Datatilsynet - 2019-41-0027

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: No violation found
Decided: n/a
Published: 5.11.2019
Fine: none
Parties: State Authorised Public Limited Company (BDO)
National Case Number: 2019-41-0027
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Danish
Original Source: Datatilsynet (in DK)

The Datatilsynet found that the State Authorised Public Limited Company (BDO) complied with Article 32 GDPR.

English Summary

Facts and questions arising

The Datatilsynet found that BDO was transmitting confidential and sensitive personal data via e-mail using end-to-end encryption and had carried out a prior risk assessment.

Holding

After having carried out its investigation, the Datatilsynet found that BDO complied with Article 32 GDPR and its guidelines.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Danish original for more details.

Audit of processing security at audit firm
Published 05-11-2019
Decision Private companies
Journal number: 2019-41-0027
Summary
BDO Statsautoriseret Revisionsaktieselskab (hereafter BDO) was among the companies selected by the Data Inspectorate for audit in 2019. The audit focused on security of processing, including in particular the encryption of e-mails, cf. Article 32 of the Data Protection Regulation. The Data Inspectorate considered that BDO's processing of personal data in relation to the transmission of confidential and sensitive personal data via e-mail over the Internet complied with the rules of the Data Protection Regulation and the Danish Data Protection Agency's guidelines.
The Data Inspectorate's final opinion states, among other things, that BDO uses end-to-end encryption with S/MIME certificates as well as forwarding with forced TLS 1.2 when the company sends e-mails with confidential and sensitive personal information to customers and others.
In addition, the opinion states that BDO has demonstrated that it has prepared a risk assessment which assesses the risks associated with the transmission of confidential and sensitive personal data over the Internet.
You can read the Danish Data Protection Agency Guidance text on email encryption here.
Decision
BDO Statsautoriseret Revisionsaktieselskab (hereafter BDO) was among the companies that the Data Inspectorate had selected for supervision in the spring of 2019. The Danish Data Protection Authority's planned supervision focused on processing security, including in particular the encryption of e-mails, cf. Article 32 of the Data Protection Regulation. In the spring of 2019, in connection with the audit visit, BDO filled out a questionnaire and submitted this as well as additional material for the audit. The audit visit took place on April 9, 2019.
After the audit visit with BDO, the Data Inspectorate finds a summary to conclude:
That BDO - in accordance with Article 32 of the Data Protection Regulation - uses end-to-end encryption when exchanging the S/MIME certificate over the tunnel mail community (hereafter referred to as tunnel mail) for transmitting confidential and sensitive personal data over the Internet to customers and other recipients on the public tunnel list.
Furthermore, BDO - in accordance with Article 32 of the Data Protection Regulation - uses encryption on the transport layer via forced TLS 1.2 for the transmission of confidential and sensitive personal data to customers over the Internet.
That BDO - in accordance with Article 5(1)(f), cf. Article 5(2), cf. Article 32(1) and (2), of the Data Protection Regulation - has demonstrated that a risk assessment has been prepared which assesses the risks associated with the transmission of confidential and sensitive personal data over the Internet.
That BDO is not aware of cases where confidential or sensitive personal data has been sent unencrypted over the Internet since January 1, 2019.
On this basis, the Data Inspectorate considers the audit to be complete and does not take any further action in this regard.
Below is a detailed review of the Danish Data Protection Agency's conclusion.
1. Use of encryption when transmitting confidential and sensitive personal data over the Internet
BDO has stated prior to the audit visit that the company sends confidential and sensitive personal data via e-mail over the Internet.
BDO has stated that the company rarely sends personal data over the Internet for audit purposes. However, the company has stated that it may happen that BDO, in connection with tax advice, sends confidential information in the form of tax returns containing, inter alia, social security numbers via e-mail over the Internet.
BDO has stated that the company communicates with its customers either via MIT BDO - which is a web platform where documents are exchanged securely with BDO's customers - or via encrypted e-mail.
2. About the encryption solution
BDO has stated that the encryption solutions used try to encrypt e-mail in the following priority order:
1. End-to-end encrypted via tunnel mail to the recipient's domain.
2. It is investigated whether the recipient has published an S/MIME certificate on the public tunnel mail list, in which case the e-mail is encrypted using that certificate.
3. It is investigated whether the e-mail can be sent with encryption on the transport layer via a forced TLS 1.2 connection.
Furthermore, BDO has stated that if none of the three solutions is possible, the user is presented with an error message that the recipient does not support encryption and that the e-mail will not be sent. From there, it depends on the individual employee's specific assessment whether the employee finds it necessary to encrypt the e-mail. If the employee considers that encryption is not necessary, the e-mail will be forwarded with opportunistic TLS.
During the audit visit and at the request of the Data Inspectorate, BDO attempted to send an e-mail with forced TLS to an e-mail server set up by the Authority which does not support receiving TLS. As expected, and as confirmation of BDO's setup, the email in question could not be delivered.
BDO has stated that, when transmitting via tunnel mail, the company has chosen to use the 3DES encryption algorithm, as several recipients do not support newer algorithms.
2.1. Summary
On the basis of the information provided by BDO, the Data Inspectorate assumes that when BDO sends e-mails with confidential and sensitive personal data, BDO uses end-to-end encryption with S/MIME certificates to the extent possible and otherwise a forced TLS 1.2 connection. Thus, the Data Inspectorate finds that BDO applies adequate processing security when sending such e-mails.
At the same time, the Data Inspectorate calls on BDO to phase out the use of the 3DES algorithm, as the algorithm is outdated. In this regard, the Data Inspectorate should note that known vulnerabilities[1] of 3DES render the algorithm unsafe in certain applications, but that e-mail is not among those applications. However, the Data Inspectorate must still encourage BDO to phase out the use of 3DES, as the algorithm is not up-to-date and because more secure alternatives are freely available.
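As an added illustration (not code from BDO or the Datatilsynet), the priority order from section 2, the fail-closed behaviour of forced TLS checked during the audit visit, and the 3DES point from 2.1, modelled as a small policy function; all domains, certificates and TLS versions are constructed sample data:

```python
"""Added illustration (not BDO's software, not part of the decision): the
e-mail encryption priority order from sections 2 and 2.1 modelled as a
fail-closed policy function. All domains and capabilities are constructed."""

# Constructed sample of the public tunnel mail S/MIME list: domain -> the
# symmetric cipher the recipient's certificate capabilities advertise.
TUNNEL_MAIL_LIST = {
    "kunde-a.example": {"cert": "cert-a", "cipher": "aes256"},
    "kunde-b.example": {"cert": "cert-b", "cipher": "3des"},  # legacy cipher
}

# Constructed sample: highest TLS version each recipient mail server offers
# via STARTTLS (None = no TLS, like the authority's test server in the audit).
RECIPIENT_TLS = {
    "kunde-a.example": (1, 2),
    "kunde-c.example": (1, 3),
    "kunde-d.example": (1, 1),
    "tilsyn-test.example": None,
}


def select_transport(domain, employee_override=False):
    """Return (method, note) following the decision's priority order:
    1. end-to-end S/MIME if the recipient is on the tunnel mail list,
    2. forced TLS >= 1.2 on the transport layer (fails closed otherwise),
    3. refuse to send; only an explicit employee decision downgrades the
       message to opportunistic TLS, which may end up in cleartext."""
    entry = TUNNEL_MAIL_LIST.get(domain)
    if entry is not None:
        note = "phase out 3DES" if entry["cipher"] == "3des" else "ok"
        return "smime", note
    version = RECIPIENT_TLS.get(domain)
    if version is not None and version >= (1, 2):
        return "forced-tls", "TLS %d.%d" % version
    if employee_override:
        return "opportunistic-tls", "may fall back to cleartext"
    return "blocked", "recipient does not support encryption; not sent"


def review_outbox(domains):
    """Count outcomes for a batch of recipients, as an auditor might do to
    see how often the policy falls through to 'blocked' or uses 3DES."""
    counts = {}
    for domain in domains:
        method, note = select_transport(domain)
        key = "smime-3des" if note == "phase out 3DES" else method
        counts[key] = counts.get(key, 0) + 1
    return counts
```

A recipient whose server offers only TLS 1.1 or no TLS at all ends up blocked rather than silently downgraded, which is the behaviour the authority's no-TLS test server confirmed.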
3. Cases where encryption has not been used
BDO has stated that the company is not aware of cases where confidential or sensitive personal data has been sent unencrypted over the internet since 1 January 2019. BDO has further stated that BDO has not received feedback from employees that this should have happened.
BDO has, by extension, stated that the company has a procedure for how employees should act if confidential and sensitive personal data is sent unencrypted over the Internet. The procedure prescribes that the employee must report such an incident to the IT Security Committee, which consists of several members of management, including the meeting representatives, after which the committee assesses whether the incident should be reported to the Data Protection Agency. BDO has sent a copy of the procedure to the Data Inspectorate.
3.1. Summary
On the basis of the information provided by BDO, the Data Inspectorate assumes that BDO is not aware of cases where confidential and sensitive personal data has been sent unencrypted on the Internet since 1 January 2019.
4. Risk assessment
BDO has submitted a risk assessment to the audit prior to the audit visit which takes into account the transmission of confidential and sensitive personal data over the Internet.
BDO's risk assessment shows that there is a high weighted risk associated with the transmission of confidential or sensitive personal data via e-mail. The risk assessment also shows that this risk is reduced to an appropriate level using the above mentioned technologies, in particular end-to-end encryption whenever possible and, at least, using TLS 1.2 encryption on the transport layer.
In addition, BDO has prepared a guide for its employees on the use of encrypted email, dated December 12, 2018.
Finally, BDO has stated that targeted training of employees in the handling of security breaches has been carried out in the advisory and social audit departments. BDO also uses a number of e-learning videos aimed at employees about the use of encrypted e-mail; management can check what percentage of the videos the employees have seen, and each employee had to complete a follow-up test for the videos.
4.1. Summary
It is the Danish Data Protection Agency's assessment that BDO - in accordance with Article 5(1)(f), cf. Article 5(2), cf. Article 32(1) and (2), of the Data Protection Regulation - has demonstrated that a risk assessment has been prepared in which the risk associated with the transmission of confidential and sensitive personal data over the Internet is considered.
5. Conclusion
Following the audit visit with BDO, the Data Inspectorate finds a summary to conclude:
That BDO - in accordance with Article 32 of the Data Protection Regulation - uses end-to-end encryption when exchanging the S/MIME certificate over the tunnel mail community (hereinafter referred to as tunnel mail) for transmission of confidential and sensitive personal information over the Internet to customers and other recipients on the public tunnel list.
Furthermore, BDO - in accordance with Article 32 of the Data Protection Regulation - uses encryption on the transport layer via forced TLS 1.2 for the transmission of confidential and sensitive personal data to customers over the Internet.
That BDO - in accordance with Article 5(1)(f), cf. Article 5(2), cf. Article 32(1) and (2), of the Data Protection Regulation - has demonstrated that a risk assessment has been prepared that assesses the risks associated with the transmission of confidential and sensitive personal data over the Internet.
That BDO is not aware of cases where confidential or sensitive personal data has been sent unencrypted over the Internet since January 1, 2019.
 
[1] See K. Bhargavan and G. Leurent, "On the Practical (In-)Security of 64-bit Block Ciphers" (ACM CCS 2016), and NIST SP 800-57 Part 1 Revision 4, Section 5.6.1.