Identity theft hits businesses
It doesn’t take much to become the victim of identity theft: just a name, address and birthday are all crooks need. Our personal and financial information is so valuable that some experts say we should treat it as carefully as we do cash — because that’s what it’s worth to the crooks.
Unfortunately, identity theft isn’t just a problem affecting individuals: Big or small, businesses are also the target of thieves. The crime can impact their reputation and income — and put customers at risk.
What is business identity theft?
We know how identity theft or fraud affects individuals: someone steals your information and uses it to commit fraud — like apply for loans or credit cards, rob your bank account, rent property or obtain an I.D., for instance.
How does it affect businesses? They have an “identity” too — that is, they have accounts, assets, property, licenses and brands. Even their name and logo can be used to defraud others. For instance, one of the most common scams in Canada is the computer virus scam in which crooks use the name of legitimate companies like Microsoft to fool their prey. You may also have seen, phishing emails, fake business ads or fraudulent solicitations. Well-known charities and the Better Business Bureau (BBB) have had their names, logos and reputations used to perpetuate fraud.
As damaging as these tactics can be, there are even costlier threats. Crooks can use sensitive information to access company assets, exploit company resources (like credit cards and phone systems) and even use their identity to secure new clients and payments. For example, a crook could steal a business’s information to place a large order from one of its suppliers. And when the bad guys take off with the goods, guess who’s left with the bill?
Businesses are also the target of identity theft because they collect a lot of information about customers. In recent years, we’ve seen a few security breaches at major companies like Sony and Target where crooks have compromised their databases — or the database of their marketing company — and stolen customer data.
However, theft doesn’t always involve the internet. All that information is stored somewhere, like on a computer or hard drive which can be lost or stolen.
The theft isn’t always high-tech: even an unlocked file cabinet can tempt an unscrupulous employee or fake service person. Unfortunately, some cases of identity fraud are "inside jobs" and some businesses have even been targeted by their clients, suppliers and competitors.
And no, size doesn’t matter. Bigger companies can become targets because they have well-established brands and a wealth of consumer data. However, small businesses are also attractive because they don’t have the financial resources or personnel to deal with data security.
What are businesses legally required to do?
We’re careful with our own information, but we have to trust others to be careful with it too. According to the Office of the Privacy Commissioner of Canada (OPC), businesses are required by law to protect their customers’ information under the Personal Information Protection and Electronic Documents Act. (Some provinces like Alberta and Quebec have their own regulations too.)
Essentially, the legislation states that businesses have to have systems and policies in place to make sure that its suppliers’, partners’ and customers’ information is accurate and secure. If there’s a security breach, crooks could use this information to commit fraud using the business’s identity in dealing with its contacts, or the contacts themselves could be the victim of identity theft.
While the law governs the security side of things, it’s up to businesses to decide what information they collect, how they store it, how they use it and when to discard it. (You can learn more in the Guide for Businesses and Organizations: Your Privacy Responsibilities and Build a Privacy Plan for Your Business.)
However, one thing businesses aren’t legally required to do is report a security breach to the police, customers or the OPC. As with identity theft against individuals, not all cases of business identity theft are reported, say experts.
As damaging as admitting a security breach can be to businesses, most experts agree that not reporting a problem can be much worse. As this article in the Wall Street Journal reports, it can be a tricky and lengthy process to recover from a breach.
What businesses should do
How can businesses protect themselves and their customers? In addition to the legal requirements, experts recommend these steps:
– Collect and store only the information it needs. More information means more risk and more damage in the event of a security breach. The OPC warns businesses to be aware of what information it collects and have a plan to destroy or delete it when no longer in use.
– Stake its claim — and monitor it. The BBB warns businesses to keep their licenses, registration and contact information up to date in directories (including business names, addresses and phone numbers). Then, use web alerts to track their information to spot unauthorized listings and information.
– Provide a way for customers or clients to alert them to problems. Often businesses aren’t aware of the problem until a customer or client complains. If you’re a business owner, how would someone report a problem to you? How would your business handle it?
– Keep a paper trail. When complaints come in or fraud is spotted, experts recommend that businesses keep accurate, detailed records.
– Report the crime. Businesses are encouraged to report the crime to the local police and the OCP. If there’s a risk of identity fraud, they should also contact credit reporting bureaus.
– Notify customers. Transparency is key, say experts. Businesses should promptly alert their customers to any problems — either through personal contact, the media or social media. Such warnings should include the steps the business is taking to rectify the problem as well as contact information for people who have questions.
– Investigate and implement new strategies. The OCP recommends that businesses find out what went wrong and take steps to make sure it doesn’t happen again — like implementing new policies and procedures.
What consumers can do
It can be scary to trust organizations, but there are some things we can do as consumers to protect ourselves:
– Know how to avoid scams. It’s hard to stay ahead of the cons, but learning the hallmarks of scams and identity theft can help you avoid them. (For tips, see our previous articles for warnings on unsafe emails, ways to stop the scammers and how to keep your identity to yourself.)
– Be cautious giving out your information. You have the right to ask why the organization needs the information and how they plan to use it. Employees should be trained to answer your questions.
When in doubt, don’t give out any information over the phone, online, through email or in person unless you are absolutely certain you know with whom you are dealing.
– Know your rights. The links we provided above aren’t just for business owners — they can help consumers understand what’s going on behind the scenes. For example, you have a right to access and challenge any information a business has on record about you. You can report any privacy concerns to the OCP.
– Keep an eye on your accounts and credit reports. Keeping an eye on your financial statements and ordering a regular credit report is a good habit to have regardless if you think your information has been compromised.
– Take action if you’re affected. If you think you’ve been the victim of identity fraud, report it and take steps to recover. The longer you leave the problem, the harder it will be to repair it. (Not sure where to start? See our previous article on what to do if you’re affected by identity theft.)
Unfortunately, the incidence of business identity theft isn’t likely to decline any time soon. It’s impossible to conduct business without some gathering and exchange of information, but both businesses and consumers alike can take steps to reduce their risk of fraud.
ON THE WEB
For more information on business identity theft, visit:
The Better Business Bureau: Identity Crisis Targets Businesses
The Globe and Mail: A primer on identity theft
Office of Consumer Affairs: Identity Theft Kit for Businesses
OPC: Businesses and Identity Theft fact sheet
READ MORE
Top scams of 2011
Avoid this hotel scam
Top phishing sites
The best time to buy
12 ways to defeat debt
'%3E %3Cg id='Group'%3E %3Cpath id='Vector_2' d='M12.4876 13.8996V13.4213H0.743091V15.2149H9.18805L9.22196 15.2685C9.19653 15.2272 3.24373 25.2836 0.74521 29.5469C0.420975 30.1015 0.0797856 30.7158 0.0797856 30.7158C0.0713089 30.7323 0.0585938 30.755 0.0585938 30.755H12.1401V28.9614H3.67181L3.6379 28.9078C3.37512 29.1222 12.4876 13.8996 12.4876 13.8996ZM36.1229 22.115C36.1229 26.4896 33.7537 29.18 31.1683 29.18C28.5829 29.18 26.1861 26.4896 26.1861 22.115C26.1861 17.7403 28.5553 15.0231 31.1683 15.0231C33.7812 15.0231 36.1229 17.7403 36.1229 22.115ZM22.0155 22.115C22.0155 26.4896 19.6462 29.18 17.0587 29.18C14.4712 29.18 12.0765 26.4896 12.0765 22.115C12.0765 17.7403 14.4458 15.0231 17.0587 15.0231C19.6717 15.0231 22.0155 17.7403 22.0155 22.115ZM38.223 22.0613C38.223 16.7095 35.0443 13.1492 31.1661 13.1492C27.288 13.1492 24.3402 16.4312 24.0987 21.4326C23.8592 16.4333 20.7842 13.1492 17.0587 13.1492C13.3332 13.1492 9.97427 16.7074 9.97427 22.0613C9.97427 27.4153 13.1785 31.0003 17.0587 31.0003C20.9389 31.0003 23.8592 27.7183 24.0987 22.6922C24.3402 27.7162 27.4406 31.0003 31.1661 31.0003C34.8917 31.0003 38.223 27.4421 38.223 22.0613ZM51.3747 30.755H53.5257L52.3178 13.4213H50.1668L45.797 27.3328L41.4273 13.4213H39.2763L38.0662 30.755H40.2172L41.0352 19.0247L44.7205 30.755H46.8714L50.5567 19.0247L51.3747 30.755ZM53.9453 30.755H62.3797V28.9614H56.0963V22.9293H60.964V21.1357H56.0963V15.2128H61.8859V13.4192H53.9453V30.7529V30.755ZM69.3624 18.2021C69.3624 20.1029 68.1333 21.1625 66.7367 21.1625H64.893V15.2128H66.7092C68.1333 15.2128 69.3624 16.3261 69.3624 18.2021ZM71.5134 18.1753C71.5134 15.2128 69.3348 13.4213 67.0164 13.4213H62.7993V30.755H64.893V22.9313H66.7092L71.5112 30.755H73.997L68.8601 22.4695C70.369 21.8717 71.5134 20.3502 71.5134 18.1773' fill='%23231F20'/%3E %3C/g%3E %3C/g%3E %3C/g%3E %3Cg id='Group_2'%3E %3Cpath id='Vector_3' d='M9.67285 8.56629V3.50513H12.6249V4.11535H10.5947V5.71719H12.2943V6.32742H10.5947V7.954H12.9046V8.56423H9.67285V8.56629Z' fill='%23231F20'/%3E %3Cpath id='Vector_4' d='M17.6819 8.6137H17.2581L15.1855 3.50513H16.1392L17.0822 5.86975C17.2178 6.20991 17.362 6.63872 17.4976 7.05103H17.5188C17.6544 6.64696 17.7879 6.2264 17.9341 5.86975L18.8666 3.50513H19.7482L17.6862 8.6137H17.6819Z' fill='%23231F20'/%3E %3Cpath id='Vector_5' d='M22.4072 8.56629V3.50513H25.3593V4.11535H23.3291V5.71719H25.0287V6.32742H23.3291V7.954H25.639V8.56423H22.4072V8.56629Z' fill='%23231F20'/%3E %3Cpath id='Vector_6' d='M31.6164 8.56629L29.9698 6.32123H29.2959V8.56629H28.374V3.50513H30.0948C30.9552 3.50513 31.805 4.01227 31.805 4.90906C31.805 5.54402 31.3896 5.97283 30.8725 6.16249L32.6654 8.56629H31.6185H31.6164ZM29.9592 4.10711H29.2959V5.71719H29.9592C30.436 5.71719 30.8704 5.43888 30.8704 4.90906C30.8704 4.37923 30.436 4.10711 29.9592 4.10711Z' fill='%23231F20'/%3E %3Cpath id='Vector_7' d='M37.5849 6.27382V8.56629H36.6737V6.28206L34.6943 3.50513H35.667L36.6503 4.90081C36.8156 5.13789 37.0021 5.38528 37.1378 5.59968H37.159C37.3031 5.39353 37.5001 5.11522 37.657 4.90081L38.6403 3.50513H39.5621L37.5828 6.27382H37.5849Z' fill='%23231F20'/%3E %3Cpath id='Vector_8' d='M44.3084 4.11535V8.56629H43.376V4.11535H41.7188V3.50513H45.9656V4.11535H44.3084Z' fill='%23231F20'/%3E %3Cpath id='Vector_9' d='M52.0484 8.56629V6.32948H49.499V8.56629H48.5771V3.50513H49.499V5.71926H52.0484V3.50513H52.9808V8.56629H52.0484Z' fill='%23231F20'/%3E %3Cpath id='Vector_10' d='M56.2129 8.56629V3.50513H57.1453V8.56629H56.2129Z' fill='%23231F20'/%3E %3Cpath id='Vector_11' d='M64.7402 8.64463L62.4091 6.17693C62.0467 5.79553 61.6208 5.31106 61.2796 4.91524L61.2584 4.92349C61.2796 5.3523 61.2902 5.7811 61.2902 6.13776V8.56629H60.3789V3.50513H61.0316L63.1868 5.82233C63.4878 6.14806 63.9222 6.63872 64.2337 7.00362L64.2549 6.99537C64.2337 6.62223 64.2231 6.17899 64.2231 5.83677V3.50513H65.1344V8.64669H64.7402V8.64463Z' fill='%23231F20'/%3E %3Cpath id='Vector_12' d='M70.9048 8.64416C69.4235 8.64416 68.0566 7.69172 68.0566 6.03421C68.0566 4.37671 69.4659 3.41602 70.8752 3.41602C71.5999 3.41602 72.17 3.57476 72.5324 3.78091L72.3883 4.42412C72.0471 4.21797 71.5491 4.05098 71.0002 4.05098C69.9639 4.05098 68.9912 4.77253 68.9912 6.04246C68.9912 7.31239 69.9448 8.01745 70.9599 8.01745C71.405 8.01745 71.7567 7.93911 71.975 7.7948V6.61352H70.8349V6.03421H72.8354V8.12877C72.3586 8.47718 71.7271 8.64416 70.9091 8.64416H70.9048Z' fill='%23231F20'/%3E %3C/g%3E %3Cpath id='Vector_13' d='M0.0839844 1.00212L73.997 1' stroke='%23231F20' stroke-width='1.25' stroke-miterlimit='10'/%3E %3Cpath id='Vector_14' d='M0.0839844 10.9116H73.997' stroke='%23231F20' stroke-width='1.25' stroke-miterlimit='10'/%3E %3Cpath id='Vector_15' d='M4.91016 4.15649L3.55812 4.13794L5.18777 5.7068L0 5.6532V6.5974L5.20049 6.651L3.61321 8.18068L4.96526 8.19718L7.0018 6.20157L4.91016 4.15649Z' fill='%23D71920'/%3E %3C/g%3E %3C/svg%3E)
