CCPA Fines, Fraud, and Fragmented Data
Read the full article on Forbes.com
On July 1, companies doing business in California became liable for following the California Consumer Privacy Act (CCPA), the most comprehensive privacy law in the country. The CCPA gives consumers in California new rights over their personal information collected by businesses.
Because California is such an important market — the fifth-largest economy in the world — doing business in the U.S. usually involves doing business in California. For most companies, it’s more efficient to extend the same rights to all U.S. residents than it is to try to distinguish between Californians and residents of other states.
In addition to the benefits the CCPA provides consumers, it raises challenges for businesses. Two risks, in particular, should not be taken lightly:
- The CCPA opens the door for fraudsters to acquire sensitive consumer data. Companies without a reliable way to authenticate the people making CCPA requests could inadvertently give criminals the opportunity to acquire sensitive personal information, enabling account takeover fraud or other forms of abuse, such as stalking.*
- Businesses are at risk of noncompliance due to fragmented and siloed data. A business might satisfy a consumer's initial CCPA data deletion request but unknowingly neglect to consider incomplete records or records that may not match exactly — for example, due to a name change or to a data entry error that results in multiple files on the same customer.
Both of these risks also give rise to reputational risk. No company wants to make headlines for handing over personal information to fraudsters, or for being on the receiving end of a major fine or class-action lawsuit for failing to adhere to privacy regulations.
How can a business avoid costly missteps and ensure that it is able to completely — and securely — fulfill valid consumer requests? The following are two best practices that can help prevent key compliance failures.
Strong identity verification must be the first step in handling every request. A business can integrate any of several solutions or methods to validate that the person requesting the customer information is, in fact, the customer. Verifying the identity of requesters reduces the risk of fraudsters gaining access to sensitive consumer information.
Complete Identity Resolution must become a prioritized, continuous process to keep up with frequent changes to consumer information (names, addresses, accounts, etc.). Customer relationship management systems aren’t up to this task on their own, because they often do not communicate with older datasets to remedy out-of-date information.
Organizations that implement these best practices will significantly mitigate the risks of fraud and noncompliance — and the related risks to brand reputation — and respond to their customers' CCPA requests with confidence. These processes and system improvements will have a positive impact on customer experience and brand trust not only in the immediate CCPA context, but also beyond.
* Security researchers found “a large proportion of organizations [subject to the EU’s General Data Protection Regulation (GDPR)] inadequately verify the originating identity behind right of access requests and that, as a result, deeply sensitive information can be acquired in a repeatable and scalable manner by social engineers.” Source: https://i.blackhat.com/USA-19/Thursday/us-19-Pavur-GDPArrrrr-Using-Privacy-Laws-To-Steal-Identities-wp.pdf