The Conference of the Independent Data Protection Authorities of the Federal and State Governments (DSK, Data Protection Conference) is a body that deals with and comments on current data protection issues in Germany. One of DSK’s main tasks is to achieve uniform application of European and national data protection law. Although DSK resolutions and statements are non-binding, data protection managers must take them into account when implementing the statutory provisions, because these resolutions and statements set out in detail how the supervisory authorities view data protection issues.
On April 5, 2019, the Data Protection Conference “Technical and Organizational Data Protection Issues” Working Group published an orientation guide on measures to be taken by online services with respect to secure access. The document is aimed at providers of online services that are processing personal data of users. Such companies fall under the provisions of the GDPR and must therefore comply in particular with the provisions on security of processing (Article 32 GDPR). This includes measures to secure access to the services. In the opinion of the data protection supervisory authorities, the measures described in the document correspond to the state of the art and guarantee effective protection of users’ personal data.
The following measures are described in the orientation guide:
- measuring and displaying password strength
- forcing password change only in special cases
- procedure for handling failed login attempts
- handling compromised services
- meaningful notifications
- secure password reset
- encrypted transmission of passwords
- encrypted storage of passwords
- securing password databases against unauthorized access
- training of employees
- offering two-factor authentication
- separation of authentication and user data
- information about password managers
- security as an integrated task
In addition to the aforementioned measures, DSK expressly refers to the recommendations of the Federal Office for Information Security (BSI) in the IT Baseline Protection Compendium on Identity and Authorization Management (such as Basic Requirement ORP.4.A8 “Rules on password use” or ORP.4.A11 “Resetting passwords”).
The recently published orientation guide deserves particular attention from online service providers because the Bavarian Office for Data Protection Supervision, as the supervisory authority, already examined at the beginning of February how website operators are handling their users’ passwords (link to the examination of the Bavarian Office for Data Protection Supervision (in German): https://www.lda.bayern.de/media/sid_ergebnis_2019.pdf). 20 very popular online services in Germany – ranging from social networks to video streaming portals and online stores – were reviewed more closely. The authority found that none of these services require strong passwords from their users and that very weak passwords such as “123456,” “password,” or even “0000” are frequently accepted. Additionally, only a small number of services offered additional security measures and assistance to protect the accounts. It is therefore more than likely that the supervisory authorities will continue to focus on whether access to such services is adequately secured and will carry out appropriate checks. In this context, the supervisory authorities expect sufficient access security measures to be implemented.
Practical tip for companies:
Providers of online services are strongly advised to review the security of access to their services taking into account the measures recommended by DSK and BSI.