Categories: Cyber Crime, Security

The Internet of Things and Cybercrime – what risks?

Analysis of the compliance measures to be put in place in order to face data protection issues affecting the Internet of Things.

The Internet of Things is expected to lead to 50 billion connected devices by 2020 collecting and exchanging personal data about their users, their lives, their preferences and tastes. This will lead not only to significant data protection issues, but also to increased cybercrime-related risks, triggering the need to ensure a higher level of cyber security.

I have already covered in this post the compliance measures to be put in place in order to face data protection issues affecting the Internet of Things. However, as covered in this post from my friend Pierluigi Paganini, the Internet of Things is likely to create new opportunities for hackers able to go beyond the security measures implemented, for instance, in wearable technologies or eHealth systems, leading to cybercrimes.

This issue has recently been addressed by the Italian Government, which adopted the National Plan on Cyber Security whose purpose is, among others, to amend cybercrime provisions so that they are better tailored to new technologies, which certainly include crimes involving unauthorized access to BIG DATA and personal data collected through Internet of Things technologies.

In addition to the above, a potential cybercrime deriving from access to personal data stored in a database, including for instance health-related data gathered by means of wearable technologies, but also data collected by companies such as manufacturers of cars, home appliances, eHealth or telemedicine technologies and even banks, can lead to liabilities also for the entities acting as controllers of such databases. And in such circumstances, in accordance with the Italian privacy law, the burden of proving that all the possible security measures necessary to prevent the occurrence of the cybercrime were adopted will be on the data controller itself, creating a scenario that in some cases can be defined as a “probatio diabolica”.

Also, in case of the so-called data breach (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data in a database), the obligation to notify the Data Protection Supervisory Authority currently falls only on providers of electronic communication services. However, it will become an obligation for any data controller, i.e. any entity running a database of personal data, as a consequence of the coming into force of the new EU data protection regulation already approved by the European Parliament. And this extension will be coupled with an increase of sanctions for breach of data protection regulations up to 5% of the global turnover of the data controller’s group.

Such obligations will raise concerns not only for European companies, but also for non-European companies, such as American entities collecting personal data of European users, because the new European data protection regulation will apply to any entity processing personal data of users located in the European Union.

According to estimates, there were 1,150 cybercrime attacks globally in 2013, of which 35 in Italy, leading to annual damages between € 20 and € 40 billion in Italy. Given such circumstances, it is not surprising that insurance policies covering cybercrimes are becoming very popular. The growth of the Internet of Things and the increased reliance of companies on BIG DATA and, in general, on large databases creates a risk against which companies are more and more deciding to get insurance protection.

Likewise, the fact that Italian law provides for corporate criminal liability in relation to cybercrime conduct pushes companies to adopt the so-called internal corporate model of organization and management of the company outlined in this post, in order to minimize liabilities in case of a cybercrime leading to the loss, alteration or destruction of their customers’ data. This is relevant not only for gaming operators, but for companies acting in any sector.

The issue above will become more and more relevant in the coming years and, as usual, feel free to contact me, Giulio Coraggio, to discuss. Also, if you want to receive my newsletter, please join my LinkedIn Group or my Facebook page. And follow me on Twitter and Google+ and become one of my friends on LinkedIn.

Giulio Coraggio

Security Affairs – (cybercrime, Internet of Things)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
