Could the GDPR 'Right to Access' Make Personal Data More Vulnerable?
Under the EU's GDPR consumers may request a copy of the data companies have collected from them. But if a bad actor takes control of that account, it could put the data at greater risk.
January 23, 2019 at 10:30 AM
The original version of this story was published on Legal Tech News
In life there's always a catch-22, only in the case of the General Data Protection Regulation (GDPR) it's more like an Article 23. The Right of Access established in the European Union's landmark privacy regulation allows consumers to request a copy of all the data that an organization has collected on them.
But in doing so, the GDPR may have inadvertently made that same data more vulnerable to bad actors or identity thieves who surreptitiously take control of an EU citizen's account, and make the request on their behalf. What's more, the GDPR doesn't make it easy for businesses to verify a consumer's true identity.
“It raises the stakes, that's for sure,” said Robert Braun, a partner at Jeffer Mangels Butler and Mitchell LLP.
By handing over data to an impersonator, companies could potentially be dealing with a double-edged sword — the ramifications of both a data breach and failure to adequately verify a consumer's identity. To make matters even more complicated, the GDPR doesn't specify what steps a company or an organization needs to take in order to ascertain the veracity of a request made under the Right to Access provision — just that steps have to be taken.
Braun said that many companies are falling back on whatever identity verification process they used to establish a consumer's account in the first place, but that those measures typically don't amount to much. In the event of a consumer's data being handed over to an imposter, the adequacy of a company's identity verification process would be viewed almost exclusively in hindsight.
“You'll have to defend what you did and that could be a challenge,” Braun said.
But while Right to Access presents a challenge, it may not be a complete game changer.
Jennifer Beckage, founder of the Beckage firm, doesn't think that hackers need to take advantage of the GDPR in order to gain access to someone's personal information. If they want something, they'll figure out a way to get it.
“I've been practicing in this space for a really long time before data breaches were data breaches and impersonation and fraud have been around since the beginning of time. We're always going to see those things at play but the ability to access data is not entirely new,” Beckage said.
Potentially of more concern to businesses is the verification process itself, which runs the risk of violating the GDPR's data minimization principle. Article 23 of the regulation stipulates that organizations should collect or process only as much data as is necessary to complete a given task.
Imagine the last time you had to reset the password to your social media or online banking accounts. There's usually at least one pre-established question you have to correctly answer in order to verify your identity, only this time it doesn't hinge on the name of somebody's first pet.
“[Companies] don't want to collect information more than what they already have or try to collect sensitive information that they may not need to authenticate,” Beckage said.
She suggests that companies consider the type of information that they are trafficking in when establishing an infrastructure to deal with Right to Access requests. A social security number may require more stringent verification procedures than an address.
“Rome wasn't built in a day and it's going to take time for organizations to find out what's working and not working and going through the assessment process and determining the best methods,” Beckage said.