BOSTON—The California Consumer Privacy Act (CCPA) is a bold new attempt to protect consumer privacy. But despite its good intentions, the CCPA may actually expose consumers to a new and damaging type of data theft, as Womble Bond Dickinson attorney Peter McLaughlin and Socure Privacy Officer Annie Bai write in a new Privacy Perspectives article.
The problem, according to McLaughlin and Bai, is that the CCPA requires requests for access and deletion to be “verified.” However, the law does not define what “verified” means—and that is problematic.
“So, similar to what we’ve seen for the EU General Data Protection Regulation, companies will be taking on a range of low-tech solutions to satisfy the verification requirement. Current concerns center on responding to requestors invoking their privacy rights — without a serious contemplation of what it is to respond to a right to access or delete to an imposter,” they write. “Those who have been in this space for a while will recall the 2004 ChoicePoint breach in which the data aggregation company inadequately screened its customers such that identity thieves were able to set up fake businesses as a way to buy personal information.”
McLaughlin and Bai see a scenario in which cyber criminals forge or steal documents in order to become “verified,” thus giving them access to customer information.
“It is a new door for improper data access — not a back door, but an actual, legit front door — for fraudsters to obtain all manner of valuable personal information,” they write.
Privacy Perspectives is a publication of the International Association of Privacy Professionals (IAPP). The article, “Why the CCPA's 'verified consumer request' is a business risk,” appears in Privacy Perspectives and ranked #2 on IAPP’s list of most-read privacy articles for the week of Aug. 12.
McLaughlin’s recent article, “Is Insurance Coverage for Cyber Claims Barred by a War Exclusion?”, appears in The Privacy Advisor.
Peter McLaughlin is a Privacy & Data Security attorney who advises clients with respect to a broad range of technology transactions, privacy and security issues. While maintaining a broad privacy practice, McLaughlin focuses on innovative uses of data, especially with the life sciences and digital health sectors. He also guides clients in their domestic and international handling of personal information; new product development; and the assessment of legally defensible cybersecurity programs.