Until recently, it wasn't a crime to steal a business identity in Florida.
The woman behind new legislation to make that a criminal offense, Carrie Kerskie, recently became director of the Identity Fraud Institute at Hodges University. She plans to apply for $250,000 in state funding for the newly formed institute.
Thieves steal business identities to fraudulently obtain loans and credit cards and even to trick banks into wiring money. “We're creating a program to let businesses know the regulations and tools and tips on how they can protect themselves,” says Kerskie, a private investigator and former stockbroker with a finance degree.
Kerskie helped Florida Rep. Kathleen Passidomo and Florida Sen. Garrett Richter pass a bill this year to protect businesses from identity theft. “Now it becomes a crime, and we want to track that information,” she says.
One of the reasons Florida ranks high among targets of identity thieves is the state's liberal open records law. For example, the Florida Division of Corporations publishes identification numbers that could be used by thieves to fraudulently open bank accounts, Kerskie says.
Kerskie, who recently made a presentation at Hertz' headquarters in Estero, says vendors that provide services to larger firms are unwitting portals. “The No. 1 targets are small businesses that are links to bigger fish,” Kerskie says.
For example, the data breach at retail giant Target occurred through a firm that maintained the stores' air-conditioning units and was connected to Target remotely, Kerskie says.
“Technology has advanced so rapidly that [companies] don't understand the information flow,” she says.
Employees are the weak link in many organizations. “You could be the backdoor to a data breach just by checking your Facebook page,” Kerskie says.
Thieves aren't lonely hackers or disgruntled employees. “This is organized crime,” Kerskie says. Criminal organizations operate sophisticated back-office operations with hundreds of employees. “That's what we're up against,” says Kerskie, who plans to send out bulletins and early warnings to businesses about the latest threats.
Education is probably the best defense against business identity theft. “Nothing in digital format can be 100% protected,” Kerskie says. “We were so much better off with paper.”
Safeguard your business identity
Business identity theft has been a growing concern as thieves capture digital information to fraudulently obtain loans and credit cards and even to wire cash. Carrie Kerskie, director of the Identity Fraud Institute at Hodges University, shares tips with entrepreneurs and executives.
Make it policy that employees can't use company emails, user names and passwords for personal use, such as for social media like Facebook. Criminals use these to access secure networks.
Thieves will impersonate your work colleagues. The innocuous message from the accounting department may be a trick that contains a malicious link or attachment. Train employees to pick up the phone and call the sender before opening attachments, or to hover the cursor over the sender's address (an email address will appear on the screen) to make sure it's not someone impersonating a colleague. Likewise, hover your cursor over any link, without clicking, to see if it's a legitimate link.
Use encryption software to transmit any sensitive information.
Create a document that identifies the people in your company or outside vendors who have access to your network and data. This could help identify breaches and alert customers in case of a problem.
Where is the cloud? If you're considering storing data on servers outside your business, ask where those servers are physically located. You may be surprised to find out they're in vulnerable locations outside the U.S.
Electronic medical records are vulnerable, too. Much of the software that's been developed in a rush by the health care industry to comply with government mandates lacks updated security.
Employees with mobile devices tied into your company's network must have a password to operate them. For example, that can be critical for Realtors who email contracts containing sensitive personal information from their unlocked phones.
General business liability insurance usually doesn't cover data breaches.
Collect as little information about customers as possible; just enough to do the job. “If you don't need it, get rid of it,” Kerskie counsels.
Follow Jean Gruss on Twitter @JeanGruss