Italian Data Protection Authority, Garante, has issued a 50,000 EUR fine against a data processor platform for its failures to implement several information security measures.
The DPA launched an investigation into the breach of several websites connected to the 5 Star Movement. At the conclusion of the investigation, the agency decided to impose the penalty on the data controller, the Rousseau Association. The Garante also listed the measures that Rousseau and the 5 Star Movement must carry out as a result of its findings.
Service providers should ensure that the data entrusted to them by their data controller customers is adequately protected. Specific measures cited by Garante include:
- conducting periodic vulnerability assessments
- ensuring timely implementation of patches
- requiring strong passwords
- adopting secure network protocols and digital certificates to secure data in transit
- adopting a secure method for password storage
- mandatory logging of actions in the database
- secure storage of the logs
- avoiding shared accounts (especially for admins)
- adopting effective anonymization techniques
Details from Garante.