In May of 2020, substantial guidance on email encryption was issued by the German Data Protection Authorities (German DPAs) specific to personal data transferred via email. These guidelines recommend reducing the risks of a personal data breach with both end-to-end encryption and transport encryption.
The new guidelines build on previous requirements, including technical guidelines from the German Federal Office for Information Security, and clarify which encryption measures controllers, processors, and email service providers must have in place when sending personal data via email.
What Are the German DPAs?
Every EU Member State has a Data Protection Authority (DPA) on hand to supervise how data protection laws are followed and applied. Each country’s DPA provides expert advice on data protection in general, as well as the GDPR and nation-specific laws. It also has the ability to investigate and make corrections to how the law is applied.
The German DPA, Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, is located in Bonn and splits some duties among various data protection supervisory authorities throughout Germany.
What Are the New German DPA Email Encryption Guidelines?
The new guidelines:
- Establish minimum legally accepted encryption requirements to which organizations and public email service providers must adhere.
- Outline procedures for sending and receiving emails, all of which apply to data controllers, processors, and public email service providers.
- Differentiate between “high risk” and “normal risk” based on previous material, Risks to the Rights and Freedoms of Individuals.
For “normal risk” data transfers, i.e. scenarios in which a data breach would not unduly impact the rights and freedoms of the affected data subjects, transport encryption must establish a TLS (Transport Layer Security) encrypted communications channel, either via the SMTPS protocol or via the SMTP STARTTLS command.
If the data transfers involve more sensitive or identifiable information that would put any data subjects impacted at “high risk,” data controllers must use both end-to-end encryption and qualified transport encryption regularly:
- End-to-end encryption can employ either S/MIME or OpenPGP to meet the guidelines, and files should be protected both in transit and at rest. However, neither OpenPGP nor S/MIME can completely eliminate risk for high-risk data transfers, even with qualified transport encryption: for example, an exposed private key may put multiple messages at risk of decryption.
- Qualified transport encryption must ensure protection against active attacks. It should also involve technology that protects against forged DNS data, such as DANE or DNSSEC, or both.
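To see which of the two tiers a given mail hop actually meets (and to act on the TLS/STARTTLS advice in the how-to section further down), here is an added Python example; it is not from the guidelines or from any product mentioned on this page. The TLS 1.2 floor, the parsing of smtplib's EHLO reply, and the `dane_ok` flag standing in for an external TLSA check are this example's own assumptions.

```python
import smtplib
import ssl

MIN_TLS = "TLSv1.2"   # assumption: lowest TLS version this check accepts for a transport channel
_TLS_RANK = {v: i for i, v in enumerate(["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"])}


def parse_ehlo(reply: bytes) -> dict:
    """Turn the EHLO reply bytes smtplib returns (one keyword per line) into {KEYWORD: [params]}."""
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # line 0 is the server greeting
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def assess_transport(caps: dict, tls_version=None, cert_ok=False, dane_ok=False) -> dict:
    """Map what was observed onto the two tiers: 'normal_risk' needs a TLS channel (STARTTLS);
    'qualified' additionally needs an authenticated peer (valid certificate) and protection
    against forged DNS data (DANE/DNSSEC). The TLS floor is this example's assumption."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("server does not advertise STARTTLS; mail would go in clear text")
    if tls_version is None:
        findings.append("no TLS session was established")
    elif _TLS_RANK.get(tls_version, -1) < _TLS_RANK[MIN_TLS]:
        findings.append(f"{tls_version} negotiated, below the {MIN_TLS} floor")
    normal = not findings
    if not cert_ok:
        findings.append("certificate not verified: an active attacker could impersonate the server")
    if not dane_ok:
        findings.append("no DANE/DNSSEC validation: MX records and STARTTLS can be forged or stripped")
    return {"normal_risk": normal, "qualified": normal and cert_ok and dane_ok, "findings": findings}


def probe(host: str, port: int = 25, dane_ok: bool = False, timeout: float = 10.0) -> dict:
    """Live check: read EHLO, attempt STARTTLS with chain and hostname verification, then assess.
    TLSA lookup is out of scope here; pass dane_ok=True only if your resolver verified the record."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname given to SMTP()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        caps = parse_ehlo(reply)
        if "STARTTLS" not in caps:
            return assess_transport(caps, dane_ok=dane_ok)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLError as exc:   # handshake or certificate failure
            return {"normal_risk": False, "qualified": False, "findings": [f"STARTTLS failed: {exc}"]}
        return assess_transport(caps, smtp.sock.version(), cert_ok=True, dane_ok=dane_ok)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it against your own MX (`python probe.py mx.yourdomain.example`); a result with `normal_risk` true but `qualified` false tells you exactly which of the high-risk requirements is still missing.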
While senders are largely responsible for securing their emails containing personal data – in particular data controllers under a statutory obligation of confidentiality – data recipients must have a secure connection.
Read the full guidelines online.
How to Follow the New Email Encryption Guidelines
Ensure your organization has an appropriate secure email system in place for the type of data you are exchanging:
- TLS and SSL allow SSL-enabled servers and clients to authenticate one another and protect communications between them.
- S/MIME encrypts your emails, and can be used for both sending and receiving email.
- Secure email solutions give you the ability to send your messages and files as secure “packages” as needed.
Related Reading: Email Encryption Best Practice Guide
What Led to the German DPAs New Email Encryption Guidelines?
Personal data protection has been top-of-mind for some years now and was brought to the forefront due to the GDPR, which went into effect 2018. In response to new and existing personal data guidelines, authorities around the globe are working to clarify best practices and requirements across all types of data collection, transfer, and storage.
Get the Guide: Meeting GDPR Requirements with GoAnywhere MFT
Recent security flaws and attacks on German companies uncovered by security researchers have revealed how much information can be accessed and leaked due to unsecure practices, wreaking havoc from both a cybersecurity and a data protection perspective.
German law differentiates between cybersecurity and data protection according to Mondaq, with “data protection” being a subset of the umbrella term “cybersecurity.” Cybersecurity is essentially security within IT systems, with the objective of preventing “data destruction, loss, alteration, or unauthorized disclosure by implementing hardware and software solutions” for any data. On the other hand, data protection refers specifically to protecting information about a person, whether they are explicitly identified or are potentially identifiable – which requires a high degree of cybersecurity.
The TVSmiles Data Breach
TVSmiles, a Berlin-based app whose nearly 3 million users can earn digital currency for taking quizzes, watching videos, and otherwise interacting with branded content, suffered a data breach that exposed users’ personal and device information. Luckily for the app and its users, the exposure was found by UpGuard, a security researcher that reported the breach back to TVSmiles.
An unsecured Amazon S3 bucket containing emails, country codes, first and last name, gender, birthdate, address, phone number, passwords, and a collection of “insights” such as psychographic qualities, and more, was uncovered by UpGuard. TVSmiles was able to secure the bucket immediately and, despite being left unsecured for years, logs showed no unauthorized access outside of UpGuard.
As TechCrunch points out, “even an app with a relatively small user base (single digit millions) can be sitting atop a massive repository of tracking data.” The TVSmiles data breach led privacy researchers to call for investigation into both this data breach and a deeper investigation into whether the amount of personal data being collected and processed was lawful.
COVID-19 Task Force Phishing Attack
As if a global pandemic wasn’t enough, a Germany-based company tasked with procuring personal protective equipment for healthcare providers is suffering an ongoing phishing attack. The goal of the attack seems to be Microsoft credentials, according to a report released by security researchers at IBM X-Force Incident Response and Intelligence Services, which would open the door to gain access to account information, company data, and a route through internal IT networks.
Related Reading: How the Coronavirus is Impacting Your Data Security
As the amount of personal data users share grows and as hacking attempts become more pervasive and sophisticated, so too does the need for better cybersecurity and data protection. While email has long been a quick and easy way to share information, email containing sensitive information needs to be better protected, which the German DPAs have both understood and taken steps to realize.
Encrypting Your Emails
Ensure the personally identifiable data you’re sending is protected and trackable. A secure solution using end-to-end encryption can help you send and receive data securely, whether you share it via email or another method.
Every day, organizations send hundreds, if not thousands, of emails – but standard email is far from the most secure option for file sharing. Secure Mail, a GoAnywhere tool, helps you secure the files you send via email by sending your recipient a link to the file to view as a secure download. Secure Mail also gives you the ability to track views and downloads and set expiration dates on the links you send.
Data visibility can also provide content oversight. All organizations have sensitive data spread throughout the organization, although sometimes it’s hidden in plain sight. Adaptive data loss prevention (A-DLP) solutions monitor this information before it leaves your organization through email, websites, social media, or other applications. Where traditional DLP solutions can only “stop and block” questionable data transfers, A-DLP automatically applies the optimal security treatment based on the specific data content, its context, and the applicable regulatory policy. This includes real-time redaction, encryption, blocking, or deletion.