PONT Data&Privacy
AP fine for Social Insurance Bank: importance of 'risk-based' security level

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a fine of 150,000 euros on the Sociale Verzekeringsbank (SVB) for inadequate identity checks by its telephone helpdesk (1). Because of this inadequate check, SVB customers receiving AOW (state pension) benefits ran the risk that (sensitive) information about them would end up with unauthorized persons. This fine, imposed for inadequate identification, appears to be at odds with an earlier AP fine for "over-identifying" data subjects. In this blog, we discuss the AP's fine decision against the SVB and provide some practical tips for establishing and implementing an appropriate security and authentication policy.

April 21, 2023

Legal Articles

Legal Articles

Fine SVB

The AP concludes in its fine decision that the SVB, in the context of telephone customer contact, did not take sufficient appropriate measures to ensure a level of security commensurate with the risk of its processing activities. This constitutes a violation of Article 32 of the AVG (the Dutch implementation of the GDPR). The AP emphasizes that a thorough "risk inventory" is necessary to identify and assess the risks associated with the processing activities. Only on that basis can an organization implement a security policy, in line with the AVG, that is tailored to the risks of its own processing activities. The SVB did not have an adequate risk inventory.

According to the AP, in this particular case such an inventory by the SVB should have shown that the risks associated with the telephone service had to be classified as "high." Factors that weigh in this assessment are (i) the scope of the processing (all AOW customers), (ii) the nature of the data processed (including financial and criminal data), (iii) the large number of employees who have access to these data (all 1,500 service employees), and (iv) the frequency of telephone contact with the SVB (on average 20,000 calls per week). In its (14-year-old) risk analysis, the SVB did mention the risk of a caller falsely posing as a client, but it did not identify all the risks, did not address the (severity of the) adverse consequences, and did not assess the likelihood of the risk materializing. Moreover, the AP concludes not only that the risk analysis is incomplete, but also that it is very dated, because there had been no interim reassessment.

The AP goes on to find that the measures taken by the SVB were inadequate in three respects: customer authentication during telephone contact, employees' awareness of the authentication policy, and monitoring of compliance with it. Finally, regarding the implementation costs of appropriate security measures, the AP notes that these are not disproportionate. Cost is one of the factors weighed in assessing whether security measures are "appropriate."

Key take-aways

The fine decision provides guidance on how to properly establish appropriate security measures. It also yields some key take-aways that are useful for organizations when verifying the identity of data subjects, such as customers.

First, it is important to draw up a risk inventory that identifies and documents the specific risks of the processing operation(s). Appropriate security measures must then be derived from the likelihood of each risk materializing and the severity of the adverse consequences for the data subjects if it does. More specifically with respect to (telephone) authentication of customers, the AP emphasizes the importance of establishing an unambiguous authentication policy, for example with standard verification questions and guidelines on how to handle situations in which there is doubt about the identity of the caller. Employees must also be aware of their responsibilities, for example through regular (mandatory) training on the internal security policy, not only when they are hired, so that they stay abreast of the most recent instructions. Furthermore, internal compliance with such security measures (often laid down in a policy) should be checked regularly, for example by working with fixed mandatory formats for telephone notes that record how identity was established. Finally, it is important to review this documentation regularly and renew it where necessary, especially when business processes are new or changed, or when relevant developments in the market or technology warrant it.
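As an added illustration of those take-aways, not code from the SVB, the AP or this blog, the following example sketches how a helpdesk tool could enforce a telephone authentication policy of the kind described: a fixed set of standard verification questions, a defined outcome when there is doubt (escalate rather than disclose), a mandatory call-note format that records how identity was established, and a compliance check over a batch of notes. The question set, thresholds, customer record and note fields are all assumptions made for the example; the hashed comparison of answers is likewise an assumption about how such a tool might avoid storing answers in clear.

```python
"""Hypothetical telephone-authentication policy with structured call notes.

Added example; not the SVB's system. All identifiers, thresholds and data below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac

# Standard verification questions of the (hypothetical) policy. A caller must
# answer all of them correctly before any account information is disclosed.
STANDARD_QUESTIONS = ("dob", "postcode", "iban_last4")
# With at least this many correct answers the policy treats the call as
# "doubt": no disclosure, but escalation (e.g. call back on the number on file).
ESCALATION_THRESHOLD = 2


def _fingerprint(value: str) -> str:
    """Normalise and hash an answer so the tool stores no plaintext answers (assumption)."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample customer record; not real data.
CUSTOMERS = {
    "C-1001": {
        "dob": _fingerprint("1950-03-12"),
        "postcode": _fingerprint("1234AB"),
        "iban_last4": _fingerprint("4321"),
    },
}


@dataclass
class CallNote:
    """Fixed telephone-note format: the verification outcome is a mandatory field."""
    note_id: str
    customer_id: str
    agent_id: str
    verification: str          # "verified" | "escalated" | "refused"
    questions_matched: int
    disclosed_information: bool = False
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat()
    )


def verify_caller(note_id: str, customer_id: str, answers: dict, agent_id: str) -> CallNote:
    """Apply the standard questions and return a call note with the outcome filled in."""
    record = CUSTOMERS.get(customer_id)
    if record is None:
        # Unknown id: refuse, without revealing whether the id exists.
        return CallNote(note_id, customer_id, agent_id, "refused", 0)
    matched = sum(
        1
        for q in STANDARD_QUESTIONS
        if q in answers and hmac.compare_digest(record[q], _fingerprint(answers[q]))
    )
    if matched == len(STANDARD_QUESTIONS):
        status = "verified"
    elif matched >= ESCALATION_THRESHOLD:
        status = "escalated"   # doubt: do not disclose, route to a callback/written channel
    else:
        status = "refused"
    return CallNote(note_id, customer_id, agent_id, status, matched)


def audit_call_notes(notes) -> list[str]:
    """Compliance check over a batch of notes.

    Flags (a) notes whose verification field holds a value outside the policy and
    (b) notes where information was disclosed without a 'verified' outcome.
    """
    allowed = {"verified", "escalated", "refused"}
    findings = []
    for n in notes:
        if n.verification not in allowed:
            findings.append(f"{n.note_id}: verification value '{n.verification}' not in policy")
        elif n.disclosed_information and n.verification != "verified":
            findings.append(
                f"{n.note_id}: information disclosed after '{n.verification}' by {n.agent_id}"
            )
    return findings


if __name__ == "__main__":
    ok = verify_caller("N1", "C-1001",
                       {"dob": "1950-03-12", "postcode": "1234ab", "iban_last4": "4321"}, "agent-17")
    ok.disclosed_information = True            # allowed: caller was verified
    doubt = verify_caller("N2", "C-1001",
                          {"dob": "1950-03-12", "postcode": "1234AB", "iban_last4": "0000"}, "agent-17")
    doubt.disclosed_information = True         # policy breach: agent answered anyway
    unknown = verify_caller("N3", "C-9999", {"dob": "1950-03-12"}, "agent-17")
    for finding in audit_call_notes([ok, doubt, unknown]):
        print(finding)
```

The point of the structured note is that the compliance check in `audit_call_notes` becomes mechanical: because every note must carry a verification outcome and a disclosure flag, a periodic review can list every call in which information was given without a completed verification, which is exactly the kind of monitoring the AP found missing.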

Limits to authenticating customers

Furthermore, we note, specifically in the context of authentication and authentication policy, that an organization must not go so far as to request or collect more personal data than necessary for the sole purpose of authentication. Last year the AP imposed a fine for (unnecessarily) requesting a copy of an identity document as a means of establishing a person's identity after receiving a request for access or erasure. This method not only resulted in too much (personal) data being (unlawfully) processed (sometimes including BSNs, the Dutch citizen service number), but also made it too complicated for data subjects to exercise their privacy rights, in violation of Article 12(2) of the AVG. Although strictly speaking this case was not about setting up an appropriate security policy, it is relevant because it shows that organizations must ensure that the measures they take do not themselves result in unnecessary data processing.

More generally, according to the AP, requesting a copy of an identity document should always be handled with caution. The AP takes the position that even if parts of the identity document are masked, a "copy passport" is often too heavy a means of establishing the identity of data subjects.

Conclusion

Unfortunately, there is no "one-size-fits-all" security policy. Which technical and organizational measures can be considered appropriate always depends on the risk of the processing operation(s) and must be assessed on a case-by-case basis. In all cases, it is important for organizations, as part of their accountability under the AVG, to properly document and keep up to date the security policy, the associated risk assessment and the choices made on the basis of it.

  1. https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-svb-na-gebrekkige-identiteitscontrole
