Statutory Framework

Section summary§1028A creates aggravated identity theft. The 2-year consecutive sentence is mandatory; no parole. The offense attaches to underlying felonies.

§1028A framework:

  • Mandatory 2 years consecutive.
  • No parole.
  • Attaches to specified underlying offenses.
  • Federal sentence (BOP).

Elements

Section summaryKnowing transfer, possession, or use of means of identification of another person without lawful authority during commission of enumerated felony.

Elements:

  • Knowing transfer, possession, or use.
  • Means of identification of another person.
  • Without lawful authority.
  • During commission of enumerated felony.

Knowledge Requirement

Section summaryFlores-Figueroa v. United States, 556 U.S. 646 (2009), held that the defendant must know the means of identification belongs to another person — not just that it was a means of identification.

Flores-Figueroa requirement:

  • Knowledge that identification belongs to real person required.
  • Mere use of false identification not enough.
  • Substantial element raising the government burden.
  • Affects cases using fabricated vs stolen identification.

Underlying Offenses

Section summary§1028A applies to specifically enumerated underlying felonies. CFAA fraud (§1030(a)(4)) and wire fraud (§1343) are among the qualifying offenses.

Common underlying offenses:

  • Wire fraud (§1343).
  • Mail fraud (§1341).
  • CFAA fraud (§1030(a)(4)).
  • Other enumerated felonies.

Mandatory Consecutive

Section summaryThe 2-year sentence is mandatory consecutive to the underlying offense. The court has no discretion to reduce or run concurrent.

Sentencing impact:

  • Mandatory 2 years (5 years for terrorism-related).
  • Consecutive to underlying offense.
  • Cannot be reduced via Guidelines or §3553(a).
  • Major consideration in plea negotiations.

Need defense counsel?

L&L Law Group, PLLC handles Computer Crimes Defense cases throughout DFW. Initial consultations are free.

Call (972) 370-5060 →

Forensic Foundation

Identity Theft and CFAA Overlap cases turn on digital-forensic evidence: device images, file metadata, network logs, cloud-account records, malware reverse engineering, and attribution analysis. Counsel handling a case overlapping identity-theft and CFAA charges must engage with the forensic record at a technical level, not just legal level.

The defense's threshold task is review of the government's forensic methodology. Was the device imaged using accepted procedures? Was the image hash-verified against the original? Did the examiner have appropriate certifications? Did the analysis follow the examiner's lab's standard operating procedures? Each step in the chain produces potential challenges at hearing and trial.

Where the case turns on contested forensic findings, the defense should retain an independent examiner. The defense expert reviews the government's work, performs parallel analysis where possible, and is available to testify if needed. Funding for defense experts is available in federal cases under the Criminal Justice Act (18 U.S.C. §3006A) and in Texas indigent cases under Code of Criminal Procedure Article 26.05.

Van Buren and Authorization Screen

The Supreme Court's decision in Van Buren v. United States, 593 U.S. 374 (2021), reshaped the CFAA "exceeds authorized access" analysis. The Court held that the statute applies only where the defendant accessed an area of a computer system they were not entitled to enter at all — not where they had credentials but used them for an improper purpose. The "gates-up-or-down" inquiry asks whether the user could or could not access the specific area, not why they accessed it.

For a case overlapping identity-theft and CFAA charges (where authorization is in issue), the defense must screen the indictment against the post-Van Buren framework. Cases built on theories that the defendant misused authorized access — rather than entering a system they had no right to enter — should be evaluated for dismissal under Van Buren. Many CFAA charges filed before 2021 survived only because the law had not yet been clarified; charges filed since must satisfy the gates-up-or-down standard.

The defense should also consider whether parallel state charges (Texas Penal Code §33.02) provide the same protection. Texas "effective consent" analysis under Chapter 1 of the Penal Code is broad. A defendant who had colorable authorization — an unrevoked password, a shared account, an implied license — has a defense to the access element under state law that runs parallel to the federal Van Buren analysis.

The overlapping statutory framework for identity theft and CFAA

Federal identity theft is criminalized under 18 U.S.C. Section 1028 and aggravated identity theft under 18 U.S.C. Section 1028A. The provisions reach the use of another person identifying information without authorization in connection with various federal offenses. The Computer Fraud and Abuse Act at 18 U.S.C. Section 1030 reaches unauthorized access to protected computers. The two frameworks overlap substantially in cases where unauthorized access produces identity theft, and prosecutors typically charge both statutes when both elements are present.

Identity theft under Section 1028(a)(7) reaches knowingly transferring, possessing, or using a means of identification of another person without lawful authority with the intent to commit, aid, or abet, or in connection with any unlawful activity that constitutes a violation of federal law or a state law felony. The provision has broad reach because it applies to identification used in connection with virtually any federal or felony state offense. The penalty structure includes up to fifteen years for the most serious offenses.

Aggravated identity theft under Section 1028A imposes a mandatory two-year consecutive sentence when the defendant knowingly uses another person identification in connection with enumerated felony offenses. The mandatory consecutive nature means that the two-year sentence is added to whatever underlying sentence the defendant receives for the connected offense. The Section 1028A enhancement can substantially increase the total sentencing exposure and is a frequent focus of plea negotiations.

The Dubin decision and the connection requirement

The Supreme Court decision in Dubin v. United States, 599 U.S. 110 (2023), substantially narrowed the application of Section 1028A. The Court held that the use of another person identification must be in connection with the predicate offense in a specific way involving the identification being at the crux of the offense. Mere incidental use of identification in connection with an offense does not trigger the mandatory consecutive sentence.

The Dubin framework requires the identification use to be central to the offense rather than merely related to it. A medical provider who fraudulently bills for services using a patient identification number engages in central use of the identification because the billing depends on the identification. A defendant who uses a name to identify himself during a crime does not engage in central use because the identification is incidental to the underlying offense.

The Dubin defense application requires careful analysis of the specific role the identification played in the alleged offense. The defense should identify the specific identification at issue, the specific use the defendant made of it, and the specific connection between the use and the predicate offense. The defense can challenge the centrality of the identification through factual development and legal argument. The Dubin defense can eliminate the mandatory consecutive sentence even where the underlying offense is otherwise established.

Identity theft enabled by CFAA violations

The combination of CFAA and identity theft charges is common in cases involving database breaches, account takeover schemes, and other forms of computer-enabled identity theft. The CFAA charges address the unauthorized access component, and the identity theft charges address the use of obtained identification. The combined charges can produce substantial sentencing exposure that exceeds the exposure under either statute alone.

The Van Buren framework affects the CFAA portion of these cases substantially. Cases involving insider access to identification databases for improper purposes may have CFAA defenses under Van Buren even where the identity theft charges are clearly established. The defense should evaluate the CFAA charges under the Van Buren framework while also developing the identity theft defenses on their own merits.

The defense strategic considerations include the relative importance of defeating each category of charge. The CFAA charges typically carry lower base sentencing exposure than the identity theft charges, but the CFAA conviction can have substantial collateral consequences including effects on technology industry employment. The identity theft charges carry higher base sentencing exposure and the Section 1028A mandatory consecutive sentence. The defense should prioritize the charges that drive the overall exposure while preserving defenses to all charges.

State-law identity theft and the federal-state coordination

Texas state law on identity theft is codified at Texas Penal Code Chapter 32, particularly Section 32.51 (fraudulent use or possession of identifying information). The state framework parallels the federal framework in many respects but has distinct elements and penalty structures. The state provisions can be charged in cases that do not have substantial federal interest or where the federal authorities decline prosecution.

The federal-state coordination in identity theft cases typically involves the federal authorities handling cases with substantial interstate elements, multiple victims, or large losses, while the state authorities handle cases with primarily local impact. The dual-sovereignty principles allow prosecution under both, but coordinated practice typically avoids duplicative prosecution. The defense should understand which forum is likely to handle the case and should develop strategy accordingly.

The negotiated disposition options in identity theft cases include pleas to lesser-included offenses, charge concentration where multiple charges can be reduced to a single count, and elimination of the Section 1028A consecutive sentence in federal cases. The defense should pursue negotiated dispositions that minimize the total exposure across all charges. The Dubin defense provides additional negotiation leverage because the government may agree to drop Section 1028A charges to avoid Dubin litigation. The defense should be familiar with the Dubin application to the specific case and should use the Dubin leverage strategically in the negotiation.

The Identity Theft Enforcement and Restitution Act implications

The Identity Theft Enforcement and Restitution Act of 2008 expanded federal identity theft authority and created specific provisions for restitution to identity theft victims. The Act amended 18 U.S.C. Section 3663(b)(6) to include a broader category of victim losses recoverable through restitution including the value of the time reasonably spent by the victim attempting to remediate the intended or actual harm. The expanded restitution framework substantially affects the long-term financial exposure of defendants in identity theft cases. Restitution can include not only direct losses but also the substantial time and effort that victims spend recovering from identity theft including contacting credit bureaus, freezing accounts, and addressing fraudulent transactions. The defense should evaluate the realistic restitution exposure as part of any plea negotiation, recognizing that the restitution obligation can extend for decades beyond the criminal sentence.

Frequently Asked Questions

Does §1028A apply if I use my own identification?
No. The statute requires use of another person's identification. Using your own identification (even falsely) does not trigger §1028A.
What if the identification is fabricated (not stolen from real person)?
Flores-Figueroa requires knowledge that the identification belongs to a real person. If the identification is fabricated and the defendant did not know it corresponded to a real person, §1028A typically does not apply.
Does §1028A apply to using SSN for employment?
Possibly. Use of another's SSN to obtain employment can constitute identity theft. Recent prosecutions have applied §1028A to employment-related identity use.
Can §1028A be negotiated in plea bargaining?
Limited. The statutory 2-year mandatory is non-negotiable once §1028A is charged. Pre-charge negotiation to avoid §1028A charge is the typical approach.
Part of a larger guide

Read the full Texas Computer Crimes Defense Guide

This article is one section of our comprehensive Texas Computer Crimes Defense Guide. The pillar guide covers recent developments, official resources, and the complete framework with deeper analysis.

Read the Pillar Guide →
⚖️
Texas Bar
Licensed
Bar Nos. 24043266 · 24043514
🏆
40+
Years Combined
Criminal Defense Experience
📞
Free
Consultation
Direct to Attorney
🔓
24/7
Jail Release
Available 7 Days a Week

Practical Checklist

  • Document everything early. Communications, records, and witness contact information lose value as time passes. Preserve them at the start of the case.
  • Identify all parallel proceedings. Criminal, administrative, civil, and regulatory tracks often run in parallel. A statement in one becomes evidence in another. Map the full picture before any disclosure.
  • Calendar every deadline. Filing deadlines, response deadlines, discovery deadlines, and hearing dates all have consequences. Missing a deadline can foreclose defenses that the facts otherwise support.
  • Build the mitigation package early. Witness letters, treatment records, employment verification, and character references take time to gather. Counsel should begin building the package at the first consultation, not as the hearing approaches.
  • Coordinate counsel across forums. Where the matter implicates multiple proceedings, having coordinated counsel (whether one firm or multiple firms in close communication) avoids the strategic errors that inconsistent representation creates.
  • Understand the public-record dimension. Many dispositions create searchable records that follow the licensee, defendant, or respondent for years. The decision to contest versus resolve must account for the public visibility of each path.

For a confidential evaluation of your matter, call L&L Law Group at (972) 370-5060 or email info@landllawgroup.com. Initial consultations are free.

Next Steps

If you are facing a situation described here, consult counsel promptly. Many issues in this area run on strict deadlines.

Reggie London & Njeri London

Co-Founding Partners · L&L Law Group, PLLC

Reggie London (Tex. Bar #24043514) and Njeri London (Tex. Bar #24043266) co-founded L&L Law Group in Frisco, Texas.

This guide was reviewed by Reggie London on May 30, 2026.

Cite this guide

Bluebook: Reggie London & Njeri London, Identity Theft and CFAA Overlap, L&L Law Group (May 30, 2026), https://landllawgroup.com/insights/identity-theft-cfaa-overlap/.

APA: London, R., & London, N. (2026, May 30). Identity Theft and CFAA Overlap. L&L Law Group.