Update | Ransomware: a recent measure by the Italian Data Protection Authority
The Italian Data Protection Authority recently adopted a measure (LINK) on a very topical issue: the ransomware attack.
The ransomware is a malicious computer program that can “infect” a digital device with the aim of blocking access to all or some of the files stored in the infected device.
This allows the hacker to ask a ransom to the attacked organization for the release of such files. In this regard, the European Union Agency for Cybersecurity (ENISA), in its annual report “Threat Landscape 2021“, specified that ransomware attacks have been evaluated as the primary threat in cybersecurity for the period 2020/2021.
The security incident at the basis of the Italian Data Protection Authority’s measure
The company Minelli S.p.A. suffered a security incident consisting in the temporary loss of availability of the data stored in some company servers and PCs and the probable loss of confidentiality of such data. This security incident is the result of a ransomware attack that led to the encryption of the data stored in these servers and PCs (resulting in the impossibility to access and process the data) and the probable exfiltration of such data.
The breach resulted in the loss of confidentiality of personal data and involved around 800 data subjects including employees/consultants, holder of corporate offices, customers and suppliers. The data involved were both common data of employees, customers, suppliers and holders of corporate offices as well as data related to the employee’s judgment of suitability for the working activities.
In any case, at the time of the breach, the data controller was regularly backing up the data which allowed the data controller to restore the data affected by the security incident.
Following this security incident, the data controller provided a preliminary notification of data breach to the Italian Data Protection Authority, followed by a supplemental notification, as well as a communication of the data breach to only one of the data subjects involved in the security incident.
The conclusions of the Italian Data Protection Authority
The Italian Data Protection Authority, taking into consideration:
- the large number of the data subjects involved (approximately 800 data subjects);
- that the personal data breach is likely to present a high risk for the rights and freedoms of natural persons;
ordered Minelli S.p.A. to:
- communicate the personal data breach to all the data subjects involved in the data breach without delay, and in any case within ten days of receipt of the order;
- provide, within seven days of the aforementioned communication, adequately documented feedback regarding the actions taken and any further measures adopted to mitigate the possible prejudicial effects of the data breach on the data subjects.
The Italian Data Protection Authority, in any case, has not issued any pecuniary sanction against the company.
Recommendations
The data controller should implement technical measures to counter ransomware attacks, such as:
- the implementation of backup strategies;
- restricting access to known ransomware sites;
- the monitoring of IT systems in order to quickly identify possible infections;
- proper management of authentication credentials, etc.
It is also important to provide organizational security measures such as training and awareness-raising for the personnel. These measures, in any case, must be properly reported in the record of processing activities drafted and updated by the data controllers and data processors.
Finally, if the ransomware attack results in a violation of personal data (data breach), the data controller shall notify the data breach to the supervisory authority/the data subjects when required by law. In this regard, we suggest to:
- draft and update policies for the management of data breaches;
- carry out training activities for personnel;
- carry out ad hoc simulations in order to verify the effective implementation of this policy and the level of awareness by personnel; and
- draft and update the record of data breaches.
