Global Privacy Lead, Socure
Authentication as an Enabler of Better Privacy
There are two sides to the digital authentication coin when it comes to privacy: it helps mitigate the privacy risk of unauthorized access to individuals’ information, but it also generates privacy risks such as tracking and profiling when not executed carefully. Public and private sectors have various levels of experience giving citizens access to their data under laws such as the Privacy Act of 1974 and the European General Data Protection Regulation.
Most recently, companies are getting a crash course with the California Consumer Privacy Protection Act and addressing “verifiable consumer requests.” While these are privacy-related regulations, they contain provisions requiring organizations to evaluate their authentication approaches to ensure the right individual gets access to his or her information. When authentication is executed poorly or naively (or not at all!), privacy is undermined because consumer data is not protected from unauthorized access. The risk is significant when you realize consumer requests are a “scalable attack vector” for fraudsters. Privacy risks extend beyond unauthorized access concerns, and organizations need to take care not to over-collect or share PII for authentication purposes.
When executed carefully, authentication can enable privacy rights of individuals without putting them at risk of unauthorized access, modification, deletion, or tracking and profiling. You’ll hear from privacy experts in public and private sectors how authentication for subject access requests is executed under these laws. Speakers will also discuss application of privacy-related guidance such as the National Institute of Standards and Technology (NIST) Digital Identity Guidelines and the NIST Privacy Framework.