Identity theft is not new, but it is being used as a label to describe the latest trend in fraud.
As businesses become more sophisticated and adopt better security systems, criminals are finding new ways of circumventing security.
However, businesses do not as yet have a secure and trusted means of identifying individuals when trading online, which means they must rely on more traditional ways to identify customers.
The more "original" a document a customer has, the more accepting most businesses are about their identity. Criminals are collecting original documents based on a real or fictitious individual. Obtaining duplicate documents such as passports, birth certificates and driving licences is not impossible, but the cost required to obtain them must produce a return on investment.
Digging around in household rubbish is probably still the most effective and cheapest way of obtaining copies of bank statements and utility bills. A Google search can quickly provide enough information to build a snapshot of a person's life from information on personal websites or biographies on corporate websites.
As an indicator of the scale of the problem, the National Criminal Intelligence Service has estimated that the cost of identity theft to the British economy is £1.3bn a year. This loss is not just monetary - a business can suffer reputational harm when its security systems are shown to be insecure or inadequate.
Businesses have to assess the risk and cost of fraud. There is no point in implementing hugely expensive security systems if the potential loss is low. Most businesses work on the basis that a percentage will be lost to fraud and bad debts. Provided that loss is acceptable, it will be tolerated.
However, the bigger the business the more likely it is to be subject to some form of regulatory or shareholder pressure. Corporate governance, for example, looks at businesses from a risk perspective.
IT managers are being asked to analyse the risk posed by computer systems and to present their findings formally to the board. This information may then be presented to regulators. Some larger customers also require comfort statements.
To be effective, the IT manager has to work closely with the board and with risk managers. This is not just about firewalls and authorising credit card payments - businesses have to look at all the different functions.
For example, an employee may have a profitable sideline in printing copies of utility bills for certain addresses. Can your computer networks and security systems detect and prevent this? Do you have proper audit trails and exception reporting? What would happen if this anomaly was reported?
Businesses have to recognise that identity theft exists so that measures can be taken to investigate and resolve the matter.
What is probably of greater concern is that businesses may have a greater liability than just the cost of the fraud. If adequate safeguards have not been implemented and it can be proved that a business has been negligent, it may be liable for other losses which were reasonably foreseeable.
George Gardiner is a partner at law firm Stephenson Harwood
This was first published in September 2003