CCPA takes effect on January 1, 2020, with Attorney General enforcement and its steep civil penalties beginning July 1 of the same year; the law also gives consumers a private right of action, including class actions, for data breaches.
Unfortunately, businesses should expect an uptick in unauthorized, spoofed, and fraudulent requests for personally identifiable information (PII), particularly while companies scramble to implement identity verification (IDV) procedures that comply with CCPA regulations.
Fraudsters adjust their playbooks quickly whenever the online landscape changes, and CCPA is unlikely to be any different.
The unintended security consequence of CCPA is that a request for a consumer's data is itself an attack surface: a weak verification step turns the right of access into a way to extract someone else's PII. Implementing advanced fraud prevention tools helps companies close that gap before fraudsters exploit it.
California’s new consumer privacy regulations are a result of the state addressing the aggressive use of private data by advertisers without consumer knowledge or consent. CCPA grants consumers several specific rights regarding their digital identity. Under CCPA, consumers can:
- Find out what personal information a company has collected on them
- Know whether their personal information has been sold or disclosed and to whom
- Tell an organization not to sell their personal information
- Access their personal information
- Request that a company delete their personal information
The law also stipulates that companies cannot penalize consumers who exercise their privacy rights by restricting access to services or raising prices.
What's important to bear in mind, however, is that when a consumer submits a request for their data (CCPA calls this a verifiable consumer request [VCR]; GDPR practitioners know the equivalent as a subject rights request or subject access request), the responding organization must first verify that person's identity.
Handing over personal information to someone who isn't who they claim to be compromises PII, increases the risk of downstream fraud such as account takeover, harms customer relationships and brand trust, and can ultimately result in major fines, penalties, and lawsuits.
What makes the identity verification process more complex is that CCPA regulations prohibit companies from requiring individuals to create a password-protected online account just to submit a VCR. Organizations must also offer at least two different VCR submission methods, such as an online form, a toll-free phone number, or an in-store form, chosen according to how the business primarily interacts with its customers. In practice this means verification cannot lean on an existing login session; it has to work for an unauthenticated requester arriving through any of those channels.
Any organizations that haven’t put much effort into their identity verification procedures in the past need to work quickly to implement CCPA-compliant solutions before 2019 comes to a close.
Although CCPA regulations differ somewhat from the specifics of GDPR, US companies should pay close attention to indicators of fraud risk that appeared after GDPR was put into place in Europe.
GDPR was widely anticipated, but research suggests that many organizations were underprepared for the influx of consumer information requests they received.
James Pavur, an Oxford University researcher, put these shortcomings into high relief with a study he conducted with security consultant Casey Knerr and presented at Black Hat USA 2019. Pavur and Knerr designed their study to investigate how fraudsters skilled in social engineering could exploit the weak identity verification most companies relied on after GDPR went into effect.
When the results of the study were analyzed, Pavur and Knerr identified several concerning trends:
- Of the 150 companies involved in the study, 72 responded to fraudulent requests for consumer data.
- 83 of the 150 companies confirmed to an unverified individual that they held information about the consumer, itself a disclosure that an account exists.
- 24 percent of the companies contacted released personal information to an individual who provided only an email address and phone number as proof of identity.
- 16 percent of the companies attempted to authenticate the individual's identity with information that is easily forged.
This failure to adequately authenticate identities in the wake of GDPR, whether due to time constraints, lack of knowledge, or insufficient process training, signals a high likelihood that fraudsters can and will exploit companies that are not fully prepared for CCPA.
CCPA is already on the books in California but is not yet in effect; it becomes operative on January 1, and the likelihood is high that similar privacy legislation will follow at the national level.
Companies that haven't already started to prepare are late to the game, and to add a layer of complexity, there is no magic, one-size-fits-all compliance solution.
Depending on how a given organization is structured, CCPA compliance may mean authenticating identities in person, online, over the phone, via mobile devices, or with some combination of verification methods.
IDology's analysis puts the number of potential combinations at over 800. An email address and phone number, the very data points the GDPR study showed many companies accepting, are not sufficient proof of identity in all cases, and the penalty, both in expense and in company reputation, is very high.
When companies rely on third-party identity authentication services to handle their verification needs, company leaders are free to focus on the other parts of their business and of the CCPA statute, though the obligation to verify, and the liability for releasing data to the wrong person, remain with the business itself.
VCRs must be handled promptly and with care. CCPA compliance is not optional, and it isn't something to develop by trial and error.
In today's digital age, a company's security practice is no longer a hidden, behind-the-scenes part of the business; it is part of the organization's brand, and it must be protected.
Organizations that use an established identity authentication service can protect that reputation by complying with CCPA regulations rapidly and with minimal disruption to everyday business functions.
Photo credit: © momius - stock.adobe.com