At the Black Hat conference in Las Vegas last week, a security researcher presented his research on using access rights available under the GDPR for identity theft purposes (slides available here; whitepaper available here).  Specifically, the researcher “attempted to steal as much information as possible” about his fiancé by submitting GDPR access requests in her name to more than 150 companies based in the U.S. and UK.  The researcher reported that 24 percent of the companies surveyed ultimately provided personal information in response to the bogus requests.

While the researcher’s study focused on the GDPR, the results are indicative of concerns applicable more broadly to other privacy laws that grant access rights to individuals, including the forthcoming California Consumer Privacy Act (“CCPA”) in California.  This could be particularly problematic in a CCPA context given that the statute defines personal information to include information associated with a consumer’s “household.”

The whitepaper associated with the researcher’s study suggests a number of potential steps that various stakeholders could take to remediate the risk of unauthorized disclosure of personal information in response to access requests.  For instance, the whitepaper suggests that legislators and regulators could reduce these risks by “assuring businesses that rejecting a suspicious right of access request in good faith will not later result in prosecution if it turns out that the request originated from a legitimate but suspiciously-behaving data subject.”

Print:
EmailTweetLikeLinkedIn
Photo of David Bender David Bender

David Bender is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity practice group.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.