What would you do if someone was trying to steal your personal data using data privacy protection laws—which are meant to protect people’s personal information—in a novel, but nefarious way? 

Without robust identity verification steps when processing a person’s request for data access, companies can unwittingly disclose their sensitive information to the wrong people.

Verifying consumer identities to process data privacy requests

Identity verification was recognized as a major weakness in the data subject or consumer request process put forth by some data privacy laws to give people access to the personally identifiable information (PII) that companies hold on them. 

The International Association of Privacy Professionals (IAPP), the world’s largest global information privacy community, called out the problems associated with identity verification on page 28 of its recently released Privacy Tech Vendor Report on April 15, 2020.

In California, the attorney general has proposed amendments to Article 4 of the California Consumer Privacy Act (CCPA) regulations to strengthen identity verification protections when processing people’s requests to access, port, or delete their personal data. The proposed regulation stipulates that:

“Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.” 

- CCPA, Article 4. Verification of Request, 999.323. b.1

One solution: Outsource identity verification

Last year, I attended my first IAPP conference (Privacy. Security. Risk. 2019), and walked the vendor booth floor asking the C-suite of several data privacy management software vendors this question: How do you conduct identity verification prior to processing a data subject or consumer access request?

The most common answer was to outsource it to a third-party vendor. 

So we created a new category on G2.com: identity verification software, which can verify identities using a number of different approaches, including photo-based identity documents, biometric data like live selfies, and verification checks against known identity libraries, such as public records. 

But do companies really want to buy another software license to achieve identity verification? Are their users even willing to provide more personal data, like a photo of a driver's license or passport (copies of which can easily be obtained on black markets) to get access to the sensitive personal data that the company holds on them? 

And are companies even willing to bear the risks of storing a person’s additional sensitive data?

Another solution: Use the company’s own data to verify the identity of the person

A new approach to solving this problem is using the data the company already has on the individual to verify their identity. It’s a novel idea which requires no additional licenses to achieve. Data privacy management vendor, DataGrail, provides an example of this novel identity verification method with their Smart Verification, as noted in an April 2020 press release.

In the case of an unsuccessful identity verification scenario, a hacker or unauthorized person would be unable to proceed at one of the three steps mentioned above.

This scenario is particularly useful in cases where the person requesting access to their data does not have a user account with the company.

If you have user accounts, CIAM is an option

The CCPA allows companies to use existing password-protected accounts to process requests for access, porting, or deletion. 

“If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account, provided that the business follows the requirements in section 999.323. The business shall also require a consumer to re-authenticate themselves before disclosing or deleting the consumer’s data.” 

- CCPA, Article 4. Verification of Request, 999.324. a

Companies that have customer-facing self-service user accounts can imbed data access or consumer request forms to access their sensitive data directly within the user account’s applications. To provide a seamless yet secure method of user identity authentication, companies can use customer identity and access management (CIAM) software.

CIAM tools help companies authenticate and manage customer identities and preferences such as consent or contact preferences at large scale. Many CIAM solutions provide advanced multi-factor authentication features such as push notifications on mobile devices, biometrics, or QR codes for authentication, which are considered more secure than one-time passcodes sent to email accounts or via SMS. The latest feature enabled on some CIAM tools is passwordless authentication, which greatly improves security for the company who now no longer have to store passwords. This reduces friction for the end user who can now enjoy an improved customer experience.

Identity is the missing link in the trust ecosystem

The “Trust Ecosystem” is often referred to as a three-legged stool composed of security, privacy, and compliance. To make that stool even more secure, however, companies are adding an additional “leg” called identity.

Given the monetary value data privacy regulations have placed on sensitive and personally identifiable data, ensuring this data stays in the right hands by verifying and authenticating identities is now more important than ever. We can expect to see an increasing number of identity companies getting involved in privacy solutions and vice-versa, especially regarding user consent management.