Identity theft: The business time bomb

Identity theft: The business time bomb

Joseph Campana • Published 09/19/06
9/19/2006 – Most everyone has heard of identity theft (IDT), yet unless you have been a victim, few people consider that they are at high risk. An alarming figure is that over half of the 10 million new IDTs each year originate from a place of business, employer, or other entity (not-for-profit or local, state, or federal government).

All entities and certain individuals are required under one or more federal and state laws to implement measures, policies, procedures, and employee training on privacy and security of nonpublic personal information to bring IDT under control. Violations of these laws carry substantial penalties and open entities to legal risks.

What is identity theft? Simply and broadly stated, it is the misuse of personal or business identifiers by an imposter for their advantage, which may be financial, non-financial, or both.

Personal identifiers include name, date of birth, social security number, and others, including account and biometric information.

Business identifiers include the business name and Federal Tax ID, business indicia, account information, and the personal identifiers of management and employees, which can be used to authenticate a business identity.

A name and Federal identifier can be misused to commit a wide variety of identity theft crimes that even the savviest business or consumer would not detect for months, years, or at all. Most people are familiar with financial IDT. However, the most publicized IDT is the less frequent “existing account fraud.” For example, misuse of an existing credit card.

Some experts eschew categorizing such fraud as IDT because it diminishes the severity of true identity theft. The more frequent and most devastating identity theft crimes include (a) establishing “new” finances in a victim’s name and (b) non-financial IDT, which can be the most insidious.

IDT has severe consequences to victims, their families, and employers. On average victims spend as much as 600 hours in resolution and $1,500 in expenses, excluding attorney fees, and victims contend with disputed debt that averages nearly $100,000 and extreme emotional stress.

Business vulnerability

The major risks to businesses include:

• Victimization of owners, mangers, employees, customers, clients, and vendors.

• Fraudulent use of the business identity.

• Public, legal, and financial consequences of privacy, security, and regulatory breaches.

When any person with a relationship to a business becomes a victim of identity theft, the business is potentially at risk. Identity theft can have a significant impact on the management, operations, financial credit, public credibility, and income of a business.

The business, itself, can become a victim of financial and non-financial types of IDT. Privacy or security breaches will leave a business reeling to address the ensuing employee and client public relations crisis. The impact to the business will be multifaceted in terms of lost business, lost work time, regulatory issues, fines, legal expenses, and civil law suits.

Laws to protect non-public personal information

Violations of the following federal laws include hefty federal and state fines as high as $1 million per occurrence, civil liability for victim losses (including class actions), and in some instances the legislation provides for removal and imprisonment of culpable business executives.

Fair and Accurate Credit Transactions Act Disposal Rule

This provision of FACTA (aka FACT Act) requires reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. This rule applies to any person that maintains or possesses consumer information, and it applies to individuals such as landlords, all businesses, and entities (government and non-profits) that possess consumer information. Employees are considered consumers under the law.

Gramm-Leach-Bliley Act Safeguards Rule

The GLBA Safeguards Rule requires any financial institutions to implement policies and procedures to maintain the security and confidentiality of nonpublic personal information. A financial institution is defined as a business significantly engaged in providing financial services or products for personal, family, or household use.

It applies to check-cashing and payday loan services companies, mortgage brokers, non-bank lenders, personal property and real estate appraisers, professional tax preparers, credit reporting agencies, ATM operators, debt collectors, financial advisors, insurance agents, agencies and brokers, and a variety of other businesses that fit the definition.

Health Insurance Portability and Accountability Act

HIPAA rules apply to any individual or organization that collects or retains protected health information in paper or electronic form. It also requires all businesses with small self-insured or fully-insured health plans to maintain the confidentiality, integrity, and security of employee health information.

Wisconsin Senate Bill 164 (Act 138)

Wisconsin requires any entity that conducts business in Wisconsin and maintains nonpublic personal information to notify the individuals whose nonpublic personal information is compromised in a security breach. Failure to comply with this law may be used as evidence of negligence or breach of duty in civil and class action lawsuits against the entity.

Other states have similar laws for businesses who have even a single customer in their state.

Other considerations

There are a number of legal, regulatory, human resource, and business insurance issues that employers must consider. For example, some businesses and entities are taking an affirmative defense against penalties, lawsuits, and business interruption by offering some form of identity theft risk mitigation service to employees and even to their customers when appropriate.

The aim is minimizing lost work time, penalties, lawsuits, and compensatory damages that may result from workplace identity theft.

What you can do:

• Understand what legislation may apply to your business.

• Appoint an information security officer if HIPAA or GLBA applies.

• Develop policies, procedures and training for FACTA and other applicable legislation.

• Conduct and document employee training on IDT and confidentiality.

• Take an affirmative defense against penalties, litigation, and business interruption.

You can defuse the business time bomb by taking appropriate steps to minimize business risks and by accepting broader responsibility to protect the nonpublic personal information of employees, customers, and others.

Disclaimer: The author is not an attorney; therefore, information provided herein should not be construed as legal advice. Each entity is different and requires consultation with qualified risk managers and legal counsel. This article is abridged from a white paper by the author.

Related stories

• Wisconsin investors will make their pitch to IPIC

• Managing the nightmare of identity theft

• Gov. Jim Doyle: Cracking down on identity theft

• Businesses can’t hide personal information losses, theft

Joe Campana is a certified identity theft risk management specialist. He is a frequent regional speaker on identity theft, and he founded the LegalEase Group of Madison. He can be reached at 608-244-4772 or

The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of the Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.

paper shredding services