Identity Crisis: Supreme Court Rules on ‘Identity Theft’ Penalty Enhancement
As part of a suite of statutes, Congress made it a crime to “exceed authorization” to access a computer (CFAA, 18 USC 1030) and to traffic in purloined passwords (18 USC 1029) and “‘Fraud and related activity in connection with identification documents, authentication features, and information’”(18 USC 1028). Congress also created an enhancement to other crimes if, in the course of committing that crime, the offender committed “aggravated identity theft;” that is, essentially, if an offender also misused the identity of another person. The statute, 18 USC 1028A, made it a sentencing enhancement for a crime if an offender “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.” So, what does it mean to “use” without lawful authority “a means of identification” of another person? As Lewis Carroll’s Through the Looking Glass observed, “’When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘It means just what I choose it to mean—neither more nor less.’”
On June 8, 2023, the Supreme Court addressed a situation in which a medical practice billed actual patients for actual services performed for those patients, but the services were billed at a rate higher than those authorized by the patient. In addition to prosecuting the physicians/medical practice for Medicaid fraud resulting from the overbilling, the government requested a penalty enhancement, alleging that the patient’s “means of identification” (their Social Security Numbers or Medicaid ID) were used “without lawful authority” when the bills were submitted. None of the patients authorized the medical practice to bill the amount billed for the services. Hence, there was no “lawful authority” for the use of the ID.
In Dubin v. United States, the high court disagreed. Justice Sotomayor, writing for the court, noted that under the rationale that any use of an ID in furtherance of a crime was identity theft, “A lawyer who rounds up her hours from 2.9 to 3 and bills her client electronically has committed aggravated identity theft. The same is true of a waiter who serves flank steak but charges for filet mignon using an electronic payment method.” In fact, this is not too far off from how the Justice Department has successfully wielded the aggravated ID theft enhancement, prosecuting a person for making “a counterfeit handgun permit” for another person, using that person’s real name and at that person’s request, or for unlicensed doctors who issued prescriptions to real people, an ambulance service inflating its reimbursement rates or a massage therapist falsely billing Medicare for “physical therapy” services. It’s not that these things aren’t crimes. But are they “aggravated identity fraud?”
The court looked at the language and history of the statute. The government proffered that any “use” of the identity documents “of another” was sufficient to trigger the statute if that use was “during and in relation to any [enumerated] felony.” Thus, in Sotomayor’s flank steak-purveying waiter example, while the crime is overbilling for filet mignon instead of a flank steak, the patron’s “means of identification”—their credit card—was “used” “during and in relation to” the fraud crime. Voila! Aggravated identity fraud. In other words, any fraud where identity was used triggers the statute.
The high court disagreed and focused on the harm the statute was intended to prevent—identity fraud—not just fraud that involved an identity document. The court relied on plain old dictionary definitions of “identity fraud” to stress that “identity theft” has a focused meaning. One dictionary defines identity theft as “the fraudulent appropriation and use of another person’s identifying data or documents, as a credit card.” Another similarly offers “[t]he unlawful taking and use of another person’s identifying information for fraudulent purposes; specif[ically] a crime in which someone steals personal information about and belonging to another, such as a bank account number or driver’s license number, and uses the information to deceive others.”
The essence of identity fraud is “false personation.” That is, to pretend to be an actual person that you are not in furtherance of a fraud. The court also noted that the use of the identity suggested that the identity documentation must have been in some sense “stolen” or “misappropriated.”
Congress thus employed a trio of verbs that captured various aspects of “classic identity theft.” There is “the defendant [who] has gone through someone else’s trash to find discarded credit card and bank statements,” ibid., and thus has taken possession unlawfully. There is the bank employee who passes along customer information to an accomplice and thus transfers it unlawfully. Then there is use involving fraud or deceit about identity: “[A] defendant [who] has used another person’s identification information to get access to that person’s bank account.” Ibid.
None of this kind of activity occurred in the “non-classic” identity theft example presented. Put simply, the Department of Justice was attempting to stretch the “aggravated identity theft” statute well beyond both its intent and language. The court concluded that, “A far more sensible conclusion from the statutory structure is that §1028A(a)(1)’s enhancement is not indiscriminate, but targets situations where the means of identification itself plays a key role—one that warrants a two-year mandatory minimum. This points once more to a targeted reading, where the means of identification is at the crux of the underlying criminality, not an ancillary feature of billing.”
While the case has limited impact other than in cases in which the government seeks to enhance penalties, its overall approach is to limit the scope of government overreach in the application of criminal statutes. (“This [c]ourt has traditionally exercised restraint in assessing the reach of a federal criminal statute.”) At the end of the day, the court held that “identity fraud” means, well, “identity fraud.”
“‘When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘it means just what I choose it to mean—neither more nor less.’ The question is,’ said Alice, ‘whether you can make words mean so many different things.’ ’The question is,’ said Humpty Dumpty, ‘which is to be master—that’s all.”