
Smart Working and Cyber Security - Operational Aspects and Legal Issues.

30 May 2023

The emergency created by the spread of the Covid-19 pandemic has forced a radical shift in social relations at every level due to the need to prevent the spread of the virus, through what is commonly referred to as “social distancing”.

At the regulatory level, governmental measures have been enacted that have mandated the adoption of particularly restrictive behavioral measures with regard to the free movement of people and the normal conduct of commercial, professional and industrial activities.

In a scenario in which the virus has drawn general attention onto itself and all efforts are directed at coping with its spread, “cyber criminals” can find ample room for maneuver, taking advantage of the enormous and rapid expansion of remote working.

It is not surprising, then, that the past few months have seen an exponential growth in cyber attacks. At the national level, the alarm has been raised by the Italian Postal Police, which has ascertained several attempts at “phishing” and “spamming” to the detriment of citizens and institutions and has recommended that everyone be more cautious in online operations.

Abroad, too, the Reuters and Bloomberg agencies are devoting attention to the phenomenon of computer hacking, which has increased globally since the start of the pandemic, and are raising awareness of its potential danger.

In recent months, due to the pandemic and the need to ensure social distancing even in the work environment, especially in the industrial and service sectors, there has been a sharp increase in remote work, or “agile work”, that is – to repeat the definition contained in Art. 18 paragraph 1 of L. 22/5/2017 No. 81 – a “mode of execution of the employment relationship established by agreement between the parties, including with forms of organization by phases, cycles and objectives and without precise constraints of time or place of work, with the possible use of technological tools for the performance of the work activity. Work is performed partly on company premises and partly outside without a fixed location, within the limits only of the maximum duration of daily and weekly working time resulting from the law and collective bargaining”.

This mode of providing work activity, which was previously practicable only in the presence of a specific agreement between the company and the worker, has become a de facto mandatory practice following the spread of the Covid-19 pandemic: at first as a result of the enactment of the norms on “social distancing” in the working environment (further reinforced by the requirements of protecting the health of workers), and later also as a result of the suspension of operations of many companies belonging to production sectors “not essential” to the national economy, obviously considering the emergency regime in which we are operating. All the regulations issued at the governmental and legislative level since the beginning of the pandemic emergency refer to remote or agile work, widening to an ever-increasing extent the spread of this mode of operation in the business environment. However, while it is true that the performance of work in agile mode is not a new concept, it is equally true that organizing and managing the entire workforce remotely is an unprecedented event.

Moreover, the legislature has issued a sequence of provisions in an attempt to give more content to the meaning of “smart working”, creating a real regulatory maze in which it becomes quite difficult to find one’s way around. In particular, Art. 2 of the Prime Ministerial Decree of 25/2/2020, whose operation was limited to the so-called “red zones”, made the first reference to the use of “smart working” in a simplified form, that is, applicable to all employees residing in risk zones, thus including also those who, although residing there, need to move for work reasons to other territories. However, the real novelty is to be found in the expressly introduced possibility of resorting to this form of labor performance not only if it has been contemplated in the labor contract, but also in the absence of a specific agreement to that effect. It follows that, as of the entry into force of the rule just mentioned, employees in risk areas have automatically acquired the right to work in “smart” mode, albeit on a temporary basis, for the duration of the health crisis.

On the same line is the Prime Minister's Decree of 01/3/2020 implementing the measures provided for in Decree Law No. 6 of 23/2/2020, which at Art. 1, lett. l), specifying the measures adopted for the containment of virus contagion in the so-called “red zones” and suspending the performance of certain work activities, nevertheless excludes from the suspension those “activities that can be carried out in a home mode or in a remote mode”.

The gradual spread of Covid-19 has led to the extension of the above measures to the entire Italian peninsula, so much so that the same DPCM of 01/3/2020, in Art. 4 point 1 lett. a), came to provide the option of access to work in agile form with reference to “any subordinate employment relationship”, therefore also outside the so-called “red zones”. Subsequently, with the DPCM of 04/3/2020, the legislature expressly widened the narrow mesh of the applicability of smart working also “in the absence of the individual agreements provided therein”. Therefore, from the date of the decree’s entry into force, employees, consistent with the nature of the activity performed, may perform their work remotely.

With Decree Law No. 18 of 17/3/2020, the legislature also extended access to agile work to disabled workers and to those who, regardless of the existence of an employment contract, have a disabled person in their household to care for, thus further expanding the range of individuals eligible for agile work performance, with specific reference to the private sector.

In contrast, self-employed workers had to wait until 25/3/2020, when Decree Law No. 19/2020 was issued, that is, almost a month after the first protective measure, for a normative regulation of the agile work modality.

In light of the current regulatory framework, it is clear that with the Covid-19 pandemic, agile work or smart working has become a de facto mandatory mode of operation in all sectors, expanded also to the world of the professions and of banking and insurance services.

Globally, the process of expanding remote work started a long time ago, and in the most disparate sectors, but the spread of smart working has accelerated extremely rapidly, and with it the use of computer devices and digital equipment for communication between people.

This acceleration has, however, developed in an emergency situation, without organic and thoughtful planning of the aspects involved, which in some cases have even been overwhelmed by such a rapid and wide spread of an operational modality that was previously restricted to communicative aspects of ordinary administration (video conferencing, remote access in order to transfer data or documents) or to specific and specialized activities of advanced technology (remote industrial maintenance assistance), and has now become not a simple mode of information transfer, but a real tool of work activity, intended to fully involve all business operational moments in the most disparate sectors.

In essence, what used to be a possibility or an opportunity granted to workers and companies has today become an indispensable and unavoidable necessity for companies; the problems of work performance provided in smart working mode may, in a general sense and with regard to IT security issues, also concern professional or self-employment activities to which, however, the specific legislation set forth in L. 22/5/2017 No. 81 may not be applicable.

This new situation has generated – and presumably will continue to cause in the future – several critical issues in the system: while on the one hand the “historical” need for worker protection must be considered, in view of the dynamics of remote control of the activity of workers (which must be regulated contractually, pursuant to Art. 21 of L. 22/5/2017 No. 81), as well as those related to data privacy, new risk situations are induced by technological and information security issues, or “cyber security”.

It is enough to consider that a corporate network system should be structured and protected with the use of specific technologies aimed at protecting communication between corporate devices and those in use by the worker (by way of example, the limitation of access to the corporate intranet and to the “cloud”, authentication procedures, the use of unique codes, the use of highly secured digital processes), while in most cases smart working is carried out – particularly in this contingent moment – with the use of public or private digital networks, or home Wi-Fi networks, that have low levels of security and can be easily hacked.

The use of a worker's personal devices (BYOD – Bring Your Own Device) for carrying out smart working activities can be a cause of system criticality, since not only could the integrity of communications between the parties involved be affected, but the network of one of the recipients could also be compromised (consider the possibility of reaching corporate networks, and the data contained therein, through a worker's device that has inadequate levels of protection, in particular in the case of banks, public institutions, insurance companies or industries).

From the operational point of view, there exist, and are in common use, a whole series of behaviors, falling within the conducts defined as so-called “computer hygiene”, aimed at the protection of data transmitted through the computer medium, the integrity of the device (whether personal computer, smartphone or tablet) and the programs installed on it; we highlight, for example, the performance of backups, the use of complex passwords, the use and updating of antivirus systems, the sharing of data only with authorized parties, the use of virtual private networks (VPN) for the transmission of one’s data to the server, and encryption systems in e-mail.

While from the operational point of view there are generally shared indications on the procedures and precautions to be taken for the cyber security of smart working, from the regulatory point of view it is advisable to verify the existence of rules on the subject and what the possible consequent obligations for operators (companies, workers, professionals, etc.) are.

By summarily addressing the issues of cyber security (which, given the purpose of this discussion, are not examined exhaustively), we will see how specific technical standards configure actions to be taken for the protection of cybersecurity, which are therefore also applicable in the context of “smart working”.

Law No. 81 of 22/5/2017, limited to labor relations in which the parties have agreed to work in an agile work mode, provides specific obligations regarding the cybersecurity aspects of the work activity.

In fact, Art. 18 paragraph 2 of the Law provides that: “The employer is responsible for the safety and proper functioning of the technological tools assigned to the worker for the performance of the work activity”, which suggests that the only person responsible for the safety and proper functioning of the devices used for the performance of the activity in smart working is the employer, who bears every obligation related to the computer security of that activity.

This circumstance does not prevent the worker from being held liable in any case, in the event that, when using personal devices, he or she has not applied due diligence in following the instructions given regarding the manner of use of the devices and the procedures agreed upon to ensure the computer security of communications related to the performance of the work activity.

In addition to the regulations governing the employer/employee relationship, it is necessary to point out that there are other provisions that provide for obligations and involve the responsibility of companies in relation to data protection (first of all those of EU Regulation 679/2016, or GDPR) and the management of cyber security, with immediate reflection on the work activity carried out in smart working mode.

The corporate organizational upheaval that smart working is bringing about in the current pandemic situation, in terms of Digital Transformation, also imposes on corporate leadership the obligation to scrupulously and punctually address the issue of cyber security of their organizations' networks and information systems.

Fundamental legislation on cyber security is represented by Regulation (EU) 2019/881 of the European Parliament and of the Council of 17/4/2019 on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification for information and communication technologies, repealing Regulation (EU) No. 526/2013 («Cybersecurity Regulation»), which in Recital No. 2 states that: “The use of networks and information systems by citizens, organizations and businesses throughout the Union is currently widespread. Digitization and connectivity are becoming key features of a steadily increasing number of products and services, and with the advent of the Internet of Things (IoT), an extremely large number of connected digital devices are expected to be available throughout the Union in the next decade. Although an increasing number of devices are connected to the Internet, security and resilience are not sufficiently integrated by design, making cybersecurity”, while in Recital No. 3 it further explains that: “the increase in digitization and connectivity leads to greater risks related to cybersecurity, which makes society in general more vulnerable to cyber threats and exacerbates the dangers faced by people, including the most vulnerable such as children. In order to mitigate these risks, all necessary steps should be taken to improve cybersecurity in the Union in order to better protect networks and information systems, communication networks, digital products, services and devices used by citizens, organizations and businesses, starting with small and medium-sized enterprises (SMEs), as defined in Commission Recommendation 2003/361/EC, and ending with critical infrastructure operators”.

The Cyber Act emphasizes in Recital No. 8 that “cybersecurity is not only an issue related to technology, but also that human behavior is of equal importance” and consequently that “it is appropriate to vigorously promote cyber hygiene, that is, simple routine measures that, if implemented and carried out regularly by citizens, organizations and businesses, minimize their exposure to risks from cyber threats”.

Based on these premises, the Regulation, in addition to dictating the rules for the establishment and operation of ENISA, introduced the concept of “certification” of cybersecurity (Art. 46) “in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and making possible, at the Union level, a harmonized approach to European cybersecurity certification schemes in order to create a digital single market for ICT (Information and Communication Technologies, ed.) products, ICT services and ICT processes.

The European cybersecurity certification framework provides a mechanism to establish European cybersecurity certification schemes and to certify that ICT products, ICT services and ICT processes evaluated under them comply with certain security requirements, in order to protect the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed, or the functions or services offered by or accessed through such products, services and processes, throughout their life cycle”.

The principles introduced here by the Cyber Act are fundamental elements in giving effectiveness to the organizational models that companies will adopt in deference to what the international technical reference standards impose, since the principle introduced places particular importance on human behavior (active phase) for the achievement, in synergy with technical and technological tools (passive phase), of the best feasible result in terms of countering threats from cyber attacks.

And precisely in relation to human behavior and the concept of cyber hygiene, technical standardization is also an effective tool available to operators, applicable to “smart working” activity as well: in particular, it is worth mentioning ISO/IEC 27001 (Information technology — Security techniques — Information security management systems — Requirements), which aims to provide a model for defining, implementing, monitoring, reviewing, maintaining and improving an information security management system (ISMS).

With specific reference to the behaviors to be adopted to ensure information security, the cited standard provides the following actions:

“7.2 Competence

The organization must:

  • a) Determine the necessary competence for people who perform activities under its control and who influence its performance related to information security;
  • b) Ensure that these persons are competent based on appropriate education, training, or experience;
  • c) Where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; and
  • d) Maintain appropriate documented information as evidence of competence.

7.3 Awareness

Persons performing activities under the control of the organization must be aware:

  • a) Of the information security policy;
  • b) Of their contribution to the effectiveness of the information security management system, including the benefits of improving information security-related performance;
  • c) Of the implications of not complying with the requirements of the information security management system.

7.4 Communication

The organization must determine the need for internal and external communications in relation to the information security management system, including:

  • a) What to communicate about;
  • b) When to communicate;
  • c) With whom to communicate;
  • d) Who should communicate;
  • e) The processes through which communications must be carried out.”

As can be noted, these actions essentially concern human behavior, which cannot, of course, disregard the adoption and implementation of the technological tools necessary to act on computer networks and equipment, implementing the appropriate protection systems and procedures necessary to ensure their effectiveness over time.

In this last regard, and again with reference to the technical standards issued at the international level in the specific field of cyber security, it is worth noting the standards that form part of the IEC 62443 series for the cyber security of IACS (Industrial Automation and Control Systems), which in particular with 62443-3-2 provide, with punctuality and precision, terminological definitions as well as workflows for the configuration of a business process able to identify measures to protect the computer system under consideration.

The standard examines the behaviors and events that are suitable and indispensable for an accomplished examination of the critical information technology of a system, with the consequent provision of technical and behavioral measures aimed at obtaining the highest security target with respect to the conceivable threats.

In Art. 4, terms and definitions are provided for all the elements considered in the provision; among others, the following are identified: threat countermeasures, cybersecurity, data movement, SuC (System under Consideration), external network connected to the SuC, risk analysis process, residual risk, risk, security level (target security level), security perimeter, threat, threat environment, threat source, tolerable risk, risk assessed before any countermeasure is considered (unmitigated cybersecurity risk), and many other aspects that within the scope of this discussion would be overly technical and misleading.

Once the various definitions have been identified, the standard establishes two areas of cybersecurity process assessment with reference to the so-called “SuC”.

The first area covered is the workflow to establish zones, conduits and the related risk assessment; in this context some insights could be identified to analyze the critical issues that smart working activity could represent.

The following are some points from the standard relevant in this regard: section 5.2.2, identification of the perimeter and access points of the IT system under consideration; point 5.4.4 (ZCR), separation of security-related areas; point 5.4.5, separation of temporarily connected devices; point 5.4.6, separation of wireless devices; point 5.4.7, separation of devices connected through external networks.

The second concerns the workflow also indicated by IEC (PRV) 62443-3-2, which deals with the assessment of “cybersecurity risk” in its broadest sense: threat identification, identification of points of vulnerability (which smart working certainly introduces), determination of the absolute probabilities of risk, determination of the security level, determination of tolerable and residual risk and their comparison, description of the information system, and many other purely technical aspects aimed at determining security level targets and risk matrices, as well as applying the results of the assessment to determine the level of security achieved.
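As an added example (not code from the article or from the IEC 62443 standard), the following Python models the two workflows just described for a smart-working setup: devices are partitioned into zones using the separation criteria cited above (ZCR 5.4.4 to 5.4.7), then each zone's threats get an unmitigated risk, a target security level (SL-T) and a residual risk after countermeasures, which is compared with a tolerable risk threshold. The likelihood and impact scale, the SL-T mapping, the device list and the countermeasure values are constructed assumptions, not the standard's own figures.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed example SuC for a company whose staff partly work from home. The device
# flags mirror the separation criteria cited above (ZCR 5.4.4 to 5.4.7); the zone
# mapping, scales and figures are illustrative assumptions, not the standard's text.

@dataclass
class Device:
    name: str
    wireless: bool = False          # 5.4.6 wireless devices
    temporary: bool = False         # 5.4.5 temporarily connected devices (BYOD)
    external_network: bool = False  # 5.4.7 devices reached via external networks
    security_related: bool = False  # 5.4.4 security-related assets

@dataclass
class Threat:
    zone: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int      # 1 (negligible) .. 5 (production stoppage, data theft)

@dataclass
class Countermeasure:
    zone: str
    name: str
    likelihood_reduction: float  # fraction of likelihood removed; constructed

def assign_zone(dev: Device) -> str:
    """Place a device in a zone; the most restrictive criterion wins."""
    if dev.security_related:
        return "security-critical"
    if dev.external_network:
        return "external-access"
    if dev.temporary:
        return "temporary-devices"
    if dev.wireless:
        return "wireless"
    return "corporate-wired"

def partition(devices: List[Device]) -> Dict[str, List[str]]:
    """Zone-partitioning step of the workflow: zone name -> device names."""
    zones: Dict[str, List[str]] = {}
    for dev in devices:
        zones.setdefault(assign_zone(dev), []).append(dev.name)
    return zones

def target_security_level(unmitigated_risk: int) -> int:
    """Constructed mapping from unmitigated risk (likelihood x impact) to SL-T 1..4."""
    for threshold, level in ((20, 4), (12, 3), (6, 2)):
        if unmitigated_risk >= threshold:
            return level
    return 1

def assess(threats: List[Threat], countermeasures: List[Countermeasure],
           tolerable_risk: int = 6) -> Dict[tuple, dict]:
    """Risk-assessment step: unmitigated risk, SL-T, residual risk after the zone's
    countermeasures, and comparison with the tolerable risk."""
    report = {}
    for t in threats:
        unmitigated = t.likelihood * t.impact
        remaining = 1.0  # share of the likelihood left after countermeasures
        for c in countermeasures:
            if c.zone == t.zone:
                remaining *= 1.0 - c.likelihood_reduction
        residual = round(t.likelihood * remaining * t.impact, 1)
        report[(t.zone, t.description)] = {
            "unmitigated": unmitigated,
            "sl_target": target_security_level(unmitigated),
            "residual": residual,
            "acceptable": residual <= tolerable_risk,
        }
    return report

def zones_needing_countermeasures(report: Dict[tuple, dict]) -> List[str]:
    """Zones whose residual risk still exceeds the tolerable risk."""
    return sorted({zone for (zone, _), r in report.items() if not r["acceptable"]})

# Constructed sample data for a smart-working scenario.
DEVICES = [
    Device("plc-line-1", security_related=True),
    Device("office-workstation"),
    Device("remote-laptop", wireless=True, external_network=True),  # home Wi-Fi, VPN
    Device("byod-tablet", wireless=True, temporary=True),           # personal device
]
THREATS = [
    Threat("external-access", "credential phishing of a remote worker", 4, 4),
    Threat("temporary-devices", "malware on an unmanaged BYOD device", 4, 5),
    Threat("corporate-wired", "outdated antivirus on an office workstation", 2, 3),
]
COUNTERMEASURES = [
    Countermeasure("external-access", "multi-factor authentication", 0.6),
    Countermeasure("external-access", "VPN with device posture check", 0.4),
]
```

Running `assess(THREATS, COUNTERMEASURES)` shows the unmanaged BYOD zone still above the tolerable risk, which is exactly the kind of finding the comparison step of the workflow is meant to surface.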

The technical standards just referred to can be considered regulatory tools of a predominantly technical nature (even if involving human conduct) through which operators can manage the cybersecurity of work processes and of the production or provision of services (including professional services): it is necessary, however, to ask whether non-compliance with these criteria can take on legal relevance.

In other words, is there a legal obligation to apply the technical standards on cyber security? And, again, can failure to comply with technical standards aimed at countering potential cyber security breaches generate liability? A number of considerations must be made to answer these questions: the first concerns the fact that technical standards, adopted by their own definition on a voluntary basis, can assume legal relevance only if they are transposed into national legal norms, or if they have been expressly included in the contractual regulations governing a relationship between two parties, or if they express the “state of the art” at a given historical moment in relation to a given technical issue.

Therefore, except in the case of transposition into legal norms, technical norms acquire binding effect when the parties to a contract have included them in the rules of negotiation, whereby they become a characterizing and substantial element of the performance, or in any case when they are taken into account in order to assess the unlawfulness of a conduct, in which case compliance with the parameters they indicate may assume relevance in assessing the diligence of the person required to comply with them.

Hence the possibility that failure to comply with the technical standards on cyber security is a source of contractual or extra-contractual liability, with reference, in the latter case, to the general rules on tort (Art. 2043 of the Civil Code).

The second consideration concerns the legal norms that may be sources of obligations and liability with reference to aspects of computer security and/or failure to protect data.

In addition to the Cyber Security Act mentioned above, another relevant legal norm is the one dictated by Directive (EU) 2016/1148 (so-called NIS Directive), aimed at defining the measures necessary to achieve a high level of security of networks and information systems, which was transposed in Italy by Legislative Decree 18/5/2018 No. 65: the decree is aimed at Operators of Essential Services (OSEs, which are entities, public or private, that provide essential services for society and the economy in the health, energy, transportation, banking, financial markets, drinking water supply and digital infrastructure sectors) and Digital Service Providers (FSDs, which are the legal entities that provide e-commerce, cloud computing or search engine services and have their main establishment, registered office or designated representative in the national territory).

As noted, the NIS Directive deals with particular sectors, and is aimed at urging European states to organically manage cybersecurity in specific areas of production or provision of essential services, and imposes a comprehensive approach to cybersecurity, based on coordination and exchange of information among operators; it also provides for the adoption of rules that identify the actors, their obligations and responsibilities in case of violation of the provisions.

The NIS Directive, while significant in its purposes, may not have immediate relevance to the issues under discussion here: what certainly has immediate relevance even in the area of smart working are the consequences that may result in the event of a breach of cyber security or in the event of non-compliance with specific rules on data processing.

From the first point of view, the weakness of the computer system in the case of a cyber attack that has exploited the system and connection of “agile work” can cause damage to the corporate network, to the integrity of its data and to its operation, also in relation to the management of production processes (causing, for example, a production stoppage), so that the company would find its activity even partially paralyzed, or would suffer the theft of data or trade secrets of even very significant importance.

From another point of view, the company could engage in conduct that does not comply with the legal provisions on privacy (GDPR), with the risk of facing liability actions by the owners of the lost or improperly or inadequately processed data, with serious consequences from an economic point of view. Specifically, on the subject of cybersecurity in smart working, the data protection provisions concerning the security of processing (e.g., Art. 32 of the GDPR) apply, as well as the international ISO and IEC standards; alongside the aforementioned norms, the employer/processor will have to organize the activity of workers carried out in “smart” mode while also observing the regulations on remote control of workers set forth in Art. 4 of the Workers' Statute, recalled by Art. 114 of Legislative Decree 196/2003 (Privacy Code), the provisions of the Guarantor Authority for the Protection of Personal Data, and the Guidelines adopted by the European Guarantors. In compliance with the “best practices” in use in the industry, it would also be desirable for a company Policy on the use of IT tools to be established, including detailed instructions to the company's employees and collaborators, including on the implementation of smart working.

As mentioned at the beginning, the spread of agile work has led to an increase in cyber attacks; among the most recent ones it is worth mentioning the one directed at the video conferencing platform “Zoom”. Specifically, during the attack, dubbed “Zoombombing”, which lasted no more than ten minutes, hackers detected some vulnerabilities in the system such that they were able to penetrate the software and have free access to users' personal data and passwords, as well as to hack into ongoing video conferences. The detected data breach had a further negative implication, as the stolen data was transmitted to well-known social networks. In the aftermath of the incident a twofold problem emerged: on the one hand, the lack of adequate protection of personal data and privacy, and on the other, the insufficient cyber security measures employed. The platform's CEO, Eric S. Yuan, has publicly apologized, promising to fix the system's deficiencies and increase security protection.

In addition, the relevance of cyber security cannot be overlooked with reference to the extension of the liability provided by Legislative Decree 231/2001 to cyber crimes: this extension derives from a fundamental norm represented by L. 18/11/2019 No. 133 (so-called “Cybersecurity Law”), which converted into law, with amendments, D.L. 21/9/2019 No. 105 (so-called “Cybersecurity Decree”), bearing “Urgent provisions on the national cybersecurity perimeter and the regulation of special powers in sectors of strategic importance”: with this norm the so-called “National Cybersecurity Perimeter” (PSNC) was established, with the aim of ensuring an adequate level of security of networks, information systems and information services of collective interest.

The subject of cyber security has been and is becoming more and more widespread, and the Covid-19 pandemic has quickly made evident numerous critical issues in the system, including with regard to work activities carried out in smart working mode: the existing regulatory apparatus, although in a phase of considerable expansion, needs greater preventive effectiveness from the technical and legal point of view, so as to allow, through the implementation of technical and legal regulatory tools, the indication of more precise and protective lines of conduct, both for operators, companies and employees, as well as for those who generally use computer networks for the performance of their work activities, and not least the people who, in any capacity, rely on the computer security of systems for the management of their data and information.

Cristiano Cimadom

Olga Manservigi Kichitskaia
