The EDPB Releases Draft Practical Guidelines on Personal Data Breach Notification

Keeping the firmware, operating system and application software on the servers, client machines, active network components, and any other machines on the same LAN (including Wi-Fi devices) up to date.

Ensuring that all reasonable IT security measures are in place, are effective and regularly updated when processing or circumstances change or evolve. This includes keeping detailed logs of which patches are applied at which timestamp.

Designing and organising processing systems and infrastructure to segment or isolate data systems and networks to avoid propagation of malware within the organisation and to external systems.

The existence of an up-to-date, secure and tested backup procedure. Media for medium- and longterm back-up should be kept separate from operational data storage and out of reach of third parties even in case of a successful attack (such as daily incremental backup and weekly full backup).

Having /obtaining an appropriate, up-to-date, effective and integrated anti-malware software.

Having an appropriate, up-to-date, effective and integrated firewall and intrusion detection and prevention system.

Directing network traffic through the firewall/intrusion detection, even in the case of a home office or mobile work (e.g. by using VPN connections to organizational security mechanisms when accessing the internet). 

Training employees on the methods of recognising and preventing IT attacks. The controller should provide means to establish whether emails and messages obtained by other means of communication are authentic and trustworthy. Employees should be trained to recognize when such an attack has occurred, how to take the endpoint out of the network and their obligation to immediately report it to the security officer.

Emphasize the need for identifying the type of malicious code to see the consequences of the attack and be able to find the right measures to mitigate the risk. In case a ransomware attack has succeeded and there is no back-up available, tools available such as the ones by the “no more ransom”(nomoreransom.org) project may be applied to retrieve data. However, in case a safe backup is available, restoring the data from it is advisable.

Forwarding or replication all logs to a central log server (possibly including the signing or cryptographic time-stamping of log entries).

Strong encryption and authentication, in particular for administrative access to IT systems (2FA), appropriate key and password management.

Vulnerability and penetration testing on a regular basis.

Establish a Computer Security Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT) within the organization, or join a collective CSIRT/CERT.

Create an Incident Response Plan, Disaster Recovery Plan and a Business Continuity Plan, and make sure that these are thoroughly tested.

When assessing countermeasures – risk analysis should be reviewed.

State-of-the-art encryption and key management, especially when passwords, sensitive or financial data are being processed.

Cryptographic hashing and salting for secret information (passwords) are always preferred over encryption of passwords. The use of authentication methods obviating the need to process passwords on the server-side is preferable.

Keeping the system up to date (software and firmware).

Ensuring that all IT security measures are in place, effective and regularly updated when processing or circumstances change or evolve. The controller should maintain a record of all updates performed, including also the time when they were applied.

Use of strong authentication methods like two-factor authentication and authentication servers, complemented by an up-to-date password policy.

Secure development standards include the filtering of user input (using whitelisting as far as practicable), escaping user inputs and brute force prevention measures (such as limiting the maximum amount of retries). “Web Application Firewalls” may assist in the effective use of this technique.

Strong user privileges and access control management policy should be in place.

Use of appropriate, up-to-date, effective and integrated firewall, intrusion detection and other perimeter defence systems.

Systematic IT security audits and vulnerability assessments (penetration testing).

Regular reviews and testing to ensure that backups can be used to restore any data whose integrity or availability was affected.

No session ID in URL in plain text.

Periodic implementation of training, education and awareness programs for employees on their privacy and security obligations and the detection and reporting of threats to the security of personal data

Developing an awareness program to remind employees of the most commons errors leading to personal data breaches and how to avoid them.

Establishment of robust and effective data protection and privacy practices, procedures and systems

Evaluation of privacy practices, procedures and systems to ensure continued effectiveness

Making proper access control policies and forcing users to follow the rules.

Implementing techniques to force user authentication when accessing sensitive personal data.

Disabling the company related account of the user as soon as the person leaves the company.

Checking unusual dataflow between the file server and employee workstations.

Setting up I/O interface security in the BIOS or through the use of software controlling the use of computer interfaces (lock or unlock e. g. USB/CD/DVD etc.).

Reviewing employees’ access policy (e.g. logging access to sensitive data and requiring the user to input a business reason, so that this is available for audits).

Disabling open cloud services.

Forbidding and preventing access to known open mail services.

Disabling print screen function in OS.

Enforcing a clean desk policy.

Automated locking all computers after a certain amount of time of inactivity.

Use mechanisms (e.g. (wireless) token to log on/open locked accounts) for fast user switches in
shared environments.

Use of dedicated systems for managing personal data that apply appropriate access control mechanisms and that prevent human mistake, such as sending of communications to the wrong subject. The use of spreadsheets and other office documents is not an appropriate means to manage client data.

Setting exact standards for sending letters/e-mails.

Adequate training for personnel on how to send letters/e-mails.

When sending e-mails to multiple recipients, they are listed in the ’bcc’ field by default.

Extra confirmation is required when sending e-mails to multiple recipients, and they are not listed in the ’bcc’ field.

Application of the four-eyes principle.

Automatic addressing instead of manual, with data extracted from an available and up-to-date database; the automatic addressing system should be regularly reviewed to check for hidden errors and incorrect settings.

Application of message delay (e.g. the message can be deleted/edited within a certain time period after clicking the press button).

Disabling autocomplete when typing in e-mail addresses.

Awareness sessions on most common mistakes leading to a personal data breach.

Training sessions and manuals on how to handle incidents leading to a personal data breach and who to inform (involve DPO).