Poste Italiane and unauthorized access

In its judgement of 15 March 2012, the Court of Siracusa ordered Poste Italiane to compensate the economic damages suffered by one of its customers as a result of a third party's unauthorized access to his online personal account and the consequent misappropriation of a large sum of money.

The Sicilian judge based the ruling on article 31 of Legislative Decree No. 196/2003 (which requires the controller of personal data to adopt security measures preventing unauthorized access), article 15 of the same decree (which makes the controller liable for damages suffered by third parties as a result of the data processing unless he proves that all suitable precautions to prevent the damage were adopted) and article 1176, second paragraph, of the Italian Civil Code on professional diligence.

The Court of Siracusa thus followed an earlier opinion of the Court of Palermo (judgement of 20 December 2009) which, in a case concerning an unauthorized bank transfer, had qualified such a situation as identity theft and had consequently applied the provisions of the Italian Data Protection Code on the controller's liability for damages linked to the data processing.

The case before the Court of Siracusa concerned the misappropriation of 10,000 euros from the account of a Poste Italiane customer by a third party who had managed to "bypass" the security system. After logging in successfully, this person transferred the sum to another account (at 11:01) and immediately withdrew it (at 11:02).

On this point, the Sicilian judge found that the anti-fraud security system had recorded that the IP address of the requester differed from the IP address habitually used by the account holder.

Despite this, no further verification was performed.

As a result, the judge found Poste Italiane culpably negligent for having authorized the transfer within such a short interval (1 minute) without verifying that the payment order genuinely came from the account holder.

The decision deserves appreciation where it recognizes that merely implementing a monitoring system is not sufficient to exclude liability for the resulting damages.

Some doubts remain, however, as to which precautions must be adopted. Given that in today's information society anyone may access Internet resources (including a bank account) from any device (PC, notebook, smartphone), we are of the opinion that a difference between the IP address in use and the one habitually used cannot, on its own, be considered decisive.

It would instead be advisable to adopt a strong authentication system (such as sending an alphanumeric PIN code to a telephone number indicated by the account holder) in order to increase citizens' confidence in online transactions.
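As an added illustration, not part of the original post and not Poste Italiane's own system, the following Python sketch shows a step-up rule of the kind argued for above: an unfamiliar IP address alone is not treated as decisive, but any anomaly prevents the order from being executed silently and a one-time code sent to the registered telephone number is required. The account profile, the IP addresses, the amount and timing thresholds, the "hold" tier and SMS as the delivery channel are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class TransferRequest:
    account: str
    source_ip: str
    login_at: datetime
    requested_at: datetime
    amount_eur: int

# Constructed profile (assumption): addresses taken from documentation ranges.
HABITUAL_IPS = {"acct-1": {"198.51.100.7"}}
LARGE_AMOUNT_EUR = 5_000                  # assumed threshold
SOON_AFTER_LOGIN = timedelta(minutes=5)   # assumed threshold

def risk_signals(req, habitual_ips=HABITUAL_IPS):
    """Anomalies the monitoring system can observe on a transfer order."""
    signals = []
    if req.source_ip not in habitual_ips.get(req.account, set()):
        signals.append("unfamiliar_ip")
    if req.amount_eur >= LARGE_AMOUNT_EUR:
        signals.append("large_amount")
    if req.requested_at - req.login_at <= SOON_AFTER_LOGIN:
        signals.append("soon_after_login")
    return signals

def decide(req, habitual_ips=HABITUAL_IPS):
    """'allow' only with no anomaly; otherwise 'step_up' (one-time code to the
    registered phone) or 'hold' (also confirm with the account holder)."""
    signals = risk_signals(req, habitual_ips)
    if not signals:
        return "allow"
    if "unfamiliar_ip" in signals and "large_amount" in signals:
        return "hold"
    return "step_up"

def issue_otp():
    """Six-digit one-time code; assumed delivery channel is SMS."""
    return "".join(secrets.choice("0123456789") for _ in range(6))

def verify_otp(expected, submitted):
    return hmac.compare_digest(expected, submitted)  # constant-time compare

def make_request(source_ip, minutes_after_login, amount_eur):
    """Constructed order for 'acct-1'; login assumed at 11:00."""
    login = datetime(2012, 1, 1, 11, 0)
    return TransferRequest("acct-1", source_ip, login,
                           login + timedelta(minutes=minutes_after_login), amount_eur)
```

With the constructed order `make_request("203.0.113.9", 1, 10_000)`, mirroring the facts of the case, all three signals fire and the order is held rather than executed on the monitoring result alone.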

In any case, we would like to analyze the impact of Legislative Decree No. 11/2010, which implements Directive 2007/64/EC on payment services and regulates the notification of unauthorized operations (art. 9), requests for refunds (art. 11) and the service provider's obligations regarding system security (art. 8).
