Copyright Giulio Coraggio 2018

The Internet of Things and Cybercrime – what risks?


The Internet of Things is expected to lead to 50 billion connected devices by 2020, collecting and exchanging personal data about their users: their lives, their preferences and their tastes. This will raise not only significant data protection issues but also increased cybercrime-related risks, triggering the need to ensure a higher level of cyber security.

I have already covered in this post the compliance measures to be put in place in order to address the data protection issues affecting the Internet of Things. However, as covered in this post by my friend Pierluigi Paganini, the Internet of Things is likely to create new opportunities for hackers able to get past the security measures implemented in, for instance, wearable technologies or eHealth systems, leading to cybercrimes.

This issue has recently been addressed by the Italian Government, which adopted the National Plan on Cyber Security. Its purpose is, among others, to amend cybercrime provisions so that they are better tailored to new technologies, which certainly includes crimes involving unauthorized access to BIG DATA and to personal data collected through Internet of Things technologies.

In addition, a cybercrime involving access to personal data stored in a database (for instance health-related data gathered by means of wearable technologies, but also data collected by companies such as manufacturers of cars or home appliances, providers of eHealth or telemedicine technologies, and even banks) can also lead to liabilities for the entities acting as controllers of such databases. In such circumstances, in accordance with the GDPR, the burden of proving that all the possible security measures necessary to prevent the cybercrime were adopted falls on the data controller itself, creating a scenario that in some cases can be defined as a “probatio diabolica”.

Also, in the case of a so-called data breach (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in a database), the obligation to notify the Data Protection Supervisory Authority currently applies only to providers of electronic communication services (read on the topic “Top 3 lessons learnt on data breach events and how to be ready to face them”). However, under the GDPR it becomes an obligation for any data controller, i.e. any entity running a database of personal data, as a consequence of the coming into force of the new EU data protection regulation. And this extension will be coupled with an increase in the sanctions for breach of data protection regulations, up to 4% of the global turnover of the data controller’s group (read on the topic “Are privacy fines really massive under the GDPR?”).

Such obligations will raise concerns not only for European companies but also for non-European companies, such as American entities collecting personal data of European users, because the new European data protection regulation will apply to any entity processing personal data of users located in the European Union.

According to estimates, there were 1,150 cybercrime attacks globally in 2013, of which 35 in Italy, leading to annual damages of between € 20 and € 40 billion in Italy. Given such circumstances, it is not surprising that insurance policies covering cybercrimes are becoming very popular. The growth of the Internet of Things and the increased reliance of companies on BIG DATA and, in general, on large databases creates a risk against which companies are more and more deciding to obtain insurance protection.

Likewise, the fact that Italian law provides for corporate criminal liability in relation to cybercrime conduct pushes companies to adopt the so-called internal corporate model of organization and management outlined in this post, in order to minimize liabilities in case of a cybercrime leading to the loss, alteration or destruction of their customers’ data. This is relevant not only for gaming operators but for companies operating in any sector.


Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world leading law firm DLA Piper. Top global IoT influencer and FinTech lover, finding solutions to what's next for our clients' success.