Smart Working and Cyber Security - Operational Aspects and Legal Issues

The emergency created by the spread of the Covid-19 pandemic has imposed a radical change in social relations, at every level, due to the need to prevent the spread of the virus, through what is commonly referred to as "social distancing". At a regulatory level, government measures have been issued that have imposed the adoption of particularly restrictive behavioral measures regarding the free movement of persons and the normal conduct of commercial, professional, and industrial activities.
In a scenario in which the virus has catalyzed general attention and all efforts are aimed at facing its spread, "cybercriminals" can find ample room for maneuver, being able to take advantage of the enormous and rapid expansion of the methods of remote work.

It is therefore not surprising that in recent months there has been an exponential growth in cyber attacks. On a national level, the alarm was raised by the Italian Postal Police, which ascertained several attempts of "phishing" and "spamming" against citizens and institutions and recommended that everyone be more cautious in online operations. Also abroad, Reuters and Bloomberg agencies are paying attention to the phenomenon of computer hacking that has increased globally since the beginning of the pandemic, and are raising awareness of its potential danger.

In recent months, due to the pandemic, given the need to guarantee social distancing also in the workplace, especially in the industrial and service sectors, the distance working method, or "agile work", has greatly increased, and that is - to repeat a definition contained in Art. 18 paragraph 1 of Law 22/5/2017 n. 81 - a "method of execution of the subordinate employment relationship established by agreement between the parties, also with forms of organization by phases, cycles and objectives and without specific time or place of work constraints, with the possible use of technological tools for the performance of the work activity. The work is performed, partly inside company premises and partly outside without a fixed location, within the limits of the maximum duration of daily and weekly working hours, deriving from the law and collective bargaining ".This working method, which was practicable in the presence of a specific agreement between the company and the worker, following the spread of the Covid 19 pandemic, has become a de facto mandatory practice, as a consequence at first of the enactment of the rules on "social distancing" also in the workplace (further strengthened by the needs of protecting the health of workers) and later, also due to the suspension of the activity of many companies belonging to production sectors "not essential" for the economy national, obviously considering the emergency regime in which we find ourselves operating.

All the regulations issued at the governmental and legislative level since the beginning of the pandemic emergency refer to remote work or agile work, expanding to an ever-greater extent, the spread of this operating mode within companies. However, while it is true that doing work in agile mode is not a new concept, it is equally true that organizing and managing the entire workforce remotely is an unprecedented event. Moreover, the legislator has issued a sequence of provisions in an attempt to give more content to the meaning of "smart working", creating a real regulatory labyrinth in which it becomes quite difficult to navigate.

In particular, in Art. 2 of the Prime Ministerial Decree of 25/2/2020, whose operations were limited to the so-called "Red areas", the first reference is made to the use of "smart working" in a simplified form, ie applicable to all subordinate workers residing in the areas at risk, including therefore also those who, despite residing there, need to move for work reasons in other territories. However, the real novelty is the possibility, expressly introduced, of resorting to this form of work performance not only if it has been contemplated by the employment contract, but also in the absence of a specific agreement to that effect. It follows that, starting from the entry into force of the aforementioned rule, subordinate workers in the areas at risk have automatically acquired the right to work in "smart" mode, albeit temporarily, for the duration of the health crisis.

The DPCM 01/3/2020 implementing the measures envisaged by the D.L. n. 6 of 23/2/2020, which in Art. 1, lett. l), specifies the measures adopted to contain the virus infection in the so-called "Red zones", and by suspending the performance of certain work activities, however, excludes from the suspension itself those "activities that can be carried out in the home or remotely mode".

The progressive spread of Covid-19 has led to the extension of the measures described above to the entire Italian peninsula, so much so that the Prime Ministerial Decree 01/3/2020, in Art. 4 point 1 lett. a) has come to provide for the right to access work in an agile form with reference to "any subordinate employment relationship", therefore also outside the so-called "Red areas". Subsequently, with the Prime Ministerial Decree of 04/3/2020, the legislator has expressly expanded the narrow aspect of the applicability of smart working even "in the absence of the individual agreements provided for therein". Therefore, from the date of entry into force of the decree, employees, compatibly with the nature of the activity carried out, can work remotely.

With the D.L. n. 18 of 17/3/2020 the legislator has allowed the use of the agile work tool also to disabled workers and to those who, regardless of the existence of an employment contract, have a disabled person in their family unit to look after, further expanding, therefore, the range of subjects suitable for work performance in an agile form, with a specific reference to the private sector.

On the other hand, self-employed workers had to wait until 25/3/2020 for the D.L. n. 19/2020, almost a month after the first protection measure, for a regulatory regulation of the agile work mode.

In light of the current regulatory framework, it is clear that with the Covid-19 pandemic, agile or smart working has become a de facto mandatory operating mode in all sectors, also extended to the world of professions and banking and insurance services. On a global level, the process of expanding remote working has started a long time ago, and in the most disparate sectors, but the spread of smart working has accelerated extremely rapidly, and with it also the increasing use of IT devices and equipment. digital for communication between people.

This acceleration, however, developed in an emergency situation, without an organic and thoughtful planning of the aspects involved, and in some cases we would even say overwhelmed, by such a rapid and wide spread of an operating mode that, if previously limited to communication aspects of ordinary administration (videoconferencing, remote access in order to transfer data or documents) or for specific and specialized advanced technology activities (remote industrial maintenance assistance), has now become not a simple method of transferring information, but a real working activity tool, destined to fully involve all company operational phases in the most different sectors.

Basically, what was previously a possibility, or an opportunity granted to workers and companies, has now become an indispensable and non-postponable necessity for companies; problems related to work-performance in smart working, in a general sense, may concern, with regard to IT security problems, also professional activities or self-employment to which, however, the specific legislation referred to in Law 22/5 / 2017 n. 81.may not be applicable This new situation has generated - and presumably will cause in the future - various critical issues in the system: if on the one hand the "historical" needs for the protection of workers must be considered, in assessing the dynamics of workers in remote, (which must be contractually regulated, pursuant to Art. 21 of Law 22/5/2017 n. 81), as well as those related to data confidentiality, new risks arise with problems of a technological and IT security nature, or "cyber security ".

If we consider that a company network system should be structured and protected with the use of specific technologies, aimed at protecting the communication between company devices and those in use by the worker (by way of example, we refer to the limitation access to the corporate intranet, "clouds", authentication procedures, the use of unique codes, the use of highly secure digital processes) instead,in most cases smart working is carried out - in particular in this contingent moment - with the use of public or private digital networks, or home Wi-Fi networks that have low security levels, and which can be easily violated.

The use of personal devices of the worker (BYOD - Bring Your Own Device) for carrying out smart working activities can be a cause of criticality of the system, since not only it compromises the integrity of communications between the interested parties, but also the vulnerability of the network of one of the recipients could be compromised (think of the possibility of reaching, through the device of the worker who has inadequate levels of protection, the company networks and the data contained therein, in particular, in the case of banks, public institutions, insurance or industries).

From an operational point of view there are, and are in common use, a whole series of behaviors, falling within those behaviors that are defined as "computer hygiene", aimed at protecting the data transmitted through the computer, and the integrity of the device (both personal computer, smartphone or tablet) and the programs installed on it; for example, the execution of backups, the use of complex passwords, the use and updating of antivirus systems, the sharing of data only with authorized subjects, the use of virtual private networks (VPN) for transmission of their data to the server or encryption systems in e-mail.

If from an operational point of view, there are generally shared indications on the procedures and precautions to be adopted for the IT security of smart working, from a regulatory point of view it is advisable to verify the existence of rules on the matter and what are the possible consequent obligations for operators (companies, workers, professionals, etc.).

Briefly addressing the problems of cyber security (which given the purpose of this discussion are not examined in an exhaustive manner), we will see how specific technical standards configure actions to be taken for the protection of IT security, which are therefore also applicable in the context of "smart working ".

The Law 22/5/2017 n. 81, limited to employment relationships in which the parties have agreed to work in an agile way, provides for specific obligations regarding the IT security aspects of the work. In fact, Art. 18 paragraph 2 of the Law provides that: "The employer is responsible for the safety and proper functioning of the technological tools assigned to the worker for carrying out the work activity", which suggests that the only person responsible for safety and for the correct functioning of the devices used for carrying out the smart working activity is the employer, who is responsible for all obligations relating to the IT security of the activity.

This circumstance does not prevent the worker from being held responsible in any case, in the event that, using personal devices, he has not applied due diligence in following the instructions given on the use of the devices and the procedures agreed to guarantee IT security of communications related to the performance of the work activity. In addition to the rules governing the employer/employee relationship, it should be noted that there are other provisions that provide for obligations and involve the responsibility of companies in relation to and data protection (first of all those of EU Regulation 679/2016 or GDPR) and the management of cyber security, with an immediate impact on the work carried out in smart working mode. The corporate organizational upheaval that smart working is causing in the current pandemic situation, in terms of Digital Transformation also imposes, on the company leadership, the obligation to deal scrupulously and punctually with the issue of IT security of the networks and information systems of their own organizations. Fundamental standard on cyber security is represented by Regulation (EU) 2019/881 of the European Parliament and of the Council of 17/4/2019 relating to ENISA, the European Union Agency for cybersecurity, and to the certification of cybersecurity for information and communication technologies, and repealing regulation (EU) no. 526/2013 («regulation on cybersecurity»), which in recital no. 2 states that: "The use of networks and information systems by citizens, organizations and businesses across the Union is currently widespread. Digitization and connectivity are becoming key features of an ever-increasing number of products and services, and with the advent of the Internet of Things (IoT), a number should be available across the Union over the next decade. extremely high number of connected digital devices. Although an increasing number of devices are connected to the Internet, security and resilience are not sufficiently integrated into the design, which makes cybersecurity inadequate ", while in recital no. 3 further explains that: "The increase in digitalisation and connectivity entails greater risks related to cybersecurity, which makes society in general more vulnerable to cyber threats and exacerbates the dangers to which people are exposed, including the most vulnerable such as minors. In order to mitigate these risks, all necessary measures should be taken to improve cybersecurity in the Union in order to better protect information networks and systems, communication networks, digital products, services and devices used by citizens from cyber threats, organizations and enterprises, starting from small and medium-sized enterprises (SMEs), as defined in Commission Recommendation 2003 \ 361 \ EC, up to critical infrastructure managers ”.

The Cyber ​​Act points out to recital n. 8 that "cybersecurity is not only an issue related to technology, but also that human behavior is of equal importance" and consequently "it is appropriate to vigorously promote cyber hygiene, that is simple routine measures that, if implemented and carried out regularly by citizens, organizations and businesses, minimize their exposure to risks deriving from cyber threats “.

On the basis of these premises, the Regulation, in addition to dictating the rules of constitution and functioning of ENISA, introduced the concept of "certification" of cybersecurity (Article 46) "in order to improve the operating conditions of the internal market by increasing the level of cybersecurity within the Union and making possible, at Union level, a harmonized approach of the European cybersecurity certification systems with the aim of creating a digital single market for ICT products (Information and Communication Technologies), ICT services and ICT processes. The European Cybersecurity Certification Framework provides for a mechanism to establish European cybersecurity certification schemes and to certify that ICT products, services and ICT processes assessed within them comply with certain security requirements in order to protect availability, authenticity, integrity or confidentiality of the data stored, transmitted or processed or the functions or services offered by such products, services and processes or accessible through them throughout their life cycle ”.

The principles introduced here by the Cyber ​​Act represent fundamental elements to provide effectiveness to the organizational models that companies will adopt in compliance with what the international technical standards of reference impose since the principle introduced places particular importance in human behavior (active phase) for the obtaining, in synergy with the technical and technological tools (passive phase), the best feasible result in terms of contrasting the threats from cyber attacks.And precisely in relation to human behavior, and the concept of IT hygiene, technical standardization also represents an effective tool available to operators, also applicable to "smart working" activities: in particular, it is appropriate to mention the ISO-IEC standard 27001 (Information Technology - Security Techniques - Information security management systems - Requirements), which aims to provide a model for defining and implementing, monitoring, reviewing, maintaining and improving an information security management system (ISMS).

Precisely with reference to the behaviors to be adopted to ensure IT security, the aforementioned standard provides for the following actions:
7.2. Competence
The organization must:
a) Determine the necessary skills for the people who carry out activities under its control and which influence its performance related to information security;
b) Ensure that these individuals are competent on the basis of appropriate education, training, training or experience;
c) Where applicable, take actions to acquire the necessary expertise and evaluate the effectiveness of the actions taken;
d) Maintain appropriate documented information as evidence of skills.

7.3 Awareness
People who carry out activities under the control of the organization must be aware of:
a) The information security policy;
b) Its contribution to the effectiveness of the information security management system, including the benefits of improving information security performance;
c) The implications of not complying with the information security management system requirements

7.4 Communication
The organization must determine the need for internal and external communications in relation to the information security management system, including:
a) What to communicate about;
b) When to communicate;
c) With whom to communicate;
d) Who must communicate;
e) The processes through which communications must be made ".

Clearly, these actions essentially concern human behavior, which naturally cannot ignore the adoption and implementation of the technological tools necessary to act on the networks and IT equipment, implementing the adequate protection systems and the procedures necessary to guarantee their effectiveness in time .

Precisely with reference to the technical standards issued internationally in the specific sector of cyber security, attention must be given to the standards that are part of the IEC 62443 standards, for the IT security of IACS systems (Industrial Automation Control Systems) which in particular with the 62443-3-2 supply with punctuality and precision terminological definitions as well as workflows for the configuration of a business process that is able to identify the measures aimed at protecting the information system under consideration.

The standard examines the suitable and indispensable behaviors and events for a thorough examination of the IT criticalities of a system with the consequent provision of technical and behavioral measures aimed at obtaining the highest security target against hypothetical threats.

Art. 4 provides terms and definitions of all the elements considered in the provision among others: countermeasures to threats, cybersecurity, data movements, Suc (System under Consideration), external network connected to the SUC, risk analysis process, residual risk , risk, security level (target security), security perimeter, threat, threat environment, source of the threat, tolerable risk, risk assessment before considering a countermeasure (unmitigated cybersecurity risk) and many other aspects that of this discussion would be excessively technical and misleading.

Once the various definitions have been identified, the standard establishes two areas of evaluation of the IT process with reference to the so-called "SuC".The first area covered is the workflow for establishing zones, conduct and risk assessment; in this context, some ideas could be identified to analyze the criticalities that the smart working activity could represent.

Some points of the relevant regulations in this sense are mentioned below:

Point 5.2.2.Identification of the perimeter and access points of the computer system considered; point 5.4.4 ZCR Separation of safety-related areas; point 5.4.5 Separation of temporarily connected devices; point 5.4.6 Separation of wireless devices; point 5.4.7 Separation of devices connected via external networks.

The second concerns the work flow indicated by IEC (PRV) 62443-3-2, which deals with the assessment of the "cybersecurity risk" in its broadest sense: identification of threats, identification of vulnerability points (smart working certainly notes), determination of the absolute risk probabilities, determination of the level of security, determination of tolerable and residual risk and their comparison, description of the IT system and many other aspects of a purely technical nature aimed at determining the targets of the security level, the risk matrices and apply the results of the assessment to establish the level of safety achieved.

The technical standards referred to above can be considered the regulatory instruments of a mainly technical nature (although involving human conduct) through which operators can manage the IT security of work, production or service processes (including professional ones): however, it is necessary to ask yourself if the non-compliance with these criteria can assume relevance from a legal point of view.

In other words, is there a legal obligation to apply the technical rules on cyber security? And, again, can the failure to comply with the technical standards aimed at countering potential cyber security violations generate responsibility?

To answer these questions it is necessary to make some considerations: the first concerns the fact that the technical standards adopted themselves, on a voluntary basis, can assume legal relevance only if they are transposed by national legal regulations or if they have been expressly included in the contractual regulation that governs a relationship between two subjects or if they express the "state of the art" at a given historical moment in relation to a specific technical problem. Therefore, except in the case of transposition into legal regulations, the technical standards acquire binding effect in the event that the parties to a contract have included them in the negotiating regulation, so that they become a characterizing and substantial element of the performance or in any case if taken into consideration in order to assess the illegality of a conduct and compliance with the parameters indicated by them may assume relevance in terms of assessing the diligence of the subject required to comply with them.

Hence the possibility that failure to comply with the technical rules on cyber security may be a source of contractual or extra-contractual liability, with reference to the general rules on civil offenses (Art. 2043 of the Civil Code .).

The second consideration concerns the legal rules that can be sources of obligations and responsibilities with reference to the aspects of IT security and / or the lack of data protection.

In addition to the Cyber ​​Security Act mentioned above, another relevant legal rule is Directive (EU) 2016/1148 (so-called NIS Directive), intended to define the measures necessary to achieve a high level of security of networks and informative systems, which was implemented in Italy with Legislative Decree 18/5/2018 n. 65: the decree is aimed at Operators of Essential Services (OSE, which are public or private entities that provide essential services for society and the economy in the health, energy, transport, banking and market sectors financial, drinking water supply and digital infrastructures,) and Digital Service Providers (FSDs which are legal entities providing e-commerce, cloud computing or search engine services, which have their main establishment, registered office or designated representative on the national territory).

As you can see, the NIS Directive concerns particular sectors, and is aimed at soliciting European states to an organic management of information security in specific production areas or supplies of essential services, and imposes a global approach in the field of information security, based on the coordination and exchange of information between operators; it also provides for the adoption of rules that identify the subjects, their obligations and their responsibilities in case of violation of the provisions.

The NIS Directive, although significant in its purposes, may not have immediate relevance for the issues covered by this discussion: what certainly has immediate relevance also in the field of smart working are the consequences that may arise in the event of a cyber security violation or in case of non-compliance with specific rules on data processing.

From the first point of view, the weakness of the IT system in the event of an IT attack that has exploited the system and the "agile work" connection, can damage the company network, the integrity of its data, its functioning also in relation to management of production processes (causing, for example, a production stoppage), for which the company would either see its activity paralyzed, even if only partially, or suffer the theft of data or industrial secrets of even very significant importance.

From another point of view, the company could adopt a conduct that does not comply with the provisions of the law on privacy (GDPR), with the risk of suffering liability actions by the owners of lost data or unduly or not adequately processed with serious consequences from an economic point of view. Specifically, with regard to cybersecurity in smart working, the regulatory provisions on the protection of personal data concerning the security of processing (eg Art. 32 of the GDPR) as well as the international standards ISO and IEC have particular importance; alongside the aforementioned rules, the employer / data controller must organize the workers' activity carried out in "smart" mode, also observing the regulations referred to in Art. 4 of the Workers' Statute, referred to in art. 114 of Legislative Decree 196/2003 (Privacy Code), the provisions of the Authority for the protection of personal data as well as the guidelines adopted by the European Guarantors. In compliance with the "best practices" in use in the sector, it would also be desirable that a company policy be established on the use of IT tools, which includes detailed instructions to employees and collaborators of the companies also on the implementation of smart working.

As mentioned at the beginning, the spread of agile work has led to an increase in cyber attacks, among the most recent ones it is worth mentioning the one directed at the "Zoom" videoconferencing platform. Specifically, during the attack, called "zoom boombing" which lasted no more than ten minutes, the hackers detected some system vulnerabilities that allowed them to penetrate the software and have free access to personal data and passwords of users , as well as to join the videoconferences in progress. The data breach detected had a further negative implication, since the stolen data were transmitted to well-known social networks. Following the incident, a twofold problem emerged: on the one hand, the lack of adequate protection of personal data and privacy, on the other, the inadequacy of the cyber security measures used. The CEO of the platform, Eric S. Yuan, has publicly apologized and promised to fix the deficiencies in the system and increase security protection.

Furthermore, the relevance of cyber security cannot be ignored with reference to the extension of liability provided for by Legislative Decree 231/2001 to computer crimes: this extension derives from a fundamental rule represented by Law 11/18/2019 n. 133 (so-called "Cybersecurity Law"), which converted into law, with amendments, the Legislative Decree 21/9/2019 n. 105 (so-called "Cybersecurity Decree"), containing "Urgent provisions regarding the perimeter of national cyber security and the regulation of special powers in sectors of strategic importance": with this rule, the so-called "national cyber security perimeter" ( PSNC), with the aim of guaranteeing an adequate level of security of networks, IT systems, and IT services of collective interest.

The subject of cyber security has had and is having an increasingly widespread diffusion, and the Covid pandemic -19 has rapidly highlighted the system’s criticalities, also with regard to work performance in smart-working carried out in smart working: the existing regulatory frame, is in considerable expansion and in need of greater efectiveness from a technical and legal point of view, in order to allow, through the implementation of regulatory, technical and legal instruments, the indication of more precise and protective both for operators, companies and employees, and for those who generally use computer networks to carry out their work activities and, last but not least, people who, for whatever reason, trust in IT security of the systems for the management of their data and information.

Bologna - Parma, April 17, 2020

Avv. Giorgio Caramori – Studio Legale de Capoa e Associati – Bologna – g.caramori@clex.it
Avv. Cristiano Cimadom – Studio Legale Associato Cimadom – Pasquazzi – Parma - c.cimadom@studiolegalecmp.it
Avv. Olga Manservigi Kichitskaia – Studio Legale de Capoa e Associati – Bologna – avv.olgamanservigik@gmail.com