State Identity Theft Laws: Variation Across US Jurisdictions

Identity theft is criminalized at the federal level under 18 U.S.C. § 1028, but the operational weight of prosecution and victim remediation falls substantially on state-level statutes, which vary in scope, penalty structure, and civil remedy provisions. All 50 states have enacted dedicated identity theft laws, yet the definitions, felony thresholds, restitution mechanisms, and enforcement agency designations differ significantly across jurisdictions. These variations shape the services offered by recovery professionals, the exposure faced by consumers, and the investigative pathways available to victims seeking relief — context that is directly relevant to practitioners and researchers navigating the identity theft services landscape.

Definition and scope

At the federal level, the Identity Theft and Assumption Deterrence Act of 1998 (18 U.S.C. § 1028) established a baseline definition: the knowing transfer, possession, or use of another person's means of identification with intent to commit unlawful activity. The Federal Trade Commission (FTC) administers the national consumer-facing response infrastructure, including IdentityTheft.gov.

State statutes extend, narrow, or layer onto this baseline in four structurally distinct ways:

1. Definitional breadth — Some states, including California under Penal Code § 530.5, define "personal identifying information" to include biometric data, insurance policy numbers, and digital identifiers. Others restrict the definition to Social Security numbers, financial account numbers, and government-issued IDs.
2. Threshold for felony classification — Dollar-value thresholds triggering felony charges range from $500 in states such as Virginia to $2,500 or more in others. Below those thresholds, conduct may be classified as a misdemeanor, carrying substantially lighter penalties.
3. Aggravated identity theft provisions — A subset of states mirror the federal aggravated identity theft statute (18 U.S.C. § 1028A), which mandates a consecutive 2-year sentence for identity theft committed during certain predicate felonies.
4. Civil remedy access — California, Texas, and New York each provide statutory civil causes of action that allow victims to sue for actual damages, attorney fees, and in some cases statutory damages without proving a specific dollar loss.

The National Conference of State Legislatures (NCSL) maintains a comparative index of state identity theft statutes, including citation tables updated through legislative session records.

How it works

State identity theft prosecutions typically proceed through a sequence of institutional actors:

1. Victim report — A victim files with local law enforcement or the state attorney general's consumer protection division. The FTC's IdentityTheft.gov platform generates an Identity Theft Report that carries legal weight in many states as a substitute for a police report.
2. Jurisdictional determination — Prosecutors assess whether the conduct crosses state lines (implicating federal jurisdiction under 18 U.S.C. § 1028), involves a single-state actor, or requires coordination with financial regulators such as state banking departments.
3. Charge calibration — Charges are tiered based on the aggravating factors codified in state law: prior convictions, victim vulnerability (elder fraud provisions exist in at least 40 states per the National Center for Victims of Crime), organized criminal conduct, or use of identity information to obtain government benefits.
4. Restitution and remediation orders — State courts may order restitution under general criminal statutes or under identity theft-specific restitution provisions. Some states authorize courts to order defendants to notify credit bureaus and assist with credit repair.
5. Administrative civil remedies — Separate from criminal prosecution, state attorneys general in California, New York, and Florida have authority under consumer protection statutes to seek civil penalties, injunctive relief, and remediation orders.

Practitioners navigating victim services should consult the purpose and scope of this provider network for how professional providers are structured by service category and jurisdiction.

Common scenarios

The following patterns represent the primary fact patterns driving state-level identity theft prosecutions and victim service engagements:

• Financial account takeover — Unauthorized access to existing bank or credit accounts. Most states classify this as identity theft when a third party's identifying credentials are used, regardless of whether new accounts are opened.
• Synthetic identity fraud — Combining a real Social Security number (often belonging to a minor or deceased person) with fabricated name and address data to create a new credit profile. This pattern is harder to prosecute because no single real person's complete identity is used. The Consumer Financial Protection Bureau (CFPB) has documented synthetic identity fraud as a distinct category not uniformly addressed in state statutes.
• Medical identity theft — Use of another person's insurance credentials to obtain healthcare services or prescriptions. At least 12 states have enacted health-specific identity theft provisions (NCSL Health Identity Theft Statutes). The Department of Health and Human Services (HHS) coordinates federal HIPAA enforcement but state criminal statutes govern criminal prosecution.
• Tax identity fraud — Filing fraudulent state income tax returns using a victim's Social Security number. State revenue agencies, including the California Franchise Tax Board and the New York State Department of Taxation and Finance, maintain dedicated fraud units with referral relationships to state attorneys general.
• Child identity theft — Use of a minor's Social Security number, often undetected for years. The Social Security Administration (SSA) administers the foundational identifier infrastructure, while state child-specific statutes govern criminal liability.

Decision boundaries

Practitioners and researchers working across jurisdictions encounter four core decision points that determine which legal framework governs a given case:

Federal vs. state jurisdiction — Federal prosecution is more likely when identity theft crosses state lines, involves interstate wire fraud, or is part of an organized criminal scheme. The Department of Justice (DOJ) maintains jurisdictional guidance, but dual prosecution is not precluded; a defendant may face both federal and state charges for the same conduct under the dual sovereignty doctrine.

Criminal vs. civil pathways — Not all identity theft incidents support criminal prosecution. Civil actions under state consumer protection statutes, Fair Credit Reporting Act (15 U.S.C. § 1681) provisions, or state-specific civil identity theft statutes provide alternative remediation routes when criminal prosecution thresholds are not met.

Aggregation rules — Some states permit charging prosecutors to aggregate the dollar value of multiple identity theft incidents against the same victim to reach a felony threshold. Others require each incident to independently satisfy the threshold. This distinction directly affects charge severity across otherwise similar fact patterns.

Elder and vulnerable adult provisions — At least 40 states impose enhanced penalties when the victim is 65 or older or is classified as a vulnerable adult under state elder abuse statutes. The penalties in these cases can escalate a charge by one full felony degree. Victims seeking professional assistance should review the resource guide for service categories organized by victim population.