Ryan Holeywell is a staff writer at GOVERNING.E-mail: firstname.lastname@example.org
In 2010, businesses across
Eventually, investigators learned, more 300 business had become targeted as part of a $3.5 million scam. Today, businesses across the country are still vulnerable, largely due to a glaring security vulnerability facing business records held by state governments.
In most states, corporations are required to maintain a record of their basic business information with the secretary of state. Those files include the names of company officials and the company’s address. But in many states, those records can be edited by just about anybody. Essentially, the contents of those records are about as immune from edits as a Wikipedia page.
That’s because many state secretaries lack the budgets – or even the legal authority – to question the validity of changes made to those records. “They essentially take it at face value, as long as the information is complete,” says Michael Barnett, executive director of the Identity Theft Protection Association.
That means that criminals are able to hijack companies and rack up debts on their dime. There are many types of scams, but the typical one goes like this: a criminal will name himself a director of an existing company, change its address to match an office he already has access to, and then start applying for credit using the company’s name.
Retailers check with business credit rating agencies to make sure an applicant’s information is accurate. But according to state secretaries, they often can’t detect the fraud, because they typically compare an applicant’s information to the very state records he’s altered.
Once the crook gets a business account with a retailer, he can start making purchases using the company’s name. And when he’s done, the business is left with the debts and the devastated credit. The fraud is especially attractive since in some circumstances, a retailer may be willing to offer more credit with less scrutiny than would typically be offered to an individual.
While most personal consumers are aware of the threat of identify theft, the same can’t be said of businesses. “I think most business owners are somewhere between not knowledgeable and totally clueless,” says North Carolina Secretary of State Elaine Marshall.
Most business record databases lack the basic password protections that are standard on just about every website that has user accounts, whether they be for shopping, social media or games. In many places, a business owner’s fantasy baseball lineup is less susceptible to tampering than his company’s records.
But state secretaries are hoping to change that. In October, state secretaries convened in
Other states are making security enhancements as well. In
In a departure from past policy, if a business owner today tries to revive his dissolved corporation, he’ll get a notice from the secretary’s office alerting him to the change and requesting that he follow-up if it wasn’t authorized. The state is also using fraud detection software to identify questionable changes to its records. An address that was updated in the middle of the night, for example, may be a red flag that someone edited it from abroad, a possible indicator of fraud.
Meanwhile, state secretaries across the country are launching education campaigns to warn business about the issue. Later this year, the National Association of Secretaries of State will launch a website in conjunction with Barnett’s organization, businessidtheft.org, that will provide tips on business identify theft prevention and links to agencies that businesses should contact in the event they are victimized.
The new proactive approach represents a challenge for state governments, who have historically sought records systems that were simple and unlikely to cause complications for business owners. Now, that old approach is appearing vulnerable. “The more technology we embrace, the more anonymity comes with it,”
Barnett says that, because business don’t have the same type of protections as consumers, they might actually be on the hook for some of the debt racked up in their name. It can be a difficult crime to track, since many businesses don’t want to come to the authorities when they’ve been victimized for fear of concerning their shareholders. In many cases, experts say, some corporations just consider identify theft as a cost of business.
Meanwhile, it’s often difficult to prosecute those who commit business identify theft, since many states lack laws that specifically identify it as a crime. It was only in 2006 that
Colorado Secretary of State Scott Gessler said it only cost $70,000 to $80,000 to create the password system, but the payoff will be huge. Now, he’s urging his fellow state secretaries to do the same. “I tell my brethren, you better do something,” Gessler says. “They’re no longer in
Homepage photo via Shutterstock.