Corporate personhood is the notion that corporations have rights and responsibilities similar to those of an individual person. It follows that if a corporation has the same rights and responsibilities as a person, it can also have an identity and thus be the victim of identity theft.
National Public Radio (NPR) recently reported on the growing trend of business identity theft in which perpetrators pose as legitimate businesses to steal customers or to gain access to the business or to customers’ financial information.
Other tactics identity thieves may use include establishing lines of credit under the business’s name or resurrecting defunct businesses without the original business owners’ knowledge and taking out loans and lines of credit.
Standard commercial property and liability insurance covering tangible property generally does not adequately address cyber risks, such as corporate identity theft. Coverage can be obtained for some exposures under a cyber liability policy. These policies contain coverage for losses such as privacy notification expenses—the cost to notify customers of security breaches that have left their financial information exposed—e-business interruption, e-theft, and e-vandalism.
While insurance is one way to manage the risk of corporate identity theft, it obviously does not come into play until the damage is done. It may be a long time before the identity theft is discovered, and the company’s reputation could already be in jeopardy at that point. The best practice is to take steps to avoid or minimize the risk. Some areas businesses should consider when framing an anti-identity-theft plan include the following:
- Protect personal information. Most companies maintain some sort of files containing personal information, be it credit card numbers, patients’ medical histories, or employees’ or job applicants’ Social Security numbers. This information may be received via Web sites, email, and call centers as well as in person. This information can be stored in a variety of computers, flash drives, filing cabinets, copiers, or mobile devices. Steps must be taken to secure personal information, either physically behind lock and key or electronically using network security measures. Employee training on the proper way to handle, store, and dispose of this type of information is also vital.
- Protect business records. In addition to hacking into company networks and using other high-tech methods, identity thieves continue to use low-tech methods such as intercepting mail, stealing trash, or physically taking documents. Companies should evaluate what records are needed to maintain the business, inventory those records, and use electronic statements to limit the amount of mail containing company information. The company should never share financial details or documents through email.
- Monitor credit and other activity. Businesses should check credit reports on a regular basis and be on the lookout for unexpected charges or bills.
The Federal Trade Commission’s Web site (business.ftc.gov) provides many tools businesses can use to formulate a plan and to protect themselves and their customers from identity thieves.