Identity Verification and CCPA: Deploying secure, customer-friendly identity verification for CCPA compliance


Post on 25-Aug-2020


Page 1

Private and Confidential © 2019 IDology, Inc.

Chris Luttrell, COO

IDology

Erin Illman, Partner and Chair, Privacy and Information Security Practice

Bradley Arant Boult Cummings LLP

Identity Verification and CCPA

Deploying secure, customer-friendly identity verification for CCPA compliance

Page 2

Agenda

• New CCPA Proposed Regulations

• CCPA and Identity Verification: Mitigating Risk and Enhancing the Experience

• Key Takeaways and Wrap Up

Page 3

About IDology

• Leading innovator in identity verification, compliance and authentication

• Founded in 2003, high growth, a GBG company

• Anti-fraud consortium network

• Unique scan and mobile solutions

• Dedicated fraud team utilizing machine learning

Key Facts

“2019 Identity Verification Company of the Year”

Page 4

California Consumer Privacy Act (CCPA) and Identity Verification

Page 5

The CCPA Identity Verification Business Problem

Key Questions

➢ Meet Compliance?

➢ Is it Secure?

➢ Friendly User Experience?

➢ Lower Cost and Increased Efficiency?

“Meet compliance while giving verified requestor access to data in a secure, scalable, automated way that also facilitates a positive customer experience.”

Source: CCPA and Identity Verification White Paper, IDology 2019

Page 6

New CCPA Data from 7th Annual Fraud Report; GDPR Comparisons and Nationalization

Source: 7th Annual Fraud Report, IDology 2019

Page 7

Source: Sixth Annual Fraud Report, IDology 2018

Erin Illman, Partner and Chair, Privacy and Information Security Practice

Bradley Arant Boult Cummings LLP

✓ Overview CCPA Requirements

✓ New CA AG Proposed Regulations

Page 8

CCPA Timeline: 2018 - 2020

Page 9

CCPA Overview

✓ Eight “Consumer” or Individual Rights

✓ Additional Business Obligations

✓ Security required

✓ Private right of action for data breach

Page 10

California Attorney General’s Proposed Regulations

✓ “Categories of Third Parties”

✓ Notice, Disclosure, and Policy

✓ Offline point of collection disclosure

✓ Various clarifications

✓ New 10-day requirement for confirmation of receipt of VCR

✓ Prohibition of PII and account password/security questions

✓ Specific rules for verification

Page 11

Verified Consumer Request; Key Considerations

• Requirement Overview:

• Request to Know

• Request to Delete

• Business should consider how it typically interacts with consumers when determining best methods

• VCR for deletion requires a two-step process

1. Request

2. Separate confirmation of deletion

• If consumer submits a VCR that is NOT one of the business’ designated methods, the business MUST:

1. Treat it as a valid VCR; or

2. Provide specific directions on how to submit the request or remedy any deficiencies with the request.

Page 12

Verified Consumer Request; Key Considerations

• Business shall confirm receipt of VCR within 10 days

• Response must:

• Indicate how the business will process the request

• Describe business’s verification process

• Detail the expected response

• “Right to Know” requests

• Business MUST NOT disclose…

Page 13

Identity Verification Methodology

• Match “identifying information” provided to the PI of consumer maintained by business, or use a third-party verification service that complies.

• Avoid collecting SSN, DL#, financial account number, or medical info as part of verification process

• Sliding scale of verification depending on sensitivity

• Consider risk of harm by unauthorized access/deletion and likelihood malicious actors would seek PI

• Sufficiently robust to protect against fraudulent activities

• Consider manner of interaction with consumer and technology

Page 14

Verification

• Business must implement reasonable security measures to detect fraudulent identity verification activity

• Verification can be made through existing account

• “Reasonable Degree of Certainty” required to disclose categories of personal information

• “Reasonable” may include matching at least two reliable data points provided by consumer and maintained by business

• Example: Business maintains consumer’s name and credit card information

Page 15

Verification

• “High Degree of Certainty” required to disclose specific pieces of personal information

• “High degree” may include matching at least three reliable data points provided by consumer and maintained by business together with a signed declaration under penalty of perjury that requestor is consumer whose personal information is subject to request

• Deletion may require reasonable or high degree of certainty based on information requested for deletion

• Fact-based verification process may be required if business maintains personal information in a manner that is not associated with a named actual person

• Verification methodology evaluated on yearly basis

Page 16

Source: Sixth Annual Fraud Report, IDology 2018

✓ CCPA and Identity Verification: Mitigating Risk, Lowering Costs, and Enhancing the Experience

Chris Luttrell, COO, IDology

Page 17

CCPA Workflow

White Paper: CCPA and Identity Verification, IDology 2019

Page 18

CCPA Identity Verification: 100s of Combinations

Infographic: CCPA Identity Verification Work Flows Map, IDology 2019

Page 19

➢ Among 150 companies, 72 replied to the fake requests with 83 affirming that they had PI.

➢ 24% accepted an email address and phone number as proof of identity.

➢ 16% requested easily forged ID information.

CCPA Compliance CCPA Security: A Lesson from a GDPR Experiment

Page 20

Source: Second Annual Consumer Digital Identity Survey, IDology, 2019

Key Takeaways

Check out the CCPA Tools at IDology.com

Consult with an IDology Identity Verification expert

✓ CCPA Identity Verification is mission critical to compliance and security

✓ Multitude of IDV requestors, channels, and methods

✓ Operationalize with self-service, automation, and scale