COMMENTARY: Identity theft can hit businesses

Listen to this article

By Elizabeth Millard
Dolan Media Newswires

Minneapolis — “Identity theft” conjures images of hackers using stolen credit-card information to buy high-ticket items or opening fraudulent accounts with stolen Social Security numbers.

“When you think about identity theft, you usually imagine something being stolen or taken physically,” said Craig Wilson, director of information technology at Minneapolis-based law firm Winthrop & Weinstine PA. But many businesses are prime candidates for identity thieves.

Steve Cox, former Better Business Bureau CEO, said professionals in any industry should be concerned about identity theft.

“From a criminal’s perspective,” he said, “it is significantly more cost-effective to steal business identities than consumer identities.”

Once thieves become a firm’s fraudulent representative, they can open lines of credit, buy equipment and electronics, and even rent temporary office space.

Companies can take steps to control that risk. Here are some ideas about how to combat identity theft:

Classify and manage data

The first step toward preventing commercial identity theft is classifying data, said Jeremiah Talamantes, founder and managing partner of Minneapolis-based consulting firm RedTeam Security Corp. A written policy should classify data based on the elements that make up the data and how the organization handles it.

For example, information about the firm’s financials should be classified as confidential, with a mandate that employees encrypt it in electronic form. Hard copies should be shredded once digitally stored. That classification and management will thwart identity thieves seeking unprotected data for impersonating a company representative.

Include social media training for associates and partners

“We have a controlled environment, so identity theft would be very difficult for someone to pursue inside our firewall,” Wilson said. “However, we’ve heard stories about how it’s blossoming in social media, and we do take measures to make sure our firm is secure.”

For example, Wilson said, an attorney from another firm had his identity stolen though a fraudulent profile on LinkedIn. The thief set up the system to capture emails meant for the attorney. To prevent that type of career-killing move, Winthrop and Weinstine’s marketing department made sure that every attorney set up a LinkedIn account when the site first went up.

“This aided in controlling the information the public had access to,” Wilson said, “as well as preventing false impersonations.”

Keep financial information offline

According to the Small Business Administration, one sure way to put a company at risk of identity theft is to put sensitive information online. That can include an employer identification number, account numbers or financial documents. If a company must use an online service that requires that information, that company should make sure the site is secure and the security certificate is updated.

Control access to prevent internal threats

Not all commercial fraud and identity theft comes from external bad guys, Talamantes said. The thief may be a company insider.

“In an effort to deter internal theft,” he said, “the concept of separation of duties becomes quite useful.”

That involves requiring more than one person to complete a task or approve a process.

Internal identity theft risk also can be lowered by establishing access-level controls. For example, an intern should not have the same access to data as a firm’s partner.

Monitor credit reports

Firms can use credit-monitoring services with all three major business credit agencies: TransUnion, Experian, and Equifax. Those services offer email alerts about any new or potentially malicious activity occurring on a company’s credit file.

Elizabeth Millard has been writing about technology for nearly 20 years. Her work has appeared in ABA Journal, Law Office Computing, Business 2.0, eWeek and TechNewsWorld.