How to Report Identity Theft: Federal, State, and Local Procedures
Identity theft reporting in the United States operates across three distinct jurisdictional layers — federal, state, and local — each with defined intake channels, statutory authority, and remediation scope. The Federal Trade Commission serves as the primary federal intake point under 15 U.S.C. § 6102, while state attorneys general and local law enforcement maintain parallel reporting channels with their own procedural requirements. Understanding which channel applies to a given incident type determines the speed and effectiveness of the remediation process, including the issuance of Identity Theft Reports, fraud alerts, and credit freeze mechanisms. For a structured overview of service providers operating in this space, see the Identity Theft Providers provider network.
Definition and scope
Identity theft reporting refers to the formal process of documenting and submitting a verified account of identity misuse to a recognized governmental or regulatory authority. Under the Identity Theft Enforcement and Restitution Act of 2008 (Public Law 110-326), identity theft encompasses the knowing transfer, possession, or use of a means of identification belonging to another person without lawful authority, with the intent to commit a federal crime. The FTC's IdentityTheft.gov platform (ftc.gov/identitytheft) operationalizes this definition into a structured intake system that generates a personalized recovery plan and a formal Identity Theft Report — a document recognized by creditors, debt collectors, and credit bureaus under the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.).
Scope distinctions matter for channel selection. Federal reporting applies when the theft involves federal benefit fraud, tax fraud, or interstate wire fraud. State-level reporting applies when a state identity theft statute has been violated — all 50 states and the District of Columbia have enacted such statutes (National Conference of State Legislatures, Identity Theft Laws). Local law enforcement reports are required when a creditor or financial institution demands a police report number as part of its dispute resolution process.
How it works
The reporting process follows a structured sequence across jurisdictional tiers:
-
Document the incident. Collect account statements, collection notices, tax forms, or benefit denial letters that evidence the fraudulent activity. The Social Security Administration (ssa.gov) maintains a reporting intake for SSN misuse.
-
File with the FTC. Submit a report at IdentityTheft.gov. The FTC generates an Identity Theft Report and a step-by-step recovery plan tailored to the incident type. This report satisfies the "identity theft report" requirement under FCRA § 605B, which mandates credit bureaus to block fraudulent tradelines as processing allows of receiving the report.
-
Place fraud alerts or credit freezes. Under FCRA § 605A, a fraud alert requires creditors to verify identity before extending credit. A security freeze — available at no cost under the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (Public Law 115-174) — restricts new credit file access entirely. The three major nationwide credit reporting agencies — Equifax, Experian, and TransUnion — each maintain online freeze portals.
-
File a state-level report. Most state attorneys general operate consumer protection intake portals. The National Association of Attorneys General (naag.org) maintains a provider network of state AG offices. Some states — including California under the California Consumer Privacy Act (Cal. Civ. Code § 1798.80 et seq.) — impose additional notification and remediation obligations on businesses that experienced the breach.
-
File a local police report. Bring the FTC Identity Theft Report to the local law enforcement agency with jurisdiction over the victim's address. Request a copy of the filed report with the case number. This copy satisfies creditor demands and supports FCRA dispute processes.
-
Notify relevant sector-specific agencies. Tax identity theft requires a report to the IRS via Form 14039 (irs.gov/form14039). Medical identity theft requires contacting the relevant provider and, in Medicare/Medicaid cases, the HHS Office of Inspector General (oig.hhs.gov).
Common scenarios
Tax identity theft occurs when a fraudulent return is filed using a victim's Social Security Number. The IRS Identity Protection Specialized Unit handles these cases; victims receive an IP PIN (Identity Protection Personal Identification Number) for future filings.
Financial account fraud involves unauthorized opening of credit accounts or takeover of existing accounts. This scenario triggers the FCRA § 605B blocking process through the FTC report.
Government benefits fraud — including fraudulent unemployment insurance claims — routes through both the FTC and the relevant state workforce agency. The U.S. Department of Labor maintains a fraud reporting portal (dol.gov/agencies/eta/unemployment-insurance-payment-accuracy).
Medical identity theft involves the use of a victim's identity to obtain healthcare services or insurance. Remediation requires written requests to healthcare providers for amended records, governed by HIPAA's right of amendment under 45 C.F.R. § 164.526.
For a comparative look at how federal and state reporting channels differ in scope and authority, the Identity Theft Provider Network Purpose and Scope page outlines the structural distinctions in the service landscape.
Decision boundaries
The selection of reporting channel is not discretionary — it is determined by the nature of the fraud and the remediation outcome required:
| Incident Type | Primary Channel | Secondary Channel |
|---|---|---|
| Credit account fraud | FTC (IdentityTheft.gov) | Local police, credit bureaus |
| Tax fraud | IRS Form 14039 | FTC |
| Benefits fraud | State workforce agency | FTC, DOL |
| Medical identity theft | Healthcare provider / HHS OIG | FTC |
| SSN misuse (non-tax) | SSA OIG | FTC, local law enforcement |
| Child identity theft | FTC | State AG, credit bureaus |
A local police report is not a substitute for an FTC Identity Theft Report, and vice versa. The FTC report satisfies FCRA obligations; the police report satisfies creditor-specific dispute requirements. Filing with one does not preclude or replace the other. The How to Use This Identity Theft Resource page outlines how this provider network structures access to professional services across these reporting categories.