Technical Security Requirements
Section 28 of the rules, entitled Guidelines for Technical Security Measures, offers the following direction:
Where appropriate, personal information controllers and personal information processors shall adopt and establish the following technical security measures:
a. A security policy with respect to the processing of personal data;
b. Safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;
d. Regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;
g. Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.