Европейски комитет за защита на данните

Italian SA: Users must receive specific, helpful information in case of a data breach

Friday, 7 June, 2019

The information provided should enable users to understand what risks they may run and how they can protect their personal data.

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach. In that notification the company had declared that technical inquiries had spotted, on the 20th February, fraudulent accesses via a WiFi hotspot which had affected about one million and a half email credentials belonging to users that had accessed the service via webmail.

In the attempt to limit the consequences of the data breach, the company had ‘obliged’ users to reset their passwords and made available a webpage containing information on the data breach prior to emailing a communication to all the affected users. That communication was emailed afterwards, however it proved  to fall short of the requirements under DP legislation – based on the findings of the Garante’s inspection. Indeed, two different communications had been emailed by the company depending on whether the given user had changed his or her password or not in the 48 hours following publication of the information on the data breach.
In both cases the communication referred to ‘unusual activities on our IT systems’ and the users that had changed their passwords were not advised to take any additional measures as it was stated that the changed password had made the old credentials useless. Conversely, those users that had failed to change their passwords were only advised to do so in order to ‘do away with the risk of unauthorised access to your email account’. Such information was considered to be insufficient by the Garante in the light of the severe risks users had been exposed to.

Accordingly, the Garante ordered the company to reiterate the communication of the data breach to the affected users, by describing the type of breach and its possible consequences and providing users with specific guidance on what measures to take in order to prevent additional risks – such as not using the affected credentials and changing the passwords to access any other online service if those passwords are identical with or similar to the breached ones.  

For more information, please contact the Italian supervisory authority: garante@garanteprivacy.it