An interview with ICT Legal Consulting discussing privacy & cybersecurity in Italy

Published on October 11th, 2021


Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.


1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

The year 2020 brought an important advance with the implementation in Italy of the National Cybersecurity Perimeter, a set of measures aimed at ensuring a high level of security for the public administration networks, information systems and IT services, as well as for national, public and private entities and operators. It includes provision for appropriate measures to ensure the necessary security standards to minimise risks, while allowing for the most extensive use of the most advanced tools offered by information and communications technology (ICT).

Prime Ministerial Decree No. 131/2020, which entered into force in November 2020, defined the criteria for identifying the entities to be included in the Perimeter and the obligations imposed on them to safeguard national security.

Entities included in the Perimeter’s scope will have to carry out important tasks, such as updating lists of their ICT assets annually, carrying out risk assessments to identify incident risk factors, and managing and implementing the necessary security measures. Furthermore, the aforementioned entities should indicate the ICT assets they need and the related risk assessments, to ensure their integrity and efficiency and the security of the data and information they contain.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

From a personal data perspective, all data breaches must be notified to the Supervisory Authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. Breaches will only be communicated to data subjects when they are likely to result in a high risk to the rights and freedoms of natural persons.

Depending on the nature of the data breach, the assessment should take into consideration different elements. It should consider the kind of personal data affected. A breach that impacts sensitive data (eg, financial information, or data related to health, ethnic origin or political opinions) is generally more likely to result in a risk for the data subjects, compared with a breach that concerns only general information (eg, name, surname, email address). In the event of a confidentiality breach, it is fundamental to verify the likelihood of data subjects being easily identified using the leaked information. More generally, it is necessary to assess whether the individuals involved may suffer physical, material or non-material damage; for example, discrimination, identity theft or fraud, financial loss or damage to reputation. It is important that such an assessment is conducted for every incident, on a case-by-case basis, as similar breaches may have very different outcomes, depending on many factors that are not always easily predictable.

The ENISA recommendations for a methodology for assessing the severity of a personal data breach are a useful tool and may help controllers carry out data breach assessments.

In this context, earlier this year, the European Data Protection Board (EDPB) published its ‘Guidelines 1/2021 on Examples regarding Data Breach Notification’ for public consultation. Starting from the most frequent cases of notifications received in the past two years by the various European supervisory authorities, the EDPB seeks to support data controllers not only when the incident has occurred, but also, above all, in the phases of risk and potential threat assessment and with respect to the adoption of appropriate prevention measures by identifying cases in which notification should be made. The examples reported in the Guidelines concern ransomware, exfiltration and the theft or loss of devices and paper documents.
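The ENISA severity methodology mentioned in the answer above scores a breach as SE = DPC × EI + CB (data processing context, ease of identification, circumstances of the breach). The following is an added example that is not part of the interview and not ENISA's or ICT Legal Consulting's own tooling: the scale values and the low/medium/high/very high thresholds follow the 2013 ENISA document, while the `Breach` type and the four sample cases are constructed for illustration. The resulting level informs, but does not replace, the Article 33/34 GDPR risk assessment the answer describes.

```python
"""Personal data breach severity scoring along the lines of ENISA's 2013
"Recommendations for a methodology of the assessment of severity of personal
data breaches": SE = DPC x EI + CB. Added example code; the Breach type and the
sample cases are constructed, not ENISA's or the interviewee's material."""
from __future__ import annotations

from dataclasses import dataclass

# Data Processing Context (DPC): base score set by the most sensitive category involved.
DPC_BASE = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}
# Ease of Identification (EI): how readily the leaked data points to a real person.
EI_SCORE = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}
# Circumstances of Breach (CB): each security property lost adds 0.25 (contained or
# recoverable) or 0.5 (unknown recipients / unrecoverable); malicious intent adds 0.5.
LOSS_SCORE = {"none": 0.0, "partial": 0.25, "full": 0.5}


@dataclass(frozen=True)
class Breach:
    data_type: str                 # key of DPC_BASE
    identifiability: str           # key of EI_SCORE
    dpc_adjustment: int = 0        # -1..+1 for context factors (volume, vulnerable subjects)
    confidentiality: str = "none"  # partial: known recipients; full: unknown recipients
    integrity: str = "none"        # partial: altered but recoverable; full: not recoverable
    availability: str = "none"     # partial: temporary; full: permanent loss
    malicious_intent: bool = False


def data_processing_context(b: Breach) -> int:
    """Base DPC score for the data category, adjusted by context and clamped to 1..4."""
    return max(1, min(4, DPC_BASE[b.data_type] + b.dpc_adjustment))


def circumstances_of_breach(b: Breach) -> float:
    """Sum of the CIA losses plus 0.5 when the breach was deliberate."""
    cb = LOSS_SCORE[b.confidentiality] + LOSS_SCORE[b.integrity] + LOSS_SCORE[b.availability]
    return cb + (0.5 if b.malicious_intent else 0.0)


def severity_score(b: Breach) -> float:
    return data_processing_context(b) * EI_SCORE[b.identifiability] + circumstances_of_breach(b)


def severity_level(score: float) -> str:
    """ENISA bands: <2 low, 2-3 medium, 3-4 high, >=4 very high."""
    if score < 2:
        return "low"
    if score < 3:
        return "medium"
    if score < 4:
        return "high"
    return "very high"


def assess(b: Breach) -> tuple[float, str]:
    score = severity_score(b)
    return score, severity_level(score)


# Constructed sample incidents (hypothetical, for illustration only).
SAMPLE_CASES = {
    # Encrypted laptop lost; names and e-mails only, backup exists -> brief unavailability.
    "lost_encrypted_laptop": Breach("simple", "limited", availability="partial"),
    # E-mail with a customer list sent to one wrong, known recipient.
    "misdirected_email": Breach("simple", "significant", confidentiality="partial"),
    # Payroll file exfiltrated via phishing; bank details, recipients unknown.
    "payroll_exfiltration": Breach("financial", "significant", confidentiality="full",
                                   malicious_intent=True),
    # Ransomware on a clinic's records: no backup, no evidence of exfiltration.
    "ransomware_health_records": Breach("sensitive", "significant", availability="full",
                                        malicious_intent=True),
}


if __name__ == "__main__":
    for name, breach in SAMPLE_CASES.items():
        score, level = assess(breach)
        print(f"{name:28s} SE={score:.2f}  {level}")
```

The `dpc_adjustment` field is where the case-by-case factors the answer stresses (volume of records, vulnerable data subjects, data already public) move the base category up or down; the methodology bounds that adjustment so that, for example, a large volume of simple data never outranks a small set of health data on its own.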

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

A data security incident may have multiple negative outcomes and not all effects may be immediately evident. The first and most immediate risk is of the inability to detect an incident promptly and activate the relevant functions to manage it correctly in the most efficient way, so mitigating the risks for the individuals involved and limiting the impact of the incident on business continuity and corporate reputation. To address this risk, organisations should already have in place robust technical solutions to detect incidents (eg, security information and event management – SIEM) and procedures that assign clear roles, tasks and timelines to each responsible party.

An emergency response team should be established, with the task of assessing the incident and ascertaining whether it should be considered a data breach (step one). If the incident is determined to be a data breach, the organisation should then assess whether, under Article 33 of the EU General Data Protection Regulation (GDPR), it is necessary to notify the incident to the supervisory authority and to the data subjects whose data has been impacted (step two). In this respect, we typically advise our clients to have a data breach assessment unit in place to address step one and a data breach management unit to handle step two.

Even if the event does not need to be communicated to data subjects, there still is the risk of the incident being made public; for example, where data subjects experience issues accessing their personal data or using a service, or if they are the victim of phishing attacks carried out by hackers using personal data obtained illicitly from an organisation. This may lead to reputational damage for the organisation that suffered the breach. In fact, a data leak not only has an economic impact on an organisation (eg, risk of sanctions, or contractual losses in relation to partners and suppliers), but, as various studies show, very often it also has an impact on brand reputation. In this respect, a proactive approach to data breach-related communication is, in the majority of cases, advisable for corporations. In many cases, in fact, companies decide to inform data subjects that a breach has occurred, even if it is not legally required under the GDPR. This is because it is a matter both of client trust and of reassuring clients that the company is taking all necessary steps to protect them.

It is very important for organisations to be perceived as trustworthy by their customers and having privacy as a key brand value may help to increase trust. To this end, organisations should not underestimate the impact of a data breach. In light of Article 32 of the GDPR, appropriate technical and organisational security measures should be implemented, and considerable importance given to the training of personnel on the proper use of data and on how to avoid cyber risk.

In addition, there may be a risk of incurring contractual liability towards clients on whose behalf the organisation processes personal data. It is therefore good practice also to report the incident to the police, to avoid accusations of complicity or co-responsibility with the attackers (if the incident has been caused by an intentional action).

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

To increase preparedness and awareness concerning the primary cybersecurity threats, organisations need to put in place efficient training programmes for all staff. Training is, in fact, the most important security measure to prevent human errors. A good way to deliver training courses for all personnel is to implement digital platforms containing training courses or tips on cybersecurity and privacy issues. Furthermore, organisations must formalise the technical and organisational security best practices they have adopted, in accordance with the main international standards on privacy and cybersecurity, by drawing up specific organisational policies and procedures. In addition, putting in place adequate and proportionate human resources controls at all stages of employment helps to reduce the likelihood of accidental or malicious threats. In this regard, it is good practice to perform background and competence checks on all employment candidates.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

From a data security perspective, an organisation that decides to move to a cloud hosting environment should refer to the international standard ISO/IEC 27017 ‘Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services’. Some of the topics outlined in this standard concern information stored in the cloud computing environment that may be subject to access and management by the cloud service provider, the users of the cloud service and the context in which they use it.

They also address the need for specific training for administrators, users, employees and third parties, on the cloud and its critical aspects, and how to manage access rights in a cloud environment.

Moreover, moving to a cloud hosting environment will certainly enhance the management of corporate business continuity (as regulated by international standard ISO 22301). This is particularly important in terms of protecting the organisation, reducing the likelihood of business or security incidents and optimising response times and recovery activities following a security incident.

In addition, with regard to the assessment of the infrastructure quality of data centres, the Telecommunications Industry Association standard ANSI/TIA-942 is based on an approach that provides a multi-level analysis of the resilience and reliability of data centre infrastructures, classified in tiers ranging from Level 1 to Level 4. The physical security of data centres plays a key role in optimising their performance in terms of availability (ie, uptime), thus reducing downtime due to accidents or sabotage.

Regarding personal data protection, the EDPB recently approved two codes of conduct on data protection and cloud computing – the EU Cloud Code and the Cloud Infrastructure Service Providers Code.

There is also another code of conduct in the pipeline – the Cloud Security Alliance Code of Conduct for GDPR Compliance.

More generally, in addition to conducting a thorough evaluation of the technical and organisational security measures offered by the provider of the cloud solution, particular attention should be paid to the location of data centres to avoid carrying out any unlawful transfer of personal data stored in the cloud. In fact, many cloud providers use data centres located in different countries, including outside the European Economic Area, meaning that transfers should be subject to the appropriate safeguards mentioned in Article 46 of the GDPR. For example, when a cloud provider proposes that clients rely on standard contractual clauses, the client needs to conduct a further assessment to ensure the lawfulness of transfers and compliance with the requirements laid down by the European Court of Justice in the Schrems II case and, more precisely, with the recent Version 2.0 of the EDPB Recommendations on measures supplementing transfer tools to ensure compliance with EU levels of personal data protection.

This implies carrying out a transfer impact assessment, which should ascertain whether the provider (which acts as a processor for its clients) is subject to any local laws or regulations that may require it to process client personal data in ways outside the limits of the client’s instructions (eg, laws requiring disclosure of client personal data to law enforcement authorities). Where this is the case, it should also be determined whether measures can be effectively implemented to prevent mass or indiscriminate access to client personal data by or on behalf of local law enforcement authorities or other local public bodies. According to the EDPB Recommendations and the Frequently Asked Questions on the Schrems II judgment, adopted by the EDPB last year, where no or insufficient measures are implemented, the transfer should be suspended or a notification sent to the competent supervisory authority.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

There is a unit of the Italian National Police dedicated to conducting investigations into cybercrime, including cyberterrorism and the protection of critical national infrastructures.

Furthermore, Legislative Decree 65/2018 established the Italian Computer Security Incident Response Team (CSIRT) within the Information Security Department of the Presidency of the Council of Ministers.

The CSIRT’s remit includes the monitoring of incidents at national level. The CSIRT issues early warnings, alerts and announcements, and disseminates information to stakeholders on risks and incidents. It intervenes in the event of cybersecurity incidents and participates in the CSIRT network, a network composed of EU Member States’ appointed CSIRTs.

The principal cybercrimes punished in the Italian Criminal Code concern abusive access to computer systems, damage to computer systems, and computer fraud, under Articles 615-ter, 635-bis and 635-quater, and 640-ter of the Code respectively. These provisions criminalise the most important forms of cybercrime that can be committed by an organisation’s employees or by cybercriminals, such as unauthorised access to employees’ email accounts, and phishing and ransomware attacks.

Additionally, Article 24-bis of Legislative Decree 231/2001, on ‘Computer crimes and unlawful data processing’, punishes organisations where the type of criminal conduct mentioned has been committed in the interest of and to the advantage of the organisation. Notably, this Decree also provides that conduct punishable as a cybercrime may also result in the liability of an organisation itself where the conduct is committed to the advantage of that legal entity.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

Nowadays, one of the most important evaluation elements in M&A transactions is certainly the cyber risk of the target organisation, as well as the way in which the target protects its information assets. In this regard, we can talk about data protection compliance and cybersecurity due diligence. A thorough privacy compliance assessment should be carried out to understand the target’s compliance posture, which may affect the actual value of its databases and information assets. We suggest that our clients focus on data quality. For example, a large database of customers or prospects may be a valuable asset, one that carries weight in the negotiations, but if the database has not been developed in full compliance with all the applicable provisions of privacy law (eg, if the consent granted by data subjects cannot be duly evidenced), there is a serious risk that the whole dataset may be unusable and should be deleted.

Complementarily, a security risk-based approach should be adopted to objectively determine and assess cybersecurity threat scenarios that could occur with respect to the target organisation, accompanied by the probability of their occurrence and potential impact. As a first step, it is important to consider the potential threats that could target the parties concerned, before, during and after the M&A process. This assessment includes all aspects that have a major impact on the business. In particular, the cyber governance of the target organisation should be assessed (ie, how cybersecurity is managed within the organisation, considering the technical and organisational measures implemented, the resources employed, awareness of cybersecurity issues, etc). It is important to ensure that the target organisation carries out regular training on cybersecurity issues and implements internal security measures aimed at certifying the effectiveness and efficiency with which cybersecurity activities are conducted (ie, regarding software and firmware updates, the review of authorisation profiles, firewall rules and other configurations, the management of an asset inventory, the prevention and detection of possible attacks from both outside and inside the organisational environments, the management of incident responses and recovery activities).

As a second step, it is important to quantify the value of all the target organisation’s information assets (eg, whether those assets are part of its core business), to better assess the impact of potential security incidents. This usually depends on the kind of technological platforms used by the target organisation (eg, cloud, on-site, physical or virtual machines, choice of operating systems, and databases) and, consequently, the security measures implemented.

The third element to take into consideration is the presence of the target organisation’s suppliers (ie, third parties). In this case, it will be necessary to carry out a security assessment and a second-party audit of each supplier’s technical and organisational infrastructure.


The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

Lawyers that provide legal cybersecurity consultancy should possess multidisciplinary expertise in privacy, cybercrime and cybersecurity from a legal point of view and some degree of knowledge of how the technology works. They should have good communication skills, be capable of working under pressure and able to deal with a range of stakeholders. Finally, they should always be up to date with new international security regulations, standards and guidelines, as well as with world news about cyberattacks and known vulnerabilities.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Following the 2018 amendments to adapt Italy’s pre-existing legislation to the GDPR, data protection took centre stage, creating a new challenge for professionals. Technologies such as artificial intelligence and cloud computing, in combination with big data, have created incredible opportunities for the development of new products and services, but these developments need to be carried out in compliance with data protection and data security by design.

How is the privacy landscape changing in your jurisdiction?

Italian privacy legislation can be divided into the pre- and post-GDPR eras. It is impossible to say what the outcomes of the many challenges that the GDPR has posed will be, but the next significant piece of legislation will be the ePrivacy Regulation. With it, the EU privacy rules will finally have completed the process of modernisation.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

Companies should give special consideration to ransomware attacks, as well as to phishing and spear-phishing attacks. According to ‘The State of Ransomware 2021’, 31 per cent of Italian organisations were subject to ransomware attacks in 2020, with an average remediation cost of US$680,000. Nonetheless, as most data breaches occur because of human error, training and awareness play a paramount role.
