The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Cryptography

In a press release dated Dec. 12, 2023, the Italian Data Protection Authority announced the adoption of guidelines on cryptographic functions, created with the Agency for National Cybersecurity (ACN), in particular, on password retention.

The guidelines were adopted by a decision of the Authority dated Dec. 7, 2023 (Web Doc. No. 9962283).

The purpose is to provide guidance to data controllers and data processors for the adoption of appropriate measures – identified in cryptographic functions – to overcome the practice of storing passwords in plain text, which can expose to the risk of their abusive acquisition by unauthorized parties.

Password as “personal data” and as a “measure”

The authority emphasizes the dual value of the password, given its nature as “personal data” on the one hand, and its function as a security measure on the other.

It, in fact, “constitutes personal data referable to the user who set it and uses it to access a computer system or online service.” At the same time, “the password represents a security measure, being an element, belonging to the category of knowledge (something that only the user knows), on which computer authentication procedures are based for access to most computer systems and online services and, therefore, to the personal data processed therein, referable to the same user or other interested parties.

Because of this dual aspect, “the storage of passwords as part of computer authentication systems, or other systems, can pose significant risks to the rights and freedoms of individuals in the event of abusive acquisition,” often resulting in identity theft.

These considerations, along with the fact that there is “limited application of technical measures to effectively protect passwords,” have led the Authority to direct controllers and processors to adopt measures that reduce the risk of unlawful acquisition of plaintext passwords.

Obligations of the controller and the processor

The data controller and any processors/sub-processors (as specified in Article 32(1) of the GDPR) are responsible for ensuring that the security measures implemented to manage risks to the rights and freedoms of data subjects are effective. Data security, in fact, is a mandatory requirement for all subject roles under the GDPR.

Developers, too, must “design and implement their computer systems and online services in accordance with the principle of integrity and confidentiality and the obligations regarding security of processing (Articles 5(1)(f) and 32 of the Regulation)“. In such a case, the system developer will be required to comply in this respect both at the design stage, as data controller, and at the eventual stage of service delivery to its customers, plausibly in the role of data processor.

In relation to the management of the password storage system, the data controller must define the division of tasks with the data processors, since part of the management is normally entrusted to third-party vendors.

Cryptographic measures must undergo regular audits, evaluations and assessments to ensure their effective adequacy [Art. 32(1)(d), GDPR]. One way to do this is through audits, through which the effectiveness of the policies, procedures, and technical and organizational measures for the processing activity being carried out is verified.

The technical measures identified by the provision and the Guidelines for the storage of passwords are deemed necessary when the processing involves the passwords of

  • a large number of users
  • users who have access to databases of considerable importance or size
  • users who, in a systematic and automated manner, handle data belonging to special categories or relating to criminal convictions and offenses.

In other cases, if measures other than those identified in the document are taken, proof that they guarantee a level of security appropriate to the risk will be required.