How to securely comply with rising CCPA rights requests amid COVID-19
As California Consumer Privacy Act (CCPA) enforcement officially started July 1, affected enterprises (based on size, California customer base and business type) can no longer delay complying with the new law. CCPA grants California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected.
A June 2020 survey found that more than 20 percent of organizations were somewhat unlikely or very unlikely to be fully compliant with CCPA by July 1, or didn't know if they would be. With only 14 percent of respondents CCPA compliant and nearly one-third of organizations just starting to plan for CCPA, enterprises need to prepare for enforcement sooner rather than later to uphold the rights of California consumers and avoid non-compliance penalties, which can reach up to $7,500 per violation.
COVID-19 Spurs IT Challenges and Rights Requests Amid CCPA Enforcement
However, this enforcement deadline comes as the COVID-19 pandemic has swept the globe, drastically changing IT priorities as employees are forced to work remotely and business has shifted online. A recent survey of 1,000 IT professionals found that technology priorities have changed within 95 percent of organizations during the pandemic, with 88 percent of technologists reporting that digital customer experience is now the priority. On top of this, IT professionals are under tremendous pressure to ensure applications and infrastructure remain secure across the new remote workforce with tightened budgets and limited resources.
Despite these new challenges, 56 percent of data privacy professionals expect to see an increase in CCPA rights requests amid the pandemic, putting even more pressure on an enterprise’s strapped IT department. Currently, 51 percent of companies are receiving more than 10 requests a week, and 20 percent are receiving more than 100 requests a week (source: Truyo, April 2020). As operations have shifted online, it can be increasingly challenging to verify that the person making the rights requests is in fact the true account owner and not a cybercriminal looking to steal personal data, putting companies at an increased risk of being victimized by fraud while complying with CCPA. As California consumers are trusting enterprises with disclosing, deleting, and collecting their personal data, these enterprises must maintain this trust by keeping personal data out of the wrong hands.
Under the law, consumers have the right to pursue lawsuits if their data is exposed, with statutory damages ranging from $100 to $750 per consumer per incident, or the cost of actual damages caused by a data breach, whichever is more.
The Need for Digital Identity Verification
Passwords, Social Security numbers, credit card details, home addresses, email addresses, usernames, medical records and full names can be easily accessed on the dark web as this information is often exposed in data breaches and through phishing attacks. Once fraudsters purchase this information (for anywhere from $1 to $2,000 depending on the amount of data within each record), it’s easy to access accounts in order to obtain user benefits (e.g., insurance benefits, subscription access), change passwords to lock the real user out, make fraudulent purchases and even transfer funds. Using a password-protected account to submit a CCPA rights request makes it impossible to know if the requester is the account owner or a fraudster accessing the account with exposed, purchased data from the dark web. If enterprises do not have proper identity verification tools in place to confirm the user logging in is the person they claim to be, businesses can share personal data with a fraudster without even realizing it, subjecting them to compliance fees, lawsuits, and ultimately, loss of trust from their customers.
To maintain this trust while securely complying with CCPA, organizations must be able to verify a user’s digital identity with each rights request. If a user can set up an account with simply a name, phone number and email address, anyone with this information can submit a CCPA rights request, not just the account owner. Biometric authentication (leveraging a person’s unique human traits to verify identity) is the most reliable way to ensure data is shared securely. By requiring a user to submit a photo of a government-issued ID and a real-time selfie when opening an online account (to confirm the two photos match), along with a corroborating selfie each time they log in and make a request, organizations can confirm the person making the request is the true account owner. This authentication method is much more secure than passwords and even SMS-based two-factor authentication, and it is more convenient for consumers.
Looking to the Future
As other states are likely to follow in California’s footsteps in creating similar consumer privacy laws, enterprises would be wise to adopt digital identity verification solutions that offer data security, transparency and retention policies that comply with CCPA. With expanded rights come expanded enterprise responsibilities, and organizations must retain consumer trust to protect both their business and their consumers.
Robert E. Prigge is CEO of Jumio. He is responsible for all aspects of Jumio’s business and strategy. Specializing in security and enterprise business, he held C-level or senior management positions at Infrascale, Secure Computing, McAfee, Quest Software, Sterling Commerce and IBM.