
Commentary: How to protect your firm from identity theft

When most people think of identity theft, they tend to imagine a hacker using stolen credit card information to buy high-ticket items, or utilizing Social Security numbers to open fraudulent accounts.

“When you think about identity theft, you usually imagine something being stolen, or taken physically,” says Craig Wilson, director of information technology at law firm Winthrop & Weinstine. But many businesses, including law offices, may be prime candidates for identity thieves.

Steve Cox, of the Better Business Bureau, notes that business identity theft should be a concern for professionals in any industry. He says, “From a criminal’s perspective, it is significantly more cost-effective to steal business identities than consumer identities.” Once these thieves become a firm’s fraudulent representative, they can open lines of credit, purchase equipment and electronics, and even rent temporary office space.

When assessing your firm’s security plan, be sure to create more awareness about this specific risk, and put controls in place that can help. Here are some ideas to reduce your theft risk:

Classify and manage data: According to Jeremiah Talamantes, founder and managing partner of Minneapolis-based consulting firm RedTeam Security, the first step in preventing commercial identity theft is to formally classify data. A written policy should classify data based on the elements that make it up and on how the organization typically handles it.

For example, information about the firm’s financials should be classified as confidential, with a mandate that employees encrypt it in electronic form. Hard copies should be shredded once they’re input into digital storage. This classification and management will thwart identity thieves who are trying to find unprotected data they can use to impersonate a company representative.

Include social media training for associates and partners: In addition to other security topics, address identity theft over social media channels, advises Wilson. “We have a controlled environment, so identity theft would be very difficult for someone to pursue inside our firewall,” he says. “However, we’ve heard stories about how it’s blossoming in social media and we do take measures to make sure our firm is secure.”

For example, Wilson noted that an attorney from another firm had his identity stolen through a fraudulent profile on LinkedIn. The thief set up the system so that emails meant for the attorney would go to him instead. To prevent this type of career-killing move, Winthrop & Weinstine’s marketing department was very proactive when LinkedIn first went up, making sure that every attorney set up an account. Wilson says, “This aided in controlling the information the public had access to, as well as preventing false impersonations.”

Keep the firm’s financial information offline: According to the Small Business Administration, one of the surefire ways to put your company at risk for business identity theft is to put sensitive information online. This can include an employer identification number, account numbers or financial documents. If you have to use an online service that requires this information, make sure the site is secure and its security certificate is up to date.

Control access to prevent internal threats: Not all commercial fraud and identity theft originates from external bad guys, says Talamantes. The perpetrator may be a company insider, acting within the firewall. “In an effort to deter internal theft, the concept of separation of duties becomes quite useful,” he says. This involves requiring more than one person to complete a task or approve a process. For instance, an arrangement could be made with the organization’s bank to require two separate approvals in order to establish a line of credit.

Internal identity theft risk can also be lowered by establishing good access-level controls. An intern shouldn’t have the same access to data as a firm’s partner, for example. Talamantes says, “Access control provisions must be put in place to prevent unauthorized disclosures of information from individuals who do not have a business reason for viewing it.”

Monitor credit reports more often: Similar to individuals checking their credit histories with reporting bureaus, firms can utilize credit monitoring services with all three major business credit agencies (TransUnion, Experian and Equifax). These services generally offer email alerts about any new or potentially malicious activity occurring on a company’s credit files. If your “accounting manager” is attempting to open a line of credit at 3 a.m., in other words, you’ll want to know about it.

Elizabeth Millard has been writing about technology for nearly 20 years. Her work has appeared in ABA Journal, Law Office Computing, Business 2.0, eWeek, and TechNewsWorld. A version of this column originally appeared in Minnesota Lawyer, sister publication to The Daily Record.