In Florida, officials at the Division of Corporations uncovered 40 known cases of fraudulent business filings with damages of up to $360,000 in one case, said Karen Ellis, who was hired by the State of Florida in May to spearhead its efforts to stem business identity fraud and abuse.
Ellis says that poor communication between law enforcement and secretaries of state, who often manage corporate filings, is one major obstacle to stopping identity theft. Since starting work for the State of Florida in May, Ellis says that she has improved communication between the Division and law enforcement. But bigger changes that can actually stop identity theft have been slower coming, she said. "Right now in Florida we still have fair faith filing. That means I can get on a computer and go and alter things on an LLC, NPO or corporation. I just need to send in the form and pay my $25 charge for the amendment," she said. "We've left ourselves wide open."
The loose security around business filings is no accident. In many states, secretaries of state are confined by law to a "ministerial" role with regard to business filings, without the authority to question the details of filings that meet the state's guidelines. When fraud occurs, secretaries of state are often hamstrung in investigating suspicious filings, according to a January 2012 report by the National Association of Secretaries of State (NASS).
That means that, despite increased awareness of the problem of identity theft, would-be identity thieves can easily exploit online registries of corporations to glean the information needed to impersonate the firm, and then abuse Web- and fax-based filing systems to hijack the firms' identities without concern about getting caught.
In Oregon, the problem has been identity thieves reinstating old mining companies to steal their corporate identity, said Tom Wrosch, that state's Commercial Registries Manager. In response, the state set up limits on how long a company could be dormant before it is reinstated, he said.
Colorado Secretary of State Scott Gessler said that his state has seen a spike in cases of corporate identity theft stretching back to 2009 and 2010, under his predecessor. The problem was big enough to become an issue in a hotly contested political race for the Secretary of State's seat, with Gessler promising to be more aggressive in combating corporate identity thieves if elected.
Since winning the race, he said he has made good on his campaign promise: getting legislative approval and funding to expand an existing program to notify business owners by e-mail if their business registration information changed. Business owners in Colorado can now protect their business filings with password protection – the first such system in the nation.
"The password feature is straightforward, but it's new and unusual in the context of central business registries," Gessler said. The system went live in January and, to date, just over 26,000 businesses have registered for Secure Business Filing accounts, according to data provided by the Secretary of State's office. The system is voluntary for business owners and Gessler admits that cajoling established businesses to set up an account has been a challenge. But Colorado has made it a default option when citizens set up a new business, with most taking advantage of the feature.
The data, so far, is encouraging. Reports of business identity theft average about six per month so far in 2012, down from an average of 11 per month in 2011 and 18 a month in 2010.
But Colorado is the exception rather than the rule. Even with greater attention to business identity theft, most states have little, if any, security built into their business registries. In states like California, for example, the form to amend a limited liability company (LLC) can be downloaded from the Secretary of State's Web page and mailed or faxed in with payment, but no proof of identity. That allows identity thieves to act without fear of getting caught.
Texas doesn't provide either an e-mail notification program or a way to password protect a business entity record, though the state is constantly reviewing its procedures in an effort to maintain the security of business records and appropriate public access to them, said Richard Parsons, the Communications Director for Secretary of State Hope Andrade.
Even states that have implemented security features often fall short of the mark. Massachusetts' Secretary of State's office has password-protected online filing. However, scammers can obtain a user name and password from the Secretary of State's office with nothing more than a valid e-mail address and the name of the LLC or LLP they are targeting.
Don Huntting, the president of Huntting Investigative Services in Westlake Village, California, said that California, like other states, is behind the curve, with state agencies mired in bureaucracy and slow to process changes in business filings, let alone spot fraud in real time. He said that, in his state, it often falls to banks, which have higher standards of proof when setting up business accounts, to actually spot and stop business identity theft fraud. "The state is dropping the ball," Huntting said.