Cybersecurity is fast becoming a significant concern for many startups in 2021 with data breaches carrying major legal ramifications. Every business must put in place appropriate technical and organizational data security measures to protect their clients’ data and prevent cyber-attacks.

Foreign countries’ practice shows that companies are generally subject to higher or lower fines for breaching GDPR for the implementation of inadequate security measures, which lead to the leak of personal data. Also, the data subjects can meanwhile ask for compensation from the company for the leak of their data.

The ECOVIS ProventusLaw Data Protection, Cyber, and IT Security, Operational Risk Team has developed prepared the following reminder how to act in case of a data breach:

Recommendations for business:

• implement breach detection, investigation, and internal reporting procedures at your company. You will be prepared in advance for crisis management, this will facilitate decision-making, responsible persons to deal with, etc.;
• keep a record of any personal data breaches and an investigation report;
• report certain personal data breaches to the relevant supervisory authority. It must be done within 72 hours of becoming aware of the breach;
• where feasible ensure fair communication with affected data subjects, explain to them how to mitigate the risks. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay;
• ensure both external and internal communication about what happened;
• make an action plan how to prevent similar issues in the future;
• train your staff;
• use salt (cryptographic) method for passwords, where certain characters are inserted in each password during encryption. In that case, stealing the password hashes would be worthless.
• ensure continuous monitoring of IT systems, improvement of cybersecurity systems;
• perform regular IT security tests or/and audits;

Recommendations for consumers: 

• to change the leaked email password;
• do not use the same passwords for different logins into different systems;
• do not use work e-mail accounts for personal services;
• use a password manager to create different passwords for all sites;
• consider changing personal documents (to prevent your data from being used for fraudulent purposes);
• warn the relatives of possible cases of fraud and false reports against them;
• do not distribute or share stolen personal data or references to it, as such behavior only contributes to the committed crime.

Such experiences also encourage businesses to take appropriate action in further activities.

20 minimum organizational and technical requirements and measures shall be implemented in each organization.

10 minimum requirements for organizational data security measures:

1. Personal data security policy and procedures. The security of personal data and their processing in the organization must be documented as part of the information security policy.
2. Roles and responsibilities. Roles and responsibilities related to the processing of personal data must be clearly defined and distributed in accordance with security policy.
3. Access control policy. Each role related to the processing of personal data must have specific access control rights.
4. Resource and asset management. An organization must have a register of IT resources used to process personal data, and the management of the registry must be assigned to a specific person.
5. Change management. The organization must ensure that all changes to the IT systems are monitored and registered by a specific person.
6. Data processors. Data controllers and processors should be defined before any personal data processing activity is initiated, document and reconcile mutual formalities. The data processor must immediately notify the controller of any personal data breach detected.
7. Personal data security breaches and incidents. An incident response plan must be established in a comprehensive manner. Violations against personal data must be immediately reported to the management and competent authorities.
8. Business continuity. The organization must establish the basic procedures to be followed in case of an incident or personal data breach, in order to ensure the necessary continuity and availability of personal data processing by IT systems.
9. Staff confidentiality. The organization must ensure that all employees understand their responsibilities and responsibilities related to the processing of personal data.
10. Training. The organization must ensure that all employees are properly informed about the security controls of IT systems related to their daily work.

10 minimum requirements for appropriate technical data security measures:

1. Access Control and Authentication. An Access Control System must be implemented for all users of the IT system. The Access Control System must allow the creation, validation, revision, and removal of user accounts. Shared user accounts must be avoided.
2. Technical journal entries and monitoring. The records of technical journals must be implemented for each IT system, application program used for processing personal data. Technical journals must display all possible types of access to personal data records (such as date, time, review, change, cancellation).
3. Protection of servers, databases. The databases and application server servers must be configured to work properly and use a separate account with the lowest operating system privileges assigned. Databases and Application Servers must process only those personal data that is required for work that meets the data processing objectives.
4. Workstation protection. Users should not be able to turn off or bypass, avoid security settings. Antivirus applications and their virus database information must be updated at least weekly. Users must not have the privilege of installing, removing, administering unauthorized software. IT systems must have a set session time.
5. Network and communication security. When access to used IT systems is carried out online, it is imperative to use an encrypted communication channel, i.e. cryptographic protocols (such as TLS, SSL).
6. Backups. Backups and data restoration procedures must be defined, documented, and clearly linked to roles and responsibilities.
7. Mobile, portable devices. The procedures for administering mobile and portable devices must be identified and documented, with a clear description of the proper use of such equipment. Mobile, portable devices that will be used to work with information systems must be registered and authorized before use.
8. Software Security. Software used in information systems (processing personal data) must comply with software security best practices, software development structures, and standards.
9. Data removal. Before removing any data storage media, all data contained in it must be destroyed using software designed for that purpose, which supports reliable data-erasure algorithms.
10. Physical safety. The physical protection of the environment, premises in which the IT system infrastructure is located, must be implemented from unauthorized access.

The implementation of these requirements will help organizations to ensure compliance with the General Data Protection Regulation. It is important to note, depending on the activities and collected data, the organizations shall implement additional measures to protect their clients‘ personal data.

Recommendations are prepared by certified as Information Privacy Professional/Europe by the International Association of Privacy Professionals (IAPP) ECOVIS ProventusLaw Data Protection Team Lead – attorney at law Ms. Loreta Andziulytė (CIPP/E).