Could the GDPR 'Right to Access' Make Personal Data More Vulnerable?
Under the EU's GDPR consumers may request a copy of the data companies have collected from them. But if a bad actor takes control of that account, it could put the data at greater risk.
January 23, 2019 at 10:30 AM
In life there's always a catch-22, only in the case of the General Data Protection Regulation (GDPR) it's more like an Article 23. The Right of Access established in the European Union's landmark privacy regulation allows consumers to request a copy of all the data that an organization has collected on them.
But in doing so, the GDPR may have inadvertently made that same data more vulnerable to bad actors or identity thieves who surreptitiously take control of an EU citizen's account, and make the request on their behalf. What's more, the GDPR doesn't make it easy for businesses to verify a consumer's true identity.
“It raises the stakes, that's for sure,” said Robert Braun, a partner at Jeffer Mangels Butler and Mitchell LLP.
By handing over data to an impersonator, companies could potentially be dealing with a double-edged sword: the ramifications of both a data breach and a failure to adequately verify a consumer's identity. To make matters even more complicated, the GDPR doesn't specify what steps a company or an organization needs to take in order to ascertain the veracity of a request made under the Right to Access provision, just that steps have to be taken.
Braun said that many companies are falling back on whatever identity verification process they used to establish a consumer's account in the first place, but that those measures typically don't amount to much. In the event of a consumer's data being handed over to an imposter, the adequacy of a company's identity verification process would be viewed almost exclusively in hindsight.
“You'll have to defend what you did and that could be a challenge,” Braun said.
But while the Right to Access presents a challenge, it may not be a complete game changer.
Jennifer Beckage, founder of the Beckage firm, doesn't think that hackers need to take advantage of the GDPR in order to gain access to someone's personal information. If they want something, they'll figure out a way to get it.
“I've been practicing in this space for a really long time, before data breaches were data breaches, and impersonation and fraud have been around since the beginning of time. We're always going to see those things at play, but the ability to access data is not entirely new,” Beckage said.
Potentially of more concern to businesses is the verification process itself, which runs the risk of violating the GDPR's data minimization principle. Article 23 of the regulations stipulates that organizations should collect or process only as much data as is necessary to complete a given task.
Imagine the last time you had to reset the password to your social media or online banking accounts. There's usually at least one pre-established question you have to answer correctly in order to verify your identity, only this time it doesn't hinge on the name of somebody's first pet.
“[Companies] don't want to collect information more than what they already have or try to collect sensitive information that they may not need to authenticate,” Beckage said.
She suggests that companies consider the type of information that they are trafficking in when establishing an infrastructure to deal with Right to Access requests. A social security number may require more stringent verification procedures than an address.
“Rome wasn't built in a day and it's going to take time for organizations to find out what's working and not working and going through the assessment process and determining the best methods,” Beckage said.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.