Author

Link to the previous article: Cloud: how to evaluate a contract - A lawyer's advice

If you are planning to use a Cloud service, then pay attention to certain aspects. In the previous issue we covered contractual clauses. Today we’ll deal about privacy defense.

Privacy and data protection by part of a Cloud Provider is one of the most delicate topic when agreeing on a contract. When choosing a cloud service, you authorize the provider to manage your data (your own or your clients’), in addition to let them on the provider’s infrastructure.Needless to say that it’s very important to understand, when choosing the provider, what kind of rules he’s subject to, what kind of guarantees he must provide and how he can manage your data, also on a privacy perspective.

A recent study conducted by ABI and CIPA called “Rilevazione sull’IT nel sistema bancario italiano – Il cloud e le banche. Stato dell’arte e prospettive” (“Identification of IT in the italian banking system - Cloud and banks. State of the art and perspective”), published in May 2016, revealed that the guarantees about privacy and data security are of fundamental importance by 100% of the interviewed (on par with experience in the sector, and much more than any other factor). On the other hand, only in half the cases banks have found a correspondece in the service offered by providers, which signals that the topic is important and requires an in-depth analysis.

It’s safe to know that using Cloud services might bring some problems. Let’s start to see together some contractual aspects we must take particular care.

Who means to use, for his own activity, whichever Internet service that belong to the definition of Cloud, faces several aspects: from the content of the contract and the management of data by the provider, to the loss of data transferred outside the walls on their security. Very interesting and interwoven profile, which require a meticulous reflection in particular from a legal standpoint.

The first important aspect is the contract you are about to stipulate with the cloud provider, the agreement that will regulate the relationship. It’s a contract that, in our code, doesn’t have a typical discipline in the civil code (codice civile) or in some special law: it’s an atypical contract and, because of that, you must read it carefully as it contains the primary regulamentation of the relationship and responsibilities. The most probable hypothesis is that you can choose between predefined contractual offerings: a cloud computing contract is usually defined by the provider according to standard contractual models (the so-called “general terms of contract”) which can be hardly negotiated.
Let’s see some of the main clause you must pay attention while choosing a provider and subscribing a contract. Read more Cloud: how to evaluate a contract - A lawyer's advice

Perhaps you did underestimate them, but all virus, and in particular, the more recent Ranswomare that steal your data and ask for a ransom, are against the law. Let’s see how to behave, and let’s understand when and if filing a complaint.

As a technician, expert, IT manager or consultant you’ve maybe given advice to your colleagues, friends and clients by facing legal questions related to the IT world with a practical approach, using some common sense. Unfortunately that could not be the best way to follow, at least if you want to avoid risks, damages or consequences on your activity.

Warning: while the reflections contained in this article apply to Italian law, they may or may not apply to other laws. Each specific italian term is specified in parenthesis for a better understanding.

All malware -that is, harmful software that snake into computers and IT systems to steal information, open ports for remote control and other perils, or encrypt data with an extortion aim- clearly violate the italian juridical system and who spreads them commits a crime which is subject to sanctions according to our penal code (codice penale, c.p.). In particular, there is not only an abusive access to an IT or telematic system (ex art.615 ter c.p.), but also the diffusion of devices or programs with the specific fraud (that is, consciously) of damaging, interrupting or altering any IT or telematic system, and we can also face the criminal hypothesis of art.615 quinquies c.p.; if a “damagement of information, data and programs” is present, the crime is condemned by art.635 bis c.p. with a basic punishment of detention for 6 months to 3 years, complaint presented, with respect to art.124 c.p., within 3 months to the news of the crime (otherwise, prosecution cannot be advanced).

But things worsen if we deal with the recent threats brought by ransomware, virus that encrypt files and ask for a ransom in order to have decryption keys. In this case it’s a crime, still not specified in the IT world, of extortion, which is regulated by art.629 c.p., in accordance with the indications given by the Ministry of Justice (Ministero della Giustizia). The crime of extortion if committed by “whoever, by means of violence or threat, obliging someone to do or omit something, gains himself or others an unfair profit with damage to a third party.” From that it would derive stricter penalties to the responsibles (basic penalty is detention from 5 to 10 years and a fine from 1.000 to 4.000€), in addition the crime to being prosecutable ex officio. Moreover, it would also derive, from the transfer of money of the ransom payment, the crime of laundering (riciclaggio) ex art.648 bis c.p. in charge to who has received and “used” money.

How to behave if hit by malware or ransomware?