period through AnnualCreditReport.com (15 U.S.C. § 1681j). Additional reports may be obtained in circumstances including adverse action, fraud alert placement, or state law entitlements — but the baseline federal entitlement is 3 reports per year total (one per bureau), not unlimited.


Checklist or Steps (Non-Advisory)

The following sequence describes the procedural elements of a federal identity theft statutory remedy engagement. These steps reflect the mechanics of the statutory framework, not legal advice.

FCRA/FACTA Consumer Remedy Sequence

Criminal Reporting Pathway


Reference Table or Matrix

| Statute | U.S. Code Citation | Primary Function | Enforcing Body | Key Penalty/Remedy |
|---|---|---|---|---|
| Identity Theft and Assumption Deterrence Act (1998) | 18 U.S.C. § 1028 | Criminalizes identity fraud | DOJ / U.S. Attorneys | Up to 15–30 years imprisonment |
| Identity Theft Penalty Enhancement Act (2004) | 18 U.S.C. § 1028A | Mandatory consecutive sentence for aggravated ID theft | DOJ | Mandatory 2-year consecutive term |
| Fair Credit Reporting Act (1970, as amended) | 15 U.S.C. § 1681 et seq. | Consumer credit file accuracy and access rights | CFPB, FTC | Civil damages, regulatory enforcement |
| Fair and Accurate Credit Transactions Act (2003) | Amends 15 U.S.C. § 1681 | Fraud alerts, blocking, free reports, truncation | CFPB, FTC | Injunctive relief, statutory damages up to $1,000 per violation (15 U.S.C. § 1681n) |
| Economic Growth, Regulatory Relief, and Consumer Protection Act (2018) | Pub. L. 115-174 | Free security freezes; enhanced protections | FTC, CFPB | Free freeze mandate |
| Gramm-Leach-Bliley Act (1999) | 15 U.S.C. § 6801 et seq. | Financial institution data safeguards | FTC, federal banking regulators | Civil enforcement, regulatory action |
| Health Insurance Portability and Accountability Act (1996) | 42 U.S.C. § 1320d et seq. | Protected health information security | HHS Office for Civil Rights | Civil penalties up to $1.9 million per violation category per year ([HHS Summary of HIPAA Security Rule](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations |