Skip to content

The Glaring Problem with Verifying Consumer Identities

May 28, 2020

What would you do if someone was trying to steal your personal data using data privacy protection laws—which are meant to protect people’s personal information—in a novel, but nefarious way? 

Without robust identity verification steps when processing a person’s request for data access, companies can unwittingly disclose their sensitive information to the wrong people.

Verifying consumer identities to process data privacy requests

Identity verification was recognized as a major weakness in the data subject or consumer request process put forth by some data privacy laws to give people access to the personally identifiable information (PII) that companies hold on them. 

The International Association of Privacy Professionals (IAPP), the world’s largest global information privacy community, called out the problems associated with identity verification on page 28 of its recently released Privacy Tech Vendor Report on April 15, 2020.

In California, the attorney general has proposed amendments to Article 4 of the California Consumer Privacy Act (CCPA) regulations to strengthen identity verification protections when processing people’s requests to access, port, or delete their personal data. The proposed regulation stipulates that:

“Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.” 

- CCPA, Article 4. Verification of Request, 999.323. b.1

One solution: Outsource identity verification

Last year, I attended my first IAPP conference (Privacy. Security. Risk. 2019), and walked the vendor booth floor asking the C-suite of several data privacy management software vendors this question: How do you conduct identity verification prior to processing a data subject or consumer access request?

The most common answer was to outsource it to a third-party vendor. 

Related: A Complete Guide to Data Privacy Management

So we created a new category on identity verification software, which can verify identities using a number of different approaches, including photo-based identity documents, biometric data like live selfies, and verification checks against known identity libraries, such as public records. 

But do companies really want to buy another software license to achieve identity verification? Are their users even willing to provide more personal data, like a photo of a driver's license or passport (copies of which can easily be obtained on black markets) to get access to the sensitive personal data that the company holds on them? 

And are companies even willing to bear the risks of storing a person’s additional sensitive data?

Another solution: Use the company’s own data to verify the identity of the person

A new approach to solving this problem is using the data the company already has on the individual to verify their identity. It’s a novel idea which requires no additional licenses to achieve. Data privacy management vendor, DataGrail, provides an example of this novel identity verification method with their Smart Verification, as noted in an April 2020 press release.

A typical, successful identity verification scenario using a company’s own data could look like this:
  • A person fills out a data subject access request (DSAR) form requesting a copy of their data.
  • The company sends them an automated email with a link to verify that they have access to the email account they provided on the DSAR form.
  • Using the link, the company now presents the user with the phone number(s) the company has on file. They have to designate a phone number to receive a SMS text with a code, or a phone call with a voiced verification code. At this step, the requestor cannot provide any other phone numbers to receive these confirmation codes; only the phone numbers the company has on file can be used.
  • Upon getting the SMS or voice call and entering the code on the website, they are finally presented with a knowledge challenge question. This could be something the company knows about the user, such as, “What was the item number of the product you last ordered from our company?”
  • When they successfully answer the knowledge challenge question, their identity is considered "verified" by three different methods (the email link, the SMS or voice code, and the knowledge challenge question), and processing their data subject or consumer request can proceed.
Related: How to Authenticate Remote Workers in a Zero Trust Security Model

In the case of an unsuccessful identity verification scenario, a hacker or unauthorized person would be unable to proceed at one of the three steps mentioned above.

This scenario is particularly useful in cases where the person requesting access to their data does not have a user account with the company.

Data Privacy Software ➜

If you have user accounts, CIAM is an option

The CCPA allows companies to use existing password-protected accounts to process requests for access, porting, or deletion. 

“If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account, provided that the business follows the requirements in section 999.323. The business shall also require a consumer to re-authenticate themselves before disclosing or deleting the consumer’s data.” 

- CCPA, Article 4. Verification of Request, 999.324. a

Companies that have customer-facing self-service user accounts can imbed data access or consumer request forms to access their sensitive data directly within the user account’s applications. To provide a seamless yet secure method of user identity authentication, companies can use customer identity and access management (CIAM) software.

CIAM tools help companies authenticate and manage customer identities and preferences such as consent or contact preferences at large scale. Many CIAM solutions provide advanced multi-factor authentication features such as push notifications on mobile devices, biometrics, or QR codes for authentication, which are considered more secure than one-time passcodes sent to email accounts or via SMS. The latest feature enabled on some CIAM tools is passwordless authentication, which greatly improves security for the company who now no longer have to store passwords. This reduces friction for the end user who can now enjoy an improved customer experience.

Related: The Ultimate Guide to Passwordless Authentication

Identity is the missing link in the trust ecosystem

The “Trust Ecosystem” is often referred to as a three-legged stool composed of security, privacy, and compliance. To make that stool even more secure, however, companies are adding an additional “leg” called identity.

four-legged stool depicting security, privacy, compliance and identity which together make the trust ecosystem more secure

Given the monetary value data privacy regulations have placed on sensitive and personally identifiable data, ensuring this data stays in the right hands by verifying and authenticating identities is now more important than ever. We can expect to see an increasing number of identity companies getting involved in privacy solutions and vice-versa, especially regarding user consent management.

Data Security Software ➜

Don’t fall behind.

Subscribe to the latest software news & updates from the expert analysts at G2.

By submitting this form, you are agreeing to receive marketing communications from G2.