On 13 February 2019, the data protection officer for the German state of Baden-Wuerttemberg published a guideline on password security under the EU General Data Protection Regulation (GDPR). The guideline aims to advise data controllers (e.g., service providers, administrators) on how to set up effective password policies and securely store passwords, and data subjects (users) on how to choose secure passwords.
The guideline acknowledges that a password-username authentication is a technical and organizational measure pursuant to Art. 32 of the GDPR, and that data controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk that the processing would otherwise present to individuals. Such measures must, inter alia, include the ability to ensure the ongoing confidentiality and integrity of processing systems and services. Thus, passwords should never be stored unencrypted. Data controllers should also consider implementing a two-factor authentication and to protocol failed attempts to log into a user’s account. The guideline also recommends that data controllers and processors give guidance to their users on how to set up secure passwords and, as a best practice, implement minimum requirements for users to set and to periodically update their passwords. For failing to comply with these requirements, data controllers and processors can be subject to fines up to EUR 10,000,000 or 2 percent of an undertaking’s total worldwide annual turnover, whichever is higher (Art. 83(4)(a) GDPR).
For the user, the guideline recommends that he or she use different passwords for each account. The differences between each password should be substantial, and a secure password should contain at least 12 characters, including capital letters, digits and punctuation. The guideline also recommends that users lie when setting answers to security questions.
This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated YouTube channel.