In this blog entry we will demonstrate some measures, such as device encryption, that limit the damage when a portable device (a laptop computer, a smartphone, a tablet or an external storage device) is lost or stolen.
What are the risks involved in using these devices?
In a completely globalised and interconnected world, it is normal to have to exchange information or access and use it at multiple locations and in a flexible manner, both at a personal as well as a professional level.
Portable devices have become popular due to their versatility and affordable prices, as they make it easy for us to access work reports, presentations that we are scheduled to make, photos, or any other information that we are required to use flexibly from multiple devices. Smartphones, tablets and laptop computers are essential work tools in this day and age.
Portability, which is the main advantage of these devices, is also an additional risk factor, given the possibility of their loss or theft. Let’s not forget that these devices, like any other IT equipment, are susceptible to risks that must be dealt with adequately.
In the case of loss or theft of a portable device, we are faced with a breach of confidentiality, due to possible unauthorised access to the data stored on the device, and/or a breach of availability, if no backup copy of the data exists. Such incidents account for approximately 22% of the data breach notifications received by the AEPD, which is why it is worthwhile to review the security measures that may help to mitigate the consequences of the loss or theft of this type of device.
As a general rule and in accordance with the GDPR principle of data minimisation, personal data stored/processed on portable devices and their remote access must be minimised as much as possible.
There are three security measures that are especially effective in minimising possible damages caused by a data breach owing to the loss or theft of a portable device.
Encrypting the data on the portable device is an effective measure against unauthorised access in case of loss or theft. Bear in mind that encrypted personal data is still personal data: encryption reduces the risk of a breach, it does not take the data out of the scope of the GDPR. Note also that encryption protects data at rest, that is, while the device is powered off or locked; a device lost while unlocked and in use offers the same access as an unencrypted one.
Keeping a copy of the data on another device or medium (a backup copy) is an effective measure against loss of availability.
A strong lock-screen password and/or user authentication on the device, with the credentials stored securely. On its own, an unlock credential does not protect the data at rest: without encryption the storage can be removed and read directly. This last measure does not apply to removable storage devices, which have no lock screen.
These three measures address different aspects of device security, which is why they must be used together.
In most modern smartphones and tablets encryption is enabled by default; even so, we must verify that it is actually active and that the unlock credential which protects the encryption key is strong enough. On laptops, full-disk encryption (BitLocker, FileVault, LUKS) usually has to be enabled explicitly, and its status should be checked rather than assumed.
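As an added example (not part of the AEPD post), the following script shows how a Linux laptop's claim of "encryption enabled" can be verified rather than assumed: it parses the key="value" output of lsblk and walks from the mounted filesystem up through its parent devices to see whether any layer is a dm-crypt (LUKS) mapping, which also covers the common LVM-on-LUKS layout. The device names, the volume group and the two sample lsblk outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the AEPD post): verify that a Linux laptop's
# filesystem really sits on an encrypted (dm-crypt/LUKS) volume.
# Parses the output of:  lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT
# Live use:  is_encrypted_mount "$(lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT)" /

# Print "crypt" if the device mounted at $2, or any of its parent devices,
# is a dm-crypt mapping; "plain" if mounted but nowhere encrypted;
# "unmounted" if nothing is mounted at $2. $1 is the lsblk -P output.
encryption_status() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        {
            name = ""; type = ""; pk = ""; mount = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                val = kv[2]; gsub(/"/, "", val)
                if (kv[1] == "NAME")       name  = val
                if (kv[1] == "TYPE")       type  = val
                if (kv[1] == "PKNAME")     pk    = val
                if (kv[1] == "MOUNTPOINT") mount = val
            }
            T[name] = type; P[name] = pk
            if (mount == mp) start = name
        }
        END {
            # Walk up the device chain (e.g. lvm -> crypt -> part -> disk).
            for (n = start; n != ""; n = P[n])
                if (T[n] == "crypt") { print "crypt"; exit }
            print (start == "" ? "unmounted" : "plain")
        }'
}

# Exit 0 only if the filesystem at $2 is backed by an encrypted layer.
# A "crypt" layer proves the volume is encrypted, not that the passphrase
# protecting its key is strong; that is a separate check.
is_encrypted_mount() {
    [ "$(encryption_status "$1" "$2")" = "crypt" ]
}

# Constructed sample outputs in the shape of `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT`.
LAPTOP_LVM_ON_LUKS='NAME="nvme0n1" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" PKNAME="nvme0n1" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" PKNAME="nvme0n1" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" PKNAME="nvme0n1p2" MOUNTPOINT=""
NAME="vg-root" TYPE="lvm" PKNAME="cryptroot" MOUNTPOINT="/"
NAME="vg-swap" TYPE="lvm" PKNAME="cryptroot" MOUNTPOINT="[SWAP]"'

LAPTOP_PLAIN='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT="/"'

for mp in / /boot/efi; do
    echo "LVM-on-LUKS laptop, $mp: $(encryption_status "$LAPTOP_LVM_ON_LUKS" "$mp")"
done
echo "Unencrypted laptop, /: $(encryption_status "$LAPTOP_PLAIN" /)"
```

The EFI system partition (/boot/efi) is reported as plain, which is expected: the boot loader must be readable before the passphrase is entered, so nothing sensitive should be stored there. The equivalent status checks on other platforms are `fdesetup status` on macOS, `manage-bde -status` on Windows and `adb shell getprop ro.crypto.state` on Android, which should report `encrypted`.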
For more information on these security measures, consult Section 1 of the Guide to Privacy and Security of the AEPD.
In any case, before using portable devices, all organisations must regulate their use in the security policy, based on an analysis of the risks depending on the specific characteristics of its data processing.
The security policy must state whether their use is permitted and, if so, the measures to be applied to minimise the risks: which devices may be used; what information may be stored on them, which categories of data and up to what volume; authorising only the devices that are strictly necessary; keeping an inventory of them; guaranteeing the security of the devices and of the equipment they connect to; and training employees and raising their awareness of the risks, of encryption and of backup copies. Above all, the risk of loss or theft of these devices must be factored in, and an action plan for a rapid and effective response must be drawn up.
Both the effectiveness of the applied measures, and the convenience of using these devices or their replacement with other solutions must be subjected to periodic checks within the risk management plans of the organisation.
What to do in case of loss or theft?
Once we are aware of the loss or theft of a device, we must act as soon as possible.
If the device contains personal data, the obligations laid down in Articles 33 and 34 of the GDPR must be fulfilled at the very least. Generally, the first step will be to notify the data controller so that it can activate the action plan. The controller must know exactly what information was stored on the device and have an action plan to manage the security incident.
In particular, if the security breach affects personal data, the AEPD must be notified when the breach is likely to result in a risk to the rights and freedoms of natural persons, without undue delay and no later than 72 hours after the controller becomes aware of it, and the data subjects must also be informed when that risk is likely to be high.
The assessment of these circumstances and the decision to notify the AEPD and the data subjects are the responsibilities of the data controller.
Generally, for removable storage devices, provided that the device is encrypted with a cryptographically secure algorithm, the encryption key is strong and has not been compromised, and a backup copy of the data is available, it may be deemed that the confidentiality and integrity of the data have not been compromised, and it is therefore not necessary to notify the AEPD or the data subjects of the breach; the main remaining risk is the loss of availability of the information, which the backup covers. This reasoning only holds if the key really was not exposed together with the device: a passphrase written on a note kept in the same bag, or a key file stored on the same drive, means the data must be treated as readable.
In the case of devices with an operating system, such as smartphones, tablets and laptop computers, before deciding whether to notify the data breach it must be assessed whether the user authentication mechanisms and credentials of the operating system, or the unlock pattern/PIN on smartphones and tablets, are sufficiently strong and have not been compromised. Note that on a laptop a login password on its own only protects a running session: unless the storage is encrypted, the disk can be removed or booted from another medium and read directly, so the assessment should rest on whether encryption was active and the credential protecting its key was strong.
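The condition above, that a removable device is "encrypted with a cryptographically secure algorithm" with a strong key, can be checked from the LUKS header of the drive before a decision on notification is taken. The following script is an added example, not the AEPD's code: it parses the output of `cryptsetup luksDump` and applies a policy (an assumption for this example) of LUKS2, aes-xts-plain64 with a 512-bit XTS key (AES-256) and a memory-hard key derivation function (argon2id or argon2i). The three header dumps are constructed and abridged to the fields the check reads.

```shell
#!/bin/sh
# Added example (not from the AEPD post): check a LUKS header against a
# "strong encryption" policy using the output of `cryptsetup luksDump <dev>`.
# Policy (an assumption for this example): LUKS2 header, aes-xts-plain64,
# 512-bit XTS key (two 256-bit AES keys), memory-hard PBKDF (argon2id/argon2i).
# Live use:  luks_meets_policy "$(sudo cryptsetup luksDump /dev/sdX)"

# Print the value of the first "Field: value" line whose field name equals $2
# (case-insensitive, surrounding whitespace ignored). Prints nothing if absent.
luks_field() {
    printf '%s\n' "$1" | awk -v key="$2" -F: '
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Print one line per policy violation; prints nothing if the header is fine.
luks_policy_violations() {
    dump="$1"
    ver=$(luks_field "$dump" "Version")
    if [ "$ver" != "2" ]; then
        echo "header version ${ver:-unknown}: LUKS1 only supports PBKDF2, reformat as LUKS2"
        return
    fi
    cipher=$(luks_field "$dump" "cipher")
    [ "$cipher" = "aes-xts-plain64" ] || echo "cipher '$cipher' (want aes-xts-plain64)"
    bits=$(luks_field "$dump" "Key" | awk '{print $1}')
    [ "${bits:-0}" -ge 512 ] || echo "key size ${bits:-unknown} bits (want 512 for XTS, i.e. AES-256)"
    pbkdf=$(luks_field "$dump" "PBKDF")
    case "$pbkdf" in
        argon2id|argon2i) ;;
        *) echo "PBKDF '$pbkdf' (want argon2id; pbkdf2 is cheap to brute-force on GPUs)" ;;
    esac
}

# Exit 0 only if the header has no policy violations.
luks_meets_policy() {
    [ -z "$(luks_policy_violations "$1")" ]
}

# Constructed, abridged sample dumps in the shape of `cryptsetup luksDump`.
LUKS2_STRONG='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576'

LUKS2_WEAK_KDF='LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000'

LUKS1_LEGACY='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512'

report() {   # $1 label, $2 dump text
    if luks_meets_policy "$2"; then echo "$1: OK"
    else echo "$1: FAIL"; luks_policy_violations "$2" | sed 's/^/  - /'; fi
}
report "LUKS2 argon2id" "$LUKS2_STRONG"
report "LUKS2 pbkdf2"   "$LUKS2_WEAK_KDF"
report "LUKS1 header"   "$LUKS1_LEGACY"
```

To format a removable drive so that it passes this check, use `cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 --pbkdf argon2id /dev/sdX` and then confirm with `luks_meets_policy "$(sudo cryptsetup luksDump /dev/sdX)"`. The header check says nothing about the passphrase itself, nor about whether it travelled with the drive; both remain part of the assessment described above.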
In any case, the details of the data breach must be included in the organisation’s register of security incidents.