Start-ups have enough challenges, from raising funds to generating sales, yet sometimes the biggest threat comes from within. Businesses that take payments via credit card or PayPal should be aware that customer information theft is on the rise and your business can be sabotaged if you don’t have the proper checks and balances in place.

Case in Point: A company paying thousands per month for advertising/Google AdWords was growing their online business exponentially. Suddenly, sales started to trickle down to almost nil. At the same time, the company began receiving various reports of unauthorized credit card charges. After the company received notice from a local police department, I was retained by the Board to look into the matter.

Me: I have two questions for you – who handles the new customer inquiries? Who takes the payment information from the customers?

Him:  The same person – our General Manager.

After requesting a customer list and copies of emails reporting credit card fraud, I noticed a large discrepancy – those complaining of credit card fraud did not appear on the company’s client roster.  We soon determined that someone internally was taking customer orders and billing them directly, albeit under the company’s name.  While these customers believed they were being serviced by my client, in reality, their accounts were being diverted elsewhere and subsequently, their credit cards misused.

While we were hopeful that the police investigation would conclusively show the General Manager as the culprit here, it was later discovered that the company emails were set up such that passwords and terminals were used on a shared basis; this means that anyone could have facilitated this fraud under another person’s identity/account. To be sure, I then had PayPal account records subpoenaed. After waiting several weeks, what was ultimately sent were summary account statements that did not provide any level of specificity – not helpful at all.

After reviewing the evidence, the police determined there was not enough to convict any one individual and the investigation was closed. It was recommended, however, that the company file a civil suit where the burden of proof would be based on a “preponderance of evidence” – much lower than a criminal case, which requires “beyond a reasonable doubt.” Suffice it to say, by this time, the company was in financial ruins and unable to afford the cost of a civil lawsuit. The story ends like this: The thief got away, the company was ultimately responsible for the credit card theft (due to their lax security policies) and they have now ceased operations.

What can you do to prevent this tragedy from happening in your organization?

First and foremost, common sense would dictate that the practice of allowing the same person who takes orders to also process payment details exposes any company to risk. Without proper oversight and checks and balances in place, lax security procedures enable anyone lacking scruples to sabotage a business. Next, ensure employees/contractors do not share passwords or have access to one another’s passwords or computers – otherwise, fingers can be pointed such that no one person would appear to be responsible in the event of theft. Lastly, if you take customer orders via your website or an 800 number, record those calls and also be certain that there are several people that are copied on the email correspondence (e.g., send to in order to track the progress of the order and payment confirmations.

Advances in technology have made it easier for unscrupulous employees to steal customers and their information – whether changing payment instructions or even using a card skimmer — it is recommended that you implement tactics to prevent internal fraud:

  • Have more than one person reconcile your accounts, weekly rather than monthly.
  • Use or your bank to process online transactions so that employees do not get access to customer credit cards.
  • Check PayPal accounts or bank wiring details regularly (even if you are not concerned with employee theft, a website can potentially be hacked into and payments diverted).
  • Always secure your POS device.
  • Have a separate authorizer of credits from the one who onboards the customers.
  • Make sure all credits have accompanying internal documentation of customer information (name, contact information).
  • Conduct regular internal audits at random times and intervals.
  • Review any volume spikes in sales activities and reconcile with website traffic reports and 800 number call volume.
  • Protect your passwords and verify internal access controls for online account reporting, email address contacts and checking account change requests.

While an atmosphere of trust is essential for all businesses, protecting the financial stability of your company is just as important, if not more so. Hopefully, the suggestions I’ve outlined above will get you thinking about building a plan that will mitigate risk for your company. If you’d like further information or a consultation, please email me or leave a comment!


Employees vs. Independent Contractors and why it matters.

When starting a business and bringing staff on board, you must decide whether those individuals providing the services are employees or independent contractors. This post provides important information about how to classify your workforce and avoid costly penalties.

In my experience, many start-ups bring on initial staff as Independent Contractors – this way, they don’t have to withhold payroll taxes or provide benefits such as sick days or workers compensation. However, according to the Department of Labor, up to “30% of companies misclassify their workers” (see Statement by Deputy Secretary of Labor, Seth Harris, June 17, 2010); this results in billions of dollars of losses for the IRS so naturally they are now cracking down.

As of January 2013 when payroll taxes increased from 4.2% to 6.2%, a new level of scrutiny will be applied to companies to make sure they are properly classifying their workers. If you are later found to have misclassified an Employee as an Independent Contractor, the IRS can retroactively assess back payroll taxes and slap on penalties.

To be clear, Independent Contractors are generally those people you hire to complete a specific task or project; they work intermittently or on a temporary basis. Examples include accountants, lawyers, marketing consultants, trainers or outsourced developers. These people tend to work primarily from their own homes/offices and at their own hours and serve clients other than you. In other words, unlike with an Employee, you do not control the “when, where and how” of the work to be performed. For this reason, a company does not need to withhold taxes or provide benefits to Independent Contractors. At the end of the year, your company issues them an IRS Form 1099 reporting all the monies that were paid to each individual. It is the individuals’ responsibility to file returns and pay their own taxes for the amounts received.

Once you have set up an LLC or Corporation and start to bring on a workforce, follow the link below to review the IRS’s 20 Factor Test to find out whether someone should be classified as an Employee or Independent Contractor. If you think you have misclassified a worker — not to worry — as of 2011, the IRS began offering a Voluntary Classification Settlement Program to change the status of workers without penalty.  Click here for more information.

This is one area where you don’t want to procrastinate – a falling out with an outside contractor that leads to litigation can open up a can of legal worms. States are working more closely than ever with the IRS to ensure that they are not missing out on the additional 2% of flesh from each worker’s paycheck. For more information, check out the Forbes article, New Crackdown on Using Independent Contractors (Nov. 12, 2012).

Lastly to note, if you have determined that someone is legitimately an Independent Contractor, be sure to sign an agreement that obligates them to keep your information confidential, requires that they transfer rights to intellectual property and itemizes the work product they have committed to deliver (and you have agreed to pay for), to avoid any disputes down the line.

Any doubts or questions as to whether you are properly classifying your workforce? Feel free to email me or post your questions below.

Is there a topic you would like to see covered on BrillsonLaw? Would you like to be a guest blogger?  Email


