Criminal Activity

Business identity theft is alive and well

And it can happen to your business.

Criminals do not discriminate – businesses and organizations of any type, size or legal structure, including sole proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts and corporations, are all targets for business identity theft.

What exactly is business identity theft?  First, let’s clarify that we are not talking about an information security breach or an incident involving the loss or theft of confidential consumer information. Rather, business identity theft discussed here involves the actual impersonation of the business itself.

It happens when criminals pose as owners, officers or employees of a business in order to get their hands on cash, credit or loans, leaving the business on the hook to deal with the debt. A favorite tactic of identity thieves involves the theft of the tax identification number (TIN) or employer identification number (EIN) of the company or the owners’ personal information to use that data to open new lines of credit or obtain a business loan based on the company’s identity.

Another common form of business identity theft occurs when criminals file fake documents with the Secretary of State’s office to change company information such as its registered address or the names of directors, officers or managers. Once the records have been changed, the identity thieves can establish lines of credit or new accounts with the false information.

Other examples of the fraudulent use of a company’s information include current or former employees making use of their access to financial documentation; establishing a temporary office space or merchant accounts in a company’s name; going through a business’s trash and recycling bins to find account numbers or other sensitive data; using phishing attacks or other scams to get the business’s banking or credit information from employees; and filing for tax credits with stolen EINs.

Businesses are an attractive target for identity thieves. Generally speaking, a company will have higher credit limits than an individual, so opening a new account or line of credit in a business’s name will yield more cash for a criminal and larger purchases will receive less scrutiny. Perhaps most frustrating, companies are required by law to report certain identifiers (an address, EIN/TIN, and names of directors in most states), meaning the information is publicly available and easily accessible to anyone.

The invoicing and payment terms typically available to businesses can also work against them. Identity thieves may have a window of up to 30 days after a purchase to disappear before a company detects a problem – and even longer if the thieves use a different address.

Unfortunately, business identity theft is an underreported crime for a variety of reasons. Companies often have no idea their identity has been compromised until they begin receiving unfamiliar bills and collection notices when it is already too late to stop the thieves. Government agencies receive frequent requests for changes to company information and an address change is unlikely to raise red flags. Some businesses aren’t paying close enough attention or fail to caution employees about the possibility of phishing scams, while others may be embarrassed or concerned about their reputation with customers and don’t want to report what happened.

Given the underreporting problem, statistics on business identity theft can be hard to come by. However, the Internal Revenue Service (IRS) said it has seen the number of corporate tax returns flagged for potential business identity theft increase exponentially in recent years, from 350 in 2015 to 4,000 in 2016 with a jump to 10,000 in only the first six months of 2017. The cost of the damage has also risen dramatically, from $122 million in 2015 to $268 million the following year and $137 million for just the first half of 2017.

Importantly, these numbers reflect just one of the many forms of business identity scams.

What can companies do to protect themselves? Click here for a checklist of the most important steps for prevention and what to do if your business becomes a victim.

New Regulations for California Employers Regarding Criminal Background Checks

What this is about:
The Department of Fair Employment and Housing (the “DFEH”) recently enacted regulations (“Regs”) for California employers that impose new requirements when considering criminal history information in employment decisions.

Effective date:
July 1, 2017

What this means:
Substantially based on the enforcement guidance issued by the Equal Employment Opportunity Commission in April 2012, the Regs prohibit employers from using a candidate’s criminal history in personnel decisions, if such information will have an adverse impact on individuals in a legally protected class. The Regs also expand the types of records that California employers are already prohibited from considering. Namely, any non-felony conviction for possession of marijuana that is older than two years is now off-limits.

Requirements:
If an employer obtains conviction information from a source other than the candidate — consumer report or internally performed search — the employer must first notify the candidate that he/she has been screened out because of a conviction before taking any adverse action. This notice requirement differs from that of the Fair Credit Reporting Act (the “FCRA”), which mandates notices only if the employer takes adverse action based on information contained in a third-party report. Ban-the-box city ordinances, such as those in Los Angeles and San Francisco, have yet different requirements, providing that a notice may be required if the adverse action is based on criminal history information from any source, including disclosure by the candidate.

The Regs also mandate that the candidate be given a reasonable opportunity to demonstrate that the exclusion should not be applied due to his/her particular circumstances, and that the employer consider whether any additional information provided by the candidate or otherwise obtained by the employer warrants an exception.

According to the Regs, the candidate bears the initial burden of proof for establishing that the employer’s background screening policy has an adverse impact on a protected class. If an adverse impact is demonstrated, the burden shifts to the employer to show that its policy is “job-related and consistent with a business necessity,” and based on an individualized assessment, considering factors such as:

  • the nature and gravity of the offense or conduct
  • the time passed since the offense was committed and/or completion of the sentence
  • the nature of the job sought or held

Recommendations:
Employers in California should review their policies on the use of criminal history information in employment decisions and modify any practices to ensure compliance with the new Regs, the FCRA, analogous state law, and applicable local ban-the-box ordinances.

California’s marijuana laws present challenges for employers

Even for those not partaking in marijuana, the various California laws regulating its use can be confusing – particularly for employers.

The trend in state legislatures to permit the recreational and/or medicinal use of marijuana began with California’s Compassionate Use Act in 1996, which allowed state residents to use the drug for medical purposes and decriminalized possession of less than 28 grams. Complicating the matter, however: marijuana use remains prohibited by federal law.

With limited use of marijuana legal in the state, how can employers find out about a worker’s use of the drug or limit it without running afoul of state law?

Employers have two options: either try to obtain historical information, such as criminal convictions, or seek out current input via drug testing.

Criminal history related to drugs in many instances is off-limits for employers. Job applicants cannot be required to disclose an arrest that did not result in a conviction or participation in a pretrial or post-trial diversion program. Any criminal history that has been expunged, sealed, or dismissed will be unavailable, as are marijuana-related convictions dating back more than two years.

While California has not banned the box for private employers, local jurisdictions such as San Francisco have, requiring employers to wait until after a live interview or determining that an applicant meets the qualifications for the position before inquiring into criminal history. Background checks – whether performed in-house or by a third party – require compliance with federal law (the Fair Credit Reporting Act (FCRA)) as well as California’s counterpart, the Investigative Consumer Reporting Agencies Act (although the legality of the state statute is unclear; see story below for more detail). And such investigations into applicants’ history are a current target for the Equal Employment Opportunity Commission – which has filed multiple lawsuits (https://scherzer.co/eeoc-loses-again-in-challenge-to-background-checks/) against employers alleging their background checks constitute disparate impact discrimination against protected groups like African-Americans – and a popular basis for class actions. Recent cases have settled with multimillion-dollar awards, including a $2.5 million payout by Domino’s Pizza and a $6.8 million deal between Publix Super Markets and a class of applicants alleging the company violated the FCRA.

Drug tests can be a viable option for employers. Once a job offer has been made, an employer may require an applicant to pass a drug test as a condition of employment (as long as all potential employees are subject to the same requirement). After a worker has been hired, drug tests may be used if an employer has a reasonable suspicion that the employee is under the influence. Certain jobs – such as those in the transportation industry like truck drivers – may permit such testing more freely. If a test comes back positive, employers do have the discretion to discipline, terminate, or choose not to hire an applicant even if the individual legally holds a medical marijuana card issued by the state. In addition, despite the requirements under the Americans With Disabilities Act and California state law to provide reasonable accommodations to employees considered disabled, neither federal nor state law requires employers to permit marijuana use as such an accommodation.

Right to be Forgotten movement gains backers in the U.S.

Seeking to expand recognition of the Right to be Forgotten to the United States, a consumer group has filed a petition with the Federal Trade Commission (the “FTC”) requesting that Google be required to remove links upon request.

Last year, the European Court of Justice ordered Google to remove links about the financial history of a Spanish attorney, finding that the links to stories about his debts were “inadequate, irrelevant or no longer relevant, or excessive,” establishing the Right to be Forgotten (“RTBF”). Over the last 12 months, Google has received 274,462 removal requests and evaluated 997,008 URLs for removal from its search results.

In the hopes of bringing the RTBF to the United States, Consumer Watchdog recently filed a petition with the FTC. The group argued that by providing the ability to request removal of links to European consumers in Europe, Google engaged in unfair and deceptive practices in violation of the Federal Trade Commission Act. Not offering Americans the right to request removal – while providing it to millions of users across Europe – is unfair, the group argued to the FTC. And Google’s claims in its privacy policy that “[p]rotecting the privacy and security” of customer information “is a top priority,” are deceptive because the company limits protections by denying the RTBF, the consumer group added.

Consumer Watchdog listed several examples of U.S. citizens who have been harmed without the RTBF in this country, ranging from a guidance counselor who was fired after photos of her as a lingerie model from 20 years prior surfaced online to a woman whose mug shot appeared online after she was arrested defending herself against an abusive boyfriend. The group also told the FTC that Google already removes certain types of links from search results in this country (such as revenge porn), meaning it has the capability to remove other links as well.

“As clearly demonstrated by its willingness to remove links to certain information when requested in the United States, Google could easily offer the RTBF or the Right To Relevancy request option to Americans,” Consumer Watchdog wrote. “It unfairly and deceptively opts not to do so.”

The RTBF doesn’t implicate First Amendment concerns or constitute censorship, the group said, because the content remains on the Internet. The right “simply allows a person to request that links from their name to data that is inadequate, irrelevant, no longer relevant, or excessive be removed from search results,” according to the petition. “Americans deserve the same ability to make such a privacy-protecting request and have it honored.”

Further, the right isn’t automatic. “Removal won’t always happen, but the balance Google has found between privacy and the public’s right to know demonstrates Google can make the RTBF or Right To Relevancy work in the United States,” Consumer Watchdog concluded.

Meanwhile, the issue of expanding the RTBF has also come up in Europe. In July, a French regulatory authority ordered Google to remove all the links from its search pages including Google.com in the U.S. – not just the European pages. Google refused to comply and filed an appeal of the order. “We believe that no one country should have the authority to control what content someone in a second country can access,” Google’s global privacy counsel Peter Fleischer wrote on the company’s blog.

Read Consumer Watchdog’s petition to the FTC.

Asset searches: who can get bank information and why

Accessing bank account information can be vitally important, particularly for those engaged in a lending transaction seeking to fulfill due diligence requirements. But getting your hands on the information can be a challenge.

Asset searches are not illegal. However, certain methods to obtain bank or investment account information can be, such as pretext calling. The simplest way to obtain financial information is via the account holder, a designated representative, or a party with a valid court order. The first two options are unlikely to be forthcoming. As for the third choice, obtaining a court order to access such information can be time-consuming and costly.

Access to financial information is regulated by both federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation on financial institutions to protect customer information. Generally, a “customer” is defined as an individual consuming goods or services for personal or household use, although some authorities have included sole proprietors, partnerships of five or fewer, and other small businesses to receive the same privacy protections. For businesses, the issue of data protection is governed by contract. While the consumer protection provisions of laws like the GLBA would not apply, it does not mean that financial institutions can freely share their information.

International asset searches present their own set of problems. Other countries – particularly those in the European Union – have strict data privacy laws that prohibit any access to personal information as well as the transfer of data across national borders. Federal law also comes into play, with the Foreign Corrupt Practices Act presenting potential liability issues if an entity searching for asset information obtained the information by illegal means (such as bribing a banking or government official).

What about judgments? While a judgment cannot by itself force a bank or brokerage firm to disclose account information, it allows a creditor to use the court to seize the debtor’s assets. With a judgment in hand, a creditor can file for an order of examination which will require the debtor to disclose – under oath – the location of assets, details about income, or other relevant information. However, the judicial process of obtaining a judgment reveals the intent of the creditor and can give the debtor time to empty an account or move assets prior to the court entering an order. Judgments can also be tricky to enforce. State law governs judgments with specifics varying in each jurisdiction. In California, a creditor must obtain a writ of execution directing a levying officer (usually a sheriff) to serve the writ on the named institution. The institution must then freeze the specific account(s) or, in certain situations, turn over the balance in the account. Serving a writ of execution in California was recently simplified to allow service on a “central location” designated by a bank with nine or more locations in the state or accept service at any branch without such a designated office.

Long-arm statutes can be used to reach accounts in a jurisdiction other than where the judgment originated. A debtor can object to the attempt and courts typically impose a test of whether the debtor or third party (like the bank or brokerage holding the assets) has connections with the court or creditor, which, at a minimum, can delay the process and make it more expensive.

For assets like stocks, bonds, and commodities, creditors can again obtain a court order that can liquidate the account into cash to be turned over to the creditor. It should be noted that certain types of accounts (notably retirement accounts) cannot be reached, even in cases of fraud. To preserve an account balance, a creditor can serve a levy on a brokerage in order to put a hold on the account while waiting for a court order.

Public records – ranging from property records to litigation – can also help locate or confirm a debtor’s assets. One important consideration: it is essential to vet any company that purports to be able to obtain financial account information. Many misleading claims and offers about obtaining such information can be found on the Internet and creditors should ensure that any data obtained was in accordance with applicable law and regulations.

Going global: international background checks

As the business world increasingly goes global, even small or medium-sized companies may have international outposts or employees located beyond the U.S. border. In addition, with security – both physical and digital – an important issue, employers want to know everything they can about their employees.

Many employers are turning to international background checks. But a criminal record or a credit report like those used in the United States can get lost in the translation.

First up: cultural norms. What may seem perfectly routine and acceptable in the United States may confuse or offend those in other countries. For example, things like credit checks and drug tests are virtually unheard of abroad and cultural differences may yield what might by American standards be unusual answers in a personality test. A second important consideration: the law. Just as the U.S. has the Fair Credit Reporting Act (FCRA) and other regulations setting the boundaries of background checks, foreign jurisdictions have their own laws of the land. The French Labor Code, for example, requires that its “works council” review employment screening procedures prior to an employer’s use.

One huge legal complication can be found in the area of privacy law. The European Union imposes restrictions on obtaining information about employees or applicants, the way in which such information can be used, and how the information can be shared or transmitted. To alleviate some of the liability concerns, the U.S. has entered into a Safe Harbor framework with the European Commission, which requires compliance with seven principles of data security. And while the EU leads the pack, other countries (like Australia, Canada, Hong Kong, and Japan) also pose challenges with their strict regulation of privacy.

Having an applicant sign a consent form to release information may be of little help as several EU countries also recognize a presumption against enforcement of such agreements on the basis that employees and applicants have limited bargaining power in the employment context. Alternatively, employers may have better luck by having applicants do the work themselves, providing their own background information to avoid implicating data privacy laws. Of course, this raises authentication and accuracy questions.

The collection of criminal information can also present logistical challenges. Many countries do not have an organized court system, and records, if available, may have to be searched on a regional or town-by-town basis, or at multiple agencies (like the police, the court venue and a government agency, for example). Certain countries offer what is known as a “police certificate” which will confirm the information about an applicant found in police records. Some countries, like Poland, have banned the collection of criminal records altogether; Spain prohibits the possession of records but an applicant could, in theory, show an employer his or her record.

If the screening is being conducted by a consumer reporting agency located in the United States, the FCRA requirements also come into play. International background checks are not impossible, but they do pose a number of legal and cultural risks that can be tackled with the right planning and professional assistance from an experienced background screening company.

Pennies add up to $18.7 million in allegedly illicit gains

A bit different from the billion-dollar frauds that frequently made headlines in years past, a complaint filed on October 5, 2014 by the Justice Department in the federal district court in Manhattan accuses two former New York brokers of securities fraud and conspiracy for secretly adding a few pennies to the cost of securities trades they processed to generate $18.7 million in gains. The SEC also filed civil charges against the men, and added another broker as a defendant. The SEC’s complaint alleges that from at least 2005 through at least February 2009, the defendants perpetrated the scheme by falsifying execution prices and embedding hidden markups or markdowns on over 36,000 customer transactions. According to the SEC, the defendants charged small commissions—typically pennies or fractions of pennies per share; the scheme was devious and difficult to detect because they selectively engaged in it when the volatility in the market was sufficient to conceal the fraud. One of the defendants, who was in charge of entering the prices into the trading records and playing a critical role by controlling the flow of information, already pleaded guilty to securities fraud and conspiracy.

San Francisco enacts ordinance for using criminal records in employment decisions

Effective August 13, 2014, under San Francisco’s Fair Chance Ordinance, companies with 20 or more employees are prohibited from inquiring about an applicant’s criminal history on the employment application or during the first live interview. Along with banning the box, the ordinance imposes several additional restrictions and mandates certain considerations for individualized assessment. San Francisco employers must also ensure that their notice and consent forms for criminal background inquiries later in the process comply with the guidelines that will be published by San Francisco’s Office of Labor Standards Enforcement (OLSE) as well as with the already existing background check disclosure/authorization requirements under California’s ICRAA and the FCRA.

San Francisco is the ninth jurisdiction with legislation that affects private employers. The remaining eight are the states of Hawaii, Massachusetts, Minnesota, Rhode Island, and the cities of Buffalo, NY, Newark, NJ, Philadelphia, PA, and Seattle, WA. Multi-state employers should consider whether their particular circumstances warrant adopting individualized employment applications for jurisdictions with ban-the-box laws, or whether to use a nationwide standard form. Employers who opt for a standard electronic application for all locations need to include a clear and unambiguous disclaimer for applicants in each applicable ban-the-box jurisdiction. It is uncertain whether such disclaimers are sufficient for paper applications of multi-state employers in at least one ban-the-box jurisdiction (Minnesota) or if the box must be removed altogether.

For more information on ban-the-box legislation, see the recently published briefing paper by the National Employment Law Project titled Statewide Ban the Box – Reducing Unfair Barriers to Employment of People with Criminal Records.

Note: Effective August 13, 2014, with our California employment-purpose disclosure/authorization form, we will be including a supplemental disclosure/authorization notice as prescribed by the OLSE, for use by San Francisco employers.

New law prohibits North Carolina employers from asking about expunged records

Effective December 1, 2013, employers in North Carolina will not be able to ask job applicants about arrests, criminal charges, or convictions that have been expunged. SB 91 prohibits inquiries into expunged matters both on applications and during interviews, and was enacted to clear the public record of any arrest, criminal charge, or conviction that was expunged so that the subject is legally entitled to withhold all information about it from potential employers and others. Notably, employers will still be allowed to ask about arrests, criminal charges, or convictions that have not been expunged and can be found in public records.

FTC says data brokers willing to sell consumer information and disregard FCRA

On May 7, 2013, the Federal Trade Commission (the “FTC”) announced the results of its testing operation, revealing that 10 companies out of the 45 that the FTC approached seemed to be willing to sell consumer information without complying with the Fair Credit Reporting Act (“FCRA”). The FTC reported that its staffers asked the companies about buying the information for purposes such as determining creditworthiness, suitability for employment or eligibility for insurance.

Six of the 10 companies appeared willing to sell consumer information for employment purposes, two for insurance decisions and two for pre-screened lists of consumers to use in making firm offers of credit. The data brokers were contacted again by the FTC, but this time in the form of letters, warning that their practices may violate the FCRA. The warning letters are part of an ongoing international effort spearheaded by the Global Privacy Law Enforcement Network, an informal group of consumer protection and privacy agencies. 
