

Small Business Owners: Protect Your Operation from Identity Theft
By Stephen Parezo

October 2004

An employee at one of the nation's largest online search engines is arrested for stealing millions of subscriber screen names. A college student with access to the school's database steals 55,000 Social Security numbers. Unsuspecting consumers are lured online to provide personal data that's used to hijack their financial accounts. No, these aren't isolated incidents. They are glaring reminders of why identity theft is the fastest growing financial crime in America, affecting 10 million people a year and taking $50 billion out of the U.S. economy.



Even with the new Identity Theft Enhancement Act, which creates a separate federal crime known as "aggravated identity theft" (where a stolen identity is used to commit crimes) and imposes a mandatory two-year prison sentence in addition to any penalties for the related crime, small businesses are still prone to becoming the latest victims.

So how can these businesses avoid falling prey to identity theft?

"By taking proper safeguards," according to Fiducial's Joseph "Joe" Wheeler. As a forensic accountant who works in the company's Annandale, Va., office, he should know. After all, he worked for the Central Intelligence Agency for 13 years.

Watch what you say

Wheeler advises entrepreneurs to be careful what they say during office phone conversations, to give identifying or financial information over the computer only on secure pages, and to monitor their monthly statements.

It's also a good idea, he says, for the owner to check their credit and that of their business periodically with credit reporting agencies. They should also be judicious in the use of their Employer Identification Number (EIN) and any Social Security information.

"Never provide these numbers to anyone over the Internet or the telephone if you didn't initiate the contact," said Wheeler. He also strongly suggests safeguarding all passwords and personal identification numbers. "These should not be stored on the computer's hard disk or on post-it notes around the computer. If reminders need to be stored, keep them in a lock box."

Access to sensitive information should also be limited, both by physical barriers such as locked doors and file cabinets and on the Internet through passwords. For properly disposing of sensitive information, Wheeler advocates the use of shredders for all unneeded documents and trash that might have information or identities on it, especially unopened solicitations.

When in doubt, shred it

Indeed, the need for shredding business documents is growing very rapidly in the small business sector, according to Lee Miller, who has operated a Shred-it franchise in Baltimore, MD, since 1997. Billed as the world's leading and largest mobile, on-site document destruction company, Shred-it's trucks are equipped with industrial paper grinders that can shred several thousand pounds of paper per hour.

Until recently, Miller says some businesses such as car dealerships seemed to be pretty blasé over matters of information security and identity theft. But these dealers have now done an about-face after the Federal Trade Commission put pressure on them for laxity when it came to their document disposal methods.

"They didn't really have a defined document management process," he said. "There's no rule that says you have to do it but you do have to have some sort of controls."

After the Gramm-Leach-Bliley Act went into effect in 1999, the FTC came out with a set of regulations that put the onus on smaller businesses that collect financial information from consumers, including auto dealers who finance and lease vehicles. These businesses are obligated to establish procedures to ensure the security and confidentiality of customer records.

"This applies to millions of small businesses who tend to be a little bit naïve about these regulations until you start hearing about someone else that's having a problem," Miller said. "Your antenna goes up and you ask 'what's this all about?'"

Another way that entrepreneurs can protect themselves from identity theft is by hiring a security consultant who understands the issues of managing records.

"It's extremely important to have some sort of records management document that shows here's how you maintain records, how you store them, have access to them and how you dispose of them," he added.

An inside job

An estimated 70 percent of identity crimes in the U.S. start with the theft of personal data by an employee, according to a study by Michigan State University. Instead of stealing merchandise, many employees steal data and get money.

The scope of identity theft has evolved from stealing personal information to taking an individual's entire identity. This includes stealing such vital information as their name, address, Social Security number, credit card number, tax identification number and even their electronic tax filing number with the U.S. Treasury Department.

High-tech savvy criminals can now use this information to open bogus businesses to obtain credit cards, says Judith Collins, an associate professor of criminal justice at Michigan State and an internationally recognized expert on identity theft.

One such case involved a former employee of a Michigan-based food manufacturing company. This employee -- who left under less than favorable circumstances several months earlier -- had access to sensitive company information including the EIN, profit-loss statement and all financial records that are considered business identities. The ex-employee then used this information to open another company using the name of the parent company and then applied for and received a small business loan for $480,000.

What made it so easy for this identity thief, Collins says, is that in most states all that's required to open a business is to file a simple form which can be done electronically, make it look authentic and "voila, you're in business."

But it wasn't until the food company's actual owner received a letter saying this loan was delinquent that the individual realized it might be a case of identity theft.

Identity theft did not become pervasive until the late 1990s. That's why Collins believes it's such a problem and "the criminals are becoming more sophisticated in technology than law enforcement." The sophisticated methodology used in identity crimes "layers" the crime so that it's tougher for the police to track down the culprits.

For instance, an employee downloads a list of 2,000 Social Security numbers and addresses and sells a piece of this list, maybe 10 names, to another individual. Then that person may sell some of those names to a third person who sells several names off that list. Next, these identity thieves might open a post office box to receive fraudulent merchandise.

"They find a street urchin and pay them $50 to open up a post office box," she said. "The street urchin has no idea whose name is on the post office box slip. When asked who else receives mail at the p.o. box they'll put down the name of one individual although the post office box is opened in the name on the identification card. It's usually a fake name, usually the name of the victim.

"So here we've got a third party receiver of Social Security numbers who doesn't know where those numbers came from in the first place," she said. "That individual is receiving information at the p.o. box that is not registered to them. But that person won't pick up mail—it's another person who perpetrated the crime."

Gone "phishing"

One of the latest, most virulent forms of identity theft takes place on the Internet and is called "phishing." In this scam, recipients will get what appears to be a valid email from a legitimate company, asking for an account number and the related password. The explanation used is that the recipient's records are being updated or that there is a new security measure in place that requires confirming the requested information. This "fishing" for information has been used to obtain stolen identities to commit identity crimes, with a single act of phishing generating hundreds of thousands of stolen identities.

A number of well-known institutions have been spoofed successfully because the email contains authentic trademarks, logos, language and even the URLs of the spoofed company. Often, the email contains links to pages that are programmed to look like those on the company's actual site, and only a discerning eye can tell that the pages are not "real."

But just because the email so closely resembles the real thing doesn't mean that this too is an inside job. 

"We've only been hearing about phishing the last several months," Collins said. "Phishing seems like a hacker activity. Phishing is not done by insiders. An insider doesn't have to do phishing. They just have to click the mouse button."

Insiders may not be responsible for phishing but it's no surprise that the U.S. Sentencing Commission is enhancing penalties for insiders who steal data that is then used in identity theft crimes. This includes those with access to personal records through their jobs at banks, government agencies, insurance companies and other storehouses of financial data.

"People don't like to hear that identity theft is an inside job," Collins said. "It's not a good feeling because they fear losing customers. The fact of the matter is that it's the employees' identities that are also stolen. Now they have to be concerned coming to work that their personal information is going to be stolen."

That underscores the importance of a company having the proper controls in place so that only a select few staff members have the necessary permissions to access personal and financial data.

"Make sure that the appropriate people have permissions to see what they need to see," said Mario LaNasa, Fiducial's Senior Network Administrator. "But make sure people who are not in the accounting department don't have access to all files that store sensitive information."

Securing the borders

Professor Collins, whose upcoming book "Identity Theft Prevention and Control: How to Protect Your Business, Customers, and Employees" will be published in December by John Wiley & Sons, asserts that identity theft can largely be prevented by securing the borders of the work place. And the first line of defense is the people who work there.

One of the ways Collins suggests that a company's human resource manager can help prevent identity theft in the work place is by using proven, scientifically developed personnel selection systems that select employees for honesty and integrity.

These tests can range in price from $5,000 to as much as $150,000 or more depending on whether the company wants to purchase an existing test from a reputable test publisher or if the company wants someone to come in and develop a proprietary test using their own tangible assets.

"It also depends on the size of the organization, how many employees are hired per year, the turnover rate and the complexity of the organization," she said.

Don't get personal

IT professionals recommend that small businesses operating an e-commerce site use strong encryption. This way, when a customer hits the submit button, all the information is scrambled and made unreadable as it goes through the Internet until it's descrambled at the other end.

When on the Web, Fiducial's LaNasa advises that entrepreneurs should watch their steps by looking for proper signs and certifications from other companies that attest to secure sites.

"Go to the Better Business Bureau site and check the list of companies that have had complaints lodged against them," he said. "If you're ordering on line there should be a logo that says they have a secure site. If not, don't do it."

Site visitors should look for a lock logo on the bottom right hand side of the screen. Double-clicking on the logo will show that the site is 128-bit secure, which is the industry standard of encryption to guarantee the confidentiality of the information in transit over the Internet.

The business name should also match up with the company name on the website. Look for the Verisign logo and then click on the logo to get additional information such as the expiration date of the secure certificate.

The key here is looking for a 1-800 phone number which should always be posted on the site. Most legitimate firms have them. If the site is unfamiliar, call the number and see if someone answers the phone. "If not, this should throw some red flags up," he said.

Though it's an obvious suggestion, many companies still need to be reminded not to email sensitive information, especially when it's of a financial nature.

"Email is not a safe way to transmit credit card numbers or account information," LaNasa said. "For the most part it's not encrypted. Even if you send it to the wrong person, they can still get this information."

Stephen Parezo is the Media Manager for Fiducial.

© 2004 Fiducial, Inc. Reprinted courtesy of international small business services provider Fiducial. For more information, tips and resources, log on to www.fiducial.com. All Rights Reserved.
