The IT Law Wiki



Canadian federal law defines identity theft as:

  • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
  • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of or recklessness as to the possible criminal use of the information; and,
  • Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.[1]

United States[]

Identity theft is

the acquisition and use of another person's PII in a way that involves fraud or deception, typically for economic gain.[2]

Federal law defines identity theft as:

knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.[3]

Identity theft is also defined in the Code of Federal Regulations (CFR) as

fraud committed or attempted using the identifying information of another person without permission.[4]

The Federal Trade Commission (FTC) defines identity theft as

a fraud committed or attempted using the identifying information of another person without authority.[5]


The OECD has stated that:

ID theft occurs when a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes.[6]

The U.N. Intergovernmental Expert Group has defined identity theft as:

occurrences in which information related to identity, which may include basic identification information and in some cases other personal information, is actually taken in some manner analogous to theft or fraud, including theft of tangible documents and intangible information, the taking of documents or information which are abandoned or freely available, and the deception of persons who have documents or information into surrendering them voluntarily.[7]

United Kingdom[]

Identity theft is defined in the United Kingdom as

the act whereby someone obtains sufficient information about an identity to facilitate identity fraud ('ID fraud'), irrespective of whether, in the case of an individual, the victim is alive or dead.[8]


Identity theft is a form of fraud in which the personally identifiable information of an individual, such as a Social Security number, name, or date of birth, is co-opted by another person to facilitate committing a criminal or fraudulent act by impersonating the victim. As Senator Jon Kyl, Chairman of the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information put it, "there are few clearer violations of personal privacy than having your identity stolen and used in the commission of a crime."[9] Until 1998, identity theft was not a federal crime.

Identity theft is the fastest growing type of fraud in the United States; in 2008 about 9.9 million Americans were reportedly victims of identity theft, an increase of 22% from the number of cases in 2007.[10] According to the FTC's survey on identity theft, approximately 8.3% of the U.S.’ adult population may have fallen victim to identity theft.[11] With recent data indicating that the number of identity theft incidents is on the rise, the current proportion of the population falling victim to identity theft may be even higher than the level estimated by the FTC in 2005. In addition, the Federal Trade Commission (FTC) estimates that it costs consumers about $50 billion annually.[12] More recently, a survey by a private research firm, Javelin Strategy & Research, using the methodology developed by the Federal Trade Commission, found that in 2009, a total of 11.1 million U.S. adults (representing 4.81% of the U.S. population) had become victims of some form of identity fraud, with an aggregate loss (to both individuals and corporate victims) of US $54 billion.[13]

Identity theft (also sometimes referred to as identity fraud)[14] does not usually occur as a stand-alone crime. Instead, identity theft is often committed as part of some other fraud or white-collar crime, including fraud on existing accounts — such as unauthorized use of a stolen credit card number — or fraudulent creation of new accounts — such as using stolen data to open a credit card account in someone else's name.

An identity thief could also take other actions on behalf of the victim, such as establishing residency/citizenship, securing employment, obtaining government benefits, and committing other crimes in the victim’s name. In addition, identity theft can play a facilitating role in potentially more violent crimes such as drug trafficking, people smuggling, and international terrorism.[15]

An increase in globalization and a lack of cyber borders provide an environment ripe for identity thieves to operate from within the nation’s borders — as well as from beyond. Federal law enforcement is thus challenged with investigating criminals who may or may not be operating within U.S. borders; may have numerous identities — actual, stolen, or cyber; and may be acting alone or as part of a sophisticated criminal enterprise.

How personal information is obtained[]

Identity theft can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information,[16] in a variety of ways, including:

  1. Dumpster diving. They rummage through trash looking for bills or other paper with personal information on it.
  2. Skimming. They steal credit/debit card numbers by using a special storage device when processing the card.
  3. Phishing. They pretend to be financial institutions or companies and send spam or pop-up messages to get the victim to reveal his or her personal information.
  4. Changing address. They divert a victim's billing statements to another location by completing a change of address form.
  5. Old-fashioned stealing. They steal wallets and purses; mail, including bank and credit card statements; pre-approved credit offers; and new checks or tax information. They steal personnel records, or bribe employees who have access.
  6. Pretexting. They use false pretenses to obtain personal information from financial institutions, telephone companies, and other sources.

A particular crime of identity theft may include one or all of these stages:

  • Stage 2: Use of the identity for financial gain (the most common motivation) or to avoid arrest or otherwise hide one's identity from law enforcement or other authorities (such as bill collectors). Crimes in this stage may include account takeover, opening of new accounts, extensive use of debit or credit cards, sale of the identity information on the street or black market, acquisition ("breeding") of additional identity-related documents such as driver's licenses, passports, visas, health cards, etc.), filing tax returns for large refunds, insurance fraud, stealing rental cars, and many more.
  • Stage 3: Discovery of the theft. While many misuses of credit cards are discovered quickly, the "classic" identity theft involves a long period of time to discovery, typically from six months to as long as several years. Evidence suggests that the time it takes to discovery is related to the amount of loss incurred by the victim.[17]


Increasing globalization and the expansion of the Internet have provided a challenging environment for law enforcement to both identify and apprehend identity thieves targeting persons residing in the United States. For one, these criminals may be operating from within U.S. borders as well as from beyond. There is no publically available information, however, delineating the proportion of identity theft (or other crimes known to be identity theft-related) committed by domestic and international criminals.[18]

Secondly, while some identity thieves operate alone, others operate as part of larger criminal networks or organized crime syndicates. The FBI has indicated that it, for one, targets identity theft investigations on larger criminal networks.[19] These networks may involve identity thieves located in various cities across the United States or in multiple cities around the world, and these criminals may be victimizing not only Americans, but persons living in countries across the globe. A third challenge includes identifying identity thieves operating under multiple identities, such as their actual identities, various stolen identities, and cyber identities and nicknames.

What data thieves do with the information[]

These data thieves then sell the information or use it themselves. While identity theft is not solely an Internet issue, a number of high profile data security breaches involving the personally identifiable information (PII) of citizens and consumers has drawn significant attention to the issue.

Once they have the victim's personal information, identity thieves use it in a variety of ways.

Credit card fraud:

  • They may open new credit card accounts in the victim's name. When they use the cards and do not pay the bills, the delinquent accounts will appear on the victim's credit report.
  • They may change the billing address on the victim's credit card so that the victim no longer receives bills, and then run up charges on the victim's account. Because the victim's bills are sent to a different address, it may be some time before the victim realizes there is a problem.

Phone or utilities fraud:

  • They may open a new phone or wireless account in the victim's name, or run up charges on the victim's existing account.
  • They may use the victim's name to get utility services like electricity, heating, or cable TV.

Bank/finance fraud:

  • They may create counterfeit checks using the victim's name or account number.
  • They may open a bank account in the victim's name and write bad checks.
  • They may clone the victim's ATM or debit card and make electronic withdrawals, draining the victim's accounts.
  • They may take out a loan in the victim's name.

Government documents fraud:

  • They may get a driver's license or official ID card issued in the victim's name but with their picture.
  • They may use the victim's name and Social Security number to get government benefits.
  • They may file a fraudulent tax return using the victim's information.

Other fraud:

  • They may get a job using the victim's Social Security number.
  • They may rent a house or get medical services using the victim's name.
  • They may give the victim's personal information to police during an arrest. When they fail to show up for their court date, a warrant for arrest may be issued in the victim's name.

Investigations and prosecutions[]

Identity theft is defined broadly, and it is directly involved in a number of other crimes and frauds. As a result, there are practical investigative implications that influence analysts’ abilities to understand the true extent of identity theft in the United States. For instance, only a proportion (the exact number of which is unknown) of identity theft incidents are reported to law enforcement. While some instances may be reported to consumer protection agencies (e.g., the FTC), credit reporting agencies (e.g., Equifax, Experian, and Trans Union), and law enforcement agencies, some instances may be reported to only one. For example, the FTC indicates that of the 82% of identity theft complaints that included information on whether the theft was reported to law enforcement, 35% were reported to law enforcement.[20]

Another issue that may affect analysts’ abilities to evaluate the true extent of identity theft is that law enforcement agencies may not uniformly report identity theft because crime incident reporting forms may not necessarily contain specific categories for identity theft. In addition, there may not be standard procedures for recording the identity theft component of the criminal violations of primary concern.[21] Issues such as these may lead to discrepancies between data available on identity theft reported by consumers, identity theft reported by state and local law enforcement, and identity theft investigated and prosecuted by federal law enforcement.

Various federal agencies are involved in investigating identity theft, including the Federal Bureau of Investigation (FBI), the United States Secret Service (USSS), the United States Postal Inspection Service (USPIS), the Social Security Administration Office of the Inspector General (SSA OIG), and the U.S. Immigration and Customs Enforcement (ICE). In addition, federal law enforcement agencies may work on task forces with state and local law enforcement as well as with international authorities to bring identity thieves to justice. The Department of Justice (DOJ) is responsible for prosecuting federal identity theft cases.

Impact of identity theft[]

According to the Federal Trade Commission, identity theft is the most common complaint from consumers in all 50 states, and accounts for over 35% of the total number of complaints the Identity Theft Data Clearinghouse received for calendar years 2004, 2005, and 2006. In calendar year 2006,[22] of the 674,354 complaints received, 246,035 or 36% were identity theft complaints.[23] With continued media reports of data security breaches,[24] concerns about new cases of identity theft are widespread.

The U.S. Department of Justice estimates that over 10 million Americans are victims of identity theft each year.[25]

Victims of identity theft may incur damaged credit records, unauthorized charges on credit cards, and unauthorized withdrawals from bank accounts. Sometimes, victims must change their telephone numbers or even their social security numbers. Victims may also need to change addresses that were falsified by the impostor. With media reports of information security breaches increasing, concerns about new cases of widespread identity theft have received significant attention in Congress. A survey by the Federal Trade Commission states that victims of identity theft can spend up to 130 hours reconstructing their identities (e.g., credit rating, bank accounts, reputation, etc.) following an identity crime.[26]

In 2007, identity theft alone cost businesses over $40 billion.[27] The average data breach today will cost businesses $192 per-incident.[28] According to a Ponemon Institute study, almost 33% of customers surveyed stated that they would cut ties with a company that had a data breach.[29]

Public disclosures of identity thefts have heightened interest in the security of sensitive personal information;[30] security of computer systems; applicability of federal laws to the protection of sensitive personal information; adequacy of enforcement tools available to law enforcement officials and federal regulators; business and regulation of data brokers;[31] liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; remedies available to individuals whose personal information was accessed without authorization;[32] prosecution of identity theft crimes related to data breaches; and criminal liability of persons responsible for unauthorized access to computer systems.[33]

Federal legislative activities[]

Congress continues to debate the federal government’s role in (1) preventing identity theft and its related crimes, (2) mitigating the potential effects of identity theft after it occurs, and (3) providing the most effective tools to investigate and prosecute identity thieves.

With respect to preventing identity theft, one issue concerning policymakers is the prevalence of personally identifiable information — and in particular, the prevalence of social security numbers (SSNs) — in both the private and public sectors. One policy option to reduce their prevalence may involve restricting the use of SSNs on government-issued documents such as Medicare identification cards. Another option could entail providing federal agencies with increased regulatory authority to curb the prevalence of SSN use in the private sector. In debating policies to mitigate the effects of identity theft, one option Congress may consider is whether to strengthen data breach notification requirements. Such requirements could affect the notification of relevant law enforcement authorities as well as any individuals whose personally identifiable information may be at risk from the breach.

In April 2007, the President’s Identity Theft Task Force issued a report titled Combating Identity Theft: A Strategic Plan, which contained recommendations to combat identity theft, including specific legislative recommendations to close identity theft-related gaps in the federal criminal statutes. In a further attempt to curb identity theft, Congress directed the FTC to issue an Identity Theft Red Flags Rule (effective June 1, 2010), requiring that creditors and financial institutions with specified account types develop and institute written identity theft prevention programs.

Several laws restricting the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts have been enacted at the federal level, including:

Congress also has passed several laws specifically related to identity theft:


  1. Bill S-4, An Act to amend the Criminal Code (identity theft and related misconduct).
  2. Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent, at 1 n.2.
  3. 18 U.S.C. §1028(a)(7).
  4. According to the CFR definitional section for the Fair Credit Reporting Act (16 C.F.R. §603.2), "[t]he term 'identifying information' means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any—(1) Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) Unique electronic identification number, address, or routing code; or (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. §1029(e))."
  5. 69 Fed. Reg. 63933 (Nov. 3, 2004).
  6. OECD, Online Identity Theft (2009) (full-text).
  7. U.N. Intergovernmental Expert Group, "Fraud and the Criminal Misuse and Falsification of Identity" (2007).
  8. Home Office Identity Fraud Steering Committee (2006).
  9. Identity Fraud Protection, Hearings on Identity Theft Before the Subcomm. on Technology, Terrorism, and Gov't Info., 105th Cong. (May 20, 1998).
  10. Javelin Strategy & Research, "Latest Javelin Research Shows Identity Fraud Increased 22 Percent, Affecting Nearly Ten Million Americans: But Consumer Costs Fell Sharply by 31 Percent" (Feb. 9, 2009) ([1]).
  11. Federal Trade Commission, 2006 Identity Theft Survey Report (Nov. 2007) (full-text).
  12. As referenced in Nikki Swartz, "Will Red Flags Detour ID Theft?" 43 Infor. Mgmt. J., Jan/Feb 2009, at 38-41. In addition to the costs incurred by consumers, identity theft presents cost burdens to the financial services industry as well.
  13. See Javelin Strategy & Research, 2010 Identity Fraud Survey Report 7 (Feb. 2010).
  14. "Identity theft" and "identity fraud" are terms that are often used interchangeably. Identity fraud is the umbrella term that refers to a number of crimes involving the use of false identification — though not necessarily a means of identification belonging to another person. Identity fraud became a federal crime through the False Identification Crime Control Act of 1982 (Pub. L. No. 97-398), and it is codified at 18 U.S.C. §1028. Identity theft is the specific form of identity fraud that involves using the personally identifiable information of someone else. Both identity fraud and identity theft are crimes often committed in connection with other violations, as mentioned above. Identity theft, however, may involve an added element of victimization, as this form of fraud may directly affect the life of the victim whose identity was stolen in addition to defrauding third parties (such as the government, employers, consumers, financial institutions, and health care and insurance providers, just to name a few). This report, however, maintains a focus on identity theft rather than the broader term of identity fraud.
  15. Identity Fraud: Prevalence and Links to Alien Illegal Activities, at 10.
  16. Personal information can include name, SSN, account number, password, or other information linked to an individual.
  17. Graeme Newman & Megan McNally, "Identity Theft Literature Review," National Criminal Justice Reference Service (NCJRS), at v (2005) (full-text).
  18. Statistics are available on the proportion of cyber-related crimes committed by perpetrators from various countries. However, only a proportion of those crimes are identity theft crimes, and analysts therefore cannot reliably extrapolate the proportion of identity theft crimes committed by domestic and international criminals.
  19. Federal Bureau of Investigation, Financial Crimes Report to the Public, Fiscal Year 2006 (full-text).
  20. Federal Trade Commission, "Consumer Sentinel Network Data Book for January-December, 2008 (Feb. 2009) (full-text).
  21. Graeme R. Newman & Megan M. McNally, “Identity Theft Literature Review,” prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement, Contract #2005-TO-008 (Jan. 2005) (full-text).
  22. The last year for which Identity Theft Victim Complaint Data is available.
  23. Federal Trade Commission, "Identity Theft Victim Complaint Data" (Feb. 7, 2007) (full-text).
  24. See Nancy Trejos, "Identity Theft Gets Personal: When a Debit Card Number Is Stolen, America’s New Crime Wave Hits Home," Wash. Post, Jan. 13, 2008, at F01.
  25. U.S. Department of Justice, Office of the Inspector General, "The Department of Justice’s Efforts to Combat Identity Theft," (Mar. 2010) (full-text).
  26. Federal Trade Commission, 2006 Identity Theft Survey Report (Nov. 2007).(full-text).
  27. Javelin Strategy and Research survey (Feb. 2008)[2]
  28. Ponemon Institute, 2007 Annual Study: Cost of Data Breach (full-text).
  29. Id.
  30. BNA Privacy & Security Law Report, "Data Security Legislation Expected to Face Big Challenges," 8 PVLR 51, Jan. 12, 2009.
  31. See Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 56.
  32. See Federal Laws Related to Identity Theft.
  33. See Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws.


See also[]