Identity Theft

by John Bandler

Identity theft and cybercrime go hand-in-hand, so we cannot talk about one without the other. Let us explore self protection, organization cybersecurity, and government civil and criminal enforcement.

What is identity theft?

ID theft is a crime defined by various federal and state criminal statutes.

In sum, an offender assumes the identity of an individual to fraudulently obtain goods or services or commit another crime. Put another way, the criminal impersonates the victim in order to steal or commit some other type of crime.

A criminal assumes the identity of a victim (impersonates them) by using some type of personal identifying information of that victim. This personal identifying information (PII) might have a different name, and would be defined by statute, but could include things like name, address, date of birth (DOB), social security number (SSN), credit card number, username and password, financial information, and more.

Our personal information and credit are valuable to many, including the credit reporting companies and cybercriminals, as we cover next.

The credit and personal information economy

There is an entire industry surrounding the lawful collection, storage, and sale of our personal information (for example, the big three credit reporting companies referenced later). It exists to sell services to protect us from this crime and the improper use of our personal information (those same credit reporting companies and more). Major players in this industry include Equifax, Experian, TransUnion, and LifeLock, and there are thousands of other companies, all with varying levels of legal compliance and ethics.

They may be called Consumer Reporting Agencies (CRA) and fall under various federal and state laws.

The cybercrime and identity theft economy

Let us talk about the illicit economy of cybercrime and ID theft responsible for billions of dollars of theft every year. This economy is illegal and individuals in it violate many criminal laws.

Nearly every cybercrime involves some form of impersonation, and most ID theft is made possible thanks to cybercrime.

Cybercriminals steal data, including through data breaches. This data is then used to steal identities. Before that, it might be sold and resold, eventually to the criminal who will use it.

The economy requires criminals to pay each other, and to be able to successfully launder their ill-gotten gains. These payments are facilitated with virtual currencies and cryptocurrencies, as well as all forms of traditional value transfer.

Naturally, there are many criminal laws that prohibit all of this conduct. These are people who knowingly violate those laws, many times a day, over the course of days, weeks, months, and years.

Organizations and identity theft

Every organization plays a role with identity theft (and cybercrime) and some have legal duties.

Organizations need to make sure they are not used as tools by identity thieves and cybercriminals. They need to ensure these criminals do not take advantage of lax controls in the organization to impersonate victims and commit theft and other crimes. Some may have legal duties on this, including from the Federal Trade Commission (FTC) ID theft Red Flags Rule.

Businesses also need to make sure consumer data they safeguard is protected from cybercriminals, with good cybersecurity. Data breaches provide cybercriminals with fresh supplies of consumer data that can then be used to impersonate others. So organizations need to have a cybersecurity program and reasonable cybersecurity to protect against this.

Companies can protect themselves with good policies and practices, including use of my Five Components for Policy Work.

Individuals and protecting from identity thieves

Individuals should protect themselves from becoming victims of identity theft. This protection requires knowledge, awareness, and some work. Consumers have rights that can be exercised for free.

Yes, there are extensive marketing and fear tactics that promise magic solutions and protection with a monthly fee, but this is generally not the case.

My prescription for protection is:

  • Continually improve your cybersecurity, including with my tips and Four Pillars of Cybersecurity
  • Obtain free annual credit reports each year from each of the three credit reporting companies
  • If any credit information is inaccurate, it can be disputed and corrected.
  • Use your credit card (not debit card) for regular purchases (assuming you are good at managing your credit expenditures)
  • Consider a free credit freeze
  • Review what information is publicly available about you, and consider steps to remove it
  • Be wary of paid services that promise easy guaranteed protection
  • Review and repeat

Individuals and ID theft response

If you are a victim of identity theft, you can take action, and you have rights you can exercise that do not cost you anything.

  • Continually improve your cybersecurity
  • Report to the Federal Trade Commission (FTC)
  • Notify local law enforcement (law enforcement has jurisdiction to take a report and investigate based upon the location/residence of the victim)
  • Obtain free credit reports you are entitled to as an ID theft victim
  • Gather free annual credit reports each year from each of the three credit reporting companies
  • Document, report, and correct any inaccurate information or detected fraud
  • Consider a free credit freeze
  • Review what information is publicly available about you, and consider steps to remove it
  • Take notes
  • Prepare an accurate summary with all relevant information
  • Ensure your communications are documented; follow up a phone call with a written communication
  • Be wary of paid services that promise easy guaranteed fixes
  • Review and repeat

Government and ID theft

Government plays important roles in many areas, including civil consumer protection and criminal enforcement.

Privacy and consumer protection

Our government plays an important role in protecting consumer privacy from the information economy, and ensuring consumers are protected from criminal use of their information.

Criminal enforcement

The cybercrime and ID theft economy is extremely profitable and also difficult to investigate and prosecute. But it can be investigated, and more offenders can be brought to justice. Government needs to do more on this front. The cases are challenging but important, and detectives, investigators, and prosecutors can learn how to do them, develop their investigative skills in the process, and bring justice to where it needs to go.

Like no other criminal offense, cybercrime and ID theft are lucrative and repeated day after day over many years by criminals who hone their skills with little fear of apprehension. Government needs to change the risk calculus of these offenders. These offenders need to realize that government is trying, and eventually they will get caught.

District Attorney Robert Morgenthau created one of the first Identity Theft Units in the country, recognizing the importance of fighting this crime. Resulting cases soon demonstrated the connection between identity thieves and cybercriminals, and it was amazing what cases the unit was able to bring (including the Western Express case) even with relatively limited resources. Prosecutors need to put in the work to bring the type of cases needed to fight this crime.

Follow the money

Implicit in the above is following the money and slowing the profits that flow to criminals. Criminals commit these crimes because they are profitable, and the chances of apprehension are low.

The Western Express case

I spent many years investigating this crime, first as a state trooper, then as an assistant district attorney.

As a prosecutor, I received a report of a single instance of this crime. Investigation led to a virtual currency exchanger located in Manhattan named Western Express International, Inc. This exchanger facilitated payments between U.S. based identity thieves and cybercriminals from former Soviet countries.

I learned a lot during my many years investigating it and its customers from around the country and globe, and wrote a little more in the linked article below.

Criminal laws

Criminal law exists to accomplish its objectives. For these laws to be effective, crimes need to be investigated by law enforcement, some of the offenders need to be caught, and brought to appropriate justice. Where crimes are not investigated, including more complex crimes like impersonation and cybercrime, the offenders will never be caught.

Some crimes that identity thieves commit include:

  • Identity theft
  • Criminal impersonation
  • Larceny (theft)
  • Criminal possession of stolen property
  • Forgery
  • Criminal possession of a forged instrument
  • Money laundering
  • But wait, there's more!

Civil laws

Civil laws and regulations are there mostly to protect consumers. Civil laws are enforced against organizations (sometimes individuals) where criminal prosecution is not warranted. Many organizations take action that protects consumers or respond properly to consumer inquiries because a civil law exists, and the organization chooses to comply with it.

Government can enforce civil laws where organizations do not comply.

Some civil rules that apply include:

  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Red Flags Rule (for organizations to identify and combat identity theft on their platforms)
  • Rules regarding unfair or deceptive trade practices (FTC Act, state laws)
  • Rules on privacy and cybersecurity

It is not always do-it-yourself

Sometimes paid services are needed. But be skeptical of marketing hype, marketing fear, and guarantees.


This crime is pernicious and prevalent, tied to cybercrime, profitable and with low risk for the offenders. Organizations and individuals can play roles to protect themselves and respond to it. Government plays an important role to protect us, and needs to do better.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If you are a victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

This article is hosted at John Bandler, all rights reserved.

This article is also available on at (though not kept as up to date).

Originally posted 12/23/2022, updated 7/29/2023.