Cybersecurity and information security

In recent years, the topic of cybersecurity has come forcefully to the attention of companies, public administrations and, above all, European and Italian legislators.

The reason for this renewed centrality of cybersecurity issues lies in the data and the numbers related to cyber-attacks. The total cost of cyber-attacks amounts to over six thousand billion dollars, and the monthly average of serious attacks from 2018 to 2021 has increased by 30 percent.

The term cybersecurity has entered common usage, partly because of the spread of cybercrime and of forms of hybrid warfare that make extensive use of cyberwarfare practices.

But what does cybersecurity mean?
To answer that, we first need to examine the object of our attention: information.

Information: knowledge or data set that has value to an individual or organization.
Information can therefore be stored, transmitted and processed through different media: paper, a USB memory stick, a DVD, all the way to the human mind. Cybersecurity alone is consequently not a sufficient tool to limit information security risks.
Example: not leaving paper documents containing personal data or confidential information on a desk in an open-plan office at the end of the day is an information security measure, not a cybersecurity measure. Installing anti-malware software or enabling disk encryption on one’s PC are both information security and cybersecurity measures.

ISO/IEC 27001 defines information security as the ‘preservation of confidentiality, integrity and availability of information’. The three properties are defined as follows:

Confidentiality: property of a piece of information not to be made available or disclosed to unauthorized individuals, entities or processes.

Example: a hacker discovers the password to an employee’s corporate mailbox and accesses it without authorization. The information in the mailbox (emails, personal data, documents, etc.) suffers a loss of confidentiality.

Integrity: property of accuracy and completeness of a piece of information.

Example: a disloyal employee embezzles funds from his employer after modifying and altering the accounting system, thus causing a loss of integrity of the related information.

Availability: property of a piece of information to be accessible and usable within the prescribed time frame.
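The integrity example above (accounting records silently altered by an insider) can be made concrete with a small check that detects such alterations. The following is an added example written for this page, not code from ISO/IEC 27001 or from the original text: each ledger record carries an HMAC-SHA256 tag computed with a key that the accounting application holds but an ordinary user does not, and an audit routine reports every record whose content no longer matches its tag. The key value and the ledger entries are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder key, not a real secret. In a real deployment the
# key is kept in a secrets store, separate from the ledger and from the
# accounts of the people who enter transactions.
LEDGER_KEY = b"placeholder-ledger-integrity-key"

# Constructed sample accounting records (the kind of information whose
# integrity the text's embezzlement example concerns).
SAMPLE_RECORDS = [
    {"id": 1, "account": "supplier-A", "amount": 1200.00, "currency": "EUR"},
    {"id": 2, "account": "payroll", "amount": 54000.00, "currency": "EUR"},
    {"id": 3, "account": "supplier-B", "amount": 830.50, "currency": "EUR"},
]


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically (sorted keys, no whitespace) so
    that the same content always yields the same bytes for the MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = LEDGER_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify(sealed: dict, key: bytes = LEDGER_KEY) -> bool:
    """Recompute the tag for the stored content and compare it in constant
    time with the stored tag; False means the record lost integrity."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def audit(ledger: list, key: bytes = LEDGER_KEY) -> list:
    """Return the ids of all records whose content no longer matches their tag."""
    return [entry["record"]["id"] for entry in ledger if not verify(entry, key)]


def tamper_demo() -> list:
    """Seal the sample ledger, alter one amount the way an insider without
    the key would, and return what the audit reports."""
    ledger = [seal(r) for r in SAMPLE_RECORDS]
    ledger[1]["record"]["amount"] = 5400.00  # payroll amount quietly changed
    return audit(ledger)


if __name__ == "__main__":
    print("records with loss of integrity:", tamper_demo())
```

The tag protects integrity only: the records remain readable by anyone who can open the ledger, so confidentiality still needs a separate measure such as the disk encryption mentioned earlier. The detection also depends on the key staying out of the hands of the people who can edit records; whoever holds it can re-seal an altered record, which is why key custody belongs to the application or an auditing function rather than to the data-entry role.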

Introduction

In recent years, cybersecurity has come to the attention of companies, public administrations and, above all, European and Italian legislators.

The reason for this renewed centrality of cybersecurity issues lies in the data, in the numbers related to cyber-attacks. A quick internet search is enough to discover that the total cost of cyber-attacks amounts to over $6 trillion and that the monthly average of serious attacks from 2018 to 2021 has increased by 30%.

This picture has prompted the EU legislator to undertake a series of initiatives of various kinds aimed at raising awareness among operators and citizens of the risks stemming from a lack of attention to cybersecurity. Leaving aside sector-specific regulations, the following is a list of relevant initiatives undertaken at European and national level to raise the level of cybersecurity and cooperation in sectors that are critical to the smooth functioning of the productive system and of civil society.

GDPR and Privacy Code

Regulation (EU) 2016/679, better known as GDPR, plays a central role among the sources of information security obligations. Although the immediate object of protection of the Regulation is not information security tout court, but the protection of natural persons and their data, the GDPR places an obligation on those who process such data to implement ‘appropriate technical and organisational measures to ensure the level of security appropriate to the risk’.

Article 32 of the GDPR, entitled ‘Security of processing’, provides for an obligation to implement a security system that considers and reduces the risks presented by each processing of personal data. The risks to be considered are those of destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, whether accidental or unauthorised.

The system of security measures must therefore be defined in all its technical, procedural and organisational aspects. The precise identification of the criteria is left to the person who processes the personal data and determines the purposes of the processing (the so-called Data Controller), or who processes the data on behalf of and under instructions from the Data Controller (the so-called Data Processor). Although Article 32 of the GDPR lists a number of security measures that may be adopted, the legislator has left a wide margin of discretion to the Data Controller and the Data Processor, who are required to make a preliminary and proactive assessment of the measures to be implemented in relation to the level of risk associated with each processing of personal data, in any case taking the state of the art into account.

In this regard, the rapid evolution of technology means that techniques for protecting systems and data, including personal data, become obsolete ever more quickly. What appear to be strong protection measures today may therefore prove outdated and ineffective in a few years. Risk analysis must therefore be carried out rigorously and regularly, updating where necessary the safeguards put in place to protect the security of processing.

The GDPR as a whole is therefore strongly characterised by the objective of building a system in which security is one of the cornerstones of the legislation, and this is certainly helping to raise operators’ awareness of the security, confidentiality, integrity and availability of data and information processed electronically.

NIS Directive

Alongside the GDPR, the European legislator intended to adopt measures specifically aimed at raising the level of cybersecurity of specific entities and structures deemed particularly ‘critical’ for the national and European systems.

The most significant intervention in this sense is Directive (EU) 2016/1148 of 6 July 2016, “laying down measures for a common high level of security of networks and information systems in the Union”, better known as the NIS Directive, transposed into Italian law by Legislative Decree 65/2018. The NIS Directive aims to achieve a high level of security of network and information systems in the European Union by introducing several security obligations on operators of essential services (OSEs) and digital service providers (FSDs).

OSE: public or private operators of essential services operating in the health, energy, transport, banking, financial market infrastructure, drinking water supply and distribution, and digital infrastructure sectors, explicitly identified by the competent national NIS authorities.

FSD: entities offering e-commerce, cloud computing and online search engine services, excluding companies employing fewer than 50 people and with an annual balance sheet total not exceeding EUR 10 million.

These obligations include, in particular, the obligations to:

  • take appropriate and proportionate technical and organisational measures to manage risks and to prevent and minimise the impact of network and information system security incidents, so as to ensure service continuity; and
  • notify the Italian CSIRT (Computer Security Incident Response Team) or the relevant NIS authority, without undue delay, of computer security incidents having a significant impact.

The details concerning the IT ‘security elements’ that digital service providers must consider when defining their business strategy, as well as the criteria for determining the parameters for considering a security incident ‘relevant’, are also the subject of a specific Implementing Regulation No. 2018/151.

The transposition of the NIS Directive, among other things, provided for the adoption of a national cyber security strategy aimed at delivering preparedness, response and recovery measures following cyber incidents, the definition of a cyber risk assessment plan and cyber risk training and awareness programmes. In addition, the Italian ‘CSIRT’ was established, providing for the merger of the national CERT and CERT-PA.

The administrative penalties in the event of a violation of the provisions of the legislative decree transposing the NIS Directive can be up to EUR 150,000 in the most severe cases.

Trade Secrets Directive

The European legislator with Directive (EU) 2016/943 sought to create a common framework for the protection of know-how and confidential business information, giving trade secrets the same value as patents and other intellectual property rights.

Trade secrets are protected by Articles 98 and 99 of the Industrial Property Code (IPC), as amended by Legislative Decree No. 63/2018 implementing the Trade Secrets Directive, within which they are regulated and expressly included among the “non-titled” rights, with the consequent application of all the rules provided for the protection of industrial property rights. The qualification of business information and experience as trade secrets offers several advantages.

Competitiveness: protecting corporate information assets as trade secrets brings a positive reputational return for the company, in terms of increased reliability in the eyes of business partners, with a consequent competitive advantage over competitors in the market.

Legal protection: the owner of trade secrets can avail himself of the same protections – and claim the same sanctions – that the IPC grants to registered industrial property rights (patents, trademarks and registered designs).

Increase in corporate value: trade secrets are, to all intents and purposes, a corporate asset that can be enhanced in the context of extraordinary transactions (e.g. mergers and acquisitions), generating significant capital gains.

Scalability: Many security measures taken to protect trade secrets are also suitable to protect the security of corporate computer networks (cybersecurity) and personal data (GDPR).

However, a company can enjoy the advantages mentioned above only if its information and business experience qualify as trade secrets, and not all information assets do. According to Article 98 of the IPC, only business information and technical-industrial experience (including commercial information) that is secret, that has economic value because it is secret, and that the owner subjects to measures adequate to keep it confidential qualifies as a trade secret.

Unlike other industrial property titles, such as trademarks, patents and designs, for which a register attests to the existence of the requirements for protection, in the case of trade secrets the burden of proving the existence of the prerequisites for protection rests with the owner. It is therefore crucial to identify the information and/or experience that one has an interest in protecting as a trade secret, and then to implement the security measures necessary to ensure the adequate confidentiality of that information.

In this respect, the security measures that can be taken are not only of a technical/IT nature but may also consist of organisational measures (such as internal policies governing how information is managed, stored and transferred) and contractual measures (e.g. confidentiality agreements and confidentiality and secrecy clauses).

Cybersecurity Act

Regulation (EU) 2019/881, better known as the Cybersecurity Act, is one of the main pieces of European legislation on the European cybersecurity system. The stated aim of the Cybersecurity Act is to strengthen the European Union’s resilience to cyber-attacks and to increase consumer confidence in digital services, including by creating a single cybersecurity market.

To this end, the Cybersecurity Act acts mainly on two fronts: on the one hand, it significantly strengthens the role of the European Union Agency for Network and Information Security (ENISA); on the other, it establishes a European framework for the information security certification of ICT products and digital services.

ENISA

The European Network and Information Security Agency was initially established in 2004 to assist the Member States and the European institutions, from a technical point of view, in the field of network and information security.

With the Cybersecurity Act, ENISA – which retains its acronym but is now called the European Union Agency for Cybersecurity – broadens its scope and acquires a leading role in building the cybersecurity strategy of the European Union.

ENISA assists Union bodies and institutions, as well as public and private entities. This assistance focuses on improving the protection of networks and information systems, developing cyber resilience and response capabilities, and incident management. In addition, ENISA carries out fundamental work to promote knowledge and skills in the field of cybersecurity and to promote the use of European certifications.

ENISA Guidelines: as part of its advocacy work, ENISA regularly publishes guidelines covering multiple topics and affecting numerous sectors that have to deal with cybersecurity issues.

Information security certification of ICT products and services

Another key element of the Cybersecurity Act is the introduction of a European cybersecurity certification framework for digital products and services.

The purpose of this system is twofold: it seeks to facilitate the exchange of ICT products and services, thus creating a single market for IT security, with the further aim of strengthening consumer confidence in such products.

Why a European scheme? Almost all Member States already have some kind of cybersecurity certification scheme for digital products and services. However, such schemes are usually not recognised abroad, so the companies concerned are forced to undergo a separate certification process in each Member State.

National Cyber Security Perimeter

In the wake of the European push (which began mainly with the NIS Directive), Italy too has started adopting a regulatory system on cybersecurity.

This is a complex regulatory framework consisting of various sources and measures (some of which are constantly being updated and/or not yet fully adopted), which aims to

  • identify the sectors (forming the perimeter) that require a high degree of cybersecurity attention
  • regulate the obligations and responsibilities regarding IT security of public and private entities carrying out their activities within the identified sectors
  • establish a network of bodies and agencies with the specific task of supervising the national cyber security perimeter

All this is intended to ‘ensure a high level of security of the networks, information systems and computer services of public administrations, bodies and national operators, public and private, on which the exercise of an essential function of the State depends, or the provision of a service essential for the maintenance of civil, social or economic activities fundamental to the interests of the State’.

In addition to Decree-Law 105/2019, which established the security perimeter, several DPCMs are also relevant, including:

  • Prime Ministerial Decree 131/2020 identifies the criteria and parameters needed to draw up the list of sectors and entities falling within the security perimeter. In particular, the following sectors were identified as falling within the perimeter: interior, defence, space and aerospace, energy, telecommunications, economy and finance, transport, digital services and critical technologies. In addition, the entities within the security perimeter were required to prepare, on an annual basis, a list of their ICT assets.
  • DPCM 81/2021 identifies, by means of specific tables, the categories of security incidents impacting ICT assets. For each category, it indicates the deadlines for the notifications that entities within the perimeter are obliged to make to the CSIRT (Computer Security Incident Response Team).
  • The Prime Minister’s Decree of 15 June 2021 identifies the categories of assets for which entities included in the security perimeter must submit a notification to the competent body (CVCN) so that it can begin its assessments. These are, in particular: hardware and software components that perform telecommunications network functions and services (access, transport, switching); hardware and software components that perform security functions for telecommunications networks and the data they process; hardware and software components for data acquisition, monitoring, supervision, control, actuation and automation of telecommunications networks and of industrial and infrastructure systems; and software applications implementing security mechanisms.

Criminal law

The centrality of the cybersecurity issue is confirmed by the magnitude of the criminal consequences that may result from unlawful conduct compromising IT security and, therefore, the security of the information that can be ‘attacked’ in this way. Violations in this area can cause significant harm to assets, reputation and image; they can disrupt or interrupt the regular performance of essential public services and activities; and in some cases they can be detrimental to national security in delicate strategic sectors.

Over time, therefore, the legislature has laid down various criminal offences to protect the security of information, networks and computer and telematic systems, often also implementing inputs deriving from European legislation. These offences are aimed at repressing conduct such as unlawfully acquiring and/or using personal data, unlawfully accessing and/or compromising the operation of computer or telematic systems (as well as the relevant communications and information flows), or conduct connected with the violation of specific obligations laid down by sector legislation.

Lastly, it is essential to point out that many computer security offences have also been included among the so-called ‘predicate offences’ capable of giving rise to the administrative liability of entities under Legislative Decree 231/01.

The relevant criminal offences can be divided into three areas: (i) those traditionally relating to so-called computer crimes, regulated by the Criminal Code; (ii) those relating to the collection and processing of personal data, whose criminal offences are provided for in the Privacy Code; and, finally, (iii) those relating to violations provided for by the sector regulations introduced to raise the level of security of networks and information systems in specific areas considered strategic at national and European level (think, for example, of the violations provided for by the law establishing the national cybersecurity perimeter).

Computer offences

First, with Law 547/1993 and later with Law 48/2008, several so-called ‘computer’ offences were introduced into the Criminal Code, so defined because the element characterising them is precisely that of their being committed through the use of telematic and/or computer technologies. Among the computer crimes capable of impacting the security of information systems, the following stand out in terms of their prevalence in current practice:

  • the offences of “unauthorised access to a computer or telematic system” (Article 615-ter of the Criminal Code), “unauthorised possession and dissemination of access codes to computer or telematic systems” (Article 615-quater of the Criminal Code) and “dissemination of computer equipment, devices or programmes aimed at damaging or interrupting a computer or telematic system” (Article 615-quinquies of the Criminal Code)
  • those of ‘illegally intercepting, obstructing or interrupting computer or telematic communications’ (Article 617-quater of the Criminal Code), together with the installation of equipment capable of committing that offence (Article 617-quinquies of the Criminal Code) and the falsification, alteration or suppression of the contents of such communications (Article 617-sexies of the Criminal Code), which are also punished
  • offences relating to conduct damaging data, information, programmes, computer or telecommunication systems, whether private or public (Articles 635-bis, 635-ter, 635-quinquies of the Criminal Code)
  • those of ‘computer fraud’ (Article 640-ter of the Criminal Code) and ‘falsification of computer documents’ (Article 491-bis of the Criminal Code)

Offences under the Privacy Code

On the subject of personal data, the national legislation provides for several criminal offences, contained in the Privacy Code, as updated following the approval of the decree adapting it to the GDPR, and in the Workers’ Statute (Law No. 300 of 20 May 1970) as regards the violation of the rules on remote monitoring of workers. In particular, the two sources under consideration provide for the following criminal offences:

  • Unlawful processing of data (Art. 167 Privacy Code);
  • Illegal communication and dissemination of personal data (Article 167-bis);
  • Fraudulent acquisition of personal data (Article 167-ter);
  • Interruption of the performance of the duties or exercise of the powers of the Garante (Art. 168);
  • Failure to comply with orders of the Garante (Art. 170);
  • Breaches of the rules on remote monitoring of workers (Articles 4(1) and 8 of Law No. 300 of 20 May 1970).

Following the decree updating the Privacy Code after the approval of the GDPR, most of the criminal offences it contains now require, as a necessary element for the offence to be completed, that harm is also caused, as an alternative to the purpose of obtaining an illicit profit (the latter having already been provided for previously).

Offences under Law Decree 105/2019 (National Cyber Security Perimeter)

With specific reference to criminal matters, Article 1 of Decree-Law 105/2019, establishing the national cybersecurity perimeter, contains an articulated provision introducing several offences aimed at sanctioning any person – among those included in the national cybersecurity perimeter – who obstructs or conditions proceedings or inspection and supervisory activities by providing untrue information, data or factual elements, or who fails to communicate such data, information or factual elements within the prescribed time limits, providing for imprisonment from one to three years in all the cases mentioned.

Technical standards: focus on the ISO 27000 family

The abovementioned regulations are all legal regulations with binding force adopted by national or European legislators. Alongside these regulations, so-called ‘technical standards’ have also long since found their place, i.e. technical specifications approved by recognised standards bodies and defining the optimal characteristics and requirements (dimensional, material or performance) of a product, process or service.

Technical regulations (or standards): regulations not resulting from the exercise of legislative power but characterised by the following aspects:

Consensuality: requirements/characteristics are consensually identified by the socioeconomic actors involved in producing and managing that particular product, process or service. Standardisation bodies draw up the technical standard through standard procedures based on consensus. The central standard-setting bodies in Italy are CEI (which deals with the electrical field) and UNI (which deals with all the remaining fields), while at the world level they are IEC and ISO (with the same thematic subdivision).

Democracy: all stakeholders must be able to participate in the work, and anyone can comment on the process leading up to the final approval of standards. Participation in the process is, in any case, voluntary: the stakeholders support standardisation as a form of strategic investment.

Transparency: each standard-setting body is obliged to report the milestones in the approval process of a draft standard.

Voluntariness: standards are merely a reference, as there is no obligation to follow and respect them except in specific cases (e.g. when referred to in specific legislative provisions). A technical standard is, therefore, not binding per se but derives its authority from the socioeconomic actors’ consensus.

In conclusion, these standards aim to define a common reference that facilitates productive, economic and social interaction. The technical standards that have become most widespread on the market in recent decades are those on management systems. A management system is an organisational model made up of policies, procedures and rules that the company sets itself to achieve a specific objective, which, as far as is relevant here, is information security.

Information security management systems are the subject of a specific international standard, ISO/IEC 27001:2017 ‘Information technology – Security techniques – Information security management systems – Requirements’. Several other standards have since been derived from it, making up what is usually referred to as the ‘ISO/IEC 27000 family’.

Specifically, the ISO/IEC 27001 standard sets out the requirements for establishing, implementing, maintaining and continually improving an ISMS (Information Security Management System) within a company or organisation. The standard therefore aims to establish an organised system that ensures controlled information management and enables a careful assessment of all risks to the business and to the different types of information managed, highlighting areas where improvement is needed. The aim is to preserve the confidentiality, integrity and availability of data and information.

Like the GDPR, ISO/IEC 27001 also adopts a risk-based approach to decide on actions and measures to ensure data and information security. This standard, however, has a much broader scope than the objectives of the GDPR: the international standard aims to protect not only personal data but the entire wealth of information (financial, economic), in whatever form it is stored (paper or electronic), constituting a real asset to be protected.

Moreover, as a technical standard, any entity (natural or legal person, public or private body, association) may freely decide whether and to what extent to adopt it, as well as to use it as a guiding criterion for managing risks relating to the security of data and information subject to processing operations.

Its widespread use is closely linked to the certification issued by accredited bodies to companies that adopt it. Only organisations wishing to obtain ISO 27001 certification and be awarded this title are therefore obliged to comply with the standard’s requirements.