It's a big problem that companies are loath to discuss. But California's amended identity theft laws show that offering protections to smaller companies on par with those for individuals helps tremendously
An overwhelming majority of identity theft schemes take advantage of personal identification, but businesses and organizations are also vulnerable.
Most companies are protected by a network of copyright, patent, and trademark laws that safeguard their corporate identification rights. Federal laws against credit, mail, and wire fraud—not to mention the legal firepower of corporations—threaten severe punishment and serve as a daunting deterrent.
But small and midsize companies can be tempting targets for criminals looking to exploit extensive credit lines, cash reserves, and business relationships.
Given this exposure, California has led the way in offering identity rights to organizations. In 2006 the state legislature expanded the definition of "person" in identity theft cases to include associations, organizations, partnerships, businesses, trusts, companies, and corporations. The bill, authored by former Assemblyman Ron Calderon, also includes logos and "photographic representation" as legitimate personal identifying information.
The bill was supported by the state attorney general, the California Small Business Assn., California State Sheriffs' Assn., California Manufacturers & Technology Assn., and California Medical Assn., among others. Both the House and Senate voted unanimously to pass Calderon's amendment. Calderon, now a senator, says the issue came to a head after the California District Attorney Assn. and the state's attorney general complained that it was difficult to prosecute business identity theft cases. Since amending the law, Calderon said the frequency of such theft has dropped. "As a deterrent, I'm sure it's working," he says.
Robert Morgester, a California deputy attorney general who specializes in identity theft and computer crime, was instrumental in pushing for the expanded law. Morgester stresses that while there are statutes to prosecute fraud and forgery, California's identity theft law is a "gateway" charge that helps establish a base for prosecution. This initial hook allows law enforcement to write search warrants and access fraudulent records. Under federal law, prosecutors have to prove that a fake Social Security number belongs to a real person before pursuing identity theft charges. The Golden State amendment removes this hurdle. "This gives us greater leeway in figuring out who the bad guys are," Morgester says.
same name, different recipients
A common scheme California has seen is criminals renting out virtual office space, assuming the name of one of the building's businesses, and ordering everything from corporate credit cards to computers to hot tubs. With these rogue charges often mingled among other business expenses, corporate victims might not notice the items until six to eight months later. "It's easier and safer to pretend to be a corporation," Morgester says of identity thieves.
California's ID theft laws often serve as a leading indicator for national trends. In 1998, California was the first to require that police in the victim's jurisdiction take the identity theft report, alleviating the confusion of what is typically a geographically hazy crime. Three years later, the state required credit reporting agencies to provide consumers with their credit information after an identity breach. The federal government followed suit with the Fair Credit Reporting Act of 2004, which required consumer reporting agencies to establish a centralized source for report requests, provide free credit reports every 12 months, and provide a credit report after instances of fraud. California's Anti-Phishing Act of 2005 made it illegal to use the Internet to "solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business," a defense against the uptick in identity theft schemes.
From 2004 to 2008, the percentage of Americans who said they received what appeared to be a phishing attempt jumped from 40% to 80%, according to Gartner Inc. (IT), a Stamford (Conn.) information technology research firm. While almost 120 million Internet users reported being solicited, only 300,000 lodged complaints in 2008 with the Federal Trade Commission, the agency charged with keeping track. Since 1999 the FTC has logged 2 million complaints—less than a quarter of the total number of victims estimated by Betsy Broder, assistant director of the FTC's division of privacy and identity protection. This "crime of substantial proportions," says Broder, spurred the creation of a federal task force in 2006, consumer hot lines, and a new database to track identity theft.
targeting larger lines of credit
Without the type of IT security measures larger companies employ, smaller businesses and organizations needed the additional legal protection, California advocates say. As individuals, small-business owners are 25% more likely to be victims of identity theft, according to recent studies by Javelin Strategy & Research, a Pleasanton (Calif.) firm that focuses on financial services. With typically larger lines of credit, business owners are often hit for larger amounts than the average fraud victim and spend more time resolving the issue. Insurer Hartford Financial Services (HIG) sells protection for owners and employees of small businesses, but not for the business itself. "Arguably, business identity can be a very ephemeral thing," says Jeff Olmstead, a property underwriter for small commercial insurance at Hartford.
Jay Foley, executive director of San Diego's Identity Theft Resource Center, recounts the nightmare of one Sacramento law firm bilked by identity thieves. Over just a few weeks, perpetrators moved into the same building—under the firm's name—billed the firm for $70,000 worth of computers and furniture, hired a moving truck, and then disappeared. In Salt Lake City, he says, a physicians' group is dealing with American Express (AXP) about resolving purchases identity thieves made in the practice's name. With the same protection as individuals, the group would have been able to quickly wash the charges off its record, clear its name, and move on, Foley says. Visa (V) and MasterCard (MA) have erased the distinction between small-business and individual credit-card fraud, enabling organizations to erase thieves' purchases. American Express says it offers the same protections across its product portfolio.
While business identity theft is a serious, common threat, the details typically fly completely under the radar. Experts say the lack of publicity is as simple as embarrassed companies trying to keep their victimization under wraps. "If you're the one that's on the hot seat because you're the goober, there are a lot of people that will say: 'I'd rather not tell anybody,' " Foley says. Companies are required by federal law to notify consumers if their data have been breached, but not if the identity of the business itself was stolen. In January 2007, T.J. Maxx's parent company, TJX Co., (TJX) reported that hackers stole 45 million credit- and debit-card numbers, a highly publicized breach that cost TJX more than $170 million. Last year identity thieves broke into databases at Heartland Payment Systems (HPY) in Princeton, N.J., in what is estimated to be the largest breach ever.
There is no data on losses from business identity theft and little incentive for companies to come clean about being duped. "People don't want to talk about it," says Gartner analyst Avivah Litan. "We don't know how that would sit with shareholders." She estimates that 10% to 30% of reported credit-card fraud is actually identity fraud. Attempting to compile information is costly and time-consuming for research companies; large business organizations operate with atomized receiving and payment divisions, and pulling together information on what transpired across an organization can be a tricky task, Litan says. As Calderon, the California lawmaker, wrote in his bill, the purchase of "100 notebook computers, for example, may not raise suspicion." Moreover, without laws and penalties for business identity theft, companies simply have no incentive to admit they've been defrauded. Says the FTC's Broder, "the legal system has been built around identifying and addressing individuals."