"Identity theft" is defined as "the criminal act of assuming the identity of another person with the expectation of gain." In addressing the prevention of identity theft, this paper focuses on organizations that collect, assemble, process, store, and retrieve information about individuals. Attention is given to the legal and moral responsibilities, risks, and related internal controls in the management of personal information on an organization's customers, employees, and other stakeholders. Following the documentation of identity theft as one of the most pervasive of the financial crimes, the authors outline some of the methods used to commit identity theft. A section then reviews selected laws that apply to identity theft. A discussion of civil liability for identity theft notes that victims are increasingly targeting third parties, including employers and other record-keepers, for failure to protect victims' personal information. It is therefore imperative that organizations which manage personal information evaluate their risks and controls for identity theft. Guidelines for enhancing manual controls recommend controlling the paper trail and destroying outdated records. Employee controls suggested are the institution of effective background checks, mandatory vacations, establishment of a hotline, and the development and enforcement of an information security and privacy policy. Computer controls include the prevention of unauthorized access, keeping identity data confidential, and controlling electronic data storage. Finally, the authors advise organizations to consider insurance as a risk-management tool. 64 references