ICT Legal Consulting is an international law firm founded in 2011 with offices in Milan, Rome, Bologna, Amsterdam, Athens, Madrid, Helsinki and Melbourne, and a presence in 49 other countries: Albania, Austria, Bangladesh, Belgium, Bosnia and Herzegovina, Brazil, Bulgaria, Canada, China, the Czech Republic, Denmark, France, Germany, Ghana, Hungary, India, Indonesia, Ireland, Israel, Japan, Kenya, Luxembourg, Mexico, Moldova, Montenegro, New Zealand, Nigeria, North Macedonia, Norway, the Philippines, Poland, Portugal, Romania, Russia, Serbia, Singapore, Slovakia, South Africa, South Korea, Sweden, Switzerland, Taiwan, Thailand, Turkey, the UAE, Uganda, the UK, the US and Vietnam.

ICT Legal Consulting was established in 2011 by Paolo Balboni and Luca Bolognini, who have successfully assembled a network of trusted, highly skilled lawyers specialising in the fields of information and communication technology, privacy, data protection/security and intellectual property law.

ICT Legal Consulting’s highly skilled lawyers advise companies and businesses, including multinationals, on legal, ethical and technological issues in the areas of privacy, data protection, and data valorisation, digital rights, IoT, AI, TMT, IP, data governance and integrated compliance models offering a strategic and holistic approach to turn legal advice into a competitive advantage for clients.


1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

In recent years, we have witnessed the creation of a body of legislation that is as innovative as it is admirable, aimed at protecting the activities of the state. In particular, the first piece at the European level is Directive (EU) 2016/1148 of 6 July 2016 on network and information security (the NIS Directive), implemented in Italy through Legislative Decree No. 65 of 18 May 2018, which was followed by Decree-Law No. 105 of 2019 (converted and amended by Law No. 133 of 18 November 2019), which formally established a National Cybersecurity Perimeter (PNSC). The PNSC aims to ensure a high level of security for the networks, information systems and IT services of both the public administration and national public and private services, entities and operators. Subsequently, in implementation of Decree-Law No. 105 mentioned above, Prime Ministerial Decree No. 131 of 30 July 2020 provided the criteria for identifying the subjects included in the PNSC and their related obligations from the point of view of national security protection. Among the subjects that are part of the Perimeter are the operators of the various sectors (eg, space and aerospace, energy, telecommunications, transport, digital services, health and social security institutions), which must indicate in advance the ICT assets that they consider necessary to carry out the activities described above, in order to ensure the integrity, efficiency and security of the data and all the information they process. In this sense, the subjects included in the Perimeter must carry out various activities, such as, by way of example but not limited to, the annual updating of the lists of their ICT assets, risk assessments aimed at precisely identifying risk factors, and the management and implementation of the necessary security measures.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

A security breach may result in the destruction, loss, modification, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. It may occur unlawfully or accidentally and may compromise the confidentiality, integrity or availability of personal data. For example, we speak of a breach of personal data when the following events occur (even simultaneously and cumulatively): access to or acquisition of data by unauthorised third parties; theft or loss of computer devices containing personal data; loss or destruction of personal data due to accidents; and unauthorised disclosure of personal data. The data controller – whether it is a public entity, a company, an association, and so on – must notify the breach to the Italian Data Protection Authority without undue delay and, where possible, within 72 hours of the moment it became aware of it. Similarly, a data processor that becomes aware of a possible breach must promptly inform the data controller, so that the latter can take action. It should also be noted that a notification made to the Italian Data Protection Authority after the 72-hour deadline must be accompanied by the reasons for the delay. Finally, the personal data breach must be communicated to the data subjects concerned if it is likely to involve a high risk to the rights and freedoms of individuals. It should be borne in mind that, independently of the notification to the Italian Data Protection Authority, the controller and the processor are required to document all breaches in a dedicated register, in order to allow the Authority to carry out any verification activities in accordance with the regulations.

However, in terms of assessment, the impact of the data breach is related to the nature of the data breached. If the breach concerns sensitive data (such as, for example, financial information, or data relating to health, religious or political orientation), it is highly likely that it will involve a risk for those concerned. On the other hand, a breach involving only general information (such as, for example, name, surname and email address) is less likely to pose a risk to data subjects. Moreover, again for the purposes of the assessment, it is necessary to verify whether, as a consequence of the breach, natural persons may suffer physical, material or non-material damage. The occurrence of a personal data breach, especially one involving sensitive data, may generate impacts of a discriminatory, reputational or financial nature. Therefore, this assessment must be carried out individually for each incident, as – depending on the concrete case – seemingly similar breaches may lead to very different outcomes.

In this sense, the Recommendations provided by ENISA offer valuable support in identifying a methodology for assessing personal data breaches. Furthermore, the Guidelines provided by the European Data Protection Board (EDPB) not only represent a collection of examples of notifications received over the years, but also provide support for data controllers throughout the entire process (ie, from the initial assessment of the risk and the related threat to the evaluation of preventive measures and, finally, the occurrence of the incident).

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

The effects that can derive from a security incident are multiple and vary according to the type of organisation that has suffered the attack, the data breached and the organisation's ability to manage the incident. In order to mitigate the impacts that may result from an incident, it is of fundamental importance to equip the organisation with appropriate technical and organisational measures. From an organisational perspective, an IT security incident response plan must be prepared, documented and regularly updated, including the activation of the relevant functions for proper and efficient incident management. This gives the organisation a better chance of mitigating any associated risks and limiting the impact of the incident. In addition, the presence of an effective incident management plan ensures a greater ability for the organisation to continue its ‘critical’ activities and thus ensure business continuity without impacting its reputation. On the other hand, from a technical point of view, the organisation should implement incident detection solutions, such as, for example, a SIEM (security information and event management) system or a SOC (security operations centre). In the first case, this is a system that centrally collects logs and events generated by networked applications and systems, allowing security analysts to reduce the time required to investigate and resolve security alerts and incidents. In the second case, the SOC is a structure in which all information about the security status of the IT of one or more companies is centralised (where it serves more than one company, the SOC belongs to a managed security service provider, MSSP).

In addition, it is essential that clear roles, tasks and deadlines are assigned to each manager and that these are formally set out in a procedure. A key role is also played by the emergency response team, whose task is, first, to assess the incident and ascertain whether it should be considered a data breach. Next, if the incident consists of a data breach, the organisation will need to verify whether, under article 33 of the GDPR, the incident should be notified to the Authority and the data subjects whose data was breached. To best perform this activity, it is advisable for the organisation to have both a data breach assessment unit and a data breach management unit. It should also be pointed out that the risk could be made public even if the event does not have to be communicated to the data subjects, for example, if a firm suffers a phishing attack from a hacker. This could result in both an economic impact on the organisation – caused by the imposition of fines on the organisation – and a reputational impact that could also lead to contractual losses with partners and suppliers.

As such, we advise our clients to maintain a proactive approach to data breach communication. It is precisely for this reason that many companies decide to inform data subjects of a breach, despite the fact that it is not legally required by the GDPR. In this way, the organisation demonstrates to its customers that it is taking all necessary measures, generating a relationship of trust with them. It is crucial for organisations not to underestimate the impact of a data breach and be perceived as trustworthy by their customers. This can be achieved by implementing all appropriate technical and organisational measures, including the introduction of staff training to minimise the risk of human error. Finally, if the incident has been caused by an intentional action, it is advisable to report the incident to the police, in order to avoid possible accusations of complicity or co-responsibility with the attackers.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

One of the most important security measures followed by organisations is the scheduling of training courses for personnel. The aim is, on the one hand, to increase the level of preparation and awareness of employees and, on the other hand, to prevent human error. Personnel who are not subjected to continuous training represent one of the highest sources of human-error risk for a company. Therefore, training should cover both the main threats to cybersecurity and the behavioural norms that must be adhered to in order to limit those threats. Digital platforms are the best solution for conducting targeted courses (eg, webinars, training events, tests and, in general, all training activities) aimed at increasing staff awareness through theoretical notions and practical activities (eg, final learning tests) on cybersecurity and privacy issues. Another security measure is the formalisation of the best practices adopted by organisations, in compliance with the main international standards on privacy and cybersecurity, through appropriate policies and procedures. Finally, the implementation of adequate controls on human resources is also a valid security measure, aimed at reducing the probability of accidental or malicious threats, for example, background and competency checks on all candidates for employment.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

The increasing use of the cloud for information storage has increased the focus on protecting the data it contains. In particular, the security of such information becomes essential in the case of clouds that store personal data. In this context, there are two international standards of reference, namely, the ISO 27017 standard and the ISO 27018 standard. These two standards extend the controls of ISO/IEC 27001 and introduce specific additional controls.

Specifically, ISO 27017 ‘Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services’ defines general security controls for both cloud service providers and their customers.

ISO 27018 ‘Code of Conduct for the Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Managers’ is a code of conduct for cloud providers that focuses on the protection of personally identifiable information (PII) in public cloud services, constituting guidelines for cloud providers acting as data controllers. Both standards should be integrated into ISO 27001 certification when the scope includes cloud services. They also imply the need for specific training on the cloud, particularly its critical aspects and the management of related access rights. Training, therefore, should be targeted at administrators, users, employees and third parties.

When moving to a cloud hosting environment, it is also essential to ensure business continuity, as regulated by ISO 22301 ‘Societal security – Business Continuity Management Systems – Requirement’. This standard concerns the construction and continuous improvement of the level of business resilience. Specifically, it defines the requirements necessary for the planning, implementation and monitoring of a documented management system, aimed at the continuous improvement of the management system. In particular, compliance with this standard ensures not only greater protection of the organisation’s information, thereby reducing the likelihood of business or security incidents, but also optimises response times and recovery activities following a security incident.

In addition to these, there is also the ANSI/TIA-942 standard for data centre protection. The American National Standards Institute (ANSI) is a body that certifies the guidelines on how infrastructures must be built; while the Telecommunications Industry Association (TIA) is an ANSI-accredited association created to voluntarily develop standards based on the consensus of organisations for a wide variety of ICT products.

In this regard, there are also two codes of conduct for personal data protection and cloud computing to refer to, both of which have been endorsed by the EDPB: the EU Cloud Code and the Cloud Infrastructure Service Providers Code.

In accordance with the above, organisations should perform a number of checks and evaluations against cloud solution providers. First, they should verify the technical and organisational security measures offered by the cloud solution provider and pay particular attention to the location of data centres. This is also relevant by virtue of the fact that many cloud providers use data centres located in different countries, even outside the European Economic Area, as indicated by article 46 of the GDPR, which provides appropriate safeguard clauses for this type of transfer aimed at data protection. Moreover, when a company relies on a cloud provider, it should ensure the legitimacy of the data transfer, also in light of the requirements established by the European Court of Justice – following the well-known Schrems II judgment – and the recommendations provided by the EDPB. Finally, the customer who relies on the cloud service provider should carry out an assessment of the risks arising from the transfer of data, calculating the likelihood of that risk occurring and the impacts it could generate. In this assessment, it is necessary, therefore, to analyse the security measures implemented by the provider aimed at limiting the impacts, as well as the additional security measures to be implemented aimed at mitigating any impacts. Such an assessment is necessary because, according to the recommendations provided by the EDPB and in accordance with the Schrems II judgment, if the security measures envisaged are not adopted or are adopted only in part, so as to be insufficient, the transfer should be suspended, or the competent supervisory authority should be notified.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The Italian government has set up a national police unit that aims to conduct investigations into cybercrimes and cyberterrorism and to protect critical national infrastructure. Moreover, with Legislative Decree 65/2018, the Italian Computer Security Incident Response Team (CSIRT) was established within the Department for Information Security of the Presidency of the Council of Ministers, whose mandate is to monitor incidents at the national level. The Italian CSIRT is also part of the CSIRT network, composed of the CSIRTs appointed by EU member states. Further tasks of the CSIRT concern the issuing of early warnings, alerts and announcements, the dissemination of information to interested parties on risks and incidents and, above all, intervention in the case of cybersecurity incidents. With regard to computer crimes punished under Italian criminal law, many offences are punished by the Penal Code. For example, unauthorised access to computer systems, damage to computer systems and computer fraud are punished, respectively, under articles 615-ter, 635-bis and 635-quater, and 640-ter of the Penal Code. These offences can be committed by anyone and cover most of the actions that can be carried out by means of computer tools. They carry more severe punishment if committed by a person who qualifies as a system administrator, and in that case become prosecutable ex officio. Recently, the Italian Supreme Court held that digital documents are assets with content capable of being appropriated, and therefore capable of constituting the offence of theft punished by article 624 of the Penal Code. In the Italian criminal legislative landscape, the computer crimes mentioned above are also relevant under article 24-bis of Legislative Decree 231/2001. This means that if those crimes are committed on behalf of a legal entity, the company will be liable for them.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

In the evaluation that companies carry out during M&A transactions, one of the most important aspects to take into account is the level of IT risk of the target organisation and the security measures it has put in place to protect its information assets. In this sense, it is appropriate to speak of data protection compliance and cybersecurity due diligence. In fact, it should be underlined that accurate privacy compliance and careful protection of data and its quality, which can influence the actual value of the target organisation's databases and information resources, are fundamental evaluation parameters. As an example, consider that a large database of clients or potential clients can be a valuable resource that carries weight in negotiations, but if the database has not been built in full compliance with all the provisions of privacy law (for example, if the consent of data subjects has not been properly obtained), there is a serious risk that the entire data set will be unusable and will need to be deleted. Concomitantly, a security risk-based approach should also be taken to objectively determine and assess the cybersecurity threat scenarios that could impact the target organisation, together with the likelihood of their occurrence and their potential impact. In fact, as a first step, an assessment should be made that includes all aspects that have a major impact on the business and the potential threats that could affect the stakeholders before, during and after the M&A process. In particular, the cyber governance of the target organisation should be assessed, considering the technical and organisational measures implemented, the resources employed and the level of corporate awareness. In this regard, it is of fundamental importance to verify that the target organisation conducts regular training on privacy and cybersecurity and that it implements internal security measures aimed at certifying the effectiveness and efficiency with which all cybersecurity-related activities are conducted. A few examples: software and firmware updates, review of authorisation profiles, firewall rules and other configurations, management of an inventory of resources, prevention and detection of possible attacks from both outside and inside the organisational environment, and management of incident response and recovery activities.

Quantifying the value of all the target organisation’s information assets (for example, if these assets are part of the core business), is also important for assessing the impact of potential security incidents. This impact sometimes depends on the type of technology platforms used by the target organisation (eg, cloud, on-site, physical machines or virtual machines, choice of operating systems and databases) and, consequently, the security measures implemented.

Finally, consideration should be given to whether the target organisation has (third-party) vendors. If so, it is prudent to conduct an assessment of the security measures implemented by those vendors within their organisation and in relation to the service/product offered to the target organisation, through second-party audits of each vendor’s technical and organisational infrastructure.


The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

With the accelerated growth of the digital security market, the demand for competent and up-to-date cybersecurity specialists is increasing. This type of consultancy requires continuous professional training, multidisciplinary skills in privacy, a good knowledge of how technology works and good communication skills.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The GDPR requires organisations to comply with the principle of accountability, implementing all appropriate technical and organisational measures to ensure – and demonstrate – that data processing is carried out in accordance with this Regulation. Data protection has taken on a central role, and the development of new technologies must be carried out in compliance with international standards and the GDPR, with a view to privacy by design and privacy by default, namely right from the design phase.

How is the privacy landscape changing in your jurisdiction?

The Italian privacy landscape has undergone an enormous evolution with the introduction first of the GDPR and then of the ePrivacy Regulation. As a result, important challenges have been posed for a variety of organisations, both public and private, in terms of personal data protection. However, the EU privacy rules will have finally completed their modernisation process.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

The Clusit Report 2022 – March 2022 Edition shows that global attacks increased by 10 per cent compared to the previous year, and that these attacks are more serious. In particular, attacks towards Europe have grown to 21 per cent of the total, up from 16 per cent in the previous year. Cybercriminals are no longer hitting multiple targets, but very specific targets. A large portion of data breaches also occurs due to human error, which can be mitigated through staff training.