Criminal law profiles of the management of a security incident

Once a security incident has occurred, two main types of obligation arise, and both may carry implications of a criminal law nature.

The first, as already seen above, is the obligation to notify the Garante of the breach and, in certain cases (e.g. for subjects falling within the cyber security perimeter) and regardless of whether a personal data breach has occurred, to notify the other competent Authorities (CSIRT, NIS Authority) once the relevant indicators are met. Failure to make these communications and notifications is usually punished with administrative sanctions, but in the most serious cases it may also be punishable under criminal law, as may failure to cooperate with the Authorities or the transmission to them, during their inspection and assessment activities, of untrue data or information.

The second is the need to collect every element capable of reconstructing the dynamics of the security incident, both to manage and resolve its consequences as effectively as possible and, where possible, to identify the perpetrators of any unlawful conduct.

In the case of security incidents, the search for and collection of evidence must be carried out using digital forensics activities and techniques, so as not only to allow the effective identification of every relevant element but also, and above all, to ensure the reliability and non-repudiation of the results of the collection, as well as the possibility of repeating the investigations in subsequent judicial proceedings without the object of the first investigations having been irreparably changed or altered by them. The latter aspect is central where such elements are to be used in proceedings, such as criminal proceedings, that are governed by specific guarantees and prohibitions on the acquisition and use of evidence. The more complex and invasive the investigations to be undertaken on the computer system involved in the security incident, the greater the need to rely on specialised personnel capable of applying the most appropriate and effective forensic investigation techniques.
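The reliability, non-repudiation and repeatability requirements described above are, in practice, met by hashing each artefact at acquisition, keeping an append-only chain-of-custody log, and re-hashing the stored copy whenever it is examined again. The script below is an added illustration written for this page, not code from the original article or from any authority it mentions; the file names, examiner identifiers, case number and log format are assumptions chosen for the example.

```python
"""Added example (not from the original article): an evidence-acquisition
helper that records cryptographic hashes and a chain-of-custody log so a
collected artefact can be re-examined later and shown to be unaltered.
All paths, names and the log format are assumptions for illustration."""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images need not fit in memory


def sha256_of(path):
    """Return the hex SHA-256 digest of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_evidence(source, evidence_dir, examiner, case_id):
    """Copy `source` into `evidence_dir` and return a custody record.

    The original is hashed before and after the copy so the record itself
    shows the acquisition did not change it (repeatability), and the copy
    is hashed so any later alteration of the working copy is detectable.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    hash_before = sha256_of(source)
    dest = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copyfile(source, dest)
    hash_after = sha256_of(source)
    if hash_before != hash_after:
        raise RuntimeError("source changed during acquisition; repeat with a write-blocked source")
    hash_copy = sha256_of(dest)
    if hash_copy != hash_before:
        raise RuntimeError("copy does not match original; acquisition failed")
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_path": os.path.abspath(source),
        "evidence_path": os.path.abspath(dest),
        "sha256": hash_copy,
        "size_bytes": os.path.getsize(dest),
    }
    # Append-only custody log: one JSON line per acquisition or verification event.
    with open(os.path.join(evidence_dir, "custody.log"), "a") as log:
        log.write(json.dumps({"event": "acquire", **record}) + "\n")
    return record


def verify_evidence(record, examiner):
    """Re-hash the stored copy and append a verification event; True if unaltered."""
    ok = sha256_of(record["evidence_path"]) == record["sha256"]
    log_path = os.path.join(os.path.dirname(record["evidence_path"]), "custody.log")
    with open(log_path, "a") as log:
        log.write(json.dumps({
            "event": "verify",
            "case_id": record["case_id"],
            "examiner": examiner,
            "verified_at": datetime.now(timezone.utc).isoformat(),
            "evidence_path": record["evidence_path"],
            "match": ok,
        }) + "\n")
    return ok


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    # Constructed sample artefact standing in for a collected log file.
    src = os.path.join(work, "auth.log")
    with open(src, "w") as f:
        f.write("2024-01-01T00:00:00Z sshd: Failed password for root\n")
    rec = acquire_evidence(src, os.path.join(work, "evidence"), "examiner-1", "CASE-0001")
    print("acquired", rec["sha256"])
    print("intact:", verify_evidence(rec, "examiner-2"))
```

The script hashes the original twice, before and after copying, because the point of a forensic acquisition is that the examined object is left exactly as it was; a mismatch between the two digests means the source was written to during the copy and the acquisition must be repeated from a write-blocked source. In a real engagement the custody log would be kept on separate, access-controlled storage and each entry signed by the examiner, so that a later party can confirm both who handled the artefact and that its digest never changed.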

Assessing the severity of the incident and notifying the appropriate authorities