Which type of 2FA do I need to use under the GDPR in the Netherlands?

It happens on a daily basis: a client has completed treatment and the associated data needs to be transferred. And the data transfer needs to be secure. How do you make that happen? In order to hand off client data to the next step in the process, the nurse will have to send the client’s file to another organisation. This file contains quite a lot of information, including the client’s Citizen Service Number, and is therefore classified as sensitive information. The General Data Protection Regulation (GDPR) states that appropriate data security is mandatory. If the nurse sends the file as an email attachment, it is not secure. Besides how easy it would be to accidentally send the message to the wrong recipient, the recipient could also easily forward the message, or leave their laptop unlocked. As a result, unauthorised parties could have access to the file. If that happens, you are dealing with a data leak.

But what would be a secure way to share sensitive data? Case studies are still inconclusive. When can you say that security is appropriate? Do the security measures that need to be taken depend on the data you are protecting? Perhaps future court cases will lead to more clarity on this topic, but it would be best not to wait for jurisprudence before taking steps to secure the data.

Two-factor authentication

So how do you send sensitive information securely? To make that possible, your organisation needs to start using TLS, encryption and two-factor authentication. This blog will discuss the various forms of two-factor authentication. Two-factor authentication or 2FA is a security technique that uses two factors to protect a computer system or to verify a person’s identity. It operates on the principle that a single factor is not sufficient.

In 2FA, security is safeguarded by a combination of multiple factors, such as:

- Something that the user knows. That is usually a combination of a user name and password, or a PIN code.

- Something that the user has. For instance, a verification code sent by text message to the user’s phone, an app that generates single-use codes or passwords, a hardware token or a card.

- Something that the user is. This category covers security measures based on user biometrics, such as facial recognition (like the iPhone X), a fingerprint or an iris scan.

So there are multiple 2FA options to protect data. For instance, a password and verification code by text message, a password and fingerprint, or a PIN code and a card. What combination do you use for different types of information?

What do government bodies say about 2FA?

In addition to legislation, there is a considerable amount of supplementary documentation available from government bodies regarding protection of personal data. In these publications, the government provides further guidance on the use of 2FA.

In 2016, for example, the Dutch Data Protection Authority (Dutch DPA) specifically indicated that hospitals need to use 2FA in patient portals:

‘That is why hospitals need to use two-factor authentication. That means that it is not considered secure enough when patients log in with just a user name and password, but that an additional means of verification is necessary. For instance a token or a code sent by text message.’

It can be concluded that the Dutch DPA believes that medical data, which is sensitive personal data according to the GDPR, needs to be secured with 2FA. The Dutch DPA provides examples, but they do not clearly describe what 2FA should look like. The National Cyber Security Centre (NCSC) provides more clarity on 2FA. In a factsheet from 2015, the NCSC states:

‘The NCSC advises using two-factor authentication whenever possible. Another name for this is two-step verification. It consists of authentication by means of two factors from different categories. An example is the use of a password and a single-use authentication code sent by text message. Another option is the combination of a fingerprint and a password. In a few cases, a third factor is added to that.’

Based on the advice of the NCSC, you could say that, for example, using two passwords is not sufficient. That means that the second security factor really needs to be in a different category than the first.

It is not documented anywhere in the law that 2FA is mandatory. There is also no legislation or case law regarding implementation of 2FA. Theoretically, you can therefore implement 2FA in various ways. However, given the clear advice of both the Dutch DPA and the NCSC, it does seem that you would be taking a huge risk if your organisation does not protect your sensitive data with 2FA. You are also running a risk if you use a type of 2FA that uses two different factors from the same category (for instance two passwords).
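As an added illustration, not code from the original post or from ZIVVER, the following Python sketch encodes the two rules discussed above: a policy check that an account's configured methods must span two different factor categories (so password plus PIN is rejected), and a login flow that verifies a password (something the user knows) and then an RFC 6238 time-based one-time code of the kind an authenticator app generates (something the user has). The method names, the user record and the time value are constructed for the example; the TOTP secret is the RFC 6238 test key, so the code it produces can be checked against the published test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time
from enum import Enum


# The three factor categories from the post (constructed taxonomy for this example).
class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Constructed mapping of concrete methods to their category.
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "smartcard": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "iris": Factor.INHERENCE,
}


def is_true_2fa(methods):
    """Policy check: the methods must cover at least two distinct categories.
    Two passwords, or a password and a PIN, only cover one and are rejected."""
    categories = {METHOD_CATEGORY[m] for m in methods}
    return len(categories) >= 2


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock drift.
    Comparison is constant-time so a wrong digit cannot be detected by timing."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, len(code)), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password, salt=None):
    """Knowledge factor at rest: salted PBKDF2-HMAC-SHA256, never the plain password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def authenticate(user, password, otp, at_time=None):
    """Full login: reject accounts whose configured methods do not meet the
    two-category policy, then check the knowledge factor, then the possession factor."""
    if not is_true_2fa(user["methods"]):
        return False
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], otp, at_time)


if __name__ == "__main__":
    # Constructed user record; the secret is the RFC 6238 test key.
    salt, pw_hash = hash_password("correct horse battery staple")
    user = {"methods": ["password", "totp_app"], "salt": salt,
            "pw_hash": pw_hash, "totp_secret": b"12345678901234567890"}
    print("login with current code:",
          authenticate(user, "correct horse battery staple",
                       totp(user["totp_secret"], time.time())))
```

The policy gate runs before any credential is checked, so an account misconfigured with two knowledge factors cannot log in at all rather than logging in with weaker-than-intended protection; the same `is_true_2fa` check can be applied when an administrator saves an authentication configuration, which is where the company policy described in this post would be enforced.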

Conclusion

The recommendations provided above are as clear as the Dutch Data Protection Authority and the National Cyber Security Centre get on the topic of 2FA. They advise using two-factor authentication, but they do not clarify which type of 2FA is best or which situations are ideal for 2FA use. For that reason, it is important to draft company policy for which types of 2FA are ideal for various applications. Not all data is equally sensitive, but medical files, for example, should definitely involve ‘appropriate measures’. To give an example, a person’s timekeeping records will probably be less sensitive. Determine the sensitivity of various types of data, and try to categorise them. Decide which type of data should be protected by mandatory 2FA. Applying 2FA to your own account is easy, but how do you deal with sending sensitive data from your organisation to external parties? To return to the example at the start of this blog: what is the policy on sending medical files to other organisations? How do you ensure that 2FA is used on the recipient’s end? If you use ZIVVER, it is easy to set up 2FA from Outlook. Watch this video or read more about it in this article.

And remember to communicate the policy clearly to your employees, so they know when to use which type of 2FA. Since 2FA has become commonplace by now (examples include the random reader, e-dentifier or authentication app), you can thankfully assume that your employees will accept 2FA without protest.

Please note: according to the GDPR, appropriate data protection involves more than just two-factor authentication. Also consider using TLS and encryption.