“As a business owner, officer, director, or key executive, you have significantly increased risks over an average consumer because your personal information, credit, and finances are closely intertwined with your business,” according to BusinessIDtheft.org. “If you are a small business owner, you and your business identity may be one and the same — and anything that impacts your business, directly impacts you.”

And there’s more. Most everyone thinks identity theft against businesses is an “on the books” crime, but that is incorrect — very few US states have laws protecting a business’s identity. In fact, until 10 years ago, no state had business identity theft statutes. Therefore, ID thieves have had their way with businesses.

Until recently, business identity theft was a real problem in Florida. The state government consistently reported more identity theft complaints per year than any other state. As to why, Carrie Kerskie, director of ID Fraud Institute at Hodges University in Florida, suggests the following reasons:

  • Business owners are not familiar with business identity theft unless they have been a victim.
  • Florida’s “Open Public Records Law” allows anyone to get identifying information about individuals.
  • The legislators Kerskie spoke with all assumed it was already a crime.

Kerskie adds, “I too thought businesses were included in the state ID theft/fraud laws. That was until I read Florida Statute 817 and discovered the oversight.”

SEE: Identity Theft Protection Policy (Tech Pro Research)

What is business identity theft?

“Business identity theft occurs when someone uses identifying information, such as the official business name, bank account numbers, tax ID numbers, business records, and/or company credit card numbers of a business without the company’s consent,” mentions Kerskie.

As to what happens when ID theft criminals get hold of any of the above information, BusinessIDtheft.org offers the following as likely risks.

Inability to meet payroll, tax obligations, or pay bills: Having funds stolen from business accounts could leave businesses unable to meet their financial obligations.

Personal liabilities: Business owners often have to guarantee credit card accounts or loans, making them personally liable for debt from identity theft. “Business identity thieves often use the owner’s personal information to open new lines of credit, or for the required personal guaranties for new accounts or contracts and large purchases,” notes BusinessIDtheft.org. “Fraudulent business accounts and unpaid purchases may be sent to collections, and collectors may attempt to hold owners personally liable for the business debt until they can prove it was fraudulent.”

State and federal tax consequences: Criminals can fraudulently use the business name and its accounts to create fake tax returns to illicit fraudulent refunds with the IRS, and state tax agencies. BusinessIDtheft.org adds, “Business EINs can be used in tax fraud schemes.”

Business failure: In today’s competitive markets most businesses run on less than optimal margins, meaning that any financial losses could be devastating. To put a point on this, Kerskie quotes a 2013 Florida bill analysis, “The Florida Department of State Division of Corporations estimates that 60 percent of businesses that fall victim to business identity theft will fail within one year of the incident.”

There is some legal progress

In 2006, California became the first state to revise its state identity theft laws to include identity crimes targeting businesses. “The definition of identity theft under California Penal Code section 530.5 does not distinguish between an individual and business,” writes Howard D. Silver, a consumer rights attorney in California. “Section 530.55 of the Penal Code states that ‘person’ means a natural person, living or deceased, firm, association, organization, partnership, business trust, company, corporation, limited liability company, or public entity, or any other legal entity.”

Florida also has taken steps to provide businesses the same protection as individuals when it comes to identity theft. “The bill (F.S. 817 section 568) passed unanimously in both the House and Senate,” notes Kerskie. “The new law became effective October 2015. By changing the word from individual to person, it now includes business entities.”

SEE: AI stops identity fraud before it occurs

Education is the answer

Nebulous crimes like ID theft are hard to police, and devising a technology to prevent them has proven challenging — that is why Kerskie feels education is the way to go. And, Kerskie, in her capacity as director of the Identity Fraud Institute at Hodges University, is focused on making that happen. Her department is currently developing the following student programs.

Identity Theft Restoration Specialist: The ID theft restoration program is designed to train individuals interested in assisting victims in the restoration of their identity. The target market includes attorneys, accountants, and financial advisers.

Data Privacy Specialist: The data privacy program is designed for small to medium sized organizations. The idea is to “train the trainer” on how to conduct a data privacy risk assessment as well as how to develop and implement data privacy best practices for their organization. The program will help address the weak link — humans — in the data privacy chain.

“Ultimately we will develop a bachelor’s degree in risk management with a focus on data privacy and identity theft,” adds Kerskie. “Current degrees in data privacy are concentrated in either IT (technical) or legal studies. My experience shows these are only part of the knowledge required to be an effective data privacy officer.”