On 13 February 2019, the data protection officer for the German state of Baden-Wuerttemberg published a guideline on password security under the EU General Data Protection Regulation (GDPR). The guideline aims to advise data controllers (e.g., service providers, administrators) on how to set up effective password policies and securely store passwords, and data subjects (users) on how to choose secure passwords.

The guideline acknowledges that a password-username authentication is a technical and organizational measure pursuant to Art. 32 of the GDPR, and that data controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk that the processing would otherwise present to individuals. Such measures must, inter alia, include the ability to ensure the ongoing confidentiality and integrity of processing systems and services. Thus, passwords should never be stored unencrypted. Data controllers should also consider implementing a two-factor authentication and to protocol failed attempts to log into a user's account. The guideline also recommends that data controllers and processors give guidance to their users on how to set up secure passwords and, as a best practice, implement minimum requirements for users to set and to periodically update their passwords. For failing to comply with these requirements, data controllers and processors can be subject to fines up to EUR 10,000,000 or 2 percent of an undertaking's total worldwide annual turnover, whichever is higher (Art. 83(4)(a) GDPR).

For the user, the guideline recommends that he or she use different passwords for each account. The differences between each password should be substantial, and a secure password should contain at least 12 characters, including capital letters, digits and punctuation. The guideline also recommends that users lie when setting answers to security questions.

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.