New consumer privacy laws and innovative fraudsters have given security professionals much to do in a supercharged digital economy. As our digital footprints widen, bad actors are finding increasingly sophisticated ways to access troves of personal information and sensitive data.
Globally, lawmakers are introducing privacy laws with the intention of empowering consumers to know which companies have collected their data and for what purposes. However, regulations meant to protect consumers can be exploited by bad actors to commit identity theft and other types of fraud.
The compliance challenge
An example of privacy legislation in the United States is the California Consumer Privacy Act (CCPA). The CCPA was passed in June 2018 and, in a nutshell, allows any consumer to demand to see all the information a company has saved on them, including which third parties may have access to their data.
Companies are supposed to support consumer-initiated data subject requests (DSRs), which, when managed properly, adhere to the original principle of the legislation: putting the consumer back in control of their information. The legislation is also based on a principle of "data minimization", that is, avoiding the collection of extraneous information on customers and using data only for its intended purpose.
CCPA is patterned after the European Union's General Data Protection Regulation (GDPR), legislation that requires businesses to secure the personal data and privacy of European citizens for any transaction that takes place within its member states.
As expected, other regions are following suit and passing similar legislation. Colorado has become the third state to enact data privacy rules, the Colorado Protection Act (CPA), which will come into effect in 2023.
Soon, it will be a core business practice to allow consumers to access, amend and request deletion of their data around the world. Security leaders preparing to comply with these privacy laws must also consider some corresponding threats.
When poorly administered, processing DSRs can become a vector for fraud, specifically identity theft. Imagine a fraudster goes online to a large eCommerce site or bank and submits a DSR purporting to be Johnathon Doe, a genuine resident of 1234 Main Street, Los Angeles, CA. In processing the request, the unsuspecting retailer or bank might not verify or authenticate the identity before releasing Johnathon's data, thereby providing the fraudster with sensitive information that could be used to commit other crimes.
The identity challenge
Becoming CCPA-compliant is complex. A company must provide a consumer-facing portal to submit DSRs. Each request triggers a search for all personal data corresponding to the subject of the request. The data is compiled into a report that is provided to the consumer, who may then ask the organization to correct or delete certain data. The enterprise must then confirm that the follow-up request has been completed. The entire process must be secure and must generate an audit trail to demonstrate compliance.
Most companies have turned to third-party platforms to meet each of these requirements. Crucially, companies must pair their CCPA-compliance procedures with proper identity verification steps to prevent unauthorized access to a consumer's personal information. Several new, powerful technologies now focus on helping companies meet these needs in a manner that is both safe and convenient for consumers.
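As an added illustration (not code from the article or from any vendor platform), here is a minimal Python model of the DSR workflow just described, with the identity-verification gate the article calls for and an audit trail; it refuses to release a report while a request is unverified, which is the failure mode in the Johnathon Doe scenario. The subject ids, verification method names and sample records are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Request states: "submitted" (portal intake) -> "verified" | "rejected" -> "fulfilled"

@dataclass
class DSR:
    request_id: str
    claimed_subject: str          # who the requester says they are
    action: str                   # "access" or "delete"
    state: str = "submitted"
    audit: list = field(default_factory=list)   # the compliance audit trail

    def log(self, event: str, **details) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details})


class DSRService:
    """Release or delete a subject's data only after a recorded identity verification."""

    def __init__(self, records: dict):
        self.records = records    # subject id -> personal data the business holds
        self.requests: dict = {}

    def submit(self, request_id: str, claimed_subject: str, action: str) -> DSR:
        dsr = DSR(request_id, claimed_subject, action)
        dsr.log("submitted", subject=claimed_subject, action=action)
        self.requests[request_id] = dsr
        return dsr

    def record_verification(self, request_id: str, passed: bool, method: str) -> None:
        # Outcome of the identity check, e.g. a code sent to the contact details on file.
        dsr = self.requests[request_id]
        dsr.state = "verified" if passed else "rejected"
        dsr.log("verification", passed=passed, method=method)

    def fulfill(self, request_id: str) -> dict:
        dsr = self.requests[request_id]
        if dsr.state != "verified":           # the gate that stops an unverified release
            dsr.log("denied", state=dsr.state)
            raise PermissionError(f"request {request_id}: identity not verified")
        data = dict(self.records.get(dsr.claimed_subject, {}))   # the report
        if dsr.action == "delete":
            self.records.pop(dsr.claimed_subject, None)
        dsr.state = "fulfilled"
        dsr.log("fulfilled", action=dsr.action, fields=sorted(data))
        return data


# Constructed sample records for the article's Johnathon Doe scenario (not real data).
SAMPLE_RECORDS = {"johnathon.doe": {"address": "1234 Main Street, Los Angeles, CA",
                                    "email": "jdoe@example.com", "orders": 3}}
```

Every transition is appended to `audit`, so a denied release, a failed verification and a completed deletion all leave evidence for an auditor.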
Security professionals have allies in their compliance and risk-management objectives. Instead of homegrown solutions, risk managers can turn to industry specialists offering technologies built to meet challenging privacy requirements and identity-related threats.
Another growing threat troubling security departments is the emergence of synthetic identity fraud, the creation of a fictitious identity. Fraudsters build synthetic identities, sometimes using entirely fake data and other times borrowing an element or two from a legitimate person. For example, there are many individuals legitimately named Michael Jordan, as well as hundreds of fictitious identities with that name and fake Social Security Numbers, email addresses, phone numbers and dates of birth.
Committing identity theft is inconvenient for fraudsters because victims will complain about a fraudulent credit card charge or a new account opened using their legitimate personal information. When a synthetic identity is used to take out a loan or to rent a car, there is typically no individual victim to raise the alarm, and the defrauded lender is none the wiser.
Identity verification providers can mitigate the growing threat of synthetic identity fraud around the world. Risk managers can avoid the challenge of finding disparate data sources in every jurisdiction where their company operates.
Solutions can be easy
While regulators continue to tip control of personal data into the hands of consumers, fraudsters will create ever more ingenious schemes to exploit vulnerabilities, so investing in technology tools to keep them out is mandatory. Rolling out a strategic identity verification program can help companies comply with consumer privacy regulations and collect and handle sensitive data responsibly and securely.
The repercussions of subpar data collection and identity verification processes are grave: not only are there steep fines for non-compliance, but security breaches or lapses in protecting identities also erode consumer trust and loyalty.
The reality is that technology is evolving at a fast pace and fraudsters are keeping up. Those who don’t prepare now and partner with the right solutions provider will certainly face even bigger challenges in the near future as the world increasingly becomes more digital.
This article first appeared in Security Magazine.