Do We Really Have to Give Them That? The Lurking Risk Behind Data Subject Access Requests

Imagine it’s a Wednesday at 3:00 pm and you’re minding your own business at work.  All of a sudden, an email appears in your inbox from John Smith.  The subject line: Right to Know Request.  Intrigued, and maybe a little confused, you open the email and it says “I am a California resident.  Please send me all the specific information you have on me, the sources from which your business collected that information, the purpose for which you use the information, and which of this information you sell to third parties.”  You laugh, thinking this John Smith has quite the sense of humor.  There’s no way you have to comply, right?

You very well may have a responsibility to provide at least some of this information.  Consumers are increasingly gaining rights surrounding, and access to, personal information that companies process.  Known as Data Subject Access Requests (“DSAR”), or Data Subject Rights Requests, the rights underlying these requests, and the requests themselves, are popping up with increasing frequency in jurisdictions around the world.  Depending on the relevant regulatory regime, a DSAR can be a request for all information an organization has on an individual, a request for categories of information, a request to know whom that information has been shared with, a request to correct information, or a request to delete all information.  DSARs can also be used to direct an organization not to sell certain information or process sensitive personal information.

There are exceptions to these rights, and limits to the jurisdictional bounds of the regimes at issue, but more and more, consumers and even employees or business contacts are expecting that organizations will respect and respond to DSARs, even if not required to by law.  And an organization would benefit by looking at its privacy policy to see if it has promised DSAR rights in the policy.  With the effective date of the EU’s General Data Protection Regulation (“GDPR”) in 2018, many organizations updated their privacy policies to include a promise of DSAR rights without either creating a DSAR process internally or engaging in any substantive review of whether GDPR even applied to the organization.  Contrary to common assumption, GDPR is not a “possession” regime, applying to any organization that possesses EU personal data.  Rather, GDPR has strict limitations, outlined in Article 3, “Territorial Scope,” and an organization is well served in determining whether it falls outside the territorial scope of GDPR before adopting a privacy policy granting GDPR-style rights.

As they become more common, DSARs can pose a host of problems for organizations that receive them, and significant risk.  They lead to expense and time lost verifying such requests, gathering information, and formulating a response.  DSARs can also be made in a myriad of ways: orally or in writing, in person or remotely, in passing or formally, by social media or even, conceivably, by carrier pigeon.  Acknowledging this, the California Consumer Privacy Act, for example, directs organizations under its purview to either accept DSARs in whatever form they come in, or direct consumers to the accepted DSAR methods adopted by the organization, e.g., a toll-free number or web form.  See 11 CCR § 999.312.  The one thing no organization can do under any DSAR regime is ignore a DSAR.

As for DSAR risk, there are a number of potential pitfalls to avoid when processing and responding to DSARs.  Initially only a trickle, DSARs are now becoming a flood, with certain companies specializing in mass DSAR issuance, such as Privacy Bee and Mine.  These DSAR platforms scrape the web for DSAR contact information and allow subscribers to send scatter-gun DSARs to any and every organization on the platform’s list.  Much like a denial-of-service attack, this volume can inundate an IT or security team, or even the legal team, reducing the time that team can spend on other key processes, like responding to cyberattacks.

And then there’s the risk of DSAR fraud.  In the early days of GDPR, an Oxford University researcher conducted an experiment, documented in a working paper (humorously named “GDPArrrrrrr, Using Privacy Laws to Steal Identities”), illustrating the DSAR fraud risk.  The researcher used publicly available information on his fiancée and a fake email address to send DSARs to over 150 companies.  Nearly 25% of the UK and US-based organizations that received these fake DSARs provided highly sensitive personal data with little or no verification, including Social Security number, credit card details, home address, and account usernames and passwords.  Another 15% requested some sort of verification, but of a kind that could likely be falsified, such as a signed statement swearing to be the data subject.  A small number, 3%, misinterpreted the request altogether as a request to delete and deleted the fiancée’s account without requiring any additional verification.  And beyond fraudsters using DSARs to collect personal information belonging to others, the DSAR email your organization gets may be a phishing email, since attackers know that companies are highly sensitive about responding to DSARs.

What to do in response to these challenges and risks?  Like any data-driven risk, the first step in addressing the risk is to understand the data your organization processes and the purposes for such processing.  A detailed data inventory provides this visibility and allows an organization to then build a DSAR program responsive to regulatory requirements and consumer expectations.  However, DSAR program development is not a one-and-done exercise.  Organizations must review their DSAR practices as laws and expectations change, as well as whenever the organization’s processing activities change.  The one thing an organization cannot do is ignore intriguing incoming data requests or underestimate the risk that our new DSAR-filled world creates.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2021 Harter Secrest & Emery LLP