Reporting Cybersecurity Incidents as a US Homeowner
Cybersecurity incidents affecting residential households — from smart home device compromises to identity theft and ransomware targeting home networks — fall across a fragmented reporting landscape involving federal agencies, state attorneys general, financial regulators, and law enforcement. Understanding where to report, what qualifies as a reportable incident, and how different reporting channels function is essential for homeowners seeking remediation, documentation for insurance claims, or law enforcement engagement. This page maps the reporting structure, key agency jurisdictions, and decision logic that determines which channel applies to a given incident type.
Definition and scope
A cybersecurity incident in the residential context refers to any unauthorized access, disruption, misuse, or compromise of a homeowner's digital assets, devices, accounts, or network infrastructure. This includes unauthorized access to home Wi-Fi routers, compromise of smart home systems (cameras, locks, thermostats), phishing attacks that yield credential theft, email account takeovers, financial fraud originating from credential compromise, and ransomware infections on personal computers.
The scope of reportable residential cyber incidents is broader than most homeowners recognize. The Federal Trade Commission (FTC) holds primary federal jurisdiction over consumer identity theft and fraud, while the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) is the designated national intake point for cybercrime complaints under FBI authority. The Cybersecurity and Infrastructure Security Agency (CISA) focuses primarily on critical infrastructure but operates a 24/7 reporting line that accepts residential incident reports relevant to broader threat intelligence.
State-level jurisdiction adds another layer: all 50 states have enacted data breach notification laws requiring businesses that hold consumer data to notify affected residents, but homeowners themselves are not subject to mandatory reporting requirements under federal law. Incident reporting by homeowners is voluntary at the federal level, though it feeds into aggregate intelligence used by agencies including CISA and the FBI.
How it works
Residential cybersecurity incident reporting follows three parallel tracks that are not mutually exclusive — a homeowner may file with all three simultaneously depending on the incident type.
-
Federal intake via IC3: The FBI's IC3 accepts online complaints at ic3.gov for internet-facilitated crimes including fraud, ransomware, business email compromise affecting personal accounts, and device-level intrusions. IC3 routes complaints to federal, state, or local law enforcement as appropriate. Submitting a complaint creates a documented record usable in subsequent legal proceedings.
-
Consumer protection reporting via FTC: The FTC's IdentityTheft.gov platform handles identity theft reports specifically and generates a personalized recovery plan tied to the report. Standard fraud complaints (non-identity-theft) are submitted via the FTC's ReportFraud.ftc.gov portal. FTC data feeds the Consumer Sentinel Network, which is accessible to over 2,800 law enforcement agencies (FTC Consumer Sentinel Network).
-
State attorney general or state cybercrime unit: Forty-seven states maintain dedicated consumer protection divisions that accept cybercrime and fraud complaints. Several states — including California, New York, and Texas — operate dedicated cybercrime units within their attorney general offices. State reporting is particularly relevant when a local business's breach compromised the homeowner's data, triggering state notification law requirements.
Additionally, financial account compromise must be reported directly to the relevant financial institution and, if debit or credit fraud is involved, to the Consumer Financial Protection Bureau (CFPB). Under the Electronic Fund Transfer Act (15 U.S.C. § 1693), liability limitations for unauthorized electronic fund transfers are time-sensitive, making prompt reporting to the financial institution legally consequential.
Common scenarios
Three incident types account for the majority of residential cybercrime reports filed with IC3 annually.
Phishing and credential compromise: An email or SMS message harvests login credentials for banking, email, or smart home platforms. The reporting path leads to IC3 for the crime itself, IdentityTheft.gov if accounts were used to open credit lines, and the relevant financial institution if funds were transferred.
Smart home device compromise: A router vulnerability or weak IoT device password allows unauthorized access to security cameras, smart locks, or HVAC systems. CISA publishes guidance on securing home networks and accepts incident reports through its reporting portal. This scenario is explored further in the context of the broader home security providers sector covered across this reference network.
Ransomware on personal devices: Malware encrypts files and demands payment. IC3 is the primary reporting channel. The FBI advises against paying ransoms but documents these incidents for threat intelligence. CISA's #StopRansomware resource provides structured reporting guidance.
For homeowners navigating the service landscape — including professional remediation providers — the home security provider network purpose and scope explains how service categories are organized within this reference network.
Decision boundaries
Determining which reporting channel to prioritize depends on incident classification:
| Incident Type | Primary Channel | Secondary Channel |
|---|---|---|
| Identity theft / credit fraud | IdentityTheft.gov (FTC) | IC3, State AG |
| Financial account fraud | Financial institution + CFPB | IC3 |
| Ransomware / malware | IC3 | CISA |
| Smart home / IoT compromise | CISA | IC3 |
| Phishing (no financial loss) | ReportFraud.ftc.gov | IC3 |
| Data breach by a business | State AG | FTC |
The contrast between FTC and IC3 jurisdiction is operationally significant: the FTC's authority is civil and consumer-protection-oriented, while IC3 routes matters toward criminal investigation. Filing with both is not redundant — each serves a distinct institutional function.
Homeowners uncertain about whether an incident meets a reporting threshold should consult how to use this home security resource for orientation within this reference network's service-sector framing, or review the CISA incident reporting guidance directly for threshold definitions.