Compliance

Privacy at the bank, roles and rules to avoid derailments at the counter

The rules exist what is still lacking is awareness of a sensitive issue

3' min read

Key points

  • Law 90 of 28 June 2024
  • The Gdpr Regulation
  • Defence deficiencies

3' min read

Whether it is a question of unauthorised access to databases by members of the police, or by bank employees suffering from obsessive-compulsive syndromes, it is still a question of unauthorised access. And the theme could be extended to other fields and sectors. For instance to the vast sphere of public and private health, not by chance the primary target of hackers (or crackers) specialised in cyber-extortion.

There is certainly striking empirical evidence: the 'hacking' of databases and the stealing of the information contained therein for the most varied purposes seems to have become an all too common practice. And this in spite of all the national and EU regulations put in place to combat it.

Loading...

Law 90 of 28 June 2024

Immediately after the outbreak of the Pasquale Striano case, the Gdf lieutenant accused by the prosecutors of Perugia of improperly accessing DNA databases, Undersecretary of State Alfredo Mantovano, on 13 March, appeared before the House of Deputies' Constitutional Affairs-Justice Committees and announced a bill to toughen penalties for abusive access to databases. The bill was then effectively implemented in Law 90 of 28 June 2024, which came into force on 17 July. In particular, Article 16, which, inter alia, amended Article 615 ter of the Criminal Code by doubling the prison sentences provided for both in cases of simple unauthorised access and in cases where the unlawful access was committed by public officials.

The Gdpr regulation

The criminal front is not the only bulwark that should shelter citizens from 'data breaches'. On 25 May 2018, the EU Regulation 2016/ 679 better known as Gdpr came into force. With explicit reference to the hypothesis of a breach of or abusive access to databases, Article 55 of the Gdpr lays down the obligation for data controllers to notify any breach to the Privacy Authority, specifically when a database theft occurs or when ransomware or any other subject steals a set of personal data stored within the computerised archives of a company or other legal entity.

The timing

In this case, the timing of the notification to the authorities assumes a fundamental value: the GDPR, in fact, requires the data controller to notify breaches detected without undue delay and, if possible, within 72 hours from the moment of knowledge of the fact. It is obvious that in view of this, the data controller must equip itself with reporting mechanisms to be able to promptly detect such violations and possibly find appropriate solutions to remedy the 'leakage'.

Defensive gaps.

And it is precisely here that the system shows dangerous 'defensive' shortcomings. Roberto De Vita, a criminal lawyer and expert in digital and cybercrime, explains: "While the capacity for (technical and behavioural) defence against attacks from outside the organisation's perimeter has grown and is growing over time, this is not so true with respect to the risk of information compromise and leakage originating from within, from an employee or collaborator who has access privileges and diverts them for illegitimate and even illegal activities. There are numerous cases that demonstrate the weakness of preventive alerts and the timeliness of discovery, as well as a lack of willingness to immediately share with supervisory and judicial authorities'.

Reputational damage

"What holds us back," De Vita continues, "is sometimes the fear of reputational damage, others the fear of potential sanctions arising from organisational and management dysfunctions. But the macroscopic datum,' De Vita adds, 'concerns the structural lack of automated capillary monitoring of accesses to databases, which through algorithms is able to construct behavioural risk indices that would then allow the selective targeting of control on specific accesses and on specific employee conduct. This lack,' De Vita concludes, 'does not depend on particular technical complexities, but on a culpable underestimation of the risk, on a 'proprietary' idea of the data collected, and on a presumption of unquestionability of their internal use.

© REPRODUCTION RESERVED

Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti