As CCPA is poised to take effect, companies must ensure they don’t put personal information in the wrong hands
The lines between the digital and physical world are continuing to blur and companies need to be ready to differentiate the two. A 2018 Pew Research study found that 25% of Americans are online almost constantly, and 75% go online at least daily. Consumers are leaving behind an infinite digital trail of information—requesting a ride, sending money to a friend, opening a bank account, renting a vacation home and more—and this data can be used against them if it falls into the wrong hands.
The California Consumer Privacy Act (CCPA) goes into effect Jan. 1, 2020, and will be an unprecedented privacy law that grants California residents sweeping rights concerning the collection and use of their information. Once the law becomes effective, impacted businesses can expect a flurry of consumer requests, which may encompass information from Jan. 1, 2019, onward. But what if a criminal impersonates a consumer to request personal CCPA information from a company under false pretenses?
Companies that are bound by CCPA, based on their size or type of business, need to understand what information is regulated by this law. They also need to protect consumers’ personal information from getting into the wrong hands by thoroughly verifying the digital identity of the consumer requesting it, so that they aren’t enabling fraud.
What is the CCPA?
The CCPA affords California residents new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected. Among other protections, the CCPA gives consumers the right to request the deletion of personal information, opt out of the sale of personal information and access the information in a “readily usable format” that enables its transfer to third parties with ease.
Furthermore, this will have global ramifications for businesses, as the regulation impacts any business with a California customer, regardless of where the business is located. Come 2020, the CCPA will be the strictest data privacy law in the United States and will impose data privacy protections and requirements like those imposed by the EU’s GDPR. While this upcoming data privacy law will put power back into the hands of consumers when it comes to requesting personal information, it also puts more pressure on companies when sharing this information following a flood of requests.
Verifying Consumers Requesting Information
In today’s digital economy, businesses struggle to know if a consumer’s digital identity matches their physical identity when conducting business online. In the case of CCPA, how can the business be sure that the consumer who is requesting this personal data is the actual account owner?
This question is becoming more difficult to answer thanks to the rise of data breaches, the amount of personal information and passwords available on the Dark Web and the increase of account takeover attacks.
With more than 11 million records now exposed, account takeover has emerged as a popular form of online fraud involving fraudsters gaining unauthorized access to a user’s account. Large-scale data breaches, phishing and social engineering attacks have made it easier for fraudsters to assume the online identities of legitimate account owners by weaponizing stolen or exposed identities to take over additional accounts. This means that if a CCPA request is submitted through a password-protected account maintained with the business online, it could be requested by a fraudster through account takeover to gain access to even more personal information.
Businesses must ensure they do not inadvertently divulge personal information to cybercriminals. And traditional methods of authentication, including SMS-based two-factor authentication and knowledge-based authentication, are outdated and no longer reliable. Companies need to adopt innovative methods to ensure a person is who they claim to be online. Face-based biometric authentication is not only more convenient for consumers but also the most secure means of authentication available today. Face-based authentication dramatically reduces the risk of account takeover because it doesn’t rely on a username and password that may be easily accessible on the Dark Web for purchase. This type of authentication enables companies impacted by the CCPA to reliably authenticate CCPA requests and ensure information is only shared with legitimate customers—not bad actors posing as customers to secure personal information.
But biometric authentication is susceptible to “presentation attacks,” spoofing attempts that try to defeat a biometric verification in order to acquire someone else’s privileges or access rights. Attackers do this by using a photo, video or a different substitute for an authorized person’s face. That’s why leading authentication solutions also leverage liveness detection to defend against these types of attacks and ensure that the user is physically present when they’re authenticating.
Companies are now working against a six-month countdown to CCPA going live and need to have a digital identity verification strategy in place to ensure they aren’t giving out classified consumer privacy information to cybercriminals. If this doesn’t happen, cybercriminals will have another avenue to gain access to personal information when posing as someone else online. The scary part is that once an organization inadvertently surrenders personal information to a fraudster, it expands the consumer’s digital fraud footprint and makes it even easier for other criminals to append more of the consumer’s data in future attacks. Together, all this data empowers fraudsters to do even more damage, and there is no way to unexpose information that is shared on the Dark Web.