State Identity Theft Laws: Variation Across US Jurisdictions
State-level identity theft statutes create a fragmented enforcement landscape across all 50 US jurisdictions, with substantial variation in criminal classifications, penalty structures, civil remedies, and definitional scope. This page maps the structural dimensions of that variation — covering how states define the offense, how penalty thresholds differ, which conduct categories fall inside or outside state law, and how state frameworks interact with federal identity theft law. Researchers, legal professionals, and affected individuals navigating multi-state incidents need to understand these jurisdictional boundaries to assess exposure, remedies, and reporting obligations accurately.
Definition and scope
No uniform statutory definition of identity theft applies across all 50 states. The National Conference of State Legislatures (NCSL) has tracked identity theft legislation since the late 1990s, when California became the first state to criminalize the conduct in 1997. As of the mid-2020s, all 50 states, the District of Columbia, and US territories maintain at least one statute addressing identity theft or identity fraud, but the operative definitions diverge significantly.
Statutory definitions vary along three primary axes:
- What constitutes "personal information" — Some states, including California under Penal Code § 530.5, enumerate specific data types (name, address, Social Security number, account number, date of birth). Others adopt broader formulations covering "any information" that identifies an individual.
- Required mental state (mens rea) — Most statutes require knowing or intentional use of another's identity, but a subset of states also criminalizes reckless misappropriation.
- Whether possession alone triggers liability — Several states criminalize possession of identifying information with intent to defraud, even absent completed use. Others require a completed act of fraud or attempted financial gain.
The Federal Trade Commission maintains the IdentityTheft.gov platform and the FTC Act provides federal baseline protections, but does not preempt state criminal statutes. The federal Identity Theft and Assumption Deterrence Act of 1998 (18 U.S.C. § 1028) establishes federal jurisdiction without displacing the parallel state-level regime. Understanding this dual-track structure is foundational when evaluating identity theft penalties and prosecution at either level.
How it works
State identity theft statutes operate through criminal and civil tracks simultaneously. The criminal enforcement structure generally follows this sequence:
- Offense classification — States classify identity theft as a misdemeanor or felony, typically based on the dollar value of fraudulent transactions or the volume of victims affected. For example, Texas Penal Code § 32.51 grades the offense from a Class C misdemeanor (fewer than 5 items of identifying information) through a first-degree felony (50 or more items).
- Penalty calculation — Threshold triggers vary widely. California's Penal Code § 530.5 establishes felony penalties for any completed identity theft regardless of dollar amount. By contrast, many states set a $500–$1,000 threshold before felony classification applies.
- Aggregation provisions — At least 30 states include aggregation clauses allowing prosecutors to combine the value of multiple fraudulent transactions — sometimes across multiple victims — to reach higher felony thresholds. This mirrors the federal aggravated identity theft statute (18 U.S.C. § 1028A), which mandates a 2-year consecutive sentence.
- Civil cause of action — A distinct civil remedy track allows victims to sue perpetrators directly. Florida, California, and Michigan, among others, permit statutory civil damages ranging from actual losses to treble damages in aggravated cases.
- Restitution orders — All 50 states authorize some form of criminal restitution, though the scope of covered losses (direct financial harm vs. remediation costs such as credit repair and legal fees) differs by jurisdiction.
State consumer protection offices, coordinated through the National Association of Attorneys General (NAAG), often handle civil enforcement actions against entities facilitating identity theft through negligent data practices.
Common scenarios
The variation across state statutes becomes operationally significant in four recurring fact patterns:
Multi-state offenses — When a perpetrator in one state uses the identity of a victim in a second state to commit fraud against a financial institution in a third state, all three jurisdictions may have concurrent authority. State prosecutions frequently proceed on whichever forum assembled evidence first, with federal prosecution reserved for the most organized criminal conduct. This is particularly relevant in data breach and identity theft incidents involving victim populations across multiple states.
Medical and tax identity theft — Medical identity theft and tax identity theft trigger state-specific reporting obligations in addition to federal ones. Sixteen states have enacted dedicated medical identity theft statutes as of NCSL tracking data, separate from general identity fraud laws. State tax agencies — such as the California Franchise Tax Board or the New York Department of Taxation and Finance — operate parallel remediation processes distinct from the IRS Identity Protection PIN program.
Child and synthetic identity theft — Child identity theft and synthetic identity theft often go undetected for years, and state statutes differ in whether minors or estates of deceased individuals qualify as protected persons. California, Texas, and Florida explicitly extend their identity theft statutes to cover the use of deceased persons' identifying information.
Employment and government benefits fraud — Employment identity theft and government benefits identity theft activate both state labor agency jurisdiction and state benefits administration enforcement, in addition to federal tax and benefits fraud statutes.
Decision boundaries
Assessing which legal framework governs a specific incident requires evaluating four boundary conditions:
Federal vs. state jurisdiction — Federal prosecution under 18 U.S.C. § 1028 or § 1028A typically attaches when the conduct involves interstate commerce, federal benefits, or organized criminal activity. State jurisdiction attaches when the fraudulent act and victim are localized within that state. Both tracks can proceed simultaneously without double jeopardy bar due to the dual sovereignty doctrine (recognized in Gamble v. United States, 587 U.S. 678 (2019)).
Civil vs. criminal remedies — Criminal prosecution and civil suit are not mutually exclusive. Victims in states with statutory civil causes of action — California, Florida, Texas — can pursue direct damages while criminal proceedings remain pending.
Minimum threshold classification:
| State | Felony Threshold (Value) | Felony Threshold (Item Count) | Statutory Citation |
|---|---|---|---|
| California | Any completed offense | Not applicable | Penal Code § 530.5 |
| Texas | Varies by tier | 5 items (Class A misdemeanor) / 50+ items (1st degree felony) | Penal Code § 32.51 |
| Florida | $5,000 (third-degree felony) | 3+ items | F.S. § 817.568 |
| New York | $500 (Class E felony) | Not the primary metric | Penal Law § 190.78–190.80 |
Reporting obligations — State data breach notification laws interact directly with identity theft statutes. All 50 states have enacted data breach notification laws (NCSL, State Data Breach Notification Laws), with notification timelines ranging from 30 days (Florida F.S. § 501.171) to no specified deadline in some jurisdictions. Breach notification obligations affect the evidentiary record available to identity theft victims and prosecutors alike.
Practitioners and researchers working across jurisdictions should reference both state attorney general offices and the FTC's consumer protection enforcement framework as dual authoritative sources on current enforcement posture. For a structured breakdown of specific offense categories relevant to individual claim types, the identity theft types and categories reference and the identity theft reporting steps framework provide classification context that applies across jurisdictions.
References
- National Conference of State Legislatures — Identity Theft Statutes
- National Conference of State Legislatures — Security Breach Notification Laws
- Federal Trade Commission — Identity Theft and Assumption Deterrence Act
- Federal Trade Commission — IdentityTheft.gov
- US Department of Justice — Identity Theft (18 U.S.C. § 1028)
- National Association of Attorneys General (NAAG)
- California Legislative Information — Penal Code § 530.5
- Texas Statutes — Penal Code § 32.51
- Florida Statutes — F.S. § 817.568
- [New York Penal Law § 190.78–190.80](https://www.nysenate.gov/