Does GDPR enable identity theft?
Under GDPR you'll be able to ask organisations to hand over all the data they hold on you. But what happens when a cyber criminal is able to pass himself off as you, and force firms to tell him everything?
There are fears that GDPR could enable identity theft, with new rights conferred to data subjects, allowing them to request that organisations hand over all data they hold on them.
This means that a malicious actor could get hold of a person's name and address, from a discarded utility bill for example, and use that to identify themselves to a data controller. If successfully duped, that data controller would hand over all information they hold on that person, massively enriching the original identity theft, and enabling the criminal to more easily approach other organisations and repeat the process.
What happens if they refuse to pass on information because the identity can't be adequately verified? Are they in breach of GDPR because they aren't meeting the requirements of data access?
And how can organisations create a scalable way to verify identity for all the data requests that come in? Interestingly, it's easily scalable for the scammer, as they can ask for the information in a machine-readable format.
Computing put these questions to Kuan Hon, Director, Privacy, Security & Information, at Fieldfisher.
Kuan Hon: The GDPR does say, "where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21 [which spell out individuals' rights regarding their data, like the access right], the controller may request the provision of additional information necessary to confirm the identity of the data subject."
A lot of this involves having decent systems/processes - and applying plain common sense.
Organisations need to put in place risk-appropriate systems and processes for authentication and identity verification (including training for employees), so that their employees will know in what situations they should ask for extra information to confirm the identity of the individual, and what extra information would be good enough. In some cases, this might depend e.g. on how the request comes through (in person, by email, etc). And by the way, is asking for date of birth or home address, or other information that can be easily found online, really good enough in this day and age?
But also, organisations should put in place systems and processes to control where the answers to requests get sent to, and how they get sent.
If a man shows up in person at your office with a woman's electricity bill, asking you to give him box-loads of information about her, I hope you're going to query his request!
If a request comes in by email, but it's from an email address that's been registered with your organisation for that individual, and the request asks you to send the information to the home address registered with your organisation for that individual, then the risk seems low. But in these sorts of situations, I've encountered organisations that go too far the other way - if you're asking (by phone or email) for some info just to be posted to your registered home address, do they really have to give you the third degree before they're willing to do anything?
Of course, Jim could have hacked your systems to change Jane's registered email address and home address, but in that event you might have bigger problems to think about, like your security! (And if Jim can hack your systems to do that, he could well get Jane's information directly from your systems too, without having to go to the trouble of faking a request from Jane).
Jim could have hacked Jane's email account, and emailed you Jane's electricity bill. So, then, maybe you want to post the info to Jane's registered address with you, or telephone Jane to check with her first that the request was really from her. If he managed to change her registered address or phone number on your systems, see above!
Or some organisations are considering or even creating dashboards or other systems allowing individual customers to log in and access, edit, export etc. their own personal data, on a self-service basis. Obviously proper controls have to be put in place, e.g. enforcing long passwords and not letting the customer set up "password" or "123456" to use as their password, and extra checks when it comes to deleting all data about a particular individual. But as long as there are good controls, there's no reason why this sort of approach shouldn't work scalably (once suitable systems are built) to help organisations comply with their obligations to respond to individuals' requests to access their data, etc.
None of this is set out in the GDPR, but it shouldn't need to be. As I said, it's just having decent systems/processes (including good security questions), and applying common sense. Organisations should certainly be looking at these issues as part of their GDPR preparation, but really they should already have good identity verification systems/processes, GDPR or not. Of course, some organisations, even big ones, have been bitten on that front - e.g. the well known incident involving Wired journalist Matt Honan, who got hacked because of security flaws (including identity verification flaws) at, not just one, but two large tech companies. Organisations' to-do lists can only get longer…
So, giving someone's personal data to a fraudster who poses as the individual will be a breach of the GDPR's security obligation, as obviously it's a breach of confidentiality. It doesn't matter how the bad guy got the info. Organisations who handle personal data have to take risk-appropriate security steps to protect the data - whether the measures are for identity verification, or to prevent SQL injection attacks, etc.
Finally, you said scammers can ask for people's personal data in a machine-readable format. That's not fully accurate. When an individual makes a request electronically (e.g. by email), organisations have to give them the information "by electronic means where possible, unless otherwise requested by the data subject". So, if an electronic format is not possible, the organisation doesn't actually have to give the info electronically (although most organisations should have scanners these days). Or, if the individual asks for the info to be posted to them in hard copy, then the organisation doesn't need to give it electronically. The organisation has to give the info in machine-readable format in only one situation: where the individual exercises their "data portability" right, which is a new right under the GDPR. However, this right only applies in limited circumstances, and only to some (not all) of the individual's personal data.
NIST has published helpful recent digital identity guidelines at https://pages.nist.gov/800-63-3/
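The risk-appropriate handling rules Kuan Hon describes (a request from the registered email that asks for delivery to the registered postal address is low risk; electronic delivery should be confirmed out of band in case the mailbox is compromised; a recent change to registered contact details, an in-person request or an erasure request needs extra checks) can be written down as a triage routine. The code below is an added illustration, not part of the interview or any Fieldfisher process; the record and request fields, the 30-day change window and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed models: what the controller already holds for the data subject,
# and the subject access request as it arrived.
@dataclass
class Record:
    email: str
    postal_address: str
    contact_changed_on: date   # last edit to registered email/address/phone

@dataclass
class Request:
    channel: str               # "email", "phone" or "in_person"
    from_email: Optional[str]  # sender address for email requests, else None
    deliver_to: str            # where the requester asks the data to be sent
    delete_all: bool = False   # erasure request rather than an access request

def assess(req: Request, rec: Record, today: date,
           change_window_days: int = 30) -> str:
    """Return 'fulfil', 'verify_out_of_band' or 'escalate'.

    fulfil             - send the data to the registered postal address.
    verify_out_of_band - confirm via a channel the requester did not use
                         (e.g. call the registered phone number, or post
                         to the registered address instead of emailing).
    escalate           - a human asks for additional identity evidence,
                         as the GDPR allows when identity is in doubt.
    """
    # Extra checks before deleting everything about a person.
    if req.delete_all:
        return "escalate"
    # Registered contact details edited recently: the account itself may
    # have been tampered with, so do not trust them as a verification anchor.
    if today - rec.contact_changed_on <= timedelta(days=change_window_days):
        return "escalate"
    # Someone turning up with a document about another person gets queried.
    if req.channel == "in_person":
        return "escalate"
    # Data only goes to the address already on file: low risk, no third degree.
    if req.deliver_to == rec.postal_address:
        return "fulfil"
    # Sent from the registered mailbox and asking for electronic delivery:
    # the mailbox could be hijacked, so confirm with the subject first.
    if req.channel == "email" and req.from_email == rec.email \
            and req.deliver_to == rec.email:
        return "verify_out_of_band"
    return "escalate"
```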
Kuan states that the above is designed to be general information, not legal advice.