Which type of 2FA do I need to use under the GDPR in the Netherlands?

It happens on a daily basis: a client has completed treatment and the associated data needs to be transferred. And the data transfer needs to be secure. How do you make that happen? In order to hand off client data to the next step in the process, the nurse will have to send the client’s file to another organisation. This file contains quite a lot of information, including the client’s Citizen Service Number, and is therefore classified as sensitive information. The General Data Protection Regulation (GDPR) states that appropriate data security is mandatory. If the nurse sends the file as an email attachment, it is not secure. Besides how easy it would be to accidentally send the message to the wrong recipient, the recipient could also easily forward the message, or leave their laptop unlocked. As a result, unauthorised parties could have access to the file. If that happens, you are dealing with a data leak.

But what would be a secure way to share sensitive data? Case studies are still inconclusive. When can you say that security is appropriate? Do the security measures that need to be taken depend on the data you are protecting? Perhaps future court cases will lead to more clarity on this topic, but it would be best not to wait for jurisprudence before taking steps to secure the data.

Two-factor authentication

So how do you send sensitive information securely? To make that possible, your organisation needs to start using TLS, encryption and two-factor authentication. This blog will discuss the various forms of two-factor authentication. Two-factor authentication or 2FA is a security technique that uses two factors to protect a computer system or to verify a person’s identity. It operates on the principle that a single factor is not sufficient.

In 2FA, security is safeguarded by a combination of multiple factors, such as:

-        Something that the user knows. That is usually a combination of a user name and password or PIN code.

-        Something that the user has. For instance by sending a text message containing a verification code to the user’s phone or using apps that generate single-use codes or passwords, hardware tokens or cards.

-        Something that the user is. This category covers security measures based on user biometrics. This includes facial recognition (like the iPhone X), a fingerprint or an iris scan.

So there are multiple 2FA options to protect data. For instance, a password and verification code by text message, a password and fingerprint, or a PIN code and a card. What combination do you use for different types of information?

What do government bodies say about 2FA?

In addition to legislation, there is a considerable amount of supplementary documentation available from government bodies regarding protection of personal data. In these publications, the government provides further guidance on the use of 2FA.

In 2016, for example, the Dutch Data Protection Authority (Dutch DPA) specifically indicated that hospitals need to use 2FA in patient portals:

‘That is why hospitals need to use two-factor authentication. That means that it is not considered secure enough when patients log in with just a user name and password, but that an additional means of verification is necessary. For instance a token or a code sent by text message.’

It can be concluded that the Dutch DPA believes that medical data, which is sensitive personal data according to the GDPR, needs to be secured with 2FA. The Dutch DPA provides examples, but they do not clearly describe what 2FA should look like. The National Cyber Security Centre (NCSC) provides more clarity on 2FA. In a factsheet from 2015, the NCSC states:

‘The NCSC advises using two-factor authentication whenever possible. Another name for this is two-step verification. It consists of authentication by means of two factors from different categories. An example is the use of a password and a single-use authentication code sent by text message. Another option is the combination of a fingerprint and a password. In a few cases, a third factor is added to that.’

Based on the advice of the NCSC, you could say that e.g. using two passwords is not sufficient. That means that the second security factor really needs to be in a different category than the first.

It is not documented anywhere in the law that 2FA is mandatory. There is also no legislation or case law regarding implementation of 2FA. Theoretically, you can therefore implement 2FA in various ways. However, given the clear advice of both the Dutch DPA and the NCSC, it does seem that you would be taking a huge risk if your organisation does not protect your sensitive data with 2FA. You are also running a risk if you use a type of 2FA that uses two different factors from the same category (for instance two passwords).

Conclusion

The recommendations provided above are as clear as the Dutch Data Protection Authority and the National Cyber Security Centre get on the topic of 2FA. They advise using two-factor authentication, but they do not clarify which type of 2FA is best or which situations are ideal for 2FA use. For that reason, it is important to draft company policy for which types of 2FA are ideal for various applications. Not all data is equally sensitive, but medical files, for example, should definitely involve ‘appropriate measures’. To give an example, a person’s timekeeping records will probably be less sensitive. Determine the sensitivity of various types of data, and try to categorise them. Decide which type of data should be protected by mandatory 2FA. Applying 2FA to your own account is easy, but how do you deal with sending sensitive data from your organisation to external parties? To return to the example at the start of this blog: what is the policy on sending medical files to other organisations? How do you ensure that 2FA is used on the recipient’s end? If you use ZIVVER, it is easy to set up 2FA from Outlook. Watch this video or read more about it in this article.

And remember to communicate the policy clearly to your employees, so they know when to use which type of 2FA. Since 2FA has become commonplace by now (examples include the random reader, e-dentifier or authentication app), you can thankfully assume that your employees will accept 2FA without protest.

Please note: according to the GDPR, appropriate data protection involves more than just two-factor authentication. Also consider using TLS and encryption.

 

Create awareness about privacy and the GDPR


To make sure that employees deal with sensitive information properly, it is key that they are aware of the importance of secure information processing. The reason that it is so important is because 46% of all data leaks are caused by employees handling sensitive data carelessly. But how do you resolve that problem? In this e-book, we provide an answer to this question and offer some practical tips.

Go to the e-book

RELATED
shutterstock_219503161 (1)

What is the difference between personal data and privacy-sensitive information?

The GDPR is a hot topic. Due to all messages in the media, many myths circulate about this topic. A frequently-heard comment is: but it is related to privacy, and so it is forbidden under the GDPR anyway, right? To understand correctly what the law requires and what are the reasons for that, you should know what personal data are and how this differs from […]

Read more
vlag3

The 3 most important things you need to account for in order to become GDPR compliant

The General Data Protection Regulation (GDPR) is a European law that protects the privacy of European citizens on the one side and helps to create awareness in processing personal information on the other. Thanks to GDPR, CISO’s like you have a lot of extra work to do. The amount of administrative proceedings that result from the GDPR is huge, your organisation […]

Read more
Untitled design

4 misconceptions about safe email

The European General Data Protection Regulation (GDPR) made the topic of privacy protection an important agenda item for every company. Almost all the time, risk analysis brings up email traffic as a very risky part. In the meantime however, I often encounter organisations that are pretty sure in their statement that the have their email traffic safe and under control. […]

Read more