WVa scam is rare type of ID theft

Joel Reidenberg in Yahoo! Finance, May 09, 2009

by Tom Breen, Associated Press Writer
CHARLESTON, W.Va. (AP) -- When unknown scammers set up phony bank accounts in the name of legitimate state vendors and snagged nearly $2 million in West Virginia funds, they perpetrated a rare variation of a familiar scam: They stole the identities of companies rather than individuals.

It's rare enough that federal law enforcement agencies don't have separate statistics for cases of corporate identity theft, but when they do occur they can involve millions of dollars in potential losses.

Even worse for companies, because the law is so undeveloped in this area, getting restitution may be harder than it is for individuals -- and attempts at making such corporate identity thefts harder could clash with existing freedom of information statutes.

"This is probably the first major public case of corporate identity theft," said Fordham University law professor Joel Reidenberg, who is also director of the school's Center on Law and Information Policy.

"This case could be the tip of the iceberg for corporations," he said. "It's going to be very challenging for policy-makers and for companies to deal effectively with this."

West Virginia's state Auditor Glen Gainer III announced this week that his office had paid nearly $2 million to bank accounts it thought belonged to legitimate state vendors. The office had received paperwork asking for deposits in the new accounts that checked out: It had all the required information to make the switch.

But those accounts -- and a third, which auditors caught before any money changed hands -- were created by unknown scammers, with at least some of the money going overseas.

Gainer declined to release the names of the vendors, but Deloitte Services in New York and Memphis-based Sedgwick Claims Management Services confirmed that they were the vendors defrauded.

Deloitte has a contract with the state Department of Health and Human Resources. Sedgwick is a vendor for the state Insurance Commission.

Both declined to elaborate, saying their firms are cooperating with the ongoing investigation.

Corporate identity theft is far less common than individual identity theft. Researchers at the National White Collar Crime Center in Fairmont -- an organization that has Gainer as the chairman of its board -- found a single comparable example, although in that case the scammers were unsuccessful.

A company in Michigan called Executive Outcome Inc. tried to take advantage of a case of mistaken identity by wringing $23 million from the West African government of Sierra Leone, which owed the money to a South African firm called Executive Outcomes.

The FBI intervened before any money changed hands, and in 2007, John DiPofi, the head of the Mount Clemens-based company, was sentenced to more than three years in federal prison for conspiracy, wire fraud and other charges.

Corporate ID theft may be growing, though, preying particularly on smaller, independently owned firms without the resources to detect what's happening, according to Judd Rousseau, chief fraud officer of information security firm Identity Theft 911.

"We're seeing more of it with small doctors' offices, with construction companies, where people impersonate those companies and obtain credit that way," he said. "Criminals are not dumb. They see what works and imitate it."

Gainer said this week that he knew of similar fraud attempts involving the governments of Florida, Massachusetts, Maine and North Carolina. Officials in the latter two states said they had no knowledge of such scams, while a spokeswoman for the Massachusetts attorney general's office declined to comment.

In Florida, though, state officials did catch on to a similar scheme earlier this year and stopped it before any money was lost, according to Kyra Jennings, spokeswoman for state Chief Financial Officer Alex Sink. Florida authorities are still investigating the incident, she said.

"It's going to really be incumbent for businesses to come up with practices to protect themselves against this," Rousseau said.

Businesses, though, face a more challenging landscape than individuals who, for example, have bogus charges added to their credit cards. Because corporate identity theft is so rare, there are no clear practices in place for businesses seeking restitution, particularly if the wrongdoers aren't caught.

Gainer has said the state won't reimburse the two companies for the nearly $2 million, and the law may not be clear on whether the vendors should expect restitution from West Virginia, Reidenberg said.

"The corporation clearly has a set of civil claims they could bring against the wrongdoer, if the wrongdoer is found," he said, "but the vendor's right to recover against the state would be whatever West Virginia law provides, and it's probably an area that isn't well-developed."

And corporations looking to avoid similar predicaments will have a harder time making information confidential, since government contracts contain a wealth of information that's required to be public, although exemptions exist for sensitive information like tax identification numbers.

"We don't want the state contracting with private parties secretly, so that's got to be public," Reidenberg said. "That's going to be a real challenge."

Identity Theft 911: http://identitytheft911.org

Contact: Joel Reidenberg
Email: jreidenberg@law.fordham.edu