Skip to Main Content
Main Menu

Automated DSR Fulfillment to Avoid Denial of Service Attacks

Annie Greenley-Giudici

In the wake of GDPR, law firm Squire Patton Boggs reported a “sharp increase” in the number of UK residents who initiated data subject access requests (DSARs), fulfilling the same number of DSARs in the first five months of 2019 as they’d handled during the entire year of 2018.

CCPA data subject requests (DSRs) will likely have the same effect on California-based organizations. With a 45-day deadline for fulfillment, companies that don’t implement automated DSR fulfillment are at an increased risk of Denial of Service (DoS) attacks.

How Are Denial of Service Attacks Performed?

DoS attacks happen when legitimate users are unable to access information systems, devices, or other network resources due to cyber criminal activity that floods a host or network with traffic until it cannot respond or simply crashes, preventing access to email, online accounts, and websites.

These attacks disrupt a company’s online presence by keeping its web servers so busy with network requests that they cannot load web pages or Internet resources, costing organizations time and money. In contrast, their resources and services are inaccessible.

A DoS Attack Can Happen When a Company is Inundated with DSRs

It overwhelms the CSR and IT staff, who are forced to respond to requests manually and eventually reach a breaking point in which the company can’t safely respond to requests within the required timeline.

With CCPA right around the corner, there’s no time like the present to start thinking about your company’s plans to circumvent DoS attacks and streamline DSR processes.

According to the new regulations the process must now include identity verification prior to fulfilling each request.

Technology can help teams automate manual processes, which helps save time and promote consistency.

But it’s important for businesses to be aware of potential DSR threats like DoS attacks that can jeopardize fulfillment and result in both frustration and noncompliance.

Lessons Learned from GDPR

Many companies started preparing for GDPR by hiring lawyers and consultants to conduct privacy impact assessments (PIAs), data mapping, understanding workflows, manually surveying data sets, and introducing internal guidelines.

These steps were certainly helpful and necessary, but because the work had to be applied to multiple sets of data repositories, companies found they were duplicating efforts over and over.

Operationalizing CCPA with automation requires companies to leverage existing IT security tools and systems (e.g., SIEM, ticketing, data governance).

Thus, it’s critical to get buy-in from CTOs, CISOs, CPOs, and data governance teams from the beginning in order to execute processes correctly the first time.

Taking the time to prepare and automate DSR fulfillment processes can help mitigate the onslaught of DSRs, which result in DoS attacks.

GDPR Rights of the Data Subject

GDPR Chapter III, Rights of the Data Subject outlines the requirements. Article 12 through Article 23 cover areas such as Article 17 – Right to erasure (‘right to be forgotten’), which has been the hot topic of discussion.

Questions such as What if my company doesn’t have the technology to read that data anymore? have left privacy teams stumped.

You can get started in answering this question by following these steps:

  • Ensure fundamental understanding of what data you process.
  • Establish a process to intake requests (one that is easy on the individual and ensure this process is well-communicated throughout the organization.
    • A request may come in from many routes and the person receiving that request needs to understand that a request is being made. Individuals typically won’t understand or use the exact verbiage in the law).
  • Once the request is received, have a process to review it, evaluate the data referenced, the reasons for processing the data, and evaluate any exceptions.
  • Have a response process.
  • Have an appeals process that goes beyond the individual whose request was denied.
  • Retain documentation throughout the process.

Coordinated Data Subject Requests

Through the use of social media, online networking platforms, and other less obvious sources, many data subjects can quickly and easily coordinate to submit DSRs on behalf of people who may or may not exist, all at the same time.

The most recent example of this was executed under GDPR law, when Blizzard Entertainment stripped the World of Warcraft Tournament Champion of his title after publicly claiming support for Hong Kong protesters, which triggered the gaming community.

Multiple gaming sites, and even Reddit posts like this, instructed angry gamers who were upset with Blizzard how to exercise their rights under GDPR Article 15.

The weaponization of DSRs quickly caught on, and led to an influx of requests that was very difficult for Blizzard to manage.

Even for large organizations with robust processes and automated systems for managing DSRs, such a large number of coordinated requests are likely to have a lasting impact.

Attacks tend to cause an excessive and manual workload by clogging automated systems with complicated requests.

Not limited to large corporations, the coordinated DSR attacks will actually do more harm to smaller businesses that don’t have the resources to deal with the tidal wave of requests.

But it’s important to note that even moderate levels of DSR traffic can overwhelm organizations if they’re not properly prepared.

Automated DSR Fulfillment Recommendations

The first step is to build an effective intake form for DSRs that are visible, have predefined requests that the data subject can select from, and can be automated to fulfill requests quickly.

Automation tools also exist that can help businesses centralize requests in a single dashboard, automate notifications, track deadlines, and establish processes for individuals who are involved in each step of the workflow.

The second step is to ensure that identity verification techniques, congruent with the sensitivity of the data being requested, are prominently integrated at the very beginning of the DSR process.

This action alone can weed out bad actors and bots attempting to flood business systems with requests.

The more sensitive the data being requested (think: banking, insurance, healthcare, etc.), the higher the verification assurance should be for those submitting requests.

When it comes to preventing DoS attacks, manual DSR processes that require personnel to scan hundreds of systems for every request will not cut it. It’s a big data problem.

Often in the DSR fulfillment process duplicate data sets are the primary culprits for exposure of sensitive data to unnecessary parties.

Tips to Automate DSR Fulfillment

  • Avoid creating additional copies of customer data
  • Reduce PI surface area
  • De-identify but beware of toxic combinations
  • Comply with privacy and security-by-design principles
  • Prepare for a data subject request DoS attack
  • Respond to Data Subject Requests Faster

Individual Rights Manager can help your company with GDPR compliance with regard to individual data protection rights.

This comprehensive 3-in-1 solution combines proven technology with specialized content developed by our privacy experts, and consulting help if needed.

Get the latest resources sent to your inbox

Back to Top