What Is Identity Theft Law?

Business identity theft law protects several categories of corporate assets and credentials. Trade secrets, domain names, business bank accounts, credit lines established in the company's name, and employee credentials used to access company systems all fall within the scope of identity theft statutes and civil claims. When a third party fraudulently assumes a corporation's identity to open accounts, access systems, or misrepresent the business to vendors or financial institutions, the corporation may pursue claims under New York General Business Law, the federal Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028), and common law fraud. From a practitioner's perspective, the breadth of what constitutes identity in a corporate context means that seemingly isolated incidents of credential misuse can aggregate into a pattern of systematic fraud requiring coordinated legal response.

Corporations operate across multiple digital platforms, employ numerous staff with system access, and maintain interconnected financial and operational networks. This complexity creates friction points where credentials can be compromised, stolen, or misused before detection. Unlike individual consumers, businesses often discover identity theft weeks or months after the initial unauthorized access, and by that time fraudsters may have opened accounts, diverted payments, or caused operational damage. The longer the lag between theft and discovery, the greater the difficulty in proving causation and tracing the full scope of harm for litigation or insurance recovery purposes.

In civil litigation, a corporation must demonstrate by a preponderance of the evidence that the defendant used the company's identity without authorization and with knowledge that such use was fraudulent or unlawful. New York courts examine whether the defendant obtained money, credit, goods, or services through the misrepresentation, or caused financial or reputational harm to the business. The corporation's burden includes producing documentary evidence linking the unauthorized activity to the defendant: transaction records, system logs, email headers, financial statements, and testimony from employees or vendors who detected anomalies. When documentation is incomplete or delayed, particularly in cases where a corporation did not discover the theft until months after it occurred, courts may struggle to establish a clear causal chain, which is why contemporaneous record-making and prompt notice to financial institutions and law enforcement can materially strengthen a claim's evidentiary foundation.

Federal identity theft law (18 U.S.C. § 1028) criminalizes knowingly and fraudulently using a business's identifying information to commit any fraud affecting interstate or foreign commerce. Federal prosecution offers corporations certain advantages: federal law enforcement resources, potential restitution orders, and the ability to pursue cases that cross state lines or involve multiple victims. However, federal prosecution is discretionary and typically reserved for cases involving substantial loss, organized fraud rings, or national security implications. Most corporate identity theft claims are resolved through state law civil suits, administrative remedies with credit bureaus or financial regulators, and internal recovery efforts. Understanding when a case may warrant federal referral versus pursuing state remedies directly requires early assessment of the scope and sophistication of the fraud.

In identity theft lawsuits, corporations may seek compensatory damages for direct financial losses, costs of remediation and notification, lost profits, and reputational harm. Injunctive relief, which orders a defendant to cease unauthorized use of the company's identity and return or destroy fraudulently obtained credentials, is often the most practical remedy because it halts ongoing harm. Punitive damages may be available if the defendant's conduct was willful and malicious, though courts award these sparingly and typically only when other remedies prove insufficient. The effectiveness of each remedy depends on the defendant's location, assets, and ability to pay, which is why many corporations prioritize injunctive relief and administrative remedies alongside monetary claims.

Upon discovery of suspected identity theft, a corporation should take the following actions in sequence: (1) secure and preserve all evidence, including transaction records, system logs, and communications; (2) notify financial institutions, credit bureaus, and vendors of the unauthorized activity; (3) file a police report with local law enforcement or the FBI's Internet Crime Complaint Center; (4) contact the company's insurance carrier to preserve coverage; and (5) engage counsel to evaluate whether civil litigation or regulatory complaints are warranted. Timing is critical because financial institutions and credit bureaus often impose deadlines for disputing fraudulent transactions, and delays in filing formal complaints can limit recovery options. In New York state courts, including trial courts in high-volume commercial districts, documentation of the timing of discovery and prompt notice to third parties can become dispositive in establishing whether a corporation acted with reasonable diligence, particularly if the defendant contests liability or seeks to minimize damages by arguing the corporation failed to mitigate harm.

Litigation is expensive and time-consuming, making it most suitable for cases involving substantial loss, identifiable defendants with assets, or situations where injunctive relief is necessary to prevent ongoing harm. For smaller-scale or opportunistic fraud, administrative remedies with credit bureaus, dispute processes with financial institutions, and insurance recovery often provide faster and more cost-effective resolution. However, corporations should consider that litigation creates a record of the theft, can deter future fraud attempts by the same perpetrator, and may yield precedent useful for regulatory or compliance purposes. The decision to litigate should account for the defendant's sophistication, whether the fraud appears to be part of a larger scheme, and whether the corporation's stakeholders, customers, or regulators expect visible enforcement action to demonstrate adequate controls and response.

Before initiating litigation or administrative complaints, corporations should verify that they can document the unauthorized use with specificity: dates, accounts affected, amounts diverted or fraudulently obtained, and the identity or identifying characteristics of the perpetrator. Eligibility for certain remedies depends on whether the corporation reported the theft to law enforcement within a specified timeframe, whether the company maintained reasonable security measures (which may affect insurance coverage or regulatory liability), and whether the corporation can establish that it discovered the fraud with reasonable diligence. Courts and regulators increasingly scrutinize whether a business took adequate steps to detect and prevent identity theft, so contemporaneous documentation of discovery, notification timing, and remedial actions becomes part of the evidentiary record. Organizations should also evaluate whether disclosure obligations to customers, investors, or regulators apply, and whether identity theft remedies interact with data breach notification laws, cybersecurity regulations, or contractual obligations to third parties.