What Are the Legal Steps in a Corporate Identity Theft Dispute?

Perpetrators may file fraudulent tax returns claiming refunds, apply for loans or lines of credit using the corporation's EIN or legal name, open vendor accounts, or establish business credit profiles in the corporation's name. The fraud may be committed by employees with access to corporate information, external actors who have obtained identifying data through breach or public records, or competitors seeking to damage the business. Courts and administrative agencies recognize that corporate identity theft creates distinct harms because the business loses control over its own credit standing and may face liability for obligations it did not authorize.

Corporate identity theft disputes typically involve larger financial exposures, multiple creditors and government agencies, and more complex evidentiary requirements than consumer cases. A corporation must often prove it did not authorize transactions and did not benefit from fraudulent credit or accounts, which requires detailed documentation of authorization protocols and business records. Unlike consumer identity theft, which may trigger automatic fraud alert or credit freeze protections under federal law, corporate disputes often require affirmative action by the business to notify creditors, credit agencies, and government entities of the fraud.

From a practitioner's perspective, the first critical step is creating a verified loss affidavit or detailed declaration that documents exactly what fraudulent accounts or transactions were discovered, when they were discovered, and why the corporation did not authorize them. This affidavit should identify specific creditors, account numbers, dates, and amounts, and should be signed under penalty of perjury. Corporations should also gather internal records showing authorization procedures, employee access logs, and any communications with creditors or agencies that demonstrate the business's lack of knowledge or consent. In New York, when a business later seeks to challenge fraudulent obligations or pursue recovery, courts and creditors often require that the corporation have created a contemporaneous, detailed record of the fraud discovery and the business's immediate response; delayed or incomplete documentation can complicate later efforts to establish that the corporation is a victim rather than a liable party.

Business credit reporting agencies, such as Dun & Bradstreet, Experian Business, and Equifax Business, maintain credit profiles for corporations and report payment history, credit inquiries, and account information to lenders and other businesses. When fraudulent accounts appear on a business's credit report, the corporation can dispute the information directly with the credit agency and request removal or correction. Under the Fair Credit Reporting Act and similar state consumer protection laws, credit agencies must investigate disputes and remove inaccurate information. The corporation should also request that a fraud alert or security freeze be placed on its business credit profile to prevent further unauthorized inquiries or account openings.

If a corporation has been harmed by fraudulent accounts or obligations in its name, it may bring a civil action against the perpetrator for damages, including economic losses, costs of remediation, and in some cases punitive damages if the conduct was particularly egregious. The corporation may also defend against collection actions brought by creditors who relied on fraudulent applications or accounts. Many of these disputes are resolved through negotiation and creditor verification of the fraud claim; creditors often have procedures to remove fraudulent accounts once the corporation provides sufficient evidence of unauthorized use.

When identity theft involves federal crimes such as wire fraud, mail fraud, or tax fraud, the corporation may report the matter to the Federal Bureau of Investigation, the Secret Service, or the Internal Revenue Service. If criminal prosecution results, the corporation may seek restitution as part of the criminal case, though restitution depends on conviction and judicial discretion regarding the defendant's ability to pay. Criminal prosecution does not preclude civil claims by the corporation.

Best practices include limiting employee access to sensitive identifying information such as EINs and credit accounts to only those with legitimate business need, implementing multi-factor authentication for financial accounts and credit applications, monitoring business credit reports regularly, and establishing clear authorization procedures for all credit and account applications. Corporations should also maintain secure records of tax returns, financial statements, and government filings to detect if fraudulent filings have been submitted in the business's name. Training employees on identity theft risks and phishing attempts can reduce the likelihood that corporate information will be compromised through employee error or social engineering.

Legal counsel should be engaged promptly when a corporation discovers or suspects identity theft, particularly if the fraud involves substantial financial exposure, multiple creditors or government agencies, or disputes with creditors over liability for fraudulent accounts. An attorney can help evaluate the scope of the fraud, coordinate responses across multiple agencies and creditors, assess civil and criminal remedies, and develop a strategy to minimize ongoing harm. Counsel experienced in identity theft matters can also advise on documentation requirements and timing issues that affect the corporation's ability to pursue identity theft lawsuits or defend against creditor claims.