The Internet of Things is expected to lead to 50 billion connected devices by 2020 collecting and exchanging personal data about their users, their lives, their preferences and tastes. This will lead not only to relevant data protection issues, but also to increased cybercrime related risks triggering the need to ensure a higher level of cyber security.
I have already covered in this post the compliance measures to be put in place in order to face data protection issues affecting the Internet of Things . However, as covered in this post from my friend Pierluigi Paganini, the Internet of Things is likely to create new opportunities for hackers able to go beyond security measures implemented in for instance wearable technologies or eHealth systems leading to cybercrimes.
This issue has been recently addressed by the Italian Government that adopted the National Plan on Cyber Security whose purpose is, among others, to amend cybercrime provisions in order to be better tailored to new technologies which certainly include crimes involving the unauthorised access to BIG DATA and personal data collected through Internet of Things technologies.
In addition to the above, a potential cybercrime deriving from access to personal data stored in a database including for instance health related data gathered by means of wearable technologies but even data collected by companies such as manufactures of cars, home appliances, eHealth or telemedicine technologies and even banks can lead to liabilities also for the entities acting as controllers of such databases. And in such circumstances, in accordance with Italian privacy law, the burden of proof of having adopted all the possibile security measures necessary to prevent the occurrence of the cybercrime will be on the data controller itself creating a scenario that in some cases can be defined of “probatio diabolica“.
Also, in case of the so called data breach (i.e. a breach of security leading to the accidental, unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in a database), the notification obligation to the Data Protection Supervisory Authority currently represents an obligation only on providers of electronic communication services. However, it will become an obligation for any data controller i.e. any entity running a database of personal data as a consequence of the coming into force of new EU data protections regulation already approved by the European Parliament. And this extension will be coupled with the increase of sanctions for breach of data protection regulations up to 5% of the global turnover of data controller’s group.
Such obligations will raise concerns not only for European companies, but also for non-European companies such as American entities collecting personal data of European users because the new European data protection regulation will be applicable to any entity processing personal data of users located in the European Union.
There were according to estimates 1,150 cybercrime attacks globally of which 35 in Italy in 2013 leading to annual damages between € 20 and € 40 billion in Italy. And given such circumstances it is not surprising that insurance policies covering cybercrimes are becoming very popular. The growth of the Internet of Things and the increased reliance of companies on BIG DATA and in general large databases leads to a risk against which companies are more and more deciding to get an insurance protection.
Likewise, the fact that Italian law provides for corporate criminal liability in relation to cybercrime conducts pushes companies to adopt the so called internal corporate model of organization and management of the company outlined in this post in order to minimize liabilities in case of cybercrime leading to the loss, alteration or destruction of their customers’ data). This is not relevant only for gaming operators, but for companies acting in any sector.
The issue above will become more and more relevant in the next years and as usual feel free to contact me, Giulio Coraggio, join the IoTLaw LinkedIn Group, follow me on Twitter, Google+ and become one of my friends on LinkedIn.