The rules have changed for crimes involving computer fraud with digital-identity substitution, credit-card forgery and privacy offences.
For these violations, companies may be held liable under Legislative Decree 231/2001: there will therefore not only be a direct criminal penalty for the manager or employee personally responsible for the criminal conduct, but also an administrative sanction for the company they belong to, which is accused of a sort of “objective liability”.
For the first two crimes, computer fraud with digital-identity substitution and credit-card forgery, there are no major operational consequences. The matter is different for privacy crimes: the company may face sanctions even if one of its employees unlawfully processes customer data.
It is clear that this possibility can affect any business, permanently changing the behavior of those who operate online. To prevent sanctions, companies will no longer be able to simply adopt the 231 models provided for by the 2001 decree: those models will have to be accompanied by new organizational models, needed specifically to counter the newly introduced crimes.
The rule aims to increase consumers' trust in the use of online services, limiting fraud that today holds back a sector that is certainly expanding rapidly. The sanction can reach significant proportions: the judge may impose a fine between one hundred and five hundred quotas, where each quota can have a value between 258 and 1,549 euros, so the sanction can range from 25,800 to 774,500 euros.
Want to know how exposed your website is?
EasyAudit WEB checks websites, portals and e-commerce with a professional external audit designed for SMEs.