Federal Identity Theft & Consumer Fraud Protection
Identity theft affects 15-20 million Americans per year with losses exceeding $20 billion annually — making it one of the most common financial crimes in the U.S. Federal law under 18 U.S.C. § 1028 criminalizes identity theft with penalties up to 15 years imprisonment (and a mandatory 2-year consecutive sentence for "aggravated" identity theft involving specific serious crimes). For consumers, the most powerful protective tools are free: since 2018, anyone can place a credit freeze with each of the three major bureaus at no cost, which prevents new credit from being opened in your name without lifting the freeze — a simple, effective protection that far too few people use proactively. Fraud alerts (1-year initial, 7-year extended for verified victims) are less protective but don't require lifting before applying for credit yourself. The FTC's IdentityTheft.gov provides a personalized recovery plan for victims. Beyond identity theft, the FTC Act's Section 5 prohibition on "unfair or deceptive acts or practices" is the FTC's broad enforcement authority used against deceptive advertising, data brokers, and fraud schemes — the legal foundation for most FTC consumer protection actions.
Current Law (2026)
| Parameter | Value |
|---|---|
| Core statutes | Identity Theft and Assumption Deterrence Act (1998), 18 U.S.C. § 1028; FACTA (2003), amending FCRA; FTC Act Section 5, 15 U.S.C. § 45 |
| Enforcement | FTC (civil enforcement, consumer education); DOJ (criminal prosecution); CFPB (financial institutions) |
| Identity theft victims annually | ~15-20 million Americans |
| Annual financial losses | ~$20+ billion |
| Credit freeze | Free nationwide since 2018 (Economic Growth Act); blocks all access to credit file |
| Fraud alerts | Initial (1 year); extended (7 years for identity theft victims); active duty (1 year for military) |
| Criminal penalties | Identity theft: up to 15 years; Aggravated identity theft: mandatory 2-year consecutive sentence |
| FTC Act Section 5 | Prohibits "unfair or deceptive acts or practices" in commerce — the FTC's broadest enforcement authority |
Legal Authority
- 18 U.S.C. § 1028 — Fraud and related activity in connection with identification documents (see also Computer Fraud and Abuse Act for related federal cybercrime statutes) (criminalizes producing, transferring, or possessing false identification documents; identity theft: knowingly using another person's identification to commit a federal crime or any unlawful activity; penalties up to 15 years)
- 18 U.S.C. § 1028A — Aggravated identity theft (mandatory 2-year consecutive prison sentence for using stolen identity during specified felonies — immigration fraud, theft of government benefits, wire/mail fraud, terrorism; sentence runs consecutive to, not concurrent with, the underlying offense)
- 15 U.S.C. § 1681c-1 — Identity theft prevention: fraud alerts (consumers may place fraud alerts requiring creditors to verify identity before extending credit; initial alerts last 1 year; extended alerts for confirmed victims last 7 years)
- 15 U.S.C. § 1681c-2 — Block of information resulting from identity theft (consumer reporting agencies must block reporting of information that the consumer identifies as resulting from identity theft, upon submission of an identity theft report)
- 15 U.S.C. § 45(a) — FTC Act Section 5 (unfair or deceptive acts or practices in or affecting commerce are declared unlawful; the FTC is empowered to prevent such practices — the broadest federal consumer protection authority)
How It Works
Identity theft is the fastest-growing category of consumer crime in America, affecting 15-20 million people annually. Federal law attacks the problem from multiple angles: criminal prosecution of identity thieves, consumer rights to protect and repair credit, and FTC enforcement authority over unfair and deceptive practices.
Federal criminal law targets identity theft under 18 U.S.C. § 1028 — the Identity Theft and Assumption Deterrence Act makes it a federal crime to knowingly transfer, possess, or use another person's identification with intent to commit any unlawful activity, with penalties up to 15 years for basic theft, 20 years when connected to drug trafficking, and 30 years for terrorism-related cases. The aggravated identity theft statute at 18 U.S.C. § 1028A adds a mandatory 2-year consecutive sentence whenever stolen identity is used during specified federal felonies — this sentence must be served in addition to the underlying crime's sentence, removing judicial discretion and creating a powerful deterrent for crimes like wire fraud and bank fraud.
On the civil side, FACTA (2003) amended the Fair Credit Reporting Act to arm consumers with prevention and recovery tools: 1-year fraud alerts (7-year extended alerts for confirmed victims) requiring creditors to verify identity before extending credit; free credit freezes that block all file access; and free annual credit reports (weekly since 2023) to monitor for unauthorized accounts. Section 5 of the FTC Act is the broader enforcement lever — declaring "unfair or deceptive acts or practices" unlawful and empowering the FTC to challenge deceptive advertising, telemarketing fraud, fake reviews, undisclosed endorsements, and data security failures. The "unfairness" prong requires substantial consumer injury that is not reasonably avoidable; the "deception" prong requires a material misrepresentation likely to mislead a reasonable consumer. Through Section 5 enforcement, the FTC has become the de facto federal data security regulator — dozens of consent orders have established de facto standards for encryption, access controls, vulnerability testing, incident response, and vendor management when companies fail to protect consumer data.
How It Affects You
If you're an identity theft victim or suspect your information has been stolen: Go to IdentityTheft.gov (the FTC's official recovery site) immediately — it creates a personalized recovery plan, generates the official FTC Identity Theft Report you'll need to dispute fraudulent accounts, and walks you through each step. Simultaneously, place a credit freeze at all three bureaus (Equifax, Experian, TransUnion) — free online or by phone — to prevent new accounts from being opened. If you're a confirmed identity theft victim, you can place a 7-year extended fraud alert (§ 1681c-1), which forces creditors to take steps to verify your identity before extending credit. Credit bureaus must block fraudulent information from your report when you submit an identity theft report (§ 1681c-2) — use this to remove fraudulent accounts quickly. Report to local police and keep the report number. For tax-related identity theft (someone filed a return using your SSN), contact the IRS Identity Protection Specialized Unit at 1-800-908-4490 and request an IP PIN. For medical identity theft, contact your insurer and the relevant healthcare providers to correct fraudulent records.
If you want to prevent identity theft before it happens: The credit freeze is the single most effective preventive tool — it costs nothing (since 2018), and you can freeze and unfreeze at each bureau individually online in minutes. Freeze all three bureaus, not just one. Monitor your reports weekly at AnnualCreditReport.com (free since 2023). Sign up for IRS Identity Protection PIN (irs.gov/ippin) to prevent tax refund fraud even if you haven't been victimized. Use unique, complex passwords and enable multi-factor authentication on financial accounts — credential stuffing attacks use leaked passwords from one site to access another. Be extremely cautious with unsolicited calls, texts, or emails claiming to be from the IRS, SSA, or banks: the IRS does not initiate contact by phone or email; the SSA will not call threatening arrest. Report suspicious contacts at ReportFraud.ftc.gov.
If you're a business or organization handling consumer data: The FTC treats inadequate data security as an "unfair practice" under FTC Act Section 5 — this is the FTC's primary enforcement authority and does not require a specific data security statute. FTC enforcement actions have established de facto minimum standards: encryption of sensitive data at rest and in transit, access controls limiting who can see consumer data, vulnerability testing, incident response plans, and vendor management for third parties with access to your systems. A data breach resulting from failure to meet these standards can trigger both FTC enforcement and state breach notification obligations (all 50 states require consumer notification of security breaches). If you collect consumer financial data, the FTC Safeguards Rule (16 CFR Part 314) under the Gramm-Leach-Bliley Act imposes specific security requirements on non-bank financial institutions — including auto dealers, mortgage brokers, and many fintech companies.
If you've been harmed by a deceptive or fraudulent business practice: File a complaint at ReportFraud.ftc.gov — the FTC uses complaint data to identify enforcement targets, and a critical mass of complaints about a particular business or practice significantly increases the likelihood of investigation. While the FTC generally cannot recover money for individual consumers (it seeks injunctions and industry-wide remedies), state attorneys general can bring parens patriae actions under state "mini-FTC Acts" and often recover consumer restitution. For specific fraud types: investment fraud → SEC (investor.gov) or FINRA; wire fraud → FBI Internet Crime Complaint Center (ic3.gov); mail fraud → USPS Inspector General; telemarketing fraud → FTC's Do Not Call registry complaint. Private plaintiffs have limited direct FTC Act claims, but many fraudulent practices also violate specific statutes that do provide private rights of action (FCRA, FDCPA, state consumer protection laws).
State Variations
- All 50 states have identity theft criminal statutes
- State credit freeze laws preceded and influenced federal law (now largely superseded by the federal free freeze)
- State data breach notification laws (all 50 states) require businesses to notify consumers of breaches — these are NOT preempted by federal law
- State consumer protection statutes (mini-FTC Acts) provide state-level enforcement and private rights of action for unfair/deceptive practices
- Some states provide additional identity theft victim rights beyond federal law
Implementing Regulations
- 12 CFR Part 41 — OCC identity theft red flags (detection, prevention, mitigation duties)
- 12 CFR Part 222 — Federal Reserve identity theft red flags
- 12 CFR Part 334 — FDIC Fair Credit Reporting (Identity Theft Red Flags and Disposal): the FDIC's FCRA implementing regulation for insured state nonmember banks and state savings associations — applying the identity theft detection, prevention, and mitigation requirements under FCRA Sections 114 and 315. Key provisions:
- § 334.83 — Disposal of consumer information: covered institutions must properly dispose of any consumer information derived from a consumer report — including credit bureau data, credit scores, and any information obtained in connection with a consumer financial transaction; "proper disposal" means taking reasonable measures to protect against unauthorized access during disposal, including burning, pulverizing, or shredding paper records; destroying or erasing electronic records so that the information cannot practicably be read or reconstructed; hiring a qualified disposal service; the obligation applies to consumer information regardless of how long ago it was obtained
- § 334.90 — Identity theft red flags (detection, prevention, and mitigation program): FDIC-supervised financial institutions and creditors must develop and implement a written Identity Theft Prevention Program (ITPP) for covered accounts; the program must include: (1) policies to identify relevant "red flags" (patterns, practices, or activities indicating possible identity theft); (2) procedures to detect red flags in the ordinary course of business; (3) responses to red flags that are detected — including contacting the customer, monitoring the account, not opening an account, or notifying law enforcement; (4) periodic updates to reflect changes in identity theft risks; the program must be approved by the board of directors or a board committee; staff must be trained
- § 334.91 — Address change duties for card issuers: if a card issuer (debit or credit) receives a request to change a cardholder's address and within 30 days receives a request for an additional or replacement card, the card issuer must not issue the new card until: (1) it notifies the cardholder of the address change request (using the old address or another previously established method), and (2) it provides the cardholder with a means to report any error; this provision targets a common identity theft vector — fraudsters change a victim's card billing address then immediately request a new card sent to the fraudster's address
Part 334 is the FDIC's parallel to the Interagency Red Flags Rule jointly issued by federal banking regulators — all four federal banking regulators (OCC in 12 CFR Part 41, Federal Reserve in 12 CFR Part 222, FDIC in 12 CFR Part 334, NCUA in 12 CFR Part 717) issued substantively identical red flags regulations for their respective supervised institutions. The disposal requirement in § 334.83 applies broadly to any consumer information derived from consumer reports — banks must have procedures for secure destruction of credit data from onboarding that may date back years. The red flags program in § 334.90 operates through a list of warning signs: calls from someone claiming they haven't received their card; new account applications with SSNs on the Social Security Administration's death list; addresses inconsistent with credit bureau file addresses; credit freezes preventing account opening; or presentation of identification documents that appear altered. Recent rulemakings: 72 FR 63718 (2007) — joint final rule for identity theft red flags; 74 FR 22639 (2009) — delayed effective date.
- 12 CFR Part 717 — NCUA identity theft red flags
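The address-change check summarized under § 334.91 above can be expressed as a small rule over an account event stream. The following is an added example, not code from any regulator or from this page's source; the event field names (`ts`, `account`, `type`, `via`, `error_channel`) and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # window given in the § 334.91 summary above

def day_offset(n):
    """Constructed timestamps: n days after an arbitrary start date."""
    return datetime(2026, 1, 1) + timedelta(days=n)

def review_card_requests(events):
    """Return (account, ts, decision) for every card request, in time order."""
    last_change, cleared, decisions = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, kind, ts = ev["account"], ev["type"], ev["ts"]
        if kind == "address_change":
            last_change[acct] = ts
            cleared[acct] = False  # every new change needs its own notice
        elif kind == "notice_sent" and acct in last_change:
            # A notice counts only if it went to the old address or another
            # previously established channel AND offered a way to report errors.
            if (ev.get("via") in ("old_address", "established_channel")
                    and ev.get("error_channel")):
                cleared[acct] = True
        elif kind == "card_request":
            changed = last_change.get(acct)
            if changed is None or ts - changed > WINDOW:
                decisions.append((acct, ts, "ISSUE"))  # no recent change
            elif cleared[acct]:
                decisions.append((acct, ts, "ISSUE"))  # cardholder notified
            else:
                decisions.append((acct, ts, "HOLD"))   # red flag: hold card
    return decisions

SAMPLE_EVENTS = [  # constructed data, not real account activity
    {"ts": day_offset(0), "account": "A", "type": "address_change"},
    {"ts": day_offset(2), "account": "A", "type": "card_request"},
    {"ts": day_offset(3), "account": "A", "type": "notice_sent",
     "via": "new_address", "error_channel": True},  # sent to changed address
    {"ts": day_offset(4), "account": "A", "type": "card_request"},
    {"ts": day_offset(5), "account": "A", "type": "notice_sent",
     "via": "old_address", "error_channel": True},
    {"ts": day_offset(6), "account": "A", "type": "card_request"},
    {"ts": day_offset(0), "account": "B", "type": "address_change"},
    {"ts": day_offset(45), "account": "B", "type": "card_request"},
    {"ts": day_offset(10), "account": "C", "type": "card_request"},
]

if __name__ == "__main__":
    for acct, ts, decision in review_card_requests(SAMPLE_EVENTS):
        print(acct, ts.date(), decision)
```

A notice sent only to the newly supplied address does not clear the hold, because that is the address a fraudster would control.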
Pending Legislation
- HR 7270 — Treasury grants for states to build secure digital IDs against identity-driven fraud. Status: Introduced.
- HR 7658 — Chip-enabled EBT cards, stronger online security to modernize SNAP payments. Status: Introduced.
- HR 5345 (Rep. Kustoff, R-TN) — SSA single point of contact for identity-theft victims. Status: Passed House.
- S 1666 (Sen. Grassley, R-IA) — SSA trained team to help identity-theft victims. Status: Introduced.
- HR 5594 (Rep. McDonald Rivet, D-MI) — Add identity theft to VAWA cybercrime grants. Status: Introduced.
Recent Developments
- Identity theft has evolved from primarily financial fraud to include synthetic identity theft (creating fictional identities using real and fake information), tax refund fraud, and medical identity theft
- The FTC's data security enforcement has intensified, with major actions against companies for inadequate protection of consumer data
- AI-powered identity verification and fraud detection are improving, but AI also enables more sophisticated identity theft (deepfakes, voice cloning)
- The FTC has expanded Section 5 enforcement to address dark patterns, subscription traps, and AI-related deceptive practices
- State comprehensive privacy laws (CCPA, Virginia CDPA, Colorado CPA, etc.) increasingly overlap with and supplement federal consumer protection