The first fines issued under GDPR will hardly become storylines for the next blockbuster movie; however, they could make an appearance in a Netflix or Prime original documentary, provided they are spiced up a bit. OK, quite a lot.
The first official fines under GDPR, which came into force across Europe in May 2018, have been issued in Germany and Portugal. Initial predictions were that we would not see GDPR fines until mid or late 2019, given the length of time investigations can take and the process involved. However, the Data Protection Authority (DPA) of the German state of Baden-Württemberg and the Portuguese authority (CNPD) have acted promptly.
Both fines have a common theme – user access governance. It’s one of the basic components of any good security programme and a core element of any information security framework, like ISO 27001 or Cyber Essentials.
It’s a problem that an alarming number of organisations face. A recent study by Thycotic has highlighted that, “7 out of 10 companies would fail access control audits.” The report sums up what many in information security already knew: Companies are not developing effective internal policies, processes and controls.
Other findings in Thycotic’s 2018 report on privileged access management include:
- 64 percent of companies fail to include privileged accounts and passwords in access control policies.
- 73 percent fail to audit and remove test accounts, or to modify default accounts, before moving applications to production.
- 70 percent of organisations fail to fully discover privileged accounts and 40 percent do nothing at all to identify privileged accounts.
- 55 percent fail to revoke access after an employee is terminated.
- 70 percent fail to limit third-party access to privileged accounts.
What can be done? What can you do? It can all seem overwhelming, especially if your organisation doesn’t have a dedicated security team or individual.
First GDPR fines imposed on two companies
Taking a closer look at the GDPR fines levied in Germany and Portugal can help you learn how to reduce the risk of a breach in your organisation.
The personal information of over 330,000 users of the Knuddels chat platform was made publicly available after hackers compromised the website in September 2018.
In its breach notification, the platform provider stated that users' passwords had been stored in an unencrypted format. The Authority deemed this a violation of the obligation to implement adequate security measures (Article 32 GDPR). The €20,000 fine imposed took into consideration that the provider:
- notified the breach to the DPA and to the data subjects in due time.
- cooperated fully with the DPA.
- promptly followed the DPA's recommendations on how to raise the implemented level of data security.
An article by Dr. Ana Menezes Monteiro for the IAPP News feed reports that the Portuguese hospital Centro Hospitalar Barreiro Montijo has been fined €400,000 for:
- A violation of Article 5(1)(c), the data minimisation principle, by allowing indiscriminate access to an excessive number of users, and of Article 83(5)(a), a violation of the basic processing principles. (Fine: €150,000)
- A violation of integrity and confidentiality, through the non-application of technical and organisational measures to prevent unlawful access to personal data, under Article 5(1)(f), and also of Article 83(5)(a), a violation of the basic processing principles. (Fine: €150,000)
- A violation of Article 32(1)(b): the defendant's inability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services, and its failure to implement technical and organisational measures ensuring a level of security adequate to the risk, including a process for regularly testing, assessing and evaluating those measures. (Fine: €100,000)
The factors contributing to the violations were:
- There was no documented definition of the rules for creating users of the systems.
- Nine technical employees were assigned access rights reserved for medical staff, creating the risk that these users could consult clinical records.
- A significant excess of user accounts compared with the number of staff on HR systems (985 accounts against 296 on record).
- Access credentials that allowed any doctor to access any data at any time, regardless of speciality, which was deemed to violate the "need to know" principle and the data minimisation principle.
- Unused profiles of doctors who no longer provided services to the hospital were not maintained (that is, not removed or deactivated).
- Only 18 user accounts were inactive, and the last of them had been deactivated in November 2016.
The striking fact about this fine is that the CNPD acted upon a newspaper article and not on a complaint.
The challenge: A better approach
Both of these security incidents highlight the need for basic security controls that are clearly documented and then followed. Access Governance is a fundamental security requirement – whether physical or logical.
The more sensitive the data is to customers or staff, the more care an organisation should take in protecting it. Users should be clearly identified, access to and activity around key data should be tracked, and the user lifecycle process (starters, movers, leavers) needs to be followed.
Basic security activities that will address the fundamental security requirements expected by Data Protection Authorities include:
- User Accounts: Do not use, or strictly limit the use of, generic accounts such as ‘test’, ‘admin’ or ‘helpdesk’. These accounts do not clearly identify the individual accessing the data, which makes it impossible to assign access levels appropriate to the individual’s role and hampers tracing events if and when an incident occurs.
- Passwords: Never record or store passwords in clear text. Never. We have seen too many security incidents and data breaches in recent years where this control would have reduced the impact of the breach.
- Suitable Authorisation: Users should only be granted access to the data they need to perform their job duties, the principle of “need to know”. This requires you to a) understand the roles in your organisation and b) understand the various types of data you hold and the risks associated with each type.
- Documentation: Decide how you are going to approach your user access governance strategy, draft your policy, your minimum standards and your procedures. And once you have them written, approve and implement them.
- Implement Access Controls: Train your IT team to follow the clear procedures that you documented. Explain why it’s important that they do so and demonstrate when and how to handle exceptions to predetermined controls.
- Review, Review, Review: Some organisations’ employees remain in their roles a long time while others change regularly. Either way, you should review the access all users have at least annually. If you have a high number of privileged users (those with higher than normal access, such as the IT admin team) you should review their access at least every six months.
- Movers and Leavers: Employees change role or, sadly, leave the organisation. Make sure the move and departure process ensures that access to data, both physical and logical, is amended or deleted.
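As an added illustration of the review points above (example code written for this post, not from the article or any product), here is a small reconciliation of a directory export against an HR roster that surfaces the kinds of findings the CNPD recorded: generic accounts, accounts with no HR record, leavers still active, inactive accounts and overdue reviews. The field names, the sample accounts and the 90-day inactivity threshold are constructed assumptions; the review cadences follow the text.

```python
from datetime import date, timedelta

# Names the article singles out as generic accounts that hide who is acting.
GENERIC_NAMES = {"test", "admin", "helpdesk"}
# Review cadence from the article: every six months for privileged users, annually otherwise.
REVIEW_INTERVAL = {True: timedelta(days=183), False: timedelta(days=365)}
INACTIVITY_LIMIT = timedelta(days=90)  # assumed threshold; the article sets none

# Constructed sample data standing in for a directory export and an HR roster.
# Leavers stay on the roster with status "left" so the script can tell a leaver
# whose account survived from an account that HR never knew about at all.
TODAY = date(2019, 2, 1)
HR_ROSTER = {"E100": "active", "E101": "active", "E102": "left"}
ACCOUNTS = [
    {"user": "a.silva", "hr_id": "E100", "privileged": False,
     "last_logon": date(2019, 1, 28), "last_review": date(2018, 9, 1)},
    {"user": "b.costa", "hr_id": "E101", "privileged": True,
     "last_logon": date(2019, 1, 30), "last_review": date(2018, 6, 1)},
    {"user": "c.ramos", "hr_id": "E102", "privileged": False,
     "last_logon": date(2018, 10, 2), "last_review": date(2018, 3, 1)},
    {"user": "helpdesk", "hr_id": None, "privileged": True,
     "last_logon": date(2019, 1, 31), "last_review": None},
]


def review_accounts(accounts, hr_roster, today):
    """Reconcile accounts against HR and return findings by category (sorted names)."""
    findings = {"generic": [], "orphan": [], "leaver_still_active": [],
                "inactive": [], "review_overdue": []}
    for acct in accounts:
        name = acct["user"]
        if name.lower() in GENERIC_NAMES:
            findings["generic"].append(name)
        status = hr_roster.get(acct["hr_id"])
        if status is None:                      # no HR record behind the account
            findings["orphan"].append(name)
        elif status == "left":                  # leaver whose access was never removed
            findings["leaver_still_active"].append(name)
        last_logon = acct["last_logon"]
        if last_logon is None or today - last_logon > INACTIVITY_LIMIT:
            findings["inactive"].append(name)
        last_review = acct["last_review"]
        if last_review is None or today - last_review > REVIEW_INTERVAL[acct["privileged"]]:
            findings["review_overdue"].append(name)
    return {k: sorted(v) for k, v in findings.items()}


def headcount_gap(accounts, hr_roster):
    """Accounts versus active staff: the gap the CNPD flagged (985 accounts, 296 staff)."""
    active_staff = sum(1 for s in hr_roster.values() if s == "active")
    return len(accounts), active_staff
```

Run `review_accounts(ACCOUNTS, HR_ROSTER, TODAY)` against a real export and the orphan and leaver lists are the ones to action first; the headcount gap is the single number worth reporting to management each review cycle.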
Get started and keep it simple
Experienced information security professionals can relay countless stories of overly complicated or sloppy user access governance. Thankfully, though, they will also have a collection of organisations where access governance was done simply, efficiently and with great effect. We have now seen that Data Protection Authorities will start with security basics when assessing an organisation’s compliance with Article 32 of GDPR. They have demonstrated how they look at security practices that “ensure a level of security appropriate to the risk” (Article 32(1)).
Thankfully, less than a year in, the message is now becoming clearer than ever. Start with basic security practices, keep them simple, keep them relevant and follow through on your actions.
This blog and its content is provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation – no two organisations are alike.