By Joan Goodchild, Card Not Present Staff
With the clock ticking on compliance with the California Consumer Privacy Act (CCPA), many businesses are still ill-prepared for the legislation to take effect. A recent survey of 1,500 businesses by personalization data vendor PossibleNOW found that only eight percent think they are ready, and the soon-to-be law could expose merchants to litigation and other business risks. Some fraud experts are even more worried that the law will create vulnerabilities criminals can exploit in card-not-present scenarios.
CCPA takes effect on January 1, 2020 and gives Californians the right to opt out of the sale of their personal information. Much as under the European Union's General Data Protection Regulation (GDPR), which became enforceable in 2018, residents of the state can also ask to have their data deleted and to learn what information about them has been collected. The requirements apply to for-profit businesses that meet any one of three thresholds: annual revenues of more than $25 million; possession of the personal information of 50,000 or more consumers, households, or devices; or more than half of annual revenue earned from selling consumers' personal information.
In practice the law will reach most online retailers that sell to California consumers, since most merchants collect a consumer's name, location, IP address and identifiers that track web and app use on internet-connected devices. Businesses face steep fines if they don't comply: a civil penalty of up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
While the PossibleNOW research finds that most businesses (78 percent) are aware of CCPA or are educating themselves about it, there is clearly a long way to go before merchants feel prepared to put compliance practices in place.
Karen Schuler, principal and national governance and compliance practice leader at BDO USA, an assurance, tax and financial advisory firm, said she is hearing similar sentiments from her clients, echoing the confusion and concern voiced before GDPR enforcement began last year.
“We have a private-equity client that provides loyalty card and marketing support for food chains in California. It was interesting to hear that they didn’t even know where to start. I was surprised and we are in September,” said Schuler. “It’s reminiscent of before GDPR when companies were saying 'we don’t know where to go with this'.”
More than the financial penalties, Schuler said she is concerned the legislation will open the door to costly litigation against companies.
“I think the bigger implication for companies is the fact that there is a right of private action,” she said. “As soon as you can file a lawsuit, class-action suits will follow. That’s where we think companies are going to get hit.”
Opening the door for potential fraud
For merchants and others that collect customer information, ramifications of the law go beyond data protection and privacy. Many are worried that it will actually increase fraud. A fraud department executive with a major national retailer spoke with Card Not Present and voiced both concern and frustration with the legislation’s demands.
“There is a tremendous learning curve here,” he said. “No one feels like they can get a handle on it at this point.”
Chief among his worries is the potential for criminals to exploit the law. Just as GDPR gives EU residents the right to find out what data a company holds on them and to have it deleted, CCPA grants the same rights to Californians. He thinks this will lead to fraud and data theft.
He pointed to a presentation at the Black Hat 2019 security conference this past summer as evidence for his concern. In it, a security researcher showed how he had persuaded companies to hand over personal information about his partner by submitting a bogus request for the data that cited rights under the EU privacy law.
Security researcher James Pavur contacted dozens of U.K.- and U.S.-based firms to test how they would handle a "right of access" request made in someone else's name. In each case, he asked for all the data they held on his fiancée. One in four companies disclosed personally identifiable information (PII) to Pavur, including the results of a criminal activity check on his fiancée, her credit card information, travel details, account logins and passwords, and her Social Security number.
The point of the presentation was that, in the wrong hands, such data can be used for criminal ends, yet it was easily obtained under the guise of GDPR rights. That is what worries our source as a fraud professional: this is exactly the kind of social engineering currently in favor with fraudsters, who use the harvested information to complete synthetic identities and carry out account takeover (ATO) and other attacks.
“We need to make sure hackers and bad actors don’t get in,” said our retail source. “This law makes that more difficult.”
The International Association of Privacy Professionals recently published commentary that echoes this anxiety.
“There is a simple and innocuous-sounding CCPA requirement stating that requests for access and deletion must be ‘verified.’ However, the law does not clarify what qualifies as verified,” IAPP authors Annie Bai and Peter Mclaughlin said in the post. “In the name of empowering consumers, the law is actually introducing threat vectors that can be manipulated by fraudsters. This presents a considerable risk to organizations by enabling a data breach while ostensibly trying to comply with the law and support a consumer’s data access request.”
But Neira Jones, an independent advisor and international speaker on payments, financial technology, cybersecurity and fraud, believes it is a mistake to treat a few organizations' failures to verify requesters as a flaw in the regulation. The Black Hat scenario, in her view, is unusual, and GDPR as written is not the failure.
“I have heard (not often here I have to admit) of this,” she said in an email exchange with Card Not Present. “But I think over here we understand quite well that there is need for verifying identities before releasing any kind of personal information. Clearly, what was demonstrated at Black Hat is merely another example of the combination of 1) social engineering, 2) lack of governance from the entity to which the request was made, and 3) lack of awareness of the regulation from the same entity.”
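The weak point both the IAPP authors and Jones describe is the same: a company answers an access request sent from an address the requester controls, without first tying the request to the contact channel it already holds for that person. The following intake routine, an added example that is not code from the article, BDO, IAPP or Pavur's research, shows one way to close that gap. It matches the request against the record on file, requires two correctly supplied attributes beyond the name (a threshold assumed for this example), sends a one-time challenge only to the e-mail address on file rather than to the requester's reply-to address, and returns the same acknowledgement to every requester so that a failed attempt does not confirm whether a record exists. The customer record and the request payloads are constructed sample data.

```python
"""Illustrative intake for a "right of access" request that verifies the
requester before anything is released. Added example; not code from the
article, BDO, IAPP or the Black Hat research it cites. The customer record,
the request payloads and the two-attribute threshold are all constructed
for the demonstration."""

from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Customer:
    """`email` is the contact channel verified at sign-up; it is the only
    place a challenge or a data export may ever be sent."""
    customer_id: str
    name: str
    email: str
    postcode: str
    card_last4: str


# Constructed sample record for the demonstration.
CUSTOMERS = {
    "c-1001": Customer("c-1001", "Alex Example", "alex@example.net", "94105", "4242"),
}


@dataclass(frozen=True)
class AccessRequest:
    """What the requester supplies. `reply_to` is where they ASK for the data
    to be sent; a Pavur-style attacker controls this field, so it is never
    used as a destination."""
    claimed_name: str
    reply_to: str
    postcode: Optional[str] = None
    card_last4: Optional[str] = None


# Attributes, beyond the name, that must match before a challenge is issued.
# The value is an assumption of this example, not a legal requirement.
REQUIRED_MATCHES = 2

# Pending challenges: customer_id -> sha256 of the one-time token.
# Stored hashed so a leaked table cannot be replayed.
_pending: dict = {}

# Fixed wording for every requester, successful or not, so the response does
# not reveal whether a matching record exists.
ACKNOWLEDGEMENT = ("If we hold an account matching the details supplied, a "
                   "verification message has been sent to the contact "
                   "address on that account.")


def _matches(customer: Customer, req: AccessRequest) -> int:
    """Count attributes the requester supplied that agree with the record."""
    count = 0
    if req.postcode and hmac.compare_digest(req.postcode, customer.postcode):
        count += 1
    if req.card_last4 and hmac.compare_digest(req.card_last4, customer.card_last4):
        count += 1
    return count


def triage(req: AccessRequest) -> dict:
    """Internal decision for the workflow/mailer, never shown to the requester.
    Every non-matching outcome is identical, so the caller cannot distinguish
    'no such customer' from 'customer exists but attributes wrong'."""
    generic = {"action": "no_release", "send_to": None}
    candidates = [c for c in CUSTOMERS.values()
                  if c.name.casefold() == req.claimed_name.casefold()]
    if len(candidates) != 1:
        return generic
    customer = candidates[0]
    if _matches(customer, req) < REQUIRED_MATCHES:
        return generic
    # Challenge goes to the address on file, not to req.reply_to.
    token = secrets.token_urlsafe(16)
    _pending[customer.customer_id] = hashlib.sha256(token.encode()).hexdigest()
    return {"action": "challenge", "send_to": customer.email, "token": token}


def acknowledgement(decision: dict) -> str:
    """What the requester is told, regardless of the internal decision."""
    return ACKNOWLEDGEMENT


def confirm(customer_id: str, token: str) -> bool:
    """Called when the token comes back via the on-file channel. A token is
    valid once; only after this returns True may the export be released, and
    then only to the address on file."""
    expected = _pending.get(customer_id)
    if expected is None:
        return False
    ok = hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), expected)
    if ok:
        del _pending[customer_id]
    return ok


if __name__ == "__main__":
    # A request that knows only the name and supplies an attacker address.
    spoof = AccessRequest("Alex Example", "attacker@example.org")
    print(triage(spoof))              # {'action': 'no_release', 'send_to': None}
    # Even with the right attributes, the challenge goes to the on-file address.
    known = AccessRequest("Alex Example", "attacker@example.org", "94105", "4242")
    print(triage(known)["send_to"])   # alex@example.net
```

The two design points that defeat the Black Hat scenario are that the destination for anything sensitive is taken from the record, never from the request, and that a request which fails the attribute check gets the same acknowledgement as one that succeeds. Real deployments would add rate limiting per name and per source address and an expiry on pending tokens; both are omitted here to keep the example short.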
Schuler thinks CCPA may make fraud more likely, but for reasons other than requester verification. She believes that giving consumers the right to opt out of data collection, and to have their data deleted, could even cost merchants in chargebacks.
“If I want to opt out of giving you my data, it is going to be hard to rely on it going forward if you have incomplete data sets,” she explained. “If I say: ‘I request you delete all my information’ and then go back to ask: ‘Why did you charge me for this?’, there is no record for the merchant to maintain the proof of purchase.”
While Schuler notes this could be a far-reaching scenario, it is something she is keeping her eye on.
Getting things in order to comply with CCPA
Schuler and BDO are making the following recommendations to merchants feeling overwhelmed and unprepared for CCPA.
Create a data inventory
Schuler advises merchants to start with the basics. What information is currently being collected and stored? Once that has been examined, ask next: where is the data going? Are you transferring it? Sharing it? Selling it? Analyzing it? If so, why?
“Then we advise clients to take a GDPR or HIPAA approach to figuring out if they need all of that data. Ask: why are we processing this information?” said Schuler.
Integrate CCPA response and management programs
Next, tackle the question of response. If a consumer asks for access to their information, what will you do? Do you have a plan?
“If I were to request my information, can you even tell me that today? That’s going to be the toughest part—processing the request and getting it to the consumer in a timely manner,” said Schuler.
Other issues to work out include who will be in charge of responding. Will it require human interaction? Will you have a quality self-service option? Or a call center?
Evaluate your data governance and privacy maturity
Other considerations, according to Schuler, include evaluating your vendor agreements and third-party relationships for privacy: how are the third parties you work with storing and handling data? And take a look at your privacy maturity organization-wide.
“When you stand up a new website or capability, are you even looking at privacy by design? That literally means at the onset of that project,” she said.
BDO also recommends that businesses start training employees in privacy and security awareness during their ramp-up to CCPA, and take a hard look at their external and internal privacy policies.
“We find contradictions between many policies,” she said. “This could be relevant to compliance because if your employees have to handle personal data, you need to make sure policies are aligned and not contradicting each other.”