The “security principle” under the General Data Protection Regulation (GDPR) requires that organizations process personal data securely by means of “appropriate” technical and organizational measures. This month, the United Kingdom’s Information Commissioner’s Office (ICO) issued new guidance focused on two specific measures the ICO recommends that companies consider in complying with the GDPR security requirements: encryption and passwords.
With respect to encryption, the ICO guidance notes that encryption is a tool that is both widely available and that can be deployed at relatively low cost. Further, the ICO notes that in numerous data security breaches, the harm caused could have been reduced or even avoided if encryption had been used. Accordingly, the guidance recommends the use of encryption for storage and transmission of personal data and suggests that the loss or destruction of unencrypted personal data may trigger regulatory action by the ICO.
In implementing an encryption policy, the ICO recommends that companies consider four factors: (1) choosing the right encryption algorithm (and regularly assessing whether the encryption method remains appropriate); (2) choosing an encryption key size that is sufficiently large to protect against an attack over the lifetime of the data; (3) choosing encryption software that meets current standards; and (4) keeping the encryption key secure, including having processes in place to generate new keys when necessary.
With respect to passwords, the ICO provides guidance on how organizational password policies can adhere to the security principle under GDPR. Among the topics addressed in the ICO guidance are recommendations for the following:
- How to store passwords?
- Recommendation: Do not store passwords in plaintext –use a suitable hashing algorithm (or other mechanism).
- How users should enter passwords?
- Ensure that login pages are protected with HTTPS or an equivalent level of protection.
- Make sure password hashing is carried out server-side, not client-side.
- Do not prevent users from pasting passwords – while often seen as a security measure, preventing pasting of passwords impedes people from using password managers effectively.
- What requirements should be set for passwords?
- Set a minimum password length, but not a maximum length.
- Allow the use of special characters, but do not mandate it.
- Utilize “password blacklisting” to prevent users from setting a common, weak password.
- What should be done about password expirations and resets?
- Do not set password expirations unless absolutely necessary – having passwords that regularly expire encourages the use of a series of weak passwords.
- Ensure that the password reset process is secure, that passwords are not sent over email, and that there are time limits on password reset credentials.
- What defenses can be put in place against attacks?
- Rate limit or “throttle” the number and frequency of incorrect login attempts.
- Consider use of “CAPTCHAs”, whitelisting IP addresses, and time limits or time delays after failed authentications.