Weaponized DSARs and the automation to come


With coverage of data breaches and landmark fines rapidly on the rise, how data and information are handled and managed has never been more important for businesses and consumers alike.

Increasing use of Data Subject Access Requests (DSARs) by individuals, activists and cybercriminals is accelerating the move towards standardized processes and automation for handling DSARs.

The General Data Protection Regulation (GDPR) and other global privacy regulations have put organizations on a positive path to privacy management, which benefits businesses operating in any sector. They have encouraged more responsible data handling and greater transparency about how personal information is processed, controlled and governed.

However, complying with DSARs continues to be a challenging area for most organizations. Departments from Human Resources to Legal to Compliance continue to feel the impact as consumers become more aware of their right to obtain a copy of their personal data by submitting a DSAR.

New privacy laws will come into force this year all around the world including the CCPA in California, the LGPD in Brazil and PDPA in Thailand. With similar bills pending in New York (New York Privacy Act s.5642), Pennsylvania (House Bill 1049) and Massachusetts (Consumer Privacy Bill SD 341), the coming year is going to be another busy year from a DSAR standpoint.

Organizations are likely to see the continued use of DSARs by:

• Individuals curious to see what personal information a company may be processing on them

• Activists attempting to cause disruption to an organization

• Cyber-criminals looking to steal personal information

In 2019, after Blizzard Entertainment banned one of its customers from its services for voicing support for the protests in Hong Kong, activists demonstrated how Article 15 of the GDPR can be used to flood a company with simultaneous DSARs.

As these requests can place a significant administrative burden on organizations, we may see more of these protests in future.

There is also the potential for DSARs to be used by cybercriminals as a mechanism to steal personal information. A University of Oxford-based researcher demonstrated in the ‘GDPArrrrr: Using Privacy Laws to Steal Identities’ paper how organizations lacking a clear and robust method for verifying the identity of the data subject can be manipulated into sending personal information to an impostor. The weak point is usually the same: the organization accepts identity claims that anyone could look up, such as a name, and then delivers the response to whatever contact address the requester supplied rather than to a channel it already holds on file for that person.

Is automation needed to handle weaponized DSARs?

Given these challenges and the fast-changing regulatory landscape, organizations are likely to adopt more robust mechanisms for verifying data subjects, make smarter use of data retention strategies, and move further towards automation to reduce the resource-intensive burden that DSARs place on them. Whatever the tooling, the verification step needs to check the requester's claims against the record the organization already holds, and release the data only to the contact details on that record, never to an address chosen by the requester.
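To make the verification failure described in the GDPArrrrr case, and the hardened intake that the paragraph above calls for, concrete, here is an added example that is not code from the original post or from the GDPArrrrr paper. The customer record, the request fields and the two intake routines are all constructed for the demo: the weak version matches on the name alone and mails the export to whatever reply address the requester typed in, while the hardened version requires every identity claim to match the record of truth, sends a one-time code only to the email already on file, and releases the data on that same channel once the code comes back.

```python
"""Added example (constructed, not from the original post or the GDPArrrrr paper):
a DSAR intake that trusts the requester's own contact details, beside a hardened
two-phase version that only ever delivers to the channel already on file."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed record of what the organization actually holds on the data subject.
CUSTOMERS = [
    {"name": "Alice Example", "dob": "1988-04-12", "postcode": "AB1 2CD",
     "email": "alice@example.com", "orders": ["#1001", "#1042"]},
]


@dataclass
class DSAR:
    """Fields of the (constructed) request form. reply_to is chosen by the requester."""
    claimed_name: str
    reply_to: str
    claimed_dob: str = ""
    claimed_postcode: str = ""


def _norm(s: str) -> bytes:
    """Canonical form for comparison: trimmed, lower-cased, single-spaced, as bytes."""
    return " ".join(s.strip().lower().split()).encode("utf-8")


def weak_intake(req: DSAR, customers=CUSTOMERS):
    """Vulnerable pattern: match on the name alone and deliver wherever the requester
    asks. Anyone who knows a victim's name can harvest the victim's record."""
    for rec in customers:
        if _norm(rec["name"]) == _norm(req.claimed_name):
            return ("send", req.reply_to, rec)
    return ("reject", None, None)


class HardenedIntake:
    """Two-phase intake: (1) every identity claim must match the record of truth;
    (2) a one-time code goes only to the contact channel already on file, and the
    export is released on that channel only after the code is returned."""

    def __init__(self, customers=CUSTOMERS):
        self.customers = customers
        self.pending = {}   # token -> (record, expected code), single use
        self.outbox = []    # (address, message) that the mail sender would deliver

    def _find(self, req: DSAR):
        for rec in self.customers:
            claims = [(req.claimed_name, rec["name"]),
                      (req.claimed_dob, rec["dob"]),
                      (req.claimed_postcode, rec["postcode"])]
            # Evaluate every claim (no short-circuit) with a prefix-independent compare.
            results = [hmac.compare_digest(_norm(a), _norm(b)) for a, b in claims]
            if all(results):
                return rec
        return None

    def open(self, req: DSAR):
        rec = self._find(req)
        if rec is None:
            # Same answer for "no such person" and "claims do not match", so the
            # response is not an oracle for whether a record exists.
            return {"status": "under_review"}
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(16)
        self.pending[token] = (rec, code)
        # req.reply_to is deliberately never used as a delivery address.
        self.outbox.append((rec["email"], f"Your DSAR verification code is {code}"))
        return {"status": "verify_code", "token": token}

    def complete(self, token: str, code: str):
        entry = self.pending.pop(token, None)   # one attempt per token; a wrong code voids it
        if entry is None:
            return ("reject", None, None)
        rec, expected = entry
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return ("reject", None, None)
        self.outbox.append((rec["email"], "Your personal data export is attached"))
        return ("send", rec["email"], rec)


if __name__ == "__main__":
    # Constructed impostor: knows only the victim's name, supplies their own inbox.
    impostor = DSAR(claimed_name="alice example", reply_to="mallory@attacker.invalid")
    print(weak_intake(impostor))      # ('send', 'mallory@attacker.invalid', {...})
    svc = HardenedIntake()
    print(svc.open(impostor))         # {'status': 'under_review'}
```

The hardened path still has an operational gap the code cannot close: if the attacker has already taken over the mailbox on file, the code and the export both go to them. Matching on several attributes and delivering only to known channels raises the bar from "knows a name" to "controls the victim's account", which is the level at which the organization's existing account-security controls apply.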

Author: Ciaran Mahon, Consultant – eDiscovery & Digital Forensics