{"id":2902,"date":"2019-12-04T11:56:00","date_gmt":"2019-12-04T17:56:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=2902"},"modified":"2024-12-17T09:07:43","modified_gmt":"2024-12-17T15:07:43","slug":"automated-dsr-fulfillment-dos-attacks","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/automated-dsr-fulfillment-dos-attacks\/","title":{"rendered":"Automated DSR Fulfillment to Avoid Denial of Service Attacks"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tArticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

Automated DSR Fulfillment to Avoid Denial of Service Attacks<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\"\"\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tAnnie Greenley-Giudici<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

In the wake of GDPR, law firm Squire Patton Boggs\u00a0reported a \u201csharp increase\u201d<\/a>\u00a0in the number of UK residents who initiated data subject access requests (DSARs)<\/a>, fulfilling the same number of DSARs in the first five months of 2019 as they\u2019d handled during the\u00a0entire year<\/i>\u00a0of 2018.<\/p>\n

CCPA data subject requests (DSRs) will likely have the same effect on California-based organizations. With a 45-day deadline for fulfillment, companies that don\u2019t implement automated DSR fulfillment are at an increased risk of Denial of Service (DoS) attacks.<\/p>\n

How are denial of service attacks performed?<\/h2>\n

DoS attacks happen when legitimate users are unable to access information systems, devices, or other network resources due to cyber criminal activity that floods a host or network with traffic until it cannot respond or simply crashes, preventing access to email, online accounts, and websites.<\/p>\n

These attacks disrupt a company\u2019s online presence by keeping its web servers so busy with network requests that they cannot load web pages or Internet resources, costing organizations time and money. In contrast, their resources and services are inaccessible.<\/p>\n

A DoS attack can happen when a company is inundated with DSRs<\/h3>\n

It overwhelms the CSR and IT staff, who are forced to respond to requests manually and eventually reach a breaking point in which the company can\u2019t safely respond to requests within the required timeline.<\/p>\n

With CCPA right around the corner, there\u2019s no time like the present to start thinking about your company\u2019s plans to circumvent DoS attacks and streamline DSR processes.<\/p>\n

According to the new regulations the process must now include identity verification prior to fulfilling each request. Technology can help teams automate\u00a0manual processes, which helps save time and promote consistency.<\/p>\n

But it\u2019s important for businesses to be aware of potential DSR threats like DoS attacks that can jeopardize fulfillment and result in both frustration and noncompliance.<\/p>\n

Lessons learned from GDPR<\/h2>\n

Many companies started preparing for GDPR<\/a> by hiring lawyers and consultants to conduct privacy impact assessments (PIAs)<\/a>, data mapping, understanding workflows, manually surveying data sets, and introducing internal guidelines.<\/p>\n

These steps were certainly helpful and necessary, but because the work had to be applied to multiple sets of data repositories, companies found they were duplicating efforts over and over.<\/p>\n

Operationalizing CCPA<\/a> with automation requires companies to leverage existing IT security tools and systems (e.g., SIEM, ticketing, data governance).<\/p>\n

Thus, it\u2019s critical to get buy-in from CTOs, CISOs, CPOs, and\u00a0data governance\u00a0teams from the beginning in order to\u00a0execute processes correctly the first time<\/strong>.<\/p>\n

Taking the time to prepare and automate DSR fulfillment processes can help mitigate the onslaught of DSRs, which result in DoS attacks.<\/p>\n

GDPR rights of the data subject<\/h3>\n

GDPR Chapter III,\u00a0Rights of the Data Subject<\/em>\u00a0outlines the requirements. Article 12 through Article 23 cover areas such as Article 17 \u2013 Right to erasure (\u2018right to be forgotten\u2019), which has been the hot topic of discussion.<\/p>\n

Questions such as\u00a0What if my company doesn\u2019t have the technology to read that data anymore?<\/em>\u00a0have left privacy teams stumped.<\/p>\n

You can get started in answering this question by following these steps:<\/strong><\/p>\n