Identity theft hits businesses

It doesn’t take much to become the victim of identity theft: just a name, address and birthday are all crooks need. Our personal and financial information is so valuable that some experts say we should treat it as carefully as we do cash — because that’s what it’s worth to the crooks.  

Unfortunately, identity theft isn’t just a problem affecting individuals: Big or small, businesses are also the target of thieves. The crime can impact their reputation and income — and put customers at risk.

What is business identity theft?

We know how identity theft or fraud affects individuals: someone steals your information and uses it to commit fraud — like apply for loans or credit cards, rob your bank account, rent property or obtain an I.D., for instance.

How does it affect businesses? They have an “identity” too — that is, they have accounts, assets, property, licenses and brands. Even their name and logo can be used to defraud others. For instance, one of the most common scams in Canada is the computer virus scam in which crooks use the name of legitimate companies like Microsoft to fool their prey. You may also have seen, phishing emails, fake business ads or fraudulent solicitations. Well-known charities and the Better Business Bureau (BBB) have had their names, logos and reputations used to perpetuate fraud.

As damaging as these tactics can be, there are even costlier threats. Crooks can use sensitive information to access company assets, exploit company resources (like credit cards and phone systems) and even use their identity to secure new clients and payments. For example, a crook could steal a business’s information to place a large order from one of its suppliers. And when the bad guys take off with the goods, guess who’s left with the bill?

Businesses are also the target of identity theft because they collect a lot of information about customers. In recent years, we’ve seen a few security breaches at major companies like Sony and Target where crooks have compromised their databases — or the database of their marketing company — and stolen customer data.

However, theft doesn’t always involve the internet. All that information is stored somewhere, like on a computer or hard drive which can be lost or stolen.

The theft isn’t always high-tech: even an unlocked file cabinet can tempt an unscrupulous employee or fake service person. Unfortunately, some cases of identity fraud are "inside jobs" and some businesses have even been targeted by their clients, suppliers and competitors.

And no, size doesn’t matter. Bigger companies can become targets because they have well-established brands and a wealth of consumer data. However, small businesses are also attractive because they don’t have the financial resources or personnel to deal with data security.

What are businesses legally required to do?

We’re careful with our own information, but we have to trust others to be careful with it too. According to the Office of the Privacy Commissioner of Canada (OPC), businesses are required by law to protect their customers’ information under the Personal Information Protection and Electronic Documents Act. (Some provinces like Alberta and Quebec have their own regulations too.) 

Essentially, the legislation states that businesses have to have systems and policies in place to make sure that its suppliers’, partners’ and customers’ information is accurate and secure. If there’s a security breach, crooks could use this information to commit fraud using the business’s identity in dealing with its contacts, or the contacts themselves could be the victim of identity theft.

While the law governs the security side of things, it’s up to businesses to decide what information they collect, how they store it, how they use it and when to discard it. (You can learn more in the Guide for Businesses and Organizations: Your Privacy Responsibilities and Build a Privacy Plan for Your Business.)

However, one thing businesses aren’t legally required to do is report a security breach to the police, customers or the OPC. As with identity theft against individuals, not all cases of business identity theft are reported, say experts.

As damaging as admitting a security breach can be to businesses, most experts agree that not reporting a problem can be much worse. As this article in the Wall Street Journal reports, it can be a tricky and lengthy process to recover from a breach.

What businesses should do

How can businesses protect themselves and their customers? In addition to the legal requirements, experts recommend these steps:

Collect and store only the information it needs. More information means more risk and more damage in the event of a security breach. The OPC warns businesses to be aware of what information it collects and have a plan to destroy or delete it when no longer in use.

Stake its claim — and monitor it. The BBB warns businesses to keep their licenses, registration and contact information up to date in directories (including business names, addresses and phone numbers). Then, use web alerts to track their information to spot unauthorized listings and information.

Provide a way for customers or clients to alert them to problems. Often businesses aren’t aware of the problem until a customer or client complains. If you’re a business owner, how would someone report a problem to you? How would your business handle it?

Keep a paper trail. When complaints come in or fraud is spotted, experts recommend that businesses keep accurate, detailed records.

Report the crime. Businesses are encouraged to report the crime to the local police and the OCP. If there’s a risk of identity fraud, they should also contact credit reporting bureaus.

Notify customers. Transparency is key, say experts. Businesses should promptly alert their customers to any problems — either through personal contact, the media or social media. Such warnings should include the steps the business is taking to rectify the problem as well as contact information for people who have questions.

Investigate and implement new strategies. The OCP recommends that businesses find out what went wrong and take steps to make sure it doesn’t happen again — like implementing new policies and procedures.

What consumers can do

It can be scary to trust organizations, but there are some things we can do as consumers to protect ourselves:

Know how to avoid scams. It’s hard to stay ahead of the cons, but learning the hallmarks of scams and identity theft can help you avoid them. (For tips, see our previous articles for warnings on unsafe emails, ways to stop the scammers and how to keep your identity to yourself.)

Be cautious giving out your information. You have the right to ask why the organization needs the information and how they plan to use it. Employees should be trained to answer your questions.

When in doubt, don’t give out any information over the phone, online, through email or in person unless you are absolutely certain you know with whom you are dealing.

Know your rights. The links we provided above aren’t just for business owners — they can help consumers understand what’s going on behind the scenes. For example, you have a right to access and challenge any information a business has on record about you. You can report any privacy concerns to the OCP.

Keep an eye on your accounts and credit reports. Keeping an eye on your financial statements and ordering a regular credit report is a good habit to have regardless if you think your information has been compromised.

Take action if you’re affected. If you think you’ve been the victim of identity fraud, report it and take steps to recover. The longer you leave the problem, the harder it will be to repair it. (Not sure where to start? See our previous article on what to do if you’re affected by identity theft.)

Unfortunately, the incidence of business identity theft isn’t likely to decline any time soon. It’s impossible to conduct business without some gathering and exchange of information, but both businesses and consumers alike can take steps to reduce their risk of fraud.

For more information on business identity theft, visit:
The Better Business Bureau: Identity Crisis Targets Businesses
The Globe and Mail: A primer on identity theft
Office of Consumer Affairs: Identity Theft Kit for Businesses
OPC: Businesses and Identity Theft fact sheet