Wrosch of Oregon said the same is true in his state, acknowledging that the state's business registry can be manipulated or out of date, and shouldn't be the final word on the ownership of a company.
"We tell businesses: if you're relying on our database to show ownership or authority (of a company), then you're enabling business identity theft. Our registry is not the best indicator or the sole indicator of who is the owner or person in charge of a business."
Business identity theft wouldn't be a problem, he said, if "the people who had the money – whether that's a bank or a credit card company – didn't rely on the business registration ... what they see on our system."
That's a shocking admission, but Wrosch's sentiment is backed up by data. The firm Dun & Bradstreet estimates that approximately 20 percent of the registration data in government databases is inaccurate, complicating tax collection and enabling fraud.
Besides, Wrosch said, business identity theft isn't a front burner issue in his state. "We're not hearing about it from local law enforcement or anecdotally," he said. That could be because there are no crimes to report, or because businesses are loath to admit when they've been defrauded. Whatever the case, with few reports, it's hard to justify dedicating the resources and money to address the problem, Wrosch said. Add to that the fact that, in many states, implementing new and more secure business registries requires legislative action of some kind to approve the additional budget to fund the new system. In Colorado, despite public attention to the problem, it's still a year to win funding to implement business registry security features, said Secretary of State Gessler.
A 2011 position paper by the firm Dunn & Bradstreet said that online business registries have improved the speed and ease of registration over older, paper-based processes and can "strengthen agencies' mission capabilities in such areas as regulation and oversight, collection of revenue and fees, transparency, and economic development." But state agencies must fix the problem of what D&B called "inadequate data-quality checks" that have "enabled criminals to use government websites to steal the identities of legitimate businesses to perpetrate crimes."
The firm said states should take a number of steps to secure their filing systems and make them more akin to private sector systems. Those steps include proving the identity of those registering a new business or attempting to alter data for an existing firm, then providing them with a unique identifier and password to limit access to that data. But states will also need to invest significantly in support, management and oversight to ensure the continued integrity of their business registries and the data in them, D&B said.
The NASS also recommended a series of changes in their report, chief among them the establishment of cyber security policies and practices to secure online business records and prevent unauthorized changes. NASS also called for better reporting and tracking of business identity thefts and new laws that empower secretaries of state to investigate fraudulent filings, raise the burden of proof for those seeking to resurrect a dissolved business entity and impose stiff penalties for cases of proven business identity theft.
The efforts of NASS and others appear to be working. Colorado's Secretary of State, Scott Gessler, who chairs the NASS Business Identity Theft Taskforce, said that awareness of the problem has grown tremendously in the states where NASS has held workshops. "We have a lot of people who are interested in doing the things we're doing in Colorado," he said.
That's as it should be because criminals will be quick to shift from higher- to lower security states when changes start to be implemented. "I tell my counterparts in other states that there's no question that if we stymie crooks in our state, they're coming your way instead," Gessler said.