What's Your Story Idea July 9, 2009, 7:22PM EST

Taking On Small-Business Identity Theft

It's a big problem that companies are loath to discuss. But California's amended identity theft laws show that offering protections to smaller companies on par with those for individuals helps tremendously

Related Items

The idea for "Taking On Small-Business Identity Theft" came from BusinessWeek reader Carol Klimas, public relations director at Off Madison Ave. in Phoenix.

Story Tools

An overwhelming majority of identity theft schemes take advantage of personal identification, but businesses and organizations are also vulnerable.

Most companies are protected by a network of copyright, patent, and trademark laws that safeguard their corporate identification rights. Federal laws against credit, mail, and wire fraud—not to mention the legal firepower of corporations—threaten severe punishment and serve as a daunting deterrent.

But small and midsize companies can be tempting targets for criminals looking to exploit extensive credit lines, cash reserves, and business relationships.

Given this exposure, California has led the way in offering identity rights to organizations. In 2006 the state legislature expanded the definition of "person" in identity theft cases to include associations, organizations, partnerships, businesses, trusts, companies, and corporations. The bill, authored by former Assemblyman Ron Calderon, also includes logos and "photographic representation" as legitimate personal identifying information.

The bill was supported by the state attorney general, the California Small Business Assn., California State Sheriffs' Assn., California Manufacturers & Technology Assn., and California Medical Assn., among others. Both the House and Senate voted unanimously to pass Calderon's amendment. Calderon, now a senator, says the issue came to a head after the California District Attorney Assn. and the state's attorney general complained that it was difficult to prosecute business identity theft cases. Since amending the law, Calderon said the frequency of such theft has dropped. "As a deterrent, I'm sure it's working," he says.

Robert Morgester, a California deputy attorney general who specializes in identity theft and computer crime, was instrumental in pushing for the expanded law. Morgester stresses that while there are statutes to prosecute fraud and forgery, California's identity theft law is a "gateway" charge that helps establish a base for prosecution. This initial hook allows law enforcement to write search warrants and access fraudulent records. Under federal law, prosecutors have to prove that a fake Social Security number belongs to a real person before pursuing identity theft charges. The Golden State amendment removes this hurdle. "This gives us greater leeway in figuring out who the bad guys are," Morgester says.

same name, different recipients

A common scheme California has seen is criminals renting out virtual office space, assuming the name of one of the building's businesses, and ordering everything from corporate credit cards to computers to hot tubs. With these rogue charges often mingled among other business expenses, corporate victims might not notice the items until six to eight months later. "It's easier and safer to pretend to be a corporation," Morgester says of identity thieves.

California's ID theft laws often serve as a leading indicator for national trends. In 1998, California was the first to require that police in the victim's jurisdiction take the identity theft report, alleviating the confusion of what is typically a geographically hazy crime. Three years later, the state required credit reporting agencies to provide consumers with their credit information after an identity breach. The federal government followed suit with the Fair Credit Reporting Act of 2004, which required consumer reporting agencies to establish a centralized source for report requests, provide free credit reports every 12 months, and provide a credit report after instances of fraud. California's Anti-Phishing Act of 2005 made it illegal to use the Internet to "solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business," a defense against the uptick in identity theft schemes.