Identity theft invades Main Street businesses

Small to mid-sized companies face exposures resulting from personal data they collect

By Phil Zinkewicz


In the 1950s television series titled “Alfred Hitchcock Presents,” one episode starred actor Tom Ewell, playing a stodgy, conservative businessman who discovers that his exact “double” is taking over his life. Ewell’s “double” precedes him into Ewell’s office where he makes business decisions, into Ewell’s bank where he makes withdrawals, and even takes on the role of husband to Ewell’s wife. In order to outfox his “double,” Ewell changes his lifestyle. He begins wearing flashy clothes and acting in ways that are totally out of character. The “double,” however, retains Ewell’s former characteristics and, in an eerie confrontation scene, manages to convince everyone that he really is Ewell. The real Ewell is taken away to an asylum, screaming that his life has been usurped. No one believes him.

Of course, when this episode was aired, the very concept of identity theft was the stuff of which science fiction films were made. Moreover, the key to this particular TV segment was the use of the “double” or doppelganger to pull off the identity theft. However, in today’s almost faceless Internet society, no doppelganger is needed.

These days, a great many financial transactions take place without any face-to-face contact, and these transactions occur based upon names and numbers—addresses, account numbers, Social Security numbers. People use their credit cards to make online purchases, or a bank’s Web site to pay their bills. The numbers are out there.

The Federal Bureau of Investigation reports that identity theft is the fastest growing crime in the United States. It is also the number one consumer complaint received by the Federal Trade Commission, accounting for approximately 255,565 complaints in 2005. The FTC reports that identity theft accounts for about $54 billion in direct and indirect costs to U.S. businesses and individuals.

In addition, more than 30 states have enacted legislation requiring companies to notify consumers if their personal information may have been compromised. Even in states where notification is not required by law, failure to notify an individual of a potential identity breach may result in severe civil, regulatory and legal liability costs, as well as potential damage to a company’s reputation and loss of consumer confidence.

Of course, the insurance industry has responded to this relatively new area of exposure. There are insurance coverages that individuals can purchase, usually as an add-on to their homeowners insurance packages. And, commercial establishments can purchase insurance to protect the company and its employees in the event that an identity fraud has taken place.

But what about taking steps to mitigate identity fraud before it becomes a claim? Let’s say that a bank, nursing home, new car dealership or even a restaurant—any business interest that amasses information on customers, such as credit card numbers, Social Security numbers, addresses, telephone numbers—discovers that a breach has occurred that allows that information to move into cyberspace. What are the options in this instance?

National Union Fire Insurance Co. of Pittsburgh, a member company of American International Group, recently announced the release of AIG Corporate Identity Protection, a new business insurance policy designed to protect small and mid-sized companies from financial exposures related to identity theft or the threat of identity theft.

Nancy Callahan, vice president, AIG Identity Theft and Fraud Division, says that the new product is “ideal for companies in Main Street industries with revenues up to $100 million or holding up to one million identities.” The product provides coverage to the insured company for legal liability damages, defense costs, regulatory action expenses, notification costs, crisis expenses and post event services, including identity theft recovery services, such as education, assistance and credit monitoring for victims. Companies can obtain a policy with limits starting at $100,000 up to $5 million.

“The fact is that most companies collect and hold personal data from employees and customers,” says Callahan. “The way these companies handle that information, the way they safeguard it is of paramount importance to the company and the company’s employees and customers. Some states demand that companies give notice of a breach of sensitive information to those who might become victims of identity theft or fraud. But even in states that don’t have such a requirement, companies will probably want to give notice to mitigate the misuse of that information. Just giving notice itself can be an expensive proposition.”

In addition, says Callahan, a company may want to provide individuals who might be affected by the breach assistance in terms of credit monitoring or an IT specialist to prevent information misuse. “Our product provides reimbursement of expenses for these situations,” she says.

“Dealing with regulators or even civil cases where liability on the part of the business owner has been alleged can also be very expensive,” she continues. “We had one case where a disgruntled employee, intent upon damaging the employer, published sensitive data regarding employees on a Web site. The employer immediately gave notice to its employees and offered free credit monitoring, but somehow the information got into the press. In this case, there were no regulatory problems and no civil suits resulted, but there were a couple of days of loss of production while everything was sorted out. The employer had his expenses reimbursed.”

Callahan says that banks, restaurants and nursing homes are not the only ones who could be affected. “Third-party administrators, who collect customer information on the part of the broker and on the part of the insurance company, could encounter this kind of trouble, as well as brokers and agents themselves. Any business that routinely collects private information from its customers might need this coverage.”

In fact, according to Callahan, AIG developed this product, in part, because of inquiries from its own agents and brokers. “With the rise in the number of states that were instituting notification laws, we saw the need for companies to protect themselves in the event of a breach of information. At the same time, our producers were asking whether we could come up with a product that addressed the new exposure,” says Callahan.

One such producer was Ralph Blust, executive vice president, binding authorities unit in the Chicago office of BISYS/Tri City, a wholesale broker. “Many of our retail agents were coming to us, inquiring whether such a product could be designed for the small and mid-sized market,” says Blust.

“We met with AIG to discuss the opportunities for our clients in this area. AIG designed the product and we have been involved in the later stages, analyzing the opportunities from a distribution standpoint. The key to AIG’s new product, and what makes it unique, is that the coverage trigger is an event where data has been compromised. From that trigger, AIG offers reimbursement for expenses before a liability claim has been made. In that sense, it is a proactive approach to dealing with potential identity theft.”

 
 
