Federal Laws Related to Identity Theft

^Pr^ep^ar^{ed f}^o^r^M^e^m^b^ers^an^d^Com^mⁱ^t^t^ees^of^C^ong^r^e^ss

According to the Federal Trade Commission, identity theft is the most common complaint from
consumers in all fifty states, and complaints regarding identity theft have grown for seven
consecutive years. Victims of identity theft may incur damaged credit records, unauthorized
charges on credit cards, and unauthorized withdrawals from bank accounts. Sometimes, victims
must change their telephone numbers or even their social security numbers. Victims may also
need to change addresses that were falsified by the impostor.
This report provides an overview of the federal laws that could assist victims of identity theft with
purging inaccurate information from their credit records and removing unauthorized charges from
credit accounts, as well as federal laws that impose criminal penalties on those who assume
another person’s identity through the use of fraudulent identification documents. This report will
be updated as events warrant.

Introduction ..............................................................................................................................1
Federal Laws Related to Identity Theft.....................................................................................1
Identity Theft Assumption and Deterrence Act...................................................................1
Identity Theft Penalty Enhancement Act............................................................................3
Fair Credit Reporting Act....................................................................................................3
Fair and Accurate Credit Transactions (FACT) Act of 2003...............................................4
Fair Credit Billing Act........................................................................................................5
Electronic Fund Transfer Act..............................................................................................5
Identity Theft Task Force..........................................................................................................6
Real ID......................................................................................................................................7
Author Contact Information............................................................................................................8

According to the Federal Trade Commission, identity theft is the most common complaint from
consumers in all 50 states, and accounts for over 35% of the total number of complaints the
Identity Theft Data Clearinghouse received for calendar years 2004, 2005, and 2006. In calendar ²
year 2006, of the 674,354 complaints received, 246,035 or 36% were identity theft complaints.
The identity theft victim’s information was misused for credit card fraud in 25% of the identity
theft complaints; for phone or utilities fraud in 16% of the identity theft complaints; for bank
fraud in 16% of the identity theft complaints; for employment-related fraud in 14% of the identity
theft complaints; for government documents or benefits fraud in 5% of the identity theft
complaints; for loan fraud in 5% of the identity theft complaints; and other types of identity theft
fraud made up 24% of the complaints.
As a result of identity theft, victims may incur damaged credit records, unauthorized charges on ³
credit cards, and unauthorized withdrawals from bank accounts. Sometimes, victims must
change their telephone numbers or even their social security numbers. Victims may also need to
change addresses that were falsified by the impostor. With media reports of data security breaches ⁴
increasing, concerns about new cases of identity theft are widespread.
This report provides an overview of the federal laws that could assist victims of identity theft with
purging inaccurate information from their credit records and removing unauthorized charges from
credit accounts, as well as federal laws that impose criminal penalties on those who assume ⁵
another person’s identity through the use of fraudulent identification documents. This report will
be updated as warranted.
While not exclusively aimed at consumer identity theft, the Identity Theft Assumption Deterrence
Act prohibits fraud in connection with identification documents under a variety of ⁶
circumstances. Certain offenses under the statute relate directly to consumer identity theft, and
impostors could be prosecuted under the statute. For example, the statute makes it a federal crime, ⁷
under certain circumstances, to knowingly and without lawful authority produce an identification

¹^T^h^{is re}^{port w}^a^{s orig}^ina^lly^pre^p^a^r^e^d^by^Aⁿ^gⁱ^e^A^.^W^e^{lborn, L}^e^gⁱ^sla^t^iv^e^A^ttorne^y^.
²^Fe^de^r^a^{l T}^r^a^d^e^C^o^m^m^is^sⁱ^on,^Ideⁿ^tity^The^f^t^Vic^{tim Com}^p^la^{int D}^a^ta^,^Fe^b.^7,²⁰^07,^a^t^ht^tp:/^/w^w^w^.^f^tc^.gov^/bc^p^/^e^du/
^mⁱ^c^r^os^ite^s^/^idthe^f^t/dow^nloa^ds^/^c^le^a^r^ing^h^o^u^s^e^_2⁰⁰^6.p^d^f^.
³^S^{ee Nan}^c^y^T^r^ej^o^s^,^“^Ideⁿ^tity^The^f^{t G}^e^ts^Pe^r^s^onal:^W^h^eⁿ^{a D}^e^{bit C}^a^r^d^N^u^m^b^e^r^Is^St^oleⁿ^,^Am^e^r^ic^a’s^Ne^{w Cr}^im^e^W^a^v^e
^{Hits Ho}^me^,^”^Washⁱⁿ^gt^oⁿ^P^o^st^at^F⁰^{1 (}^J^an^.¹³^,²⁰⁰⁸⁾^.
⁴^L^e^gi^sl^atⁱ^oⁿ^t^h^at^h^a^s^b^eenⁱⁿ^t^r^od^ucedⁱⁿ^respoⁿ^s^{e t}^o^t^h^eⁱⁿ^{crease i}ⁿⁱⁿ^f^o^rm^atⁱ^oⁿ^secu^ri^t^y^b^r^each^{es i}^s^dⁱ^scu^ssedⁱⁿ^CRS
^R^e^por^{t R}^L³³²⁷^3,^D^a^t^a^S^ecu^ri^t^y^{: F}^e^d^e^ra^l^L^e^gⁱ^sl^a^tⁱ^ve^A^p^p^r^oa^ch^es^,^b^y^Gⁱⁿ^a^M^a^ri^{e S}^t^even^s.
⁵^{For i}ⁿ^f^o^rm^a^{tion on}^sta^t^e^ideⁿ^t^ity^the^f^{t la}^{ws, se}^e^Na^tiona^l^Conf^e^r^eⁿ^c^e^of^Sta^t^e^L^e^gⁱ^sla^t^{ors, Ide}ⁿ^tity^The^f^{t Sta}^t^ute^s^&
^Crim^ina^l^P^e^na^ltie^{s, a}^t^htt^p^://w^ww.nc^sl.org^/^p^rog^r^a^m^s/^lis/priv^a^c^y^/ⁱ^dt^-sta^tute^s.htm^.
⁶^{18 U}^.^S.C^.¹⁰²⁸^{. T}^h^e^s^t^a^t^ute^lis^ts^s^e^v^e^r^a^{l a}^c^tions^tha^t^c^ons^tit^ute^f^r^a^{ud i}ⁿ^c^o^nne^c^tⁱ^{on w}^{ith i}^d^eⁿ^tif^ic^a^tion^doc^um^eⁿ^ts^.
^Ho^w^e^v^e^{r, f}^o^{r th}^e^p^u^r^p^o^s^e^s^o^f^th^is^re^p^o^r^t,^th^e^y^d^oⁿ^o^{t a}^{ll re}^la^te^t^o^c^oⁿ^s^u^m^e^r-re^la^te^d^id^eⁿ^tity^th^e^f^{t, i.e}^.^situ^a^tioⁿ^s^w^h^e^r^e^a
^c^ons^um^e^r^’^s^Socⁱ^a^l^Se^c^u^r^ity^num^be^r^or^dr^iv^e^r^’^s^lic^eⁿ^s^eⁿ^u^m^b^e^r^m^a^y^be^s^t^oleⁿ^aⁿ^d^us^e^d^{to e}^s^ta^bl^is^{h c}^r^e^d^{it a}^c^c^oun^ts^by
^aⁿ^im^postor.
⁷^A^c^co^rdⁱⁿ^{g t}^o^t^h^{e st}^at^u^t^e,^t^h^{e p}^r^o^hⁱ^bⁱ^tⁱ^oⁿ^s^lⁱ^st^ed^app^l^y^w^h^en^“t^h^eⁱ^d^en^tⁱ^fⁱ^catⁱ^oⁿ^do^cu^m^eⁿ^t^o^r^f^a^l^s^{e i}^d^en^tⁱ^fⁱ^catⁱ^oⁿ
⁽^c^onti^nue^d.^..)

document,⁸ authentication feature ,⁹ or false identification document;¹⁰ or to knowingly possess an
identification document that is or appears to be an identification document of the United States
which is stolen or produced without lawful authority knowing that such document was stolen or ¹¹
produced without such authority. It is also a federal crime to knowingly transfer or use, without ¹²
lawful authority, a means of identification of another person with the intent to commit, or aid or
abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony ¹³
under any applicable state or local law.
The punishment for offenses involving fraud related to identification documents varies depending ¹⁴
on the specific offense and the type of document involved. For example, a fine or imprisonment
of up to 15 years may be imposed for using the identification of another person with the intent to
commit any unlawful activity under state law, if, as a result of the offense, the person committing ¹⁵
the offense obtains anything of value totaling $1,000 or more during any one-year period. Other ¹⁶
offenses carry terms of imprisonment up to three years. However, if the offense is committed to
facilitate a drug trafficking crime or in connection with a crime of violence, the term of

^(...c^on^tin^ue^d)
^doc^um^eⁿ^{t is}^or^a^ppe^a^r^s^to^be^is^s^u^e^d^by^or^un^de^r^t^h^e^a^u^th^or^ity^of^the^Uⁿ^ite^{d S}^t^a^t^e^s^or^t^h^e^d^o^c^u^m^e^nt-^m^a^k^ingⁱ^m^plem^eⁿ^t
^is^de^sⁱ^gⁿ^e^d^or^s^u^ite^d^f^o^r^m^a^kⁱ^ng^s^u^c^h^aⁿ^ideⁿ^tⁱ^fⁱ^c^a^{tion d}^o^c^u^m^e^{nt or}^f^a^ls^e^ideⁿ^tif^ic^a^{tion doc}^um^eⁿ^t;”^t^h^e^doc^um^eⁿ^{t is}
^pr^e^s^eⁿ^te^{d w}^{ith the}^inteⁿ^t^to^de^f^r^a^{ud t}^h^e^Uⁿⁱ^t^e^d^Sta^t^e^s^;^or^“^e^ithe^r^t^h^e^pr^od^uc^tio^n,^tr^aⁿ^s^f^e^r^{, pos}^s^e^s^sⁱ^on,^or^us^e^pr^o^h^ib^ite^d
^b^y^t^hⁱ^s^sectⁱ^oⁿⁱ^sⁱⁿ^o^r^af^fect^{s i}ⁿ^t^e^rst^a^t^e^o^r^f^o^rei^gⁿ^co^mmerce,ⁱⁿ^cl^u^dⁱⁿ^g^t^h^{e t}^r^an^sf^{er o}^f^{a d}^o^c^u^m^en^t^b^y^el^ect^roⁿⁱ^{c m}^e^an^s,
^{or the}^m^e^aⁿ^{s of}^ideⁿ^tif^ic^a^tion,^ideⁿ^tif^ic^a^{tion d}^o^c^u^m^e^{nt, f}^a^lse^ideⁿ^tif^ic^a^tion^doc^um^eⁿ^{t, or}^d^o^c^u^m^e^nt-m^a^k^ingⁱ^m^ple^m^eⁿ^t
^is^tr^aⁿ^s^por^te^{d i}ⁿ^t^h^e^m^a^{il in the}^c^o^ur^s^e^of^the^pr^od^uc^tio^{n, tr}^aⁿ^s^f^e^r^{, pos}^s^e^s^sⁱ^on,^or^us^e^pr^o^h^ibi^t^e^d^by^this^s^e^c^tion.”¹⁸
^U^.^S.C^.¹⁰²⁸⁽^c⁾^.
⁸^I^d^eⁿ^tif^ic^a^tion^doc^um^eⁿ^{t is}^de^fⁱ^ne^{d a}^s^“^a^doc^um^eⁿ^{t m}^a^de^or^is^s^u^e^d^by^or^un^de^r^the^a^u^t^hor^ity^of^the^Uⁿ^ite^d^Sta^t^e^s
^G^o^vern^men^t^,^{a S}^t^at^e,^p^o^lⁱ^tⁱ^cal^su^bdⁱ^vⁱ^sⁱ^o^{n o}^f^{a S}^t^at^e,^{a f}^o^rei^gⁿ^go^vern^m^eⁿ^t^,^p^o^lⁱ^tⁱ^cal^su^bdⁱ^vⁱ^sⁱ^oⁿ^o^f^a^f^o^rei^gⁿ
^g^o^v^e^rn^m^e^{nt, a}ⁿⁱⁿ^te^rna^tio^na^{l g}^o^v^e^rnm^e^nta^l^{or a}ⁿ^inte^rⁿ^a^l^q^u^a^s^i-g^o^v^e^rn^m^e^nta^l^org^a^niz^a^{tion w}^h^ic^h,^w^h^eⁿ^c^o^m^p^le^te^d
^w^{ith inf}^o^r^m^a^{tion c}^o^nc^e^r^ning^a^pa^r^tic^ula^rⁱⁿ^divⁱ^d^u^a^l^{, is}^of^a^ty^pe^inte^nde^d^or^c^o^m^m^only^a^c^c^e^p^te^{d f}^o^r^the^p^u^r^p^os^e^of
^ideⁿ^tif^ic^a^tion^of^indivⁱ^dua^ls^.”¹⁸^U^.^S.C^.¹⁰²⁸⁽^d)⁽³⁾^.^I^d^eⁿ^tif^ic^a^tion^doc^um^eⁿ^ts^inc^l^u^d^e^S^o^cⁱ^a^l^Se^c^u^rⁱ^t^y^c^a^r^ds^{, bir}^t^h
^certⁱ^fⁱ^c^at^es,^d^rⁱ^v^{er’s l}ⁱ^cen^ses,^an^d^p^e^rsoⁿ^a^lⁱ^d^en^tⁱ^fⁱ^catⁱ^o^{n card}^s^.
⁹^A^u^t^h^en^tⁱ^catⁱ^o^{n f}^eat^u^r^{e i}^s^d^e^fⁱⁿ^e^d^{as “an}^y^h^o^l^o^g^ram^,^w^a^t^e^r^m^ark,^cer^tⁱ^fⁱ^catⁱ^oⁿ^,^sym^b^o^l^,^co^d^e^,ⁱ^m^age,^s^e^q^u^eⁿ^{ce o}^f
^num^be^r^s^or^le^tte^r^s^{, or}^ot^he^r^f^e^a^t^ur^e^tha^t^e^ithe^rⁱⁿ^dⁱ^vⁱ^dua^lly^orⁱⁿ^c^o^m^b^ina^{tion w}^{ith a}ⁿ^othe^r^f^e^a^t^ur^e^is^us^e^d^by^the^is^s^uⁱⁿ^g
^a^u^thor^ity^{on a}ⁿⁱ^d^eⁿ^tif^ic^a^tion^doc^um^eⁿ^{t, doc}^um^eⁿ^t-m^a^kⁱ^ngⁱ^m^ple^m^eⁿ^{t, or}^m^e^aⁿ^{s of}^ideⁿ^tif^ic^a^{tion to}^de^te^rm^ine^if^the
^doc^um^eⁿ^{t is}^c^o^uⁿ^te^r^f^e^{it, a}^lte^r^e^d,^or^ot^he^r^w^is^e^f^a^lsⁱ^f^ie^d.”^{18 U}^.^S^.^C^.¹⁰²⁸⁽^d)⁽¹⁾^.
¹⁰^F^a^l^s^{e i}^d^en^tⁱ^fⁱ^catⁱ^o^{n do}^cu^m^eⁿ^t^me^an^{s “a d}^o^c^u^m^en^t^o^f^{a t}^y^p^eⁱⁿ^t^eⁿ^d^e^d^o^r^co^mm^oⁿ^l^y^a^ccep^t^e^d^f^o^{r t}^h^{e pu}^rpo^s^{es o}^f
^ideⁿ^tif^ic^a^tion^of^indivⁱ^dua^ls^t^h^a^t^—⁽^A⁾^is^{not is}^s^u^e^d^by^or^un^de^r^t^h^e^a^u^thor^ity^of^a^g^ove^rⁿ^m^e^nta^l^eⁿ^ti^ty^or^w^a^s^is^s^u^e^d
^unde^r^the^a^u^t^hor^ity^of^a^g^ove^rnm^e^nta^l^eⁿ^tity^but^w^a^s^s^ubs^e^que^ntly^a^lte^re^{d f}^o^{r pur}^pos^e^s^of^d^e^c^e^{it; a}ⁿ^d^{(B) a}^ppe^a^r^{s to}^be
^issue^d^by^{or u}^nde^{r t}^h^e^a^u^t^hori^t^y^of^the^Unite^{d Sta}^t^e^s^G^o^v^e^rn^m^e^{nt, a}^Sta^t^e^,^a^p^o^litic^a^l^s^ubd^iv^ision^of^a^Sta^t^e^,^a^f^o^re^igⁿ
^g^o^v^e^rⁿ^m^e^{nt, a}^pol^itic^a^l^s^u^b^d^iv^is^io^{n of}^a^f^o^r^e^ig^{n g}^o^v^e^rⁿ^m^e^{nt, or}^aⁿⁱⁿ^te^rⁿ^a^tio^na^{l g}^o^v^e^rⁿ^m^e^nta^l^or^q^u^a^s^i-^g^o^v^e^rⁿ^m^e^nta^l
^or^g^a^niz^a^tion.”¹⁸^U^.^S.C^.¹⁰²⁸⁽^d⁾⁽⁴⁾^.
¹¹¹⁸^U^.^S.C.¹⁰²⁸^(a)(1^{) an}^d⁽²^).
¹²^Me^aⁿ^s^of^ideⁿ^tif^ic^a^tion^is^de^fⁱ^ne^{d a}^s^“^aⁿ^y^nam^e^or^num^be^r^tha^t^m^a^y^be^us^e^d^{, a}^l^oⁿ^e^or^{in c}^onj^unc^ti^oⁿ^w^{ith a}ⁿ^y^othe^r
^inf^o^r^m^a^{tion, to i}^d^eⁿ^tif^y^a^s^p^e^cⁱ^fⁱ^{c ind}ⁱ^vⁱ^dua^l,^inc^l^udi^ng^aⁿ^y^—⁽^A⁾^nam^e^{, s}^o^cⁱ^a^l^s^e^c^u^rⁱ^t^y^num^be^r^,^da^te^of^bir^t^h,^of^fⁱ^cⁱ^a^l
^Sta^t^e^or^g^o^v^e^rⁿ^m^e^{nt is}^s^u^e^d^dr^iv^e^r^’^s^lic^eⁿ^s^e^orⁱ^d^eⁿ^tif^ic^a^tion^num^be^r^,^a^lie^{n r}^e^gⁱ^s^t^r^a^tionⁿ^u^m^b^e^r^{, g}^o^v^e^rⁿ^m^e^{nt pa}^s^s^por^t
^num^be^r^,^em^ploy^e^r^or^ta^x^p^ay^e^r^identif^ic^a^{tion n}^u^m^b^e^r^{; (}^B⁾^uⁿ^iq^ue^bi^om^e^t^rⁱ^c^da^ta^{, s}^u^c^h^a^s^fⁱ^ng^e^r^pr^int,^v^o^ic^e^pr^int,^r^e^tina
^or^ir^is^im^a^g^e^,^or^othe^r^uni^que^phy^sⁱ^c^a^l^r^e^pr^e^s^eⁿ^ta^{tion; (}^C⁾^uⁿ^iq^ue^e^l^e^c^t^r^onic^ideⁿ^tif^ic^a^tion^num^be^r^,^a^d^dr^e^s^s^,^or^r^outiⁿ^g
^co^d^e^;^o^r^{(D) t}^e^l^eco^mm^uⁿⁱ^catⁱ^oⁿⁱ^d^en^tⁱ^f^yⁱⁿ^gⁱⁿ^f^o^r^m^atⁱ^oⁿ^o^r^{access d}^e^vi^{ce (as d}^e^fⁱⁿ^e^dⁱⁿ^sectⁱ^oⁿ¹⁰²⁹^(e)).^{” 1}⁸^U.^S^.^C.
¹⁰²⁸⁽^d)⁽⁷⁾^.
¹³¹⁸^U^.^S.C.¹⁰²⁸^(a)(7^).
¹⁴¹⁸^U^.^S^.^C^.¹⁰²⁸⁽^b⁾^.
¹⁵¹⁸^U^.^S.C.¹⁰²⁸^(b⁾⁽¹^)(D).
¹⁶^{18 U}^.^S.C^.¹⁰²⁸⁽^b⁾⁽²⁾^.

imprisonment could be up to twenty years.¹⁷ Offenses committed to facilitate an action of ¹⁸
international terrorism are punishable by terms of imprisonment up to twenty-five years.
The Identity Theft Penalty Enhancement Act was signed on July 15, 2004, (P.L. 108-275). The act
amends Title 18 of the United States Code to define and establish penalties for aggravated
identity theft and makes changes to the existing identity theft provisions of Title 18. Under the
law, aggravated identity theft occurs when a person “knowingly transfers, possess, or uses,
without lawful authority, a means of identification of another person” during and in relation to the ¹⁹
commission of certain enumerated felonies. The penalty for aggravated identity theft is a term
of imprisonment of two years in addition to the punishment provided for the original felony
committed. Offenses committed in conjunction with certain terrorism offenses are subject to an
additional term of imprisonment of five years. The act also directs the United States Sentencing
Commission to “review and amend its guidelines and its policy statements to ensure that the
guideline offense levels and enhancements appropriately punish identity theft offenses involving ²⁰
an abuse of position” adhering to certain requirements outlined in the legislation.
In addition to increasing penalties for identity theft, the act authorized appropriations to the
Justice Department “for the investigation and prosecution of identity theft and related credit card
and other fraud cases constituting felony violations of law, $2,000,000 for FY2005 and ²¹
$2,000,000 for each of the 4 succeeding fiscal years.”
While the Fair Credit Reporting Act (FCRA) does not directly address identity theft, it could offer
victims assistance in having negative information resulting from unauthorized charges or ²²
accounts removed from their credit files. The purpose of the FCRA is “to require that consumer
reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer
credit, personnel, insurance, and other information in a manner which is fair and equitable to the
consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such ²³
information.” The FCRA outlines a consumer’s rights in relation to his or her credit report, as
well as permissible uses for credit reports and disclosure requirements. In addition, the FCRA
imposes a duty on consumer reporting agencies to ensure that the information they report is

¹⁷^{18 U}^.^S.C^.¹⁰²⁸⁽^b⁾⁽³⁾^.
¹⁸^{18 U}^.^S.C^.¹⁰²⁸⁽^b⁾⁽⁴⁾^.
¹⁹^P^.^L^.¹⁰^8-2⁷⁵^,^Se^c^.^{2, t}^o^be^c^odifⁱ^e^d^a^t¹⁸^U.S.C^.¹⁰²⁸^A^.^Off^e^nse^s^tha^t^c^o^u^l^{d g}ⁱ^v^e^rise^{to a}^g^g^r^a^v^a^t^e^d^ideⁿ^tity^the^f^{t a}^r^e
^e^num^e^r^a^t^e^d^{in this}^s^e^c^tio^{n, a}ⁿ^{d i}ⁿ^c^l^ude^of^f^e^ns^e^s^r^e^la^ting^{to the}^f^{t of}^pub^lic^m^one^y^,^pr^ope^r^t^y^,^or^r^e^w^a^r^d^s^;^the^f^t,
^e^m^b^ezzl^e^m^en^t^,^o^r^mⁱ^sap^p^lⁱ^catⁱ^oⁿ^b^y^{a b}^aⁿ^k^o^f^fⁱ^{cer o}^r^e^m^p^l^o^y^e^e^;^t^h^ef^t^f^r^o^m^e^m^p^l^o^y^{ee b}^eⁿ^e^fⁱ^t^p^l^an^s;^fal^s^{e p}^e^rsoⁿ^a^tⁱ^oⁿ
^of^c^itiz^eⁿ^s^h^{ip; f}^a^ls^e^s^t^a^t^em^eⁿ^ts^{in c}^onne^c^tio^{n w}^{ith t}^h^e^a^c^quisⁱ^tⁱ^oⁿ^of^a^fⁱ^r^e^a^r^m^;^m^a^{il, ba}^nk^{, a}ⁿ^{d w}ⁱ^r^e^f^r^a^ud;^obtaⁱ^ning
^c^onsum^e^r^inf^o^rm^a^{tion by}^f^a^ls^e^pre^t^eⁿ^se^{s; a}^{nd c}^e^r^ta^{in im}^mⁱ^g^r^a^{tion v}ⁱ^ola^tions.^T^h^e^{list of}^e^num^e^r^a^t^e^d^of^fe^nse^s^w^{ill be}
^co^dⁱ^fⁱ^ed^at¹⁸^U.^S^.^C^.¹⁰²⁸^A⁽^c).
²⁰^P^.^L^.¹⁰^8-²⁷⁵^,^Se^c^.^5.
²¹^P^.^L^.¹⁰^8-²⁷⁵^,^Se^c^.^6.
²²^For^m^o^r^e^inf^o^r^m^a^{tion o}ⁿ^a^c^ons^u^m^e^r^’^s^rⁱ^g^h^ts^unde^r^the^FC^R^A^{, s}^e^e^C^R^S^R^e^por^{t R}^L³¹⁶⁶⁶^,^F^a^{ir Cre}^d^{it Re}^p^o^rti^ng^Ac^t:
^Rights^a^{nd Re}^s^p^onsⁱ^b^ili^tie^s^{, by}^Ma^r^g^a^r^e^t^Miky^ung^L^e^e^.
²³¹⁵^U^.^S^.^C^.¹⁶⁸¹⁽^b⁾^.

accurate, and requires persons who furnish information to ensure that the information they furnish
is accurate.
The FCRA allows consumers to file suit for violations of the act, which could include the ²⁴
disclosure of inaccurate information about a consumer by a credit reporting agency. A consumer
who is a victim of identity theft could file suit against a credit reporting agency for the agency’s
failure to verify the accuracy of information contained in the report and the agency’s disclosure of
inaccurate information as a result of the consumer’s stolen identity. Under the FCRA, as recently
amended, a consumer may file suit not later than the earlier of two years after the date of
discovery by the plaintiff of the violation that is the basis for such liability, or five years after the ²⁵
date on which the violation occurred.
The FACT Act, signed on December 4, 2003, includes, inter alia, a number of amendments to the ²⁶
Fair Credit Reporting Act aimed at preventing identity theft and assisting victims. Generally,
these new provisions mirror laws passed by state legislatures and create a national standard for ²⁷
addressing consumer concerns with regard to identity theft and other types of fraud.
Credit card issuers, who operate as users of consumer credit reports, are required, under a new
provision of the FCRA, to follow certain procedures when the issuer receives a request for an
additional or replacement card within a short period of time following notification of a change of ²⁸
address for the same account. In a further effort to prevent identity theft, other new provisions ²⁹
require the truncation of credit card account numbers on electronically printed receipts, and, ³⁰
upon request, the truncation of social security numbers on credit reports provided to a consumer.
Consumers who have been victims of identity theft, or expect that they may become victims, are ³¹
now able to have fraud alerts placed in their files. Pursuant to the new provisions, a consumer
may request a fraud alert from one consumer reporting agency and that agency is required to
notify the other nationwide consumer reporting agencies of the existence of the alert. In general,
fraud alerts are to be maintained in the file for 90 days, but a consumer may request an extended
alert which is maintained for up to seven years. The fraud alert becomes a part of the consumer’s
credit file and is thus passed along to all users of the report. The alert must also be included with
any credit score generated using the consumer’s file, and must be referred to other consumer ³²
reporting agencies.

²⁴^{15 U}^.^S.C^.¹⁶⁸^1n;¹⁵^U^.^S.C^.¹⁶⁸^1o.
²⁵^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹⁵^6.
²⁶^P^.^L^.¹⁰⁸^-¹⁵^9.^F^o^{r ef}^fectⁱ^v^{e d}^a^t^e^s^,^{see 6}⁸^F^R⁷⁴⁴⁶⁷^aⁿ^d⁶⁸^F^R⁷⁴⁵²⁹^(Decem^b^e^{r 2}⁴^,²⁰⁰³^).
²⁷^G^e^ne^r^a^ll^y^,^m^aⁿ^y^of^the^s^e^ne^w^f^e^de^r^a^{l pr}^ov^is^io^ns^pr^e^e^m^{pt s}ⁱ^m^ila^r^sta^t^e^la^w^s^{. For}^m^o^r^e^inf^o^r^m^a^{tion o}ⁿ^the^pr^e^e^m^ptiv^e
^e^ffe^c^t^{s of}^the^Fa^{ir Cre}^d^{it Re}^p^o^rtin^g^Ac^{t, se}^e^{CRS Re}^{port RS}²¹⁴⁴^9,^{Fair Cre}^d^it^Re^porti^ng^Ac^t:^Pr^e^e^m^ptioⁿ^{of S}^t^ate
^Law^,^by^Ma^r^g^a^r^e^t^Miky^ung^L^e^e^.
²⁸^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹¹^4.
²⁹^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹¹^3.
³⁰^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹¹^5.
³¹^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹¹^2.
³²^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹⁵^3.

In addition to the fraud alert, victims of identity theft may also have information resulting from ³³
the crime blocked from their credit reports. After the receipt of appropriate proof of the identity
of the consumer, a copy of an identity theft report, the identification of the alleged fraudulent
information, and a statement by the consumer that the information is not information relating to
any transaction conducted by the consumer, a consumer reporting agency must block all such
information from being reported and must notify the furnisher of the information in question that
it may be the result of identity theft. Requests for the blocking of information must also be ³⁴
referred to other consumer reporting agencies.
Victims of identity theft are also allowed to request information about the alleged crime. A
business entity is required, upon request and subject to verification of the victim’s identity, to
provide copies of application and business transaction records evidencing any transaction alleged
to be a result of identity theft to the victim or to any law enforcement agency investigating the ³⁵
theft and authorized by the victim to take receipt of the records in question.
The Fair Credit Billing Act (FCBA) is not an identity theft statute per se, but it does provide
consumers with an opportunity to receive an explanation and proof of charges that may have been
made by an impostor and to have unauthorized charges removed from their accounts. The purpose
of the FCBA is “to protect the consumer against inaccurate and unfair credit billing and credit ³⁶
card practices.” The law defines and establishes a procedure for resolving billing errors in
consumer credit transactions. For purposes of the FCBA, a “billing error” includes unauthorized
charges, charges for goods or services not accepted by the consumer or delivered to the consumer, ³⁷
and charges for which the consumer has asked for an explanation or written proof of purchase.
Under the FCBA, consumers are able to file a claim with the creditor to have billing errors
resolved. Until the alleged billing error is resolved, the consumer is not required to pay the
disputed amount, and the creditor may not attempt to collect, any part of the disputed amount, ³⁸
including related finance charges or other charges. The act sets forth dispute resolution
procedures and requires an investigation into the consumer’s claims. If the creditor determines
that the alleged billing error did occur, the creditor is obligated to correct the billing error and ³⁹
credit the consumer’s account with the disputed amount and any applicable finance charges.
Similar to the Fair Credit Billing Act, the Electronic Fund Transfer Act is not an identity theft
statute per se, but it does provide consumers with a mechanism for challenging unauthorized
transactions and having their accounts recredited in the event of an error. The purpose of the
Electronic Fund Transfer Act (EFTA) is to “provide a basic framework establishing the rights,

³³^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹⁵^2.
³⁴^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹⁵^3.
³⁵^P^.^L^.¹⁰^8-¹⁵⁹^,^Se^c^tioⁿ¹⁵^1.
³⁶¹⁵^U^.^S^.^C^.¹⁶⁰¹⁽^a⁾^.
³⁷¹⁵^U^.^S^.^C^.¹⁶⁶⁶⁽^b⁾^;¹²^C^.^F.^R^.²²⁶^.¹³⁽^a)^.
³⁸^{15 U}^.^S.C^.¹⁶⁶⁶⁽^c⁾^;¹²^C^.^F^.^R^.²²^6.1³⁽^d⁾⁽¹⁾^.
³⁹¹⁵^U^.^S^.^C^.¹⁶⁶⁶⁽^a⁾^;¹²^C^.^F.^R^.²²⁶^.¹³⁽^e⁾^.

liabilities, and responsibilities of participants in electronic fund transfer systems.”⁴⁰ Among other
things, the EFTA limits a consumer’s liability for unauthorized electronic fund transfers. If the
consumer notifies the financial institution within two business days after learning of the loss or
theft of a debt card or other device used to make electronic transfers, the consumer’s liability is
limited to the lesser of $50 or the amount of the unauthorized transfers that occurred before notice ⁴¹
was given to the financial institution.
Additionally, financial institutions are required to provide a consumer with documentation of all
electronic fund transfers initiated by the consumer from an electronic terminal. If a financial
institution receives, within 60 days after providing such documentation, an oral or written notice
from the consumer indicating the consumer’s belief that the documentation provided contains an
error, the financial institution must investigate the alleged error, determine whether an error has
occurred, and report or mail the results of the investigation and determination to the consumer ⁴²
within 10 business days. The notice from the consumer to the financial institution must identify
the name and account number of the consumer; indicate the consumer’s belief that the
documentation contains an error and the amount of the error; and set forth the reasons for the ⁴³
consumer’s belief that an error has occurred.
In the event that the financial institution determines that an error has occurred, the financial
institution must correct the error within one day of the determination in accordance with the ⁴⁴
provisions relating to the consumer’s liability for unauthorized charges. The financial institution
may provisionally recredit the consumer’s account for the amount alleged to be in error pending
the conclusion of its investigation and its determination of whether an error has occurred, if it is ⁴⁵
unable to complete the investigation within 10 business days.
The President’s Identity Theft Task Force reported its final recommendations April 2007, and
recommended a plan that is intended to harness government resources to crack down on the
criminals who traffic in stolen identities, strengthen efforts to protect the personal information,
help law enforcement officials investigate and prosecute identity thieves, help educate consumers
and businesses about protecting themselves, and increase the safeguards on personal data ⁴⁶
entrusted to federal agencies and private entities. The Plan focuses on improvements in four key
areas: keeping sensitive consumer data from identity thieves through better data security and
education; making it more difficult for identity thieves who obtain consumer data; assisting the
victims of identity theft in recovering from the crime; and deterring identity theft by more
aggressive prosecution and punishment. Several recommendations made by the Task Force are

⁴⁰¹⁵^U^.^S^.^C^.¹⁶⁹³⁽^b⁾^.
⁴¹^{15 U}^.^S.C^.¹⁶⁹³^g⁽^a⁾^{, 12}^C^.^F.R^.²^05.⁶⁽^b)⁽¹⁾^.
⁴²^{15 U}^.^S.C^.¹⁶⁹³^f⁽^a⁾^{, 12 C}^.^F.R^.²⁰^5.1¹⁽^b⁾^a^nd⁽^c⁾^.
⁴³^Id^.
⁴⁴^{15 U}^.^S.C^.¹⁶⁹³^f⁽^b)^.
⁴⁵^{15 U}^.^S.C^.¹⁶⁹³^f⁽^c⁾^{, 12 C}^.^F.R^.²⁰^5.1¹⁽^c⁾^.
⁴⁶^T^h^e^P^r^e^s^ideⁿ^{t’s Ide}ⁿ^tity^T^h^e^f^{t Ta}^sk^Forc^e^,^Comb^atin^{g I}^d^eⁿ^tity^The^{ft: A}^Strate^gⁱ^c^Plaⁿ^{, A}^p^r^il²⁰^{07 a}^t
^http:^//www^.ide^ntity^the^f^t.g^o^v^/^re^po^rts/Stra^te^gⁱ^c^P^la^n.^pdf^.

aimed at closing the gaps in federal criminal statutes used to prosecute identity theft-related ⁴⁷
offenses to ensure increased federal prosecution. They are as follows:
• Amend the identity theft and aggravated identity theft statutes to ensure that
identity thieves who misappropriate information belonging to corporations and
organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft
offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the
current requirement that the information must have been stolen through interstate
communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-
extortion
• Ensure that an identity thief’s sentence can be enhanced when the criminal
conduct affects more than one victim
In accordance with the REAL ID Act of 2005, on January 11, 2008, the Department of Homeland
Security (DHS) published the final rule for State-issued driver’s licenses and identification cards
that federal agencies would accept for official purposes on or after May 11, 2008, in accordance ⁴⁸
with the REAL ID Act of 2005. The Real ID Rule establishes standards to meet the minimum ⁴⁹
requirements of the REAL ID Act. These standards involve a number of aspects of the process
used to issue identification documents, including information and security features that must be
incorporated into each card; proof of identity and U.S. citizenship or legal status of an applicant;
verification of the source documents provided by an applicant; and security standards for the
offices that issue licenses and identification cards. All states submitting requests will receive
extensions until December 31, 2009. In addition, states that meet certain benchmarks for the
security of their credentials and licensing and identification processes will be able to obtain a
second extension until May 10, 2011. The Rule extends the enrollment time period to allow states
determined by DHS to be in compliance with the act to replace all licenses intended for official
purpose with REAL ID-compliant cards by December 1, 2014, for people born after December 1,
1964, and by December 1, 2017, for those born on or before December 1, 1964. The rule is
effective March 31, 2008.

⁴⁷^Id^.^at⁴^.
⁴⁸^{73 F.R}^.⁵²⁷¹⁽^J^aⁿ^{. 29}^,²⁰⁰⁸⁾^.
⁴⁹^Se^e^D^e^pa^r^t^m^e^{nt of}^H^o^m^e^la^{nd Se}^c^u^r^ity^{, R}^E^A^L^I^D^Fina^{l R}^u^le^{: Q}^u^e^s^tions^&^Aⁿ^s^w^e^r^s^a^t^http://w^w^w^.dhs^.g^ov^/
^x^p^r^e^v^p^r^o^t/^pr^og^r^a^m^s^/^g^c^_12¹⁴⁴²⁹¹⁹⁷¹⁴^9.s^h^tm^.

^Gin^a^{Marie Ste}^v^ens
^L^e^gⁱ^s^l^at^iv^{e A}^t^torn^e^y
^g^s^t^e^v^eⁿ^s^@^c^rs^.l^oc.g^ov^{, 7}^-²⁵⁸¹