Privacy & Data Protection

New ransomware campaign: companies with outdated software are under attack

The attack now in progress is a ransomware attack, in which cybercriminals enter systems through an infected link or phishing email and encrypt the enterprise's data. VMware ESXi virtualization systems are very popular and used by many companies, and a compromise of these systems could have disruptive impacts on critical services such as banking or healthcare. That is because virtualization systems underpin most enterprise information systems: compromising the hypervisor bypasses the protections of the applications running on it and gives direct access to the systems they depend on.

Ransomware is a type of malware that prevents access to data on a computer using encryption. The goal is to obtain a ransom payment in exchange for decrypting data. These attacks are purely extortionate and do not aim to erase or disseminate data, but simply to prevent access to it. However, they can have serious consequences for businesses and individual users, as their personal data (common and sensitive) could be resold to third parties, disseminated, lost forever, or held hostage for a long time, causing economic and reputational damage, as well as the risk of facing penalties provided by law.

The current attack is directed against VMware ESXi servers and is targeting companies in Europe and North America. The National Agency for Information Security (ACN) in Italy has invited companies using these VMware products to upgrade immediately in order to avoid becoming victims of this cybercrime campaign.

According to ANSA, in addition to servers in Italy, hackers have also targeted those located in France, Finland, the United States and Canada. In Italy, entities in the public and private sectors have already been affected.

In the United States, cybersecurity authorities are also analyzing incoming reports. The Cybersecurity and Infrastructure Security Agency (CISA) is working with its public and private partners to assess the impacts of these incidents and provide assistance where needed.

A VMware representative confirmed that hackers are exploiting a vulnerability discovered in early 2021 and corrected in February of the same year. The company has also asked its customers to immediately apply the patches, which have been available for years.

According to a report published by The Stack, more than 500 companies were affected by this campaign, which was effectively a ransomware attack. Companies in France have been the hardest hit, with the French government's cybersecurity incident response team, CERT-FR, describing the attack as semi-automated and targeting servers vulnerable to CVE-2021-21974.

The vulnerability, described as an OpenSLP heap overflow, allows cybercriminals to execute code remotely. It is currently unknown which ransomware group initiated the attack and which encryptor was used, but it is estimated that about 20 servers are affected every hour.

In this context, it is of paramount importance that companies take the right precautions to protect the security of their data and computer systems. A first measure is to monitor any vulnerabilities in the software used, and then promptly apply available security patches.
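The monitoring step described above is usually done by matching an asset inventory against the advisory for a given CVE and ranking the hosts by exposure. The following is an added example, not code from the article or from VMware: a small triage routine that parses a version banner (the "VMware ESXi x.y.z build-N" format is assumed), compares the build against the fixed build for that release line and ranks hosts by whether the vulnerable service is reachable from an untrusted network. The inventory, the fixed build numbers and the banner strings are constructed placeholders; in a real run the fixed builds come from the vendor advisory.

```javascript
// Added example (not from the article): patch-exposure triage for an advisory such as
// the one discussed above. All hosts and build numbers below are constructed placeholders.

// Parse a version banner such as "VMware ESXi 6.7.0 build-1500" (assumed format)
// into { line: "6.7", build: 1500 }. Returns null if the banner does not match.
function parseEsxiBanner(banner) {
  const m = /VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)/.exec(banner);
  if (!m) return null;
  return { line: m[1], build: Number(m[2]) };
}

// Constructed advisory record. fixedBuildByLine must come from the vendor advisory;
// the numbers here are placeholders, not the real fixed builds.
const ADVISORY = {
  cve: "CVE-2021-21974",
  service: "OpenSLP",
  port: 427, // SLP's registered TCP/UDP port
  fixedBuildByLine: { "6.5": 1000, "6.7": 2000, "7.0": 3000 },
};

// true = patched, false = unpatched, null = no fix data for this release line.
function isPatched(version, advisory) {
  const fixed = advisory.fixedBuildByLine[version.line];
  if (fixed === undefined) return null;
  return version.build >= fixed;
}

// Classify one host. A host is "exposed" when the service port is open and the
// host is reachable from an untrusted network (an inventory attribute, constructed here).
function triageHost(host, advisory = ADVISORY) {
  const version = parseEsxiBanner(host.banner);
  if (!version) return { host: host.name, status: "unknown", reason: "unparseable banner" };
  const patched = isPatched(version, advisory);
  if (patched === null) return { host: host.name, status: "unknown", reason: `no fix data for line ${version.line}` };
  if (patched) return { host: host.name, status: "ok", reason: `build ${version.build} includes the fix for ${advisory.cve}` };
  const exposed = host.openPorts.includes(advisory.port) && host.untrustedReachable;
  if (exposed) return { host: host.name, status: "critical", reason: `${advisory.cve} unpatched and ${advisory.service} reachable from an untrusted network` };
  return { host: host.name, status: "high", reason: `${advisory.cve} unpatched; ${advisory.service} not exposed` };
}

// Rank the whole inventory: exposed and unpatched hosts first.
function triageInventory(hosts, advisory = ADVISORY) {
  const order = { critical: 0, high: 1, unknown: 2, ok: 3 };
  return hosts.map((h) => triageHost(h, advisory)).sort((a, b) => order[a.status] - order[b.status]);
}

// Constructed sample inventory.
const SAMPLE_HOSTS = [
  { name: "esx-01", banner: "VMware ESXi 6.7.0 build-1500", openPorts: [22, 427, 443], untrustedReachable: true },
  { name: "esx-02", banner: "VMware ESXi 7.0.0 build-3500", openPorts: [443], untrustedReachable: false },
  { name: "esx-03", banner: "VMware ESXi 6.5.0 build-900", openPorts: [427, 443], untrustedReachable: false },
  { name: "esx-04", banner: "not an esxi host", openPorts: [], untrustedReachable: false },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triageInventory(SAMPLE_HOSTS)) {
    console.log(`${r.status.padEnd(8)} ${r.host}: ${r.reason}`);
  }
}
```

The point of ranking by exposure rather than by version alone is that the same unpatched build is an emergency on a host whose management network is reachable from outside and a scheduled fix on one that is not; both still need the patch.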

But there is more. To have adequate protection, it is also important to rely on experienced cybersecurity consultants who can assess the risks and vulnerabilities and indicate the measures to be taken to prevent them, and to have qualified legal support alongside these processes.

If a company suffers a ransomware attack, it should immediately seek the help of competent technicians and a lawyer specialized in cyber law to assess its options.

Firstly, it is important to check if there has been a data breach and, if so, follow the appropriate legal procedures to protect their own data and customer information.

Second, it is necessary to understand whether there are any legal obligations related to reporting the data breach to third parties, such as customers or relevant authorities.

In addition, it will be important to determine if there are any policies governing the use of data and how such contracts or policies may affect the legal situation.

Finally, the company will have to consider whether or not to accept paying the requested ransom, taking into account the legal risks and potential long-term effects on corporate reputation.

Pandemic, hackers, and corporate protection

Recent smart working habits, ushered in 2020 with the arrival of COVID, have subverted the cyber boundaries of our companies, and what was once a corporate LAN, located in a distinct geographic area and therefore more easily surveilled, is now instead open to all those, employees and contractors alike, who employ corporate devices either to connect remotely to the corporate office or for personal use.

The increase in online interactions has thus created more points of attack for skilled hackers who, for example, send e-mail attachments that look secure and come from verified senders, but instead conceal malware, i.e., programs designed to harm the host operating system, undetectable even by up-to-date antivirus software.

To corroborate what has just been said, here are some numbers that explain better than any words how exposed we are.

July 2021: Il Sole 24 Ore estimates that the advent of smart working has led, since the beginning of the pandemic, to a 238% increase in the number of cyber-attacks.

The 2022 report of CLUSIT (the Italian Association for Information Security) records that cyber-attacks worldwide have increased by 10%. In that ranking, Italy is the 4th most affected country, behind the US, Germany and Colombia.

The three most commonly used types of attacks are as follows:

  1. Malware (use of malicious software)
  2. Targeted data breaches (theft of confidential information using unknown techniques)
  3. Security vulnerabilities, the real Achilles' heel on which the first two forms of attack rest.

In 2001, hacker Kevin Mitnick prophesied in one sentence what would happen just twenty years later, "A secure computer is an off computer."

We believe that with the adoption of appropriate tools and specific procedures - human resource training remains a central point of the system - it is possible to have truly adequate security measures.

In addition to classic hardware and software protections, more advanced and synergistically deployable protection tools are now available to companies:

  • VA - Vulnerability Assessment: continuous monitoring and identification of all known vulnerabilities, both within the corporate perimeter and on the web, including corporate devices connected to the premises remotely. If not remediated, these vulnerabilities can easily be exploited by criminal hackers (preventive action).
  • SOC - Security Operations Center: continuous monitoring, detection, analysis and management, including blocking, of all external and internal threats to the company and of unauthorized intrusions (proactive action).

We are available to support companies and professionals in choosing advanced software solutions and setting up simple and effective procedures to protect business operations and data, compliant with GDPR.

Contact us for more information: info@clovers.law

The Italian Privacy Guarantor also halts the use of Google Analytics: some alternative solutions

Managing a website or mobile application requires the use of traffic and/or performance statistics, which are often essential for service delivery. The market standard, in this area, is Google Analytics (GA), which will soon have to change because it has been declared unlawful.

Italy's Privacy Guarantor recently sanctioned the operator of a website, in an order dated June 9, 2022. Its site was using the GA service that transfers European users' data to the United States, a country lacking an adequate level of protection. An influential member of the Garante's panel also confirmed that a series of sweeping audits on this issue (as scheduled by the Garante) have begun.

The Italian Privacy Guarantor's investigation found that operators of websites using GA collect, through cookies, information on users' interactions with the aforementioned sites, individual pages visited and services offered. Among the multiple data collected are the IP address of the user's device and information about the browser, operating system, screen resolution, selected language, and the date and time of the website visit. This information (which is personal data) was found to be transferred to the United States. Therefore, the processing was declared unlawful.

This was able to happen because the Court of Justice of the European Union, in a July 2020 ruling, declared the Privacy Shield, an international treaty that regulated data transfers between the European Union and the United States, null and void. That treaty did not provide adequate safeguards against the risk of unlawful access to European residents' personal data by U.S. authorities.

In March 2022, the European Commission and the United States adopted a joint statement on a future decision to properly regulate data flows to the United States. This is only a political announcement, with no legal value. In fact, on April 6, 2022, the European Data Protection Board (the EDPB, i.e., the committee that brings together the European privacy authorities) issued a statement clarifying that the announcement is not a legal framework that organizations can rely on to transfer data to the United States.

CNIL's contribution

The privacy authority that, to date, has analyzed these issues most "practically" is the French authority.

The French privacy authority (CNIL) has made it clear that the use of GA is considered unlawful under the GDPR and remains so even if the data being transferred is first pseudonymized or encrypted.

A question then arises. Can data continue to be transferred outside the EU using the legal basis of data subjects' consent?

Explicit consent of the data subjects is one of the exemptions provided for specific cases in Article 49 of the GDPR. However, as stated in the EDPB guidelines, these exceptions can only be used for non-systematic transfers and, in any case, cannot be a permanent long-term solution, since the use of an exception cannot become the general rule.

Since explicit consent (or even GA) cannot validly be used, are there alternative means that are legitimate?

The CNIL has published a list of software that can be exempted from consent if properly configured.

This list includes tools that have already demonstrated to CNIL that they can be configured to be limited to what is strictly necessary to provide the service, thus not requiring user consent.

Whichever software is used, it is always necessary to verify, as far as possible, that the company producing it has no financial or organizational ties with a parent company located in a country that allows its intelligence services to request access to personal data located in another territory (for example the United States, but also China), and to assess the legal framework of the country to which the data is exported.

The list of software suggested by the CNIL

Without going into detail about the configuration required to use this software legitimately (which depends on several variables), we reproduce below the list published by the CNIL:

  • Analytics Suite Delta by AT;
  • SmartProfile by Net Solution Partner;
  • Wysistat Business by Wysistat;
  • Piwik PRO Analytics Suite;
  • Abla Analytics by Astra Porta;
  • BEYABLE Analytics by BEYABLE;
  • etracker Analytics (Basic, Pro, Enterprise) by etracker;
  • Web Audience by Retency;
  • Nonli;
  • CS Digital by Contentsquare;
  • Matomo Analytics by Matomo;
  • Wizaly by Wizaly SAS;
  • Compass by Marfeel Solutions;
  • Statshop by Web2Roi;
  • Eulerian by Eulerian Technologies;
  • Thank-You Marketing Analytics by Thank-You;
  • TrustCommander by Commanders Act.

The following sources were used in the preparation of this article, to which we refer for further study.

  • Google: Privacy Guarantor stops the use of Analytics. Data transferred to the US without adequate safeguards
  • The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (PDF, 322 KB) - CJEU
  • Alternatives to third-party cookies: what consequences regarding consent?
  • [FR] Use of Google Analytics and data transfers to the United States: the CNIL issues a formal notice to a website operator

Facebook must compensate the user for the unlawful removal of posts

The Court of Appeal of L'Aquila, with judgment no. 1659 of November 9, 2021, reconstructs the contractual relationship between the social network and the user who interacts in the community, and rules on the scope of users' freedom of expression within the social network.

The plaintiff brought summary proceedings against the suspension of his account, for 4 months, by the social network following the publication of some politically motivated posts.

In the first instance, the Court of First Instance ordered Facebook to pay compensation of 15 thousand euros for moral damages. The present decision concerns the appeal brought by the social network before the Court of Appeal of L'Aquila.

First of all, the Court affirms, in this relationship marked by elements of internationality (intervening between a consumer resident in Italy and a supplier based in Ireland), the jurisdiction of the Italian Judge and the applicability of Italian law to decide the dispute.

It then defines the scope of the relationship, which is a contract of adhesion to which the ordinary rules of contractual liability apply. It then pauses to analyze the nature of the relationship, characterized by consideration, recalling how gratuitous contracts are protected less strongly than contracts for consideration (the difference between donation and sale is paradigmatic). The relationship is for consideration because the patrimonial content of a service can be considered to exist also where goods other than money are transferred in exchange for a service and, owing to their potential for commercial exploitation, become susceptible to an economic and patrimonial evaluation. In essence, personal data - lawfully acquired and processed - are intrinsically capable of being regarded as consideration, because the social network exploits them commercially for profit.

The Court affirms another interesting principle regarding the clause that grants Facebook the power to remove content and suspend accounts in case of violation of the social network's policies. The Court held the clause valid and effective, since it cannot be regarded as unfair (vexatious).

The Court finally examined the merits of the case, reviewing in concrete terms Facebook's exercise of its powers: the social network's conduct must not violate the freedom of expression which, once the user has granted permission to use his sensitive data (and not for free), is the typical content and, so to speak, the raison d'être of membership of a platform of this type, whose function is precisely to allow users to express themselves and share content that is important to them.

The Court of Appeal therefore deemed illegitimate the suspension of the account, given that "the mere publication of a photo with a comment that is limited to the expression of one's own thoughts (...) is not considered sufficient to violate the standards of the community".

Therefore, the Court ruled that, given the content posted by the user, Facebook exceeded its censorship power, while limiting the compensation for damages in favor of the user to €3,000, also considering that the page had a total of about 2,500 contacts.

Cookies: the French Privacy Guarantor (the "CNIL") sanctions GOOGLE for a total of 150 million euros and FACEBOOK for 60 million euros for failing to comply with French privacy legislation.

On January 6, following its investigations, the CNIL found that the sites facebook.com, google.fr and youtube.com do not allow users to refuse cookies as easily as they accept them. The CNIL therefore fined FACEBOOK 60 million euros and GOOGLE 150 million euros and ordered them to comply within three months.

The French authority noted, in particular, that these sites offer a button that lets the user accept cookies immediately, but provide no equivalent means (button or otherwise) to refuse the same cookies just as simply. Indeed, the websites examined by the CNIL required several clicks to refuse all cookies and only one click to accept them, thus limiting the freedom of consent, which Art. 82 of the French Privacy Law, as well as the GDPR, treats as a fundamental element.

In addition to paying the aforementioned penalties, Google and Facebook will have to comply with the CNIL's requirements within 3 months, providing users with a way to refuse cookies that is as simple as accepting them. Failing this, the companies will have to pay a penalty of 100,000 euros for each day of delay.

These two decisions are part of the comprehensive compliance strategy launched by the CNIL over the past two years against French and foreign operators of high-traffic websites whose practices are contrary to the legislation on cookies. Since March 31, 2021, when the deadline for websites and mobile applications to comply with the new cookie rules expired, the CNIL has taken nearly 100 corrective measures (orders and sanctions) for non-compliance with cookie legislation.

On the Italian landscape regarding cookies, we point out the Cookies Guidelines published by the Privacy Guarantor, which entered into force on January 10, 2022; the details are provided on our Blog.

Clovers Alert! Is your website compliant with the new regulations that will enter into force on January 10, 2022?

Below we analyze the Privacy Guarantor's new guidelines on cookies.

  1. Guidelines on the use of Cookies and other tracking tools

With Measure no. 231 of June 10, 2021, published in the Official Gazette no. 163 of July 9, 2021, the Privacy Guarantor has provided its guidelines in order to

a) indicate to website operators the rules to be applied for the use of cookies and other tracking tools, and

b) specify the correct procedures for providing information and acquiring the consent of the data subjects (the "Guidelines").

The Guidelines therefore aim to supplement the previous indications of the Privacy Guarantor (Measure no. 229 of 2014) by specifying that the manifestation of will of the interested party is "unequivocal" as well as free and informed and by requiring that data protection is ensured by design and through default settings (privacy by default and by design).

  2. What needs to be done from 10 January?

The following is a summary of the obligations set out in the Guidelines, with particular reference to the methods of acquiring consent and the characteristics of the cookie information notice.

a) The acquisition of consent

First, the Guarantor reiterates that the following practices are not permitted as ways of acquiring consent:

  • so-called "scrolling" (i.e., moving the cursor down the page), which cannot be regarded as a positive action capable of unequivocally expressing the will to consent to the processing, subject to exceptions to be assessed case by case;
  • the so-called "cookie wall", i.e. a binding mechanism (so-called "take it or leave it") in which the user is obliged, in order to access the site, to consent to receiving cookies or other tracking tools, subject to exceptions to be assessed case by case.

From an operational perspective, the Guarantor requires the following in order to validly acquire the consent of the visitor:

  • at the time of a user's first access to the website, no cookies or other tools other than technical ones are placed on the device, and no active or passive tracking techniques are used;
  • at the first access to the web page, an area or banner appears, of adequate size and such as not to induce the user to make unwanted choices;
  • the banner must allow the user to express his consent through a positive action;
  • it is necessary to allow the user to keep the default settings and continue browsing without giving any consent, by clicking on the command to close the banner, marked by an "X" positioned at the top right inside the banner;
  • besides the link to the complete information notice, a minimum information notice must be included on the use of technical cookies and - subject to prior consent, in order to send advertising messages or to supply the service in a personalized way - of profiling cookies or other tracking tools;
  • there must also be a command through which the user can express consent by accepting the placement of all cookies or the use of any other tracking tools, and a link to a further dedicated area in which the user can select the functions, the so-called third parties and the cookies to whose use he chooses to consent.

The Guarantor also states that the banner must not be re-presented at each new access and that the user's choice must be duly recorded and not solicited again for at least 6 months, unless the conditions of processing change significantly.
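The consent rules summarized above translate directly into a gate that a website's script loader has to respect: nothing but technical cookies before a choice, an "X" that records "keep the defaults" so the banner is not shown again, a record that expires after at least 6 months or when the policy changes, and a per-category check before any analytics or profiling script runs. The following is an added example, not code from the Guidelines or from the article: a small consent manager with injected storage and clock, so the same logic runs against `window.localStorage` in a browser and against an in-memory object offline. The storage key, the category names and the dates are assumptions made for the example.

```javascript
// Added example (not from the Guidelines or the article): a consent gate implementing the
// banner rules summarized above. Storage and clock are injected for testability.

const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // "at least 6 months" before asking again
const CATEGORIES = ["analytics", "profiling"]; // non-technical categories that need consent (assumed names)
const STORAGE_KEY = "cookie-consent"; // assumed key; the record itself is strictly necessary storage

function createConsentManager({ storage, now = () => Date.now(), policyVersion = "1" }) {
  // Return the recorded choice, or null when there is none, it is older than 6 months,
  // or it was given under a different policy version (significant change in conditions).
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec.policyVersion !== policyVersion) return null;
      if (now() - rec.timestamp > SIX_MONTHS_MS) return null;
      return rec;
    } catch {
      return null; // corrupt record: treat as no choice
    }
  }

  function save(choices) {
    const rec = { policyVersion, timestamp: now(), choices };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  const allSetTo = (value) => Object.fromEntries(CATEGORIES.map((c) => [c, value]));

  return {
    // The banner is shown only when no valid choice is on record.
    shouldShowBanner: () => read() === null,
    // "Accept all" command.
    acceptAll: () => save(allSetTo(true)),
    // The "X" close control: keep the default settings (no consent for any non-technical
    // category). The refusal is recorded too, so the banner is not re-presented on every access.
    closeWithoutConsent: () => save(allSetTo(false)),
    // Granular selection made in the dedicated preferences area.
    saveSelection: (selected) => save(Object.fromEntries(CATEGORIES.map((c) => [c, selected[c] === true]))),
    // Gate for script loaders: technical cookies are always allowed, anything else only with consent.
    mayUse: (category) => {
      if (category === "technical") return true;
      const rec = read();
      return rec !== null && rec.choices[category] === true;
    },
  };
}

// Minimal in-memory stand-in for window.localStorage (same getItem/setItem/removeItem shape).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk through a first visit: banner shown and analytics blocked; the user closes with "X";
// a later visit within 6 months does not re-show the banner; after 6 months it does.
function demoFirstVisit() {
  let clock = Date.UTC(2022, 0, 10); // constructed date for the demo
  const cm = createConsentManager({ storage: memoryStorage(), now: () => clock });
  const out = { shownBefore: cm.shouldShowBanner(), analyticsBefore: cm.mayUse("analytics") };
  cm.closeWithoutConsent();
  out.shownAfterClose = cm.shouldShowBanner();
  out.analyticsAfterClose = cm.mayUse("analytics");
  out.technical = cm.mayUse("technical");
  clock += SIX_MONTHS_MS + 1;
  out.shownAfterSixMonths = cm.shouldShowBanner();
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoFirstVisit());
}
```

In a real page the analytics or profiling tag is loaded only after `mayUse("analytics")` or `mayUse("profiling")` returns true; a user who never interacts with the banner and simply keeps browsing gets the same result as one who clicks the "X", because `read()` returns null and every non-technical category stays blocked.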

b) The information notice

The cookie information notice must indicate the recipients of the personal data collected and the storage period of the acquired data, and may also be provided through more than one channel and in different ways (for example, with pop-ups, videos or voice interactions). If only technical cookies are used, the cookie notice may be included in the general privacy notice. The Guarantor also recommends that analytics cookies, used to assess the effectiveness of a service, be used only for statistical purposes.


The above is the general framework of the guidelines of the Privacy Guarantor that - with proper legal support - should be implemented on each website.

Privacy Shield for EU - US data transfer has been ruled invalid by the European Court of Justice


The "Privacy Shield" is an agreement between the European Commission and the U.S. Secretary of Commerce that allowed the transfer of data from the EU to the U.S. and followed the declaration of invalidity of the "Safe Harbour Pact", the previous agreement between the EU and the US for the transfer of data.

The decision issued by the European Court of Justice on July 16, 2020, will have serious political consequences for EU-US relations and for US providers and European companies.

The decision

In accordance with the General Data Protection Regulation (hereinafter the 'GDPR'), the transfer of data outside the EU can take place only if the third country ensures an adequate level of protection.

The European Commission can find that a third country ensures an adequate level of protection because of its national legislation or because it is party to an international agreement (such as the Safe Harbour Pact, which was declared invalid in Decision 2016/1250 and related to the export of data from the EU to the USA).

In the absence of an adequacy decision, a transfer of data can take place only if the data controller, established in the EU, provides adequate safeguards, which may result from standard contractual clauses adopted by the Commission (Decision 2010/87), and if the data subjects have enforceable rights and effective remedies.

In the absence of an adequacy decision or adequate guarantees, the GDPR shall ultimately determine the conditions under which such a transfer may take place.

The level of protection required for a non-EU data transfer is equivalent to the level of protection guaranteed within the EU Member States.

The assessment of this level of protection concerns both what is contractually agreed between the parties (data exporter established in the Union and the recipient of the transfer established in an extra EU country) and the access for extra EU public authorities to the data, as well as other elements of the legal system of the country where data are transferred.

Specifically, the legislation governing the US surveillance programmes does not minimize the processing of data of EU data subjects and does not limit the powers of US authorities by establishing adequate safeguards for European citizens who may potentially be subject to US mass surveillance.

For all these reasons, the Court declared Decision 2016/1250, the Privacy Shield adequacy decision, invalid.

The Court also held that, in the absence of a valid adequacy decision adopted by the Commission, the Data Protection Authority must suspend or prohibit a transfer of personal data to a third country when it considers that the conditions required are not met.

The Court stated that Decision 2010/87 on standard contractual clauses for the transfer of personal data to entities established in third countries is valid. It is certain, however, that the reasons for invalidating the Privacy Shield will also have effects on the standard contractual clauses.

Therefore, US providers who have used the legal basis of the Privacy Shield for data transfer from the EU to the US will have to adopt a different solution, such as standard contractual clauses.

The Italian company, as data exporter, and the Data Protection Authority will have to make a complex assessment of the adequacy of the guarantees offered by the party importing the data and of the regulations in force in that country, with relevant liability profiles.

Practical implications

Impact on business activities

  • Decision 2016/1250 does not cover necessary data transfers to the USA (e.g. sending e-mails to a person in the USA, booking travel in the USA).

  • Can European companies continue to use US providers? At the moment the answer appears to be no, as all major providers are subject to potential US government oversight.

  • Can companies continue to use US providers based in the EU? In such cases, European companies are responsible for ensuring that "intra-Group" personal data flows to the US are GDPR compliant. Companies will now need to carefully review such data flows and determine whether to retain data in Europe or any other country that provides better privacy protection, instead of being transferred to the US.

Impact on consumer rights

Users are free to send their personal data directly to a third country, for example when using a Chinese or US website. However, consumers may not directly share other people's data (e.g. friends, colleagues) with a US provider unless they have obtained free, specific, informed and unequivocal consent.

The Data Protection Authority’s Report: activities overview and prominent issues in 2019 and 2020


On 23 June 2020, the Italian Data Protection Authority (DPA) presented the report on its activities during the year 2019.

During that year, the DPA supervised the application of Regulation 679/2016 (GDPR) and intervened on issues relating to the protection of fundamental rights in the digital age, the ethical implications arising from the use of artificial intelligence and the use of new surveillance systems, such as IoT tools.

In light of the peculiar situation arising from the COVID-19 pandemic, in its report the Authority has also expressed its views on specific issues relating to the first half of 2020.

Figures

In 2019, the DPA adopted 232 collegial measures and responded to 8000 complaints, including in relation to telephone marketing, consumer credit, employment law matters, and IT security, and carried out 147 inspections, both in the public and private sector.

The DPA also responded to 15,800 questions from citizens who asked for clarifications regarding the requirements related to the entry into force of the GDPR and issues related to unwanted promotional activities such as telephone calls, text messages, video surveillance in the public and private sector and banking data.

Platforms

With regard to online data breaches, in 2019 the DPA sanctioned Facebook Ireland Ltd for €1 million, following the investigation on the "Cambridge Analytica" case, which also involved data of Italian citizens.

In the same year, the authority strengthened its activities aimed at protecting the "Right to be Forgotten" and promoted an international debate to redefine the role played by Internet Service Providers in this specific context.

In 2020, the DPA also raised concerns about TikTok, a Chinese platform that has become extremely popular among millennials all over the world and which allows users to share videos and images. The Italian Authority requested and obtained the establishment of a “task force” at European level to investigate this platform.

Activities in the field of cybersecurity

In 2019, 1443 data breaches were notified and the DPA commented on the inadequacy of cybersecurity measures enacted by public administrations and private companies that collect data online. The Authority has also provided guidelines against ransomware and other malicious software.

Ransomware

Ransomware are computer programs that encrypt data, making them no longer accessible, and that demand the payment of a "ransom" in order to regain access to the contents stored on the device. In its recommendations, the DPA pointed out that this malware is often installed on users' devices through free gaming or other apps, which users download completely unaware of the threats hidden inside them.

Digital Assistants

The DPA has also examined the risks associated with the use of digital assistants. These are programs which interpret human language through algorithms and artificial intelligence and are therefore able to interact like a "human user", responding to various types of requests (such as finding information on the web, searching for a route, making an online purchase, adjusting the temperature or home lighting, closing or opening home locks).

The DPA observed that these digital assistants collect and process a huge amount of data, while users are often unaware of how data are processed and of the identity of the data controller.



Privacy and Marketing

The DPA intervened against "aggressive" telemarketing activities by applying significant penalties (including penalties amounting to euro 27.8 million and euro 11.5 million respectively) to companies that have utilized data without the data subject’s prior consent.

Privacy and Right to Report

The Authority intervened on several occasions to condemn the gruesome details published by some newspapers and television stations in relation to certain news, in order to ensure appropriate protection for the victims of crimes, and especially minors.



Privacy and Work

The DPA defined the safeguards required for the collection of employees' fingerprints in order to counter absenteeism in public administrations. The Authority affirmed that the collection of biometric data is an extremely sensitive operation, due to the nature of the data processed. Specifically, where the collection of fingerprints is coupled with the use of video-surveillance technologies, such a procedure appears to conflict with the principle of proportionality.

Similarly, the DPA considered that a broad and generalized introduction of biometric survey systems for all public administrations would not appear to be justified under the GDPR.



Privacy and Justice

In relation to the "Exodus case" - in which the communications of hundreds of citizens not involved in police investigations were tapped due to a malfunction of an electronic tapping tool - the Italian Authority proposed measures to ensure increased safeguards in relation to the use of tools that potentially threaten citizens' freedom.

Privacy and Health

With regard to health data, the DPA intervened several times on the procedures for the collection and processing of health data in the context of the pandemic. The authority stated that, even in an emergency context, the principles of the GDPR must nonetheless be complied with.

The DPA also provided its opinions and indications regarding the "Immuni" app (i.e., the app chosen by the Ministry of Economic Development to provide contact tracing technology to the Italian health authorities). The DPA also expressed its views on the methods for carrying out serological tests and for collecting the health data of employees and customers.

The several actions put in place by the DPA show the continuing efforts to monitor the application of the new European regulation, and to prevent and sanction violations that may pose a threat to individual freedoms.