Corporate personhood is the notion that corporations have rights and responsibilities similar to those of an individual person. It follows that if a corporation has the same rights and responsibilities as a person, it can also have an identity and thus be the victim of identity theft.
National Public Radio (NPR) recently reported on the growing trend of business identity theft in which perpetrators pose as legitimate businesses to steal customers or to gain access to the business or to customers’ financial information.
The NPR story focused on the owner of a pest control business who opened the Yellow Pages to find three other listings with the same company name, none of which were affiliated with him. While he had no way of knowing for sure, he assumed customers were calling the impostors thinking it was, in fact, his business. He worried that impostors would either harm his company’s reputation by providing inferior services or use his name to acquire customer information.
Other tactics identity thieves may use include establishing lines of credit under the business’s name or resurrecting defunct businesses without the original business owners’ knowledge and taking out loans and lines of credit.
Standard commercial property and liability insurance covering tangible property generally does not adequately address cyber risks, such as corporate identity theft. Coverage can be obtained for some exposures under a cyber liability policy. These policies contain coverage for losses such as privacy notification expenses—the cost to notify customers of security breaches that have left their financial information exposed—e-business interruption, e-theft, and e-vandalism.
Cyber Liability Programs
The policies can usually be underwritten on either a package or a stand-alone basis, depending on the company’s size. Stand-alone programs for larger risks are available on a modular or menu-driven framework and are generally tailored to the company’s specific exposures. Cyber liability programs normally cover both first-party and third-party liability, including errors and omissions.
Coverage for security breaches and identity theft can vary considerably from one company’s Internet liability form to the next. Many provide no coverage or only partial coverage in their base forms for what is often referred to as unauthorized access, unauthorized use, and associated coverages. It is often recommended by cyber risk experts that a policy specifically state that it covers identity theft and/or credit card fraud or that the policy at least grants coverage for negligence generally in the performance of insured services and not contain any applicable exclusion.
While insurance is one way to manage the risk of corporate identity theft, it obviously does not come into play until the damage is done. It may be a long time before the identity theft is discovered, and the company’s reputation could already be in jeopardy at that point. The best practice is to take steps to avoid or minimize the risk. Some areas businesses should consider when framing an anti-identity-theft plan include the following:
- Protect personal information. Most companies maintain some sort of files containing personal information, be it credit card numbers, patients’ medical histories, or employees’ or job applicants’ Social Security numbers. This information may be received via Web sites, email, and call centers as well as in person. This information can be stored in a variety of computers, flash drives, filing cabinets, copiers, or mobile devices. Steps must be taken to secure personal information, either physically behind lock and key or electronically using network security measures. Employee training on the proper way to handle, store, and dispose of this type of information is also vital.
- Protect business records. In addition to hacking into company networks and using other high-tech methods, identity thieves continue to use low-tech methods such as intercepting mail, stealing trash, or physically taking documents. Companies should evaluate what records are needed to maintain the business, inventory those records, and use electronic statements to limit the amount of mail containing company information. The company should never share financial details or documents through email.
- Monitor credit and other activity. Businesses should check credit reports on a regular basis and be on the lookout for unexpected charges or bills.
The Federal Trade Commission’s Web site (business.ftc.gov) provides many tools businesses can use to formulate a plan and to protect themselves and their customers from identity thieves.
While companies may rely on insurance to address some of the losses resulting from corporate identity theft, by taking measures to minimize the risk, a business may avoid damage to its credit history and reputation.