Caveat Data Processor.

Italian Data Protection Authority, Garante, has issued a 50,000 EUR fine against a data processor platform for its failures to implement several information security measures.

Service providers should ensure that the data entrusted to them by their data controller customers is adequately protected. Some specific measures addressed by Garante:

  • conducting periodic vulnerability assessments
  • ensuring timely implementation of patches
  • requiring strong passwords
  • adopting secure network protocols and digital certificates to secure data in transit
  • adopting secure method for password storage
  • mandatory logging of actions in the database
  • secure storage of the logs
  • avoiding shared accounts (especially for admin’s)
  • adopting effective anonymization techniques

Details from Garante.