Surveys show that very few people choose passwords that are strong enough, and many prefer to use the same password on multiple, or even all, online platforms. Much as with PIN codes, where 1-2-3-4 and other easily guessable combinations are the most popular ones, we are not careful enough about choosing the right passwords.
If users often do very little to protect themselves properly in the online environment, what can service providers or data controllers do to increase the security of data processing, subject to the relevant data protection rules?
GDPR introduces integrity and confidentiality as an important principle of data protection. The principle of integrity and confidentiality means that “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
In practice, integrity and confidentiality are maintained essentially through the implementation of data security. To do this, the entire data processing operation must be designed and developed in accordance with the principles of privacy by design and by default.
The GDPR contains the following definition regarding privacy by design: "Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."
According to the principle of privacy by default: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.”
Data processing that is designed and executed in accordance with the above principles may be capable of protecting the integrity and confidentiality of personal data. Measures to protect data may also include the development of an appropriate password protection system that ensures that unauthorized access is minimized.
Article 32 of the GDPR, building on the principles of confidentiality and integrity, lays down data security obligations and general requirements for data controllers and processors. It is important to emphasize that compliance with data protection and data security requirements is not a one-time task but an ongoing obligation for data controllers and data processors: the solutions developed must be periodically monitored and reviewed and, if necessary, adapted to technological changes and other circumstances.
What follows from the above general obligations regarding passwords?
GDPR does not contain any specific provision for passwords. This would be pointless, as it is necessary to define the appropriate protection measures in relation to the particularities of the given data processing activities, including the development of solutions for proper password protection.
The ICO has recently published a guide on passwords for online services, based on the GDPR rules. This guide can be a useful tool for developing appropriate data security solutions.
The first step in creating an appropriate authorization or authentication system in an online environment is to examine whether password-based access is the right solution at all, or whether another technology would be more secure.
If the controller decides to create a system with password protection, among others, the following aspects should be considered:
- How should the passwords be stored?
- How should the users enter their passwords?
- What requirements should be set for user passwords?
- What should the data controller do about password expirations and resets?
- What protection measures can be taken against attacks?
How should the passwords be stored?
One of the first fines based on GDPR was imposed on a data controller in Baden-Württemberg in an amount of € 20,000 for a data protection incident, which affected 330,000 users, and passwords were also stolen. The Data Protection Authority concluded that the data security requirements of the GDPR (Article 32 (1)) were breached, as the passwords were stored in plaintext and not encrypted.
Passwords must therefore be stored in a form that provides adequate security even in the event of a data breach, i.e. a suitable hashing algorithm or another equivalent mechanism must be used.
How should the users enter their passwords?
The login pages through which users enter their passwords should also be made secure (e.g. using https protection). An important aspect may be when and where passwords are encrypted (e.g. server-side or client-side encryption).
Note that preventing users from pasting passwords is usually an unnecessary measure. It generally does not enhance security but does cause difficulties for users. (You can read more about this topic on the blog of the UK National Cyber Security Centre.)
What requirements should be set for user passwords?
The controller has the ability to create a system that sets certain requirements for the passwords that can be used. The controller can specify that users may only enter passwords that contain special characters and have sufficient length. This can prevent the use of passwords that are too weak, or the use of the same passwords on different platforms, which, as the surveys show, users may otherwise be prone to do.
What should the data controller do about password expirations and resets?
Requiring password changes from time to time can make the system harder to use, and this should only be required if it is absolutely necessary for some reason. In addition to enforcing the use of a strong password, it is advisable to require a password change only in cases where this is unavoidable (e.g. after a data breach).
The process of requesting a new password or changing a password must also be secure, avoiding passwords sent via email (for example, one-time links can be used). Password reset credentials should also be time-limited.
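One way to implement the one-time, time-limited reset link just described, as an added example that is not part of the original article: the service generates an unguessable token, stores only a hash of it together with an expiry, puts the token (never the password) into the emailed link, and invalidates it on first use. The 15-minute lifetime, the class and method names and the in-memory store are assumptions for this example.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_LIFETIME_SECONDS = 15 * 60   # assumption: reset links expire after 15 minutes


class PasswordResetTokens:
    """Issues single-use, time-limited reset tokens and stores only their hashes."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # token_hash -> (user_id, expires_at); in a real service this lives in the database.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Only the SHA-256 of the token is stored, so a leaked table of pending
        # resets cannot itself be used to take over accounts.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_LIFETIME_SECONDS
        self._pending[self._fingerprint(token)] = (user_id, expires_at)
        return token   # goes into the emailed link; the password itself is never emailed

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is valid and unexpired.

        The token is removed on the first attempt whether or not it was still valid,
        so a link can be used at most once.
        """
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    def pending_count(self) -> int:
        return len(self._pending)
```
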
What protection measures can be taken against attacks?
Additional security measures can be used to protect the system, such as:
- limiting or ‘throttling’ the number and frequency of incorrect login attempts;
- the use of CAPTCHAs;
- whitelisting IP addresses; and
- time limits or time delays after failed authentications.
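The first and last measures in the list above (throttling incorrect attempts and imposing delays after failures) can be combined in one piece of server-side logic. The following is an added example, not code from the original article or any referenced guidance: after a small number of free failures per account, each further failure doubles the wait before the next attempt is accepted, up to a ceiling, and failures older than a fixed window are forgotten. The thresholds, the per-account keying and the class name are assumptions.

```python
import time
from collections import defaultdict
from typing import Callable, DefaultDict, List

MAX_FREE_ATTEMPTS = 3        # assumption: failures tolerated before delays start
BASE_DELAY_SECONDS = 2.0     # assumption: first enforced delay
MAX_DELAY_SECONDS = 300.0    # assumption: ceiling so a legitimate user is never locked out for long
WINDOW_SECONDS = 900.0       # assumption: failures older than this no longer count


class LoginThrottle:
    """Tracks failed logins per identifier (e.g. account name) and computes the enforced delay."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: DefaultDict[str, List[float]] = defaultdict(list)

    def _recent_failures(self, ident: str) -> List[float]:
        now = self._clock()
        recent = [t for t in self._failures[ident] if now - t <= WINDOW_SECONDS]
        self._failures[ident] = recent
        return recent

    def retry_after(self, ident: str) -> float:
        """Seconds the caller must still wait before another attempt is accepted (0.0 = allowed now)."""
        recent = self._recent_failures(ident)
        excess = len(recent) - MAX_FREE_ATTEMPTS
        if excess <= 0:
            return 0.0
        # Exponential back-off: 2s, 4s, 8s, ... capped at MAX_DELAY_SECONDS.
        delay = min(BASE_DELAY_SECONDS * (2 ** (excess - 1)), MAX_DELAY_SECONDS)
        remaining = delay - (self._clock() - recent[-1])
        return max(0.0, remaining)

    def record_failure(self, ident: str) -> None:
        self._failures[ident].append(self._clock())

    def record_success(self, ident: str) -> None:
        # A successful login clears the counter so normal users are not penalised later.
        self._failures.pop(ident, None)
```

A login handler calls `retry_after` before checking the password and returns a "try again later" response (ideally without revealing whether the account exists) whenever the value is greater than zero.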
Of course, due to the specificities of the system and service in question, additional security measures may be considered.
In addition to the above, a number of other aspects need to be considered and evaluated, and, as mentioned above, it is not enough to design the system once and then "leave it" as it is: it must be continually re-evaluated against technological progress and corrected where necessary.
Finally, it is worth noting as a warning (besides the fine imposed in Baden-Württemberg) that in December 2018 the Norwegian Data Protection Authority (Datatilsynet) notified the Municipality of Bergen of its intention to impose a fine of NOK 1.6 million, because the computer system of the schools operating in the territory of the municipality did not comply with data security standards. For example, the municipality had not implemented two-factor authentication for logging in to the system, even though it knew that this should be used. (The authority will decide on the imposition of the fine in a final decision later, and before that the data controller may also present its position on the matter.)
Data security must be taken seriously by all data controllers, as it is increasingly important due to the growing availability of databases online. Data security can also be of paramount importance when examining data controllers' responsibilities, especially in case of data breaches.