TRANSCRIPT
Private and Confidential © 2019 IDology, Inc.
Chris Luttrell, COO
IDology
Erin Illman, Partner and Chair, Privacy and Information Security Practice
Bradley Arant Boult Cummings LLP
Identity Verification and CCPA
Deploying secure, customer-friendly identity verification for CCPA compliance
Agenda
• New CCPA Proposed Regulations
• CCPA and Identity Verification: Mitigating Risk and Enhancing the Experience
• Key Takeaways and Wrap Up
About IDology
• Leading innovator in identity verification, compliance and authentication
• Founded in 2003, high growth, a GBG company
• Anti-fraud consortium network
• Unique scan and mobile solutions
• Dedicated fraud team utilizing machine learning
Key Facts
“2019 Identity Verification Company of the Year”
California Consumer Privacy Act (CCPA) and Identity Verification
The CCPA Identity Verification Business Problem
Key Questions
➢ Meet Compliance?
➢ Is it Secure?
➢ Friendly User Experience?
➢ Lower Cost and Increased Efficiency?
“Meet compliance while giving verified requestor access to data in a secure, scalable, automated way that also facilitates a positive customer experience.”
Source: CCPA and Identity Verification White Paper, IDology 2019
New CCPA Data from 7th Annual Fraud Report; GDPR Comparisons and Nationalization
Source: 7th Annual Fraud Report, IDology 2019
Source: Sixth Annual Fraud Report, IDology 2018
Erin Illman, Partner and Chair, Privacy and Information Security Practice
Bradley Arant Boult Cummings LLP
✓ Overview CCPA Requirements
✓ New CA AG Proposed Regulations
CCPA Timeline: 2018 - 2020
CCPA Overview
✓ Eight “Consumer” or Individual Rights
✓ Additional Business Obligations
✓ Security required
✓ Private right of action for data breach
California Attorney General’s Proposed Regulations
✓ “Categories of Third Parties”
✓ Notice, Disclosure, and Policy
✓ Offline point of collection disclosure
✓ Various clarifications
✓ New 10-day requirement for confirmation of receipt of VCR
✓ Prohibition of PII and account password/security questions
✓ Specific rules for verification
Verified Consumer Request; Key Considerations
• Requirement Overview:
  • Request to Know
  • Request to Delete
• Business should consider how it typically interacts with consumers when determining best methods
• VCR for deletion requires two step process
  1. Request
  2. Separate confirmation of deletion
• If consumer submits a VCR that is NOT one of the business’ designated methods, the business MUST:
  1. Treat it as a valid VCR; or
  2. Provide specific directions on how to submit the request or remedy any deficiencies with the request.
Verified Consumer Request; Key Considerations
• Business shall confirm receipt of VCR within 10 days
• Response must:
  • Indicate how the business will process the request
  • Describe business’s verification process
  • Detail the expected response
• “Right to Know” requests
  • Business MUST NOT disclose…
Identity Verification Methodology
• Match “identifying information” provided to the PI of consumer maintained by business, or use a third-party verification service that complies.
• Avoid collecting SSN, DL#, financial account number, or medical info as part of verification process
• Sliding scale of verification depending on sensitivity
• Consider risk of harm by unauthorized access/deletion and likelihood malicious actors would seek PI
• Sufficiently robust to protect against fraudulent activities
• Consider manner of interaction with consumer and technology
Verification
• Business must implement reasonable security measures to detect fraudulent identity verification activity
• Verification can be made through existing account
• “Reasonable Degree of Certainty” required to disclose categories of personal information
• “Reasonable” may include matching at least two reliable data points provided by consumer and maintained by business
• Example: Business maintains consumer’s name and credit card information
Verification
• “High Degree of Certainty” required to disclose specific pieces of personal information
• “High degree” may include matching at least three reliable data points provided by consumer and maintained by business together with a signed declaration under penalty of perjury that requestor is consumer whose personal information is subject to request
• Deletion may require reasonable or high degree of certainty based on information requested for deletion
• Fact-based verification process may be required if business maintains personal information in a manner that is not associated with a named actual person
• Verification methodology evaluated on yearly basis
Source: Sixth Annual Fraud Report, IDology 2018
✓ CCPA and Identity Verification: Mitigating Risk, Lowering Costs, and Enhancing the Experience
Chris Luttrell, COO
IDology
CCPA Workflow
White Paper: CCPA and Identity Verification, IDology 2019
CCPA Identity Verification: 100s of Combinations
Infographic: CCPA Identity Verification Work Flows Map, IDology 2019
➢ Among 150 companies, 72 replied to the fake requests with 83 affirming that they had PI.
➢ 24% accepted an email address and phone number as proof of identity.
➢ 16% requested easily forged ID information.
CCPA Compliance CCPA Security: A Lesson from a GDPR Experiment
Source: Second Annual Consumer Digital Identity Survey, IDology, 2019
Key Takeaways
Check out the CCPA Tools at IDology.com
Consult with an IDology Identity Verification expert
✓ CCPA Identity Verification is mission critical to compliance and security
✓ Multitude of IDV requestors, channels, and methods
✓ Operationalize with self-service, automation, and scale