Clifford Chance

Italy is at the forefront of the use of certified e-mail (posta elettronica certificata or PEC), an e-mail system that – similarly to registered mail (raccomandata con avviso di ricevimento) – confers legal value as to (i) the date a message was sent/received and (ii) the content of the message. In many cases, evidence in court and service of pleadings can rely on registered email systems working properly. Considering the value at stake, it is no surprise that the Italian Data Protection Authority recently took a close look to one of the most used registered email services and tested its cybersecurity measures.

Following several users' complaints regarding alleged data breaches and identity thefts involving the registered email accounts of Aruba Posta Elettronica Certificata S.p.A. (Aruba PEC) – an Italian hosting provider used by more than six million public and private users, the Italian Data Protection Authority (IDPA) opened an investigation.

If you name your business after a Caribbean island, you should be prepared to ringfence your users from the outer pirates, Italian Data Protection Authority (more or less) says

In its decision dated 18 December 2019, published on 6 March 2020, the IPDA ordered Aruba PEC to implement urgent remedial actions aimed at ensuring the security of its users' personal data, on grounds that the IPDA's investigation revealed certain serious flaws in the security systems implemented by Aruba PEC.

In particular, the IDPA identified certain flaws regarding (i) security management of users' sign-in process, and (ii) access management of the log files of the messages exchanged through Aruba PEC's website, as follows

• Sign-in process: The IDPA found that, subsequently to the user signing up to Aruba PEC, the system generated an automatic password of eight characters, without setting particular rules to be followed by users in relation to the content or length of the password. Neither did the system require users to immediately change the password at their first access to the website, nor to update it on a regular basis.
• Log files: Aruba PEC also provides users an online platform – "PEC log" – storing log files. The IDPA found that these files were available not only to users, but also to a number of Aruba PEC system administrators, who accessed the platform by using the same authentication credentials assigned to the individual user. The IDPA identified a risk of a wide range of individuals being in a position to access the user's instant messages and export them without the user knowing it.

According to the latest report issued by the Italian association for cyber security, Clusit, 60% of all cyber security attacks involve a weak or stolen password. Changing the password regularly reduces the risk of exposure and avoids a number of dangers

The IDPA concluded that the above settings mined the security of the Aruba PEC users. In particular, the absence of a mandatory password changes in the Aruba PEC's system exposed users' data to the risk of unauthorised access to their email accounts and, definitely, to their personal data.

Furthermore, the security of users' personal data was affected by the too permissive access system to the log files. In particular, log files pertaining to certified emails provide important insights into message delivery, error messages, identification code, subjects and date and time of messages, sender's and recipient's details. Moreover, information contained in log files can be of a sensitive nature and give valuable guidance to attackers or expose sensitive user information.

Simple actions to enhance cybersecurity and mitigate liability risks

In light of the above, the IDPA ordered Aruba PEC to:

• require users to regularly change their password;
• prevent a widespread access to "PEC log," ensuring that each user must be given his/her/its own password;
• minimise log data, by ensuring that log files include only the essential information to provide for the security of the system and the activities carried out by users; and
• secure stored logs to make sure they are not maliciously altered by cybercriminals.

This decision confirms that the European supervisory authorities are paying greater attention to the security of information and systems implemented by data controllers. The IDPA recalls that the GDPR enhanced the protection of personal data, imposing requirements on data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the rights and freedoms of natural persons.