What is small business identity theft?
Small business identity theft occurs when thieves exploit small businesses to gather personally identifiable information (PII) from a company, its customers, or its employees, then use that data to sign up for fake accounts and steal money.
Are small businesses more at risk for identity theft than larger organizations?
Small businesses are disproportionately affected by identity theft—a 2012 study by Verizon found that nearly 75 percent of data breaches analyzed affected businesses of 100 employees or fewer. Other research reveals that this number is rising, and yet business owners are woefully underprepared. As many as 83 percent admit they have no formal cybersecurity plan.
Small businesses are more vulnerable than bigger companies, and thieves know that small businesses frequently have more credit or cash on hand than large companies.
Are there different types of small business identity theft?
Corporate identity theft (also called "hijacking") occurs when a criminal obtains PII, such as a tax ID number, from a business and uses it to obtain credit under the company's name. The Center for Identity's Identity Ecosystem project is tracking which identity attributes are most vulnerable.
Another risk is a data breach, which occurs when an unauthorized party obtains personally identifiable information of a company, its customers, or its employees. A data breach can be intentional or accidental, and can come from inside or outside an organization.
Is my company legally obligated to have a data breach prevention and recovery plan?
In 2007 the Federal Trade Commission enacted the "Red Flags Rule," a guide for businesses to develop, apply, and manage an identity theft prevention program. It includes information about how to design a program that takes your business' needs and risks into account. It also includes guidelines for incorporating the program into day-to-day operations.
Only certain businesses are legally obligated to comply with the Red Flags Rule. These include financial institutions and creditors as well as businesses dealing with "covered accounts," or accounts considered more vulnerable to identity theft.
More detailed information about the Red Flags Rule can be found in our online learning module.
Is a data breach more likely to originate within my company or outside it?
According to a 2009 Verizon study, about 75 percent of data breaches come from outside sources. The other 25 percent come from within, primarily as a result of human error.
How can I protect my small business from being hacked by outsiders?
Preparedness may be your best defense.
- All information technology systems should have appropriate firewall and antivirus technology
- Security software patches should be updated in a timely fashion
- Even if your company isn't bound by the Red Flags Rule, have a clear protocol in place for data breach or corporate hijacking
While these tips may not prevent all instances of theft, they will make recovery easier and less painful.
How can I protect my small business from a data breach from the inside?
Train employees to protect sensitive information, including locking up records and keeping passwords strong. Businesses should also set up clear usage standards for mobile devices and public Wi-Fi.
More detailed information on protecting your business from internal threats is available in our article Monitoring the Internal Threat.
Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy.