Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests. But how do you know that the person making the request is actually who they say they are? As we have previously noted on this blog, significant amounts of personal information are publicly available as a result of major data breaches, and that stolen data can be used to make fraudulent access requests. So, how can a company avoid turning a good-faith effort to comply with its GDPR or CCPA access rights obligations into a privacy violation by unknowingly providing the personal information of customer X to someone pretending to be customer X? A recent GDPR enforcement action in Germany, as well as guidance from German and California regulators, shows that companies must exercise diligence in making sure that they have properly authenticated the data subject who is making the access request.
The 1&1 Decision
On December 9, 2019, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) fined the telecommunications service provider, 1&1 Telecom GmbH EUR 9,550,000 (USD 10.7 million) for providing personal information to customers who called its call center and provided only a name and a date of birth. The BfDI considered such an authentication procedure to be in breach of Article 32 of the GDPR, which obliges the controller to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” when processing personal data. Specifically, the procedure lacked appropriate security against fraudulent access requests. BfDI deemed the fine necessary because, in its view, the infringing practice posed a risk to the entire customer base, any of whom might make use of the authentication hotline. 1&1 is appealing the decision.
Notably, the BfDI issued a fine against 1&1 without any evidence of any actual harm. This action, along with an October 30 decision by the German data protection authorities discussed in more detail here, demonstrates the increased enforcement against poor security practices that pose risks to personal data, even in the absence of concrete injury.
Authentication Under GDPR
Under Article 15 of the General Data Protection Regulation (“GDPR”) data subjects have a right to confirmation as to whether or not their personal data are being processed and, if so, the purposes of processing, the categories of personal data concerned, the recipients of the data, the length of data storage, and the sources of the personal data. The controller must respond to such a request from a data subject without undue delay and in any event within one month of receipt of the request. And while Recital 64 to the GDPR explains that a controller should use “all reasonable measures” to verify the identity of a data subject, when in doubt, a controller is entitled, and expected, under Article 12.6, to seek additional information to confirm the identity of a data subject requesting access.
Authentication Under CCPA
Pursuant to Cal. Civ. Code § 1798.100(a), a consumer has the right to request that a business that collects the consumer’s personal information disclose the categories and specific pieces of personal information the business has collected about that person. In addition, the consumer can request disclosure of the sources of the information regarding the consumer, and the categories of third parties with whom the information is shared. Cal. Civ. Code § 1798.110(a). A business that receives such a request has 45 days to respond to a verifiable consumer request upon receipt of the request, with the possibility to extend this period once for an additional 45 days, or it risks possible civil penalties for failure to respond. Cal. Civ. Code § 1798.100(d).
A business is not obligated to provide disclosure or delete the personal information of a consumer if the business cannot verify that the individual making the request is in fact that consumer, or a person duly authorized to act on the consumer’s behalf. Furthermore, under the proposed regulations released by the California Attorney General on October 10, 2019, if a business cannot verify a consumer making a request to disclose specific pieces of information, the business shall not disclose any specific pieces of information. These regulations further note that businesses should not disclose certain sensitive pieces of information in any circumstance, including a consumer’s Social Security number or driver’s license number.
Reasonable Authentication Procedures
To address the risk of fraudulent data access requests, regulators on both sides of the Atlantic have offered guidance on designing authentication programs that comply with legitimate access rights and avoid data leaks to fraudulent requesters. For example, the Bavarian State Commissioner for Data Protection (BayLfD) issued the following guidance in July 2019 on how public bodies should authenticate access requests:
- Compare the information provided by the data requester against existing contact information.
- Send personal data to verified return channels, such as a postal address the company has on file for the data subject.
- If the data subject and the company have previously communicated electronically using a secure authentication means, use the same means for making the access request application.
- When using a previously unknown email address, confirm the application using an already known address for that data subject.
- Use an existing piece of authenticating information (e.g., password, customer number, transaction number).
- Call the data subject at a known number to confirm the identity of the data subject.
- Depending on the importance of the application, conduct an interview with an in-person identification using an official identification document.
The California Attorney General’s proposed CCPA regulations released on October 10, 2019, offer similar guidance on authentication when complying with access requests:
- In determining the method by which the business will verify consumer requests, a business should consider:
- the type, sensitivity, and value of the personal information;
- the risk of harm to the consumer posed by any unauthorized access or deletion;
- the likelihood that fraudulent or malicious actors would seek the personal information;
- whether the personal information to be provided by the consumer to verify their identity is sufficiently robust;
- the manner in which the business interacts with the consumer; and
- available technology for verification.
- If the business maintains a password-protected account with the consumer, the business may use existing authentication practices for the account to verify the consumer’s identity.
- A business should verify a consumer’s identity to a reasonable degree of certainty—which may include:
- matching at least two reliable data points—to disclose categories of personal information or delete less sensitive personal information, and to a reasonably high degree of certainty; and
- matching at least three pieces of personal information and the receipt of a signed verification from the consumer—to disclose specific pieces of personal information or delete more sensitive personal information.
- Where the business cannot verify the consumer’s identity using personal information already collected from the consumer, the business should delete any new personal information collected for verification purposes as soon as practical after processing the consumer’s request.
With CCPA coming into effect on January 1, 2020, many U.S.-based companies will find themselves flooded with access requests, like those already inundating European businesses. To comply with the CCPA access request requirements, companies must develop a system agile enough to identify subject data and respond to requests within the statutory time limits, while also taking reasonable steps to authenticate requesters. Consistent with the recent guidance discussed above, to meet these requirements, companies should leverage existing authentication mechanisms and use more rigorous methods when the requests involve more sensitive data.
This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.