What Are the Consequences for Identity Theft?

By Sarah Morse

Online impersonation may result in a criminal record.
i Wavebreakmedia Ltd/Wavebreak Media/Getty Images

Every year, millions of U.S. citizens become victims of identity theft. As technology improves to protect the consumer, so too does the resourcefulness of cyber criminals. Anyone who stores or uses their information on the Internet is susceptible. Often, these crimes are not prosecuted because the criminals are difficult to find. When they are found, however, they are subject to the growing number of cyber laws and the penalties that come with them.

The ID Theft and Assumption Deterrence Act of 1998

An increase in computer and Internet activity in the late-1990s led lawmakers in 1998 to strengthen federal anti-fraud laws. The ID Theft and Assumption Deterrence Act made it a separate federal crime to steal identification information with criminal intent. Before the law, it was illegal to possess or produce fake identification documents; afterward, it became illegal to steal that information, which closed an important loophole.

Breaking this law carries a maximum prison sentence of 15 years, a fine and criminal forfeiture of any property that the perpetrator used to commit the crime. If during the process of stealing, the perpetrator also engages in identification fraud, credit card fraud, computer fraud, mail fraud, wire fraud or financial institution fraud, as defined by federal law, they could go to jail for much longer. Some of these offenses carry 30-year maximum prison sentences.

Identity Theft Penalty Enhancement Act of 2004

The Identity Theft Penalty Enhancement Act of 2004 established a new punishable offense: aggravated identity theft. Aggravated identify theft is when someone uses stolen identification information to commit certain felonies such as immigration and firearm violations.

This is a separate offense altogether and it carries a mandatory two-year prison sentence on top of any other penalties imposed. If the perpetrator is found to have committed aggravated identity theft in connection with an act of terrorism, a five-year mandatory sentence is imposed. Neither of these sentences can be substituted with probation.

The Identity Theft Enforcement and Restitution Act of 2008

The Identity Theft Enforcement and Restitution Act of 2008 lowered the bar for prosecuting cyber criminals. Before the law, prosecutors had to prove $5,000 in damages before accusing someone of unauthorized computer access. This law eliminates that figure. Before the law, for someone to be convicted of a federal crime connected with computer access, they had to live in different states. After the law, both victim and criminal could live in the same state and the cyber criminal could still be prosecuted. Although this part of the law does not directly apply to identity theft, it is closely related, and does make it easier to prosecute identity theft criminals.

The law does specifically state that when identity theft victims bring their attacker to justice, and the latter are ordered to pay restitution, that restitution should equal the time and money used by the victim to fix the problems brought on by their attacker.

State Identity Theft Laws

Identity theft can be prosecuted on the state level as well as the federal level, depending on the crime and the extent of the crime. All 50 states have laws prohibiting identity theft. Twenty-nine states have restitution provisions and five have forfeiture provisions for items used in the crime.