Privacy Law – How Do You Verify the Identity of a Data Requestor?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and will go into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  Whether or not your practice involves regular questions of Privacy Law, your clients may be asking you about the CCPA.  By keeping data minimization objectives in mind and not over-thinking compliance obligations, verifying the identity of a data requestor may be straight-forward.

 

The ability to control how one’s data is used is a cornerstone of the CCPA. However, this puts a burden on a business to ensure that only a “verified” consumer accesses the requested data and avoid fraudulent requests. To access or delete information, a consumer must submit a “verifiable consumer request.” While the term implies that a business must take steps to “verify” the individual making the request, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification.

 

With little to go on, a business might be tempted to act over-cautiously and require more information than is actually necessary to verify identity.   With data minimization principles in mind, it is important to recognize privacy risks to avoid.  Don’t over-reach; avoid obtaining more sensitive or potentially harmful information than is necessary to complete the request.  Also, avoid asking for sensitive documents such as a passport.

 

A good rule of thumb is try to use the same method that was used to gather the data in first place. For example, your client operates a consumer website featuring information and users are required to provide a username and password to register with the site. Ask the requestor to provide a username and password to verify. If two-factor authentication was used, then challenge that requestor using the same method. Don’t ask for a driver’s license.

 

If a client is asking for additional resources on how to implement policies and procedures, it is useful to look to industry-standard references, such as  NIST. A good (but technical) explanation Guidelines on verifying identity.  If this is too technical, a client should work with a consultant who can explain the framework. One valuable upside is that if a business is required to respond to a regulator or litigant, the business can point to use of the industry standard as reasonable basis for compliance efforts.

 

Are you tasked with advising a client how to craft a CCPA policy or procedure? There is no requirement that companies create a written policy for processing requests. If a company chooses to create an internal policy or procedure for handling data access and deletion requests, the following four topics are relevant:

 

  1. Data subject verification. Before taking any action, a company should verify that the individual that submitted the request is the individual to whom the data belongs. Verifying identity depends upon the type of data maintained. Remember, if the requestor signed up with a username and password, use this to verify.

 

  1. Communications. A business must respond to a requestor, even if the request is a denial. To streamline a timely response, a company may choose to create template communications and procedures.

 

  1. Evaluating the request. The right to be forgotten is not an absolute right. Some companies choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure. If refused: Reply with a reason and provide options: regulator, court?

 

  1. Completing a Request. Upon verification of the identity of a requestor and a determination that a deletion request should be granted, a business can include instructions for technical steps that should be taken in order to erase an requestor’s information.

 

For clients implementing processes and procedures to respond to individuals who invoke their rights under the CCPA, meeting the requirement to verify the requestor’s identity (and reduce the risk of complying with a fraudulent request) can present a risk. However, with data minimization objectives in mind, using verification methods that make sense in the context of the requestor’s data, may reduce some of the burden of verifying the identity of a data requestor.

 

FOR EDUCATIONAL PURPOSES ONLY. NOT LEGAL ADVICE.

Three Things I Learned About Personal Cybersecurity At RSAConference That You Should Be Doing Right Now

Image representing CloudFlare as depicted in C...
Image via CrunchBase

I just returned from RSAConference 2013 where I had the privilege and honor of giving a presentation of the legal risks caused by social media in the workplace. As a speaker-attendee, I had the priceless benefit of access to all the other speakers and programs held during the conference.

One such program I attended was “We Were Hacked: Here’s What You Should Know”. The speakers, Matthew Prince (@eastdakota) CEO of CloudFlare, and Mat Honan (@mat) writer for Wired Magazine, shared their common experience as targets of high profile hacks. Hearing the details from them first hand, including information from interviews with the hackers themselves, I learned how easy it is to be the victim of hacking and how it’s the little things that create exploitable seams in our information security barriers.

Rather than rewrite their stories, I thought I would share three simple lessons I learned that I’ve already implemented and you should too. Besides, Matt does a better job telling his own story which can be found here.

Here are the three things I learned about how you can protect yourself and others in your organization.

First, security attacks go after the “low hanging fruit” and that often means figuring out a way to exploit your personal email address. With so many web-based services and so much login information to remember, many of us use our personal email as our username for everything from the web sites on which we comment, to our online photo gallery, to our online banking service. Unfortunately, this is probably the address we use for password recovery if we forget. Given that our digital lives are easily mapped, hackers already have one piece of the two-piece login puzzle: they know your user name.

TIP NO. 1: Use a private, obscure email address for your more sensitive information.

Second, once a hacker has accessed your accounts, your computer and your files, the fun has just begun for them. As Matt Honan described, these often adolescent script kiddies simply don’t understand the value of your stored memories and other information. In his case, all the photos of his children were permanently deleted. Regardless of a hacker attack, stuff happens and you don’t want to lose everything because you we’re too lazy to back up.

TIP NO. 2: Back Up your digital life, early and often.

Third, today’s’ Internet is an interdependent ecosystem. Just because you or your organization takes security seriously, doesn’t mean that other do as well. Your internal systems are not enough. Like it or not, the seams of your security perimeter are intertwined and permeated by the services and systems of customers and vendors. For most consumers, the there is a Hobbesian choice of Security v. Convenience. Multiple login usernames and super long passwords are difficult to remember and tedious to use. As a result, most people choose the least secure means of authentication on the assumption that using astringent password is enough. Unfortunately, some people don’t even bothers with that. A recent ZoneAlarm study found that “password” was the fourth most commonly used password by consumers.

Google, Facebook and others have started using two-factor authentication. Two-factor authentication requires that one enter a code after entering the username/password combo. The code is sent via, text message, voice call or email. This greatly reduces the chances of unauthorized access because hackers would need to have your phone, in addition to your username/password combo.

TIP NO. 3: Whenever possible enable two-factor authentication.

Please understand that there is no “magic bullet” when it comes to Cybersecurity. Taking these precautions does not guarantee that you won’t be attached or that your account information won’t be accessed. However, these are important and easy steps that you can take to improve your personal data security.

Please comment and follow!

 

Evidentiary Authentication of Social Media Data

Although courts have called the Internet “one large catalyst for rumor, innuendo, and misinformation,” nevertheless, it provides large amounts of evidence that may be relevant to litigation matters. Increasingly, courts are facing presentation of, and challenges to, data preserved from various websites. According to a survey conducted by the X1ediscovery blog, there are over 320 published cases involving social media/web data in the first half of 2012.

Evidentiary authentication of web-based data, whether it’s Internet site data available through browsers, or social media data derived from APIs or user credentials, presents challenges. Given the growing importance of social media posts and data, businesses should be prepared to offer foundational evidence to authenticate any posts that are vital to a case.

Authentication of social media and web data is a relatively novel issue for many courts. Courts have been extremely strict in applying foundation requirements due to the ease of creating a profile or posting while masquerading as someone else. Therefore it is important to go beyond the surface of a social media profile or a post to provide the foundation necessary to authenticate what he evidence for use in court.

Regardless of the type of data, it must be authenticated in all cases. The authentication standard is found in Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

The foundational requirement of authentication is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims. See US v. Tank, 200 F. 3d 627, 630 (9th Circuit 2000) (citing Fed.R.Evid. 901(a)). This burden is met when “sufficient proof has been introduced so that a reasonable juror could find in favor of authenticity.” This burden was met where the producer of chat room web logs explained how he created the logs with his computer and stated that the printouts appeared to be accurate representations. Additionally, the government established the connection between the defendant and the chat room log printouts based on IP addresses.

See also, Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154, and Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing additional elements of “circumstantial indicia” for authentication of electronic evidence).

Clearly, there is an emerging trend in the use of social media and web data as evidence. As the use of this type of evidence increases, so too will the consistency and predictability of the foundational matters required by courts. Thus, businesses are well advised to include web collection and social media support in the investigation process so they are prepared to offer the necessary foundational evidence to authenticate any social media posts that may be vital to a case.

20120809-214100.jpg