Can the risk of cybercrime be the main threat to the growth of Internet of Things technologies? And how should such risk be handled?
The Internet of Things is expected to lead to 50 billion connected devices by 2020, collecting and exchanging personal data about their users, their lives, their preferences, and their tastes. This scenario will lead not only to significant data protection issues but also to increased cybercrime-related risks, which in turn require a higher level of cybersecurity.
In a previous post, “The Internet of Things and data protection issues,” I covered the compliance measures to be put in place to address the data protection issues affecting the Internet of Things. However, as discussed in the article “Internet of Things, new opportunities for hackers and cyber criminals” by my friend Pierluigi Paganini, the Internet of Things is likely to create new opportunities for attackers capable of bypassing the security measures implemented in, for instance, wearable technologies or eHealth systems, and thereby of committing cybercrimes.
This issue was addressed by the Italian Government, which adopted the National Plan on Cyber Security. One of its purposes is to amend the cybercrime provisions so that they fit new technologies, which certainly include offences involving unauthorized access to Big Data and to the personal data collected through Internet of Things technologies.
In addition to the above, a cybercrime consisting of unauthorized access to personal data stored in a database, including for instance health-related data gathered through wearable, eHealth or telemedicine technologies, or the data held by banks, can also lead to liabilities for the entities acting as controllers of such databases. In such circumstances, under the GDPR the burden of proving that all the security measures necessary to prevent the cybercrime affecting the Internet of Things technologies had been adopted falls on the data controller itself, creating a scenario that in some cases amounts to a “probatio diabolica.”
Also, in case of a so-called “data breach,” notifying the Data Protection Supervisory Authority is now an obligation for any data controller (i.e., any entity running a database of personal data) as a consequence of the coming into force of the GDPR, the new EU data protection regulation; the notification is due without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. You can read more on the topic in “Top 3 lessons learned on data breach events and how to be ready to face them.” This broader obligation is coupled with increased sanctions for breaches of data protection rules, up to 4% of the global annual turnover of the data controller’s group (read on the topic “Are privacy fines massive under the GDPR?”).
Such obligations raise concerns not only for European companies but also for non-European companies, such as American entities collecting personal data of European users, because the new European data protection regulation applies to any entity processing the personal data of individuals located in the European Union, even where the entity is not established in the EU, whenever the processing relates to offering them goods or services or to monitoring their behaviour.
According to estimates, there were 1,150 cybercrime attacks globally in 2013, 35 of which took place in Italy, causing annual damages of between €20 and €40 billion in Italy. Given such circumstances, it is not surprising that insurance policies covering cybercrime are becoming popular. The growth of the Internet of Things and the increased reliance of companies on Big Data and, more generally, on large databases create a risk against which companies are increasingly deciding to take out insurance cover.
Likewise, the fact that Italian law (Legislative Decree 231/2001) provides for corporate criminal liability in relation to cybercrime offences pushes companies to adopt the so-called internal corporate model of organization and management outlined in the article “Corporate Criminal Liability for Gaming Operators,” in order to minimize their liability in case of a cybercrime leading to the loss, alteration or destruction of their customers’ data. This scenario is not relevant only to gaming operators, but to companies operating in any sector.
In the article “When the Internet of Things meets the blockchain” I covered how the blockchain might considerably limit the risks deriving from IoT technologies, and we will see whether combining the two technologies turns out to be the solution that boosts both of them. You can also watch below a video (in Italian) on how to arrange a proper cybersecurity strategy, part of my videoblog Diritto al Digitale.