According to the Federal Trade Commission (FTC) data from its Consumer Sentinel Network (CSN), an online database of consumer complaints available only to law enforcement, identity theft was the top consumer complaint in 2011, accounting for 17% or 287,232 complaints of the 1.8 million received; 990,242 of these cases involved fraud.

There are no reliable federal or state statistics that specifically track business identity theft, but various studies suggest that businesses do not report the crime because of the stigma attached to it. The company’s credibility and trust of its clients may never recover if they admit to being a victim.

Business identity theft comes in many forms. Posing as a look-alike or sound-alike business, and impersonating owners, officers or employees to illegally get cash, credit, and loans, is just one example. Thieves typically steal a business’ identity by gaining access to its bank accounts and credit cards, or by stealing sensitive company information, such as its tax identification number (TIN) and the owners’ personal information. Elaine Marshall, North Carolina’s Secretary of State, sees an increasing number of cases involving falsified documents. Marshall says that “the easiest targets are dissolved corporations, because whoever ran those defunct businesses usually no longer pays attention. Somebody comes 20 years later and reinstates it, and it looks like it’s a 40-year-old corporation. And if it was in good standing financially when it was dissolved, then

[the thief] will capitalize on that good standing.”

Indeed businesses have become easy targets for identity theft. Almost anyone can obtain a business’ tax identification number. A merchant’s basic financial information, including bank account numbers, may be known to hundreds of its customers and suppliers. Data access can be exploited by employees and insider theft, and fraud is often difficult to detect, especially when carried out by trusted employees. Many businesses do not review their own credit information for fraud and may be lax in shredding or disposing of documents. Although more businesses are conducting background checks on employees and suppliers, only a few ensure the integrity of their commercial shredding contractors and even fewer conduct background checks on in-house or contracted cleaning staff. And many companies are simply complacent in data security.

The Internet carries the highest perpetration of criminal theft and fraud. Since 2002, the FBI has recorded an 84% increase in the number of computer intrusion investigations. Cyber thieves use the web to obtain goods, services, and money while exploiting time-lags in discovery and investigation. They also prowl for valuable non-ID specific business data including confidential e-mails, customer and marketing data, bid and pricing sheets, and trade-secrets. In the financial services sector, the vast majority of transactions, including credit cards and debit cards, and even mortgage funding, occur online in virtual anonymity without the risks associated with in-person transactions. Because such identity theft crimes take place in cyber-space, police often must coordinate with other state, federal, or international agencies. And even when jurisdictional issues are resolved, often only high-profile offenders actually face criminal prosecution.

In this complex and dangerous environment, a proactive approach to preventing business identity theft is critical, and should include:

  • Security policies based on the highest reasonably assessed risk, including limiting the number of persons with a valid need to access sensitive information;
  • Corporate governance which advocates strong security planning;
  • System audits and tests to ensure detection of inappropriate usage and other vulnerabilities;
  • Background checks of all employees, key vendors, and contractors including document shredding entities, cleaning personnel, etc.;
  • Annual reviews of Secretary of State and other public filings;
  • Annual or more frequent reviews of Dun & Bradstreet reports, and if applicable, small business reports with Equifax, Experian and TransUnion;
  • Practice of excluding sensitive personal or business information in public filings;
  • Shredding or destroying business records as applicable;
  • Securing paper documents in locked cabinets in restricted areas;
  • Using privacy screens with smart phones, laptops, etc., when accessing sensitive information while traveling; and
  • Obtaining business insurance that covers potential business identity theft losses.

There are many online information and action resources for identity theft. The FTC provides comprehensive guidelines for prevention and recovery from identity theft, along with complaint forms. The Identity Theft Resource Center also contains excellent reference materials, including links to state and local agencies, as do the Privacy Rights Clearinghouse and the National Consumers League.