

INTERNET LAW - INFORMATION SECURITY PRACTICES UNDER ITALIAN LEGISLATION

Category:  Internet Security

Organizations deal with vast amounts of information in their activities, using Internet connections to communicate both internally and with clients. At the same time, surveys show that many fail to implement adequate security measures, and have suffered internal and external breaches. These security breaches also end up costing companies, both in resetting their systems and in lost information. Act 675/96 and Presidential decree 318/99 set out the security requirements for businesses that process personal data.

The evolution of information systems has had an incredible impact on the way businesses handle personal information. Modern technology, in fact, allows for the creation of enormous databases, thus optimizing businesses’ information patrimony. Technological advances, however, have also rendered this asset increasingly vulnerable to internal and external breaches, and studies have shown that many organizations fail to implement adequate measures to protect proprietary information and suffer financial losses because of these breaches.

With the adoption of Act 675/96 in 1996, businesses operating in Italy must ensure that their processing operations are carried out in compliance with the rules concerning information security, which are found in Law 675/96 and in Presidential decree no. 318/99.
 
What security requirements are set out under the Law 675/96?
The obligation to keep and control personal data is found in article 15 of Act 675/96. In effect, organizations and businesses must adopt measures that are suitable given the nature of the data and the type of processing operations to be carried out, and in light of the technological advances in this area. This requirement is aimed at reducing, insofar as possible, any risk of intentional or accidental loss, destruction, unauthorized access or unauthorized or inconsistent processing of the data.

From this we are able to identify three aspects of data security. When storing paper documents that may contain sensitive personal data, it is necessary to ensure that these are physically secure by using locked filing cabinets. Assigning passwords and user names in order to access individual computers will ensure the logical security of the systems on which data is stored and/or processed, while organizational security is the aspect that deals with planning and managing the different procedures designed to guarantee that everything is carried out in the foreseen manner.

In considering the suitable measures to put in place, the Controller should take into account the various privacy impacts. As such, the Regulation 318/99 was adopted in order to establish the guidelines for complying with the security requirements and singling out the minimum security measures that those processing personal data must adopt.
 
What are the principal security concepts under the Act 675/96 and the DPR 318/99?

As stipulated in the Act 675/96 security measures must be suited to the type of processing operations and the nature of the data to undergo processing. Is the processing being carried out using computers and does it concern “common” personal data or sensitive data – such as racial or ethnic origins, sexual orientation, criminal records or political views?

Where data processing is effected on computers, the Regulation 318/99 requires that the roles and tasks of all who process personal information be set out in writing. Those entrusted with the processing operations must be assigned individual user names and passwords that permit them to access the system; these may be disabled if the role or tasks are modified or if they are not used for 6 months. The Italian Data Protection Authority has, moreover, stated in various decisions that those entrusted with processing operations should be able to change their user name and password codes on their own upon notice to the system administrator or the person in charge of storing password and user name information.

Operations concerning sensitive data will require businesses and organizations to authorize access, on a yearly basis, to those who either carry out processing operations or systems maintenance. However, if the computers are not joined on a non-public network, but are accessible on a public telecommunications network, then it will be necessary to issue further authorization with regard to the interconnection tools that may be used. Authorizations for accessing systems should be limited to that which is necessary for processing or maintenance operations; any access requests should be checked beforehand to confirm their validity; and simultaneous access must not be allowed using the same user name and password from different workstations.

These conditions are intended to protect the integrity of the system and the data against unauthorized access and against hacking and viruses that may damage the system.

When processing sensitive data on a system that is connected to a public telecommunications network (modem), it is also necessary to prepare an analysis of the risks and the distribution of the functions in a data security scheme that is to be drafted and updated yearly. This document must contain the solutions adopted with respect to protecting areas in which sensitive data are stored, the criteria and procedures used to control access to these areas, as well as all that has been put into place to ensure the integrity of the data and security of the transmissions. The data security scheme also incorporates a plan for training those entrusted with processing operations so as to inform them of the risks and how to prevent damage.

The Presidential decree also creates the “systems administrator” who supervises the use and functioning of the operating system or database.
 
What are the penalties for not performing these obligations?
The Act 675/96 compels all public and private entities carrying out processing operations on personal data to establish security measures that ensure an adequate level of protection of this information. Failure to adopt minimum security measures is punishable by up to two years imprisonment or a fine of 5,000 to 40,000 Euros. Those who have been found guilty, though, are allowed to pay a settlement if they have regularized their security situation within a given period, thus extinguishing the offense.


http://www.ibls.com/internet_law_news_portal_view.aspx?s=articles&id=4B63AEAD-A8E2-4B29-A924-9849B67950DD






 
©2004 - 2008, SGD Networks Private Limited.