Understanding the Identity Theft Enforcement and Restitution Act

Learn how the Identity Theft Enforcement and Restitution Act strengthens federal prosecution of identity theft and expands restitution rights for victims.

By Medha deb
Created on

The Identity Theft Enforcement and Restitution Act of 2008 (ITERA) is a key federal law that expanded the U.S. government’s ability to prosecute identity theft and computer-related fraud, while improving the way courts compensate victims for the harm they suffer. It builds on earlier identity theft legislation and responds to the rapid growth of online crime and data misuse.

This guide explains what ITERA does, how it fits into the broader framework of identity theft laws, and what practical rights and protections it offers to individuals and organizations impacted by identity-related crimes.

Background: Why ITERA Was Needed

Before ITERA, federal identity theft enforcement was based largely on earlier statutes, including the Identity Theft and Assumption Deterrence Act of 1998 and the Identity Theft Penalty Enhancement Act of 2004. These laws criminalized identity theft and created enhanced penalties for aggravated identity theft, but they left gaps in jurisdiction, coverage of victims, and compensation for the time victims spent repairing damage.

Congress enacted ITERA in 2008 to close several of these gaps and modernize federal law to address increasingly sophisticated cybercrime and cross-border computer fraud. The law specifically targets problems such as:

  • Difficulty prosecuting identity theft when the victim and offender are in the same state.
  • Limitations on what courts could include in restitution orders, particularly the value of victims’ time spent fixing identity theft issues.
  • Restrictions on federal computer fraud prosecutions, such as minimum damage thresholds and narrow jurisdictional rules.

How ITERA Fits Within the Identity Theft Legal Framework

ITERA is part of a broader legal ecosystem designed to prevent, punish, and remediate identity theft and related financial fraud. Together, these laws provide overlapping protections:

Law Main Focus Key Contribution
Identity Theft and Assumption Deterrence Act (1998) Defines identity theft as a distinct federal crime against individuals. Makes it illegal to knowingly use another person’s identifying information without lawful authority.
Identity Theft Penalty Enhancement Act (2004) Aggravated identity theft and increased penalties. Creates enhanced penalties when identity theft is used to commit certain felonies, including terrorism and immigration crimes.
Identity Theft Enforcement and Restitution Act (2008) Expanded federal jurisdiction and restitution for victims. Allows broader prosecution of identity theft and computer fraud, and authorizes restitution including victims’ time spent on remediation.
Read More

Understanding Mortgage Brokers: Roles, Benefits and Key Decisions >

Understanding Mortgage Brokers: Roles, Benefits and Key Decisions

In addition, consumer protection laws like the Fair Credit Reporting Act (FCRA)Fair and Accurate Credit Transactions Act (FACTA) give victims rights to dispute inaccurate information, obtain credit reports, and place alerts to help limit damage from identity theft.

Core Objectives of the Identity Theft Enforcement and Restitution Act

ITERA is designed to achieve two major objectives:

  • Strengthen federal enforcement of identity theft and computer fraud by expanding the situations in which federal prosecutors can bring charges.
  • Improve restitution so that courts can more fully compensate victims, including the value of time spent dealing with identity theft-related problems.

To accomplish these goals, ITERA amends several provisions of the federal criminal code, notably in Title 18 of the United States Code.

Expanded Federal Jurisdiction Over Identity Theft and Computer Fraud

One of ITERA’s most significant changes is its expansion of federal jurisdiction, making it easier for federal courts to hear identity theft and computer fraud cases even when communication or damage is not interstate in nature.

Prosecution When Victim and Offender Are in the Same State

Prior to ITERA, federal prosecutors often needed to show that an offender used interstate or foreign communications to commit identity theft or computer fraud. This requirement could prevent federal charges when a crime was carried out entirely within a single state.

ITERA removed that barrier for certain prosecutions, explicitly allowing federal courts to hear cases where the victim and criminal reside in the same state and interstate communication is not central to the offense. This expansion helps ensure federal tools are available even for locally executed identity theft schemes.

Elimination of the $5,000 Damage Threshold

ITERA also modified provisions that previously required a minimum amount of damage for certain computer-related offenses to be prosecuted federally. Under earlier law, prosecutors generally needed to show at least $5,000 in aggregate damage to a victim’s computer systems over a one-year period for certain unauthorized access crimes.

The Act removed this fixed damage threshold, which allows prosecutors to pursue cases even where monetary losses are lower but the conduct is serious or involves sensitive systems. This is particularly important for cases involving non-financial harms, such as compromise of medical records or confidential information.

Protection of Multiple “Protected Computers”

ITERA introduced new offenses related to attacks on multiple computers used by the federal government or financial institutions. It made it a felony to damage ten or more protected computers within a one-year period, even if individual damages are relatively small.

The term “protected computer” generally includes systems used by or for the federal government, financial institutions, and computers used in interstate or foreign commerce or communication.[10] By focusing on the number of protected computers affected, the Act targets wide-scale attacks such as mass deployment of spyware, keyloggers, or other malicious tools.

Clarification and Expansion of Computer Fraud Offenses

In addition to jurisdiction, ITERA clarifies and broadens the range of computer-related conduct that can be prosecuted as fraud or extortion.

Expanded Definition of Cyber Extortion

ITERA amends the definition of cyber extortion to cover demands for money or other value made in connection with damage to a protected computer, including damage intentionally caused to facilitate extortion. This expansion recognizes that modern extortion may involve threats to delete data, disable systems, or publicly expose sensitive information unless payment is made, rather than purely physical threats.

Conspiracies to Commit Computer Fraud

The Act also expressly prohibits conspiracies to commit computer fraud, treating conspiratorial conduct as a felony violation for purposes of aggravated identity theft and related offenses. This enables prosecutors to target not only the person who executes the attack but also those who plan, coordinate, or assist in computer fraud schemes.

Broader List of Predicate Offenses

ITERA expands the list of underlying crimes (predicate offenses) that can trigger aggravated identity theft and other enhanced penalties. Examples include:

  • Counterfeiting or possessing forged securities.
  • Mail theft and certain types of tax fraud involving personal identifying information.

By broadening predicate offenses, the Act ensures that the enhanced identity theft penalties apply to a wider range of serious financial and government-related crimes.

Enhanced Restitution Rights for Identity Theft Victims

ITERA’s changes to restitution are particularly important for victims, because identity theft often requires extensive time and effort to undo, even when direct financial losses are limited.

Restitution for the Value of Victims’ Time

The Act amends 18 U.S.C. § 3663(b) to make clear that restitution orders in identity theft cases may include an amount equal to the value of the victim’s time spent remediating actual or intended harm. This means that when a court convicts an identity thief, the judge can order compensation not only for stolen funds or damaged property, but also for practical efforts such as:

  • Contacting banks, credit card issuers, and other financial institutions.
  • Disputing fraudulent accounts or charges.
  • Working with credit bureaus to fix credit reports.
  • Consulting with law enforcement or legal counsel.

This recognition of victims’ time reflects the reality that identity theft can cause substantial non-monetary burdens, including stress, lost work hours, and administrative tasks.

Restitution in Cases Involving Organizations

ITERA also expands identity theft and aggravated identity theft crimes to include offenses committed against organizations, not just natural persons. This change allows restitution orders and enhanced penalties to apply when an identity thief misuses organizational identifiers—such as employer identification numbers or financial account credentials—to commit fraud.

Organizations may thus be compensated for investigative costs, remediation activities, and other expenses incurred due to identity-related crimes targeting their data or systems.

Interaction with Other Consumer Protections

While ITERA addresses criminal prosecution and restitution, victims also benefit from civil and regulatory protections under other statutes, particularly in the credit reporting and debt collection context.

Credit Reporting Rights

Under the Fair Credit Reporting Act and amendments like FACTA, consumers are entitled to:

  • Obtain free annual credit reports from each of the three major credit reporting agencies.
  • Dispute inaccurate information, which credit reporting agencies and creditors must investigate and correct if the data is wrong.
  • Place fraud alerts and sometimes security freezes on their credit files to help prevent new accounts from being opened in their names.

These rights are critical for identity theft victims seeking to repair their credit profiles and minimize ongoing harm, and they complement ITERA’s provisions on criminal restitution.

Debt Collection Protections

Laws like the Fair Debt Collection Practices Act allow consumers to challenge debts that may have been incurred through identity theft, ensuring they are not improperly held responsible for obligations they never authorized. Successful challenges can reduce the need for victims to pay fraudulent debts, which also affects the scope of restitution claims.

Practical Implications for Victims and Defendants

ITERA has concrete implications for individuals and organizations affected by identity theft, as well as for defendants facing charges.

What Victims Can Expect from Restitution

When a defendant is convicted under identity theft or related computer fraud statutes, courts may issue restitution orders that include:

  • Reimbursement of direct financial losses (such as stolen funds or unreimbursed fraudulent charges).
  • Compensation for the reasonable value of time spent responding to and correcting identity theft harms.
  • Potential recovery of certain remediation and investigative costs, especially for organizational victims.

Victims can support restitution claims by documenting their time, out-of-pocket expenses, and steps taken to repair the damage.

Consequences for Defendants

Defendants convicted of identity theft, aggravated identity theft, or related computer fraud offenses face a combination of penalties, which may include:

  • Criminal fines and imprisonment; in aggravated identity theft cases, statutes provide mandatory additional prison terms.
  • Restitution obligations, including compensation for victims’ time and losses.
  • Potential forfeiture of property used to commit computer fraud offenses, such as equipment or funds.

ITERA also directed the U.S. Sentencing Commission to review and update sentencing guidelines to reflect increased penalties for identity theft, computer fraud, and certain privacy-related offenses.

Key Takeaways in Bullet Form

  • ITERA is a 2008 federal law that strengthens identity theft and computer fraud enforcement and expands restitution for victims.
  • Federal courts can prosecute certain identity theft cases even without interstate communications, including cases where victim and offender are in the same state.
  • The Act eliminates the prior $5,000 damage threshold for some computer crime prosecutions and creates a felony for damaging ten or more protected computers in a year.
  • Cyber extortion definitions are broadened, and conspiracies to commit computer fraud are explicitly prohibited.
  • Restitution can now include the value of a victim’s time spent remediating harm, not just direct financial loss.
  • Organizations, not just individuals, are protected under expanded identity theft and aggravated identity theft provisions.

Frequently Asked Questions (FAQs)

1. What is the main purpose of the Identity Theft Enforcement and Restitution Act?

The main purpose is to enhance federal prosecution of identity theft and computer fraud and to ensure that courts can provide more complete restitution to victims, including compensation for the time they spend addressing identity theft-related issues.

2. Does ITERA only apply to online identity theft?

No. While ITERA has strong relevance to online and computer-based crime, it applies to identity theft and computer fraud offenses irrespective of whether they occur purely online, offline, or through a combination of methods, as long as the conduct meets federal statutory requirements.

3. Can victims recover lost wages under ITERA?

ITERA allows courts to include the value of the time reasonably spent by victims on remediation in restitution orders. Depending on the circumstances and court findings, this can encompass lost wages or comparable time-value calculations, but the specific amount and methodology are determined case by case.

4. How does ITERA interact with state identity theft laws?

ITERA does not replace state identity theft laws; it operates alongside them. States can still prosecute identity theft under their own statutes, and federal and state authorities may coordinate enforcement depending on the nature and scale of the offense.

5. Does ITERA protect businesses as well as individuals?

Yes. ITERA expands certain identity theft and aggravated identity theft provisions to cover offenses committed against organizations, allowing businesses and other entities to seek restitution for harm related to misuse of their identifying information or protected computer systems.

6. What should victims do to support a restitution claim?

Victims should carefully document:

  • All financial losses and unreimbursed charges.
  • Time spent contacting creditors, banks, credit bureaus, and law enforcement.
  • Any professional fees or out-of-pocket costs for remediation.

Such records can help courts accurately calculate restitution amounts under ITERA and related laws.

References

  1. H.R.6060 – Identity Theft Enforcement and Restitution Act of 2008 — U.S. Congress. 2008-09-26. https://www.congress.gov/bill/110th-congress/house-bill/6060
  2. Identity Theft and Financial Fraud — Office for Victims of Crime, U.S. Department of Justice. 2010-09-01 (content describing identity theft statutes including ITERA). https://ovc.ojp.gov/sites/g/files/xyckuh226/files/pubs/ID_theft/idtheftlaws.html
  3. Identity Theft Under Consumer Protection Laws — Justia. 2021-05-01 (approx. last updated, discussing ITERA and related statutes). https://www.justia.com/consumer/identity-theft/
  4. Identity Theft Enforcement and Restitution Act – FindLaw Overview — FindLaw. 2022-03-15 (approx. last updated, consumer-focused summary). https://www.findlaw.com/consumer/online-scams/the-identity-theft-enforcement-and-restitution-act.html
  5. Identity Theft Enforcement and Restitution Act — Lexology analysis of computer crime provisions. 2008-11-10. https://www.lexology.com/library/detail.aspx?g=b9502763-47d8-4800-9691-a6a91b7d6cee
Medha Deb is an editor with a master's degree in Applied Linguistics from the University of Hyderabad. She believes that her qualification has helped her develop a deep understanding of language and its application in various contexts.

Read full bio of medha deb