https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf
Adopted on 14 December 2021
Version 2.0
- mentions a controller internal “Handbook of Handling Personal Data Breach” (as good practice)
- internal documentation required for each and every breach (regardless of risk)
 
includes:
2 RANSOMWARE
2.1 CASE No. 01: Ransomware with proper backup and without exfiltration
2.2 CASE No. 02: Ransomware without proper backup
2.3 CASE No. 03: Ransomware with backup and without exfiltration in a hospital
- Notification to SA, Communication to Data Subjects
 
2.4 CASE No. 04: Ransomware without backup and with exfiltration
- Notification to SA, Communication to Data Subjects
 
2.5 Organizational and technical measures for preventing / mitigating the impacts of ransomware attacks
- Patch management
- Network/system segmentation
- Backups
- Malware controls
- Network security (firewall, IDS)
- Phishing training
- Forensics (identify the type of malicious code, -> nomoreransom.org)
- Central log server
- Strong encryption and MFA (multi-factor authentication), esp. for admins; appropriate key and password management
- Vulnerability/penetration testing
- CSIRT/CERT team
- Reviews/tests/updates of risk analysis
 
3 DATA EXFILTRATION ATTACKS
3.1 CASE No. 05: Exfiltration of job application data from a website
- Notification to SA, Communication to Data Subjects
 
3.2 CASE No. 06: Exfiltration of hashed password from a website
3.3 CASE No. 07: Credential stuffing attack on a banking website
- Notification to SA, Communication to Data Subjects
 
3.4 Organizational and technical measures for preventing / mitigating the impacts of hacker attacks
- Strong encryption, key management. Hashed/salted passwords. Prefer authentication controls without the need to process passwords on the server
- Patch management
- Strong authentication methods (e.g. 2FA), up-to-date password policy
- Secure Software Development standards (input validation, brute force controls). Web Application Firewalls (WAF) might help.
- Strong user privileges and access control management policy
- Network security (firewall, IDS)
- Security audits and vulnerability assessments
- Backup controls are reviewed and tested
- No session ID in URL in plain text
 
4 INTERNAL HUMAN RISK SOURCE
4.1 CASE No. 08: Exfiltration of business data by an employee
4.2 CASE No. 09: Accidental transmission of data to a trusted third party
4.3 Organizational and technical measures for preventing / mitigating the impacts of internal human risk sources
- Privacy and security awareness training
- Data protection practices, procedures and systems (robust, effective, evaluated and improved)
- Access control policies
- User authentication when accessing sensitive personal data
- Revocation of user access as soon as the user leaves the company
- Checks for unusual dataflow between servers and clients
- Technical controls on use of portable media (USB, CD, DVD, ..)
- Access policy reviews
- Disabling open cloud services
- Preventing access to known open mail services
- Disable print screen function in OS
- Enforce clean desk policy
- Automatic locking of computers after a defined time of user inactivity
- Use mechanisms (e.g. hardware tokens) for fast user switches in shared environments
- Dedicated systems for managing personal data. Spreadsheets and other office documents are not appropriate means to manage client data.
 
5 LOST OR STOLEN DEVICES AND PAPER DOCUMENTS
5.1 CASE No. 10: Stolen material storing encrypted personal data
5.2 CASE No. 11: Stolen material storing non-encrypted personal data
- Notification to SA, Communication to Data Subjects
 
5.3 CASE No. 12: Stolen paper files with sensitive data
- Notification to SA, Communication to Data Subjects
 
5.4 Organizational and technical measures for preventing / mitigating the impacts of loss or theft of devices
- Device encryption
- Use passcode/password on all devices. Encrypt all mobile devices and require a complex password for decryption
- Use multi-factor authentication
- Turn on device location services for highly mobile devices
- Use MDM (Mobile Device Management) with localization and remote wipe
- Use anti-glare filters
- Close down unattended devices
- If possible, store personal data on a central backend server, not on a mobile device
- Automatic backup of work folders of mobile clients when connected to the corporate LAN, if personal data is unavoidable there
- Secure VPN
- Locks to physically secure mobile devices while unattended
- Regulate device usage inside and outside the company
- Centralised device management (incl. controls on software installations)
- Physical access controls
- Avoid storing sensitive information on mobile devices and hard drives
 
6 MISPOSTAL
6.1 CASE No. 13: Postal mail mistake
6.2 CASE No. 14: Highly confidential personal data sent by mail by mistake
- Notification to SA, Communication to Data Subjects
 
6.3 CASE No. 15: Personal data sent by mail by mistake
6.4 CASE No. 16: Postal mail mistake (another example)
6.5 Organizational and technical measures for preventing / mitigating the impacts of mispostal
- Setting exact standards for sending letters/emails
- User training on how to send letters/emails
- Default use of bcc: to send emails to multiple recipients
- Four-eyes principle
- Automatic addressing (rather than manual)
- Use of message delay (to allow message deletion/editing after hitting the “send” button)
- Disable auto-complete when typing email addresses
- User awareness trainings on data breach causes
- Training sessions and manuals on data breach handling
 
7 OTHER CASES – SOCIAL ENGINEERING
7.1 CASE No. 17: Identity theft
- Notification to SA, Communication to Data Subjects
 
7.2 CASE No. 18: Email exfiltration (HR related data)
- Notification to SA, Communication to Data Subjects