Identity Theft – 18 U.S.C. § 1028 & § 1028A Sentencing Guidelines
Identity Theft – 18 U.S.C. § 1028 & § 1028A Sentencing Guidelines
Thanks for visiting Spodek Law Group, a second-generation firm managed by Todd Spodek with over 40 years of combined experience defending clients against federal identity theft charges. Section 1028 criminalizes fraud involving identification documents and authentication features. Section 1028A adds mandatory minimum sentences for aggravated identity theft committed during other felonies. Maximum penalties under Section 1028: 15 years imprisonment; under Section 1028A: mandatory 2-year consecutive sentence that must run after and separate from the underlying felony. These statutes transformed identity theft from state misdemeanor into serious federal crime carrying harsh mandatory sentences.
Identity theft prosecutions exploded after Congress enacted Section 1028A in 2004. That statute’s mandatory consecutive 2-year sentence makes identity theft charges powerful prosecutorial weapons. Prosecutors routinely add Section 1028A charges to other fraud cases because the mandatory minimum increases plea pressure and eliminates judicial discretion at sentencing. A wire fraud defendant facing 3 years suddenly faces 5 years when prosecutors add identity theft count that judge cannot reduce regardless of circumstances.
What Section 1028 Prohibits
Section 1028(a) criminalizes eight different categories of conduct involving identification documents: producing false identification documents, transferring false documents, possessing documents with intent to defraud, possessing document-making implements, possessing five or more false identification documents, possessing authentication features with intent to defraud, and trafficking in false authentication features. Each subsection targets different aspects of identity document fraud.
The statute defines “identification document” broadly: any document made or issued by government that’s commonly accepted to identify the bearer. Driver’s licenses, passports, Social Security cards, birth certificates, government employee IDs—all qualify. But the definition extends beyond government documents to include documents containing identifying information: credit cards, debit cards, access cards that identify the bearer.
That expansion means Section 1028 overlaps substantially with access device fraud (Section 1029) and document fraud (Section 1546). Prosecutors charge all three statutes for conduct involving false identification documents used to commit fraud. The overlapping jurisdiction gives prosecutors maximum charging flexibility and creates multiple avenues for conviction when one statute might not apply cleanly.
The Five-Document Threshold
Section 1028(a)(3) criminalizes possessing five or more identification documents other than those issued to the possessor. This provision targets identity thieves who accumulate multiple identities to commit fraud. But it criminalizes possession alone without requiring proof of fraud or intent beyond the possession itself.
The five-document threshold is arbitrary. Why is possessing four documents lawful but five criminal? Congress decided that possessing multiple IDs suggests identity theft schemes rather than innocent possession. But the assumption is crude. Someone might possess multiple IDs for legitimate reasons—storing family members’ documents, having multiple driver’s licenses from different states during moves, collecting documents for estate administration.
Prosecutors need only prove knowing possession of five documents—they don’t need to prove defendant intended to use them fraudulently or that the documents were false. Possession with knowledge the documents weren’t issued to you suffices for conviction. That strict liability approach criminalizes possession of others’ documents even when no fraud occurred and none was intended.
Aggravated Identity Theft: The Mandatory Minimum Problem
Section 1028A imposes mandatory 2-year consecutive sentence (5 years for terrorism-related offenses) when defendants commit identity theft “during and in relation to” enumerated felonies including fraud, immigration violations, firearms offenses, and terrorism crimes. The mandatory minimum must run consecutive to the underlying offense sentence—judges cannot impose concurrent sentences or reduce the 2-year term regardless of circumstances.
This mandatory minimum is prosecutorial sledgehammer. Adding Section 1028A charge to any fraud case involving someone else’s identification information adds automatic 2 years that judge cannot mitigate. Defendants with strong mitigation—first offense, minor role, extraordinary rehabilitation—still receive the mandatory 2 years stacked on top of their underlying sentence. The statute eliminates judicial discretion and proportionality in sentencing.
The Supreme Court in Flores-Figueroa v. United States narrowed Section 1028A slightly by requiring proof that defendants knew the identification information belonged to another person. Prosecutors must prove knowledge that the identity was real, not just that defendant used false identification information. That requirement prevents prosecuting defendants who used completely fabricated identities—the identity theft aggravator applies only when real people’s identities were stolen.
When Immigration Cases Become Identity Theft
Many Section 1028A prosecutions involve immigration violations. Undocumented immigrants often use Social Security numbers to obtain employment. When they use real SSNs—even randomly chosen numbers without knowing whose they are—prosecutors charge aggravated identity theft under Section 1028A.
These prosecutions are brutal and unjust. Someone fleeing poverty who uses a SSN to work construction, honestly works and pays taxes using that number, harms nobody—but faces mandatory 2-year sentence for aggravated identity theft. The punishment is grossly disproportionate to culpability. These defendants aren’t identity thieves trying to steal from the number’s rightful owners. They’re people trying to work and support families using documentation systems that exclude them.
Courts have struggled with these cases. Some judges openly state they believe the mandatory sentences are unjust but impose them because statute requires it. Others find ways to dismiss Section 1028A charges where evidence doesn’t clearly prove defendant knew the SSN belonged to a real person. The judicial discomfort reflects recognition that mandatory minimums prevent proportionate sentencing.
Sentencing Under Section 1028
Section 1028 violations without aggravated enhancement are sentenced under Guidelines Section 2B1.1 and 2L2.1 depending on the offense. Offense levels are calculated from loss amounts, number of victims, and sophisticated means. Identity theft fraud often affects numerous victims—each person whose identity was stolen is a victim even if they weren’t directly defrauded.
Number-of-victims enhancement adds 2 to 6 levels: 10-49 victims adds 2 levels, 50-249 victims adds 4 levels, 250+ victims adds 6 levels. Identity theft schemes involving stolen databases of personal information quickly reach 250+ victims, triggering substantial sentencing increases. Combined with sophisticated means (another 2 levels) and loss amounts, identity theft sentences can reach 10+ years even before Section 1028A’s mandatory minimum.
The victim count is often contested. Are victims only people whose identities were used to commit fraud, or does the count include everyone whose information was stolen even if unused? If defendant stole database with 10,000 Social Security numbers but only used 50 of them, are there 50 victims or 10,000? Courts generally count everyone whose information was compromised, not just those whose identities were actively misused. That approach dramatically increases victim counts and sentences.
Loss Calculations in Identity Theft
Measuring loss from identity theft is complex. Victims suffer direct financial losses when identities are used to open accounts or make purchases. But they also incur costs repairing credit, disputing fraudulent charges, and monitoring for future misuse. Should these consequential damages count toward loss calculations?
Guidelines say actual and intended loss both count. Prosecutors argue that defendant who possessed 1,000 stolen identities intended to use all of them even if caught after using only a few. The intended loss from potentially using all 1,000 identities becomes sentencing basis even though 950 identities were never misused. Defense must show that defendant had limited ability to use stolen identities, that many were non-functional or outdated, that government’s hypothetical loss calculation is speculative.
The Database Breach Phenomenon
Modern identity theft often involves database breaches where hackers steal millions of identity records. Equifax breach compromised 147 million people’s data. Capital One breach affected 100 million. These massive breaches create unprecedented identity theft prosecutions with victim counts and loss amounts that dwarf anything contemplated when Congress enacted identity theft statutes.
Calculating sentences for database breaches poses enormous challenges. If someone hacked into database and stole 10 million identity records, guideline calculations would reach offense levels requiring life sentences. Judges facing those calculations recognize they’re absurd. Some impose substantial variances below guidelines; others find ways to limit victim counts or loss amounts to keep sentences within rational bounds.
The problem is that sentencing guidelines were designed for individual offenders stealing dozens or hundreds of identities. They don’t scale to cybercrimes involving millions of identity records. Applying traditional fraud guidelines to modern database breaches produces mathematically correct but substantively absurd sentencing ranges that even prosecutors acknowledge are unreasonable.
When Synthetic Identities Complicate Prosecutions
Synthetic identity fraud involves combining real identifying information with fabricated data to create identities that don’t correspond to actual people. A fraudster might use real Social Security number with fake name, birth date, and address to create synthetic identity that passes basic verification but doesn’t belong to a real person.
Do synthetic identities violate Section 1028A? That statute requires using “means of identification of another person”—but synthetic identities aren’t real people’s identities. Courts split on whether using components of real identities (like actual SSNs) in synthetic identities qualifies as identity theft. Some hold that using any identifying information belonging to a real person suffices; others require that the identity as a whole belong to a real person.
This distinction matters for mandatory minimums. If synthetic identities don’t trigger Section 1028A, defendants avoid the mandatory consecutive 2 years. Prosecutors therefore argue that any use of real identifying information constitutes using another person’s means of identification. Defense argues that synthetic identities combining real and fake information don’t steal anyone’s actual identity—they create new non-existent identities.
Defending Identity Theft Prosecutions
Challenge knowledge elements under Flores-Figueroa. Section 1028A requires proof defendant knew the identification information belonged to another person. When defendants used randomly selected or purchased information without knowing it belonged to real people, knowledge element may not be satisfied. This defense is particularly important in immigration cases where defendants used SSNs to work without intending to assume anyone’s identity.
Contest victim counts by excluding people whose information was stolen but unused, people who suffered no harm, duplicate victims counted multiple times, or people whose information wasn’t actually identifying information within statutory definition. Victim counts drive substantial sentencing enhancements; accurate counting prevents inflated sentences.
Dispute loss calculations by demanding evidence of actual losses rather than speculative intended losses. Government must prove losses beyond reasonable doubt. Estimates based on assumptions that defendant would have used all stolen identities are speculative and shouldn’t drive sentencing.
Argue against stacking Section 1028A charges. Prosecutors sometimes charge multiple Section 1028A counts, each carrying mandatory 2-year consecutive sentence. If defendant used five different identities in single fraud scheme, should that yield five consecutive 2-year sentences adding 10 years on top of underlying fraud sentence? That stacking seems excessive for what’s essentially a single course of conduct.
If you’re under investigation for identity theft or facing charges under Sections 1028 or 1028A, contact Spodek Law Group immediately. Identity theft investigations often involve Secret Service or FBI reviewing extensive financial records, account applications, and personal identifying information. By the time charges are filed, prosecutors have traced identity use through multiple accounts and compiled victim lists. Early representation allows us to challenge knowledge elements before prosecutors build comprehensive cases, engage forensic accountants who can contest loss and victim calculations, and present mitigation showing conduct wasn’t aggravated identity theft warranting mandatory minimums. We represent defendants charged with everything from immigration-related SSN use to sophisticated identity theft rings. These cases require understanding both criminal law and identity verification systems. We’re available 24/7.