Identity theft: The business time bomb

Almost everyone has heard of identity theft (IDT), yet few people who have not been victims consider themselves at high risk. Alarmingly, over half of the 10 million new IDTs each year originate from a place of business, employer, or other entity (not-for-profit or local, state, or federal government).

All entities and certain individuals are required under one or more federal and state laws to implement measures, policies, procedures, and employee training on privacy and security of nonpublic personal information to bring IDT under control. Violations of these laws carry substantial penalties and open entities to legal risks.

What is identity theft? Simply and broadly stated, it is the misuse of personal or business identifiers by an imposter for their advantage, which may be financial, non-financial, or both.

Personal identifiers include name, date of birth, social security number, and others, including account and biometric information.

Business identifiers include the business name and Federal Tax ID, business indicia, account information, and the personal identifiers of management and employees, which can be used to authenticate a business identity.

A name and Federal identifier can be misused to commit a wide variety of identity theft crimes that even the savviest business or consumer would not detect for months, years, or at all. Most people are familiar with financial IDT. However, the most publicized IDT is the less frequent "existing account fraud," for example, misuse of an existing credit card.

Some experts eschew categorizing such fraud as IDT because it diminishes the severity of true identity theft. The more frequent and most devastating identity theft crimes include (a) establishing "new" finances in a victim's name and (b) non-financial IDT, which can be the most insidious.

IDT has severe consequences for victims, their families, and employers. On average, victims spend as much as 600 hours in resolution and $1,500 in expenses, excluding attorney fees; they also contend with disputed debt that averages nearly $100,000 and with extreme emotional stress.

Business vulnerability

The major risks to businesses include:

• Victimization of owners, managers, employees, customers, clients, and vendors.

• Fraudulent use of the business identity.

• Public, legal, and financial consequences of privacy, security, and regulatory breaches.

When any person with a relationship to a business becomes a victim of identity theft, the business is potentially at risk. Identity theft can have a significant impact on the management, operations, financial credit, public credibility, and income of a business.

The business itself can become a victim of financial and non-financial types of IDT. Privacy or security breaches will leave a business reeling to address the ensuing employee and client public relations crisis. The impact on the business will be multifaceted in terms of lost business, lost work time, regulatory issues, fines, legal expenses, and civil lawsuits.

Laws to protect non-public personal information

Violations of the following federal laws carry hefty federal and state fines as high as $1 million per occurrence and civil liability for victim losses (including class actions); in some instances the legislation also provides for removal and imprisonment of culpable business executives.

Fair and Accurate Credit Transactions Act Disposal Rule

This provision of FACTA (aka FACT Act) requires reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. This rule applies to any person that maintains or possesses consumer information, and it applies to individuals such as landlords, all businesses, and entities (government and non-profits) that possess consumer information. Employees are considered consumers under the law.

Gramm-Leach-Bliley Act Safeguards Rule

The GLBA Safeguards Rule requires financial institutions to implement policies and procedures to maintain the security and confidentiality of nonpublic personal information. A financial institution is defined as a business significantly engaged in providing financial services or products for personal, family, or household use.

It applies to check-cashing and payday loan services companies, mortgage brokers, non-bank lenders, personal property and real estate appraisers, professional tax preparers, credit reporting agencies, ATM operators, debt collectors, financial advisors, insurance agents, agencies and brokers, and a variety of other businesses that fit the definition.

Health Insurance Portability and Accountability Act

HIPAA rules apply to any individual or organization that collects or retains protected health information in paper or electronic form. They also require all businesses with small self-insured or fully-insured health plans to maintain the confidentiality, integrity, and security of employee health information.

Wisconsin Senate Bill 164 (Act 138)

Wisconsin requires any entity that conducts business in Wisconsin and maintains nonpublic personal information to notify the individuals whose nonpublic personal information is compromised in a security breach. Failure to comply with this law may be used as evidence of negligence or breach of duty in civil and class action lawsuits against the entity.

Other states have similar laws for businesses who have even a single customer in their state.

Other considerations

There are a number of legal, regulatory, human resource, and business insurance issues that employers must consider. For example, some businesses and entities are taking an affirmative defense against penalties, lawsuits, and business interruption by offering some form of identity theft risk mitigation service to employees and even to their customers when appropriate.

The aim is minimizing lost work time, penalties, lawsuits, and compensatory damages that may result from workplace identity theft.

What you can do:

• Understand what legislation may apply to your business.

• Appoint an information security officer if HIPAA or GLBA applies.

• Develop policies, procedures and training for FACTA and other applicable legislation.

• Conduct and document employee training on IDT and confidentiality.

• Take an affirmative defense against penalties, litigation, and business interruption.

You can defuse the business time bomb by taking appropriate steps to minimize business risks and by accepting broader responsibility to protect the nonpublic personal information of employees, customers, and others.

Disclaimer: The author is not an attorney; therefore, information provided herein should not be construed as legal advice. Each entity is different and requires consultation with qualified risk managers and legal counsel. This article is abridged from a white paper by the author.

Joe Campana is a certified identity theft risk management specialist. He is a frequent regional speaker on identity theft, and he founded the LegalEase Group of Madison. He can be reached at 608-244-4772 or

The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of the Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.


Darrell Pruitt DDS responded 8 years ago: #1

The HIPAA blunder by our government will significantly reduce computerization in dental offices. In dentistry, there never were advantages to electronic health records which justify the liability. Modernization, thank goodness, is still optional. Paper works fine for us, and as for security? A noisy metal file cabinet is more secure than a two-ton safe. Darrell Pruitt DDS

Dan Deiter responded 8 years ago: #2

In today's global economy it is more important than ever for companies to be diligent in their protection of personal info - both customer and employee. Many contract for services that are provided as 'benefits' to employees. What they don't realize is many of these service providers actually house the data overseas (e.g., India). How secure is this data? Once it leaves our shores, all bets are off.

John Collier responded 8 years ago: #3

What this article does not stress nearly enough (in my opinion, at least) is that even the self-employed are required to comply with the FACTA regulations if they have any personal information from any source at all.

This basically means that anybody who collects payment for any service from anybody is responsible for the same types of things mentioned above. How many self employed people do you know that could handle the $1 million dollar fine of an accusation from any source?

Mix that with the fact that, under the current wording of the various different regulations mentioned above, most companies and entrepreneurs will fall under the umbrella of more than one of the acts mentioned above and you have a true hornet's nest that should terrify anybody in business today.

The FACTA document alone is 600+ pages long and even most of our lawyers have not studied it enough to fully understand the ramifications of the entire document.

Of course, there are ways for the small business people and the entrepreneurs to protect themselves (as well as the large businesses). For more information on some of the more cost-effective ways to do so, I suggest checking into a web site such as and perhaps calling or emailing for an appointment to discuss your options further.

Of course, this is only my opinion. Perhaps you can afford not to if you have the funds to defend yourself and/or your business from the inevitable assaults from the fallout of these documents. For the rest of us, the web site might be a good idea, at least for a place to start...

Joe Campana responded 8 years ago: #4

Identity theft is a global economical threat, and it is being addressed in many countries.

Businesses have a responsibility to have policies, procedures, and employee training not just for their local operations, but for all operations whether they are located on American soil or not. Furthermore, a responsible business will also require its affiliates to do the same. The Gramm-Leach-Bliley Act actually requires covered businesses to ensure that their affiliates are in compliance too.

A detailed white paper is available by contacting the author of the column.

Peter Marshall responded 8 years ago: #5

Joe - you make excellent points, and cover an often-overlooked but critical aspect of identity theft. There have been almost 94 MILLION identity records lost or stolen from corporate databases (as tracked by the Privacy Rights Clearinghouse, at, and as you cited, over half are employee data. And now, with new notification and liability laws, companies bear major liability for any identity thefts with this data, and major fines even if no actual ID fraud occurs.

dane elder responded 8 years ago: #6

I am an ID theft victim. The weakest link in my case was the corporate misuse of my personal information to manufacture a false contract to lie to shareholders. That info was not supposed to get out to collectors but it did. As long as businesses are allowed to amass and compile information, and consolidate that info further by creating affiliations and mergers, our very livelihoods, not just our identities, are at risk. Because hardly any of the businesses ever bother to check the integrity of the info...

Mrs. C. Boyd responded 8 years ago: #7

Unfortunately, there is no stopping Identity Theft. The FTC now says it's just a matter of "when" and not "if."

Unfortunately, we ALL are at risk of becoming the next victim.

For anyone who might be interested, I'd like to share how I keep my mind at ease when it comes to this dreadful, fastest growing, white-collar crime in America.


Mrs. Boyd

Jerry responded 7 years ago: #8

There is a site that I found that contains much of the same information - but in an audio format. You can listen online, but I just subscribed to the podcast. Good stuff!
