It is estimated that over 15 million Americans had their identity stolen in 2016 (most recent study data). In addition to accidental (although inexcusable) exposure by companies, there is “phishing,” which includes those seemingly-authentic e-mails requesting verification information for accounts (e.g. Citibank or PayPal), but instead coming from other parties seeking your personal information. Lastly, there is the most intrusive act, that of actual hacking into computer systems. All of these occurrences have brought identity theft squarely into the public’s attention. Although many people now know of the problem, few know what to do to rectify the problem once it occurs. They are often overwhelmed and do not know their rights or what to do. What follows are the steps to follow in the event of identity theft, which I would recommend be taken in order, if not simultaneously:
1. Contact a credit reporting agency
Contact any of the three major credit reporting agencies (“CRA”), Equifax, TransUnion, and Experian, and ask that a fraud alert be placed on your file. This can be done online or by phone. Any CRA contacted must alert the other two once a request has been made. The alert prohibits creditors from extending credit to you without verifying your identity. This alert will remain active for not less than 90 days. This alert also entitles you to one free report from each agency (every consumer in America now has access to one free credit report every 12 months). Be aware that a fraud alert will slow down approval of any authentic credit checks, as the creditor will need to verify your identity; however, you may provide a telephone number in the fraud alert that the creditor may use to contact you for verification purposes.
You can also request that an extended fraud alert be placed on your file, which is active for seven years. This requires you to fill out an identity theft report with the CRA, which can vary in substance, but usually requires the agency form (e.g. affidavit(s), proof of identity, proof of address, etc. ) and a filing with a law enforcement agency. The extended alert entitles you to two free credit reports within twelve months and the CRA will automatically remove you from the marketing pre-screened list for five years unless you ask to be placed back on them before that time.
In addition to the fraud alerts with the CRAs, a Virginia law went into effect on July 1, 2008, which also allows you to place a security freeze on your credit by contacting each of the CRAs. This security freeze prevents your credit file from being shared with potential creditors. As of July 1, 2009, the CRAs have to comply within one business day. The law is fairly detailed and it is important that you follow the procedures carefully.
Beyond the initial 90-day fraud alert call, all steps should be documented in writing and anything sent to a third party during the process of addressing the identity theft should be sent by certified mail; with return receipt requested and copies kept for your records. In addition, all documents given to third parties should be copies. Originals should be stored safely for future use.
2. Close accounts
Close any accounts that were created, or were abused, due to the identity theft. Do this by obtaining the creditor’s fraud department and sending all relevant information with an explanatory letter. You should also ask if the creditor accepts the Federal Trade Commission’s (“FTC”) ID Theft Affidavit (The FTC has set up a site for victims of identity theft to initiate a recovery plan that includes the necessary forms, affidavits, and letters). If not, request each creditor’s specific fraud dispute forms to fill out and return. Once the accounts have been closed and any fraudulent charges reversed, request a letter confirming the actions and status for your records. Unfortunately, often times the old information reappears on your credit and the letters will speed up the process of correcting the information in the future.
When you open new accounts to replace those that you have closed, be sure to place passwords on them, which should not be easy to guess or readily available from your personal information which has already been compromised.
3. Cancel government-issued documents/licenses
Contact any government agency (e.g. Department of Motor Vehicles) that has issued you a license or document and follow its procedures in canceling same and requesting a re-issuance. You should also request that your file/account be flagged to prevent further access to the account from anyone other than yourself and any authorized agent.
4. File a report with the police
File a report with the police and obtain a copy of the report. Sometimes your local police will be reluctant to take an identity theft report, so you may need to try a different jurisdiction (e.g. the jurisdiction where the identity theft took place or where your card/information was used). Try to arrange an in-person meeting to make your report rather than an automated process that may be offered. This will both allow you to present all of your evidence at the outset and will also allow for better verification by third-parties should the need arise.
5. File a complaint with the FTC
File a complaint with the FTC. This will be useful both personally to corroborate to third parties that the act(s) occurred and also to the government to keep track of such crimes and assist in combating them.
6. Clean up your credit
Once you have completed the steps in reporting the identity theft and setting up measures to prevent any future damage, it is important to address your credit itself. The first step is understanding there is law protecting consumers’ credit. The Fair Credit Reporting Act (“FCRA”), 15 U.S.C. §1681 et seq., as amended by the Fair and Accurate Credit Transactions Act of 2003, governs credit reporting and provides for redress for correcting identify theft. The FCRA allows the recovery of both statutory and actual damages suffered by the victim, as well as attorney’s fees and costs against the offending party. This fee-shifting arrangement aids those victims who normally could not afford counsel to assist them in their efforts to clear their credit. As to identity theft, the FCRA usually applies by addressing unauthorized access to a victim’s consumer report and by inaccurate information not being removed from the victim’s report.
Once you have obtained your consumer disclosure from the CRA, or a copy of the consumer report given by the CRA to a third party, you should review them carefully and note any incorrect information. Each CRA disclosure or report will contain different information, as each creditor, or “furnisher” as they are defined under the FCRA, may report to a different CRA. A dispute should be sent to each CRA detailing the inaccurate information. It is especially important that this dispute be in writing (even though you may be able to report same online or over the phone), and sent certified return receipt requested. Should litigation be necessary to resolve the situation, the timing of your disputes and the information provided in them become necessary and important evidence.
Once a CRA receives the dispute, it must forward it, including “all relevant information provided by the consumer,” to the furnishers against whom the dispute pertains. The CRA must update its information, correct any inaccuracies generally within 30 days of receiving the consumer’s dispute, and notify the consumer of the outcome. The CRA can be liable for failing to comply with the various duties and accuracy requirement in the FCRA. The furnishers must conduct an investigation, review the information provided by the agencies, and report the results back to the CRA. If the furnishers fail to perform any of these steps, they too can be liable under the FCRA. These procedures protect the victim of identity theft, as many furnishers fail to adequately investigate disputes. Without the protections of the FCRA, creditors could routinely ignore consumers, and victims would never get out from under the false claims for monies owed and their credit would remain damaged.
Identity theft can be the financial ruin of an individual and often causes tremendous stress and emotional turmoil. It is important to know an individual’s rights and the steps that can be taken to enforce them. An excellent source for information is the FTC’s official ID Theft website. A specific resource within that site provides contact numbers, forms, and other agencies and laws that can assist consumers greatly in their efforts to address identity theft. Either as a consumer facing identity theft, or an attorney contacted by a consumer facing identity theft, the steps detailed here and the resources provided in this article will help in taking back the life stolen by identity theft.
 Equifax Information Services LLC: (1) Call or Write: (800) 525-6285; P.O. Box 105069, Atlanta, GA 30378-5069 ; (2) Online: https://help.equifax.com/s/article/How-do-I-place-a-fraud-alert-or-an-active-duty-alert
TransUnion LLC: (1) Call or Write: (800) 680-7289; P.O. Box 6790, Fullerton, CA 92834; (2)
 (877) 438-4338; Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580; www.ftc.gov
 If at all possible, you should obtain copies of any consumer reports provided to third parties by a CRA. Usually, they exist because it is a denial of credit or a contact from a creditor that alerts an individual that he or she has been the victim of identity theft. The purpose of using the consumer reports as a basis for disputing inaccurate information rather than consumer disclosures is two-fold. First, the information on a consumer report is often different than the consumer disclosure, as the CRA uses a more stringent set of controls for the disclosures than the reports. Second, the CRA’s liability under the FCRA is only triggered when referring to a consumer report, not a consumer disclosure.