Legal cybersecurity
Related topics: Cybersecurity in information systems, Technical cybersecurity
Legal informatics intervenes in various areas of an information system to align its organizational and technical procedures with current regulations.
Legal informatics has diversified over time, taking on increasingly specialized characteristics according to its field of application.
The discipline is vast, but Legislative Decree no. 179 of 2016 treats legal informatics as a fundamental competence of digital citizens and of public administration employees.
It deals with laws and regulations related to legal aspects concerning the use of information systems and the information they produce or acquire.
In particular, the topics of computer law fall under the following macro-areas:
- Protection of individuals with regard to personal data and their use;
- Rights of Citizens and Consumers;
- Digital Administration Code;
- Document management and preservation;
- Recognition of the legal value of electronically drafted and transmitted documents;
- Violation of Copyright;
- Violation of information systems.
Information and Personal Data
Today, millions of people use networks to shop online and interact with service providers where personal or other types of data are exchanged.
Personal data identifies or makes an individual identifiable and can provide details about their characteristics, habits, lifestyles, personal relationships, health status, financial situation, and more.
The personal data that are of particular importance include:
- Identification data, i.e. all data (personal details, images, or any other information) that allow a person to be identified directly;
- Sensitive data, which can reveal racial and ethnic origin, religious, philosophical, or other beliefs, political opinions, membership of parties, unions, associations, or organizations of a religious, philosophical, political, or union nature, health status, and sexual life;
- Judicial data, i.e. data that can reveal the status of an accused person or a suspect, or the existence of judicial measures that involve registration in the criminal record: final criminal convictions, measures alternative to detention, probation, or a prohibition or obligation of residence.
Data that allows geolocation also falls under personal data, providing information about visited places and movements.
Personal data constitutes a valuable and inviolable asset of an individual, and therefore, it is necessary to adopt appropriate security measures to ensure:
- That data is stored and controlled in a way that reduces the risk of theft, alteration, or loss;
- That there is no unauthorized access by third parties to the environments where data is stored;
- That no processing takes place that is unauthorized or not compliant with the regulatory provisions.
An Overview of Legislation on Privacy, Protection, and Processing of Personal Data
From a legislative perspective, the provisions of Legislative Decree no. 196 of June 30, 2003, represent a real turning point in the field of privacy, protection, and processing of personal data. Among other things, it obliged data controllers who process sensitive or judicial data with electronic tools to adopt a Security Policy Document (DPS, Documento Programmatico sulla Sicurezza).
The decree, also known as the Personal Data Protection Code, affirms that everyone has the right to the protection of their personal data and aims to ensure that data processing takes place in compliance with fundamental rights and freedoms, with particular reference to privacy and personal identity.
The code also follows the principle of necessity in data processing, according to which information systems and computer programs should be configured to minimize the use of personal or identifying data, excluding processing when the intended purposes can be achieved using anonymous data or data that only allows the identification of the data subject in case of objective necessity.
The Technical Specifications on minimum security measures (Annex B) implement articles 33 to 36 of Legislative Decree no. 196 of June 30, 2003, and list the minimum security measures to be documented in the Security Policy Document (DPS). The contents of the document are listed in point 19 of the Technical Specifications and include:
- The list of personal data processing activities;
- The distribution of tasks and responsibilities within the structures responsible for data processing;
- An analysis of the risks associated with the data;
- The measures to be adopted to ensure the integrity and availability of data, as well as the protection of areas and premises relevant to their storage and accessibility;
- A description of the criteria and methods for restoring data availability following destruction or damage, as stated in the subsequent point 23;
- The provision of training for data processors to make them aware of the risks associated with the data, the available measures to prevent harmful events, the most relevant aspects of the personal data protection discipline in relation to their activities, the resulting responsibilities, and the methods for keeping updated on the minimum measures adopted by the data controller. Training is planned at the time of hiring, as well as during changes in duties or the introduction of new significant tools related to the processing of personal data;
- A description of the criteria to be adopted to ensure the adoption of minimum security measures when personal data processing is entrusted, in accordance with the code, outside the structure of the data controller;
- For personal data suitable for revealing health status and sexual life, as mentioned in point 24, the identification of criteria to be adopted for encryption or separation of such data from other personal data of the data subject.
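The last point above names two concrete safeguards for health and sex-life data: encrypting it, or separating it from the other personal data of the data subject. The following is an added example (not from the original page) of the separation approach in Python: identification data and health data live in two stores, and the health store is keyed only by a keyed pseudonym (HMAC-SHA256 of the subject identifier under a linking key held elsewhere), so a dump of the health store on its own identifies nobody, and the two stores can only be joined by whoever holds the key. The store layout, the function names and the sample records (including the fiscal codes) are all constructed for illustration; encryption of the stored record itself would be added on top with a real cryptographic library.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not code from the page. All identifiers, names and records
# below are constructed sample data, not real people.


def make_pseudonym(linking_key: bytes, subject_id: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the subject identifier.

    Without linking_key the pseudonym cannot be recomputed from the
    identifier, so the identity store and the health store cannot be
    joined by someone who obtains only the stored data."""
    return hmac.new(linking_key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


class SeparatedStores:
    """Identification data and health data kept in two separate stores."""

    def __init__(self, linking_key: bytes) -> None:
        self._key = linking_key
        # subject_id (e.g. fiscal code) -> identification data
        self.identity: dict[str, dict[str, str]] = {}
        # pseudonym -> health data (no direct identifier present)
        self.health: dict[str, dict[str, str]] = {}

    def add(self, subject_id: str, name: str, health_record: dict[str, str]) -> None:
        self.identity[subject_id] = {"name": name}
        self.health[make_pseudonym(self._key, subject_id)] = dict(health_record)

    def lookup_health(self, subject_id: str, linking_key: bytes) -> Optional[dict[str, str]]:
        """Join the two stores; only works with the correct linking key."""
        return self.health.get(make_pseudonym(linking_key, subject_id))


def health_store_has_identifiers(store: SeparatedStores) -> bool:
    """Check that no identification value leaks into the health store."""
    dumped = repr(store.health)
    for subject_id, ident in store.identity.items():
        if subject_id in dumped or ident["name"] in dumped:
            return True
    return False


def build_demo_stores(linking_key: bytes) -> SeparatedStores:
    """Populate the two stores with constructed sample data."""
    stores = SeparatedStores(linking_key)
    stores.add("RSSMRA80A01H501U", "Mario Rossi", {"diagnosis": "hypertension"})
    stores.add("VRDLGU75M41F205Z", "Luigi Verdi", {"diagnosis": "diabetes"})
    return stores


if __name__ == "__main__":
    # In practice the linking key is generated with secrets.token_bytes(32)
    # and kept outside both stores (e.g. in a key management service).
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
    s = build_demo_stores(key)
    print(s.lookup_health("RSSMRA80A01H501U", key))          # {'diagnosis': 'hypertension'}
    print(s.lookup_health("RSSMRA80A01H501U", b"\x00" * 32))  # None: wrong key, no join
    print(health_store_has_identifiers(s))                    # False
```

The check in health_store_has_identifiers is the kind of control a practitioner would run against a real export: if any fiscal code or name appears in the health store, the separation criterion has been violated.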
Decree-Law no. 5 of February 9, 2012, converted by Law no. 35 of April 4, 2012, abolished the obligation to prepare the DPS and amended some provisions concerning minimum security measures. It is nonetheless still good practice to maintain such a document, especially regarding the following points:
- Measures to ensure the integrity and availability of data;
- Methods for restoring data availability following destruction or damage;
- Minimum security measures pursuant to Article 34 of Legislative Decree 196/2003.
Legislative Decree no. 33 of March 14, 2013, on the reorganization of the discipline concerning the right of civic access and the obligations of publicity, transparency, and dissemination of information by public administrations, represents another milestone: de facto, it obliges public administrations to guarantee civic access to information and to be transparent in the publication of information.
Legislative Decree no. 176 of September 25, 2015, containing provisions concerning the updating and integration of sensitive and judicial data processed and related operations carried out by the Ministry of the Interior, has further strengthened the effectiveness of Legislative Decree no. 196 of June 30, 2003.
The natural evolution of communication and digitization systems has made the exchange of personal data between users and service providers more efficient. However, the adaptation of the ICT security measures adopted to counter the most common and frequent threats to information systems has unfortunately not evolved at the same speed.
The increase in risk factors related to the processing of personal data has prompted the Agency for Digital Italy (AgID) to issue the official list of "Minimum ICT Security Measures for Public Administrations" in implementation of the Directive of August 1, 2015, of the President of the Council of Ministers, which issues provisions aimed at consolidating the state of national cybersecurity.
The publication in the Official Gazette (General Series no. 103 of May 5, 2017) of Circular no. 2/2017 of April 18, 2017, containing "Minimum ICT Security Measures for Public Administrations," makes their adoption mandatory for all Administrations.
At the European level, the General Data Protection Regulation (Regulation (EU) 2016/679) has been adopted. It pays particular attention to the security of the data of individuals in the European Union, extending and strengthening what was already present in Legislative Decree no. 196 of June 30, 2003, and clarifying in particular the responsibilities of all parties who operate or use the information system of a public or private organization.
Copyright Infringement
The problem of copyright infringement does not depend solely on illegally downloaded or exchanged software on the Internet but also on its illegal installation and sharing with third parties or individuals who do not hold a valid usage license.
Intellectual property can be violated in the same way, not only for software but also for other multimedia objects such as movies, music, and, more generally, for all works of creativity.
The legal protection of software is therefore addressed not only by recent legislation but also by Legislative Decree no. 518 of December 29, 1992, which transposes Directive 91/250/EEC on the legal protection of computer programs.