Identity Theft Laws

New identity theft laws continue to be introduced because, although identity theft is an old crime, its impact has never been greater. The crime has only recently reached new levels of public awareness because of its growth and its impact on individuals and businesses. New laws are introduced to recognize identity theft as a crime and to provide tougher punishment for criminals convicted of it. There are also Federal and State identity theft laws requiring businesses to take responsibility for protecting the consumer personal information they collect in the course of their business transactions.

Let's first cover the federal identity theft laws as described on the Federal Trade Commission's website:

Fair Credit Reporting Act

The Fair Credit Reporting Act (FCRA) establishes procedures for correcting mistakes on your credit record and requires that your record only be provided for legitimate business needs. The Federal Trade Commission (FTC), the nation's consumer protection agency, enforces the FCRA with respect to consumer reporting companies. The FCRA requires each of the nationwide consumer reporting companies (Equifax, Experian, and TransUnion) to provide you with a free copy of your credit report, at your request, once every 12 months to help you detect errors and identity theft. The FCRA promotes the accuracy and privacy of information in the files of the nation's consumer reporting companies.

Fair and Accurate Credit Transactions Act

The 2003 addition of FACTA (the Fair and Accurate Credit Transactions Act) to the Fair Credit Reporting Act (FCRA) and the body of identity theft laws was intended to fight identity theft. While the FCRA was originally created to promote the accuracy, fairness, and privacy of consumer information in the files of reporting agencies, the FACT Act was specifically intended to fight identity theft by giving consumers certain rights if they become, or suspect they have become, an identity theft victim.

Fair Credit Billing Act

This law establishes procedures for resolving billing errors on your credit card accounts. It also limits a consumer's liability for fraudulent credit card charges to $50. The law applies to "open end" credit accounts, such as credit cards, and revolving charge accounts such as department store accounts. It does not cover installment contracts.

Fair Debt Collection Practices Act

The Fair Debt Collection Practices Act prohibits debt collectors from using unfair or deceptive practices to collect overdue bills that your creditor has forwarded for collection. Personal, family, and household debts are covered under the Act.

Electronic Fund Transfer Act

The Electronic Fund Transfer Act provides consumer protection for all transactions using a debit card or electronic means to debit or credit an account. It also limits a consumer's liability for unauthorized electronic fund transfers.

The following criminal identity theft laws deal directly with the identity theft issue.

Identity Theft and Assumption Deterrence Act

This act is also known as the "Identity Theft Act" and deals directly with the identity theft issue. This law makes it a federal crime when someone:

"knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law."

Identity Theft Penalty Enhancement Act

This law was signed by President Bush on July 15, 2004, and requires tougher punishment for criminals convicted of identity theft. It increases the existing penalties for the crime of identity theft, defines aggravated identity theft as a criminal offense, and establishes mandatory penalties for aggravated identity theft.

Anti-Terrorism Laws

USA PATRIOT Act of 2001

The acronym USA PATRIOT stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. The act was established in response to the acts of terrorism in 2001. Its provisions include:

Customer Identification Program (CIP)

The CIP provision requires financial institutions to develop a program to verify their customers' identity information and establish the true identities of their customers.

Bank Secrecy Act

The Bank Secrecy Act of 1970 (also known as the BSA, or as the Currency and Foreign Transactions Reporting Act) requires financial institutions in the United States to assist U.S. government agencies in detecting and preventing money laundering. Since its establishment in 1970, the BSA has become one of the most important tools in the fight against money laundering.

Anti-Money Laundering

In its mission to "safeguard the financial system from the abuses of financial crime, including terrorist financing, money laundering and other illicit activity," the Financial Crimes Enforcement Network acts as the designated administrator of the Bank Secrecy Act (BSA).

Know Your Customer (KYC)

Know Your Customer (KYC) refers to the due diligence activities a financial institution performs on its customer information for the purpose of doing business with those customers. KYC processes are employed by companies of all sizes to ensure the anti-bribery compliance of their proposed agents, consultants, or distributors. Banks, insurers, and export credit agencies are increasingly demanding that customers provide detailed anti-corruption due diligence information to verify their probity and integrity. KYC policies are becoming increasingly important globally to prevent identity theft, financial fraud, money laundering, and terrorist financing.

Identity Theft Laws

Red Flags Rule

The Red Flags Rule is a US Federal identity fraud prevention regulation that financial institutions and creditors must comply with by implementing the necessary controls to prevent, detect, and respond to identity theft.

Privacy and Information Security

These identity theft laws relate to the responsibilities of certain government agencies and private organizations with regard to personal information privacy and protection:

Driver's Privacy Protection Act of 1994

This law puts limits on disclosures of personal information in records maintained by departments of motor vehicles.

Family Educational Rights and Privacy Act of 1974

This law puts limits on disclosure of educational records maintained by agencies and institutions that receive federal funding.

Gramm-Leach-Bliley Act

This law requires the FTC, along with the Federal banking agencies, the National Credit Union Administration, the Treasury Department, and the Securities and Exchange Commission, to issue regulations (to be codified at 16 CFR Part 313) ensuring that financial institutions protect the privacy of consumers' personal financial information. Such institutions must develop and give notice of their privacy policies to their own customers at least annually and, before disclosing any consumer's personal financial information to a nonaffiliated third party, must give notice and an opportunity for that consumer to "opt out" from such disclosure.

Health Insurance Portability and Accountability Act of 1996

Also known as HIPAA, this law's privacy rule regulates the security and confidentiality of patient information. It took effect on April 14, 2001, with most covered entities (health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically) having until April 2003 to comply. It requires standards for the privacy and security of Protected Health Information (PHI).

HIPAA also requires that covered entities sign a contract, known as a Business Associate Agreement, with their contractors to ensure that consumer information remains secure when it is shared with those contractors for business purposes.

Payment Card Industry (PCI)

The PCI Data Security Standards (DSS) are explicit guidelines for securing credit card information. MasterCard, Visa, American Express, JCB, and Discover created these standards. These rules affect any U.S. organization, regardless of size, that processes, stores, or transmits credit card data. The bank that processes the organization's transactions may fine an organization that fails to comply with the PCI standards and suffers a data breach. Nonprofit organizations are not exempt.

Articles Related to Identity Theft Laws

Government Red Flag Audit

A government Red Flag audit of a company's identity theft prevention program will cover three major aspects of the Red Flags Rule with 15 examination guidelines.

Red Flags Rule Compliance Program

Consider these 8 steps when implementing a Red Flags Rule compliance program within an organization. Such a program has many benefits but can be challenging if a company lacks purpose and vision.

Why Compliance Matters

Businesses of all sizes in a regulated environment may wonder why compliance matters and why they should spend money on regulatory compliance. Read this article to discover why.

Identity Management Compliance

This article proposes a low-cost and effective approach to identity management compliance with various regulations, which can otherwise be extremely costly, inefficient, and often ineffective.

ERIC Digest Article

This ERIC Digest article discusses the privacy laws governing student records, student rights, and school obligations.

Invasion of Privacy Laws

There are a few identity theft laws related to invasion of privacy that protect individuals from public disclosure of private facts.

Red Flags Rules

The Red Flags rules are the set of requirements that financial institutions and creditors must follow to implement the necessary controls to prevent, detect, and mitigate identity fraud.

Visit Identity Management Institute for compliance with identity theft laws.