Garante per la protezione dei dati personali (Italy) - Provvedimento del 9 maggio 2024

| | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5 GDPR, Article 28 GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 01.05.2019 |
| Decided: | 09.05.2024 |
| Published: | 09.05.2024 |
| Fine: | n/a |
| Parties: | InfoCert S.p.A., Tinexta S.p.A. |
| National Case Number/Name: | Provvedimento del 9 maggio 2024 (register of provisions no. 292) |
| European Case Law Identifier: | 10070397 |
| Appeal: | Challenged (opposition proceeding pending, per the heading note of the decision) |
| Original Language(s): | Italian |
| Original Source: | Garante per la protezione dei dati personali (in IT) |
| Initial Contributor: | italyone |
In a decision of 9 May 2024 (register of provisions no. 292), the Italian Data Protection Authority concluded its investigation into the 2019 breach of the portal of the Rome Bar Association (Ordine degli Avvocati di Roma). The affected systems were run by Visura S.p.A. (successor of Lextel S.p.A., both Tinexta Group companies) on behalf of the PEC provider InfoCert S.p.A.; the Authority found violations of Articles 5, 28, 32, 33 and 34 GDPR by InfoCert, while noting that the measures introduced during the investigation made corrective orders unnecessary.
English Summary
Facts
In early May 2019 the self-styled groups "LulzSecITA" and "Anonymous Italia" attacked the institutional portals of several Italian Bar Associations. Through a SQL injection attack on a public-facing web server operated by Visura on behalf of InfoCert, completed on 3 May 2019, the attackers reached a database server that still held the database of the old portal of the Rome Bar Association. Two tables there stored the tax code, the PEC address on the "ordineavvocatiroma.org" domain and the first-activation credentials (username and password in clear text) of 40,623 lawyers and trainees. The data of 26,921 members were published online, and because the default passwords had never had to be changed, the credentials were used to access several PEC mailboxes; the messages of 12 of them were also leaked.

The Authority asked InfoCert for information on 8 May 2019; InfoCert notified the breach under Article 33 GDPR on 9 May 2019, describing it as the theft of a file of default passwords. InfoCert suspended access to 112,928 potentially affected mailboxes on 7 May 2019 and reset their passwords, but the temporary passwords sent by e-mail had to be changed only on webmail and still worked over IMAP, POP3 and SMTP. Forensic analysis later identified 63, then a further 17, mailboxes accessed from low-reputation IP addresses (TOR, VPN or proxy); their holders received specific Article 34 communications only on 23 September, 7 October and 11 October 2019.

During the investigation InfoCert introduced further measures: a mandatory password change on first webmail access from 3 July 2019 (client access was blocked only later), a redesigned reseller activation flow with single-use, expiring activation links from 31 July 2019, forced password expiry for 459,530 never-accessed mailboxes and a four-phase notice-then-expiry campaign covering 1,601,314 mailboxes, minimum security requirements and audits for resellers, and Article 28 agreements with Visura (signed 20 June 2019) and, in preparation, with the other 55 resellers.
Holding
Article 32 GDPR: InfoCert had not implemented technical and organisational measures appropriate to the risk. First-activation credentials, including clear-text passwords, were generated by the reseller application, visible to reseller operators, e-mailed in clear text and left stored and still valid in a reseller database that served a public portal; the generated passwords were eight characters, two static and six dynamic (digits and capital letters only); no mechanism required a change on first use, so that as of 3 July 2019 1,032,358 users activated since May 2015 had never changed their password; the post-breach temporary passwords still worked over IMAP, POP3 and SMTP without a forced change; and the certified-log web application was used through a shared, non-nominal account by a team of eight people.

Articles 33 and 34 GDPR: the register of breaches kept under Article 33(5) contained only summary descriptions without the reasoning behind the risk assessments or the remedial measures, and the breach itself had not yet been recorded at the time of the inspection. Holders of mailboxes that had actually been accessed received no specific communication until 23 September 2019, and that communication wrongly stated that no message copying had occurred, requiring a corrected communication on 7 October 2019 and a further one to 17 additional users on 11 October 2019.

Article 28 GDPR: Visura (and previously Lextel) processed personal data on InfoCert's behalf without any processor agreement until 20 June 2019, and the other 55 resellers had no Article 28(3) contract at the time of the inspections.

Article 5 GDPR: the principles relating to processing, in particular integrity and confidentiality (Article 5(1)(f)), were not complied with.
Comment
The case is a reminder that "default" credentials are live credentials. The breach was possible because first-activation passwords were generated from a weak, partly static pattern, handed to resellers in clear text, stored in a reseller database that also backed a public portal vulnerable to SQL injection, and never had to be changed. The remediation shows a second common mistake: enforcing the password change only on the webmail path while the same temporary password kept working over IMAP, POP3 and SMTP. The decision is equally relevant to supply-chain governance: a PEC provider relying on 56 resellers had Article 28 terms with none of them when the breach occurred, and could not fully attribute access to its certified log because the application was used through a shared account.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
Provision of 9 May 2024*

*The provision has been challenged. Pending the opposition proceeding against the provision, the accessory sanction of publication of the injunction order is not applied.

Register of provisions no. 292 of 9 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, secretary general;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, "Code on the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter, "Code");

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data;

RAPPORTEUR the lawyer Guido Scorza;

WHEREAS

At the beginning of May 2019, the Authority became aware of a cyber attack carried out by the self-styled hacking groups "LulzSecITA" and "Anonymous Italia" against the institutional portals of various Bar Associations, and of the subsequent online dissemination of part of the personal data exfiltrated from those portals, including, in particular, the authentication credentials used by thousands of members of the Rome Bar Association (directly identifiable through personal or contact data) to access PEC mailboxes with the domain "ordineavvocatiroma.org", managed by InfoCert S.p.a. (hereinafter "InfoCert" or the "Company"), as well as the messages contained in some of them.

As part of the complex investigation launched by the Authority in relation to this personal data breach against the Company and Visura S.p.a. (hereinafter "Visura"), which, also following the merger by incorporation of Lextel S.p.a. (hereinafter "Lextel"), managed the systems affected by the breach, the processing carried out by the Company in the provision of the PEC service was, more generally, also carefully verified. In fact, in addition to being one of the main trust service providers operating in Italy, since 19 January 2007 InfoCert has been registered in the list of certified electronic mail (PEC) managers pursuant to art. 14 of Presidential Decree no. 68 of 11 February 2005 ("Regulation containing provisions for the use of certified electronic mail", pursuant to article 27 of Law no. 3 of 16 January 2003), and is required to provide that service in compliance with the Ministerial Decree of 2 November 2005 (containing "Technical rules for the formation, transmission and validation, including temporal, of certified electronic mail").
The number of PEC mailboxes managed by InfoCert as of 30 July 2019 was approximately 2.4 million, while the numbers of messages sent and received by those mailboxes in the first half of 2019 were approximately 95 million and 140 million, respectively (see attachment 2 to the minutes of 1 August 2019).

The investigation, in addition to requiring numerous inspections of the aforementioned companies, both belonging to the Tinexta Group, involved detailed technical and legal investigations in order to reconstruct the roles assumed in the complex processing of personal data carried out in the provision of the PEC service, to attribute the related responsibilities and to qualify the various situations identified, including within the large resale network, which comprises, in addition to Visura, another 55 companies. During the investigation, also on the basis of the Authority's requests, the Company introduced numerous additional technical and organisational measures compared to the framework in force at the time of the inspections; these were verified and evaluated by the Office and brought about significant improvements in the application of the Regulation, such that the Authority did not need to adopt corrective measures.

1. Characteristics of the personal data breach

With a note dated 8 May 2019, the Authority sent InfoCert a request for information regarding the initiatives undertaken to fulfil the obligations set forth in Articles 33 and 34 of the Regulation in relation to the aforementioned breach.

With a note dated 9 May 2019, the Company, in providing the first elements in this regard, notified the Guarantor, pursuant to Article 33 of the Regulation, of the personal data breach concerning the "theft of a file containing the default passwords of the PEC mailboxes", automatically generated by the system upon first activation by users, specifying that "the event [...] did not involve the theft of other passwords of the professionals' PEC mailboxes, other than the default passwords, nor did it involve the theft of data from the systems of the InfoCert PEC Manager" (see note dated 9 May 2019, p. 1).

During the inspection carried out at Visura, which managed the affected systems on behalf of the Company, it emerged that, through a SQL injection attack against a server exposed on a public network (hereinafter "web server"), which culminated on 3 May 2019, unauthorised access was obtained, in several phases, to the data stored in some databases present on another server (hereinafter "database server"). In particular, the attackers also managed to obtain data processed by Visura on behalf of InfoCert in relation to the provision of the PEC service to members of the Rome Bar Association, because the database of the old portal of the Rome Bar Association also contained two tables holding the tax code, the PEC address with the domain "ordineavvocatiroma.org" and the authentication credentials (username and password in clear text, issued at the first activation of the PEC mailbox) of 40,623 users (lawyers and trainees). Following the exfiltration, the personal data of 26,921 members of the Rome Bar Association were also disseminated online by the self-styled hacktivist group "Anonymous Italia".
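As an added example, not code from the decision or from InfoCert or Visura, the following Python shows the two defects that combined in this breach: a lookup that splices user input into the SQL text (so a crafted username returns every row of the credentials table) beside the parameterized form, and the replacement of clear-text first-activation passwords with salted PBKDF2 hashes. The table layout, column names and sample rows are constructed for the illustration and are not the portal's actual schema.

```python
# Added example (not code from the decision, InfoCert or Visura): a lookup open
# to SQL injection beside the parameterized form, and migration of clear-text
# first-activation passwords to salted PBKDF2 hashes. Table, columns and rows
# are constructed for this illustration.
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed rows modelled on the two tables the decision describes
# (tax code, PEC address, username, first-activation password in clear text).
SAMPLE_USERS = [
    ("RSSMRA80A01H501U", "mario.rossi@ordineavvocatiroma.org", "mrossi", "AB7K2Q9Z"),
    ("VRDLGU75B02H501X", "luigi.verdi@ordineavvocatiroma.org", "lverdi", "AB3M8P1R"),
    ("BNCNNA82C03H501Y", "anna.bianchi@ordineavvocatiroma.org", "abianchi", "ABX4T7N2"),
]
PBKDF2_ITERATIONS = 200_000


def setup_db() -> sqlite3.Connection:
    """In-memory database holding the credentials as the old portal did: in clear text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pec_users (tax_code TEXT, pec_address TEXT, "
        "username TEXT PRIMARY KEY, password TEXT)"
    )
    conn.executemany("INSERT INTO pec_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The weak pattern: the caller's input becomes part of the SQL statement."""
    query = (
        "SELECT tax_code, pec_address, username, password FROM pec_users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized form: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT tax_code, pec_address, username, password FROM pec_users WHERE username = ?",
        (username,),
    ).fetchall()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record, so a leaked table yields no usable passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Constant-time comparison against a stored record produced by hash_password()."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_to_hashed(conn: sqlite3.Connection) -> int:
    """Replace every clear-text password with its hash; returns the number of rows migrated."""
    rows = conn.execute("SELECT username, password FROM pec_users").fetchall()
    for username, clear in rows:
        conn.execute(
            "UPDATE pec_users SET password = ? WHERE username = ?",
            (hash_password(clear), username),
        )
    conn.commit()
    return len(rows)
```

Hashing limits the damage of an exfiltrated table but does not make the weak eight-character, digits-and-capitals format described below safe against offline guessing; it complements a forced change on first use and a stronger generated format rather than replacing them.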
In addition, using those authentication credentials, unauthorised access was made to several PEC mailboxes and, for 12 of them, the messages they contained were disseminated online. Also in order to understand the reasons for the unjustified presence on those systems of active authentication credentials that still allowed access to PEC mailboxes, the Authority deemed it necessary to verify, also through specific inspections, the security measures adopted more generally by the Company for the management of the PEC service.

2. Elements that emerged during the Office's investigation

2.1. InfoCert's data processors in the management of the PEC service

As anticipated, during the inspections it emerged that InfoCert uses numerous entities (over 56 intermediaries in total) for the resale of the PEC service. With respect to the processing involved in the breach in question, Visura stated that "for [...] the issue of authentication credentials within the PEC service and the consequent processing of personal data of data subjects who request the activation of a PEC mailbox, Visura assumes the role of data processor of InfoCert S.p.A. [... and] collects the personal data of data subjects necessary for InfoCert to activate the requested PEC mailbox and consequently to issue the related authentication credentials" (see note of 31 May 2019, p. 2), despite the "absence of a formalisation of the role of data processor" (see minutes of 22 May 2019, p. 2). Visura provided a copy of the contract signed with InfoCert on 8 April 2008 (see attachment 4 to the minutes of 7 June 2019), as well as the legal document, signed pursuant to art. 28 of the Regulation, with which, on 20 June 2019, InfoCert designated Visura as data processor, delegating to it the processing activities that "concern the personal data of the data subjects, customers of Visura, who intend to purchase, on their own behalf or on behalf of third parties, one or more of the InfoCert Services resold and marketed [by Visura]" (see attachment 6 to the note of 25 June 2019). InfoCert confirmed that "the relationship is currently governed by the aforementioned documents, specifying that the contract is being reviewed", and also declared that there were no earlier acts designating Visura (or Lextel) pursuant to art. 29 of the previous Code or art. 28 of the Regulation (see minutes of 29 July 2020, pp. 3-4). During the inspections, InfoCert also provided the list of the additional 55 entities used for the resale of the PEC service, stating that "the relationships with the aforementioned entities [...] have not been regulated by a contract or other legal document drawn up pursuant to art. 28, par. 3, of the Regulation. These documents are being prepared on the basis of what is already provided for Visura S.p.a." (see minutes of 30 July 2019, p. 2, and attachment 2 to the same minutes).

2.2. The register of processing activities

During the inspection, InfoCert provided a copy of the register of processing activities carried out in its capacity as data controller with regard to the management of the PEC service (see minutes of 29 July 2019, p. 2, and annexes 2 and 3 thereto). In light of some inaccuracies, omissions or material errors detected during the inspection, InfoCert then provided further versions of the register (see annex 1 to the minutes of 30 July 2019, annex 1 to the note of 6 September 2019, and annex 1 to the note of 7 October 2019). Examination of the documentation revealed, in particular, that in the latest version of the register provided by the Company:

− the activity relating to the "Activation of the PEC Service function for copying messages to clone mailboxes managed on external environments and software" was added, which was not present in the first version provided to the Authority;

− for the activities relating to the "Transmission of messages and management of the transmission service" and the "Conservation of certified logs", the presence of personal data belonging to special categories or relating to criminal convictions and offences (articles 9 and 10 of the Regulation) is not indicated, and only the performance of a contract is indicated as the legal basis for the processing;

− the information relating to the data processors used by the Company is not adequately indicated.

2.3. The obligations related to the personal data breach in question

2.3.1. The documentation of personal data breaches

With reference to the documentation to be kept pursuant to art. 33, par. 5, of the Regulation, InfoCert provided a copy of the register in which it documents personal data breaches, stating that "the entry relating to the aforementioned personal data breach in the data breach register will be made following the conclusion of the analysis and evaluation activities currently underway" (see minutes of 29 July 2019, p. 5, and annex 5 thereto). InfoCert also provided further documentation extracted from the system used by the company for managing IT incidents (see annex 6 to the minutes of 29 July 2019). Subsequently, it also pointed out that "the data breaches that occurred in 2018 and 2019 are reported in the register of personal data breaches acquired during the inspection activities" (see minutes of 1 August 2019, p.
3), providing further documentation on those personal data breaches, extracted from the IT incident management system (see annex 4 to the note of 6 September 2019). Examination of the register showed that it lacks many essential elements, reporting only summary information on the breaches that occurred, with generic descriptions, without the reasoning underlying the risk assessments and without an indication of the measures adopted to remedy them.

2.3.2. Communication of the breach to the data subjects

Following the personal data breach, InfoCert initially proceeded to "immediately suspend access to the [112,928] potentially involved mailboxes" resold by Visura, belonging to members of numerous professional associations; at a later stage, a smaller pool of potentially involved data subjects was identified (approximately 27,500), it having been ascertained that not all the default passwords present in the stolen file could be considered "operational", since in many cases they had been changed by users of the PEC service who had set a personal password not affected by the breach. InfoCert therefore stated that Visura, on its behalf, starting from approximately 4:00 p.m. on 9 May 2019, sent a communication of the personal data breach to 24,859 users "for whom it was possible to find, through the professional associations to which they belong, an ordinary email address", which also provided instructions on the "procedure for resetting the password for accessing the PEC mailbox" (see note dated 16 May 2019, p. 3).

In particular, the holders of the PEC mailboxes potentially at risk were informed that, "following a cyber attack, it was necessary, for reasons of prudence and risk containment, to block access to their PEC mailbox in order to prevent any undue access by unknown persons aimed at acquiring and using the information contained therein in an illicit manner", and that the password for accessing the PEC mailbox had been reset. The same communication provided a temporary password that had to be changed on first access to the PEC mailbox (see note of 9 May 2019, pp. 3-4).

With reference to the PEC mailboxes used by members of the Rome Bar Association for which some of the messages contained therein were disseminated online, or which were in any case subject to unauthorised access, InfoCert stated that it had not sent, pursuant to art. 34 of the Regulation, a specific communication to the data subjects holding those mailboxes, believing that "the communication made in relation to the compromise of the authentication credentials of the PEC mailboxes was also adequate with reference to such data subjects" (see minutes of 29 July 2019, p. 5). During the inspections, InfoCert provided an initial list of "55 PEC mailboxes of the Rome Bar Association that present high risk profiles" (see attachment 2 to the minutes of 31 July 2019), stating that it had entrusted an external company with specific forensic analysis activities, which then made it possible to identify a "set of PEC mailboxes [for which] access from anonymised IP addresses was detected, for a total of 64 [(rectius 63)] mailboxes" (see point 15 of the note of 6 September 2019). On 23 September 2019, InfoCert sent a new communication to the users of those mailboxes (see minutes of 24 September 2019, pp. 6-7, and minutes of 25 September 2019, p. 2).

It should be noted that this communication, also sent to the 12 members of the Rome Bar Association whose messages were disseminated, nonetheless stated that "no sending, copying or deleting operations of messages performed by the IP addresses reported" had been found (see attachment 1 to the minutes of 25 September 2019); during the investigation, the Company represented in this regard that "the so-called 'copy operation' constitutes, from a technical point of view, the copying of a PEC message from one folder to another within the same PEC mailbox, and this operation was considered different from the download of a PEC message (via client or via webmail), which certainly occurred for the twelve PEC mailboxes in question, as also emerges from the documentation already acquired during the inspections, and probably also for other PEC mailboxes involved in the breach". On 7 October 2019, InfoCert, as already anticipated during the inspections (see minutes of 25 September 2019, pp. 3-4), sent the aforementioned 63 data subjects a supplement to the communication already sent, specifying that "the illicit access [...] led to the consultation and download, by unknown persons, of the messages present in the mailbox; however, it is not currently possible to establish what use may have been made of them beyond what has already been disclosed by those responsible for the attack" (see note of 7 October 2019, p. 3, and attachment 4 to the same note). Lastly, InfoCert stated that "in light of the final results of the forensic analysis of 09/10/2019, on [... 11 October 2019] it sent a communication pursuant to art. 34 of the GDPR to the additional 17 data subjects for whom access to the relevant PEC mailboxes by IP addresses 'with low reputation' was detected" (see note of 11 October 2019, pp. 1-2, and annex 2 to the same note).

2.4. The security of processing within the PEC service

2.4.1.
The measures in place at the time of the personal data breach

2.4.1.1. The process of activating PEC mailboxes through an intermediary

During the investigation, it emerged that InfoCert markets the PEC service not only directly but also through a network of resellers (hereinafter also "intermediaries"). In this regard, InfoCert stated that, "although it does not provide specific instructions regarding the aforementioned processing of personal data, it makes available to resellers, including Visura S.p.a. and previously Lextel S.p.a., a web application called 'Autogestione' and the related user manual for the management of the processes relating to the activation and management of Legalmail mailboxes (version 14 of 26 May 2010)" (see minutes of 29 July 2019, p. 4). Until 31 July 2019, the "Autogestione" application, at the end of the registration procedure for a PEC mailbox, automatically generated the access credentials, namely the username and the first-activation password, the latter viewable in clear text by the intermediary's operators until the PEC mailbox was activated by the user (see minutes of 30 July 2019, p. 4). With particular regard to the methods adopted by Visura for activating PEC mailboxes for members of Bar Associations, Visura stated that, "following the generation of such mailboxes, InfoCert made available to the company the list of mailboxes together with the authentication credentials, consisting of the username and the first-activation password. [...] the company sent a message to the ordinary email address of each lawyer, communicated by the Bar Associations, with the aforementioned authentication credentials (username and password in clear text) and with the instruction to change them without fail".

As to the change of that password, Visura specified, however, that "the system did not require such a change either at the time of activation of the PEC mailbox or at the first access" (see minutes of 24 May 2019, pp. 3-4, and attachment 6 to the same minutes). Furthermore, Visura stated that, following problems reported by lawyers in receiving those emails, at the request of the Bar Associations, "a specific web application was prepared for the activation of PEC mailboxes, which made the relevant authentication credentials (first-activation username and password) available to their holders upon entry of some verification data", within the institutional portal of the Bar Association or through a specific web application called "PEC Management" (see minutes of 24 May 2019, p. 4).

2.4.1.2. The password policy for the authentication credentials used to access PEC mailboxes: the lack of an obligation to change the password on first use

During the investigation, it was verified that, at the time the personal data breach occurred, and until 3 July 2019 (see attachment 3 to the minutes of 30 July 2019), the first-activation passwords of the PEC mailboxes, automatically generated by the system when the authentication credentials for each user were created, were in most cases made up of eight characters, of which two were static and six dynamic (digits and capital letters only), and that no mechanism required users to change their password on first use. In this regard, InfoCert stated that "starting from 2009, the year in which [...] it began providing the PEC service, the number of active Users is 2,408,885. In this regard, detailed information on password changes is available only from May 2015. That said, as of 3 July 2019, the only certain figure that InfoCert is able to provide is that the number of PEC service users, activated after May 2015, who have never changed their password is 1,032,358" (see note of 6 September 2019, p. 1).

2.4.2. Measures adopted following the personal data breach

2.4.2.1. The temporary suspension of access to the PEC mailboxes involved in the personal data breach and the procedure for resetting the related access password

With regard, in particular, to the security measures adopted following the breach, InfoCert stated that, as a precaution, "it was decided to immediately suspend access to the [112,928] mailboxes potentially involved, while still allowing the receipt of emails in order to avoid disruptions when they were reactivated; the operation was completed at 8:51 pm" on 7 May 2019 (see note of 9 May 2019, p. 1). Visura also stated that "the reset of the compromised passwords was carried out as follows: (i) InfoCert reset the passwords for the PEC mailboxes involved in the breach and communicated them to Visura; (ii) the professional associations provided Visura with a list of the email addresses of the members involved in the breach or, in the absence of such collaboration by the associations, Visura extracted the email addresses of the members involved from the registers; (iii) Visura sent the new password to each data subject via email". The system obliged the data subjects to change the password at the first access via webmail, but "these passwords, even if temporary, still allowed access to the PEC mailbox via other network protocols (e.g. IMAP, POP3, SMTP), without any obligation for the users to change them" (see minutes of 24 May 2019, p. 3).
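As an added example (not InfoCert's or Visura's code), the following Python models a must-change-password flag that is honoured on every access channel. Calling `authenticate` with `enforce_all_channels=False` reproduces the gap Visura describes above, where the temporary password issued after the breach still opened the mailbox over IMAP, POP3 and SMTP; the default honours the flag everywhere, and `change_password` clears it only once a policy-compliant password has been set. The account structure, the policy thresholds and the channel names are assumptions for this illustration.

```python
# Added example (not InfoCert's or Visura's code): a must-change-password flag
# enforced on every access channel. enforce_all_channels=False reproduces the
# gap in which a temporary password kept working over IMAP/POP3/SMTP.
# Account layout, channel names and policy thresholds are assumptions.
import hashlib
import re
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    WEBMAIL = "webmail"
    IMAP = "imap"
    POP3 = "pop3"
    SMTP = "smtp"


@dataclass
class Account:
    username: str
    password_digest: str
    must_change_password: bool = True  # set at activation and at every reset


def digest(password: str) -> str:
    # A plain digest keeps the example focused on the channel gate; a real
    # system stores a salted slow hash (PBKDF2, scrypt, Argon2) instead.
    return hashlib.sha256(password.encode()).hexdigest()


def new_account(username: str, temporary_password: str) -> Account:
    """An account as created by activation or by a post-breach reset."""
    return Account(username, digest(temporary_password))


def authenticate(account: Account, password: str, channel: Channel,
                 enforce_all_channels: bool = True) -> str:
    """Returns 'granted', 'change_required' or 'denied'.

    With enforce_all_channels=False only webmail consults the flag, so a
    temporary password still opens the mailbox over IMAP, POP3 and SMTP.
    """
    if digest(password) != account.password_digest:
        return "denied"
    if account.must_change_password:
        if channel is Channel.WEBMAIL:
            return "change_required"   # webmail redirects to the change form
        if enforce_all_channels:
            return "denied"            # client protocols cannot complete a change
    return "granted"


# The old auto-generated format: eight characters, digits and capitals only.
LEGACY_PATTERN = re.compile(r"^[A-Z0-9]{8}$")


def password_meets_policy(password: str, username: str) -> bool:
    """Assumed user-chosen password rule; rejects anything shaped like the old default."""
    return (
        len(password) >= 12
        and not LEGACY_PATTERN.match(password)
        and username.lower() not in password.lower()
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


def change_password(account: Account, current: str, new: str) -> bool:
    """Completes the forced change; only after this does any channel open."""
    if digest(current) != account.password_digest:
        return False
    if not password_meets_policy(new, account.username) or digest(new) == account.password_digest:
        return False
    account.password_digest = digest(new)
    account.must_change_password = False
    return True
```

The decisive design choice is that the flag is checked by the shared authentication path, not by the webmail front end; a protocol that cannot present a change form simply refuses the login until the change has been completed elsewhere.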
As to the way in which InfoCert communicated to Visura, after performing the reset, the new passwords for access to the PEC mailboxes potentially involved in the breach, Visura stated that "these were transmitted by email within a password-protected zip archive containing, for each PEC mailbox, the tax code of the data subject, the username and the new password" (see minutes of 24 May 2019, p. 3). Visura pointed out that "the new password was sent only for approximately 22,400 data subjects, since for the remaining ones Visura had not been able to recover an email address to which to send the [...] communication [containing the new password]", and that "a specific function was nonetheless available that allowed data subjects to request a so-called 'password forcing' after entering some verification data and a copy of an identity document. These requests were not processed automatically but were handled by a Visura operator using a provisioning system that InfoCert S.p.a. makes available to it" (see minutes of 24 May 2019, pp. 3-4). Furthermore, Visura stated that it had published on some of its websites a notice on the procedure for resetting the password and that it had made available a "certificate of malfunction of the PEC service dated 7 May 2019, issued to lawyers, useful for obtaining relief from procedural time limits" (see minutes of 24 May 2019, p. 2, and attachment 5 to the same minutes).

2.4.2.2. Forensic analysis of the access logs of the PEC mailboxes involved in the personal data breach

With reference to the forensic analysis activities conducted by InfoCert in order to better define the scope of the breach, the company stated that this activity took into consideration "the mailboxes for which accesses by IP addresses 'with low reputation' (TOR network, VPN or proxy) had been found", leading to "the identification of the 63 PEC mailboxes whose Users were sent the communication pursuant to art. 34 of the Regulation" (see minutes of 25 September 2019, p. 3). Subsequently, "following the inspection conducted [...] on 24 and 25 September 2019, InfoCert commissioned the company Yarix to carry out a further verification of the quality of the analysis process and of the results obtained [...]; on 09/10/2019, Yarix provided InfoCert with a final report on the forensic analysis [...], on the basis of which 17 compromised PEC mailboxes emerged in addition to the 63 identified in the forensic analysis report provided to the Guarantor on 06/09/2019" (see note of 11 October 2019, p. 1, and annexes 1 and 2 to the same note).

2.4.2.3. Review of the PEC mailbox activation process through an intermediary

With reference to the process for activating PEC mailboxes through an intermediary, InfoCert declared that, starting from 31 July 2019, a new process is operational which provides that "the intermediary provides InfoCert with the customer's contact email, which is essential for sending activation and reset communications"; "the intermediary carries out the activation procedure, providing all the necessary data and uploading the contract to the InfoCert self-management portal, which is mandatory"; "at the end of the activation procedure, InfoCert automatically sends a communication to the end user's contact email containing a link to the activation page of the Legalmail mailbox on the InfoCert webmail site. The link includes a unique authentication token, usable only once and subject to expiry"; "after receiving the email sent by the InfoCert systems, the user: accesses the activation page; chooses his/her password in compliance with the established policies and enters it on that page; enters security information such as contact email, mobile number and secret question for password recovery; the contact email, once confirmed or modified, cannot be changed by the intermediary's operators" (see attachment 4 to the minutes of 30 July 2019, p. 6).

2.4.2.4. Mandatory password change on first use

With reference to the password policy for the authentication credentials used to access PEC mailboxes, InfoCert declared that, starting from 3 July 2019, for access to the PEC mailbox via webmail, "the end user must set a new password and answer the security questions upon first access to the system" (see attachment 3 to the minutes of 30 July 2019, p. 11), while only later was a mechanism made operational that blocks client access to a PEC mailbox if the first-activation password has not yet been changed. With reference to users of PEC mailboxes who, as of 3 July 2019, had never changed their password, InfoCert stated that it "will shortly launch a targeted and 'multi-channel' information campaign, in order to invite all users of the mailboxes to change their password for security reasons" (see note of 6 September 2019, p. 1). Subsequently, InfoCert stated that, "in relation to the 1,032,358 PEC mailboxes activated after May 2015 and for which, as of 6 September 2019, the User had never changed the password, the Company has defined an action plan that will be implemented in the coming months. In particular, for approximately 750,000 PEC mailboxes that have never been accessed, InfoCert will set the obligation to change the password upon first access.
Instead, for the PEC mailboxes that have been accessed at least once, the Company will initially send notices to their Users inviting them to change the access password and will subsequently set the obligation to change the password, also taking into account that some of these PEC mailboxes could be used by application software of Customers (companies and public administrations)" (see minutes of 24 September 2019, p. 2).

With reference to the PEC mailboxes activated after May 2015 that had never been accessed by the user, InfoCert subsequently stated that "a second, more in-depth analysis of the logs of all access channels (web, smtp, pop3/imap) reduced this number to 459,530 PEC mailboxes, since only the latter had actually never been accessed by the Users. That said, with reference to the progress of the action plan defined by the Company, we represent that on these 459,530 PEC mailboxes, in the period between 3 and 14 October 2019, the operation of immediate forcing of the password expiry was carried out" (see note of 21 February 2020, p. 1). Furthermore, InfoCert declared that "with regard to the remaining part of the 1,032,358 PEC mailboxes activated after May 2015 for which there was no record of a password change, which, excluding the 459,530 never accessed, amount to 572,838, these have been brought within the management process for the PEC mailboxes activated before May 2015 for which there were no recent password changes" (see note of 21 February 2020, p. 2).
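As an added example (not InfoCert's code), the following Python implements the single-use, expiring activation link described in section 2.4.2.3 above: the server stores only a hash of the token, rejects unknown, expired or already-redeemed tokens, and sets the user's own password at redemption instead of shipping a generated one. The token lifetime, the store layout and the minimum password length are assumptions for this illustration.

```python
# Added example (not InfoCert's code): one-time, expiring activation token for
# the reseller activation flow. Only a hash of the token is kept server-side,
# so a leaked token table cannot be replayed. TTL, store layout and the
# password rule are assumptions for this illustration.
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600          # assumed link lifetime
MIN_PASSWORD_LENGTH = 12               # assumed minimum for the user-chosen password


@dataclass
class PendingActivation:
    username: str
    contact_email: str                 # supplied by the intermediary, locked after confirmation
    expires_at: float
    used: bool = False


@dataclass
class ActivationStore:
    pending: Dict[str, PendingActivation] = field(default_factory=dict)  # key: token hash
    passwords: Dict[str, str] = field(default_factory=dict)              # username -> digest


def _token_id(token: str) -> str:
    """Lookup key: the token is never stored in clear."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_activation_token(store: ActivationStore, username: str, contact_email: str,
                           now: Optional[float] = None) -> str:
    """Creates the one-time link secret and returns it for embedding in the e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store.pending[_token_id(token)] = PendingActivation(
        username, contact_email, now + TOKEN_TTL_SECONDS
    )
    return token


def redeem_activation_token(store: ActivationStore, token: str, chosen_password: str,
                            now: Optional[float] = None) -> Optional[str]:
    """Activates the mailbox if the token is known, unexpired and unused.

    Returns the username on success, None otherwise. A rejected password does
    not consume the token, so the user can retry from the same link; in a
    real store the used-flag update would be a single conditional write.
    """
    now = time.time() if now is None else now
    entry = store.pending.get(_token_id(token))
    if entry is None or entry.used or now > entry.expires_at:
        return None
    if len(chosen_password) < MIN_PASSWORD_LENGTH:
        return None
    entry.used = True
    # A real system would use a salted slow hash here; a digest keeps the focus on the token.
    store.passwords[entry.username] = hashlib.sha256(chosen_password.encode()).hexdigest()
    return entry.username
```

Because the secret never leaves the user's e-mail except when redeemed, neither the intermediary's operators nor anyone holding the provider's pending-activation table can activate the mailbox on the user's behalf, which is the property the old "Autogestione" flow lacked.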
With reference to the PEC mailboxes activated after May 2015 that have been accessed at least once, and to the PEC mailboxes activated before May 2015 for which any password changes made before that date were not recorded, InfoCert stated that it “has decided to implement warning actions and subsequent forcing of password expiration for all mailboxes that reflect all the following criteria, verified before each intervention: last recorded password change absent or prior to 12 months; activation prior to 12 months; PEC mailbox NOT accessed via applications. The intervention plan, which has affected a total of 1,601,314 PEC mailboxes to date, includes four phases” (see note of 21 February 2020, p. 2). In particular, InfoCert stated that in the first two phases – carried out on 27-28 November 2019 and 17-19 December 2019, respectively – it sent a “notice to the User, with an invitation to change the password”; in the third phase, completed in February 2020, it sent a “final notice to the User, close to the setting of the password expiration”; while in the fourth and final phase, scheduled to end in the first week of June 2020, it would carry out a “password expiration forcing”, obliging the users of the PEC mailboxes to change their password (see note of 21 February 2020, p. 2, and file no. 149356, note of 24 April 2020, pp. 6-7).

2.4.2.5. Actions taken against intermediaries

Following the violation, InfoCert stated that it had taken action against intermediaries, indicating the minimum security measures to be adopted in the management of passwords and other data, concerning, in particular, “Process Security”, “Personnel Training” and “Workstation Security” (see attachment 3 to the minutes of 30 July 2019, p. 11, and attachment 4 to the same minutes, p. 5), with the introduction, also, of methods for verification of the aforementioned measures by InfoCert.
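The selection rule of the intervention plan described under 2.4.2.4 above (last recorded password change absent or older than 12 months, activation older than 12 months, mailbox not accessed via applications), together with the separate treatment of mailboxes that were never accessed, can be written down as a short script. What follows is an added example, not code from InfoCert or from the decision: the Mailbox fields, the reading of "12 months" as 365 days, the action labels and the sample mailboxes are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: "12 months" is taken as 365 days; the decision does not say how it was computed.
TWELVE_MONTHS = timedelta(days=365)


@dataclass(frozen=True)
class Mailbox:
    address: str
    activated_on: date
    last_password_change: Optional[date]  # None: no change ever recorded
    last_access: Optional[date]           # None: never accessed on any channel (web/smtp/pop3/imap)
    accessed_via_application: bool        # used by customer software, so a forced expiry could break it


def meets_forcing_criteria(mb: Mailbox, as_of: date) -> bool:
    """All three criteria of the plan, evaluated as of the date of the intervention."""
    stale_password = (mb.last_password_change is None
                      or as_of - mb.last_password_change > TWELVE_MONTHS)
    old_enough = as_of - mb.activated_on > TWELVE_MONTHS
    return stale_password and old_enough and not mb.accessed_via_application


def plan_action(mb: Mailbox, as_of: date) -> str:
    """Never-accessed mailboxes still on their activation password get immediate expiry;
    mailboxes accessed at least once go through the notice phases before forcing."""
    if mb.last_access is None and mb.last_password_change is None:
        return "force_expiry_now"
    if meets_forcing_criteria(mb, as_of):
        return "notify_then_force"
    return "no_action"


def build_plan(mailboxes: List[Mailbox], as_of: date) -> Dict[str, List[str]]:
    """Group mailbox addresses by the action the plan assigns them."""
    plan: Dict[str, List[str]] = {"force_expiry_now": [], "notify_then_force": [], "no_action": []}
    for mb in mailboxes:
        plan[plan_action(mb, as_of)].append(mb.address)
    return plan


# Constructed sample (addresses and dates invented for this example).
SAMPLE = [
    Mailbox("never-used@example.pec", date(2016, 3, 1), None, None, False),
    Mailbox("stale@example.pec", date(2017, 1, 10), None, date(2019, 6, 1), False),
    Mailbox("automated@example.pec", date(2017, 1, 10), None, date(2019, 6, 1), True),
    Mailbox("recent@example.pec", date(2019, 9, 1), None, date(2019, 9, 2), False),
    Mailbox("rotated@example.pec", date(2016, 1, 1), date(2019, 5, 1), date(2019, 10, 1), False),
    Mailbox("old-change@example.pec", date(2016, 1, 1), date(2018, 6, 1), date(2019, 10, 1), False),
]
AS_OF = date(2019, 11, 27)  # date of the first notice phase in the decision


def sample_plan() -> Dict[str, List[str]]:
    return build_plan(SAMPLE, AS_OF)


if __name__ == "__main__":
    for action, addresses in sample_plan().items():
        print(f"{action}: {addresses}")
```

The "accessed via applications" exclusion is the point a practitioner should not skip: forcing expiry on a mailbox polled by a customer's software breaks the integration silently, which is why those mailboxes are held back for notices rather than forced.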
Furthermore, InfoCert stated that it had defined “a specific audit rule for the control of Certified Electronic Mail Service Intermediaries that integrates the company procedure for planning and managing first, second and third party audits” (attachment 3 to the minutes of 30 July 2019, p. 8).

2.4.3. Other security measures adopted within the PEC service

2.4.3.1. Storage of the certified log and methods of access to it by authorized parties

The Company, as required by the technical rules of the PEC service, stores in a register (so-called certified log) the data relating to the operations carried out during the processing phases of the PEC messages at the access, reception and delivery points. In this regard, the Company has declared that "the certified log flows, on a daily basis, into the standard storage system, also used to provide the storage service offered to the generality of InfoCert customers, a body accredited with Agid" (see minutes of 31 July 2019, p. 4); InfoCert operators authorized to do so process requests for the display of the certified log both through the web application called “LegalDoc”, accessible from a public network, and by using a specific batch procedure that automatically extracts the requested data from the certified log files present in the compliant storage system (see minutes of 31 July 2019, pp. 4-5). During the inspection, it emerged that, although authorized operators could access the bucket containing the certified log with their own nominal user name, "access to the aforementioned web application was carried out using non-nominal authentication credentials (application user name) that are used by the InfoCert Legalmail team consisting of 8 people" (see minutes of 31 July 2019, pp. 4-5, and annexes 13, 14 and 15 to the same minutes).
From the examination of the access logs and operations carried out on the bucket containing the certified log, it was also found that the majority of the search operations carried out in the period from 1 February to 31 July 2019 were carried out with the aforementioned non-nominal user name XX shared between several InfoCert operators (see annex 7 to the note of 6 September 2019). In this regard, InfoCert stated that the company "has undertaken some enforcement initiatives in relation to access to the bucket that contains the certified log. In particular, as of August 6, 2019, the Company had proceeded to inhibit, for application users only (not nominal), the exhibition functionality and to limit access to the bucket containing the certified log to only four nominal users”. Furthermore, “it has planned another application modification of the conservation service, which will be operational by October 2019 and which will allow the inhibition of exhibition operations for connections from the public network to be set for each bucket” (see minutes of September 24, 2019, p. 2). Subsequently, InfoCert declared that, starting from October 8, 2019, “access from the public network to the conservation bucket relating to the certified logs of the InfoCert PEC service” was inhibited (see note of February 21, 2020, pp. 3-4). InfoCert also stated that “the Company did not change the passwords of the application users for accessing the certified log bucket, which were also used by the InfoCert Legalmail team” (see minutes of 24 September 2019, p. 2). On this point, in the document provided by InfoCert during the inspection activities, called “Legaldoc Product - IT/Password Policy”, dated 1 July 2019 relating to the users authorised to access the compliant storage service, it is clear that “the periodic expiration of the password is not implemented” (see attachment 1 to the minutes of 1 August 2019). 
Following the checks carried out on the documentation and information acquired during the investigation, it was found that the InfoCert certified log is made up of several fields, including the sender, the subject and the recipients of the PEC message. It has also been verified that the subject of a PEC message, present in the certified log, may contain personal data of various types (referring or referable to the sender, the recipient or third parties), including data belonging to special categories or data relating to criminal convictions and offences (articles 9, paragraph 1, and 10 of the Regulation).

2.4.3.2. Tracking of accesses and operations carried out by authorised persons

InfoCert has provided a copy of the logs tracking accesses and operations carried out on the operating systems, databases and the “Self-management” application, as well as those relating to accesses and operations carried out, through the nominal and application users of InfoCert, in the period from 1 February to 31 July 2019, on the bucket containing the certified log (see attachment 7 of the note of 6 September 2019). With reference to the logs tracking accesses and operations performed on the PEC service backend system on 31 July 2019, it was found that the logs provided by InfoCert (see attachment 6 of the note of 6 September 2019) appear to be a mere list of the commands executed, without further information (such as the timestamp and the user who executed the command), and do not include the operations of copying files containing messages present in the PEC mailboxes. In this regard, InfoCert stated that "the system does not track file copy operations and that the system used for system administrators' system access does not record information other than that provided. Furthermore, the log trace does not contain a session identifier that allows correlation between the operation logs and the access logs.
Some interventions are underway to achieve an integration between the two logs" (see minutes of 24 September 2019, p. 4). With reference to the logs relating to accesses and operations carried out on the bucket containing the certified log (generated by the “LegalDoc” compliant storage system), it was found that they (see attachment 7 of the note of 6 September 2019) are composed of the following fields: the user identifier (username), the bucket identifier, the type of operation carried out, the date and number of operations carried out. In this regard, InfoCert subsequently stated that “additional logs are available in addition to those already provided with the note of 6 September 2019 which contain the timestamp of the operations carried out and the accesses to the storage service and provided a copy of these logs” (see minutes of 24 September 2019, pp. 4-5, and attachment 6 to the same minutes). From the examination of the aforementioned logs relating to accesses and operations carried out on the bucket containing the certified log, it emerged that they do not allow the identification of the device from which the operation was carried out (for example, via the IP address of the client used), nor the outcome of the operation, nor the work session in which various operations were carried out (for example, via a session identifier).

2.5. The data protection impact assessment

During the inspection activity, InfoCert initially provided the data protection impact assessment, updated to 30 May 2018, relating to the processing carried out for the provision of the PEC service (see minutes of 1 August 2019, p.
3, and attachment 5 to the same minutes), subsequently transmitting a new version of the data protection impact assessment relating to the processing carried out for the provision of the PEC service (see attachment to the note of 23 September 2019); in this regard, InfoCert stated that "on the basis of the algorithm used to identify the processing operations to be subjected to an impact assessment - the DPIA was conducted solely on the processing operations relating to the PEC service [...] (relating to personal data registration and contractual data, management of deadlines-LEGALMAIL, management of decommissioning/termination/withdrawal/cancellation/rescission, recall), which use, respectively, the applications St Legalmail-enterprise, St TOP, St Provisioning", representing that "an impact assessment was not conducted on the PEC mailbox management service and the processing of personal data contained therein [...]" (see minutes of 24 September 2019, p. 5). With reference to the failure to carry out the impact assessment for the processing relating to the "message transmission and management of the transmission service", the "storage of certified logs" and the "activation of copying messages to a clone folder", also determined by the failure to identify in the data processing register of special categories (art. 9 of the Regulation) and judicial data (art. 
10 of the Regulation) within the PEC service, which instead are present in the certified log due to the use of the PEC service in different contexts by numerous types of subjects (lawyers, doctors, courts, accountants, public administrations, health companies, etc.), InfoCert declared that "these categories of data were not indicated as the Company considered that the PEC service is generic since it is limited to ensuring the transport, with a guarantee of delivery and integrity of the messages, without entering into the merits of the related content, and to generating and storing the certified log" (see minutes of 24 September 2019, p. 5).

3. The initiation of the procedure for the adoption of corrective measures XX, pursuant to art. 166, paragraph 5, of the Code

With a note dated 6 September 2021, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged during the investigation, notified InfoCert, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, both in relation to the management of the personal data breach that occurred and, more generally, to the processing carried out by the Company for the management of the PEC service, noting the following violations, for having acted:

a) in the absence of a written agreement suitable to regulate the relationships relating to data protection with Visura and the other 55 intermediaries and large intermediaries that the Company uses for the resale of the PEC service, which carry out the related processing of personal data on behalf of InfoCert as data processors, in violation of art. 28 of the Regulation (see par. 2.1 of this provision);

b) without reporting in the register of processing activities all the necessary information relating to the processing of personal data carried out in the management of the PEC service, in violation of art. 30 of the Regulation (see par. 2.2 of this provision);

c) without adequately documenting the personal data breaches that occurred, in violation of art. 33, par. 5, of the Regulation (see par. 2.3.1 of this provision);

d) without promptly providing the interested parties involved with adequate information on the personal data breach that occurred, in violation of the principle of "lawfulness, fairness and transparency" pursuant to art. 5, par. 1, letter a), and of arts. 12 and 34 of the Regulation (see par. 2.3.2 of this provision);

e) without implementing technical and organizational measures suitable for guaranteeing a level of security appropriate to the risk (see par. 2.4 of this provision), the Company having:
i. adopted processes for activating PEC mailboxes and resetting passwords for accessing them via an intermediary, and having had Visura adopt a procedure for identifying users for the purpose of issuing authentication credentials (first activation username and password) for PEC mailboxes in favor of members of affiliated professional associations, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation;
ii. failed to adopt adequate password enforcement mechanisms, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation;
iii. with reference to conduct carried out by Visura, as data processor: failed to use encryption tools for data transport in the context of the functions relating to the delivery of authentication credentials and password reset for members of professional associations affiliated with Visura, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation; used obsolete base software, installed on the processing systems used by Visura, for which security updates are no longer available, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation; failed to define internal quality control policies for passwords used for technical users, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation; failed to adopt adequate measures to protect application security, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation; failed to use cryptographic techniques to store user passwords and thus stored, in a form that allowed the identification of the interested parties, the authentication credentials for access to the PEC mailboxes used by members of professional associations (first activation username and password) even after the activation of the PEC mailbox, regardless of whether or not the user of the PEC mailbox had changed the password, in violation of the principles of "storage limitation" and "integrity and confidentiality" pursuant to art. 5, par. 1, letters e) and f), and art. 32 of the Regulation;
iv. failed to adopt adequate security measures in the password reset procedures and in the subsequent delivery of the new passwords to users, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation;
v. failed to adopt appropriate measures to detect unauthorized access to the PEC mailboxes whose authentication credentials were involved in the breach, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation;
vi. failed to monitor the work of intermediaries, acting as data processors, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation;
vii. adopted inadequate methods of access to the certified log of the InfoCert PEC service, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation;
viii. adopted inadequate methods of tracking accesses and operations performed on the backend systems of the PEC service by the persons authorised to process data, in violation of the principle of "integrity and confidentiality" pursuant to art. 5, par. 1, letter f), and art. 32 of the Regulation;

f) without conducting an adequate data protection impact assessment, in violation of art. 35 of the Regulation (see par. 2.5 of this provision);

g) without respecting the principles of "data protection by design" and "data protection by default", in violation of art. 25, par. 1 and 2, of the Regulation;

h) without adopting adequate technical and organizational measures to ensure, and be able to demonstrate, that the processing carried out in the context of the management of the PEC service had taken place in compliance with the Regulation, in violation of the "accountability" principle referred to in Articles 5, paragraph 2, and 24 of the Regulation.

With the same note, the aforementioned data controller was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).
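Items vii and viii of the contested violations, read with the findings in paragraphs 2.4.3.1 and 2.4.3.2 above, describe what the certified-log audit trail lacked: a per-operation timestamp, the client address, the outcome, a session identifier tying operation logs to access logs, and nominal rather than shared accounts for interactive display. The script below is an added example (not code from InfoCert, from the LegalDoc product or from the decision) showing a record layout that carries those fields, a join of operation logs to access logs by session, and a review that flags the conditions the inspection objected to. The field names, the application account name "legalmail-app", the internal network range and all log records are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Fields an audit record on the certified-log bucket should carry. The names are
# this example's assumption; the decision only lists what was absent (timestamp,
# client device/IP, outcome, session identifier).
REQUIRED_FIELDS = {"timestamp", "user", "session_id", "client_ip",
                   "bucket", "operation", "outcome"}

# Shared application accounts: acceptable for the batch extraction procedure,
# never for interactive "exhibition" of the log. Name constructed for the example.
APPLICATION_USERS = {"legalmail-app"}

# Networks from which the storage service may legitimately be reached once access
# from the public network is inhibited. Assumed range.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records (not InfoCert data). LEGACY_RECORD mirrors the field
# set the inspection found: user, bucket, operation type, date and count only.
LEGACY_RECORD = {"user": "XX", "bucket": "pec-certified-log",
                 "operation": "search", "date": "2019-07-31", "count": 12}

ACCESS_LOG = [  # one record per authenticated session on the storage service
    {"timestamp": "2019-07-31T09:02:11", "session_id": "s1",
     "user": "m.rossi", "client_ip": "10.20.0.15"},
    {"timestamp": "2019-07-31T09:15:40", "session_id": "s2",
     "user": "legalmail-app", "client_ip": "203.0.113.45"},
]

OPERATION_LOG = [  # one record per operation, carrying the session it ran in
    {"timestamp": "2019-07-31T09:03:05", "session_id": "s1",
     "bucket": "pec-certified-log", "operation": "search", "outcome": "ok"},
    {"timestamp": "2019-07-31T09:16:02", "session_id": "s2",
     "bucket": "pec-certified-log", "operation": "exhibition", "outcome": "ok"},
    {"timestamp": "2019-07-31T09:20:00", "session_id": "s9",
     "bucket": "pec-certified-log", "operation": "search", "outcome": "ok"},
]


def missing_fields(record: Dict) -> List[str]:
    """Required audit fields the record does not carry, sorted for stable output."""
    return sorted(REQUIRED_FIELDS - set(record))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def correlate(access_log: List[Dict], operation_log: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Join each operation to the login session that performed it via session_id.
    Operations whose session never appears in the access log come back as orphans."""
    sessions = {a["session_id"]: a for a in access_log}
    attributed, orphans = [], []
    for op in operation_log:
        sess = sessions.get(op["session_id"])
        if sess is None:
            orphans.append(op)
            continue
        attributed.append({**op, "user": sess["user"], "client_ip": sess["client_ip"]})
    return attributed, orphans


def review(access_log: List[Dict], operation_log: List[Dict]) -> List[Tuple[str, str]]:
    """Flag what the inspection objected to: exhibition through a shared account,
    operations reaching the bucket from outside the internal network, and
    operations that cannot be tied to any session."""
    flags: List[Tuple[str, str]] = []
    attributed, orphans = correlate(access_log, operation_log)
    for op in attributed:
        if op["operation"] == "exhibition" and op["user"] in APPLICATION_USERS:
            flags.append((op["session_id"], "exhibition by non-nominal account"))
        if not is_internal(op["client_ip"]):
            flags.append((op["session_id"], "access from public network"))
    for op in orphans:
        flags.append((op["session_id"], "operation not attributable to a session"))
    return flags


if __name__ == "__main__":
    print("legacy record lacks:", missing_fields(LEGACY_RECORD))
    for session_id, reason in review(ACCESS_LOG, OPERATION_LOG):
        print(f"{session_id}: {reason}")
```

The join in correlate is the practical reason the session identifier matters: a legacy record such as "user XX, search, 2019-07-31, count 12" can never be attributed to a person or a source address, whereas an operation carrying a session id is either tied to one login or stands out as an orphan that deserves investigation.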
Pursuant to Article 83, paragraph 2, letter f) of the Regulation, the aforementioned data controller was also invited to disclose the initiatives undertaken or intended to be undertaken by the Company to bring the ongoing processing operations relating to the management of the PEC service into line with the regulations on the protection of personal data, with particular reference to: the review of the register of processing activities, ensuring that it contains all the information required by art. 30, par. 1, of the Regulation; the regulation of relationships with data processors, in accordance with art. 28 of the Regulation; an adequate data protection impact assessment, in accordance with art. 35 of the Regulation; the change of the password of the non-nominal user XX and the adoption of adequate measures to ensure that it is not shared between multiple parties, in accordance with art. 32 of the Regulation. With a note dated 5 November 2021, the Company submitted its defence briefs pursuant to art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law No. 689 of 24 November 1981, without requesting to be heard.

4. Outcome of the investigation

Preliminarily, given what was raised by the Company in its defense briefs with reference to the alleged lateness of the communication referred to in Article 166, paragraph 5, of the Code (see the aforementioned note of 6 September 2021) with respect to the deadline set by the Regulation of the Guarantor No. 2/2019, it is necessary to make some clarifications regarding the procedural deadlines applicable to the notification of the alleged violations committed by the Company, as set out in the Regulation of the Guarantor No. 2/2019. Given that the administrative procedure in question is not subject to the 90-day deadline set out in Law No. 689 of 24 November 1981, but to the 120-day deadline specifically identified, pursuant to Article 154, paragraph 3 and art.
166, paragraph 9 of the Code, with the aforementioned Regulation of the Guarantor no. 2/2019, it is highlighted that said term runs "from the ascertainment of the violation" (see Table B, part 2) of the Regulation of the Guarantor no. 2/2019) and that the date of the ascertainment is to be identified when both the collection of the investigative elements and the evaluation of the same by the proceeding administration have been completed (see, in this sense, Cass. of 8 August 2005, no. 16642; see, also, Cass. Section II civ. of 28 November 2012, no. 21114 and Cass. Section II civ. of 22 April 2016, no. 8204). In this regard, as regards in particular the activity of the independent administrative authorities, it is worth noting that the Supreme Court, in line with consolidated case law, has established that "the activity of ascertaining the offence, in relation to which to place the dies a quo of the term for the notification of the details of the violation, cannot coincide with the moment in which the fact is acquired in its materiality, but must be understood as including the time necessary for the evaluation of the data acquired and relating to the elements (objective and subjective) of the infringement and, therefore, of the final phase of deliberation related to the complexity, in the specific case, of the investigations aimed at finding the existence of the infringement itself and acquiring full knowledge of the illicit conduct, so as to evaluate its consistency for the purposes of the correct formulation of the charge (see Cass. no. 13050/2014; Cass. no. 1043/2015 and Cass. no. 770/2017)” (see Cass. Civ. Sez. II, no. 31635/2018). 
Similarly, with specific reference to the administrative offences referred to in the legislation on the protection of personal data, the Supreme Court has recently reiterated that “since the position of this Court is consolidated according to which, in the matter of administrative offences referred to in the privacy code, the dies a quo for the calculation of the ninety-day term for the notification of the report starts from the ascertainment of the violation, which does not coincide with the generic and approximate perception of the fact and with the acquisition of the documentation relating to it, but requires the processing of the data thus obtained in order to identify the constituent elements of any violations (thus, ex multis, Cass. 14678/2018)” (Cass. civ., sez. 2, no. 18288/2020). Although this case law refers to the 90-day deadline provided for by art. 14 of law 689/1981, it cannot be denied that the principles identified therein also apply in relation to art. 166, paragraph 5, of the Code, since this last provision, following the amendments made by Legislative Decree 101/2018, contains the new discipline relating to the procedures for the adoption of corrective and sanctioning measures, previously defined exclusively through the reference made by the Code itself to the aforementioned law 689/1981. It follows, in any case, that, in principle, the more complex the case subject to the administrative procedure, the more time is required for the processing and evaluation of the acquired investigative elements. On this point, it should also be noted that, as noted by the case law of the Supreme Court, in the event of multiple violations connected to each other, "the appropriateness of the overall time spent" by the proceeding administration for the purposes of ascertaining the aforementioned violations is to be understood as strictly connected "to the complexity of the investigation activity" carried out by the same (see Cass. Sez. I civ. of 4 April 2018, no. 
8326). It should also be noted that the aforementioned 120-day term "is suspended from 1 to 31 August of each year and resumes running from the end of the suspension period" (see art. 6, paragraph 1 of the Guarantor Regulation no. 2/2019). In light of the above clarifications regarding the procedural terms applicable to the case in question, as provided for by the legislation in force, it must be considered that the notification of the alleged violations committed by the Company, carried out by the Office with a note dated 6 September 2021, was not untimely, especially if one considers, on the one hand, the emergency context due to the spread of Covid-19 within which the investigation and inspection activity in question was conducted and, on the other, the high degree of complexity of the case at issue in this administrative proceeding, which also appears to be evidenced by the Company's own actions, both in reference to the ascertainment of the extent of the personal data breach and to the fulfillment of the obligation to communicate the personal data breach to the interested parties pursuant to art. 34 of the Regulation, which occurred through the sending of a plurality of communications. This is also taking into account that the case at issue in this administrative proceeding involves, in addition to InfoCert, also Visura and dozens of other intermediaries against whom separate investigations have been initiated, and that the elements acquired in the context of these investigations (such as, for example, the regulation of existing relationships pursuant to art. 28 of the Regulation) were also essential for the purposes of defining the investigation framework referred to in this proceeding, all the aforementioned intermediaries operating as data processors with respect to InfoCert, as data controller and nodal point of the entire organizational network that the Company itself uses for the resale of the PEC service.
Finally, as regards the applicability to the case in question of art. 22, paragraph 13, of Legislative Decree 101/2018 (which amended the Code in order to adapt it to the new European regulatory framework introduced with the Regulation), according to which, for the first eight months from the date of entry into force of Legislative Decree 101/2018, the Authority was required to take into account, for the purposes of applying administrative sanctions and if compatible with the Regulation, "the phase of first application of the sanctioning provisions", it should be noted that, in its defense briefs, InfoCert represented, in particular, that "the main purpose of the aforementioned intervention by the legislator was to provide an express indication to the Authority regarding the need to take into account, in relation to violations of the regulations on the protection of personal data and for the purposes of applying administrative sanctions, the intense effort made by the entities that process personal data in order to adopt the appropriate actions required to adapt their structure and their processing to the new elements introduced by the Regulation in light of the significant increase in the Authority's sanctioning powers", deducing that, "also for the purposes of these sanctioning proceedings, [... the] Authority [... must take] into due consideration the circumstance that the violations contested to InfoCert fall within the time period immediately following the start of the binding nature of the discipline on the protection of personal data as redesigned in its architecture by the Regulation and by the national legislation aimed at adapting the internal legislation to the provisions of the Regulation itself" (see note of 5 November 2021, esp. pp. 38-39). 
In this regard, it should be noted that, as also stated by InfoCert itself, this provision refers to violations of the discipline on the protection of personal data that occurred in the time frame included within eight months from the date of entry into force of the aforementioned decree. This applies, however, only to violations that have exhausted their effects within the aforementioned period, not also to those violations of a continuous nature whose effects have continued even subsequently. In fact, as also recognized in case law, in the permanent offence the contra ius conduct, in addition to producing the event, continuously fuels it for the entire time in which it lasts, with the consequence that the unlawfulness ceases only with the cessation of the agent's conduct. In the case in question, the violations contested to InfoCert concern conducts that have produced effects beyond the aforementioned date of 19 May 2019, relating not only to the violation in question, but more generally, to the processing carried out in the context of the management of the PEC service, as represented in this provision, only partly relating to obligations introduced by the new European regulatory framework.

4.1. Relationships between the data controller and the data processor: the failure to regulate relationships with intermediaries

In light of what emerged from the investigative activity, it is established that, until 19 June 2019, in violation of art. 28 of the Regulation, the processing carried out by Visura on behalf of the Company in the context of the PEC service was not adequately regulated by a contract or other legal act stipulated in written form and having all the requirements analytically identified by this provision (esp. par. 3 and 9).
In fact, only on 20 June 2019, the Company regulated the relationships with Visura in relation to the processing carried out by the same, which "concern the personal data of the interested parties, customers of Visura, who intend to purchase, on their own behalf or in favour of third parties, one or more of the InfoCert Services resold and marketed" (see annex 6 to the note of 25 June 2019). In this respect, the Authority then started separate investigations to verify the processing of personal data carried out in this context by the additional 55 intermediaries used by the Company for the resale of the PEC service, without having stipulated a contract or other adequate legal act pursuant to art. 28 of the Regulation. With reference to the issue of the lack of regulation of relationships with intermediaries, in its defense briefs, the Company stated that, “even in the absence of formalization of the appointments of intermediaries as data processors, it expected its resellers to carry out the aforementioned processing operations through a web application called “Self-management”, the methods of use of which were analytically regulated in the relevant user manual for the management of processes relating to the activation and management of Legalmail mailboxes”; in this sense, “in the absence of a specific act of appointment, the contract with the intermediary and the specific methods of carrying out the activities, as described in the user manual [mentioned above], represented the legal act responsible for regulating the contractual roles and, in fact, defined the framework within which the intermediary's activity, also with reference to data processing, was, in concrete terms, actually carried out” (see note of 5 November 2021, pp. 8-9); starting from June 2019, InfoCert then updated and formally adopted a new contract model pursuant to art.
28 of the Regulation, which, in particular, “includes the appointment of the intermediary as data processor pursuant to Article 28 of the Regulation, as well as the indications regarding the security measures that the intermediary is required to respect when using the platform”, subsequently arriving at the signing of such contract with all the intermediaries with whom a contractual relationship was still in place, with the specification that, with some of them, the relationship had in the meantime ceased, and that, during the investigation, two companies had been erroneously classified by InfoCert as intermediaries, although they had not actually carried out activities of resale of the PEC service, without therefore processing personal data on behalf of the same (see note cit., pp. 9-10; see in this sense also p. 34). In fact, the circumstance that the Company had made available to intermediaries acting as data processors a manual on the management of processes relating to the activation and management of certified email boxes cannot be considered sufficient, as claimed by the Company. In this regard, it should be noted that fulfilling the obligation set forth in art. 28, par. 3, of the Regulation requires the identification in a contract (or in another equally binding legal act) of all the requirements set forth in the aforementioned provision, since only this can ensure adequate regulation of the relationship between the data controller and the data processor and, consequently, the satisfaction of all the related substantial guarantees (see recital no. 81 of the Regulation; see also the “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”, adopted by the European Data Protection Board on 7 July 2021, esp. point 102).
In the case in question, the aforementioned manual was intended to provide a guide to the application used by intermediaries, but said nothing, in particular, about the role they assumed in relation to the processing of personal data carried out by intermediaries in the resale of PEC mailboxes on behalf of the Company, the related confidentiality commitments, the security measures to be adopted by intermediaries, the engagement of any further processors, the exercise of rights by interested parties, the obligations in the event of personal data breaches, or the actions to be taken on termination of the services relating to the processing (see art. 28, par. 3, of the Regulation). Following the separate investigations initiated against the intermediaries, although in some cases (also highlighted by the Company) the elements of a violation of art. 28 of the Regulation were not found (due to the role actually played by these entities in the resale of the PEC service), in most of them there appears to have been a violation of this provision by the Company in its capacity as data controller, which continued, in reference to each of the intermediaries operating as data processor, until the date of the actual signing of the new model agreement adopted by the Company.

4.2. The register of processing activities: the incompleteness and inadequacy of the information reported therein

Pursuant to art. 30 of the Regulation, the data controller must keep, in written form, including in electronic format, a register of the processing activities carried out under its responsibility, which must contain all the information indicated in paragraph 1 of the same art. 30.
With regard to the issue of the incompleteness of the information in the register of processing activities illustrated in paragraph 2.2, the Company stated in its defense briefs that "the initial failure to include in the register of processing activities the processing activity relating to the "Activation of the PEC Service function for copying messages to clone mailboxes managed on external environments and software" should in no way be attributed to a voluntary omission by InfoCert, but rather to the circumstance that this processing activity, despite the efforts made by the undersigned company, had accidentally not been identified [...] due to the complexity and number of processing operations being mapped" (see note of 5 November 2021, p. 11); furthermore, in the opinion of the Company, "it is not correct to state that the register of processing activities lacked the indication of the data processors", even though this coincides with the mere "[...] generic indication of the existence or otherwise of external data processors, for each given processing activity"; moreover, "InfoCert maintained in parallel a list of the subjects appointed as data processors and of the appointments received, in which [, however,] the resellers of the PEC mailboxes were not present because they had not yet been appointed, as declared to the same Authority" (see note cit., pp. 11-12). InfoCert has, in any case, acknowledged that it has "provided for the integration of its register of processing activities with the information reported as missing following the inspection activities", also highlighting that it has undertaken new initiatives in order to manage the obligations in terms of the processing of personal data (see note cit., p. 12; see in this sense also p. 33).
In this regard, it should be noted, first of all, that the adequate maintenance of a register, with the main information relating to the processing operations carried out, is functional to the principle of "accountability" of the controller (art. 5, par. 2, of the Regulation). In fact, a precise compilation of the information relating to the data processors and the correct qualification of the personal data in relation to the processing activities relating to the "Transmission of messages and management of the transmission service" and the "Conservation of certified logs" could have contributed to the correct application of articles 28 and 35 of the Regulation by the Company in relation to what is highlighted in paragraphs 2.1 and 2.5. It is therefore established that, in light of the preliminary evidence, in the version of the register of processing activities relating to the management of the PEC service made available by the Company on 29 July 2019, no information was indicated on the processing activity relating to the "Activation of the PEC Service function for copying messages to clone mailboxes managed on external environments and software", and the information was incomplete with reference to the processing activities related to the "Transmission of messages and management of the transmission service" and the "Conservation of certified logs", as well as with reference to the data processors that the Company uses for various processing activities, with regard to which it is specified that the mere and generic indication of the existence or otherwise of data processors cannot be considered sufficient, since art. 30, par. 1, letter d), of the Regulation refers more precisely to the "categories of recipients to whom the personal data have been or will be communicated, including recipients in third countries or international organizations", in violation of art. 30 of the Regulation.
These indications were adequately satisfied only in the version of the extract of the Register transmitted by the Company with the note of 5 November 2021.

4.3. Security of processing

From the examination of the elements found during the investigation, it is established that InfoCert, as data controller, did not implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk in the management of the PEC service, in violation of the principle of "integrity and confidentiality" (art. 5, par. 1, letter f), of the Regulation) and of the obligations regarding security of processing (art. 32 of the Regulation), in relation to the profiles indicated in the following paragraphs. In particular, the processing carried out in the context in question requires the adoption of the highest security standards in each individual phase of its management in order not to compromise the overall security of the PEC service, given the importance that this service has in communications between companies, private individuals and the public administration, the reliability that must be guaranteed in its provision, and the consequences for natural persons in the event of unavailability of the service or violation of the integrity and confidentiality of the data being processed. In this regard, it is also noted that, with regard to the critical issues relating to the processing carried out by Visura and other intermediaries on behalf of the Company, the data controller remains responsible for implementing appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in compliance with the Regulation (Articles 5, paragraph 2, and 24 of the Regulation), including through procedures to regularly test, verify and evaluate the effectiveness of the technical and organizational measures adopted.
In this regard, the Company, in its defense briefs (note dated 5 November 2021), stated that "following the cyber attack in question, InfoCert worked in an organic and integrated manner in order to raise the overall level of security and protection of all its services, with particular emphasis on the PEC service" (p. 18) and that "the investigation initiated by the Authority made it possible to become aware of certain circumstances that were not known to InfoCert. The same have certainly revealed the need to improve processes and security measures" (p. 21).

4.3.1. The unsuitability of the process of managing PEC mailboxes through an intermediary

From the elements acquired in the complex investigation activity, it was found that, until 31 July 2019, the process of activating a PEC mailbox through an intermediary provided that, in the period from the conclusion of the procedure for creating a PEC mailbox to its actual activation by the user, an intermediary could view in clear text, within the "Self-management" application, the authentication credentials (username and password for first activation) of the PEC mailbox generated by the system. In particular, it emerged that, following the procedure for creating a PEC mailbox, the delivery of the aforementioned authentication credentials to the user of the PEC mailbox, and the definition of the related methods (e.g. via email or a specific web application), were delegated to the intermediary, who therefore became aware of the first activation password; similarly, until 31 July 2019, through the aforementioned "Self-management" application, an intermediary could reset the access password of a PEC mailbox, and the new password could be viewed in clear text by the intermediary until it was changed by the user (see attachment 3 of 30 July 2019, and attachment 10 to the minutes of 31 July 2019).
Only at a later time, starting from 31 July 2019, did InfoCert implement a new process for activating PEC mailboxes through an intermediary, aimed at reducing the risk that the latter, both during the activation phase of the PEC mailbox and in the subsequent phase of any resetting of the authentication credentials, could learn the passwords for accessing the PEC mailboxes or proceed to archive them.

During the investigation, it was also found that, up until the time the personal data breach in question occurred, the release of authentication credentials (first activation username and password) of PEC mailboxes to members of professional associations affiliated with Visura was carried out with an unsuitable identification procedure, since for this purpose [...]. In particular, it emerged that the "Activation parameters request" function, through which a member obtained the release of the authentication credentials of his/her PEC mailbox, was accessible without passing through a computer authentication procedure, simply by providing some personal data relating to him/her. In particular, in addition to the name, surname and tax code of the member, further confirmation data was requested in order to ascertain the identity of the owner of the PEC mailbox; this data was not, however, suitable to ensure that such authentication credentials were made available exclusively to the owner of the PEC mailbox. In fact, with reference to lawyers and trainees, it should be noted that the registration date is information available to anyone, as it is published in the register of lawyers or in the register of trainees (see art. 2, paragraph 1, letter d), and art. 4, paragraph 1, letter d), of Ministerial Decree 16 August 2016, no. 178), while the membership card number and the registration number are information which, even if not published in the aforementioned registers, cannot be considered valid verification elements as they may be available not only to the member but also to other individuals (e.g. the membership card number and the registration number are known to the staff working in the offices of the Order, while the registration number, sometimes present in the lawyer's stamp, may be known to his/her clients). With regard to agricultural experts or graduate agricultural experts, moreover, it should be noted that the registration number is information available to anyone, as it is published in the professional register (see art. 30 of Law 28 March 1968, no. 434, as amended by paragraph 1 of art. 53 of Legislative Decree 26 March 2010, no. 59). The authentication credentials made available with the aforementioned method, although intended exclusively for activating the PEC mailbox, could also be used to access it if the member had not changed them. It should also be noted that InfoCert made the password change upon first use mandatory only for PEC mailboxes activated after 3 July 2019.

For these reasons, the processes for activating PEC mailboxes and resetting the passwords for access to them via an intermediary with the aforementioned methods, as well as the user identification procedure adopted by Visura for the purpose of issuing authentication credentials (username and password for first activation) of PEC mailboxes to members of affiliated professional associations, do not comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, letter b), and par. 2, of the Regulation, as reported above.
The Company, in the aforementioned defense briefs, with regard to the objection concerning the unsuitability of the process for managing PEC mailboxes through an intermediary, stated that "as of July 31, 2019, InfoCert has implemented a new process for activating PEC mailboxes through an intermediary. This process is suitable for eradicating by default the risk that the intermediary, both at the time of activation of the PEC mailbox and subsequently in the event of any reset of the authorization credentials, may become aware of the passwords for accessing the PEC mailboxes or may in any way proceed to archiving such passwords" (note of November 5, 2021, pp. 18 and 19), thus adopting adequate corrective measures.

4.3.2. The unsuitability of the password policy relating to authentication credentials for access to PEC mailboxes: the lack of mandatory password change

In light of what emerged overall in the context of the investigation, it was also noted that, until 3 July 2019, no mechanisms were implemented that required users of PEC mailboxes to change their password upon first use after activation of the mailbox or after its reset by an intermediary. Initially, in fact, the obligation to change the password was introduced only for access to the mailbox via webmail, and only subsequently was a mechanism made operational that inhibits client access (e.g. IMAPS, POP3S, SMTPS) to a PEC mailbox until the password has been changed (see par. 2.5.2.5). The absence of the aforementioned password enforcement mechanisms, which, until the adoption of some corrective measures (see par. 2.5.2.5), represented a risk for at least one million PEC mailboxes, does not comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, letter b), and par. 2, of the Regulation already mentioned above.
With reference to the lack of mandatory password changes, the Company communicated in its defense briefs that it had introduced adequate corrective measures, stating that "first of all, starting from 3 July 2019, InfoCert imposed a password change for all users who accessed the service by answering security questions when first accessing the system. Starting from the following day (4 July 2019), InfoCert also took appropriate actions to ensure that all passwords relating to access to PEC services - both those automatically generated by the "Self-management" system and those set by users and accepted by the system when changing their password on the InfoCert website - comply with the same robustness policies envisaged for the 1st SPID security level (corresponding to the Level of Assurance "LoA2" of the ISO/IEC DIS 29115 standard)" (see note dated 5 November 2021, pp. 19-20); "Furthermore, in June 2020, InfoCert forced the expiration of passwords for all non-application PEC mailboxes for which no password change had been made in the previous twelve months, but for which - starting from November 2019 - it had sent appropriate warning communications to users aimed at provoking the spontaneous change of passwords before proceeding with the forcing described. In addition to the above, InfoCert has also introduced a mechanism that inhibits client access (e.g., via IMAPS, POP3S, SMTPS protocols) to PEC mailboxes for which the user has not yet proceeded with the mandatory change of the first activation password" (see note cit., p. 20).

4.3.3. Failure by Visura to adopt adequate security measures

During the investigation, it was detected and contested to InfoCert (see letter e), iii, of par. 3 of this provision) that Visura, in its capacity as data processor in the context of the processing carried out on behalf of the Company, had engaged in conduct likely to violate the security obligations pursuant to art. 32 of the Regulation, with particular regard to:
- failure to use encryption for data in transit in the functions relating to the delivery of authentication credentials and password reset for members of professional associations affiliated with Visura;
- use of obsolete base software, for which security updates are no longer available;
- failure to define internal policies for controlling the quality of passwords used for technical users;
- failure to adopt adequate measures to protect application security;
- failure to adopt cryptographic techniques for storing user passwords, thus storing the authentication credentials for access to the PEC mailboxes used by members of professional associations (first activation username and password), in a form that allowed the identification of the interested parties, even after the activation of the PEC mailbox.

In its defense briefs, as already noted above, the Company specified that it became aware of certain circumstances only during the investigation by the Authority, which made the Company aware of the "need to improve processes and security measures". Some of the contested critical issues arose, in fact, from "an autonomous initiative [by Visura] that went beyond the instructions contained in the operating manual or subsequent instructions given by InfoCert"; "starting from July 2019, InfoCert has undertaken [...] multiple initiatives aimed at strengthening the monitoring carried out on intermediaries, including Visura" (note of 5 November 2021, p. 21). In this regard, it should be noted that the Regulation, in art. 32, has also introduced an obligation for the data processor to adopt adequate measures to guarantee security. The measures that Visura failed to adopt, in relation to the aspects described above, constitute the minimum security standard that a service provider must be able to ensure even in the absence of specific instructions from the controller.
As noted in paragraph 4.3.6, although InfoCert was required to supervise Visura pursuant to art. 32, par. 1, letter d), of the Regulation, the aforementioned conduct implemented by Visura in the processing of personal data carried out on behalf of the Company is, therefore, the subject of examination and evaluation in the context of the separate proceeding initiated directly against that company. On this basis, therefore, the closure (archiviazione) of the proceeding initiated against InfoCert is ordered, limited to the aforementioned profiles of dispute relating to conduct implemented by Visura in the processing carried out on behalf of the Company, pursuant to art. 11 of the Regulation of the Guarantor no. 1/2019.

4.3.4. Failure to adopt appropriate security measures to reset passwords deemed at risk of compromise and to deliver them to users

The inspection activities revealed that, following the personal data breach in question, InfoCert, after having suspended access to approximately 52,000 PEC mailboxes resold through Visura, proceeded to generate new passwords for 27,435 PEC mailboxes, whose authentication credentials were deemed at risk of compromise (see Annex 6 to the minutes of 29 July 2019), and to transmit them to Visura. Subsequently, Visura communicated the new passwords to the users of these PEC mailboxes using various methods: (i) for approximately 22,400 PEC mailboxes, the new password was sent via an ordinary email message to the user's address made available by the professional order to which they belong; (ii) in the remaining cases, the new password was provided following a request from the user, formulated through a specific online "password forcing" service (which required the entry of some confirmation data known to the user and a copy of his/her identity document), through an on-site assistance service (at the offices of some professional associations) or by telephone (via call center).
Furthermore, it emerged that the new passwords generated by InfoCert were subject to the obligation of change only on the occasion of the first use via webmail, allowing, for a certain period of time, access to the PEC mailbox via client (e.g. IMAPS, POP3S, SMTPS) without this obligation. In this regard, it is clear that the aforementioned password reset procedures and the subsequent delivery of the new passwords to the users of the relevant PEC mailboxes, which involved the processing of approximately 27,000 authentication credentials characterized by high risks deriving from their possible use for unauthorized or illicit purposes, were carried out in the absence of adequate security measures, with particular regard to: (a) the method of delivery of the new password, which was sent in clear text within a message to the ordinary email address provided by the Order and not by the user; (b) the possibility of using such passwords to access the PEC mailboxes via client, since it was not mandatory to change them upon first use; (c) the non-automated management of the "password forcing" requests, carried out by Visura staff, with the related processing of the new passwords, in clear text, generated by InfoCert. The absence of adequate security measures in the aforementioned password reset procedures and in the subsequent delivery of the passwords to the users does not, therefore, appear to be compliant with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, letter b), of the Regulation, which, to the extent relevant to the case in question, requires that the data controller and the data processor implement measures to "ensure on an ongoing basis the confidentiality, integrity, availability and resilience of processing systems and services".

4.3.5. Failure to adopt appropriate measures to detect unauthorized access to PEC mailboxes whose authentication credentials were involved in the violation

During the investigation, it was found that the forensic analysis carried out on the access logs of the PEC mailboxes whose authentication credentials were involved in the violation was limited to the "mailboxes for which accesses were found by IP addresses 'with low reputation' (TOR network, VPN or proxy)". The forensic analysis carried out on behalf of InfoCert therefore did not take into account accesses that, although not originating from IP addresses attributable to services that allow the real IP address to be masked (e.g. Tor, VPN or proxy), could still have been carried out by unauthorized parties. By way of example and without limitation, it is highlighted that the online dissemination of 26,921 authentication credentials of PEC mailboxes of lawyers and trainees of the Rome Bar Association (first activation username and password, in many cases still valid as they had not been modified by the user) could have led, in the period from approximately 2:25 p.m. (when the data was released online) to 8:51 p.m. (when the suspension of access to the aforementioned PEC mailboxes was completed) on 7 May 2019, to access to such mailboxes by unauthorized persons who, having found such authentication credentials online, would have tried, even just out of curiosity, to verify their validity. That said, InfoCert's choice to adopt only the aforementioned analysis criteria effectively precluded the possibility of identifying any further unauthorized access to the aforementioned PEC mailboxes. In carrying out the aforementioned analysis activity, which is to be considered a valid aid for the user of the PEC mailbox, InfoCert in fact substituted itself for the user, who would have been the only person able to distinguish unauthorized access from legitimate access.
Instead, it would have been appropriate to make available to each user involved in the violation, whose authentication credentials (first activation username and password) were still valid, the list of all accesses to their PEC mailbox (with the indication, for example, of date and time, IP address and access method: webmail or client) carried out in the period from the moment in which the authentication credentials were illicitly acquired by unknown persons to the moment in which the measures to remedy the personal data breach were adopted. This would have allowed each user to detect any unauthorized access to their PEC mailbox, to assess the risks arising from this circumstance, and to adopt adequate measures to protect themselves from the possible negative consequences of the violation. Given the above, it is noted that the failure to adopt suitable measures to detect unauthorized access to the PEC mailboxes whose authentication credentials were involved in the violation did not comply with the aforementioned provisions of art. 5, par. 1, letter f), and art. 32, par. 1, letter b), of the Regulation. In this regard, in the defense briefs, the Company stated that it had adopted adequate corrective measures, since, "in line with the findings made by this Authority, as of March 31, 2020, InfoCert has made available, for all users of the PEC service via webmail, a special control panel called "Access control dashboard", which allows the user to independently verify the information relating to the latest accesses to their PEC mailbox. Within the Dashboard, accesses are distinguished by type (i.e. access via webmail, client or applications, or via the "Legalmail" mobile app) and contain the indication of the relevant information in relation to each access".
Therefore, "as a result of the actions adopted, InfoCert has placed itself in a position to increase the security of the processing with respect to unauthorized access to PEC mailboxes, thereby ensuring compliance with the obligations set out in Articles 5, paragraph 1, letter f) and 32 of the Regulation in relation to the dispute profiles in question" (note of 5 November 2021, p. 24).

4.3.6. Failure to supervise the work of intermediaries

On the basis of the documentation in the file, it is established that InfoCert did not carry out the necessary control activities on the work of its data processors, which would have allowed it, at the very least, to proactively detect the inadequacy of the security measures adopted by Visura, and possibly by other intermediaries, in the context of the processing carried out for the resale of the PEC service (see par. 4.3.3). Having said this, while acknowledging the considerable supervisory activities over the intermediaries operating as data processors, which were carried out by the Company following the Authority's objections and illustrated in the defense brief (note of 5 November 2021, pp. 22-25), it is noted that the failure to carry out control activities on the work of intermediaries up to that point was not compliant with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, letter d), of the Regulation, which, in the case in question, requires that the data controller implement measures to "test, verify and regularly evaluate the effectiveness of technical and organizational measures in order to guarantee the security of the processing".
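For the access-detection point in paragraph 4.3.5 above, here is an added example (not InfoCert's or Visura's code) of what a per-user access list for the exposure window looks like, and of what a criterion limited to "low reputation" IP addresses leaves out. The log format, mailbox names, IP addresses and reputation list are constructed for illustration; the window times are those stated in the decision.

```python
"""Per-user access report for a credential-exposure window.

Added example, not InfoCert's or Visura's code. The log format, mailbox
names, IP addresses and reputation list are constructed for illustration;
the window (7 May 2019, 14:25 to 20:51) is the one stated in the decision.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed access-log lines: timestamp, mailbox, client IP, method, outcome.
ACCESS_LOG = """\
2019-05-07T13:10:02 user.a@pec.example 203.0.113.5 webmail ok
2019-05-07T14:40:11 user.a@pec.example 198.51.100.9 imaps ok
2019-05-07T15:02:45 user.b@pec.example 192.0.2.77 webmail ok
2019-05-07T15:30:00 user.b@pec.example 192.0.2.77 imaps fail
2019-05-07T18:12:19 user.c@pec.example 203.0.113.200 pop3s ok
2019-05-07T21:05:00 user.a@pec.example 198.51.100.9 imaps ok
"""

# Constructed: mailboxes in the disseminated set whose first-activation
# password had not yet been changed, so the leaked credentials still worked.
EXPOSED_UNCHANGED: Set[str] = {"user.a@pec.example", "user.b@pec.example"}

# Constructed "low reputation" addresses (Tor exit, VPN or proxy), i.e. the
# only criterion the forensic analysis described in the decision applied.
LOW_REPUTATION_IPS: Set[str] = {"198.51.100.9"}

# Window from the online release of the credentials to the completed
# suspension of the mailboxes, as stated in the decision.
WINDOW_START = datetime(2019, 5, 7, 14, 25)
WINDOW_END = datetime(2019, 5, 7, 20, 51)


@dataclass(frozen=True)
class Access:
    when: datetime
    mailbox: str
    ip: str
    method: str   # "webmail" or a client protocol such as imaps/pop3s/smtps
    outcome: str  # "ok" or "fail"


def parse_log(text: str) -> List[Access]:
    """Parse the whitespace-separated constructed format into Access records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mailbox, ip, method, outcome = line.split()
        entries.append(Access(datetime.fromisoformat(ts), mailbox, ip, method, outcome))
    return entries


def accesses_in_window(entries: List[Access], mailboxes: Set[str],
                       start: datetime, end: datetime) -> Dict[str, List[Access]]:
    """All accesses (successful or not) to the exposed mailboxes inside the
    window, grouped per mailbox: the list each user would need in order to
    tell legitimate accesses from unauthorized ones."""
    report: Dict[str, List[Access]] = {}
    for a in entries:
        if a.mailbox in mailboxes and start <= a.when <= end:
            report.setdefault(a.mailbox, []).append(a)
    return report


def low_reputation_only(entries: List[Access], mailboxes: Set[str], start: datetime,
                        end: datetime, bad_ips: Set[str]) -> Dict[str, List[Access]]:
    """The narrower criterion actually applied: keep only accesses coming
    from addresses on the low-reputation list."""
    full = accesses_in_window(entries, mailboxes, start, end)
    return {m: [a for a in lst if a.ip in bad_ips]
            for m, lst in full.items() if any(a.ip in bad_ips for a in lst)}


def missed_by_reputation_filter(entries: List[Access], mailboxes: Set[str], start: datetime,
                                end: datetime, bad_ips: Set[str]) -> Dict[str, List[Access]]:
    """Accesses inside the window that the reputation filter discards; only
    the mailbox owner can say whether these were legitimate."""
    full = accesses_in_window(entries, mailboxes, start, end)
    missed = {m: [a for a in lst if a.ip not in bad_ips] for m, lst in full.items()}
    return {m: lst for m, lst in missed.items() if lst}


def format_report(report: Dict[str, List[Access]]) -> List[str]:
    """One human-readable line per access: date and time, IP, method, outcome."""
    lines = []
    for mailbox in sorted(report):
        for a in report[mailbox]:
            lines.append(f"{mailbox} {a.when:%Y-%m-%d %H:%M:%S} {a.ip} {a.method} {a.outcome}")
    return lines


if __name__ == "__main__":
    entries = parse_log(ACCESS_LOG)
    missed = missed_by_reputation_filter(entries, EXPOSED_UNCHANGED,
                                         WINDOW_START, WINDOW_END, LOW_REPUTATION_IPS)
    for line in format_report(missed):
        print(line)
```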
4.3.7. Failure to adopt suitable measures for access to the certified log of the PEC service

As part of the inspections, it was found that the PEC message log kept by InfoCert could be consulted via a web application, reachable from a public network, after passing a single-factor computer authentication procedure (based on username and password, with no password expiry; see annex 1 to the minutes of 1 August 2019, p. 5). Furthermore, it emerged that, even though the authorized subjects had their own nominal user names, access to the aforementioned web application was usually carried out through a non-nominal user name (XX) shared between eight InfoCert operators, as also occurred during the inspection activity. Taking into account the nature, object, context and purposes of the processing, which involves the retention for thirty months of information relating to all messages incoming to, or outgoing from, PEC mailboxes managed by InfoCert (approximately 500 million in 2019 alone), including personal data (referring or referable to the sender, recipient or third parties) belonging to special categories or relating to criminal convictions and offences (Articles 9, paragraph 1, and 10 of the Regulation), the aforementioned methods of access to the certified log are not adequate from a security perspective. First, it is considered that making the certified log relating to messages transiting through all the PEC mailboxes managed by the Company accessible from a public network and with a weak (single-factor) IT authentication procedure presents a high and unjustified risk for the rights and freedoms of the interested parties, in consideration of the serious consequences that could arise from any unauthorized access to the data contained therein.
Second, it is noted that the use of non-nominal users by multiple subjects prevents the attribution of the actions performed in an IT system to a specific subject, to the detriment also of the data controller, who is deprived of the possibility of controlling the actions of the subjects acting under its authority. Furthermore, it is noted that, when a non-nominal user with administrative privileges, such as the one in question, is used by multiple subjects, situations may arise in which there is no coherence between the assigned authorization profiles and the actual operational needs for the management of the systems, making it possible for an unauthorized subject to operate, in the absence of a specific intention on the part of the data controller, within the processing systems and services.

With regard to the failure to adopt suitable measures for access to the certified log of the PEC service, in the defense briefs the Company declared that "InfoCert has proceeded to review the profiles contested by this Authority, implementing the following measures relating to access to the bucket containing the PEC message log kept by InfoCert (so-called certified log):
(i) deactivation, starting from 8 October 2019, of the exposure from the public network of the bucket containing the logs of InfoCert PEC messages, thereby inhibiting access from the public network, as attested by the screenshot reported in Annex 2.5.6 to this brief.
(ii) deactivation, starting from 6 August 2019, of read access to the PEC bucket log by the technical user XX. The application user continues to be in use for the daily filing of new PEC logs, but is no longer enabled to view them via the web exhibitor.
(iii) enabling, starting from 6 August 2019, personal users strictly necessary for the provision/verification of the service, to access the PEC bucket log via the web from the internal network and VPN. In this way, only identified and authorised users can access the PEC logs, exclusively from the internal network or VPN.
(iv) changing the password of the technical user XX, which in any case can no longer be used for web access functions starting from 6 August 2019 (see the minutes of 24 September 2019, page 2). In this way, for further security, a user in possession of the old password will no longer be able to use the user in question to view the PEC logs via the WEB" (see note of 5 November 2021, p. 25; see also pp. 34-35 in this regard).

On this basis, it is therefore noted that, prior to the adoption of corrective measures by the Company, the methods of access to the certified log of the InfoCert PEC service did not comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, letter b), and par. 2, of the Regulation.

4.3.8. The inadequacy of some logs tracking accesses and operations performed by the subjects authorized to process

During the investigation, it was ascertained that the logs tracking accesses and operations performed on a backend system of the PEC service, containing the mailboxes of the PEC boxes managed by InfoCert, did not include file copy operations (including the operation of copying all the messages contained in a PEC box), and did not even contain a session identifier that would allow the access logs and the operation logs to be correlated; the operation logs therefore appeared to be a mere list of the commands executed, without the information (such as the date and time of the operation and the user who performed it) necessary to attribute the actions performed to a specific subject.
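For the tracking-log deficiencies described in paragraph 4.3.8, here is an added example (not InfoCert's code) of access and operation records that each carry a session identifier, timestamp, user, client IP and outcome, and of the join on the session identifier that attributes every operation, including a whole-mailbox copy, to a named operator. Field names, user names, addresses and the records themselves are constructed for illustration.

```python
"""Attributing operations to operators by joining access and operation logs
on a session identifier.

Added example, not InfoCert's code. Field names, user names, IP addresses
and the records themselves are constructed for illustration.
"""
from typing import Dict, List, Sequence, Tuple

# Fields each record must carry for an action to be attributable to a
# specific subject (who, when, from where, what, with which result).
REQUIRED_ACCESS_FIELDS = ("ts", "session", "user", "client_ip", "outcome")
REQUIRED_OPERATION_FIELDS = ("ts", "session", "op", "target", "outcome")

# Constructed access log: one record per authentication attempt.
ACCESS_LOG: List[Dict[str, str]] = [
    {"ts": "2019-08-06T09:00:12Z", "session": "s-1001", "user": "m.rossi",
     "client_ip": "10.20.0.15", "outcome": "success"},
    {"ts": "2019-08-06T09:03:40Z", "session": "s-1002", "user": "g.bianchi",
     "client_ip": "10.20.0.31", "outcome": "success"},
    {"ts": "2019-08-06T09:05:02Z", "session": "s-1003", "user": "g.bianchi",
     "client_ip": "203.0.113.9", "outcome": "failure"},
]

# Constructed operation log: every record carries the session id, and bulk
# copy operations are recorded like any other command.
OPERATION_LOG: List[Dict[str, str]] = [
    {"ts": "2019-08-06T09:01:05Z", "session": "s-1001", "op": "read",
     "target": "mailbox/123/INBOX", "outcome": "success"},
    {"ts": "2019-08-06T09:02:30Z", "session": "s-1001", "op": "copy",
     "target": "mailbox/123/*", "outcome": "success"},
    {"ts": "2019-08-06T09:04:10Z", "session": "s-1002", "op": "read",
     "target": "certified-log/2019-08-05", "outcome": "success"},
    # Orphan: no successful authentication with this session id exists.
    {"ts": "2019-08-06T09:06:00Z", "session": "s-9999", "op": "copy",
     "target": "mailbox/456/*", "outcome": "success"},
]


def missing_fields(record: Dict[str, str], required: Sequence[str]) -> List[str]:
    """Names of required fields that are absent or empty in a record; a bare
    command line without timestamp, session or outcome fails this check."""
    return [f for f in required if not record.get(f)]


def attribute_operations(
    access_log: List[Dict[str, str]], operation_log: List[Dict[str, str]]
) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Join each operation to the operator who opened its session.

    Returns (attributed, orphans): attributed records are the operation
    records enriched with "user" and "client_ip" taken from the matching
    successful authentication; orphans are operations whose session id
    matches no successful authentication and so cannot be attributed.
    """
    sessions = {a["session"]: a for a in access_log if a["outcome"] == "success"}
    attributed: List[Dict[str, str]] = []
    orphans: List[Dict[str, str]] = []
    for op in operation_log:
        owner = sessions.get(op["session"])
        if owner is None:
            orphans.append(op)
            continue
        attributed.append({**op, "user": owner["user"], "client_ip": owner["client_ip"]})
    return attributed, orphans


def bulk_copies_by_user(attributed: List[Dict[str, str]]) -> Dict[str, int]:
    """Count successful whole-mailbox copies per operator: the operation the
    decision found was not being logged at all."""
    counts: Dict[str, int] = {}
    for rec in attributed:
        if rec["op"] == "copy" and rec["target"].endswith("/*") and rec["outcome"] == "success":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    ops, orphans = attribute_operations(ACCESS_LOG, OPERATION_LOG)
    for rec in ops:
        print(rec["ts"], rec["user"], rec["client_ip"], rec["op"], rec["target"], rec["outcome"])
    print("unattributable operations:", [o["session"] for o in orphans])
    print("whole-mailbox copies per operator:", bulk_copies_by_user(ops))
```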
Furthermore, it was found that the logs relating to accesses and operations carried out on the bucket containing the certified log, generated by the storage system, did not make it possible to identify either the device from which the operation was carried out (for example, through the IP address of the client used), or the outcome of the operation, or the work session in which different operations were carried out (for example, through a session identifier). The tracking logs generated by the aforementioned systems therefore did not allow InfoCert to carry out analyses or checks on the activities carried out on the data by the subjects operating under its authority. Furthermore, the generation of adequate tracking logs is functional to other measures which, although not assessed during this investigation, should be adopted by InfoCert in order to detect intrusions or anomalous and abusive accesses to its IT systems, by correlating the tracking logs relating to different IT systems.

In this regard, in the defense brief, the Company stated that it had implemented adequate improvement measures (see note of 5 November 2021, pp. 25-26). While acknowledging the corrective measures implemented by the Company following the Authority's objections, it should be noted that, previously, the methods of tracking accesses and operations performed on the aforementioned systems were not compliant with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, letter b), and 2, of the Regulation.

4.4. Obligation to document personal data breaches: the inadequacy of the documentation in this case

With reference to the obligation to document personal data breaches pursuant to art. 33, par. 5, of the Regulation, the “Guidelines on the notification of personal data breaches under Regulation (EU) 2016/679” of the Article 29 Data Protection Working Party of 3 October 2017, as amended and adopted lastly on 6 February 2018 and endorsed by the European Data Protection Board on 25 May 2018, highlight that “the controller is required to record the details of the breach, including the causes, facts and personal data concerned. It should also indicate the effects and consequences of the breach and the measures taken to address it. […] In addition to this information, the Working Party recommends that the data controller also document the reasoning behind the decisions taken in response to a breach”, as confirmed in the “Guidelines 9/2022 on personal data breach notification under GDPR” of the European Data Protection Board of 10 October 2022, as amended and lastly adopted on 28 March 2023.

It was found that, in the register with which InfoCert documented personal data breaches, only summary information on the breaches that occurred was initially reported, without indicating essential elements such as the reasons underlying the risk assessments carried out by the Company and the description of the measures adopted to remedy each personal data breach. With particular reference to the personal data breach in question, during the investigation it was then verified that, from the moment it became aware of it, InfoCert did not proceed to appropriately document the personal data breach that occurred, as the information content found in the documentation produced during the investigations could not be considered adequate, contrary to what the Company claimed in the defense briefs (see note of 5 November 2021, pp. 14-15 in relation to the use of additional company tools), since it lacked the essential elements.
This criticality, relating to the absence or lack of the aforementioned essential elements, persists, in fact, even considering the information that InfoCert records in the system used for the management of IT incidents (see attachment 4 to the note of 6 September 2019), which is not referenced - and therefore identified - in the register of personal data breaches kept by the Company; nor would what was subsequently produced by the Company in the reply briefs be relevant for this purpose, given that, also in light of the extraction of the register of violations updated to 31 December 2019, there does not appear to be a univocal reference to a specific violation, since the same was identified without a specific ID and with the generic wording "SCINC". In the defensive briefs, the Company then represented that "during 2020, [...] it took steps to integrate its register of personal data violations", taking steps to "extend and detail the information contained in its register of personal data violations, which is maintained and updated by the privacy function of InfoCert" (see note cit., pp. 15-16).

4.5. Obligation to communicate the personal data breach to the data subjects: late and inadequate communication towards the data subjects involved

The aforementioned Guidelines on the notification of personal data breaches (also in the updated version of the same, see “Guidelines 9/2022 on personal data breach notification under GDPR”) identify the following factors to be considered – in the event of a personal data breach – in the assessment of the risk for the rights and freedoms of the data subjects.
With reference to the specific case, it is necessary to take into account the high number of data subjects involved, the nature of the personal data breach (which occurred in the context of a large-scale cyber attack, aimed at obtaining authentication credentials, disseminating them online and, most likely, using them for illicit activities, also determining the exfiltration of the content of some mailboxes), as well as the severity and persistence of the possible consequences for natural persons that could arise from the personal data breach (such as the loss of control by the data subjects over their personal data, identity theft or usurpation, as well as the possible use of the data subjects' data for phishing purposes or, in any case, for illicit or unauthorised purposes). For these reasons, the personal data breach in question is likely to present a high risk to the rights and freedoms of natural persons, a condition for which communication to the data subjects is required in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular in the case of information specifically intended for minors, pursuant to Articles 12, paragraph 1, and 34, paragraph 1, of the Regulation. With reference to the timeframes within which to make the aforementioned communications, the aforementioned Guidelines also highlight that "the Regulation states that the communication of a breach to the data subjects should take place "without undue delay", which means as soon as possible", considering the fact that the main objective of the communication to the data subjects is to provide them with specific information on the measures that they can take to protect themselves. 
In particular, in the case in question, the group of interested parties who had not changed their first activation password must be taken into specific consideration, since the violation entailed, for these individuals, in addition to the loss of confidentiality of their tax code and PEC address, also that of their usernames and first activation passwords which, being still valid, allowed access to the PEC mailbox until InfoCert ordered the reset of the relevant password. In its defense briefs, the Company represented, with regard to the profiles of lateness and inadequacy of the communication of the personal data violation to this group of interested parties, in particular, that “InfoCert promptly sent an initial communication on 9 May 2019”; “this communication was prepared and sent in the early and hectic phases following the cyber attack, in a context in which – as also resulting from the notification sent to the Authority on the same date – the perimeter (objective and subjective) and the scope of the cyber attack in question were not yet fully defined”; “pending the performance of the appropriate analyses aimed at determining the perimeter of the users actually involved in the Personal Data Breach, InfoCert promptly took action to identify, through the professional associations to which they belong, the interested parties for whom a regular email address was available. 
In this scenario – pending the results of the analysis and investigation activities immediately activated by the undersigned company in parallel with the necessary actions aimed at guaranteeing the continuity of the services offered – InfoCert found itself in the position of being able to fulfill its communication obligations in relation only to the circumstances actually verified as of 9 May 2019, also in order to avoid confusing or misleading communications towards the interested parties”; with regard to the communications made after 9 May 2019, InfoCert finally highlighted that “the fact that such supplementary communications were sent to a number of interested parties deemed small [by] the Authority is a direct consequence of the results of the forensic analysis that InfoCert – with a view to obtaining the technical support necessary to carry out the functional investigations to remedy the consequences of the Personal Data Breach – had commissioned for this purpose from a qualified company in the sector” (see note of 5 November 2021, pp. 16-17).

Having said all of the above, it is established that InfoCert, in violation of Articles 5, paragraph 1, letter a), 12, paragraph 1, and 34 of the Regulation, communicated the personal data breach that occurred to the interested parties involved late and in an inadequate manner; what was subsequently declared by the Company in the defense briefs is irrelevant for the purposes of the case in question, since, in light of the overall evidence collected during the detailed investigation, it emerged that:

− the first communication sent on 9 May 2019 by InfoCert did not clearly indicate the involvement of the interested party to whom it was addressed nor the categories of personal data subject to the violation, also failing to describe the probable consequences of the violation of personal data (especially towards those who had not changed the first activation password before the cyber attack, with high risks of unauthorized access to their PEC mailboxes); this communication, moreover, was sent only to the interested parties "for whom it was possible to find, through the professional associations to which they belong, an ordinary email address", without adopting measures to try to inform in alternative ways the interested parties for whom it was not possible to find an ordinary email address (for example, by publishing a press release on their institutional website);

− the subsequent communications sent on 23 September, 7 and 11 October 2019 were addressed to only a small number of interested parties (80 users in total), as the forensic analysis was conducted exclusively considering as anomalous the “accesses to […] PEC mailboxes by IP addresses with “low reputation””, thus ignoring any unauthorized accesses made by third parties, even from IP addresses not with “low reputation”; moreover, some of the aforementioned authentication credentials were disseminated online, thus potentially becoming available to anyone;

− with the communication sent on 23 September 2019 to 63 interested parties, in which it was stated that “no sending, copying or deletion of messages performed by the IP addresses reported were found”, the Company provided information that did not correspond to what actually happened, implying that the violation in question had not also involved the personal data present in the messages contained in the PEC mailbox; only with the subsequent communication of 7 October 2019 was it specified that "the illicit access [...] involved the consultation and download - by unknown persons - of the messages present in the mailbox";

− the aforementioned communications were sent late: it was in fact ascertained that InfoCert was already aware on 31 July 2019 of the fact that there had been illicit or, in any case, unauthorised access to some PEC mailboxes used by members of the Rome Bar Association and that only on 23 September, 7 October and 11 October 2019 (more than fifty days after having become aware of it) did it proceed to inform the interested parties involved.

More generally, as regards the corrective measures introduced to ensure the compliance in question pursuant to art. 34 of the Regulation, InfoCert acknowledged that it had “proceeded to modify its data breach management procedure” in order to avoid the risk of sending untimely or incomplete communications to interested parties, adopting a new procedure “adopted on 4 May 2021” (see note of 5 November 2021, p. 17).

4.6. Responsibility of the data controller

In light of the documentation in the files and the considerations made, it is noted that InfoCert has not adopted adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing carried out in the context of the management of the PEC service has occurred in compliance with the Regulation, in violation of the principle of "accountability" (articles 5, par. 2, and 24 of the Regulation). In consideration of the above, in fact, the measures adopted by the Company have been found to be inadequate to ensure compliance with the principles of "lawfulness, correctness and transparency" and "integrity and confidentiality", not fulfilling the obligations imposed on the data controller, with particular reference to those regarding the security of the processing (see par. 4.3) and in the event of a violation of personal data (see par. 4.4 and 4.5), and, during the complex investigation activity and on the basis of the evidence produced, InfoCert was not able to demonstrate the compliance of the aforementioned processing with the Regulation. The violation of the principle of "accountability" is more serious due to the nature and context of the processing carried out by the Company in the provision of the PEC service, within which all the measures and precautions necessary to gain the trust of users and to rigorously satisfy the legitimate expectations of transparency and security should be adopted. In this regard, in its defense briefs, the Company stated that, following the personal data breach that occurred between April and May 2019, "an intense remedial activity was implemented in order to mitigate the negative consequences of the event and to align the organization, the personal data processing processes and the security measures of InfoCert with the requirements of the applicable discipline, so as to reduce its exposure to the risk of similar violations in the future" (see note of 5 November 2021, pp. 28-30).

4.7. Data protection by design and by default

In light of what is stated in the previous paragraphs and what emerged during the investigation phase, it is established that the Company, in determining the means of processing, has not adopted adequate measures and guarantees to effectively implement the principles of “lawfulness, fairness and transparency” (see par. 4.5) and “integrity and confidentiality” (see par. 4.3), also taking into account the high risks for the rights and freedoms of the data subjects resulting from the processing in question. Based on the principle of “data protection by design” (Article 25, par. 1, of the Regulation, as illustrated above), the data controller is, instead, required to implement the principles of data protection (Article 5 of the Regulation) by adopting adequate technical and organizational measures and integrating the necessary guarantees into the processing to meet the requirements of the Regulation and protect the rights and freedoms of the data subjects. The obligation to maintain, verify and update, where necessary, the processing also applies to pre-existing systems. This implies that systems designed before the entry into force of the Regulation must be subject to checks and maintenance to ensure the application of measures and safeguards that implement the principles and rights of data subjects in an effective manner. This obligation also extends to processing carried out by a data processor. In fact, processing operations carried out by a processor should be regularly reviewed and assessed by the controller to ensure that they continue to comply with the principles and allow the controller to fulfil the obligations set out in the Regulation (see the “Guidelines 4/2019 on Article 25 Data protection by design and by default”, adopted by the European Data Protection Board on 20 October 2020, v. 2.0, esp. points 7, 38, 39 and 84; esp. points 65 and 66 for the principle of lawfulness, fairness and transparency, and esp. points 84 and 85 for the principle of integrity and confidentiality). Furthermore, the principle of “data protection by default” (art. 25, par. 2, of the Regulation) requires the data controller to make choices that ensure that, by default, only the processing that is strictly necessary to achieve a specific and lawful purpose is carried out.
This therefore means that, by default, the data controller must provide for limitations, both to the subjects authorized to access and to the type of access to personal data, based on an assessment of necessity, as well as provide that data that are no longer necessary for the purposes of processing are deleted or made anonymous (see the aforementioned Guidelines 4/2019, esp. points 42, 53 and 55). This did not occur, in particular, in the process of managing PEC mailboxes through an intermediary, nor in the procedures provided for resetting the password at risk of compromise following the violation. Therefore, the failure to adopt the aforementioned measures conflicts with the principles of “data protection by design” and “data protection by default” referred to in art. 25, paragraphs 1 and 2, of the Regulation. The Company, in its defense briefs, with regard to the failure to comply with the principles of data protection by design and by default referred to in art. 25 of the Regulation, has, in any case, represented that it has started, from October 2020, a process of reviewing the method of implementing the aforementioned principles, in particular through training and awareness-raising activities for personnel authorized to process data (see note of 5 November 2021, pp. 28-30).

4.8. Data protection impact assessment

In light of what emerged from the investigation, it is established that InfoCert has violated art. 35 of the Regulation, as some processing operations carried out for the management of the PEC service, which present a high risk for the rights and freedoms of the interested parties, have not been subject to an impact assessment, and the one provided by InfoCert during the investigation (see annex 5 to the minutes of 1 August 2019, p. 3, and attached to the note of 23 September 2019), concerning the remaining processing operations relating to the PEC service, did not contain the essential elements required by paragraph 7 of the aforementioned article (see paragraph 2.5. of this provision). In particular, also due to the incompleteness of the register of processing activities and the inadequate methodology adopted by the Company, the impact assessment was not conducted on the processing relating to the transmission of messages, the management of the transmission service, the storage of certified logs, and the activation of copying messages to a clone folder, which involve the processing of data, on a large scale (the Company manages millions of PEC mailboxes), belonging to particular categories or relating to criminal convictions and crimes (if only in consideration of the fact that the Company offers the service to hundreds of thousands of lawyers who use PEC in the context of the various types of telematic process), some of which, in addition to being contained within the PEC messages, are also contained in the relevant subject line, which is, moreover, stored in accordance with the law in the certified log. Furthermore, the impact assessment carried out by InfoCert was mainly focused on purely technical aspects of the processing, resulting mainly in an IT risk assessment document, with evident shortcomings in the systematic description of the processing and the impacts on the rights and freedoms of the data subjects deriving from the different risk scenarios, as well as the measures envisaged to address them and the mechanisms to ensure data protection and demonstration of compliance with the Regulation. With reference to the dispute in question, in its defensive briefs, InfoCert, demonstrating the measures taken following the Authority's dispute, sent a copy of the impact assessment integrated with the missing elements (see note of 5 November 2021, pp. 26-27 and also p. 34).

5. Conclusions

In light of the aforementioned assessments, it is noted that the statements made by the Company during the investigation referred to above - for the truthfulness of which the Company may be held accountable pursuant to art. 168 of the Code - although worthy of consideration, do not allow most of the findings contested by the Office with the act of initiation of the proceeding to be overcome and are insufficient to allow the archiving of the present proceeding, without prejudice to what is represented in par. 4.3.3. Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by InfoCert is noted, for having carried out the processing of personal data in question in violation of art. 5, par. 1, letters a) and f) and par. 2, 12, 25, 28, 30, 32, 33, par. 5, 34 and 35 of the Regulation.

[OMISSIS]

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by InfoCert S.p.A. due to violation of art. 5, par. 1, letters a) and f), and par. 2, 12, par. 1, 25, 28, 30, 32, 33, par. 5, 34 and 35 of the Regulation, in the terms set out in the reasons;

[OMISSIS]

ORDERS

[OMISSIS]

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and measures adopted in compliance with art. 58, par. 2, of the Regulation (see art. 17 of the Regulation of the Guarantor n. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree n. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 9 May 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE SECRETARY GENERAL
Mattei