14 Apr Security measures: old acquaintances

Security breaches and data breaches are respectively the cause and the effect of events related to the personal data of different Certified Email Address inbox owners (“[…] several cases of data breaches notified to the Italian Data Protection Authority by different Certified Email Address inbox owners”). This is what is reported in the Provision of the Italian Data Protection Authority (the “Italian DPA”) of 18 December 2019, made known to the public only on 6 March in order to prevent that “the detected vulnerabilities could be exploited by any malicious attackers” (doc. web n. n. 9283040, the “Provision”).

Anticipating the outcome of the event, here is the good news: “The company has declared that it has fulfilled, within the prescribed time limits, the prescriptions imposed upon it” (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9283047#1).

That being said, the following is an examination of the Provision which may certainly be useful for us in defining a minimum level of security measures, some of which are already known. Indeed, you may recall Annex B to the Italian Privacy Code (Legislative Decree no. 196/2003) which expressly required passwords to be changed at the first use/access[1], the periodic modification of the password, and the assignment of individual credentials[2] – others indicated included therein, on the other hand, can be considered as reasonable and basic security best practices.

Identified non-compliance and laws violated

This case under examination may act as a useful tool to help us identify security measures in the light of the criticalities detected by the Authority:

1. definition of the password to access the Certified Email Address inbox by the Partner of Aruba PEC S.p.a. and sending the same, in an unencrypted format, to the ordinary inbox of the of the Certified Email Address inbox owner;
2. passwords without complexity requirements – in addition to the minimum number of 8 characters – and without the need to update it regularily;
3. no obligation to change the password upon first use/access;
4. possibility to check and export the logs of the messages of about 6.5 million Certified Email Address inboxes, moreover through the use of a shared and not an individual account, which does not allow for the association of actions carried out to a specific person, thus preventing, first of all, Aruba PEC itself from controlling the actions carried out;
5. storage, in log files, of information that is not necessary for ordinary and justified privacy and IT control and security purposes, with subsequent duplication of personal data and increased likelihood of data breaches;
6. storage in log files of authentication credentials,

in breach of art. 32 and of the privacy principles of data minimization and confidentiality set forth in art. 5 of EU Regulation 679/2016 (“GDPR“).

Compliance actions and related security measures prescribed by the Italian DPA

In order to mitigate and remove the aforementioned privacy violations and critical issues found, the Italian DPA has prescribed the adoption of the following security measures:

1. sending a communication to the owners of the 559,151 Certified Email Address inboxes in order to proceed with changing the password assigned by the Partner of Aruba PEC S.p.a.;
2. adoption of a procedure for a mandatory password change;
3. amend unnecessary high-level user authorization profiles;
4. assignment of individual and exclusive user profiles;
5. redefining of the log files so as to exclude the tracking of authentication credentials of technical users and other unnecessary and irrelevant information;
6. Change of passwords shown in log files.

In this regard, however, it cannot be ignored that some of these security measures were already referred to in the repealed Annex B of the Italian Privacy Code.

Administrative fines (stay tuned)

As opposed to the latest provisions published by the Italian DPA, such as the most famous ones issued to TIM S.p.a.[3] and ENI Gas e Luce S.p.a. [4], the Italian DPA will evaluate, with a subsequent provision, “… further aspects of the data processing carried out by Aruba PEC S.p.a., as well as all the violations detected“. Therefore, only in the future will we understand whether there will be a fine and how much the above-mentioned security violations may actually cost.

Tips for generating and using more secure passwords

First of all, it is always necessary to check  passwords in use and to change them if it has never been done before (or recently), or if they are not very complex.

Here are a few simple tips to follow:

• use special characters and numbers;
• don’t use weak passwords, such as those easily related to your person, thus avoiding the use of your first and last name, the company you work for, as well as the use of the same password over time (such as, “company1”, “company2”, “company3”);
• don’t disclose your authentication credentials to third parties or, in case you do, update them immediately;
• periodically update passwords (e.g. 3-4 times a year), and always update it in case a security incident or unauthorized access is suspected;
• don’t use the same password to access different applications/tools/databases/social networks/services;
• where it is necessary to disclose your credentials to third parties, provide your password and identification code over different channels (e.g. username via e-mail/zipped file, password with SMS);
• use a password manager for more secure storage and use.

Check the flash tips to protect your privacy with valid passwords[5] and the Italian DPA’s GDPR Implementation Guidelines[6] (see section entitled “Risk based approach and accountability measures for data controllers and data processors“).

[1] Point 5 of the repealed Annex B to the Italian Privacy Code (Legislative Decree no. 196/2003) stated: “The password, when provided for by the authentication system, shall consist of at least eight characters … it shall not contain references easily traceable to the person in charge and shall be modified by the latter at first use and, subsequently, at least every six months. In the case of processing of sensitive and judicial data the password shall be modified at least every three months”.

[2]  Point 3 of the repealed Annex B to the Italian Privacy Code (Legislative Decree no. 196/2003) stated: “Each person in charge is individually assigned or associated  with one or more authentication credentials”, and Point 6 of the same: “The identification code, where used, may not be assigned to other persons in charge, even at different times“.

[3] Corrective and sanctioning provision against TIM S.p.A. – 15 January 2020 [9256486]: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9256486

Corrective and sanctioning provision against TIM S.p.A. – 9 January 2020 [9263597]: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9263597

[4] Corrective and sanctioning provision against Eni Gas e luce S.p.a. – 11 December 2019 [9244358]: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9244358

[5] https://www.garanteprivacy.it/documents/10160/0/Consigli+flash+per+tutelare+la+tua+privacy+con+buone+password.pdf/3af66017-7a4a-4a18-895e-ce94e2522cee?version=1.3

[6] https://www.garanteprivacy.it/regolamentoue/approccio-basato-sul-rischio-e-misure-di-accountability-responsabilizzazione-di-titolari-e-responsabili#misure