29 Apr Legal cyber-security compliance in light of the “Rousseau provision”
The Garante per la Protezione dei dati personali (the “Italian Data Protection Authority” or “Authority”), by publishing provision n. 83 of 4 April 2019, imposed on the Rousseau Association, which had assumed the role of data controller, a fine of 50,000 euros under art. 83(4)(a) of EU Regulation 2016/679 (“GDPR” or “Regulation”) for the violation of art. 32 of the GDPR concerning the security of processing.
Article 32 states that “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller unless he or she is required to do so by Union or Member State law.”
It should be noted that the provision in question derives from the prescriptions contained in provision n. 548 of 21 December 2017 with which the Authority, after having verified the violation of personal data relating to the so-called “Rousseau platform”, requested a review of the security measures implemented by the Rousseau Association in order to protect the processing operations of the e-voting system.
The sanctioning process
The Authority’s verification was based both on the information obtained through the technical analysis carried out during their inspection of the Rousseau Association, and on the review of the documentation received following the provision that extended the deadline, issued on 16 May and 4 October 2018.
It should be noted that the Authority considered that the state of security of the processing activities improved as a whole but that residual vulnerabilities are likely to affect these improvements. Moreover, as a result of the vulnerabilities found, the Authority cannot consider the Rousseau Association as fully compliant with the requirements of the provision of 21 December 2017.
To understand the reasoning behind the provision, it is necessary to retrace the preliminary procedure relating to the verification of compliance with provision n. 548 of 21 December 2017.
During the summer of 2017, following data protection violations on several websites related to the 5 Star Movement, the Authority requested the adoption of adequate security measures in order for the data controller to align the processing carried out through the websites with the rules on the protection of personal data.
The data controller had promptly been able to meet the requirements concerning the reformulation of the information provided under art. 13 GDPR and the appropriate designation of the data processor through a legally binding agreement, but not those relating to the information security profiles. From an IT point of view, it should be noted that, while the security deficiencies found were still awaiting remediation, two changes occurred. Firstly, the data controller role was transferred from Giuseppe Piero Grillo to the 5 Star Movement. Secondly, the website on which the violation of the summer of 2017 had taken place was transformed from an e-voting platform into a personal blog, which no longer allows the creation of accounts or the transmission of personal data through it. The Garante, having taken note of these transformations, decided to exclude the site www.beppegrillo.it from its investigation and therefore focused on the critical issues of the “Rousseau platform”, the IT infrastructure which served as the platform for the political activity and opinions of the 5 Star Movement and its members.
Precisely “given the complexity and delicacy of the databases concerned”, the Authority has granted two extensions to the Association Rousseau, the data controller, to comply with the requirements of provision n. 548. After the passing of the deadline to complete the correcting operations, the Authority analysed the state of compliance with the instructions it gave earlier and identified persistent critical issues.
The content of the provision
In paragraph 2 of provision n. 83 of 4 April 2019, the Authority provides a brief description of the requirements of provision n. 548 of 2017 and how the Rousseau Association has implemented these provisions.
Concerning paragraph 2(A), the Authority, through provision n. 548, required the Rousseau Association to carry out vulnerability assessment activities. These activities are listed as risk mitigation measures in ISO/IEC 27001, Annex A.12.6.1, and are consequently in line with the adoption of technical and organisational measures to reduce risk pursuant to art. 32 GDPR. The ISO/IEC 27001 standard outlines that it is necessary to remove technical vulnerabilities by implementing appropriate measures that can impact the risk.
The Rousseau Association conducted the vulnerability assessment only partially, as the Authority detected that the systems in use were obsolete. Such obsolescence implies the presence of known vulnerabilities that the data controller has not correctly resolved. The Authority also specifies in paragraph 3.1 of provision n. 83 that one of these obsolete systems is the content management system (“CMS”) through which the websites of the 5 Star Movement are managed. Moreover, the obsolescence in question is not a matter of the CMS lacking updates but of the product itself having reached End of Life: it can no longer be updated as of 31 December 2013. It should be noted that the repealed Annex B of Legislative Decree no. 196/2003 already required that “periodic updates of computer programs aimed at preventing the vulnerability of electronic instruments and correcting defects are carried out at least annually. In the case of processing of sensitive or judicial data, the update is at least every six months”. The General Data Protection Regulation, as is well known, is based on the principle of accountability, which obliges the data controller to adopt appropriate and effective measures to comply with the principles of data protection, and creates the requirement to demonstrate such compliance both on request and while carrying out the processing operations. Therefore, the minimum security measures contained in the former Annex B, which instead directly dictated some minimum measures that the data controller had to confirm, no longer extend to all contexts and sectors. Nevertheless, Annex B can be considered as a starting point for compliance with the principle of accountability and to ensure the security of processing activities.
As a result of the above, the isolation and/or decommissioning of systems that are no longer updated by their manufacturers is a security measure whose implementation is fundamental in terms of accountability.
Regarding points 2.B, 2.C, and 2.D of provision n. 83, it should be noted that the Authority considers that the adaptation to the requirements contained in provision n. 548 of 21 December 2017 has been completed, as the Association Rousseau remedied the weaknesses found in the procedure for creating accounts, in the adoption of secure network protocols, and in the protection of profiles by encrypting passwords for access to online services.
On the other hand, in paragraph 2.E, the Authority reports that the auditing measures for the database of the Rousseau System are not correctly implemented, indicating a non-compliance with the general provision of the Authority of 27 November 2008 concerning System Administrators. The general provision continues in paragraph 2.1, explaining that the adoption of auditing tools, that is, operational intelligence software that can generate complete, unalterable logs, subject to integrity verification and stored for at least six months, was the reason for the extension of the deadline for compliance. The Authority was able to verify the presence of application logs (paragraph 2.1.A of the provision) but did not find logs relating to access to the databases. As described in point 2.1.B of the provision, it has been demonstrated that access can occur in two ways: one is the remote access of the sub-processor, a computer company that is responsible for system management, and the other is access through the web interface for DBMS management used by the staff of the Rousseau Association itself. This second method does not allow the data controller to track access to the database, so the Rousseau Association has declared its intention to remove the tool through which this second method is carried out in favour of tools that use the SSH protocol and that can ensure the tracking required by the General Provision of 27 November 2008. Furthermore, points 2.1.C and 2.1.D concern the presence of an event management system that collects and correlates the logs produced, and how these logs are stored for the necessary time and adequately protected, and are thus compliant with data protection norms and the provisions.
With regard to point 2.1.E of the provision in question, the Authority noted the presence of shared credentials between the system administrators of the website and the e-voting platform. This sharing of credentials makes it impossible to trace the operations carried out by the individual system administrators. Such a practice therefore represents a risk that is not mitigated by the data controller, and it led the Authority to produce further considerations and to impose the sanction mentioned above, as will be seen in more detail below.
In paragraph 3 of provision n. 83, the Authority expresses its views on the findings described in section 2. As for the vulnerability assessment activity referred to in paragraph 3.1 of the present provision, the Authority’s considerations have been described above. With regard to the content of section 3.2 on security measures to protect platform accounts, it should be noted that the Authority has considered that the requirements have been substantially fulfilled. In paragraphs 3.3 and 3.5, the Authority describes how the lack of an ex-post verification capacity regarding the operations carried out by system administrators, and the sharing of their credentials with the consequent inconsistency between authorisation profiles, expose the system to potential risks of a personal data breach. The provision refers to the previous regulatory system to emphasise that Annex B of Legislative Decree no. 196/2003 already contained provisions on the use of authentication credentials to be assigned exclusively to individual persons in charge and on the definition of different authorisation profiles to limit access to only the data necessary for processing operations. As mentioned above, the Authority highlighted, also from an accountability point of view, that the security measures contained in the abrogated Annex B are to be considered minimum measures to ensure the security of processing pursuant to art. 32 GDPR.
In paragraph 3.4, the evidence of which is described in section 2.2 of the provision in question, the Authority addresses the issue of the confidentiality of electronic voting operations.
The Authority, in paragraph 8.2 of provision n. 548 of 21 December 2017, had prescribed the adoption of appropriate measures such as cancellation or anonymisation of the personal data processed once the voting operations had been completed. Although the Rousseau Association had declared that this measure had been implemented, during the course of the inspection it was found that there was a database table containing the voting information together with the mobile phone number and ID of the voter. The presence of this table, together with the findings on the absence of adequate auditing measures and the mixing of the credentials of the system administrators, must be considered severe deficiencies from a technical and organisational point of view, such as to affect the security of the processing and to amount to a failure to comply with the fundamental characteristics that an e-voting platform should have on the basis of international standards.
Paragraph 4 of the present provision contains the Authority’s final assessments. On the basis of the considerations made in section 3, the Authority orders the 5 Star Association and the Rousseau Association, as data processor, to assign personal accounts with relative separation of authorisation profiles to system administrators, to complete the adoption of the aforementioned auditing measures, to update the CMS and to proceed with the drafting of a Data Protection Impact Assessment relating to the e-voting platform.
Subsequently, in paragraph 4.2, the Authority, in compliance with the provisions of art. 32 GDPR ascertained:
– the failure to completely trace the accesses to the database of the Rousseau system and the operations carried out on it, which constitutes a violation of that general duty of control over the lawfulness of the processing on the part of the data controller and, in particular, of the obligation to ensure more adequate guarantees of confidentiality to the subscribers to the platform itself; this is due to the size of the databases in question, to the type of data collected and to the functions that characterize them;
– the sharing of authentication credentials by several operators with high privileges for the management of the Rousseau platform and the failure to define and configure the different authorization profiles in order to limit access to only the data necessary in the various areas of operation, which in the previous legal system were even qualified as minimum security measures for data controllers. In this case, therefore, there is a violation of the obligation on the part of the data controller to prepare adequate technical and organizational measures.
Elements of compliance
One of the measures that the Authority’s provision requires to be adopted relates to System Administrators and specifically concerning the audit tools or the production and preservation of log files referred to in paragraph 2 of the provision.
The data controller must adopt solutions for logging the accesses of the system administrators, on all the systems that the administrators access, such that the logs are complete, unalterable, verifiable for integrity, and maintained for at least six months.
It is necessary to go into detail on the characteristics of the logs mentioned above, which ensure compliance with the provision. The logs must be complete, i.e., the logging system must keep track of each action for which it has been configured, and the logs must contain the timestamp and details of the machine from which access and disconnection have been made. As for inalterability, it should be noted that the logs should not be editable or erasable, as this action would also invalidate the completeness of the log. The integrity check by the operational intelligence software can be carried out manually, i.e., at the request of a system administrator or another person in charge with a proper authorisation profile, or it can be carried out continuously in the background, alerting when corrupt logs have been detected.
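The following added example (not taken from the provision or from the Rousseau Association's systems) shows one way to obtain the log properties described above: each administrator access record is chained to the previous one with an HMAC, so edits, deletions and truncation are detected by an integrity check. The field names, the key handling and the 183-day retention constant are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

REQUIRED = ("ts", "admin", "source_host", "event")  # assumed fields for "completeness"
RETENTION = timedelta(days=183)                      # "at least six months" (assumed day count)
GENESIS = "0" * 64                                   # MAC value that precedes the first record

SAMPLE = [  # constructed events, not real data
    {"ts": "2019-01-10T08:00:00+00:00", "admin": "a.rossi", "source_host": "10.0.0.5", "event": "login"},
    {"ts": "2019-01-10T08:05:00+00:00", "admin": "a.rossi", "source_host": "10.0.0.5", "event": "db_access"},
    {"ts": "2019-01-10T08:30:00+00:00", "admin": "a.rossi", "source_host": "10.0.0.5", "event": "logout"},
]


def _mac(key: bytes, prev_mac: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous MAC plus the canonical JSON of the entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append(log: list, key: bytes, entry: dict) -> str:
    """Append one access event chained to the previous record; return the new head MAC."""
    missing = [f for f in REQUIRED if not entry.get(f)]
    if missing:
        raise ValueError(f"incomplete entry, missing {missing}")
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": dict(entry), "mac": _mac(key, prev, entry)})
    return log[-1]["mac"]


def verify(log: list, key: bytes, anchored_head: str) -> list:
    """Return a list of findings; an empty list means the log is intact.

    anchored_head is the last MAC, kept outside the logged system, because
    the chain alone cannot reveal that the newest records were cut off.
    """
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(_mac(key, prev, rec["entry"]), rec["mac"]):
            findings.append(f"record {i}: altered, or a preceding record was removed")
        prev = rec["mac"]  # continue from the stored MAC so one fault gives one finding
    if not hmac.compare_digest(prev, anchored_head):
        findings.append("head mismatch: newest records removed or replaced")
    return findings


def purgeable(log: list, now: datetime) -> list:
    """Indexes of records that have left the retention window and may be archived."""
    return [i for i, r in enumerate(log)
            if now - datetime.fromisoformat(r["entry"]["ts"]) > RETENTION]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice held off the logged host
    log, head = [], GENESIS
    for e in SAMPLE:
        head = append(log, key, e)
    print("intact:", verify(log, key, head))
    log[1]["entry"]["admin"] = "root"  # simulate an edit to a stored record
    print("after edit:", verify(log, key, head))
```

Running `verify` on a schedule corresponds to the continuous background check mentioned above; calling it on request corresponds to the manual one.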
As far as the presence of shared credentials and undefined authorisation profiles is concerned, it is recommended that accounts should be individual and associated with one or more authorisation profiles. To implement these security measures correctly, it may be necessary for authentication to be managed centrally, for example through an IAM (Identity and Access Management) system. It is particularly useful to put in place adaptive authentication mechanisms. Adaptive authentication is a way of configuring and implementing two-factor or multi-factor authentication in which the authentication factors are selected on the basis of a user’s risk profile and trends, so that the type of authentication adapts to the actual situation. Authorisation profiles should be assigned according to the principles of need-to-know and least privilege. The principle of need-to-know can be defined as giving a user access only to the information strictly necessary for the processes of which he is a part or for the performance of the task to which the user is assigned. This principle is legally relevant pursuant to Article 5(3)(c) of the GDPR since it adheres perfectly to the requirement of data minimisation. The principle of least privilege does not strictly concern access to data but the permissions relating to the operations that can be carried out with those data, and it is useful to achieve the purpose of ensuring confidentiality as per Article 32(1)(b) GDPR. The two principles should also be taken into account in the drafting of a formalised process for the creation of high-privilege accounts, such as system administrator accounts, to properly delimit the accesses and permissions of the employees with the highest-level operational tasks.
In conclusion, it should be noted that there are a variety of new elements in the provision in question.
To contain the threats related to information security and, more generally, to ensure the safety of personal data by the data controllers and processors, until September 19, 2018, there was a “Technical specification on minimum security measures” in Annex B to Legislative Decree no. 196/2003. The Legislative Decree 101/2018, in adapting the Legislative Decree 196/2003 to the provisions of the GDPR, had to take into account the fact that the Legislative Decree 196/2003 and the GDPR itself have an approach to the issue of data protection, especially in the area of information security, particularly different from each other. The Regulation establishes the principle of accountability under art. 24 GDPR, consisting in the obligation for the data controller to take appropriate and effective measures to implement the principles of data protection, as well as the need to demonstrate this both on request and in carrying out the processing. Annex B, on the other hand, directly required the implementation of some minimum measures with a “checklist-based” approach that was particularly far from the “risk-based” approach outlined in the Regulation in Art. 32 of the GDPR.
The Italian Authority intended to clarify how the measures contained in Annex B are in any case to be considered “minimum” in terms of accountability. The new element, therefore, concerns the possibility for the owner or the data controller to identify alternative mitigation measures to those contained in Annex B of Legislative Decree no. 196/2003, which should be equally aimed at reducing the risks assessed. If a failure to implement measures resulting from a risk analysis process in application of art. 32 GDPR is detected, the absence of the minimum security measures under Annex B of Legislative Decree no. 196/2003 could be considered a violation of art. 32 itself, Annex B being taken as the basis from which to start securing the processing of personal data. It is necessary to analyze how the reasons that led the Authority to impose the sanction under Art. 83.1 are closely related to compliance, on the one hand, with what is contained in Annex B and, on the other hand, with the general provision on system administrators of 27 November 2008. In this sense, we are witnessing a real rebirth of what the Garante put in place in the first decade of the new millennium. This rebirth is not what more accurate commentators, in relation to the entry into force of Legislative Decree 101/2018, have defined as a “zombie effect”, but rather a “phoenix effect”, since Annex B is able to re-emerge from the ashes of its abrogation to become the basis on which the security of processing rests pursuant to Art. 32 GDPR.
Another element of particular importance is that concerning the demonstration of compliance with the Regulation by a data processor or controller. The risk of sanctions, in the light of the provision in question, can no longer be mitigated solely by the formalization of policies and procedures, the presence of appointments and information pursuant to art. 13 GDPR, and the definition of the perimeter of contracts. The elements of information security, which compose the methods by which the processing is protected, are the first and clear sign of adherence to the principles of the Regulation, the showcase of compliance with the rules on the protection of personal data, the outpost of compliance. The provision of 4 April 2019 can be considered the first step towards a phase in which the processes of compliance with the regulations on the protection of personal data can no longer be separated from a synthesis between legal profiles and elements of information security and the concretization in cybersecurity terms of what is required by the legislator.