Implementing Measures with Regard to the Notification of Personal Data Breaches – 4 April 2013 
[doc. web n. 2414592]
The Italian Data Protection Authority,
Having convened today in the presence of Mr. Antonello Soro, President; Ms. Augusta Iannini, Vice-President; Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members; and Mr. Giuseppe Busia, Secretary General;
Having regard to the Personal Data Protection Code (legislative decree no. 196 of 30 June 2003, hereinafter "the Code"), in particular to sections 32 and 32-bis thereof;
Having regard to the resolution by the Italian DP Authority concerning "Guidelines for the Notification of Personal Data Breaches" (decision no. 221 of 26 July 2012 as published in Italy's Official Journal of Legislation no. 183 of 7 August 2012);
Taking account of the contributions submitted to the Italian DP Authority by the main providers of electronic communications services along with sector-specific study and research associations as part of the public consultation that was launched via the aforementioned decision of 26 July 2012;
Having regard to the first personal data breach cases that have occurred since the new regulations have been in force, as notified by the providers to the DPA in accordance with paragraph (1) of section 32-bis of the Code;
Whereas it is necessary to adopt a decision of a general nature replacing the aforementioned Guidelines, in pursuance of paragraph (6) of section 32-bis of the Code, in order to provide guidance and instructions on the circumstances under which a provider is required to notify personal data breaches, the format applying to such notification, and the relevant implementing arrangements;
Having regard to the considerations made by the Office as submitted by the Secretary General in accordance with Article 15 of the Rules of Procedure no. 1/2000;
Acting on the report submitted by Ms. Augusta Iannini;
1. Preliminary Remarks
Directive 2002/58/EC (the so-called e-Privacy directive) provides that electronic communications service providers must take "appropriate technical and organizational measures" to ensure "a level of security appropriate to the risk presented" (Article 4(1)). Directive 2009/136/EC, which amended directive 2002/58/EC, focused in particular on the circumstance that an incident involving personal data may be seriously harmful to the contracting party (or other data subjects) in both economic and social terms – e.g. by causing identity theft, see Recital 61 – if it is not tackled appropriately and promptly.
Following transposition into Italian law of the above provisions via decree no. 69 dated 28 May 2012 – in turn grounded in the delegated powers conferred on Government to that end by section 9 of the 2012 EU Act (Act no. 217 of 15 December 2011 as published in Italy's Official Journal of Legislation no. 1 of 2 January 2012) – electronic communications service providers are currently required to notify the Italian DPA, without undue delay, as well as the contracting party or other data subjects, under certain circumstances, of the occurrence of such incidents, which are regarded as "personal data breaches".
2. Regulatory Background
As already pointed out, decree no. 69 dated 28 May 2012 introduced many significant amendments into Italy's DP Code including new rules to handle the said security breaches in the electronic communications sector.
In particular, a definition of "personal data breach" was added, meaning "a security breach leading, accidentally or not, to the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in the context of the provision of a publicly available communications service" (section 4(3), letter g-bis, of the Code).
The above definition is wide-ranging, as it applies to any event that may endanger, even accidentally, any data processed in the context of electronic communications services; on the other hand, it sets forth the sector (i.e., publicly available electronic communications services) and the entities (i.e., the providers of such services) concerned by the new provisions.
Against this backdrop, section 32 of the DP Code was also amended; its heading now reads "Obligations Applying to Providers of Publicly Available Electronic Communications Services", and under the new text every provider is required to take, also by way of other entities it has entrusted with delivering the relevant service(s), "technical and organisational measures (…) that are adequate in the light of the existing risk, in order to safeguard security of its services and with a view to taking the steps set forth in section 32-bis hereof."
The EU lawmakers are actually aware that users' interest in being informed about security breaches affecting their personal data is not limited to electronic communications. Indeed, the proposals currently tabled to reform the EU data protection legal framework envisage a generalized obligation for all public and private data controllers to notify personal data breaches (see Draft Data Protection Regulation as submitted by the European Commission on 25 January 2012; see also Recital 59 in directive 2009/136/EC.)
In fact, the legislation in force in some EU member States already imposes this obligation on a broader set of entities (e.g. in Ireland); this is actually supported by the views expressed by the EU Data Protection Working Party (so-called "Article 29 Working Party") via its document no. 1/2011 of 5 April 2011.
Section 32-bis of the DP Code added provisions on the "Steps to be taken following a personal data breach", whereby the providers of publicly available electronic communications services must notify the DPA, without undue delay, of the breach of any personal data they hold. Where the breach may be prejudicial to a contracting party's or another individual's personal data or privacy, the provider must notify the breach to those entities as well (see section 32-bis, paragraph 2).
Whilst it is difficult to mark out the cases in which a data breach may be prejudicial to the contracting party or other individuals concerned – indeed, this may always be the case in principle, but see below for additional considerations – no notification to contracting parties/other individuals is necessary if the provider can prove to the DPA's satisfaction that measures were implemented "that render the data unintelligible to any entity that is not authorised to access it, and that the said measures were applied to the data concerned by the breach." (see section 32-bis, paragraph 3). Having considered the likely adverse effects of the breach, the DPA may require the provider to in any case notify the contracting party or another individual of the said breach, where the provider has not already done so (see paragraph 4 of section 32-bis).
3. Entities Concerned
As already pointed out, the new regulations on the obligation to notify the DPA (and the individuals concerned, as the case may be) do not apply to all data controllers holding and processing personal data for the respective business or institutional purposes.
The new requirements only apply to the providers of publicly available electronic communications services (hereinafter the "providers") – that is, the entities providing the public, on public communications networks, with services that consist mainly or exclusively "in the conveyance of signals on electronic communications networks" (see section 4(2), letters d) and e) of the Code).
Additionally, the new requirements are related to the specific activities consisting in the provision of the said services – like telephone or Internet access services. Accordingly, if a breach occurs in a provider's database that is not specifically related to the services that provider makes available and has to do with any other activity it carries out (personnel management, accounting, etc.), then no notification obligations are applicable.
Additional clarifications on the entities concerned by the new provisions can be found in the guidelines issued by the DPA via its decision on "Security of Telephone and Internet Traffic Data" of 17 January 2008 (as published in Italy's Official Journal no. 130 of 5 February 2008 and subsequently amended and expanded via the DPA's decision of 24 July 2008 as published in Italy's Official Journal no. 189 of 13 August 2008), since the controllers required to retain data under section 132 of the Code and implement the measures laid down therein are basically the same as the controllers required to comply with the new provisions of section 32-bis.
The above decision actually clarified that "providers of publicly available electronic communications services" are any entities that bring into effect, whether exclusively or not, the conveyance of signals on electronic communications networks – irrespective of the proprietary status of such networks – and offer services to end-users in pursuance of the non-discrimination principle (see also directive 2002/21/EC and decree no. 259/2003 – Electronic Communications Code.)
Conversely, the following entities fall outside the relevant scope of application:
- entities directly offering electronic communication services to limited groups of individuals (e.g. public or private bodies that only enable their employees and/or collaborators to carry out telephone or Internet communications). Although these services fall within the scope of the general definition applying to "electronic communication services", they may not be regarded as "publicly available";
- owners and managers of public establishments and/or private clubs of any kind that only make terminals available to the public, or to customers and/or associates in order to perform telephone or Internet communications, or else that make Internet wireless access points available to the public – except for public voice-only payphones;
- managers of Internet websites disseminating contents on the Net (so-called "content providers"). They do not provide an "electronic communication service" as per section 4(2)e. of the Code – which in turn refers to Article 2, letter c) of Directive 2002/21/EC, whereby "the services providing contents conveyed by means of electronic communication networks and services" are excluded from the scope of application. Where the said entities also provide e-mailing services, they conversely fall under the scope of application of the new provisions insofar as they handle the personal data related to such emailing services;
- search engines except for the data transmission component(s).
A different case is the one of Mobile Payment services that may be offered by a provider to its own customers. These services enable money transfers and payments to be performed via one's mobile phone and many providers are implementing them following transposition of directive 2007/64/EC (the so-called PSD or "Payment Service Directive") via legislative decree no. 11 of 27 January 2010.
In particular, the assets or services to be purchased are paid for either via a credit card following an order sent via the mobile phone if an ad-hoc POS reader is available – this being the so-called "proximity" mode – or by debiting the customer's prepaid phone card (whose credit is reduced accordingly) or the customer's mobile account (if the customer holds such account with a phone operator) – these being the so-called "remote" modes.
In the latter case, the customers' payment data are closely related to the respective traffic data; thus, it can be argued that the provider is required to comply with the obligations laid down in section 32-bis of the Code also in case of breaches affecting the said services.
3.1. Services Provided by Way of Other Entities
The new provisions explicitly envisage that a provider may commit electronic communications services to other entities. In particular, section 32-bis(8) provides that any entities entrusted with providing the services in question are required in such cases to "notify the provider, without undue delay, of any and all events and information necessary to enable the provider to take the steps" relating to the personal data breach.
The above requirement applies whenever "conventional" electronic communications service providers are involved alongside, e.g., the so-called Mobile Virtual Network Operators (MVNOs). A MVNO can be said to be a company that provides mobile telephony services without holding any license for the relevant radio spectrum and/or all the facilities required to provide such services, whilst it relies for that purpose on part of the facilities made available by one or more "real" Mobile Network Operators (MNOs).
MVNOs have their own telephone numbering ranges and accordingly their own SIM cards; they can manage switching and conveyance functions directly along with their mobile users' database. Thus, they manage customer relations autonomously and their customers have no direct contact with the MNO, given that their only contractual relationship is with the MVNO.
Accordingly, the obligation to notify any breach affecting customers' (or other individuals') personal data lies with the MVNO, since the latter is, as a rule, the only entity knowing customers' identities. However, the service is factually provided jointly with the MNO as explained above, which means that the systems affected may be under the MNO's exclusive control; thus, it is necessary for the MNO to disclose all the events and the information concerning the breach to the MVNO in order for the latter to notify the DPA and – where appropriate – its customers as required by the law.
Additional clarifications can be found in the definitions given via Resolution no. 544/00/CONS by the Italian Communications Safeguards Authority (AGCOM - "Regulatory Requirements Applying to New Entrant Operators in the Mobile Radio Systems Market") as published in Italy's Official Journal no. 183 of 7 August 2000.
The requirements made in paragraph 8 of section 32-bis also apply if a so-called "conventional" provider of electronic communications services commits the factual provision of those services wholly or partly to third parties having the necessary infrastructures and facilities – e.g. for cost-containment reasons.
Without prejudice to the need for the parties concerned to appropriately allocate their mutual responsibilities as either data processors or data controllers, any breach affecting the personal data that are processed in the context of the systems committed by the provider to the third party will have to be notified to the provider by the said third party within 24 hours of the latter's becoming aware of the breach; the provider will then notify the DPA and, where appropriate, the contracting party and/or other individuals as explained in paragraph 5 below.
4. Managing Security and Data Breaches
Under section 32 of Italy's DP Code as amended by legislative decree no. 69/2012 pursuant to Article 4 of directive 2002/58/EC, any entity operating on electronic communications networks shall ensure "that personal data may only be accessed by authorised personnel for legally authorised purposes" (see paragraph 1-bis); additionally, the technical and organizational measures to be taken by the electronic communications provider must be appropriate to the existing risks, protect any stored and/or transmitted data specifically against destruction, loss, accidental or non-accidental alteration, unauthorised or unlawful storage, processing, access or dissemination, and ensure that a "security policy" is implemented (see paragraph 1-ter).
Finally, paragraph 3 of section 32 requires providers to inform contracting parties, the DPA, AGCOM and – where feasible – users about existence of a "particular risk of a breach of network security"; they should also specify all possible remedies and the likely costs involved, if the risk falls outside the scope of application of the abovementioned measures.
The above requirements highlight that providers must make internal arrangements in order to ensure a high security level for the data they hold as well as to handle any personal data breaches in accordance with a structured framework and by way of pre-defined procedures and actions.
As also clarified by ENISA (the European Network and Information Security Agency) in their recent Recommendations (http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn/art4_tech), neither risk management nor the management of any personal data breach may be achieved by providers without a carefully thought-out approach. In fact, an appropriate plan should be laid down for this purpose including technical and organizational measures that are suitable for the specific threats so as to respond timely, effectively and adequately to the severity of the specific breach.
As for implementing the so-called minimum security measures – which may carry criminal punishments under section 169 of the DP Code in case of non-compliance – reference should be made to section 33 of the DP Code and the specific provisions contained in the Technical Specifications on minimum security measures as per Annex B to the Code – see, in particular, those relating to electronically processed data. It should be recalled here that all data controllers are required to take such minimum security measures.
4.1. Risk Assessment
In order to comply with the obligations set forth in section 32 of the DP Code, providers should first carry out a survey of all the personal data they process and the risks they are possibly exposed to.
Thus, each provider should identify and rate the value of the different types of personal data it holds and the risks such data are exposed to, setting its own risk acceptance threshold and the appropriate management policies. Providers are also required to determine risk thresholds – based e.g. on a low, medium or high risk level – to decide not only on the measures to be adopted for protecting data adequately, but also on whether the contracting party or other users concerned have to be notified.
This preliminary survey is meant to enable providers to arrange security measures aimed both at preventing harmful events and at stepping in if such events occur in spite of the measures adopted.
The assessment in question is basically similar to the one providers were required to carry out until 10 February 2012 with a view to drafting the so-called "Security Policy Document" as per Rule 19 in the Technical Specifications mentioned above. However, the obligations concerning the security policy document were lifted by section 45(1) of decree no. 5/2012 dated 9 February 2012, subsequently converted into Act no. 35 of 4 April 2012.
4.2. Taking Appropriate Security Measures
The risk assessment exercise mentioned in the foregoing paragraph is a precondition for providers to lay down security measures that are "adequate in the light of the existing risk" as per the new text of section 32(1) of the DP Code, and to determine those measures that can best remedy a data breach once it has occurred; the measures in question must in any case be notified to the DPA pursuant to section 32-bis, paragraph (5), of the DP Code.
In particular, the following measures shall be adopted to ensure a minimum common standard of security – on top of those set forth in the aforementioned decision on "Security of Telephone and Internet Traffic Data" of 17 January 2008 as well as in the decision on "Measures and Arrangements Applying to the Controllers of Processing Operations Performed with the Help of Electronic Tools with a View to Committing the Task of System Administrator" of 27 November 2008 (as published in Italy's Official Journal of Legislation no. 300 of 24 December 2008 and amended by the DPA's decision of 25 June 2009):
1. Availability of any processed data for further processing operations shall be prevented as soon as the activities for which the data are required have been completed, and the data in question shall be erased or anonymised within a time range that shall be technically compatible with the relevant IT procedures; this shall apply to the databases and processing systems used for the specific processing as well as to backup and disaster recovery systems and media, also by relying on encryption and/or anonymisation technology;
2. Special care shall be taken in respect of portable devices; specific security measures shall be laid down to mitigate the risks related to device portability and ensure that such devices operate under similar security arrangements compared to other IT devices. It should be considered that security breaches often impact the mobile devices used by providers' staff and collaborators outside corporate premises.
5. Notifying the DPA: Timeline and Scope
The definition by providers of an appropriate breach management plan on the basis of an in-depth risk assessment exercise is a prerequisite for them to fully comply also with the notification obligations mentioned in section 32-bis of the DP Code. Under the latter section, providers must notify the DPA of a personal data breach "without undue delay" – that is, as soon as they become aware of the breach.
In the light of the importance attached to timely notification to the DPA as well as, on the other hand, of the many, highly complex IT systems used by providers and the manifold data they hold, the DPA considers that these entities may firstly provide the DPA with summary information on the specific breach – provided this is done as soon as the breach becomes known to them – and add further details at a later stage.
The summary information in question must be such as to in any case enable the DPA to initially gauge the severity of the data breach; accordingly, it must include the following items in order for the notification to be considered fully valid:
- Information identifying the provider;
- A short description of the breach;
- The (estimated) date of occurrence of the breach and when it was detected;
- Information on the place where the breach occurred, including whether it was due to the loss of portable devices or media;
- Information on type and contents of the data that have been (presumably) affected;
- A brief description of the processing/storage systems for the data involved, including their location.
The appropriate time range is set at 24 hours as from the provider's knowledge of the breach for the initial summary notification, and at 3 days as from the above time for the detailed notification.
To facilitate compliance with this requirement, an ad-hoc notification form was made available online on the DPA's website to gather information on data breaches in a way that allows this information to be processed electronically by the DPA (Annex 1).
Regarding the scope of notification, section 32-bis, paragraph (5), of the DP Code provides that it shall include a description of the nature of the personal data breach and the contact points where additional information can be obtained along with the measures recommended to mitigate the possible detrimental effects of the personal data breach – which items of information must also be notified to the individuals concerned, where appropriate. Additionally, it shall describe the consequences of the personal data breach and the measures proposed or taken by the provider to remedy it.
If the breach was not detected at the time the relevant event occurred, the notification in question shall also detail the reasons why the event could not be detected immediately and what measures were or will be taken to prevent this from occurring in future.
If the checks performed by the provider following the initial summary notification do not yield additional findings, the provider shall notify the DPA of the arrangements made to remedy the breach and the measures taken to prevent further breaches of the same kind from occurring anew.
In short, the notification must provide the DPA with information allowing the severity of the breach to be assessed thoroughly by having also regard to the number of entities involved, the amount and quality of the affected data, the damage caused, and the measures taken to mitigate it. This is aimed ultimately at enabling the DPA to step in by taking such measures as may prove to be necessary – including the requirement that the breach be notified to contracting parties or other individuals concerned.
Equal importance should be attached to including information on the application systems affected by the breach and on the physical location of the processing systems relied upon – again, in order to enable the DPA to carry out additional inquiries, if any.
The obligation to notify the breach to the DPA and, if appropriate, to contracting parties and/or other individuals concerned applies even if the breach affects mobile devices and regardless of whether data protection systems have been installed on those devices. The only case in which a provider is exempted from notifying contracting parties or other individuals is where the data contained in and/or accessible via these and other devices have been made unintelligible (see below).
This DPA reserves the right to reconsider timeline and contents of the notification due to the DPA if a different stance is taken in this respect by the forthcoming Commission's Regulation on the measures applying to the notification of personal data breaches within the framework of directive 2002/58/EC (e-privacy directive).
6. Inventory of Personal Data Breaches
The same objective – i.e. enabling the DPA to discharge its control tasks regarding compliance by providers with personal data breach legislation – underlies the requirement to keep an updated inventory of personal data breaches as per section 32-bis, paragraph (7), of the Code (see also Recital 58 in directive 2009/136/EC).
The said inventory must include (and be limited to) all the information required to clarify the circumstances under which a breach occurred, the consequences of the breach, and the measures taken to remedy them.
Precisely in order to achieve the purposes referred to in the aforementioned piece of legislation, it is appropriate for the inventory at issue to keep track of the individual steps taken by the provider in handling the incident/event – from its detection to its resolution or conclusion – including the notifications given to the DPA and/or the contracting parties or other individuals. In this manner the inventory will prove a valuable tool for providers as well, since it will enable them to carry out a statistical analysis of the different types of breach affecting their services and then adopt such measures as can improve corporate security policies.
Therefore, the inventory will have to be updated regularly by providers and made available to the DPA if the latter so requests. Taking account of the applicable sanctions, providers must in any case enter a data breach concerning them in the inventory at the same time as they notify the DPA of such data breach pursuant to paragraph 5 above; they shall make sure any subsequent findings, including those resulting from further inquiries, are added promptly to the relevant records.
Additionally, providers must take suitable measures to ensure integrity and non-modifiability of the records contained in the inventory.
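As an added illustration, not part of the Garante's decision, the following Python sketch shows one way to meet the integrity and non-modifiability requirement: an append-only inventory in which every record embeds the HMAC of its predecessor and carries its own HMAC under a key that is assumed to be held outside the inventory host (for instance in an HSM or a separate key store). The breach timeline it records is constructed sample data, and the record fields, step names and the BreachInventory/verify_records helpers are assumptions of the example, not a format prescribed by the decision.

```python
"""Hash-chained, MAC-protected breach inventory (added example, not the DPA's code)."""
import copy
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # link value carried by the very first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same record always MACs the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class BreachInventory:
    """Append-only register: each record stores the MAC of its predecessor and
    its own HMAC under a key assumed to live outside the inventory host, so an
    edited, reordered or deleted record breaks the chain from that point on."""

    def __init__(self, mac_key: bytes) -> None:
        self._key = mac_key
        self._records: List[dict] = []

    def append(self, breach_id: str, step: str, when: str, details: dict) -> dict:
        body = {
            "seq": len(self._records),
            "breach_id": breach_id,
            "step": step,
            "when": when,
            "details": details,
            "prev": self._records[-1]["mac"] if self._records else GENESIS,
        }
        record = dict(body, mac=_mac(self._key, body))
        self._records.append(record)
        return record

    def records(self) -> List[dict]:
        return copy.deepcopy(self._records)

    def head(self) -> str:
        """MAC of the newest record; keep it outside the host so truncation shows."""
        return self._records[-1]["mac"] if self._records else GENESIS


def verify_records(records: List[dict], mac_key: bytes,
                   expected_head: Optional[str] = None) -> Optional[str]:
    """Return None if the chain is intact, else a description of the first problem."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return f"record {i}: sequence or chain link broken"
        if not hmac.compare_digest(_mac(mac_key, body), rec.get("mac", "")):
            return f"record {i}: MAC mismatch (content altered)"
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return "head mismatch: records were truncated or replaced"
    return None


def build_sample_inventory(mac_key: bytes) -> BreachInventory:
    """Constructed timeline for a fictitious lost-laptop breach (sample data only)."""
    inv = BreachInventory(mac_key)
    inv.append("BR-2013-0001", "detected", "2013-03-04T09:10:00Z",
               {"source": "employee report", "device": "laptop, disk not encrypted"})
    inv.append("BR-2013-0001", "summary notified to DPA", "2013-03-04T17:45:00Z",
               {"within_24h": True, "data_types": ["subscriber name", "MSISDN", "CDR extract"]})
    inv.append("BR-2013-0001", "detailed notification to DPA", "2013-03-06T12:00:00Z",
               {"within_3_days": True, "affected_subscribers": 1200})
    inv.append("BR-2013-0001", "contracting parties notified", "2013-03-06T16:30:00Z",
               {"channel": "SMS and e-mail"})
    inv.append("BR-2013-0001", "closed", "2013-03-20T10:00:00Z",
               {"remedy": "full-disk encryption enforced on all portable devices"})
    return inv


if __name__ == "__main__":
    key = b"\x01" * 32  # placeholder; a real key comes from a separate key store
    inventory = build_sample_inventory(key)
    print("intact:", verify_records(inventory.records(), key, inventory.head()))
    tampered = inventory.records()
    tampered[2]["details"]["affected_subscribers"] = 12
    print("after edit:", verify_records(tampered, key, inventory.head()))
```

Editing, reordering or deleting any earlier entry breaks the chain from that entry onward; removing only the newest entries is invisible to the chain itself, which is why verify_records also accepts the expected head MAC. Retaining that head value somewhere the inventory host cannot rewrite, for example alongside the copy of the notification sent to the DPA, is what makes truncation detectable.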
7. Notification to Contracting Parties or Other Individuals
If a personal data breach occurs and may adversely affect a contracting party's or other individuals' personal data or privacy, to the extent the breached data relate to that contracting party or those other individuals, providers are required to notify them of the breach, without delay, on top of notifying the DPA (see section 32-bis, paragraph (2), of the Code).
The contents of such communication are detailed in paragraph 5 above.
In this case, the DPA considers that the provider should perform the said notification by no later than 3 days as from becoming apprised of the breach. The provider may choose the notification mechanism(s) it considers to be most appropriate by having regard to the guidelines contained in paragraph 7.2 below.
Partly in the light of the guidance provided by the European Commission, this DPA considers that, by way of exception, the provider may be authorized to postpone the said notification for as long as is absolutely necessary to finalise the investigations into the data breach if the notification to the contracting party or other individuals may jeopardise the performance of the said investigations.
The notification in question is not required if the provider can prove, to the DPA's satisfaction, that technological protection measures were applied to the breached data such as to make them unintelligible to any entity that is not authorized to access them (see section 32-bis, paragraph (3), of the Code).
The requirement concerning data unintelligibility does not apply if the "security breach" (as per section 4(3), letter g-bis, of the Code) entails the destruction or loss of the contracting parties' personal data. In the latter case, the breach has to do with security features other than data confidentiality and undermines data integrity and/or availability of the data for data subjects; accordingly, it might be necessary to notify the events to the relevant data subjects.
Given the severity of the damage likely to be caused to data subjects, contracting parties must be notified in all cases of any breach affecting authentication credentials (userID and password, including hashed and/or encrypted passwords) and/or the encryption keys used by them.
7.1. Unintelligible Data
In the DPA's view, data can be considered unintelligible if, for instance:
(a) they have been securely encrypted with a standardised algorithm, or by means of public- or symmetric-key encryption schemes known in the literature, provided that the key used to decrypt the data is of adequate length (as expressed by its bit number), the controller has implemented a specific key escrow policy, and the key has not been compromised in any security breach and has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or
(b) they have been replaced by their hashed value calculated with a cryptographic keyed hash function, provided that the key used to hash the data is of adequate length (as expressed by its bit number), the controller has implemented a specific key escrow policy, and the key has not been compromised in any security breach and has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or
(c) it has been anonymized via procedures that prevent re-identification of the data subjects by any person who is not authorized to process the data, also by having regard to other information sources that are available to the controller and/or are public in nature.
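The difference between criteria (a)/(b) and a plain unkeyed hash is easy to underestimate for identifiers drawn from a small space such as telephone numbers. The following Python example is added here to illustrate it and is not part of the decision: it pseudonymises a fictitious subscriber number with plain SHA-256 and with HMAC-SHA-256 under a 256-bit key, then runs the attacker's dictionary attack in three breach scenarios. The number block and the sample MSISDN are constructed, and the function names are the example's own.

```python
"""Keyed vs unkeyed hashing of subscriber identifiers (added example, not the DPA's code)."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample: a small block of fictitious mobile numbers. Real numbering
# ranges hold only about 10^9 to 10^10 values, which is small enough to enumerate
# in hours on commodity hardware; the block is kept tiny so the demo is instant.
NUMBER_BLOCK = [f"+39333{n:07d}" for n in range(2000)]
SAMPLE_MSISDN = "+393330001337"

Digest = Callable[[str], str]


def unkeyed_hash(msisdn: str) -> str:
    """Plain SHA-256. No secret is involved, so anyone can recompute it for every
    candidate number and match the results against a breached table."""
    return hashlib.sha256(msisdn.encode()).hexdigest()


def keyed_hash(msisdn: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: criterion (b) above. Without the key the
    digest cannot be recomputed, so enumerating the number space is useless."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()


def new_key() -> bytes:
    """256-bit key from the OS CSPRNG: adequate length, not guessable."""
    return secrets.token_bytes(32)


def reidentify(digest: str, digest_fn: Digest) -> Optional[str]:
    """Attacker's dictionary attack: recompute digest_fn over the whole number
    block and return the number whose digest matches the breached value."""
    for candidate in NUMBER_BLOCK:
        if hmac.compare_digest(digest_fn(candidate), digest):
            return candidate
    return None


def breach_scenarios() -> dict:
    """Outcome of the same dictionary attack in three breach scenarios."""
    key = new_key()
    unkeyed = unkeyed_hash(SAMPLE_MSISDN)
    keyed = keyed_hash(SAMPLE_MSISDN, key)
    return {
        # A table of plain SHA-256 values leaks: re-identification is trivial.
        "unkeyed_table_leaked": reidentify(unkeyed, unkeyed_hash),
        # The HMAC table leaks but the key stays safe: the attacker's best effort
        # (treating it as unkeyed, or trying HMAC under a key of his own) fails.
        "keyed_table_leaked_key_safe": reidentify(keyed, unkeyed_hash)
        or reidentify(keyed, lambda m: keyed_hash(m, new_key())),
        # HMAC table and key leak together: the data are intelligible again, so
        # the exemption in section 32-bis(3) no longer applies.
        "keyed_table_and_key_leaked": reidentify(keyed, lambda m: keyed_hash(m, key)),
    }


if __name__ == "__main__":
    for scenario, result in breach_scenarios().items():
        print(f"{scenario}: {result}")
```

The unkeyed table is re-identified immediately because the attacker only has to recompute SHA-256 over the numbering range; the HMAC table resists the same attack as long as the key is not part of the breach. Once the key leaks as well, the last scenario shows the data become intelligible again, which is why criteria (a) and (b) make the exemption conditional on the key not having been compromised. A key too short to be adequate fails in the same way, since the attacker can then enumerate keys and numbers together.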
In principle, there is always a risk that a personal data breach may adversely affect the data and/or confidentiality of the individual the data relates to; accordingly, it is far from easy to determine beforehand under what circumstances a provider may be exempted from notifying a breach to the contracting party or other individuals concerned.
Under section 32-bis, paragraph (4), of the Code, the DPA, having considered the likely adverse effects of the breach, may require the provider to notify the contracting party or another individual of the said breach, where the provider has not already done so. This is clearly unrelated to the circumstance that a provider has made the data unintelligible, since the risk that the breached data are intelligible is reduced, not eliminated, by the said arrangement; thus, the DPA may require the notification in question to be given in any case.
For the above reasons, it is absolutely necessary for the provider to describe – in the notification to the DPA – the security policies it has in place along with the consequences of the given breach and the measures proposed or taken by it to remedy the breach; in this manner, the DPA will be enabled to make its own assessment of the case and issue instructions, if any.
7.2. Mechanisms to Notify Contracting Parties or Other Individuals
Each provider will have to determine what mechanisms can allow notifying the entities affected by the breach most easily and quickly. This applies both to the contracting parties and – above all – to the individuals that are affected by the data breach without being the provider's customers; the provider will notify such individuals directly where it holds the relevant contact details and is not required to collect additional information for this purpose.
It is to be considered that a provider may more easily achieve the objectives underlying this legislation – i.e., notifying a breach without delay to any individual whose personal data is affected – by relying on non-personal communication arrangements. This applies where, under the given circumstances, individual notification – which is unquestionably the preferable approach – has not been given, in particular to individuals other than contracting parties, but also to a provider's customers where an especially substantial number of them are affected by the breach.
Accordingly, public communication mechanisms are considered to be more helpful in some cases – such as publishing notices on dailies, including online dailies, or broadcasting notices via (local or national) radio stations. Of course, these alternative communication arrangements to notify contracting parties or other individuals affected by a breach must also be made as quickly as possible, and anyhow by the 3-day deadline mentioned in paragraphs 5 and 7 above.
7.3. Risk Assessment With a View to Notifying Contracting Parties or Other Individuals
As already pointed out, a provider must carry out an assessment exercise to determine what measures should be taken to reduce the risk, mitigate the damage resulting from a breach, and decide whether the breach is to be notified to the contracting party and/or to other individuals in order for them to take the necessary precautions.
The said assessment exercise should be carried out on the basis of pre-defined standards shared by all providers, so that carefully thought-out as well as comparable decisions are ultimately made. Providers may want to consider, in the first place, the amount and nature of the data affected by the breach for the purposes of the assessment in question.
For instance, it may well be that a breach affecting a single item of personal data, or several items of non-sensitive personal information relating to a single contracting party, need not be notified to the contracting party under the terms of section 32-bis, paragraph (2), without prejudice to the obligation for the provider to take all the measures that can mitigate the resulting damage.
Similar importance should be attached in this risk assessment exercise to the "topicality" of the data held by the provider – i.e. to the time elapsed since a data item was acquired and included in the provider's database; accordingly, this element should also be taken into account in assessing the risk. More recent data might be more appealing to malicious attackers, as such data is more likely to reliably mirror the data subject's "status" or specific financial, medical, real estate or other conditions at the time the breach occurs.
In determining whether the breach is to be notified to data subjects, consideration might also be given to the effects produced by the breach – whereupon the contracting party's or another individual's data or private life might be regarded as adversely affected if the breach "could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation in connection with the provision of publicly available electronic communications services" (see Recital 61 in directive 136/2009/EC).
In order to achieve harmonized, comparable ratings, providers should address this risk assessment exercise also via a quantitative approach – that is, they should develop specific metrics to reflect the adverse effects a breach may produce on a data subject by having regard to the data attributes mentioned above (nature, amount, topicality, etc.).
To sum up, the following risk assessment criteria might be taken into consideration:
- The security measures and arrangements that are already in place (e.g. encryption);
- The categories of the data affected by the breach (special attention should be paid in this respect to telephone or Internet traffic data and to users' authentication credentials);
- The nature of the breach (e.g., unauthorised access vs. data loss or destruction);
- Whether the contracting parties or other individuals concerned by the breach are identifiable (e.g., in case the breach has impacted several categories of data relating to the same individuals);
- The topicality of the data affected by the breach.
In gauging the above indicative criteria, the provider will always have to take account of the specific context in which the breach occurred, as there are contexts featuring increased sensitivity such as health care or military activities; in case of doubt, the worst-case scenario will have to be considered – i.e. a scenario where the contracting parties' or other individuals' personal data are actually jeopardized by the event. This may consist, for instance, in the exposure to the risk of fraud following the loss of data relating to a data subject's credit card.
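Section 7.3 asks providers to turn the criteria above into pre-defined, quantitative metrics so that decisions are comparable, but it names only the criteria, not the weights. The following added example, which is not the Authority's or any provider's model, shows one way to encode those criteria as a scoring function in Python: the categories singled out in the decision (traffic data, authentication credentials) weigh most, protection under section 7.1 discounts the score without zeroing it (the risk is reduced, not eliminated), and where the facts are still uncertain the worst case is assumed. Every weight, the notification threshold and the sample breaches are this example's own assumptions and constructed inputs.

```python
import dataclasses
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet

# The criteria follow section 7.3 of the decision; every weight and the
# threshold below are assumptions of this example, not figures from the decision.
HIGH_RISK_CATEGORIES: FrozenSet[str] = frozenset(
    {"traffic_data", "authentication_credentials", "payment_card", "health"}
)
SENSITIVE_CONTEXTS: FrozenSet[str] = frozenset({"health_care", "military"})
NOTIFY_THRESHOLD = 8  # assumed: scores at or above this trigger notification of data subjects


@dataclass(frozen=True)
class BreachFacts:
    categories: FrozenSet[str]     # categories of data affected
    subjects: int                  # contracting parties or other individuals concerned
    nature: str                    # "unauthorised_access", "loss" or "destruction"
    unintelligible: bool           # protected as in section 7.1 (encryption, keyed hash, anonymisation)
    identifiable: bool             # can the individuals be singled out from the breached data
    most_recent_acquisition: date  # newest acquisition date among the affected data (topicality)
    context: str = "general"       # e.g. "health_care" or "military" for increased sensitivity
    facts_uncertain: bool = False  # protection or identifiability not yet established


def topicality_weight(acquired: date, breach_day: date) -> int:
    """Newer data is treated as more attractive to an attacker (section 7.3)."""
    age_days = (breach_day - acquired).days
    if age_days <= 365:
        return 3
    if age_days <= 5 * 365:
        return 2
    return 1


def risk_score(facts: BreachFacts, breach_day: date) -> int:
    """Additive score over the section 7.3 criteria with assumed weights."""
    if facts.facts_uncertain:
        # In case of doubt the worst case is assumed: data readable, individuals identifiable.
        facts = dataclasses.replace(facts, unintelligible=False, identifiable=True)
    score = 4 if facts.categories & HIGH_RISK_CATEGORIES else 1
    score += 3 if facts.nature == "unauthorised_access" else 1
    score += 2 if facts.identifiable else 0
    score += topicality_weight(facts.most_recent_acquisition, breach_day)
    score += 2 if facts.context in SENSITIVE_CONTEXTS else 0
    score += 3 if facts.subjects > 1000 else (1 if facts.subjects > 1 else 0)
    if facts.unintelligible:
        # Protection reduces the risk but does not eliminate it (section 7.1),
        # so it discounts the score rather than setting it to zero.
        score -= 5
    return max(score, 0)


def must_notify_subjects(facts: BreachFacts, breach_day: date) -> bool:
    return risk_score(facts, breach_day) >= NOTIFY_THRESHOLD


# Constructed sample breaches, all assessed on the same constructed breach day.
BREACH_DAY = date(2013, 4, 4)
# One non-sensitive item about one contracting party, lost in plaintext (cf. the example in 7.3).
SINGLE_ITEM_LOSS = BreachFacts(
    categories=frozenset({"postal_address"}), subjects=1, nature="loss",
    unintelligible=False, identifiable=True, most_recent_acquisition=date(2012, 10, 1),
)
# Authentication credentials of many subscribers read by an unauthorised party, plaintext.
CREDENTIAL_THEFT = BreachFacts(
    categories=frozenset({"authentication_credentials"}), subjects=50000,
    nature="unauthorised_access", unintelligible=False, identifiable=True,
    most_recent_acquisition=date(2013, 1, 15),
)
# Same incident, but the credentials were stored as keyed hashes.
CREDENTIAL_THEFT_HASHED = dataclasses.replace(CREDENTIAL_THEFT, unintelligible=True)
# Same incident, provider believes they were hashed but cannot yet confirm it.
CREDENTIAL_THEFT_UNSURE = dataclasses.replace(CREDENTIAL_THEFT_HASHED, facts_uncertain=True)

if __name__ == "__main__":
    for label, facts in [("single item lost", SINGLE_ITEM_LOSS), ("credentials", CREDENTIAL_THEFT),
                         ("credentials, hashed", CREDENTIAL_THEFT_HASHED),
                         ("credentials, unsure", CREDENTIAL_THEFT_UNSURE)]:
        print(f"{label}: score={risk_score(facts, BREACH_DAY)} notify={must_notify_subjects(facts, BREACH_DAY)}")
```

Run against the constructed cases, the single lost item scores below the threshold, matching the decision's own example of a breach that may not need to be notified to the contracting party, while the credential theft scores well above it whether or not the values were hashed; the uncertain case scores exactly like the plaintext one because the worst case is assumed until the facts are established. A provider adopting such a model would record the weights as part of the pre-defined standard the decision calls for, so that the same facts always yield the same rating.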
8. Consequences Resulting from Non-Compliance with the New Security Obligations
Decree no. 69/2012 added new, specific administrative penalties (see section 162-ter) to the Code in case of non-compliance with the new security obligations; it also expanded the scope of the criminal punishment mentioned in section 168 of the Code to include the case of false statements contained in the notification given to the DPA under section 32-bis (paragraphs 1 and 8).
Under section 162-ter, any provider that fails to notify a personal data breach to the DPA under section 32-bis, paragraph 1, or that notifies the personal data breach to the DPA belatedly, i.e. after expiry of the deadline set in paragraph 5 above, shall be punished by an administrative penalty consisting in payment of between twenty-five thousand and one hundred and fifty thousand Euro. Where a provider fails to notify a personal data breach to the contracting party or another individual under section 32-bis, paragraph 2, or where it notifies the personal data breach to the contracting party or another individual belatedly, i.e. after expiry of the deadline set in paragraph 7 above, it shall be punished by an administrative penalty consisting in payment of between one hundred and fifty and one thousand Euro per contracting party or individual concerned.
In the latter case, the fine capping arrangements set forth in section 8 of Act no. 689/1981 are not applicable to the provider; however, the ultimate amount of the pecuniary penalty may not exceed 5% of the provider's turnover in the accounting year ended prior to the date when the notice of administrative infringement was served on such provider. The amount of the fine may nevertheless be increased by up to four times if the pecuniary penalty is found to be ineffective because of the infringer's financial status (see section 164-bis, paragraph (4), of the Code; see also section 162-ter, paragraphs 2 and 3).
Under Section 162-ter, paragraph (4), of the Code, any breach of the provision concerning the obligation to keep an updated inventory of personal data breaches shall be punished by an administrative penalty consisting in payment of between twenty thousand and one hundred and twenty thousand Euro.
The same penalties shall apply to the entities entrusted by the provider of publicly available electronic communications services with the delivery of such services if they fail to notify the provider, without undue delay, of the information necessary to fulfil the relevant obligations (see Section 162-ter, paragraph 5).
Finally, Section 168 of the Code provides that imprisonment for between six months and three years shall be imposed, unless the offence is more serious, on any provider declaring or attesting to untrue information or circumstances, or else submitting forged records or documents, in connection with the notifications due to the DPA following a personal data breach; the same shall apply to any entity entrusted by the provider with delivering the services at issue if it notifies untrue information to the provider.
BASED ON THE ABOVE PREMISES, THE ITALIAN DATA PROTECTION AUTHORITY
Provides hereby under section 32-bis, paragraph 6, of the Code that the providers of publicly available electronic communications services specified in the Preamble are required to
a. Give an initial, albeit summary, notification to the DPA of any personal data breach suffered by them within 24 hours from the time they become apprised of such breach, and to make available additional information, if any, by 3 days from the said initial notification;
b. Specify, in the notification to the DPA, the reasons why the breach was not detected immediately along with the measures that were or are intended to be taken in order to prevent this from occurring again, if the breach was not detected at the time the relevant event occurred;
c. Provide at least the following information to the DPA already in the initial notification of any personal data breach affecting them:
1. Information to identify the provider;
2. A short description of the breach;
3. Specification of the date (including the estimated date) when the breach occurred and the time when the breach was detected;
4. Specification of the place where the data breach occurred, including whether the breach occurred following the loss of mobile devices or media;
5. Specification of the nature and type of the data that are (presumably) affected;
6. A short description of the processing or storage systems used for the affected data, including their location.
d. Notify the contracting parties or other individuals the personal data affected by the breach relate to by 3 days from the time the said providers become apprised of the breach;
e. Enter the data breach suffered by them in the inventory at the time they notify the breach to the DPA as per paragraph 5 above, and make sure that such additional findings as may be made thereafter, also following further inquiries, are promptly entered as well.
A copy of this decision shall be transmitted to the Ministry of Justice in order for it to be published in the Official Journal of the Italian Republic under the responsibility of the Ufficio pubblicazione leggi e decreti.
Done in Rome, this 4th day of the month of April 2013.
THE SECRETARY GENERAL