Source: Gaming Tech Law
The Italian data protection authority challenged the lack of implementation of adequate security measures under the GDPR
The first GDPR fine in Italy was issued by the Garante for the failure to implement adequate security measures following a data breach on the so-called Rousseau platform, which operates the Movimento 5 Stelle websites.
The facts of the case relating to the Rousseau platform
A number of websites affiliated with the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform suffered a data breach during the summer of 2017, which led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed.
The lack of privacy-related security measures challenged
While the update of the privacy information notice was completed in time, the Italian data protection authority raised its concerns as to the lack of implementation on the Rousseau platform of some of the following GDPR-related security measures:
- a vulnerability assessment, to be repeated periodically, which was performed on the platform but, according to the Garante, left open issues because of the use of an outdated platform no longer updated by its supplier, which made the implementation of patches extremely complicated and time-consuming;
- a mechanism for strengthening the passwords used to create accounts and for reducing the risk of brute-force attacks, which was adopted on the platform;
- secure protocols and digital certificates to protect data in transit and reduce the risk of users being lured to fake sites, which were put in place on the Rousseau platform;
- solutions to increase the security of password storage, given the weak cryptographic algorithms in use, which was resolved for the majority of users;
- auditing measures requiring the recording of accesses and operations performed (the so-called logs) on the database of the Rousseau system, in order to guarantee the integrity of data and at least ex-post control of the activities carried out on the system, which were not fully implemented.
In particular, the dispute focused mainly on the incomplete adoption of the measures relating to the storage of log files: for the activities performed by the platform's IT support personnel, only their access to some pages could be tracked, while the operations they performed were not recorded.
Additionally, the Garante objected that system administrators used shared accounts with quite broad privileges in the operation of the platform. This was a major issue, also given that such system administrators could access special categories of personal data, such as data on political opinions.
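The two shortcomings above (operations by support staff not recorded, and shared administrator accounts that cannot be tied to one person) are what an audit log of the kind the Garante required is meant to address. The following is an added illustration, not code from the Rousseau platform or from the article: a minimal tamper-evident audit log that records both the access and the operation, attributes each record to a named actor, chains records with an HMAC so that ex-post verification detects edited or deleted entries, and flags records made under a shared account. The key, account names, timestamps and table names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice it is held by a separate audit service,
# not by the database the log is supposed to protect.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

# Shared administrator identities, the problem the Garante objected to.
SHARED_ACCOUNTS = {"sysadmin"}


def _entry_mac(prev_mac: str, fields: dict) -> str:
    """Chain each record to its predecessor so edits or deletions are detectable."""
    payload = prev_mac.encode() + json.dumps(fields, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, actor: str, operation: str, target: str, ts: str) -> dict:
    """Record who did what on which table: the access and the operation performed."""
    prev_mac = log[-1]["mac"] if log else "0" * 64
    fields = {"ts": ts, "actor": actor, "operation": operation, "target": target}
    entry = dict(fields, mac=_entry_mac(prev_mac, fields))
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """Ex-post control: recompute every MAC; a changed or removed record breaks the chain."""
    prev_mac = "0" * 64
    for entry in log:
        fields = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(entry["mac"], _entry_mac(prev_mac, fields)):
            return False
        prev_mac = entry["mac"]
    return True


def unattributable_entries(log: list) -> list:
    """Operations done under a shared account cannot be tied to a single person."""
    return [e for e in log if e["actor"] in SHARED_ACCOUNTS]


if __name__ == "__main__":
    log = []  # constructed sample records
    append_entry(log, "m.rossi", "SELECT", "members", "2017-08-01T10:00:00Z")
    append_entry(log, "sysadmin", "UPDATE", "members", "2017-08-01T10:05:00Z")
    print("chain valid:", verify_chain(log))
    print("shared-account records:", len(unattributable_entries(log)))
```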