Data Protection and Information Security at the University of Freiburg

A data breach or data protection violation is an incident in which the security of personal data is violated. This means that data are unintentionally or unlawfully destroyed, lost, modified, disclosed, or made available to an unauthorized person. Examples include the loss of files, unauthorized access to an email account, or the theft of a notebook.

An information security incident occurs when protective measures have demonstrably failed, for example because a laptop has been stolen or attackers have succeeded in compromising an IT system via a vulnerability. Such an incident is characterized by a high probability of damage in violation of one of the key protection goals of confidentiality, integrity, or availability.

Incidents that remain undiscovered pose an additional risk.

Data breaches and information security incidents often coincide and are considered in practice from both a data protection and an information security perspective.

For more information, please consult the Circular on Reporting obligations for data protection and information security incidents: https://intranet.uni-freiburg.de/rs/2024/4 (Intranet)

First of all, you should ensure when starting up the laptop that the hard disk is encrypted. If you have done this and the laptop is stolen or lost and falls into the hands of a third party, it is not possible to misuse any data from the hard disk.

Nevertheless, the loss should be regarded as a data breach or information security incident and reported accordingly. Theft must be reported to the police.

As employees’ laptops are state property, they must be handled with care. In the event of reckless behaviour, the department may file a claim for compensation.

Further information is available on the intranet to logged-in users.

Scammers or attackers use phishing emails in various forms to get hold of confidential data or to compromise a user’s computer:

• Link to a fake website: In this case, the attacker “reproduces” a website to get the victim to enter access data for a university system, for example. The attacker can then use these data to access the victim’s email account.
• Defective attachments: A document capable of installing malware on the computer (virus, Trojan) is attached to an email, thus enabling the attacker to control the affected computer.
• Scamming: The attacker pretends to be a person the victim knows in order to engage them in a dialogue. In the course of the dialogue, the victim is asked to do something for the attacker, such as transfer money, purchase gift certificates, or pass on personal data.

Phishing emails often attempt to build up pressure and thus lead the victim to act carelessly.

If access data has been disclosed, this must be regarded as a reportable incident.

If your computer has been compromised by a virus or Trojan, you must disconnect it from the network (Internet, WLAN) immediately and inform your local IT administrator. It must then be checked whether data have been lost or other damage has occurred.

Further material is available on the intranet to logged-in users:

• Phising and other threats in the digital world
• E-Mail-(in)Security

Working away from university premises, whether at home or on a mobile device, entails a number of potential risks that must be taken into account to ensure that university data and systems are adequately protected. For example, some systems require that you connect to a VPN (Virtual Private Network) in order to receive access remotely. The use of two-factor authentification also helps to counteract such risks.

Further recommendations on working securely – also in relation to offices on campus – are available on the intranet to logged-in users.

An important preventive consideration is how to securely store the data you work with. “Secure” means the following:

• Access to the data is regulated, and they are only accessible to those who need them for their work;
• The data are available at the moment when they are needed;
• The data can be restored if they were erased or are no longer directly available for another reason (e.g., loss of a laptop);
• Changes made to the data are documented and traceable.

It is therefore advisable to coordinate regular work processes so that necessary data are securely stored.

For more information, please consult the guideline on secure data storage and encryption of mobile data carriers: https://intranet.uni-freiburg.de/sazs/datenablage

The above guideline is supplemented by recommendations on the disposal of data carriers: https://intranet.uni-freiburg.de/sazs/datentraegerentsorgung

First, consider whether there might not be an alternative to using a USB flash drive. Possibilities include shared data repositories or a personal network drive. Relevant options are described in the guideline on secure data storage and encryption of mobile data carriers. If you do need to use a USB flash drive, you should consider encrypting the data on the drive, at least if it is to be used for sensitive and confidential data.

Processes for the safe disposal of USB flash drives should be established at your department (see the intranet for recommendations). Speak to your local IT administrator or waste management officer for more information.

Secure passwords are characterized by their complexity. In other words, they are generally long passwords including combinations of different types of characters (lower-/upper-case letters, special characters). Another important aspect is how you manage your passwords. Instead of jotting down your passwords on a Post-it note and sticking it your monitor, use a password manager like KeePass. For more information, see the following page on the IT Services website.

For more tips on creating and managing passwords, see the guideline on passwords.