Library Systems Report 2019 – American Libraries


The library technology industry, broadly speaking, shows more affinity toward utility than innovation. Library automation systems are not necessarily exciting technologies, but they are workhorse applications that must support the complex tasks of acquiring, describing, and providing access to materials and services. They represent substantial investments, and their effectiveness is tested daily in the library. But more than efficiency is at stake: These products must be aligned with the priorities of the library relative to collection management, service provision, and other functions.

Outdated automation systems can reinforce work patterns that no longer reflect priorities as core library activities change. Bursts of innovation can create new products better aligned with current library realities. The products that emerge out of these creative booms then become mainstays that support the next phase of library operations. The academic library sector can be seen as a cycle of innovation that began eight years ago with the inception of an automation product substantially different from previous systems. The trajectory of innovation for public and school libraries has followed a different course, characterized by incremental change layered on top of longstanding systems with aging architectures.

The state of the industry

The library technology field continues to see modest growth overall, though that growth is unevenly distributed among companies. Large companies with expanding portfolios of products and services are giving new shape to the landscape. Despite the dominance of a few globally diverse and large companies, midsized and small companies continue to hold their own and in some cases thrive. Massive companies such as Follett, ProQuest/Ex Libris, and EBSCO represent formidable competition for any challenger in their markets. SirsiDynix and Innovative Interfaces continue to retain and attract diverse libraries to their evolving integrated library system (ILS)–centric product portfolios.

It’s a complex industry, with different business and technology trends running simultaneously, often along divergent paths. Economic prospects are low risk, with adequate room for new business opportunities. It is an industry of established companies and few start-ups. It resists new entrants or even the advancement of local or regional companies to the global sphere. The global market for library companies must be seen in the context of client saturation. Almost all libraries that fall within the ranks of eligible customers have at least some level of automation infrastructure in place. In such a zero-sum economy, the success of one company comes at the direct expense of another.

The cost and difficulty of changing systems lead libraries to keep existing systems unless they have strong vendor or product dissatisfaction, or they think certain technologies better align with their goals. Ex Libris and OCLC have capitalized on the latter, fueling a decade-long migration cycle of academic libraries away from legacy, print-centered ILS products to a library services platform (LSP) designed to manage complex multiformat collections.

Follett’s products designed for school libraries carry the same characteristics. Destiny dominates the US public school library market to an extent unmatched in any other sector—its market share is five times that of its nearest competitor. And Follett’s economic weight extends beyond library systems. It’s a significant supplier of content products for libraries, for the classroom curriculum, and for student information systems for district administration.

The slate of competitive products in some sectors has become uncomfortably narrow, though none has claimed a monopoly. Even lesser competitors exert pressure to moderate pricing and spark innovation. Once a library implements a new automation system, it will probably not be back in the buying market for a decade or two. As a result, vendors can’t rest on their laurels, since libraries demand sustained improvement cycles for technology products in which they have already invested.

Sales performance

Ex Libris was the leader in 2018 sales, reporting 115 new contracts representing 448 individual libraries for its Alma LSP. The 113 licenses for Primo indicate that almost all new Alma selections were paired with Ex Libris’s own discovery service. New category products, including Leganto with 46 new sales and Esploro with 10 sales, further bolstered the company’s position. OCLC’s WorldShare Management Services provided competition at a lower sales level, with 53 new licenses signed this year. In the ILS category, SirsiDynix made 107 deals for Symphony, many of them to multibranch libraries. BLUEcloud product sales were strong, including 83 for Enterprise, 64 for BLUEcloud Analytics, 58 for BLUEcloud Mobile, and 23 for Portfolio. These figures for the premium products include BLUEcloud modules available without cost to its ILS customers. ByWater Solutions added 43 new Koha service contracts representing 225 libraries, demonstrating the strong competitive position of open source technology when backed by solid support arrangements. Follett placed Destiny into 4,507 additional school libraries in its continued dominance of that sector. In the small library sector, Book Systems made 145 new sales.

Innovation and evolution

The current innovation cycle in the academic sector began about a decade ago, in response to the fundamental shift toward electronic resources. The new generation of LSPs has succeeded considerably in its promise to introduce business infrastructure aligned with the new proportionality of electronic, digital, and print resource management. These products dominate current migration selections, and defections have been negligible.

Cycles of innovation in the library technology industry turn slowly. The launch of a new technology, even if well conceived and well executed, will be tried out by a handful of early adopters who are usually aligned with the vendor’s vision. If these implementations succeed, a sales cycle may ensue. The early sales and adoption period validates the viability of the product. Some have failed, notably Intota and Kuali OLE. But the few that find traction can see significant opportunities. Alma and WorldShare Management Services fall in this category, and both entered a cycle of adoption in 2012 that has continued unabated, though at different levels.

The trajectory of new products follows a distinct arc: It takes at least two or three years for products to become established enough to find their way into current procurement processes. Risk-averse libraries observe from the sidelines during the shakeout period of new offerings. Early success can lead to mainstream adoption and to a growing sales cycle that may swell over the course of more than a decade. As a case in point, from its introduction in 2012 until 2014, Alma was considered risky among academic libraries, which were skeptical it would live up to promises of more efficient resource management. Since then, Alma has become the conservative choice, due to its growing prevalence in that community and its functional capabilities. Libraries using Alma do not necessarily rave about its features, especially since it goes against the grain of many long-established work patterns.

Finding economic opportunities requires conceiving and developing products beyond core systems. These products can target new interests within or beyond the library and fill in gaps not yet addressed.

Overdue: web-based interfaces

One key focus of development for ILS products for the last few years has been upgrading web-based interfaces on software applications installed on library personnel computers. The maintenance of staff-facing clients has been a longstanding pain for libraries using ILS products. The transition to web interfaces is long overdue and unfortunately consumes much of the development capacity of the vendors at the expense of creating new functionality or services.

The path from graphical to web interfaces isn’t trivial. Graphical interfaces offer rich, mature functionality with good ergonomics and efficiency. Creating web-based interfaces with the same qualities has been a major challenge, with most of the recent development not yet reaching a break-even point relative to incumbent workstation-based clients.

Examples of retrofitting existing products with web interfaces include the BLUEcloud Suite from SirsiDynix, Innovative’s new interfaces for Sierra and Polaris, and Spydus from Civica, which will be fully web based in its latest release. A web-based client for Evergreen introduced in version 3.2 will be the standard for development going forward.

Products with web interfaces have an advantage and can focus development on new functionality. Koha, for example, has had web interfaces for both staff functions and its catalog since its initial release in 1999. Apollo likewise was web based from its inception in 2006, and LSPs Alma and OCLC’s WorldShare Management Services have web interfaces for all staff features, as does open source LSP FOLIO.

Discovery

Discovery products continue to represent an important category, though one of somewhat diminished strategic value. During the initial phase of index-based discovery products beginning in 2009, these offerings were able to drive the direction of a library’s technology investments. Success in placing Primo, Summon, or EBSCO Discovery Service increased the likelihood that a library would eventually acquire other more strategic products from that vendor. Today the tables have turned.

Index-based discovery products are perceived as less differentiated from each other and of more modest strategic value. Each of the discovery services reasonably covers the body of scholarly and professional literature of interest to libraries. Important differences can be seen in interface features and retrieval algorithms. The current trend of product bundling translates into strong sales for Primo, riding on the coattails of Ex Libris’s Alma. But these products have not made a dent in the reality that most researchers rely on Google Scholar or disciplinary indexes more than library-provided discovery services. These products remain in the must-have category, with academic libraries almost universally featuring a single search box powered by one of these index-based discovery services on their websites.

Multisector players

SirsiDynix, a company built through multiple rounds of mergers and acquisitions, offers a diverse portfolio of technology products. It has operated under several owners, passing in 1999 from private founder owners to venture capital firms to (in 2007) Vista Equity Partners, which sold the company to ICV Partners in 2014.

SirsiDynix is the largest of the ILS companies, with a workforce of 391. The size of its postmerger workforce peaked in 2014 at 421 and has gradually slimmed down in the following years. While SirsiDynix can be considered a large company compared to other ILS providers, it is midsized in comparison to diversified organizations like ProQuest, EBSCO, and Follett.

SirsiDynix products have been implemented by all types of libraries. This strategy puts the company in competition with specialist companies like Follett for school libraries and Ex Libris for academics. Even in light of stiff competition, SirsiDynix products are a strong presence in the industry. Symphony had its highest number of installations in 2016 at 2,573 libraries and has slipped only slightly to the 2,498 reported for 2018. SirsiDynix reported 107 contracts for Symphony in 2018. Major sales included the London Libraries Consortium, serving 17 library authorities in and around London and spanning more than 150 branch libraries. SirsiDynix made 17 sales of Horizon, mostly extending existing installations to additional libraries. The number of libraries using Horizon peaked in 2007, just after the company’s takeover by Vista Equity Partners.

SirsiDynix continues to market and develop EOS.Web (a web-based ILS for special and smaller academic libraries), which it acquired in 2013. Installations of EOS.Web peaked in 2014 at 1,137 and have declined slightly since.

Development of the BLUEcloud Mobile app has been a priority, with new functionality—including options for full account management, hold placement, item renewal, enhanced discovery, and viewing of ebooks and other digital content—expected in an upcoming release. SirsiDynix continued development of BLUEcloud Circulation in 2018.

The company launched its Community Engagement Platform based on automated marketing to help a library communicate events, programs, newsletters, and other content to patrons, targeting areas of interest and other factors.

SirsiDynix’s core product strategy centers on developing BLUEcloud as a modern interface that delivers the existing functionality of Symphony and Horizon, as well as additional capabilities beyond the conventional ILS. This plan enables existing customers to adopt modern technology at their own pace without having to replace core systems and migrate data. SirsiDynix is working toward a more complete development of BLUEcloud in which most of its customers will use those interfaces rather than the staff clients of their Symphony or Horizon ILS. The company anticipates reaching that goal in the next few years and reports that more than 2,000 libraries use at least one BLUEcloud module in production.

The BLUEcloud Suite sees the strongest sales trends. These modules will be part of almost any product bundle for new customers, though the largest portion of sales goes to existing customers. In 2018, 44 existing customers licensed BLUEcloud Analytics, and 20 were part of new client deals. Of the 35 sales for eResource Central, 22 were to existing sites; the 83 contracts for the Enterprise discovery interface went to 57 existing customers and 26 new ones.

Innovative Interfaces offers multiple ILS products, including the Sierra and Polaris ILS. Its legacy products Millennium and Virtua, though not actively developed, continue to be supported and have a substantial number of remaining installations.

Innovative did not supply a detailed response to the vendor survey but instead provided a narrative response of its general accomplishments and plans. In the absence of verifiable data, analysis of this company cannot be as thorough. It reported several major contracts, such as one for Sierra to the Consortium of Icelandic Libraries, serving 300 libraries in the country, including the National Library and Reykjavik University. Libraries moving to Polaris include Whatcom County (Wash.) Library System, St. Charles City-County (Mo.) Library, Tippecanoe County (Ind.) Public Library, Bloomington (Ill.) Public Library, and Parkland Regional Library in Alberta.

Innovative was also subject to academic library losses in 2018, including 29 Sierra institutions that signed with Alma, such as Baylor University; many in California’s Community College League consortium; the University of Houston; and the University of Sydney. Fifty-two Millennium libraries selected Alma in 2018.

To counter competition in the academic sector, Innovative has begun an ambitious effort to develop a next-generation environment, offering characteristics not found in other products. This new platform will be based on a context engine built on linked data concepts and BIBFRAME. The context engine follows a multidimensional data model that can make connections with library data within the platform as well as with external sources. Innovative reports that it has completed the initial version of Innovative Inspire, a discovery service powered by the company’s new Context Engine that offers capabilities such as contextual browsing and its graphical Context Wheel for exploring connections among resources.

The company notes that Innovative Inspire is now available, but it did not mention specific libraries that have implemented it. The company also continues to enhance Sierra, Polaris, Encore, and its other active products. Innovative has achieved ISO 27001 certification and this year implemented General Data Protection Regulation compliance for patron security and privacy.

Open source businesses and strategies

Library systems based on open source software rather than proprietary licenses continue to grow. In the US and other economically advantaged regions, most adoptions of open source ILS products are based on commercial support arrangements, which provide comprehensive services for hosting, migration, implementation, and product support. Open source ILS implementations currently represent about 14% of ILS installations in the US and 6% of academic libraries. These libraries are mostly small to midsized, with a smattering of larger institutions.

Business configurations differ for companies providing services for open source products from those involved with proprietary software. Companies offering proprietary solutions are responsible for each aspect of product development and enjoy exclusive control and financial benefit. For these companies, the software represents an important corporate asset. The business model includes software licensing and fees for hosting, support, and other services.

The open source arena relies solely on a services-based economy. Organizations cannot claim ownership of the software but rather provide support services for the free software their clients use. These services make open source products accessible to libraries without in-house technical expertise. While most of the organizations involved in open source support have some involvement in the technical development of the product, they have no obligation to do so. For Koha, an extensive network of developers collaborates on its development. These organizations devote much smaller proportions of their personnel to software development and higher proportions to support personnel.

Koha, launched in 1999, has received continual development, with version 18.05.09 released in February 2019. Koha has been implemented in every global region and is dominant in many countries, including India, Malaysia, Turkey, and most Latin American countries. In the developed world, Koha participates in the general mix of the ILS arena, usually through commercial support firms.

ByWater Solutions provides support services for Koha and other open source technologies. In 2018 ByWater signed 43 new contracts representing 225 libraries. Although the number of contracts was smaller than last year, the number of libraries represented was more than four times larger than 2017. ByWater broke into the ranks of the Association of Research Libraries, supporting Virginia Tech in its migration from Sierra to Koha, Coral, and EBSCO Discovery Service.

In business for just a decade, the company now supports 1,221 libraries on Koha. It employs 24 personnel with three dedicated to product development. ByWater relies considerably on the broader Koha development community for advancement of the product, supplemented by its strategic and sponsored enhancements. For comparison, SirsiDynix devotes 129 of its 391 personnel to development. In the open source business, interested stakeholders share development, enabling the companies to focus their resources on services and outreach.

Some of the enhancements ByWater notes include the creation of new ebook APIs for multiple providers, including OverDrive, Recorded Books, and bibliotheca cloudLibrary.

PTFS Europe, based in the UK, provides support services for open source software. The company has a business relationship with US-based PTFS and represents its Knowvation digital resource management system for Europe. PTFS Europe provides support services for Koha based on the open source community project, unlike PTFS in the US, which works with a private version of Koha and now focuses on its new proprietary ILS, branded as Bibliovation.

PTFS Europe has been successful in attracting European libraries of all types to Koha. These include academic libraries, for which it also includes Coral for electronic resource management along with third-party knowledge bases and discovery services. The company recently introduced Metabase, a new open source business analytics tool for use in conjunction with Koha.

In 2018 PTFS Europe made an additional seven contracts for Koha support, increasing its Koha customers to 109. One of these also contracted for Coral, increasing the number of supported sites to 14. PTFS Europe has 18 employees, with four involved with development.

Equinox Open Software Initiative is a nonprofit organization providing development and support services for open source software. It operated as a commercial company from its founding in 2007 through 2017. Equinox includes individuals involved with the creation of Evergreen for the Georgia PINES project and continues to be involved in its ongoing development, contributing about 80% of the new features and bug fixes applied to the codebase. The Evergreen ILS, designed for consortia of public libraries, is used mostly within the US and Canada, with a handful of installations in other international regions.

In 2018 Equinox signed support contracts for 11 new libraries spanning 54 branches, increasing the number of libraries it supports to 1,503. Equinox notes that about 2,000 libraries are now using Evergreen, including those that are self-supported and that work with other service providers. The company also provides support services for Koha, especially for libraries interested in open source automation but not as part of a consortium. It began support for seven additional libraries for Koha, for a total of 40.

The company developed a specialized hosting infrastructure, launched in 2014 and branded as Sequoia, optimized for hosting open source library applications, especially Evergreen and Koha. Equinox now hosts 18 instances of Evergreen, totaling 436 libraries on Sequoia.

TIND is a relatively new start-up that offers services surrounding open source software originally developed by CERN in Switzerland. TIND provides multiple versions of the product, each based on the same technology platform. The TIND ILS offers the full capabilities of an ILS and has been implemented in the US by Caltech Library and the University of California, Berkeley Law Library. Last year the company worked on the development of serials and acquisitions modules for the TIND ILS in collaboration with the Berkeley Law Library. Three new libraries selected the TIND ILS in 2018, including Mills College in Oakland, California. A total of 14 libraries have implemented the TIND ILS. The company also offers the TIND IR institutional repository, which saw four new contracts in 2018 and is now in use in 22 libraries. The TIND DA digital collection management system was selected by four institutions. TIND has developed a version of its platform for research data management, which has been implemented by three libraries. TIND is a small company, employing 11 people.

A global community continues to develop the open source FOLIO LSP. This project was initiated by EBSCO Information Services, which provides financial support as well as technical and organizational leadership. FOLIO remains on the cusp of implementation, with multiple libraries slated to put the software into production later this year. Several organizations will provide hosting and other support services for FOLIO, including EBSCO, Index Data, ALZAD, and Infoestratégica Latina. ByWater Solutions will offer support services based on EBSCO hosting services. This January saw the launch of FOLIO Aster Release, the first iteration of a product expected to gain more complete functionality and technical integrations.

Some of the libraries engaged with FOLIO and likely to implement it once it has reached a sufficient threshold of functionality include Cornell University, Duke University, Five Colleges Consortium, North Carolina State University, Texas A&M University, University of Alabama, and University of Chicago. Each of these institutions has significant experience with and commitment to open source software. Chalmers University of Technology in Sweden plans to implement FOLIO as an early adopter, based on EBSCO’s hosting and support services.

Academic libraries

Academic libraries have distinct needs for technology support, given the high proportion of electronic resources in their collections and their evolving roles in service to their parent institutions. The need for effective management of electronic resources and corresponding discovery services for patrons has proven to be the major driver of change in this sector of the industry. The release of Ex Libris’s Alma in 2012 led to a major wave of migrations away from ILSes. Companies offering ILS products to academic libraries remain competitive mostly by assembling additional components to offer similar capabilities to LSPs.

Alma dominates new system selections in the academic and research sector, capturing almost all large libraries, multicampus systems, and consortia. In its shadow, OCLC’s WorldShare Management Services sees moderate success among midsized and smaller academic institutions. Last year Association of Research Libraries member McGill University selected WorldShare Management Services, interrupting the clean sweep of large libraries by Alma. Virginia Tech opted for Koha and Coral, reflecting some academic institutions’ interest in exploring alternatives.

The innovation cycle in academic libraries will likely run to completion in the next five years with ever-growing momentum. The window of opportunity is limited for new systems to enter and disrupt the current wave of movement toward Alma and WorldShare Management Services. FOLIO stands ready, however. After three years of development, community building, and evangelizing, early adopters are on the cusp of implementation. With the full force of EBSCO’s support, strengthened by a natural affinity toward open technologies, FOLIO seems positioned to make a dent in the momentum of Alma as its rate of adoption grows each year.

Despite the current momentum of Alma and WorldShare Management Services, more than half of academic libraries in the US, and even more globally, remain on ILSes. The clock has not run out entirely for other products to attract significant proportions of the academic library sector.

Ex Libris, a ProQuest Company, is working to increase business integration and product unification. With Alma established as the dominant resource management system for academic libraries, the company is now leveraging the platform as the foundation for its new products Leganto, Esploro, and Rialto. The recent launch of ProQuest One reflects a unification of its core content products into a single user interface and delivery infrastructure.

Ex Libris has followed a consistent business strategy based on large investments in product development. The company has a history of attracting investments to create products that have transformed the academic library sector. Its consolidation with Endeavor and multiple rounds of private equity investments give it the resources to enter or create new cycles of product genres. Its development activities have been costly, have represented considerable risk, and may have moderated short-term profits. These bets paid off in terms of the valuation of its business through each new cycle of ownership and in building reliable channels of new revenue.

Ex Libris continues to attract the largest academic libraries and consortia to Alma. Some of the major deals concluded in 2018 include all libraries in the Community College League of California, which migrated from multiple systems including Horizon, Millennium, Polaris, Sierra, and Symphony; the University of Hawaii system; the Consortium of Academic and Research Libraries in Illinois, which featured 91 libraries migrating from Ex Libris’s Voyager; the PASCAL consortium of academic libraries in South Carolina, which migrated from Millennium, Sierra, Symphony, and WorldShare Management Services; the Ontario Council of University Libraries, migrating from multiple systems; the National Library of Poland; 64 campuses that make up the State University of New York, which migrated from Ex Libris’s Aleph; Michigan Shared System Alliance; and National Taiwan University.

In early 2018 Ex Libris announced Esploro, a new product initiative to address multiple aspects of academic research services and support. This product, to be created and designed in consultation with multiple development partners, will help universities manage research outputs, identify funding opportunities, highlight researchers and primary investigators through published profiles, and assist in other related areas. Esploro will be built on top of the Alma technical platform.

ProQuest and Ex Libris will jointly develop a new library acquisitions environment, branded as Rialto and based on the Alma technical platform. Rialto will offer capabilities similar to book acquisitions platforms such as OASIS through a reconceived workflow based on business rules, buying patterns, and ways libraries acquire content.

OCLC, a large nonprofit membership organization, includes many technology products in addition to metadata, research, and other services. The organization employs 1,251 people, more than any other ILS company (though fewer than top-level companies Follett, EBSCO Information Services, or ProQuest).

In 2018 OCLC signed 53 new contracts for WorldShare Management Services, increasing its installations to 565 libraries. Some of the major libraries selecting WorldShare Management Services include The Revs Institute, the Tolstoy Library in Germany, Oxford Brookes University in the UK, the University of the Basque Country in Spain, and the SAE Institute in Australia. Library and Archives Canada has begun implementing WorldShare Management Services and has launched Voilà, a national union catalog based on Syndeo, a related service designed for national libraries that enables use of specialized authority files and other record ingestion and distribution workflows.

To expand its presence in public libraries in the US, OCLC launched Wise, a library automation product it positions as a community engagement system. In addition to standard ILS functionality, Wise incorporates characteristics of a customer relationship management system with marketing tools and analytics to provide personalized services and targeted messaging to patrons. Wise is based on the bicatWise product acquired from HKA in 2013, which is used by most public libraries in the Netherlands. Last year Cultuurconnect, representing 300 libraries in the Flanders area of Belgium, signed an agreement to implement Wise. Early adopters for Wise in the US include Anythink Libraries in Colorado and Allen County (Ind.) Public Library.

OCLC continues to enhance the Tipasa interlibrary loan management utility, designed to automate routines in interlibrary loan offices. Tipasa was designed as a migration path for ILLiad, the Windows-based utility developed by Atlas Systems. OCLC serves as the exclusive distribution and support channel for ILLiad.

Enhancements to the OCLC digital collection management system CONTENTdm include the creation of support for the International Image Interoperability Framework (IIIF) Image and Presentation APIs. This new capability enables libraries to view and share images in CONTENTdm through other IIIF-enabled applications and viewers. OCLC reported that 1,164 libraries now use CONTENTdm.

As a 501(c)(3) corporation, OCLC is required to submit filings regarding its financials, which are also published in its annual reports. The organization’s overall revenues for 2018 were $217.6 million.

EBSCO Information Services, a subsidiary of EBSCO Industries, is a privately owned company offering a wide range of content and technology systems for all types of libraries, most prominently academic libraries. We focus on its technology services, but abstracting and indexing databases represent much of its overall business. The company’s expertise in creating subject indexing for content also flavors its approach to other discovery and technology products.

EBSCO Discovery Service (EDS) can be seen as one of its most strategic products, with search technologies that treat subject indexing as a key retrieval and relevance factor. In 2018 the company licensed EDS to 552 additional libraries. EBSCO expanded its base index with content from more than 50 new subject databases. Recent enhancements include support for Google authentication, responsive user interface design, and improved citation searching.

EBSCO offers support for OpenAthens, an authentication framework from Eduserv, as a commercial service. OpenAthens provides single sign-on for all of its licensed resources and avoids many of the problems and limitations of IP authentication. In 2018 EBSCO gained 196 new customers for OpenAthens, including GALILEO, a University System of Georgia initiative that represents more than 400 individual sites.

EBSCO also recently launched the Knowledge Services suite of modules to provide interoperable tools based on its content and technology components. The initial part of this set, branded as HoldingsIQ, encapsulates EBSCO’s knowledge base of holdings data and link management services for integration with external systems or services developed by the library or by other EBSCO technology partners. Scenarios for HoldingsIQ could include implementations of FOLIO that are able to benefit from EBSCO’s licensed products for electronic resource management and discovery. EBSCO also plans a new round of enhancements to Full Text Finder.

Public libraries

The public library sector has not yet experienced a significant new cycle of innovation. It remains reliant on ILSes that are modified to fill in the gaps required to support critical integrations in ebook lending and other digital offerings. One of the key concerns for public libraries is whether they are poised to enter a disruptive cycle of innovation or if the current pattern of incremental advancement will continue.

All of the ILS products in the established public library market are based on aging internal architectures. This is a field of evolved systems—many of which have been substantially reengineered from their antecedents—but none have been developed anew. These include Atriuum (2001), CARL·X (2004 and reengineered from the CARL ILS that launched in the 1980s), Evergreen (2007), Horizon (introduced in 1994), Koha (2000), Library·Solution (1996), Polaris (1997), Sierra (introduced in 2011 and based on INNOPAC, which launched in the 1980s, and Millennium, launched in 1997), Symphony (launched as Unicorn in 1982), and VERSO (2001).

The maturity of the ILS competitors translates into lackluster energy for system migrations. Few public libraries opt to make a lateral move that will result in marginal strategic gain. Some react to prevailing issues of discontent, but most remain with incumbent systems and dread painful migrations, knowing that alternatives have their own foibles and flaws.

In a year of sluggish churn in the public library sector, The Library Corporation (TLC) made 14 new contracts for Library·Solution, increasing total installations to 766. Library·Solution has been implemented mostly in small to midsized public libraries and by school districts. This year the El Paso (Tex.) Independent School District selected Library·Solution to replace SirsiDynix Horizon ILS. On the public library side, Library·Solution competes in a challenging niche market vulnerable to libraries moving into consortial implementations of open source products such as Evergreen. Library·Solution faces strong competition from Follett for district-wide school library automation. The Berkeley (Calif.) Public Library selected CARL·X, confirming interest in a product oriented to large public libraries and consortia. Since mostly large libraries implement CARL·X, the product remains within the critical mass needed to sustain its development. This year substantial enhancements were made to CARL·X, such as new displays in CARL·Connect Discovery that are organized according to Functional Requirements for Bibliographic Records principles. TLC offers a variety of products and services in addition to its ILS products, including its BiblioFile bibliographic services. Its SmartTECH division offers a family of products to facilitate STEM learning, which can be implemented in makerspaces and other contexts. The company, established in 1974, is privately owned by its founder and CEO, Annette Murphy. TLC is one of the very few remaining founder-owned companies.

Auto-Graphics made four new sales spanning 27 branches for its VERSO ILS, increasing its installed base to 529, and six for its MONTAGEdc digital collections management application, now installed in 44 libraries. While VERSO attracts mostly small public libraries, the company also specializes in large-scale resource sharing, with its SHAREit platform used in many statewide interlibrary loan projects. This year Auto-Graphics made an additional sale of SHAREit for a project for the Reaching Across Illinois Library System that currently supports 450 libraries. SHAREit now provides interlibrary loan or resource sharing to more than 6,000 libraries. In early 2019, the company will release the sixth version of its platform, which will include a variety of enhancements in search capabilities, database management, and security measures. Inbound and outbound APIs are also being developed so that the products can provide the interoperability its clients expect. Auto-Graphics specializes in technology products for public libraries and is the only publicly traded company in the industry.

Book Systems had a very strong sales year in 2018, with 145 contracts representing 235 library facilities. Of these, 67 were to public libraries totaling 122 branches. The company’s customer base is divided among school libraries, small public libraries, and small academics, with 4,575 libraries in total using Atriuum; 3,104 of these are in pre-K through grade 12 schools. While locally installed versions of Atriuum are still available, almost all new customers are opting for its hosted version. In 2018, 98% of new contracts were for Atriuum ASP/Express hosted solutions. Atriuum Version 12 was released in 2018, and it included a wide range of enhancements. This year Book Systems released its Librista mobile app for Android smartphones. Book Systems also continues to support its Windows-based Concourse ILS, though it did not report new sales. The company reported revenues in the $5–$10 million range.

Biblionix, focusing exclusively on public libraries, gained 58 new customers in 2018 to increase its installed base to 719. Although the number of new sites is on par with recent years, its Apollo ILS has begun attracting ever larger libraries, including multibranch systems. Biblionix reports an increased number of libraries moving to its products from flagship competitors, including Library·Solution, Polaris, Sierra, and Symphony, rather than from legacy or PC-based products. Biblionix now offers a lightweight consortial configuration based on VersaCard and VersaCat discovery. This option enables libraries to implement Apollo individually but selectively share resources with partner libraries and provide a union catalog of shared resources. Biblionix is a small, privately owned company with no debt or involvement from external investors. Apollo is offered exclusively as a hosted service residing on hardware Biblionix manages directly. The platform does not rely on shared cloud services such as Amazon Web Services.

Infovision Software has developed the Evolve ILS, used primarily by small public libraries in the US. Through 2010 Infovision was the US distributor of the Amlib ILS, which was created in Australia. That year Amlib was acquired by OCLC, and Infovision opted to make a new ILS rather than continue with Amlib. Since that time, Evolve has been implemented in 147 libraries, almost all of which are US public libraries. Development activities in 2018 include the launch of a mobile app offering similar functionality to its online catalog. Infovision employs 11 personnel; five are in product development.

LibraryWorld offers a web-based ILS designed for small libraries and available at an affordable price to accommodate limited budgets. The LibraryWorld ILS is available as a hosted service. As of February, 3,064 libraries have implemented it, and 2,010 of those are school affiliated. The others are public, academic, and special libraries.

BiblioCommons, now in its 10th year of business, specializes in user interface technologies for public libraries. Its initial product, BiblioCore, provides a complete replacement for a library’s online catalog. In addition to a user-experience design based on extensive studies of public libraries, BiblioCore includes collaborative social sharing features and the full feature set associated with online catalogs and self-service patron requests. Enhancements to BiblioCore include a new approach to item display grouping based on the principles in FRBR. Other features include a new format chooser to view all available bibliographic item displays, providing an easy mechanism for patrons to find items of interest in other available formats, and keyword search suggestions on each page that can channel searches to external resources.

BiblioCloudRecords provides shared records for collections of digital resources that are available without the need to load them into the library’s ILS. In 2018 BiblioCommons extended the shared records to include Hoopla content in addition to the existing OverDrive collection records.

BiblioWeb, introduced in 2016, provides a complete library website replacement, managed through an administrative console. The product is based on WordPress infrastructure but managed through a console developed by BiblioCommons. BiblioCommons also released BiblioWeb 3.0, which includes a new page builder that enables additional flexibility in presenting content beyond its templates.

The company’s newest product, BiblioOmni, will be a multichannel marketing platform designed to deliver content and messaging to specific groups of library patrons. Delivery of the initial version is expected in late 2019.

New libraries implementing BiblioCommons in 2018 include Contra Costa County (Calif.) Library; Gail Borden Public Library in Elgin, Illinois; Herrick District Library in Holland, Michigan; Indianapolis Public Library; Pleasanton (Calif.) Public Library; San Antonio Public Library; Santa Clara (Calif.) City Library; Tampa-Hillsborough County (Fla.) Public Library; and Burlington Public Library in Ontario.

School libraries

Libraries in pre-K through grade 12 schools represent a major component of the industry, though some schools and districts may not operate traditional libraries. The economy of a school library is distinctive, with sales measured in higher increments than other sectors, consistent with the proportion of schools to public or academic libraries. A sale to a school district may include hundreds of individual schools. While district-wide sales are lucrative, the sales value per school library served is modest.

Follett School Solutions dominates the pre-K through grade 12 library sector and continues to increase its penetration of products in aspects of the school or district beyond the library. Its sale of Destiny to Fairfax County (Va.) Public Schools included 234 schools that will serve 188,000 students. Follett states that 23 of the 25 largest school districts in the US have selected Destiny. In 2018 Follett also launched its Classroom Ready Collections, a wide range of learning materials through a body of curated open educational resources, all searchable through Destiny. Follett School Solutions is a business division of Follett Corporation, a large, diversified business with about $3.6 billion in annual revenue.

Mandarin Library Automation develops library automation systems primarily used by school libraries but also by other types of small libraries. The current version, Mandarin M5, is offered as software for local installation and as a hosted service. Like other vendors, the company emphasizes its hosted service. In 2018, 344 libraries signed contracts for Mandarin M5 as a hosted service and only eight as local software. Installations for Mandarin M5 hosted service totaled 1,533, with 695 continuing to use the locally installed version. The company reported that 1,570 libraries continue to use Mandarin M3. Recent developments include a new web-based reports module. The company employs 23 individuals, down considerably from its 2014 peak of 38.

Media Flex has developed the web-based OPALS ILS, primarily used by school libraries and other types of small libraries. The software has been released under an open source license, though Media Flex exclusively develops it. This contrasts with other open source applications such as Koha, where a broad community of stakeholders participates in its development. OPALS has been implemented by many schools and school districts. It is also offered through the Boards of Cooperative Educational Services (BOCES) organization, which provides automation systems for school districts in New York. In these cases, BOCES and Media Flex collaborate to provide services and support for OPALS. Recent developments for OPALS include implementation of HTTPS encryption, improved Americans with Disabilities Act compatibility, and functionality for management of physical assets such as multimedia devices and IT equipment. Media Flex employs 18 people.

Special libraries

Lucidea, formed through a series of acquisitions of companies offering products and services to special libraries, offers a slate of ILSes and knowledge-management applications. Its slate of products includes DB/TextWorks, GeniePlus, and Inmagic Presto, along with Argus, CuadraSTAR SKCA, Eloquent Archives, LawPort, LookUp Precision, and SydneyEnterprise. These products have been implemented by law firms, corporations, museums, archives, and other types of organizations. Lucidea also launched two new products based on its LucideaCore platform, including ArchivEra for large archives and ArchivEssentia for smaller organizations. It also introduced ArgusEssentia, a collection management and integrated portal application for museums. Last year, Lucidea opened a new office in Melbourne, Australia, following its acquisition of Maxis, a company established in 1984 that had previously served as Australian distributor for its Inmagic and other knowledge-management products. Lucidea Press, which publishes books oriented to the development of professionals in the field, issued two books in 2018. The company reported 80 employees.

Soutron Global offers its information management platform to manage library collections, archives, and records. The company recently launched a discovery service that is in an early adoption and implementation phase. Other product developments include internal reengineering to incorporate the latest version of Microsoft .NET technology and to develop new APIs. New functionality will give library staff more content management capabilities and offer users more self-service options, such as self-registration. Other enhancements include expanded support for third-party authentication options, added controls to make its products GDPR compliant, and protection of end-user-submitted content through reCAPTCHA. In 2018, the company made 33 new sales of its Soutron ILS product, increasing its installations to 231; the eight new sales of Soutron Archive brought that product to 33 installations in total.

Keystone Systems fills an important niche in the industry, specializing in technologies for libraries that serve people with visual disabilities. Last year the company developed a duplication-on-demand system named Scribe in collaboration with North Carolina Library for the Blind and Physically Handicapped and with financial support from a Library Services and Technology Act grant. Scribe incorporates a streamlined workflow optimized for people with visual disabilities. Keystone was also able to leverage its development of Scribe for a similar project for the National Library Service for the Blind and Physically Handicapped. Keystone made a new sale of the Keystone Library Automation System (KLAS) to one additional organization, the Trauma Center Association of America, increasing its installations to 117. This installation featured an embedded version of the KLAS catalog. Keystone is a small, privately owned company employing 15 people.

Looking forward

Library technology has experienced considerable consolidation. Strategic acquisitions by top-level companies such as Follett, EBSCO, and ProQuest can be seen as permanent. The acquisition of Prima by Volaris Group is similarly positioned as permanent. These companies regularly make acquisitions and rarely divest.

There are also signs of fragmentation. Previous rounds of mergers and acquisitions brought together companies with limited capacity for innovation and development, resulting in overlapping products with marginal differentiation. The current slate of ILS companies fits that bill. Each company works hard to advance its product lines incrementally, but even mid-tier companies may not be able to create market-changing innovation.

The library technology industry sits poised for new rounds of business transactions. Continued churn of large businesses buying new technology firms to expand product areas seems likely. The ownership arrangements of multiple companies are approaching their due dates. Investments made in companies by private equity firms are usually of limited duration, typically four to seven years in the library technology industry. Investment firms and lenders backing leveraged buyouts are working toward an exit from the onset of their engagement.

SirsiDynix was acquired by ICV Partners in December 2014. JMI Equity and Huntsman Gay Global Capital gained control of Innovative in 2012. It would be surprising for these arrangements to remain in place much longer, though the time frames are uncertain. Possible next moves might include lateral transitions to new investors and strategic acquisitions by top-level companies in the broader library and publishing sectors. Consolidation involving any of the small or midsized companies in the industry would not be outside the range of possibilities. While predictions are speculative, inactivity would nonetheless be surprising.

Note: The Library Systems Report 2019 documents ongoing investments of libraries in strategic technology products made in 2018. It covers organizations, both for-profit and nonprofit, offering strategic resource management products—especially integrated library systems and library services platforms—and comprehensive discovery products. The vendors included have responded to a survey requesting details about their organization, sales performance, and narrative explanations of accomplishments. Additional sources consulted include press releases, news articles, and other publicly available information. Most of the organizations provided lists of libraries represented in the statistics reported, allowing for more detailed analysis and validation. Charts with statistics on sales trends and installations are available here.

Cybersecurity in Italy – Lexology

Legal framework

Legislation

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

Dedicated cybersecurity laws are a relatively recent phenomenon in the Italian legal system. Before the boom of the internet and computer technology throughout the 1980s and the 1990s, there were no specific provisions. To fill this gap, the Italian government adopted a series of laws and regulations, both sectoral and general in scope. The most relevant are listed chronologically below.

  • Law No. 547/1993, amending the provisions of the Criminal Code and Code of Criminal Procedure with regard to cyber and computer crimes, introduced new categories of crimes and punishments in order to provide more effective enforcement tools to police and judicial authorities.
  • Law No. 675/1996, implementing Directive 95/46/EC, introduced provisions on data privacy and security also relevant to cyber resilience, and created the Italian Data Protection Authority. This was then followed by Law No. 269/1998, instituting a police force tasked with the mission of fighting cybercrime, internet fraud and online child pornography (the Postal Police).
  • Government Directive of 16 January 2002 on information and telecommunications security for public administrations underlined for the first time the strategic value of data assets and the need to adequately protect them in public IT networks.
  • The provisions of Law No. 675/1996 were subsequently abrogated by Legislative Decree No. 196/2003 – the current Data Protection Code – as well as by its Annex B on Minimum Security Measures (the Annex B) regarding the security of the processing of personal data by private and public bodies. Currently, the Data Protection Code and its Annex B represent two of the main sources of cybersecurity obligations in the Italian legal system.
  • Legislative Decree No. 259/2003 (the Electronic Communications Code) introduced the computer emergency response teams network (CERTs). CERTs are composed of institutional and private entities charged with the task of technical assistance and cooperation in the field of cybersecurity and cyber resilience of critical infrastructures and essential services (eg, telecommunications, healthcare, banking, finance, energy and transport).
  • Legislative Decree No. 82/2005 (the Digital Administration Code) strengthened provisions on cyber and data security obligations to be implemented by public administrations, in light of a greater wave of digitalisation of the public sectors, also with the introduction of the Computer Emergency Response Team of the Public Administration (CERT-PA). In the same year, Law No. 255/2005 created the national strategic centre for cyberthreats at the Ministry of the Interior and placed it under the direction, control and coordination of the Postal Police, which was then granted more enforcement powers.
  • In 2007, to face the social-national and political-international changes and the new economic, cyber and energy challenges, the entire national intelligence apparatus underwent a profound reform process under Law No. 124 of 3 August 2007, which established the Information System for the security of the Republic. Within it, under the general supervision of the President of the Council of Ministers, responsible for the appointment of directors and deputy directors of each agency, and with the coordination of the Department of Information for Security (DIS), several different institutions operate, such as the Information and External Security Agency and the Information and Internal Security Agency, as well as the Interministerial Committee for the Security of the Republic (CISR). Article 5 of Law No. 124/2007 regulates the functions of CISR to which are assigned tasks of advice, proposal and deliberation on the guidelines and general objectives of the information policy for security, as well as the elaboration of general guidelines and fundamental objectives to be pursued in the framework of the information policy for security.
  • In light of the growing concerns surrounding cybersecurity and cyberthreats at an international level, Law No. 48/2008 ratified the 2001 Budapest Convention on Cybercrime and updated both the Data Protection Code and Legislative Decree No. 231/2001 on corporate criminal liability, by introducing specific references to cyber and computer crimes. This marked a turning point for cybersecurity legislation in Italy; many more provisions, ministerial decrees and soft law tools have been adopted since then in order to raise cybersecurity awareness in both the private and public sector.
  • The most recent developments saw the adoption of Legislative Decree No. 83/2012, establishing the Italian Digital Agency (AgID), and of Law No. 133/2012, which modified Law No. 124/2007, granting extended powers over national critical infrastructures to cyber intelligence bodies (eg, the power of the President of the Council of Ministers, having heard the CISR, to adopt specific directives to strengthen information activities for the protection of critical material and immaterial infrastructures), with particular regard to cybernetic protection and national cybersecurity; the government therefore adopted several national cybersecurity plans, aimed at exponentially developing nationally integrated computer incident response capabilities, also on the basis of the recommendations of the European Union Agency for Network and Information Security. Furthermore, Decree No. 174 of 30 October 2015, converted with modifications by Law No. 198 of 11 December 2015, and in particular its article 7-bis, paragraph 5, assigned to the CISR, convened by the President of the Council of Ministers in case of crisis involving aspects of national security, tasks of consultation, proposal and resolution.
  • Pending the implementation, by 9 May 2018, of the Directive No. 2016/1148/EU, on network and information security (the NIS Directive), on 17 February 2017 the President of the Council of Ministers Decree (the Cybersecurity Decree) was adopted, setting out ‘Strategic Guidelines for the National Cyberspace Protection and ICT security’, updating the existing regulatory framework to replace the former Decree of the President of the Council of Ministers of 24 January 2013. Through this act, the government has deeply innovated and strengthened the national cybersecurity strategy.
  • In March 2017, the Presidency of the Council of Ministers adopted the National Plan for cyberspace protection and ICT security, which identified the operational guidelines, the goals to pursue and the lines of action to be carried out in order to give full implementation to the National Strategic Framework for Cyberspace Security, in line with what was set forth under the previous plan referring to the years 2014-2015 and outlined by the Prime Minister’s Decree of 17 February 2017 setting out ‘Strategic Guidelines for the National Cyberspace Protection and ICT Security’. With this additional document, Italy adopted an integrated strategy to activate the involvement of both the private and public stakeholders identified in the National Strategic Framework as well as of all those who, on a daily basis, make use of modern ICT technologies, starting with every citizen.
  • Finally, having received the necessary delegation from Parliament on 25 October 2017 (Law No. 163/2017), the government adopted, on 18 May 2018, Legislative Decree No. 65/2018 implementing the NIS Directive (the NIS Directive Italian Decree), aligning the Italian legal system with the most recent legislative developments on cyber resilience taking place at European level. In particular, the NIS Directive Italian Decree has established the Italian competent authorities and the computer security incident response team (CSIRT), which takes over the functions of the national CERT and CERT-PA. The CSIRT will be assisted by the DIS, appointed by the NIS Directive Italian Decree as the ‘single point of contact’ under article 8 of the NIS Directive, which acts as the liaison between the authorities of other member states and the Italian competent authorities (ie, the ministries listed in article 7 of the NIS Directive Italian Decree) to ensure cross-border cooperation on the security of network and information systems.
  • While waiting for the government to define the organisation and functioning of the CSIRT, the national CERT and CERT-PA shall enhance their respective activities to cooperate to carry out jointly the functions and the role of the CSIRT.

The Italian legislative framework on cybersecurity is built on general provisions applicable to both the public and the private sector (eg, the Data Protection Code as amended by Legislative Decree No. 101/2018, which has repealed its Annex B on minimum security measures for data processing), as well as secondary legislation and soft law tools used at industry level (eg, banking, marketing, big data and insurance). These may be adopted or revised by competent independent regulators (ie, AgCom for telecommunications, IVASS for insurance, the Italian Central Bank for banking). Furthermore, Regulation No. 679/2016/EU (the General Data Protection Regulation (GDPR)) brought important innovations in the cybersecurity field for both private and public entities as of 25 May 2018.

Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

According to recent reports, cybersecurity threats most often involve healthcare, banking, finance, telecommunications and critical infrastructures. This trend has grown exponentially in recent decades, driven by the need to face increasingly sophisticated cyberattacks against both individuals and legal entities.

As reported by the White Paper entitled ‘The future of Cybersecurity in Italy: Strategic focus areas’, published in May 2018 by the Cyber Security National Laboratory of the National Interuniversity Consortium for Informatics (CINI), the Bank of Italy estimated that between September 2015 and September 2016, 45 per cent of national companies were hit by some type of attack. The riskiest subjects are large companies, exporters and operators working in a sector with high-end technological intensity.

Has your jurisdiction adopted any international standards related to cybersecurity?

The Italian Standards and Certification Institute (UNI), which is the Italian member of the European Committee for Standardization and the International Organization for Standardization (ISO), has adopted all the relevant international standards related to cybersecurity, most notably ISO/IEC 27001:2013 (currently, UNI CEI EN ISO/IEC 27001:2017 in Italy) and ISO/IEC 27032:2012, which provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, and covering the baseline security practices for stakeholders in cyberspace. Even if not specifically related to cybersecurity, the GDPR also encourages the drawing up of codes of conduct (article 40 GDPR) and the establishment of data protection certification mechanisms (article 42 GDPR) that will contribute to the proper application of the EU regulation and allow controllers and processors to demonstrate the compliance of their processing operations with the GDPR. It is not out of the question that further certifications and standards relevant to data and cybersecurity obligations will be adopted or published. In fact, the Italian Data Protection Authority and the Italian government are currently working on mechanisms aimed at facilitating this process in a consistent and uniform way for both the private and public sector.

In addition to those measures, the Research Centre of Cyber Intelligence and Information Security of Sapienza University of Rome (CIS Sapienza), in collaboration with CINI, introduced in Italy in 2016 the National Cyber Security Framework (the Framework). The Framework, which derives much from the Framework for Improving Critical Infrastructure Cybersecurity adopted by the US National Institute of Standards and Technology, is not a security standard and can be adopted on a voluntary basis, but it appears particularly relevant in the Italian national system, since it proposes a list of essential cybersecurity controls that can be adopted and implemented by medium, small or micro enterprises to reduce the number of vulnerabilities present in their systems, to increase the awareness of internal staff and to resist the most common attacks.

What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

Those responsible for ensuring cybersecurity compliance within private and public organisations must always implement measures adequate to the risk of the activities performed by the legal entity they operate for and the information they process (eg, cybersecurity obligations for legal entities processing health-related data or sensitive personal data are generally stricter under Italian law). This is a general rule shared by the letter of the Data Protection Code (ie, article 31 et seq.), the provisions of the Criminal Code and those of Legislative Decree No. 231/2001.

From a data protection perspective, although the provisions regarding security measures have been repealed from the Italian Data Protection Code, the GDPR has introduced the principle of accountability, under which the controller shall be responsible for, and be able to demonstrate, compliance with data protection regulations. Another relevant principle set forth by the GDPR is that of integrity and confidentiality, under which data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Moreover, in accordance with the privacy by design and by default principles, the data controller shall implement appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of the EU Regulation and protect the rights of data subjects.

As provided by article 32.4 GDPR, controllers and processors shall take steps to ensure that any natural person acting under their authority who has access to personal data does not process them except on their specific instructions, unless their processing is required by European Union or member state law.

Therefore, responsible personnel and directors who cannot prove that they have implemented adequate cybersecurity compliance may face either criminal or civil liability, including the sanctions set forth under the GDPR for unlawful data processing. In addition, the organisation they work for can also exercise its right of recourse against them where administrative sanctions are issued against it by an independent authority (ie, the Italian Data Protection Authority or others).

How does your jurisdiction define cybersecurity and cybercrime?

There had been no definition of cybersecurity or cybercrime in the Italian legal system, neither in statute nor in case law, until the introduction of the President of the Council of Ministers Decree of 24 January 2013, replaced in 2017 by the Cybersecurity Decree. Such notions were widely interpreted by reference to different laws, regulations, secondary legislation and soft law provisions issued over the years by both the Italian legislature and authorities such as the Italian Data Protection Authority. In any case, given that Italy ratified the Budapest Convention on Cybercrime by means of Law No. 48/2008, the terms used therein to identify illicit conduct relevant to computer crimes were widely considered to apply equally under Italian law.

After the adoption of the aforementioned Prime Minister’s Decrees, this scenario has changed. A definition of the security of network and information systems (ie, cybersecurity) has been introduced: article 2, paragraph 1, letter i) of the Cybersecurity Decree states that cybersecurity is the condition in which cyberspace is protected by means of the adoption of ad hoc physical, logical and procedural security measures, with respect to events, either deliberate or accidental, consisting of the access, transfer, modification, destruction, illicit control, damaging or blocking of the regular functioning of networks and information systems and their essential elements. The Decree does not define cybercrime, but it does provide definitions of cyberthreat and cyber incident (ie, article 2, paragraph 2, letters l and m). With particular regard to the former, the legislator refers to conduct performed by individuals or groups with the aim of violating private or public cyberspace and damaging the security of networks and information systems.

Furthermore, the NIS Directive Italian Decree defines the ‘security of network and information systems’ in accordance with the definition given by the NIS Directive, as the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

In addition to this, with reference to data protection, article 32 GDPR provides that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (including, inter alia, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in good time in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing). In assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This provision is therefore significant because it entails a concept of cybersecurity that is strictly interconnected with data privacy requirements and the governance of data flows within private and public networks. Although the GDPR and the Data Protection Code apply only to personal data, their provisions recognise the importance of securing information assets of all kinds with sole regard to their vulnerability and level of sensitivity. Therefore, the above principles of data protection on security processes can be considered a cybersecurity standard.

As a final remark, with regard to information system security and cybercrime enforcement, it could be said that the distinction between them is both of a technical and a legal nature under Italian law. On the one hand, the former refers to those IT requirements that shall be implemented in accordance with applicable cyber laws and regulations (eg, provisions and principles of the GDPR); on the other, cybercrime enforcement is delegated to competent regulatory, police and judicial authorities case by case (ie, depending on whether civil, criminal or administrative liability arises).

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

Security requirements that vary by category of data are not uncommon under Italian data protection and cybersecurity laws. However, one of the most relevant distinctions to bear in mind is that between personal and non-personal information. In the first case, specific and more robust data and cyber protection shall always be applied; in the second, requirements may vary depending on the type or value of the information involved (eg, intellectual property-related information, or information relevant to strategic infrastructure). This notwithstanding, as per article 14 of the NIS Directive Italian Decree, digital service providers shall identify and take appropriate technical and organisational measures to manage the risks related to the security of the networks and information systems they use, as indicated in the relevant Decree.

With reference to personal data, instead, the GDPR does not indicate minimum security measures to be adopted by controllers or processors (in accordance with the accountability principle), but generically prescribes, under article 32 GDPR, that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (including, inter alia, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing).

In assessing the appropriate level of security, the GDPR underlines that account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Therefore, cybersecurity measures shall be ‘adequate’ to the risks inherent to the processing; however, the responsibility to self-assess and guarantee their effectiveness rests solely with data controllers, at their own peril.

To align national data protection provisions with the GDPR, Legislative Decree No. 101/2018 has modified the Italian Data Protection Code by repealing various provisions incompatible with the EU Regulation, including Annex B to the Data Protection Code, which provided for a series of specific (ie, minimum) measures relevant to data security and aimed at protecting data and information assets on a general basis.

The GDPR has therefore produced a shift of paradigm on security: from external regulation and control (as provided by former Italian Data Protection Code), to a risk-based approach solely based on accountability – balanced with the possibility of higher administrative fines.

Notwithstanding this lack of normative prescription on minimum security measures concerning cybersecurity, one should mention soft law tools aimed at reducing risks in both the private and public sector.

With reference to the private sector, in 2016 CIS Sapienza, in collaboration with CINI, adopted the National Cyber Security Framework, providing a list of essential cybersecurity controls that can be adopted and implemented by medium, small or micro enterprises. The listed measures include, among others, the following:

  • data, personnel, devices, systems and facilities that enable the organisation to achieve its business purposes are identified, so as to manage these resources in accordance with their relative importance to business objectives and the organisation’s risk strategy;
  • services granted by third parties are minimised in order to limit them to those strictly necessary;
  • policies, procedures and processes are adopted to manage and monitor the organisation’s regulatory, legal, risk, environmental and operational requirements;
  • employees are selected and appointed in accordance with their respective roles on IT systems and risk management;
  • the legal framework on cybersecurity applicable to the company is identified, and it is constantly monitored to see that all relevant instructions are fulfilled;
  • all devices and systems offered in use to the employees have tools and software for security and data protection constantly and automatically updated;
  • each individual shall access only the information needed to perform their role in the company, in accordance with specific authorisations;
  • basic staff training on cybersecurity risks is performed according to an established plan and schedule and with the aid of appropriate training techniques and tools (eg, e-learning, classroom training, tutorial material) in line with the specific characteristics of each organisation (eg, staff territorial distribution, prevailing use of external supplier);
  • a secure setup of systems is carried out by the IT responsible staff (if applicable) or by external designated companies;
  • backup and restoration of data is performed and regularly tested through the use of specific technology solutions that automate the main activities required (scheduling of backups, monitoring of results, etc);
  • users use robust passwords, possibly implemented through setup mechanisms and automatic controls, and frequently updated;
  • perimeter protection of networks is obtained through appropriate hardware and software solutions; and
  • the response to cybersecurity events takes place at least through the establishment of a company procedure, written in accordance with the applicable regulations and communicated to all involved parties (eg, employees, consultants, third parties).

With regard to the public sector, AgID’s Circular dated 18 April 2017, No. 2/2017 contains ‘Minimum ICT security measures for public administrations’. AgID has therefore identified the minimum ICT security measures that public administrations must implement (eg, technological, organisational and procedural controls) to combat the most frequent cyber threats arising in the Italian public administration.

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

As a general remark, cyberthreats to intellectual property and industrial secrets are addressed by the provisions of both the Criminal Code and the Civil Code, as well as by the letter of Legislative Decree No. 30/2005 (the Intellectual Property Code). These sources regulate and provide for several means for protecting intellectual property in both the online and offline environment. For example:

  • key provisions of the Criminal Code (ie, articles 473, 474 and 517-ter) punish counterfeiting, illicit use of trademarks and national commercialisation of fakes – either of a digital or a material nature;
  • article 623 of the Criminal Code also punishes the revelation of trade secrets or scientific inventions known because of the relevant profession;
  • the Civil Code also contains some general provisions on intellectual property rights that may extend to the cybersphere (ie, articles 2569 to 2594), whose enforcement is delegated to the Civil Procedure Code; and
  • finally, the Intellectual Property Code provides for sanctions against intellectual property infringement in general (ie, articles 117 to 143) and more specific provisions on anti-piracy, which often extend also to cyberthreat prevention (ie, articles 144 to 146).

In addition to the above, Legislative Decree No. 70/2003 and AgCom’s Regulation on online intellectual property protection of 31 March 2014 also introduced legal tools aimed at preventing cyberthreats to intellectual property by means of notice and takedown procedures and other judicial and non-judicial remedies.

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

The NIS Directive, which has been implemented in the Italian legal system by means of the NIS Directive Italian Decree, has set up the basis for the coming years’ national cybersecurity strategy. This act aligns Italian law with the most recent legislative developments on cybersecurity taking place at the European level. The Decree addresses cyberthreat prevention for a wide range of industries, critical infrastructure and providers of essential services operating in the economic, digital and public sectors. The content of the Decree is substantially aligned with that of the NIS Directive and reflects its principles and structure, with the aim of strengthening national cybersecurity resilience and fostering private-public partnerships to that end.

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

Restriction of information sharing concerning cyberthreats is not addressed by any particular law or regulation under Italian legislation. Although cybercrime is always punished under the current legal regime (eg, articles 615-quater and quinquies of the Criminal Code), reverse engineering of cyber weapons to pursue cyber attackers may also lead to sanctions. In such cases (although paradoxically), the victim reacting to a cyberthreat may risk committing the crime of digital trespassing (ie, article 615-ter of the Criminal Code) and, therefore, be subject to punishment alongside the perpetrators.

In addition, information-sharing practices should be subject to particular cautions. This is especially with regard to possible data privacy claims or civil proceedings concerning the protection of private communications (ie, a fundamental right under article 21 of the Italian Constitution). Authorities can request privileged access to such information for investigation purposes. In such cases, prescriptions on the processing of personal data for police or judicial purposes may apply with the relevant limitations (eg, those set forth under the Italian Criminal Procedure Code and in other sources).

Without prejudice to the GDPR provisions, exceptions to such limitations introduced for the purpose of facing cyberthreats can be found in the jurisprudence of the Italian Data Protection Authority. For example, access to private communications is governed by the Italian Data Protection Authority’s Guidelines of 1 March 2007 applying to the use of emails and the internet in the employment context. This source provides that data controllers can only access employees’ electronic communications where there is a risk of serious and concrete violations or breaches of their information assets (ie, thus including possible cyberthreats). However, this can happen only where:

  • the employee concerned has given explicit consent to the access;
  • an external counsel (ie, usually a lawyer) has been appointed for the purpose of carrying out defence investigations (also preventive) on behalf of the data controller; and
  • the search is limited to the specific objects or items the employer is looking for (ie, search by means of specific key words or hashtags to discover a competitor’s name or alias, external senders and unauthorised email exchanges).

Metadata are subject to access requirements similar to the above. In particular, the Italian Data Protection Authority’s Guidelines provide that they may only be accessed by the data controller in light of the principle of gradualness of security and defensive controls (eg, ranging from a general warning to all employees to singling out the individual cyber infringer).

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

Cybercrimes that are relevant to organisations can be tracked in two particular pieces of legislation: Legislative Decree No. 231/2001 on corporate criminal liability; and the Data Protection Code. The former includes specific provisions on cyber and computer crimes performed by organisations, their representatives, or persons subject to the authority of the latter, as well as the relevant sanctions regime (article 24-bis). In particular, the general principle applicable to organisations for crimes and cybercrimes they have committed, directly or indirectly, is that criminal liability is always personal (ie, held by employees, directors or managers), whereas corporate liability has an administrative character impacting the organisation as a whole by means of fines or sanctions, and shall be recognised only if the entity’s personnel have committed the crime in the interest or for the advantage of the company. The following are some examples of the most frequent cybercrimes governed by the Italian Criminal Code:

  • unlawful access to an information system (article 615-ter);
  • detention and dissemination of access codes to computer or telematics systems (article 615-quater);
  • dissemination of equipment, devices or computer programs aimed at damaging or interrupting an IT or telematic system (article 615-quinquies);
  • unlawful surveillance by means of an information system (article 617-quater); and
  • damaging of software, information, data, IT programs, telematics systems (article 635-bis to quinquies).

With regard to the Data Protection Code, aside from the applicability of the same general principle above, the conduct subject to sanctions has recently been updated as per Legislative Decree No. 101/2018. Consequently, the Data Protection Code provides criminal sanctions in cases of:

  • unlawful processing of personal data (article 167);
  • illicit communication and dissemination of personal data processed on a large scale (article 167-bis);
  • fraudulent acquisition of personal data being processed on a large scale (article 167-ter);
  • falsity in declarations to the Data Protection Authority and interruption of the execution of the tasks or exercise of the powers of the Data Protection Authority (article 168); and
  • failure to comply with the provisions of the Data Protection Authority (article 170).

As a consequence of the repeal of Annex B to the Data Protection Code on minimum security measures and the introduction of the accountability principle under the GDPR, the provision of the Data Protection Code that criminalised failure to adopt mandatory security measures (former article 169) has been repealed.

Finally, article 20 of NIS Directive Italian Decree provides administrative fines for the operators of essential services acting in violation of the dispositions of the Decree.

How has your jurisdiction addressed information security challenges associated with cloud computing?

The NIS Directive Italian Decree defines cloud computing, in accordance with the NIS Directive, as a digital service that enables access to a scalable and elastic pool of shareable computing resources. The Italian Ministries listed in article 7 of the NIS Directive Italian Decree shall put into effect, and supervise, the application of the relevant provisions of the Decree, also with specific reference to cloud computing. With reference to soft law guidelines referring to cloud computing, the framework adopted by CIS Sapienza and CINI for the private sector, as well as AgID Circular No. 2/2017 for the public sector, make direct reference to cloud systems, underlining the need for backup activities also in those infrastructures for cybersecurity reasons.

Apart from those references, as at the time of writing, no particular act, secondary legislation, guideline, decree, general order or any other provision has been issued by competent institutions with specific regard to cybersecurity in cloud computing. However, that does not mean that the issue does not find indirect recognition in other complementary sources, such as data protection, criminal, consumer and civil law statutes, whose obligations can still be considered applicable to cloud computing. Further, the provisions of the Cybersecurity Decree can be included among such sources. As a general remark, businesses and public administrations usually take extra care in assessing the risks resulting from a shift of their activities to cloud-based services, irrespective of the categories of data they process or the sector in which they operate.

In any case, there are some issues relevant to cloud-based services to which particular attention should be given, both from a regulatory and a cybersecurity point of view. In particular, these are:

  • the regime of allocation of responsibilities and the contractual obligations with cloud providers;
  • data and information security compliance, with specific regard to sensitive personal data;
  • considering who should be responsible for the implementation of specific cybersecurity defences; and
  • extra-European Economic Area transfers and the governance of international data flows.

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

Obligations applicable to foreign organisations are the same as applicable to domestic ones; in particular, this has also been clarified by the scope of the NIS Directive, which applies to all operators providing essential or digital services (ie, thus including online search, cloud computing and e-commerce) within the European Union, irrespective of their country of establishment. To this extent, the NIS Directive Italian Decree fully aligned Italian applicable provisions on cybersecurity to such extraterritorial scope of application.

Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

As of today, business and private sector operators may refer to industry best practices. Public administrations, however, usually rely on national CERTs’ indications (ie, with particular reference to those coming from CERT-PA), the Italian Digital Agency’s (AgID) sector-specific set of guidelines or other similar soft law tools aimed at reducing risks for computers and networks, in compliance with applicable statutes on cybersecurity. It should be noted that the NIS Directive Italian Decree has established the Italian CSIRT to replace the national CERT and CERT-PA, whose functions and organisation will be described by a forthcoming government decree.

In spite of this, it can be said that the Italian legal system is not aware of any particular additional cybersecurity protection that goes beyond what is mandatorily prescribed by the laws and regulations in force.

How does the government incentivise organisations to improve their cybersecurity?

For the operating expenses of the Italian CSIRT, the NIS Directive Italian Decree has authorised expenditure of €2.7 million for 2018, of which €2 million for investment expenses, and €700,000 annually from 2019.

The Cybersecurity Decree only foresaw generic provisions on incentivising and funding cybersecurity in the private and the public sector or by means of private-public partnerships. Current spending on cybersecurity is quite likely to remain unchanged unless future and more specific provisions are adopted by the government or in light of possible European initiatives (eg, statutes on defence spending, research and development funding).

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

Industry codes of practice and standards may greatly vary from sector to sector; however, as at the time of writing, none have been updated to meet the evolving legal scenario. This notwithstanding, it is likely that the forthcoming government decree on the functions and organisation of the Italian CSIRT will have a significant impact on current and future industry standards promoting cybersecurity and cyber resilience at a national level.

Are there generally recommended best practices and procedures for responding to breaches?

Post-breach response strategies may vary greatly. They may depend on the degree of cybersecurity awareness that legal entities of both the public and the private sector have. As a general remark, it could be said that intervention of third-party forensic firms is not uncommon, although often within the sole framework of the performance of defensive and preventive investigations.

In all cases involving personal data, apart from the general rules set forth under articles 33 and 34 GDPR (the first providing for the notification procedure of the data breach to the national supervisory authority, the second regarding the communication of the breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of natural persons), the Italian Data Protection Authority’s jurisprudence (with particular regard to its Guidelines, which apply to the use of emails and the internet in the context of employment) also provides some useful indications on notice to employees and the adoption of ad hoc internal policies on data security and cyber resilience. In the case of breaches or cyber incidents, evidence of the adoption and implementation of such policies may be relevant from a burden of proof perspective (ie, from a civil, criminal or administrative standpoint).

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Article 18 of the NIS Directive Italian Decree provides that entities that have not been identified as operators of essential services and are not digital service providers may notify, on a voluntary basis, incidents having a significant impact on the continuity of the services that they provide (mirroring article 20 of the NIS Directive). Furthermore, the Cybersecurity Decree of 17 February 2017 provides for mandatory mechanisms of constant update and communication between private operators, CSIRTs, CERTs, intelligence services and the government (ie, article 11).

Such mechanisms do not set out the details of the practices or procedures for communicating cyber incidents or cyberthreats, although the Decree states that this can also happen through competent ministerial institutions (ie, the offices of the Ministry of Defence and the Ministry of Economic Development). In addition, a failure to communicate may also lead to sanctions of an administrative, civil or criminal nature.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The NIS Directive Italian Decree has appointed the DIS as the ‘single point of contact’ under article 8 of NIS Directive, which represents the liaison between member state authorities and the Italian competent authorities (ie, the ministries listed in article 7 of NIS Directive Italian Decree) to ensure cross-border cooperation on the security of network and information systems. The NIS Directive Italian Decree has also established the Italian CSIRT to replace the national CERT and CERT-PA, whose functions and organisation will be described by a forthcoming government decree.

While waiting for the government to define the organisation and functioning of the CSIRT, the national CERT and CERT-PA shall enhance their respective activities to cooperate to carry out jointly the functions and the role of the CSIRT.

The national CERT, which operates on the basis of a public-private cooperative model and supports citizens and businesses through awareness-raising, prevention and coordination of the responses to large-scale cyber events, has presented a significant example of how government and the private sector can cooperate in the field of cybersecurity, especially with respect to the cyber resilience of critical infrastructure and essential services. However, there is no particular way in which private and public partnerships or collaborations are meant to be developed.

To this extent, the Cybersecurity Decree of 17 February 2017 has also improved such collaboration by strengthening the link between CSIRTs, the government and internal intelligence agencies in the management of cyber incidents and the drafting of best practices and procedures, also applicable to the private sector.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Cyber insurance is a fast-growing sector in Italy and is offered by all the major insurers operating at a national level. Despite great availability and choice, such products are far from common among all kinds of operators in both the public and the private sector. Existing cyber risk insurance policies usually cover first- and third-party liability for negligence, accidents or faults. Furthermore, they have variable costs depending on the extent of the coverage and the kind of informational, data or ICT assets they are linked to.

Enforcement

Regulation

Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

The competent NIS authorities (ie, the ministries listed in article 7 of the NIS Directive Italian Decree) are responsible for implementing the NIS Directive Italian Decree with regard to the sectors referred to in Annex II and the services listed in Annex III of the Decree, and supervise its application at national level, exercising the related powers of investigation and imposing administrative sanctions. The monitoring of compliance with information security standards from a regulatory point of view is therefore spread across several public bodies operating in different fields and networking together to increase cyber resilience and data security at national level.

The authorities competent to prosecute the relevant cybercrimes are instead judicial and police bodies, such as the above-mentioned Postal Police or the territorially competent criminal and civil courts. Their enforcement, decision-making and investigative powers can be triggered either on request (eg, by a complaint) or ex officio (eg, in the case of serious cyberattacks, data breaches or large-scale fraud against individuals or legal entities).

From a data protection perspective, the Italian Data Protection Authority enforces the provisions of the GDPR and the Italian Privacy Code and imposes the relevant sanctions.

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

The Italian Data Protection Authority has broad powers to request information or demand the disclosure of specific documents relevant to possible cybersecurity incidents. These powers extend to monitoring compliance, conducting investigations and prosecuting infringements. Aside from the Italian Data Protection Authority’s regulatory enforcement action, other institutions may also be competent in the event of a cybersecurity incident. In particular, judicial, intelligence and police authorities can investigate the link between such incidents and the commission of computer crimes and cyberattacks, commence proceedings or adopt countermeasures, as the case may be.

What are the most common enforcement issues and how have regulators and the private sector addressed them?

The most common enforcement issues facing regulators and the private sector vary greatly. In particular, they depend on a wide range of factors, such as:

  • the type of cyber defences adopted;
  • the categories and the amount of data being processed (either personal or non-personal);
  • the likelihood of cyberattacks and the measures in place to prevent them;
  • the adoption of disaster recovery tools and software; and
  • technological evolution in general.

From a regulatory point of view, the Italian Data Protection Authority devotes significant attention to cybersecurity issues in its annual report, which provides important insights into the Authority’s past and future activity in different sectors and features specific notes and chapters on data security, cybersecurity and enforcement. The 2017 Annual Report, the most recent, refers to the 39th International Conference of Data Protection Authorities, held in Hong Kong on 25-29 September 2017: during the proceedings, which were attended by a representative of the Italian Data Protection Authority, crucial issues of the hyper-connected world, such as artificial intelligence and cybersecurity, were addressed. In the 2016 Annual Report, the Authority identified the healthcare sector as a major concern. In particular, it underlined the extent of non-compliant data processing practices, in both the public and the private sector, owing to a general lack of adequate IT, storage, encryption and delivery procedures. The Authority also highlighted excessive retention periods and the failure to adopt minimum, appropriately calibrated security measures for health-related data (ie, including cyber defences and disaster recovery procedures), even after the global outbreak of the WannaCry ransomware.

The private sector has also been responding to cybersecurity issues in various ways, for example by adopting industry best practices, codes of conduct or ad hoc information security certifications (eg, ISO/IEC 27001 and the like). This approach is quite common in ‘cyber-sensitive’ sectors such as healthcare, banking, insurance, energy, telecommunications and digital services. However, it is also spreading fast in other industries, from retail to professional services and from transport to entertainment.

Operators in the aforementioned sectors have complied with regulatory enforcement. Banking and healthcare face the most challenging scenarios, because the combination of new technologies and fast-growing business opportunities (eg, blockchain, mobile payments, the internet of things, personalised medicine and artificial intelligence applied to finance and investment) poses unprecedented cyber risks to their traditional cyber defences.

Penalties

What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

Penalties generally take the form of administrative fines and vary depending on the type of breach. Article 20 of the NIS Directive Italian Decree provides for administrative fines against operators of essential services that act in violation of the provisions of the decree.

Fines may be lighter in the case of cyber incidents resulting in a breach of non-personal data. By contrast, penalties for failure to comply with cybersecurity requirements involving personal data may be more severe. In those cases, the Italian Data Protection Authority is the competent authority for issuing administrative fines in accordance with article 83 GDPR and the Data Protection Code. Sector-specific fines may also apply to entities operating in particular industries of the public or the private sector (eg, electronic communications services). In addition, cybersecurity failures can give rise to judicial claims for compensation in tort (non-contractual liability); however, punitive damages do not exist under Italian law, nor are they permitted by the case law of the Italian Court of Cassation.

Finally, criminal penalties may also arise where serious cybersecurity failures amount to criminal offences, such as unauthorised access to information systems or similar conduct. In these cases, although the principle of personal criminal liability still applies, the legal entity in whose interest or to whose advantage the crime was committed may also be subject to sanctions, mainly of an administrative nature (such as fines or asset confiscation), pursuant to Legislative Decree 231/2001.

What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

Once again, the severity of the penalties varies with the seriousness of the failure and the extent of the threats or breaches involved. They may be of a civil, administrative or criminal nature and may be applied cumulatively.

How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

Businesses, individuals or interested third parties may seek redress for unauthorised cyberactivity, or for failure to adequately protect their IT systems or data, against legal or natural persons by reporting to the competent administrative authorities or by commencing court proceedings. Both remedies may be pursued at the same time without particular exceptions. Additionally, compensation may be sought before the civil courts once the allegedly damaged party has provided concrete proof of the damage.

Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Under article 14 of the NIS Directive Italian Decree, digital service providers shall identify and take appropriate technical and organisational measures to manage the risks to the security of the networks and information systems they use.

To protect personal data, controllers and processors must instead comply with EU law, in particular article 32 GDPR, and with the principles of privacy by design, privacy by default and accountability.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Where a cyberthreat or attack involving personal data results in a personal data breach, articles 33 and 34 GDPR apply: the former governs notification of the breach to the national supervisory authority, the latter the communication of the breach to the data subjects, where the breach is likely to result in a high risk to the rights and freedoms of natural persons.

In accordance with the accountability principle, article 33(5) GDPR also provides that the controller shall document any personal data breaches, comprising the facts relating to the breach, its effects and the remedial action taken, so as to enable the supervisory authority to verify compliance with article 33.

Digital service providers must also adopt, regardless of whether personal data are processed, the security measures set forth under article 14 of the NIS Directive Italian Decree, and must document their compliance as required by articles 13(2) and 15(2) of the Decree, which may also include a record of the cyberthreats or attacks that have occurred.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

The Cybersecurity Decree of 17 February 2017 introduced stronger reporting and information-sharing obligations for the private and the public sector, with particular regard to operators of critical infrastructures and providers of essential services.

Furthermore, the NIS Directive Italian Decree of 18 May 2018 has changed the landscape by establishing the Italian CSIRT, which takes over the functions of the national CERT and CERT-PA. Article 12 of the Decree provides that operators of essential services shall notify the Italian CSIRT, and, for information, the competent NIS authority, without undue delay, of incidents having a significant impact on the continuity of the essential services they provide.

That said, pending the government’s definition of the organisation and functioning of the CSIRT, the CSIRT’s functions are carried out by the national CERT together with CERT-PA, in collaboration with each other.

These obligations require cyberthreats or incidents to be communicated to the competent authorities, ranging from intelligence bodies to government officials, through protected channels and without undue delay (the decree sets no specific time frame; this may be addressed by future best practices published by the CSIRT or other competent institutions). In addition, private operators should allow regulatory authorities access to their security operations centres and archives where this is necessary to face cyberthreats or to improve cyber resilience. This may also occur under Law No. 124/2007 on the ‘Information system for the security of the Republic and new regulation of secrecy’. Finally, the obligations above do not displace the duty of public and private operators to report possible breaches to the competent police, judicial and administrative authorities (eg, the Italian Data Protection Authority), as the case may be.

Timeframes

What is the timeline for reporting to the authorities?

As mentioned above, apart from cases governed by the GDPR, under which personal data breaches must be notified to the Italian Data Protection Authority within a set time (ie, without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach), there is no such timeline in the Cybersecurity Decree, the NIS Directive Italian Decree or other relevant sources.

This may well change in future through guidelines and best practice adopted and implemented at national level by the Italian CSIRT and other competent authorities.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Pursuant to article 12 of the NIS Directive Italian Decree, the competent NIS authority, in agreement with the Italian CSIRT and after consulting the operator of essential services that notified the incident, may inform the public about individual incidents where public awareness is necessary to prevent an incident or to handle an ongoing one. Other than this provision and the obligations under the GDPR to notify personal data breaches to the national authority (ie, the Italian Data Protection Authority) and to communicate them to the data subjects (or, where individual communication would involve disproportionate effort, by way of a public communication under article 34(3)(c) GDPR), there are no particular rules requiring threats or cybersecurity breaches to be reported to other members of the same sector.

However, such a requirement may be included in industry codes of conduct, operational guidelines or best practices. It is not uncommon for companies to draft their own data breach and cybersecurity policies and attach them to commercial agreements, so as to make them binding and to allocate liabilities before performance of the contract begins. This may well reduce the risk of IT incidents and require outsourcers to comply with non-negotiable cybersecurity standards and clauses. In addition, where outsourcers act as data processors, such non-negotiable clauses should be reflected in the relevant data processing agreement, in accordance with article 28 GDPR. In such cases, the data processor also has specific duties to cooperate with the data controller with regard to data breach notifications, including the duty under article 33(2) GDPR to notify the controller without undue delay after becoming aware of a personal data breach.

CyberWire Daily Briefing – The CyberWire

Cyber Attacks, Threats, and Vulnerabilities

Beapy: Cryptojacking Worm Hits Enterprises in China (Symantec) Cryptojacking campaign we have dubbed Beapy is exploiting the EternalBlue exploit and primarily impacting enterprises in China.

Cryptomining worm ‘Beapy’ targets Asian enterprises, ignores consumers (SC Media) Researchers have discovered a previously unknown, file-based cryptominer worm that has been heavily targeting enterprises based in Asia.

EternalBlue Exploit Serves Beapy Cryptojacking Campaign (BleepingComputer) A cryptojacking campaign uses NSA’s leaked DoublePulsar backdoor and the EternalBlue exploit to spread a file-based cryptocurrency malware on enterprise networks in China.

The Economy of Credential Stuffing Attacks (Recorded Future) Insikt Group reviews popular tools used by cybercriminals to initiate credential stuffing and explores marketplaces that sell compromised credentials.

An inside look at how credential stuffing operations work (ZDNet) Data breaches, custom software, proxies, IoT botnets, and hacking forums — all play a role.

The Anatomy of Highly Profitable Credential Stuffing Attacks (BleepingComputer) Even though credential stuffing is a popular method used by hacking groups to attack businesses since at least late 2014, there still is a lot to be uncovered about the techniques malicious actors use to run them.

DNSpionage actors adjust tactics, debut new remote administration tool (SC Media) The actors behind DNSpionage DNS hijacking campaign have introduced a new reconnaissance phase and a new malicious remote administration tool, Karkoff.

Emotet Uses Compromised Devices as Proxy Command Servers (BleepingComputer) A new Emotet Trojan variant has been observed in the wild with the added capabilities of using compromised connected devices as proxy command-and-control servers and of employing random URI directory paths to evade network-based detection rules.

ExtraPulsar backdoor based on leaked NSA code – what you need to know (Naked Security) A US security researcher has come up with an open-source Windows backdoor loosely based on NSA attack code that leaked back in 2017.

Qualcomm Critical Flaw Exposes Private Keys For Android Devices (Threatpost) A side-channel attack in Qualcomm technology, which is used by most Android devices, could allow an attacker to snatch private keys.

New Oracle WebLogic zero-day discovered in the wild (ZDNet) Chinese cyber-security firm warns about impending attacks on Oracle WebLogic servers.

Romanian intelligence service outlines cyberattack scenarios during elections (Romania Insider) The National Cyberint Center, part of the Romanian Intelligence Service (SRI), has outlined five scenarios of possible cyberattacks on the IT systems of public institutions during the EU and presidential elections of this year, Agerpres reported.

Fake Social Accounts Multiply; Can Users ID Them? (Infosecurity Magazine) A new quiz tests user ability to detect fake social accounts.

Amazon’s Alexa Data Services team could track users to their homes, claim insiders (Computing) Insiders reveal more about the personal information the Alexa Data Services team are able to read from users’ Alexa personal assistants

Supply Chain Attacks: When Things Go Wrong (Infosecurity Magazine) How supply chain attacks have leveraged the weakest links in security

Browser Security: The Worst Code Injections and How They Work (Security Boulevard) What do browser-based attacks have in common? They target locally installed browsers through malicious code injects.

Avengers: End Game leaked online soon after releasing in China (HackRead) Avengers: End Game has been leaked online because why not?

Security Patches, Mitigations, and Software Updates

ProtonMail now offers elliptic curve cryptography for advanced security and faster speeds (Security Boulevard) Elliptic curve cryptography is the most advanced cryptographic system available. Now ProtonMail is making this technology available to all users.

Cyber Trends

National Security Council cyber chief: Criminals are closing the gap with nation-state hackers (CyberScoop) Cybercriminals are catching up to nation-states’ hacking capabilities, and it’s making attribution more difficult, the National Security Council’s senior director for cybersecurity policy said Thursday. “They’re not five years behind nation-states anymore, because the tools have become more ubiquitous,” said Grant Schneider, who also holds the title of federal CISO…

Cybercriminals are becoming more methodical and adaptive (Help Net Security) Global cybersecurity threats are progressing as organizations improve in areas such as time to detection and response to threats.

New Glasswall-sponsored Research Reveals Security Leaders’ Ongoing Conundrum (BusinessWire) Glasswall Solutions today released its latest research report “Keeping the Enterprise Secure: A Tangled Web of Contradictions,” revealing the increasi

Attacks on Businesses Soar 235% in Q1 (Infosecurity Magazine) Malwarebytes report reveals growth in Trojans and ransomware

Connected devices, legacy systems leave hospitals wide open to cyber attack (Healthcare IT News) A new study from vendor Vectra monitored network traffic for six months to find the most prevalent methods attackers use to gain control and access protected information.

Marketplace

IoT Set to Put Strain on Cyber Skills Market (Infosecurity Magazine) Demand soars for specific roles

Former BAE exec to promote UK cybersecurity ‎exports (Sky News) Dr Henry Pearson will help UK companies bid for contracts with foreign governments and central banks, Sky News understands.

Raytheon services biz continues shift beyond traditional defense (Washington Technology) Raytheon’s government services business continues to bet on itself and partnerships as it pursues more space, cyber and command-and-control opportunities.

Nadella claims Microsoft is the ‘clear leader in cloud security’ as sales rise again (CRN) Azure sees revenue growth of 73 per cent

Dan Gilbert’s Detroit startup has no profits. But it could be worth $1B (Detroit Free Press) Dan Gilbert-backed StockX would mark the third time in the past couple of years that a southeast Michigan startup has become a unicorn.

‘On borrowed time with the arrogance they show’: The most brutal 2019 Vendor Report comments so far (CRN) Which vendor has been castigated for its ‘wide boy’ sales staff, and whose ‘stupid schemes and obscure rebates’ are driving the channel mad?

Armis Raises $65 Million to Accelerate Its 700% Growth in Addressing Massive Enterprise IoT Security Exposure (Armis) Armis, the enterprise IoT security company, today announced it has raised $65 million in Series C …

Canadian Innovation Investment Marks Another Funding Milestone for ISARA Corp. (BusinessWire) With this month’s strategic investment of $7.2 million from Canada’s Strategic Innovation Fund, ISARA Corp., the world’s leading provider of agile qua

DISA Awards Two Contracts to Build a Moat Around the Pentagon’s Internet (Nextgov.com) The two selected vendors will prototype cloud-based systems that isolate the department’s internal network from the public internet while still allowing employees to browse the web.

Collibra appoints new Chief Information Security Officer, Myke Lyons (Collibra) Former ServiceNow executive joins leader in data governance, catalog, and privacy

McLean cybersecurity firm Cyren appoints new CEO (Washington Business Journal) Brett Jackson, former CEO of Digital Reasoning, has been appointed CEO of McLean-based Cyren.

Products, Services, and Solutions

Introducing the threat bounty (Medium) PolySwarm’s threat detection marketplace has created the possibility of a new type of cyber-related bounty: Say hello to the threat…

Center for Internet Security (CIS) Selects Qualys to Provide its Members with Continuous Monitoring of their Internet facing Digital Certificates and SSL/TLS Configurations (PR Newswire) Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of cloud-based security and compliance…

AT&T Cybersecurity develops new AlienApp for Box for highly secure content management in the cloud (Alien Vault) Today, I’m excited to share that we have released AlienApp for Box, a new security integration between AT&T Cybersecurity and Box, a leader in cloud content management. This new feature within USM Anywhere takes advantage of Box’s granular logging capabilities and powerful APIs to add an additional layer of security for Box Enterprise customers that enables you to monitor your Box environments for potential threats and malicious activities. With the AlienApp for Box, you can enhanc

Protiviti Offers Cyber Risk Quantification Through New Partnership with RiskLens (PR Newswire) Global consulting firm Protiviti has launched a Cyber Risk Quantification as a Service offering in alliance…

United Bulgarian Bank Selects OneSpan to Help Fight Social Engineering and Mobile Malware Attacks (West) Leading bank implements OneSpan’s Cronto and Mobile Security Suite to protect online and mobile banking applications while meeting PSD2 Requirements

Fortinet Claims Industry’s First SD-WAN ASIC (Virtualization Review) Security specialist Fortinet announced what it claims is the industry’s first application-specific integrated circuit for the burgeoning software-defined wide-area networking space.

Centrify Achieves FedRAMP Authorization (Yahoo) Federal agencies can now accelerate cloud deployments by securing privileged access with Centrify cloud-ready Zero Trust Privilege Services

ESET Partners with Alphabet’s Chronicle (AP NEWS) ESET, a global leader in cybersecurity, today announced it has partnered with Chronicle, an Alphabet company, to provide essential validation on security incidents and alerts within Backstory, Chronicle’s global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential attacks.

Technologies, Techniques, and Standards

NATO arms itself for cyberwar (Tagespiegel) Virtual and yet entirely real: NATO is practising with IT experts from almost 30 countries in Tallinn to fend off attacks on its infrastructure.

Fort Bragg cut power for thousands to test ‘real-world reactions’ to a cyber-attack (Miami Herald) Fort Bragg Army base in eastern North Carolina went into a “blackout” for more than 12 hours as part of cyber attack military exercise. The base sought to see ‘real world reactions’ to a power outage.

Twitter launches reporting tool to curb misinformation during campaigns (Washington Post) It allows users to flag posts that attempt to mislead users about registering to vote or cast a ballot; identification requirements; and the date and time of an election.

Are election tech vendors making the right cybersecurity moves? (CyberScoop) Election tech companies are telling the world they are fixing their cybersecurity issues. Will the changes they make satisfy everyone ahead of 2020?

How to Easily Spot and Avoid Apple ID Phishing Scams (Heimdal Security Blog) Apple ID users are frequent targets of phishing scams. Here is how the Apple ID phishing scams work and what you can do to avoid them.

What does a threat intelligence team do? (Enterprise Times) Joel Cedersjö, Threat Intelligence Manager, NTT Security explains what a threat intelligence team does and who he recruits.

Research and Development

Quantum Xchange Tests Toshiba’s Quantum Key Distribution System; Doubles Network Capacity with Optical Multiplexing (BusinessWire) Quantum Xchange has collaborated with Toshiba Corporation to double the capacity of Phio, the first nationwide QKD network in the U.S.

Legislation, Policy, and Regulation

Putin won the battle, but the outcome of the war is still uncertain (Center for Public Integrity) The Kremlin’s election triumph has been undermined by Mueller’s disclosures and by Washington’s renewed strategic wariness.

Information Warfare Is Here To Stay (Foreign Affairs) States have always fought for the means of communication.

Five Eyes cyber summit – five things we learned (PublicTechnology.net) If you spend too much time in certain poorly illuminated corners of the internet, you will find a fair few people who characterise the Five Eyes intelligence alliance as a front for a shadowy cabal committed to spying on citizens, no doubt while spreading chemtrails and pulling the strings of the New World Order.

Is Cyber Command really being more ‘aggressive’ in cyberspace? (Fifth Domain) Some inside and outside government are careful to couch new cyber authorities as offensive in nature, saying they allow greater flexibility in defense.

Huawei Still Has Friends in Europe, Despite US Warnings (WIRED) The UK appears ready to allow Huawei gear in “non-core” parts of its 5G network. Many European countries rely heavily on Chinese equipment.

Here’s which leading countries have barred, and welcomed, Huawei’s 5G technology (CNBC) Huawei has faced mounting political pressure as the U.S. asks other countries to block the Chinese firm from being involved in 5G networks.

Federal CISO Wants To Move Beyond ‘Whack-a-Mole’ Supply Chain Security (Nextgov) Sweeping bans on Kaspersky Lab, ZTE and Huawei products were the right move, but Grant Schneider thinks the government needs a more scalable approach.

U.K. Cybersecurity Agency Won’t Tip Regulator on Breaches (Bloomberg) Policy to allay fears of GDPR chill on information sharing. Data regulator reiterates legal duty to notify it of breaches.

Should Canadian technology be used to stifle free speech? (National Post) Opinion: Canadian-made technology seems to be enabling the Egyptian regime to block access to tens of thousands of internet sites

Spain on the front line of election security ahead of EU-wide poll (Daily Swig) Combating disinformation and election meddling, one bot at a time

State of Washington Expands Breach Notice Laws (Infosecurity Magazine) Companion bills try to give citizens the right to know what data companies are collecting.

Litigation, Investigation, and Law Enforcement

Sri Lankan spice tycoon’s sons and daughter-in-law were suicide bombers in Easter attacks (Washington Post) The explosions around the country Sunday killed 359 people.

Sri Lankan attacks example of ISIS spreading from Iraq, Syria into Afghanistan: Iran FM Zarif (Business Standard) The Islamic State (ISIS) has been “airlifted” from Iraq and Syria into Afghanistan and one example of it is the barbaric attack in Sri Lanka on Easter Sunday, Iran’s Foreign Minister Mohammad Javad Zarif said here.

Sri Lanka tourists warned of more terror (Times) The Foreign Office has warned against all but essential travel to Sri Lanka amid fears that Islamist terrorists are preparing more attacks after the Easter Sunday bombings. Sri Lankan police…

Sri Lanka’s Christians and Muslims Weren’t Enemies (Foreign Policy) The country’s real divide has been between Buddhists and Muslims, but the Easter attacks may change all that.

Ultimatum to cabinet ministers in Huawei leak investigation (Guardian) Senior figures in Theresa May’s cabinet deny role in leaking details of vote in National Security Council meeting

Calls for criminal inquiry as top ministers deny Huawei security leak (Times) Jeremy Hunt led a chorus of denials from senior ministers last night that they were responsible for the first known leak from Britain’s top national security body. Theresa May came under pressure…

Minister says ‘criminal inquiry’ possible into leak of Huawei decision over new 5G network (The Telegraph) Jeremy Wright, the Culture Secretary, has refused to rule out a criminal inquiry into the leak of a Government decision to allow Chinese telecommunications giant Huawei to work on the UK’s new 5G mobile network.

How the case against Maria Butina began to crumble (CNN) Prosecutors have recanted some allegations and already dropped one charge against her as part of a plea deal.

Facebook hit with three privacy investigations in a single day (TechCrunch) Third time lucky — unless you’re Facebook . The social networking giant was hit Thursday by a trio of investigations over its privacy practices following a particularly tumultuous month of security lapses and privacy violations — the latest in a string of embarrassing and damaging breaches at…

Canada accuses Facebook of breaking privacy laws, promises to take the company to court (Washington Post) Canadian regulators on Thursday found that Facebook committed “serious” breaches of local laws over its mishandling of users’ personal information, announcing they would take the company to court to force it to change its privacy practices.

Facebook says it filed a US lawsuit to shut down a follower-buying service in New Zealand (TechCrunch) Facebook is cracking down on services that promise to help Instagram users buy themselves a large following on the photo app. The social network said today that it has filed a lawsuit against a New Zealand-based company that operates one such ‘follower-buying service.’ The suit is in a …

Poland joins Europol’s cyber-crime taskforce (Global Government Forum) Poland has become the latest country to join an international initiative to tackle the growing problem of cyber-crime, such as payment fraud and malware. Europol, the European Union’s law-enforcement agency headquartered in The Hague, has announced that the country has deployed a cybercrime speci

Analysis | The Cybersecurity 202: Cybersecurity proposal pits cyber pros against campaign finance hawks (Washington Post) Ex-Clinton and Romney aides want to help campaigns combat foreign hackers

Teen sues Apple for $1 billion over Apple stores’ facial recognition (Naked Security) He claims that Apple allegedly uses the technology to spot shoplifters and that it falsely linked him to a series of Apple store thefts.

Daily Briefing – The CyberWire

Cyber Attacks, Threats, and Vulnerabilities

Beapy: Cryptojacking Worm Hits Enterprises in China (Symantec) Cryptojacking campaign we have dubbed Beapy is exploiting the EternalBlue exploit and primarily impacting enterprises in China.

Cryptomining worm ‘Beapy’ targets Asian enterprises, ignores consumers (SC Media) Researchers have discovered a previously unknown, file-based cryptominer worm that has been heavily targeting enterprises based in Asia.

EternalBlue Exploit Serves Beapy Cryptojacking Campaign (BleepingComputer) A cryptojacking campaign uses NSA’s leaked DoublePulsar backdoor and the EternalBlue exploit to spread a file-based cryptocurrency malware on enterprise networks in China.

The Economy of Credential Stuffing Attacks (Recorded Future) Insikt Group reviews popular tools used by cybercriminals to initiate credential stuffing and explores marketplaces that sell compromised credentials.

An inside look at how credential stuffing operations work (ZDNet) Data breaches, custom software, proxies, IoT botnets, and hacking forums — all play a role.

The Anatomy of Highly Profitable Credential Stuffing Attacks (BleepingComputer) Even though credential stuffing is a popular method used by hacking groups to attack businesses since at least late 2014, there still is a lot to be uncovered about the techniques malicious actors use to run them.

DNSpionage actors adjust tactics, debut new remote administration tool (SC Media) The actors behind the DNSpionage DNS hijacking campaign have introduced a new reconnaissance phase and a new malicious remote administration tool, Karkoff.

Emotet Uses Compromised Devices as Proxy Command Servers (BleepingComputer) A new Emotet Trojan variant has been observed in the wild with the added capabilities of using compromised connected devices as proxy command-and-control servers and of employing random URI directory paths to evade network-based detection rules.

ExtraPulsar backdoor based on leaked NSA code – what you need to know (Naked Security) A US security researcher has come up with an open-source Windows backdoor loosely based on NSA attack code that leaked back in 2017.

Qualcomm Critical Flaw Exposes Private Keys For Android Devices (Threatpost) A side-channel attack in Qualcomm technology, which is used by most Android devices, could allow an attacker to snatch private keys.

New Oracle WebLogic zero-day discovered in the wild (ZDNet) Chinese cyber-security firm warns about impending attacks on Oracle WebLogic servers.

Romanian intelligence service outlines cyberattack scenarios during elections (Romania Insider) The National Cyberint Center, part of the Romanian Intelligence Service (SRI), has outlined five scenarios of possible cyberattacks on the IT systems of public institutions during the EU and presidential elections of this year, Agerpres reported.

Fake Social Accounts Multiply; Can Users ID Them? (Infosecurity Magazine) A new quiz tests user ability to detect fake social accounts.

Amazon’s Alexa Data Services team could track users to their homes, claim insiders (Computing) Insiders reveal more about the personal information the Alexa Data Services team are able to read from users’ Alexa personal assistants

Supply Chain Attacks: When Things Go Wrong (Infosecurity Magazine) How supply chain attacks have leveraged the weakest links in security

Browser Security: The Worst Code Injections and How They Work (Security Boulevard) What do browser-based attacks have in common? They target locally installed browsers through malicious code injects.

Avengers: End Game leaked online soon after releasing in China (HackRead) Avengers: End Game has been leaked online because why not?

Security Patches, Mitigations, and Software Updates

ProtonMail now offers elliptic curve cryptography for advanced security and faster speeds (Security Boulevard) Elliptic curve cryptography is the most advanced cryptographic system available. Now ProtonMail is making this technology available to all users.

Cyber Trends

National Security Council cyber chief: Criminals are closing the gap with nation-state hackers (CyberScoop) Cybercriminals are catching up to nation-states’ hacking capabilities, and it’s making attribution more difficult, the National Security Council’s senior director for cybersecurity policy said Thursday. “They’re not five years behind nation-states anymore, because the tools have become more ubiquitous,” said Grant Schneider, who also holds the title of federal CISO…

Cybercriminals are becoming more methodical and adaptive (Help Net Security) Global cybersecurity threats are progressing as organizations improve in areas such as time to detection and response to threats.

New Glasswall-sponsored Research Reveals Security Leaders’ Ongoing Conundrum (BusinessWire) Glasswall Solutions today released its latest research report “Keeping the Enterprise Secure: A Tangled Web of Contradictions,” revealing the increasi

Attacks on Businesses Soar 235% in Q1 (Infosecurity Magazine) Malwarebytes report reveals growth in Trojans and ransomware

Connected devices, legacy systems leave hospitals wide open to cyber attack (Healthcare IT News) A new study from vendor Vectra monitored network traffic for six months to find the most prevalent methods attackers use to gain control and access protected information.

Marketplace

IoT Set to Put Strain on Cyber Skills Market (Infosecurity Magazine) Demand soars for specific roles

Former BAE exec to promote UK cybersecurity exports (Sky News) Dr Henry Pearson will help UK companies bid for contracts with foreign governments and central banks, Sky News understands.

Raytheon services biz continues shift beyond traditional defense (Washington Technology) Raytheon’s government services business continues to bet on itself and partnerships as it pursues more space, cyber and command-and-control opportunities.

Nadella claims Microsoft is the ‘clear leader in cloud security’ as sales rise again (CRN) Azure sees revenue growth of 73 per cent

Dan Gilbert’s Detroit startup has no profits. But it could be worth $1B (Detroit Free Press) Dan Gilbert-backed StockX would mark the third time in the past couple of years that a southeast Michigan startup has become a unicorn.

‘On borrowed time with the arrogance they show’: The most brutal 2019 Vendor Report comments so far (CRN) Which vendor has been castigated for its ‘wide boy’ sales staff, and whose ‘stupid schemes and obscure rebates’ are driving the channel mad?

Armis Raises $65 Million to Accelerate Its 700% Growth in Addressing Massive Enterprise IoT Security Exposure (Armis) Armis, the enterprise IoT security company, today announced it has raised $65 million in Series C …

Canadian Innovation Investment Marks Another Funding Milestone for ISARA Corp. (BusinessWire) With this month’s strategic investment of $7.2 million from Canada’s Strategic Innovation Fund, ISARA Corp., the world’s leading provider of agile qua

DISA Awards Two Contracts to Build a Moat Around the Pentagon’s Internet (Nextgov.com) The two selected vendors will prototype cloud-based systems that isolate the department’s internal network from the public internet while still allowing employees to browse the web.

Collibra appoints new Chief Information Security Officer, Myke Lyons (Collibra) Former ServiceNow executive joins leader in data governance, catalog, and privacy

McLean cybersecurity firm Cyren appoints new CEO (Washington Business Journal) Brett Jackson, former CEO of Digital Reasoning, has been appointed CEO of McLean-based Cyren.

Products, Services, and Solutions

Introducing the threat bounty (Medium) PolySwarm’s threat detection marketplace has created the possibility of a new type of cyber-related bounty: Say hello to the threat…

Center for Internet Security (CIS) Selects Qualys to Provide its Members with Continuous Monitoring of their Internet facing Digital Certificates and SSL/TLS Configurations (PR Newswire) Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of cloud-based security and compliance…

AT&T Cybersecurity develops new AlienApp for Box for highly secure content management in the cloud (Alien Vault) Today, I’m excited to share that we have released AlienApp for Box, a new security integration between AT&T Cybersecurity and Box, a leader in cloud content management. This new feature within USM Anywhere takes advantage of Box’s granular logging capabilities and powerful APIs to add an additional layer of security for Box Enterprise customers that enables you to monitor your Box environments for potential threats and malicious activities. With the AlienApp for Box, you can enhanc

Protiviti Offers Cyber Risk Quantification Through New Partnership with RiskLens (PR Newswire) Global consulting firm Protiviti has launched a Cyber Risk Quantification as a Service offering in alliance…

United Bulgarian Bank Selects OneSpan to Help Fight Social Engineering and Mobile Malware Attacks (West) Leading bank implements OneSpan’s Cronto and Mobile Security Suite to protect online and mobile banking applications while meeting PSD2 Requirements

Fortinet Claims Industry’s First SD-WAN ASIC (Virtualization Review) Security specialist Fortinet announced what it claims is the industry’s first application-specific integrated circuit for the burgeoning software-defined wide-area networking space.

Centrify Achieves FedRAMP Authorization (Yahoo) Federal agencies can now accelerate cloud deployments by securing privileged access with Centrify cloud-ready Zero Trust Privilege Services

ESET Partners with Alphabet’s Chronicle (AP NEWS) ESET, a global leader in cybersecurity, today announced it has partnered with Chronicle, an Alphabet company, to provide essential validation on security incidents and alerts within Backstory, Chronicle’s global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential attacks.

Technologies, Techniques, and Standards

NATO prepares for cyber war (Tagesspiegel) Virtual and yet very real: NATO is practising with IT experts from almost 30 countries in Tallinn to fend off attacks on its infrastructure.

Fort Bragg cut power for thousands to test ‘real-world reactions’ to a cyber-attack (Miami Herald) Fort Bragg Army base in eastern North Carolina went into a “blackout” for more than 12 hours as part of a cyber attack military exercise. The base sought to see ‘real world reactions’ to a power outage.

Twitter launches reporting tool to curb misinformation during campaigns (Washington Post) It allows users to flag posts that attempt to mislead users about registering to vote or cast a ballot; identification requirements; and the date and time of an election.

Are election tech vendors making the right cybersecurity moves? (CyberScoop) Election tech companies are telling the world they are fixing their cybersecurity issues. Will the changes they make satisfy everyone ahead of 2020?

How to Easily Spot and Avoid Apple ID Phishing Scams (Heimdal Security Blog) Apple ID users are frequent targets of phishing scams. Here is how the Apple ID phishing scams work and what you can do to avoid them.

What does a threat intelligence team do? (Enterprise Times) Joel Cedersjö, Threat Intelligence Manager, NTT Security explains what a threat intelligence team does and who he recruits.

Research and Development

Quantum Xchange Tests Toshiba’s Quantum Key Distribution System; Doubles Network Capacity with Optical Multiplexing (BusinessWire) Quantum Xchange has collaborated with Toshiba Corporation to double the capacity of Phio, the first nationwide QKD network in the U.S.

Legislation, Policy, and Regulation

Putin won the battle, but the outcome of the war is still uncertain (Center for Public Integrity) The Kremlin’s election triumph has been undermined by Mueller’s disclosures and by Washington’s renewed strategic wariness.

Information Warfare Is Here To Stay (Foreign Affairs) States have always fought for the means of communication.

Five Eyes cyber summit – five things we learned (PublicTechnology.net) If you spend too much time in certain poorly illuminated corners of the internet, you will find a fair few people who characterise the Five Eyes intelligence alliance as a front for a shadowy cabal committed to spying on citizens, no doubt while spreading chemtrails and pulling the strings of the New World Order.

Is Cyber Command really being more ‘aggressive’ in cyberspace? (Fifth Domain) Some inside and outside government are careful to couch new cyber authorities as offensive in nature, saying they allow greater flexibility in defense.

Huawei Still Has Friends in Europe, Despite US Warnings (WIRED) The UK appears ready to allow Huawei gear in “non-core” parts of its 5G network. Many European countries rely heavily on Chinese equipment.

Here’s which leading countries have barred, and welcomed, Huawei’s 5G technology (CNBC) Huawei has faced mounting political pressure as the U.S. asks other countries to block the Chinese firm from being involved in 5G networks.

Federal CISO Wants To Move Beyond ‘Whack-a-Mole’ Supply Chain Security (Nextgov) Sweeping bans on Kaspersky Lab, ZTE and Huawei products were the right move, but Grant Schneider thinks the government needs a more scalable approach.

U.K. Cybersecurity Agency Won’t Tip Regulator on Breaches (Bloomberg) Policy to allay fears of GDPR chill on information sharing. Data regulator reiterates legal duty to notify it of breaches.

Should Canadian technology be used to stifle free speech? (National Post) Opinion: Canadian-made technology seems to be enabling the Egyptian regime to block access to tens of thousands of internet sites

Spain on the front line of election security ahead of EU-wide poll (Daily Swig) Combating disinformation and election meddling, one bot at a time

State of Washington Expands Breach Notice Laws (Infosecurity Magazine) Companion bills try to give citizens the right to know what data companies are collecting.

Litigation, Investigation, and Law Enforcement

Sri Lankan spice tycoon’s sons and daughter-in-law were suicide bombers in Easter attacks (Washington Post) The explosions around the country Sunday killed 359 people.

Sri Lankan attacks example of ISIS spreading from Iraq, Syria into Afghanistan: Iran FM Zarif (Business Standard) The Islamic State (ISIS) has been “airlifted” from Iraq and Syria into Afghanistan and one example of it is the barbaric attack in Sri Lanka on Easter Sunday, Iran’s Foreign Minister Mohammad Javad Zarif said here.

Sri Lanka tourists warned of more terror (Times) The Foreign Office has warned against all but essential travel to Sri Lanka amid fears that Islamist terrorists are preparing more attacks after the Easter Sunday bombings. Sri Lankan police…

Sri Lanka’s Christians and Muslims Weren’t Enemies (Foreign Policy) The country’s real divide has been between Buddhists and Muslims, but the Easter attacks may change all that.

Ultimatum to cabinet ministers in Huawei leak investigation (Guardian) Senior figures in Theresa May’s cabinet deny role in leaking details of vote in National Security Council meeting

Calls for criminal inquiry as top ministers deny Huawei security leak (Times) Jeremy Hunt led a chorus of denials from senior ministers last night that they were responsible for the first known leak from Britain’s top national security body. Theresa May came under pressure…

Minister says ‘criminal inquiry’ possible into leak of Huawei decision over new 5G network (The Telegraph) Jeremy Wright, the Culture Secretary, has refused to rule out a criminal inquiry into the leak of a Government decision to allow Chinese telecommunications giant Huawei to work on the UK’s new 5G mobile network.

How the case against Maria Butina began to crumble (CNN) Prosecutors have recanted some allegations and already dropped one charge against her as part of a plea deal.

Facebook hit with three privacy investigations in a single day (TechCrunch) Third time lucky — unless you’re Facebook. The social networking giant was hit Thursday by a trio of investigations over its privacy practices following a particularly tumultuous month of security lapses and privacy violations — the latest in a string of embarrassing and damaging breaches at…

Canada accuses Facebook of breaking privacy laws, promises to take the company to court (Washington Post) Canadian regulators on Thursday found that Facebook committed “serious” breaches of local laws over its mishandling of users’ personal information, announcing they would take the company to court to force it to change its privacy practices.

Facebook says it filed a US lawsuit to shut down a follower-buying service in New Zealand (TechCrunch) Facebook is cracking down on services that promise to help Instagram users buy themselves a large following on the photo app. The social network said today that it has filed a lawsuit against a New Zealand-based company that operates one such ‘follower-buying service.’ The suit is in a …

Poland joins Europol’s cyber-crime taskforce (Global Government Forum) Poland has become the latest country to join an international initiative to tackle the growing problem of cyber-crime, such as payment fraud and malware. Europol, the European Union’s law-enforcement agency headquartered in The Hague, has announced that the country has deployed a cybercrime speci

Analysis | The Cybersecurity 202: Cybersecurity proposal pits cyber pros against campaign finance hawks (Washington Post) Ex-Clinton and Romney aides want to help campaigns combat foreign hackers

Teen sues Apple for $1 billion over Apple stores’ facial recognition (Naked Security) He claims that Apple allegedly uses the technology to spot shoplifters and that it falsely linked him to a series of Apple store thefts.

Thriving with technology in Greece – Brookings Institution

After a decade of turmoil, Greece is looking toward a better future—a future of economic recovery, lower unemployment and rising living standards. But 10 years is a long time in the world of technology. Recovery will make life better, but it will not take Greeks back to the pre-crisis world of the mid-2000s. As the Greek economy slid into recession, technological change in the world accelerated noticeably. Greece is returning to a global economy that has been radically transformed.

Before the economic crisis hit Greece, digital transformation and automation was a niche topic outside of a few countries like Japan. The world was in the midst of its last artificial intelligence (AI) winter. Europe was losing jobs to lower-wage economies in Asia, not to machines. Today, things are completely different. Digital technologies are disrupting the prospects for firms, workers, and consumers. Firms in the digital economy—often in the U.S. and China—are racking up record profits way in excess of Europe’s most productive global leaders in manufacturing. Jobs across Europe are increasingly about nonroutine, cognitive, and interpersonal tasks that cannot easily be automated, and machines are gradually taking over manual and routine tasks.

Greece is no different, and its policymakers are contemplating how to take advantage of new opportunities, while managing the disruptive effects. They are dealing with questions that are not easy to answer. Will tech hold Greece back or accelerate its recovery? Does Greece have the wherewithal to thrive in a world of accelerating technological change?

Recent work by the World Bank gives some clues. Countries can thrive with technology if they boost opportunities for people to succeed in the new labor market and for firms to leverage tech for improved productivity. Opportunities for people come mainly through better education: higher enrollments and more graduates with the right skills. Opportunities for firms come through investments in connective infrastructure and broadband access. But firms also have to get aggressive about adopting new technology. For this, they need new managerial competencies and a business environment that encourages investment and innovation. The real question is: Does Greece have what it takes?

Opportunities for people

Greece’s position in education is relatively strong: 44 percent of 30- to 34-year-olds have a higher education degree, compared to the European Union average of 40 percent. Greece also has a tradition of science and technology; it has a relatively high share of STEM graduates, for example. But Greece has not managed to provide enough jobs for them. The result is that Greece has been exporting its talent, especially in tech, instead of allowing it to thrive at home. What’s worse, Greece is struggling to ensure that its future generations of workers have the right foundational skills. More than a third of Greek 15-year-olds failed to achieve basic proficiency in mathematics in the 2015 Program for International Student Assessment (PISA). They are poorly prepared for the new tech-driven labor market and for lifelong learning (Figure 1).

Figure 1: 35 percent of Greek 15-year-olds struggle with mathematics

Opportunities for firms

In the business environment, the situation is equally mixed. On the one hand, Greece has managed to engineer a quick catch-up to the EU leaders in broadband access. On the other, few firms are taking advantage of it for e-commerce and other tech-enabled operations. What’s more, Europe’s economies are seeing a widening productivity divide between large and small firms, as larger firms are quicker to adopt new technologies (Figure 2). Greece has an unusually large share of small firms and microenterprises, so it risks falling even farther behind. And much remains to be done in improving the general environment faced by Greek businesses. Greece still lags its OECD peers in the World Bank’s Doing Business assessment, and its labor taxes are among the highest in the OECD.

Figure 2: Greece has seen a growing productivity divide between small and large firms

And yet, while the economic crisis ravaged Greece’s economy and traditional sectors, entrepreneurs in Athens have produced new tech success stories with global reach, such as the mobile platform Upstream, the recruitment software Workable, and the taxi app Beat recently acquired by a Daimler subsidiary and operating in capital cities in Latin America. Moreover, the tech sector’s innovative spirit is beginning to spill over into other sectors such as agriculture, where technology and modern farming practices have jump-started agricultural productivity on some Greek farms. Greece is also not a minor player in cutting-edge digital technology research and development in the EU. Greek enterprises, universities, and research institutions are prominent in Horizon 2020, the big EU program for research and technological development, placing Greece within the top seven countries in Horizon 2020-supported tech research and development in the EU.

What Greece now has to do

Greece can thrive with technology by leveraging its many strengths. This starts with mobilizing its large share of STEM graduates and linking them and their alma maters with the nascent tech sector. Global networks matter more than ever before. While Greece’s long-standing brain drain has worsened during the crisis years, its diaspora offers new opportunities for Greece’s tech sector to connect with entrepreneurs, investors, and scientists around the world.

But even as Greece sets its sights on a digital future, it needs to get its analog fundamentals right. It has to fix its school system to make sure that all students obtain the necessary foundation skills in reading, mathematics, science, and problem-solving. It has to improve the business environment, helping firms raise managerial skills and reducing labor taxes to incentivize firms to create more jobs. And it has to attract foreign direct investment in both manufacturing and services by reducing policy uncertainty.

UMass Transportation Center and Sara’s Wish Foundation Receive Safe System Innovation Grant From the Road to Zero Coalition – UMass News and Media Relations

AMHERST, Mass. – The University of Massachusetts Transportation Center (UMTC) and Sara’s Wish Foundation (SWF) have received a one-year, $83,147 Safe System Innovation Grant from the Road to Zero Coalition to advance their collaborative effort to end traffic fatalities by 2050 by promoting seat belt use on motor coaches.

The grant will help SWF and UMTC create an effective national motor coach seatbelt educational campaign “kit” to be distributed to motor coach operators. It includes easy-to-implement templates of actions including formal announcements made by the motor coach driver, a video via an in-vehicle monitor or internet-based application, promotional banners at the entrance to the motor coach and in the terminal waiting area, text or email messages sent to riders, digital messages promoting seatbelt usage when tickets are purchased online as well as a simple message printed on the ticket and also attached to the back of each seat: e.g., “Be Safe, Sit, Click and Ride.”

“The expectations are that this campaign ‘kit’ will enable motor coach operators to make passengers aware of the benefits of wearing seatbelts and that this awareness will convince passengers that seatbelts can save their lives and reduce the severity of injuries in crashes. This in turn is expected to lead to increases in motor coach seatbelt usage,” says Anne Schewe, SWF president.

UMTC Director Professor Michael Knodler says, “The need to continue to focus on promoting seatbelt usage especially along our busy, high speed highways, is of paramount importance. And it makes good sense in light of the fact that all new buses since 2016 are required by law to be equipped with seatbelts, a multi-million dollar investment made annually by motor coach operators. Based on a small, preliminary survey conducted jointly by SWF and UMTC, current seatbelt usage on motor coaches may be on the order of 1 percent.”

The SWF and UMTC program will include: “before” seatbelt usage counts along motor coach routes in selected locations in the United States; the development of a comprehensive plan to educate motor coach passengers about the benefits of wearing seatbelts and to persuade passengers to wear their seatbelts (where installed); implementation and evaluation of the comprehensive plan with the aid of “after” seatbelt usage counts; post-implementation focus groups; and the final preparation and distribution of the campaign “kit.” SWF and UMTC have a long history of working with U.S. DOT agencies including Federal Motor Carrier Safety Administration, National Highway Traffic Safety Administration, and the Federal Highway and Transit Administrations as well as the American Bus Association, United Motor Coach Association, Greyhound, Peter Pan Bus Lines, and other motor coach industry stakeholders.

The Road to Zero initiative was launched in 2016 as a joint effort between the National Highway Traffic Safety Administration, the Federal Highway Administration, the Federal Motor Carrier Safety Administration, and the National Safety Council. The goal is to eliminate roadway deaths by 2050. The Department of Transportation committed $1 million annually from 2017 to 2019 and an additional $500,000 in 2018 to fund Safe System Innovation Grants, and the National Safety Council is managing the grant process. For more information, visit nsc.org/roadtozero.

Sara’s Wish Foundation was established to perpetuate the memory of Sara Christie Schewe, the daughter of Anne and Charles Schewe, professor emeritus of marketing at UMass Amherst. In 1996, Sara was killed in a fatal bus crash along with six others, including three classmates, while participating in a study abroad program. The mission of the foundation is to sustain Sara’s living spirit by promoting travel safety standards and practices around the globe and by providing financial support to young women working in the areas of education, health care and/or public service in the global community. www.saraswish.org

UMass Transportation Center (UMTC) conducts transportation research, education, and training activities to improve transportation mobility and safety with innovative technologies and institutional strategies and partnerships. The UMassSafe Program, a multidisciplinary traffic safety research program housed in UMTC, works with many federal and state transportation safety agencies and transportation industry partners. UMassSafe collects and analyzes crash related data, provides online data access, develops training materials and examines data quality challenges within the databases, providing recommendations for safety improvements to save lives and to reduce injury severity. www.umasstransportationcenter.org

How one country blocks the world on data privacy – POLITICO

Last May, Europe imposed new data privacy guidelines that carry the hopes of hundreds of millions of people around the world — including in the United States — to rein in abuses by big tech companies.

Almost a year later, it’s apparent that the new rules have a significant loophole: The designated lead regulator — the tiny nation of Ireland — has yet to bring an enforcement action against a big tech firm.

That’s not entirely surprising. Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters.

Now, data-privacy experts and regulators in other countries alike are questioning Ireland’s commitment to policing imminent privacy concerns like Facebook’s reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp, and Google’s sharing of information across its burgeoning number of platforms.

Interviews with scores of privacy experts, data watchdogs, academics and regulators in other countries reveal increasing concern that the landmark General Data Protection Regulation, the product of years of wrangling with data companies, is vulnerable because of the one provision on which the tech companies prevailed: That the lead regulator be in the country in which the tech firms have their “data controller” – in most cases, Ireland.

“We need to be careful and ensure that the margin for maneuver given by the GDPR doesn’t lead to an attractiveness competition between EU countries, as is already the case for taxation,” Marie-Laure Denis, France’s new chief privacy regulator, warned the French parliament in January, in a clear reference to Ireland. “I don’t want to see a race [between EU countries] to attract or keep the headquarters of the big tech actors.”

Leaving open a loophole

Ireland’s willingness to crack down on the companies that dominate its economy has long been questionable, even when its regulatory officials spot a potential violation. Such a situation developed with Facebook in 2011, in events detailed here for the first time.

Years before the social-media giant unwittingly released the personal data of 87 million users that made its way to Cambridge Analytica and the 2016 Trump campaign, Ireland’s data-privacy regulator found that it was failing to screen applications in a way that could have prevented the breach.

The then-head of Ireland’s Data Protection Commission recorded his complaint in a 2011 audit report that zeroed in on how Facebook was allowing outside app developers to gain access to oceans of “friend” data. Facebook pushed back on the finding, according to the agency, and the Irish regulator backed off, issuing an almost perfect score for Facebook’s privacy practices in a follow-up report a year later. The rampant exposure of data wasn’t corrected until years later — too late to prevent the Cambridge Analytica breach.

Ireland’s failure to safeguard huge stores of personal information looms larger now that the country is the primary regulator responsible for protecting the health information, email addresses, financial records, relationship status, search histories and friend lists for hundreds of millions of Americans, Europeans and other users around the globe.

Already, regulators in other countries are expressing concern over Ireland’s failure this year to crack down on Facebook’s sharing of data with the messaging tool WhatsApp, which it purchased in 2014.

According to the EU, Facebook misled European officials into believing the two networks would not exchange information, thereby allaying concerns at the time of the merger that WhatsApp users could be drawn into Facebook’s web. In 2016, a German court found that the two networks were indeed sharing data, and barred Facebook and WhatsApp from exchanging information about German users. The ban became unenforceable when the GDPR took effect and Ireland became the lead supervisory authority. Now, German authorities say the sharing has resumed and Ireland must crack down. For their part, Irish officials said in a statement they’re satisfied that Facebook and WhatsApp aren’t sharing information for the purposes of “friend suggestion or enhanced advertising.”

Meanwhile, Facebook took advantage of Ireland’s assumption of the lead regulator role last May to reintroduce its facial recognition tool, which had been banned in the EU out of fear that photos would be used to track people without their permission. Facebook says it will not utilize the photo data until it receives consent from individuals. But other EU regulators and privacy lawyers contend that merely storing the photographs amounts to an unauthorized taking of data under GDPR rules. Although Irish authorities have suggested they share many of the lawyers’ concerns and have begun a preliminary “examination,” they have yet to launch a formal probe.

Google, meanwhile, aroused the ire of regulators in other countries last year by failing to obtain consent before sharing data among its fast-growing line of networks and products — from YouTube to Google Photos to Gmail and more. Irish regulators declined to open a probe against Google, which had consolidated most of its operations for Europe, Middle East and Africa in Ireland, arguing that the company had not yet finished the paperwork that would give Irish regulators “lead supervisory authority.” The paperwork was finished in January, but Ireland has yet to announce an investigation.

Critics, including German authorities, insist that the Irish Data Protection Commission had the authority to launch a probe without Google’s consent, and should have done so. Meanwhile, France stepped in to issue its first-ever fine under GDPR against the company for €50 million.

The head of the Irish Data Protection Commission, Helen Dixon, declined requests for interviews. Her spokesman, Graham Doyle, wrote in an emailed response to POLITICO’s questions that the commission takes its regulatory responsibilities seriously and has 16 investigations underway, probing complaints against networks including Twitter, WhatsApp, Instagram, LinkedIn, and Apple, along with seven probes involving Facebook.

The Irish Data Protection Commission is “one of the most strongly resourced data protection authorities in Europe” and stands ready to impose “fines and firm remedies when appropriate,” he wrote.

Doyle said the commission, which earlier this decade was so obscure it was headquartered in a small office above a convenience store in the tiny village of Portarlington, is recruiting state-of-the-industry experts to join its staff of approximately 140 people currently working out of temporary offices in Dublin, with a goal of eventually employing 180 people.

He noted the agency’s tough new enforcement powers include fines of up to 4 percent of a company’s annual worldwide revenues and cited the agency’s willingness to enforce privacy rules by pointing to a pre-GDPR case in which Irish regulators ordered LinkedIn to delete data on nonmembers.

He rejected any suggestion that the agency is being overly deferential to companies under its purview, but added: “Those with an interest in data protection don’t always agree on every point, and we respect that.”

Nonetheless, regulators in other EU countries, particularly Germany, remain skeptical, maintaining that Ireland is letting major complaints slide and creating the risk of a regulatory safe zone in Europe. So, too, are independent experts who are familiar with the actions of the Irish Data Protection Commission.

“It’s the appearance of an investigation rather than the substance of one,” said the independent Dublin-based data management consultant Daragh O’Brien, referring to Ireland’s data enforcement culture, which he scrutinizes closely.

Max Schrems, an Austrian privacy advocate behind some of the most successful legal challenges against major technology companies, said he believes Ireland’s approach to regulation is more or less unchanged since 2012.

“They’ve basically gotten smarter about not doing things,” said Schrems, whose initial complaint about transatlantic sharing of data was thrown out by the Irish regulator in 2013, only to succeed in European courts, bringing down the transatlantic data flow known as Safe Harbor.

Ireland continues to take a more corporate-friendly approach to regulation than many of its EU counterparts, openly favoring negotiation over sanctions and lists of questions over on-site inspections.

For example, as of last October, the Data Protection Commission had yet to dispatch any regulatory agents to Facebook’s Dublin headquarters, despite its multiple investigations, according to a person close to the matter who spoke under the condition of anonymity. Rather than seek answers more aggressively, the regulator has been satisfied by “updates” from Facebook’s headquarters that often reveal little more than what’s been said in public statements. Both Facebook and the DPC declined to say whether any on-site visits had taken place since 2011.

Around the same time, France posted its own regulatory officers inside Facebook’s offices to monitor the network’s efforts to police hate speech and terrorist content, a core concern in many countries where terrorists have connected via social media and hate speech encouraged racist or sectarian violence. But France has no authority to enforce standards beyond its borders.

Privacy watchdogs also voice concerns about the 2014 appointment of Dixon, an Irish civil servant with no prior experience in regulatory enforcement, to replace Billy Hawkes, the regulator who initially presided over the finding of Facebook’s over-sharing of data with researchers and developers of third-party apps.

If Ireland were serious about cracking down on privacy violations, some legal professionals said, it would have followed the lead of the United Kingdom and appointed an outside specialist with a history in law enforcement or regulatory investigation. Moreover, they said, Dixon’s budget is overseen by the Irish Justice Ministry, while other data regulators, like the U.K.’s, are financed through fees on the companies they oversee. That could make her, or any future chief regulator, more susceptible to interference by government officials, who have long cultivated close relationships with tech executives.

In 2014, Facebook’s chief operating officer, Sheryl Sandberg, personally lobbied Enda Kenny, then Ireland’s prime minister, over the selection of a data protection chief, according to emails revealed by the Irish Independent.

Now, just as some of its investigations should be wrapping up — with Dixon telling Bloomberg News in January that her office would announce decisions by midyear — the Data Protection Commission is launching an “international consultation on regulation strategy” that some critics fear will be an invitation for corporations to critique its practices.

Doyle said the agency will reach out to a broad range of as yet unnamed parties to weigh in on how Ireland should apply regulation. Doyle declined to say whether those consultants would come from the tech industry, only specifying that the panel would be “international.”

The call for advice is symptomatic of what Dixon’s critics among privacy advocates, lawyers and other EU data protection authorities argue is a preference for resolving issues amicably over public enforcement actions, which Dixon, in speeches, has suggested might expose the regulator to extremely costly legal battles. It’s a reasonable fear in a place where the tech companies’ resources far outstrip the government’s. Google’s market capitalization, by itself, is twice the size of Ireland’s gross domestic product. Facebook’s is larger by about a third.

“Regulation is a particularly fraught area for a country like Ireland because they have less leverage [over companies] than a bigger country,” said Josephine Wolff, a professor of public policy at the Rochester Institute of Technology. “If Facebook announced tomorrow, ‘We’ve had it with Ireland, we are closing down our office,’ that would be a huge deal with political and economic consequences for the whole country.”

Bringing Silicon Valley to Europe

The story of how a country known for poetry and dark ale ended up in the unlikely role of global tech policeman stretches back to the aftermath of World War II.

As a neutral power, Ireland had emerged physically undamaged from the war but with a sputtering economy and bleak prospects. It had limited access to U.S. reconstruction funds from the European Recovery Program, or Marshall Plan, due to its neutral position, and no industrial base to speak of, thanks largely to Britain’s long-held interest in keeping Roman Catholic southern Ireland in a firmly agrarian state. (Ireland won independence from Britain in 1922.) There was little chance of jump-starting domestic manufacturing 250 years after the rest of Europe, so Irish leaders turned to the next best thing: nurturing ties with countries that had flourishing industries of their own.

Spurred on by an economist and central banker named Thomas Kenneth Whitaker, Ireland’s leaders oversaw an economic transformation starting in the late 1950s — away from protectionism, toward free trade and encouraging foreign investment. The most obvious partner was the United States, to which generations of Irish people had emigrated and whose Irish-origin population already far surpassed the population at home.

So began Ireland’s epic and enduring courtship of U.S. corporations. Via the Industrial Development Authority, now IDA Ireland, a powerful entity that acts as a sales office for the country, the Emerald Isle established missions across the United States, dispatching dozens of agents to start preaching the good word about Ireland to U.S. companies from New York to San Francisco.

One of these investment missionaries was Larry Mone, a former accountant who joined the IDA in the late 1970s because he was, in his own words, “really bad at” accounting.

After a brief stint in Chicago, Mone was sent out to join the IDA’s office in what was already known as Silicon Valley. In an office that overlooked a golf course, Mone and his colleagues spent their days trying to coax emerging digital giants — Microsoft chief among them — over to Ireland. Working from an alphabetical list of the important companies in the region, they spent their days cold-calling executives in an atmosphere he describes as “boiler room-like.”

“We had an almost messianic zeal to bring jobs to Ireland,” Mone, who’s now retired and lives in Palo Alto, said in a telephone conversation.

Mone’s section of the list covered companies with names from the letter G to the letter O and included giants like Microsoft and Intel, which would both go on to establish major footholds in Ireland. Apple set up its first manufacturing plant in Cork in 1980, setting off a wave of tech companies coming to the country.

The pitch, as Mone recalled, was “very simple.” Any product exported from Ireland would be totally exempt from taxation. That was later updated, under EU pressure, to a 10-percent flat rate that could be offset in other ways. When added to the promise of cheap labor, cheap land and an English-speaking workforce, this amounted to an almost unbeatable argument for locating sales operations in Ireland, because it would allow U.S. firms to reach hundreds of millions of European consumers without facing the heavy corporate taxes in France, Germany or even the Netherlands.

The IDA’s approach had other refinements, like inviting top tech executives over to Ireland for country tours during which they would be entertained, fed whiskey and “sent home punch-drunk, in love with the country,” according to Mone. It didn’t hurt that Ireland shares a common-law legal system with the United States.

But the basic argument — which remains Ireland’s unique selling point today, despite intensifying scrutiny of its tax practices by the European Commission — never varied: not having to hand over a significant portion of income to the Irish taxman.

“At the end of the day, these are profit-driven companies, and they go where the offer is the most profitable,” Mone said.

Data regulation wasn’t an issue at the time when most of the companies were recruited, but Ireland did everything in its power to create an industry-friendly landscape.

“Back in those days there really was not much thought given to regulation of the technology industry, more what could be done to foster its development and bring it on shore,” he said.

The pitch was so seductive that, over the next 30 years, Ireland morphed into what Mone calls “the 51st state of the United States.”

Google and Facebook both landed in Ireland during the first decade of the new century. While the highly advantageous tax arrangements they enjoyed came under pressure from the European Commission (Apple was forced to pay the Irish government $13 billion in back taxes that Ireland had neglected to collect), regulation was just starting to become a concern.

Ireland’s 1995 Data Protection Act lacked significant enforcement mechanisms — so much so that Billy Hawkes, then the head of the Irish Data Protection Commission, had no legal power to apply any sanctions or penalties against the companies he was regulating in the years leading up to the Cambridge Analytica scandal. His successor, Dixon, herself acknowledged the lax culture in 2015, one year into her job, mentioning the problem of “forum-shopping” and perceptions that companies locate where “soft, incompetent or under-resourced regulators are.”

In the event that any regulatory issue should arise, as it did in the 2011 audit involving Facebook’s sharing of data with app developers, U.S. companies had a powerful insurance policy: access to top Irish politicians via direct contacts or through the American Chamber of Commerce Ireland in Dublin, which continues to play an outsize role in shaping the direction of Irish policy. Top tech executives had Hawkes’ cellphone number and could access him directly whenever they had a need, according to two people with knowledge of such calls.

This welcoming atmosphere explains why Facebook, in particular, kept doubling down on its Irish presence throughout the 2000s, according to Sandy Parakilas, former operations manager for Facebook who left the company in 2012.

“It was simply the country with the least regulatory scrutiny,” he explained in a phone conversation from Los Angeles, where he is now senior product marketing manager, privacy, for Apple.

That statement was put to the test during Ireland’s 2011 audit of the company. Prompted by a groundswell of complaints against Facebook, Hawkes’ deputy, Gary Davis, undertook what is likely to have been the most in-depth review of Facebook’s privacy practices ever. In his capacity as lead regulator not just for Europeans but Facebook users worldwide, Davis’ staff spent three months scouring the company’s machinery, including sending officers to its Dublin headquarters to investigate first hand.

His first report, published in December 2011, called for dozens of changes and upgrades to Facebook’s privacy practices, including its practices for screening third-party apps.

“We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data,” the report stated. “This is not considered sufficient by this Office to assure users of the security of their data once they have third party apps enabled. We expect FB-I [Facebook Ireland] to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission.”

Parakilas, who was Facebook’s “point person” on privacy matters at the time, said the criticism did not rile the company. Facebook responded to the audit in a “professional manner” but did not feel pressure to make fundamental changes, he said. When Parakilas tried to escalate concerns about the key critical findings in the original audit report, he was brushed off by senior executives.

At the time, Facebook expressed its concern about the audit to Irish officials, according to later testimony by Dixon before a government committee. Afterward, the Data Protection Commission appeared to go out of its way to give Facebook a clean bill of health.

In a 74-page follow-up report published in 2012, the commission declared that “most of the recommendations [had] been fully implemented to our full satisfaction.” On its call to improve screening of third-party apps, where major problems later emerged, the report stated: “Satisfactory response from FB-I.” A year later, Davis left the commission to join Apple as its chief privacy officer.

“They didn’t go anywhere near as far as you would have hoped,” Parakilas said, referring to the Irish commission. Parakilas, who left Facebook in 2012, added that he doubts Ireland’s approach to regulation has changed substantially.

“Facebook is certainly the one that has the leverage in that relationship,” he said.

Asked whether Ireland had done enough to stop the Cambridge Analytica scandal, Doyle said the commission had gone as far as it could, within its legal limitations, in simply flagging the problem with app developers and seeking changes to Facebook’s privacy practices. He pointed to comments Davis had made outside the report saying there were “still a number of items on which progress has not been as ‘fully forward’ as hoped,” although the issues flagged did not have to do with third-party apps. In 2017, Helen Dixon told the Irish parliamentary committee that Facebook “did not agree with the recommendation” for significant changes to its privacy rules in 2011, and that the changes were made only through an “iterative process” 18 months later.

Facebook disputes that account.

In comments to POLITICO, a spokesperson said that the company had “complied fully” with all requested changes, and claimed that the Irish regulator had never requested any changes that would have prevented the Cambridge Analytica scandal.

Hawkes, who at the time was the top Irish regulator, declined to comment on the matter, according to a spokeswoman at the International Association of Privacy Professionals, a nonprofit association that brings together people working on data protection. Gary Davis did not respond to repeated requests for comment, and a spokesperson for Apple, where Davis now works, did not respond.

Facebook flexes its muscles

The years that followed Davis’ audit brought Facebook’s relationship with Ireland to new levels of closeness.

In 2013, the commission dismissed Schrems’ claim against the company over data transfers to the United States, calling the suit frivolous. The company then won an award of funds from Ireland’s national asset management agency — the so-called “bad bank” that took over assets from troubled lenders during the financial crisis — to build its Frank Gehry-designed headquarters in Dublin.

When the Cambridge Analytica scandal broke in 2018, the U.K. launched an investigation and fined the company, while Ireland merely issued recommendations. A few months after Facebook CEO Mark Zuckerberg appeared before the U.S. Congress and European Parliament to answer questions from lawmakers, the company announced the construction of a new 14-acre campus in Dublin and the opening of several new data centers in County Meath, north of Dublin.

As far back as 2014, the question of how Ireland would handle the new privacy rules under the GDPR was on the minds of Facebook’s leaders. As it happened, Ireland was in the process of choosing a new chief data regulator to replace Hawkes. Sandberg took it upon herself to investigate the matter, lobbying then Irish Prime Minister Kenny on the sidelines of the World Economic Forum in Davos and also at her offices in Menlo Park, Calif.

According to emails obtained by the Irish Independent via Freedom of Information requests, Sandberg wanted to know that Hawkes’ successor would be “as strong as” he had been in the role. But if the wrong choice was made, Sandberg suggested, there would be consequences for Ireland’s attractiveness as a destination for tech investment.

“The risk is that companies will revisit their investment strategies for the EU market,” she wrote in a June, 2014, email to Kenny, adding that Ireland’s regulator should be a person who would “establish a strong collaborative working relationship with companies like ours.”

The choice of Dixon, a former Irish civil servant with a law degree but no background in law enforcement or regulatory investigation, was in line with Sandberg’s wishes. Before she became one of the most important privacy regulators in the world, Dixon had spent four years working for U.S. software company Citrix, followed by a stint at the business-friendly Irish Department of Enterprise, Trade and Innovation.

While the regulator’s statutes called for the appointment of three co-equal directors in order to properly separate the agency’s enforcement and adjudication roles, the other two were never named.

TJ McIntyre, a law professor at University College Dublin whose organization Digital Rights Ireland sued the government over the process under which Dixon was chosen, complained that she’s “not coming from that investigatory and enforcement perspective.”

Instead, he said, Dixon was chosen to supervise the DPC’s development into a more substantial regulator than the one housed above a convenience store in Portarlington, building a bureaucratic structure rather than targeting specific issues.

In speeches and interviews, Dixon has emphasized the need to engage with tech companies to help them understand the law, rather than cultivate adversarial relationships.

“We are very committed to this approach of engaging with the multinationals,” she told the Irish Times in 2016. “We do firmly believe the way in which we work with them produces much better safeguards for data subjects.”

That approach yields good results in terms of compliance, said Bojana Bellamy, who runs the Centre for Information Policy Leadership, an industry-backed privacy think tank whose members include Facebook and Apple.

“I do believe that constructive engagement is incredibly important to build that trust,” she said. “Sticks and enforcement — that doesn’t create the best behavior in the marketplace.”

Ireland’s more conciliatory approach is now fueling tension with other EU regulators. After France’s data watchdog fined Google €50 million in January for failing to comply with GDPR, Germany’s prominent Hamburg data regulator told the regulatory-analysis publication MLex that Ireland should be investigating the company. In a separate statement to POLITICO, the German watchdog underscored “differences” in the way Irish and German authorities interpreted and enforced EU rules, singling out “face recognition techniques by Facebook” and the “exchange of data between WhatsApp and Facebook.”

“Unfortunately, it has not yet been possible to set up the data protection we have enforced in national court proceedings against Facebook at the EU level,” wrote professor Johannes Caspar, head of the Hamburg regulator. “After the transmission of user data between WhatsApp and Facebook was stopped, they [Facebook] took the entry into force of the GDPR as an opportunity to return to their former practice.”

Zuckerberg’s announcement of plans to merge WhatsApp, Facebook Messenger and Instagram messaging were also “reason for concern,” added Caspar, echoing the German Justice Ministry’s warning that such a merger would create a “monopoly” and call for enforcement of European antitrust rules.

While the Irish regulator said it would examine the implications of such a merger, France echoed the German concerns.

“In general, in relation to Facebook, you have a pattern where other regulatory authorities have been much more active and found themselves thwarted by the fact that Facebook was headquartered in Ireland,” said McIntyre, adding that “enforcement has been lax.”

Jimmy Stewart, an adjunct professor of finance at Trinity Business School at Trinity College Dublin, said less rigorous regulation is part of Ireland’s strategy.

Google, Facebook, Twitter and other companies like them make their money by harvesting vast amounts of data on users that is used to target them more precisely with advertising. Thanks to the data collected on Facebook, an advertiser can pinpoint categories of users down to hyper-minute criteria including their age, sexual orientation, health issues or political beliefs. This technology has allowed tech platforms to corner the global market for online advertising, turning them into juggernauts worth hundreds of billions of dollars.

But those dollars could disappear if regulators interfere with the tech giants’ ability to collect and hold that information.

“Regulatory arbitrage is an important part of the country’s arsenal” to attract tech companies “along with tax incentives,” Stewart said.

Feuding over facial recognition

Ireland’s handling of new technologies such as Facebook’s facial recognition tool will go a long way toward determining how seriously it intends to scrutinize tech companies.

Last spring, just as the GDPR was about to take effect, Facebook prepared to reintroduce its banned facial recognition tool, this time promising to ask users if they wanted the tool switched on, so that the platform could match their names to photographs of them posted by friends online. But when senior executives, including Chief Data Protection Officer Stephen Deadman, disclosed the plans to a small group of privacy specialists and journalists in Dublin, the meeting did not go exactly as planned, according to multiple participants who asked not to be named out of respect for the meeting’s private nature.

The journalists and privacy watchdogs peppered the executives with questions about whether the tool violated GDPR principles, suggesting that Facebook may be unlawfully “processing” biometric data on users even if they chose to opt out of the tool, because the data was being gathered and stored anyway — a process that would go against GDPR rules.

“They are analyzing every photograph, even those where they don’t have permission, and their argument is this is not processing biometric data because they don’t take the final step of identifying the person,” said Dublin-based privacy lawyer Simon McGarr. “From a privacy standpoint, this is cloud cuckoo land.”

After a brief exchange, Facebook executives ended the meeting stating that they needed to catch planes, the participants said.

Facebook representatives told POLITICO last year that the meeting had gone as planned. They also said they had discussed the facial recognition tool with the Irish Data Protection Commission and not been informed of any concerns. Yet Doyle contradicted that account, saying that while no initiative was taken to halt the rollout, an “examination” — as distinct from a statutory investigation — was launched.

“It is standard practice to conduct an examination on this basis to determine whether a statutory investigation is warranted,” Doyle said in his email. “In the case of FB’s facial recognition facility, that determination has not yet been made.”

In the following months, Facebook was rocked by a series of scandals, data breaches and PR disasters that included Zuckerberg being grilled by lawmakers on both sides of the Atlantic, and The New York Times revealing the firm had hired a public relations firm to attack critics, including by such dubious tactics as linking them to Hungarian-born investor George Soros.

Yet in Ireland, the going was relatively quiet. In early October, the commission announced the launch of its first official investigation of Facebook, over a data breach that compromised the private messages and data of an estimated 50 million users. The commission has since disclosed it is carrying a total of seven investigations into Facebook, which Dixon told Bloomberg were all “substantially advanced,” and should lead to the first decisions being taken in “June or July.”

However, as of late October, it had yet to send any officers to visit Facebook’s Irish headquarters and was receiving its information mainly via “updates” from the company, which often coincided with its disclosures to the public, a person close to the matter said. Asked whether any visits had taken place, both Facebook and the commission said such visits had taken place “in the past” but did not specify whether any had taken place in the past year. The last publicly disclosed site visits took place in 2011, under Billy Hawkes.

“We visit companies being audited or investigated when we need to, and regular meetings often take place in the normal course of our supervised engagement with companies at their premises,” Doyle said. “Such visits have taken place to Facebook Ireland’s offices in the past but we won’t be disclosing any details on these for operational reasons.”

For Daragh O’Brien, whose Castlebridge consultancy routinely carries out privacy audits on companies, not sending an officer to Facebook is the equivalent of “police investigating a crime from the doughnut shop.”

“You miss the opportunity for someone to grab you and tell you something they can’t do in writing … It happens all the time, especially in the context of complex investigations,” he said.

Asked whether it intends to launch any probes into data-sharing by the various networks controlled by Google, the commission said that it gained jurisdiction over the search giant only on Jan. 22 and still is not the lead supervisory authority for Google’s search engine and indexing service.

But Caspar, the German regulatory chief, said that Ireland had a responsibility to investigate any privacy complaint lodged in the European Union. (Google is appealing the French fine. In previous comments to POLITICO, a spokesperson for Google said the company had been under no legal obligation in 2018 to finalize the steps for its “main establishment” in the European Union.)

As for the scandals that rocked Facebook over the past year, Doyle pointed to the commission’s limited mandate as a regulator of data security as a reason to defer action or public communications. The spread of hate speech and the use of micro-targeting for online political advertising — both of which have been identified as major areas of concern by the European Commission — are outside its purview as a data regulator, Doyle said.

Yet such an interpretation of the regulator’s role and responsibility does not sit well with privacy professionals. In addition to being responsible for compliance with data protection statutes, Dixon and her staff have an “ethical duty” to lead debates on where and how regulation should be applied in response to emerging issues, O’Brien said.

“It’s not just about the letter of the law, but also anticipating where problems may be coming from,” he said, adding that the next big problems would crop up if and when facial recognition technology is combined with targeted ads to beam commercial messages at people in public spaces. “The sort of scandals and breaches we’ve seen over the past few years are just a prelude to what may be coming as 5G [next generation] networks come online.”

I’m continuing to report on data privacy issues with Big Tech. If you have a tip for me, you can reach me at nvinocur@politico.eu.

CORRECTION: An earlier version of this story stated the wrong year for Irish independence from Britain. The correct year is 1922.

Nine universities team up to create global infrastructure for digital academic credentials – MIT News

While digital technology has started to transform education by enabling new learning pathways that are customized to each individual’s needs, the way that educational institutions issue and manage academic credentials has not changed much. Nine leading universities announced that they have formed the Digital Credentials collaboration in order to create a trusted, distributed, and shared infrastructure standard for issuing, storing, displaying, and verifying academic credentials.

“Currently, those who successfully complete a degree from an institution must go back to that institution — sometimes by mail or even in person — each time there is a need to verify the academic credentials earned,” says Sanjay Sarma, MIT vice president for open learning. “This can be a complicated problem, especially if the learner no longer has access to the university. Such is the case with many refugees, immigrants, and displaced populations.”

The universities working on this effort include Delft University of Technology in the Netherlands; Harvard University Division of Continuing Education; Hasso Plattner Institute at the University of Potsdam in Germany; MIT; Tecnologico de Monterrey in Mexico; Technical University of Munich in Germany; University of California at Berkeley; University of California at Irvine; and the University of Toronto in Canada.

“As teaching and learning offered by our universities has come to encompass digital platforms, and as each of our learners have gained the power to shape their own educational trajectory over a lifetime, the question of trusted verification and authentication of learning and credentials poses itself with broad urgency,” says Diana Wu, dean of university extension and new academic ventures at UC Berkeley.

Using technology that relies on strong cryptography to prevent tampering and fraud, and shared ledgers to create a global infrastructure for anchoring academic achievements, the researchers plan to build upon earlier research and pioneering efforts by their institutions — including MIT’s pilot program for issuing all of its graduates a digital version of their diploma that is verified against a blockchain.

One of the driving forces behind this shared effort is the interest by universities to utilize the advances brought by these new technologies in a way that prioritizes the needs of learners. Digital credentials allow learners to maintain a compelling and verifiable digital record of their lifelong learning achievements that may include badges, internships, bootcamps, certificates, MicroMasters (graduate-level courses), and stackable combinations thereof, as well as traditional degrees — all of which they can easily share with employers or other institutions. Institutions can record and manage the achievements of their learners in a way that is easy, safe, and inexpensive, and minimizes the risk of identity fraud.
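The anchoring scheme sketched above (a cryptographic hash of each credential, batched into a single fingerprint that is written to a shared ledger, with the holder keeping a proof) can be shown end to end in a few dozen lines. The block below is an added illustration, not code from MIT, the Digital Credentials collaboration or any of the named universities. It assumes SHA-256 hashing, a Merkle tree for batching, and a ledger simulated as an in-memory dictionary; the credential contents, the `LEDGER` dictionary and every function name are constructed for the example, and the issuer's signature over the anchored root (which proves who issued the batch) is left out as a separate concern.

```python
import hashlib
import hmac
import json

# Simulated shared ledger (constructed for this example): maps an anchor id
# to the Merkle root an issuer published. A real deployment would write the
# root to a blockchain transaction instead.
LEDGER: dict[str, bytes] = {}


def canonical_hash(credential: dict) -> bytes:
    """Hash a credential over its canonical JSON form, so the same claims
    always give the same leaf regardless of key order or whitespace."""
    data = json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).digest()


def _pair_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()


def build_merkle_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """Return the tree as levels, leaves first and root last.
    An odd node at any level is paired with a copy of itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur = cur + [cur[-1]]
        levels.append([_pair_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_proof(levels: list[list[bytes]], index: int) -> list[tuple[str, bytes]]:
    """Sibling path from leaf `index` up to the root: (side, sibling_hash)."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        side = "right" if index % 2 == 0 else "left"
        proof.append((side, level[index ^ 1]))
        index //= 2
    return proof


def issue_batch(credentials: list[dict]) -> tuple[str, list[list[tuple[str, bytes]]]]:
    """Issuer side: hash every credential, anchor one root on the ledger and
    hand each holder their own proof. Only the root is published, so the
    ledger reveals nothing about individual learners."""
    levels = build_merkle_tree([canonical_hash(c) for c in credentials])
    root = levels[-1][0]
    anchor_id = hashlib.sha256(b"anchor:" + root).hexdigest()  # stand-in for a tx id
    LEDGER[anchor_id] = root
    return anchor_id, [merkle_proof(levels, i) for i in range(len(credentials))]


def verify_credential(credential: dict, proof: list[tuple[str, bytes]], anchor_id: str) -> bool:
    """Verifier side (an employer, another university): recompute the leaf,
    walk the proof and compare with the root anchored on the ledger.
    Any change to any field of the credential changes the leaf and fails."""
    anchored_root = LEDGER.get(anchor_id)
    if anchored_root is None:
        return False
    h = canonical_hash(credential)
    for side, sibling in proof:
        h = _pair_hash(h, sibling) if side == "right" else _pair_hash(sibling, h)
    return hmac.compare_digest(h, anchored_root)


# Constructed sample credentials for a demonstration batch.
SAMPLE_CREDENTIALS = [
    {"issuer": "Example University", "holder": "A. Learner", "award": "MicroMasters", "year": 2019},
    {"issuer": "Example University", "holder": "B. Learner", "award": "B.Sc.", "year": 2019},
    {"issuer": "Example University", "holder": "C. Learner", "award": "Certificate", "year": 2019},
]


def demo() -> tuple[bool, bool]:
    """Returns (genuine credential verifies, altered credential verifies)."""
    anchor_id, proofs = issue_batch(SAMPLE_CREDENTIALS)
    genuine = verify_credential(SAMPLE_CREDENTIALS[2], proofs[2], anchor_id)
    tampered = dict(SAMPLE_CREDENTIALS[2], award="Ph.D.")  # holder edits their record
    forged = verify_credential(tampered, proofs[2], anchor_id)
    return genuine, forged


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The point a practitioner should take from this is the split of roles: the issuer publishes one root per batch, the holder carries the credential plus a short proof, and a verifier needs only the ledger entry, never a call back to the university. What the block does not cover is proving that the root was anchored by the real issuer, which is where the issuer's signing key and a trusted registry of issuer keys come in.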

“We are well-positioned in academia to use cutting-edge technology to empower learners to advance their careers and education with credentials in the palms of their hands,” says Hans Pongratz, senior vice president for information technology systems and services at Technical University of Munich.

The team has now set their sights on the evolution and governance of a shared standard. “Digital credentials are like tokens of social and human capital and hold tremendous value for the individual. The crucial opportunity we have today is to bring together institutions that share a commitment to the benefit of learners, and who can act as stewards of this infrastructure,” says Philipp Schmidt, director of learning innovation at the MIT Media Lab.

“Our shared vision is one where academic achievements, and the corresponding credentials that verify them, can open up new pathways for individuals to become who they want to be in the future,” says José Escamilla, director of TecLabs Learning Reimagined at Tecnologico de Monterrey.

To learn more about this project, visit digitalcredentials.mit.edu.

Innovation and digitization to drive aftermarket in India – SME Futures

India is the fifth largest automobile market in the world, and the less-often-noticed auto component sector, also known as the automotive aftermarket, plays an important part in its growth and turnover at large. In recent years, a rapidly growing middle class and increased purchasing power have been driving vehicle sales, creating immense opportunities for manufacturers and supply chains to build an effective aftermarket sector in the country. Seeing such positive sentiment, auto OEMs are also foraying into aftermarket segments. After entering the two-wheeler aftermarket segment in 2017, Rico Auto forayed into the four-wheeler aftermarket segment last year. The company did so with 28 products and is targeting revenue of ₹ 100 crores from the sector by 2020.

According to reports, it is anticipated that by 2025 the Indian automotive aftermarket will become the third largest market in the world. As per the report titled “Transformation Shifts in Mobility and Impact on Aftermarket in India” by the Confederation of Indian Industry (CII), the domestic automotive aftermarket has grown at a compounded annual growth rate (CAGR) of 14 per cent in the last five years. It is expected to touch ₹ 75,000 crores by 2020. The report also states that the country’s car market has the potential to grow to over six million units annually by 2020, up from 3.7 million in 2016. Data collected by the Automotive Component Manufacturers Association of India (ACMA) also shows that, of the total Indian aftermarket, the two- and three-wheeler segments account for around ₹ 12,038 crores, while the passenger car segment accounts for around ₹ 18,970 crores, commercial vehicles for around ₹ 19,748 crores and tractors for ₹ 5,342 crores.

What is Aftermarket?

For those who are not familiar with the term “automotive aftermarket”, it is a secondary market that encompasses all parts and services purchased for vehicles, light or heavy, after the original sale. It includes replacement parts, accessories, service and repairs, lubricants, appearance products and so on. “When parts supplied by an original equipment manufacturer (OEM) get damaged or worn out, the replaced parts built or manufactured come under the aftermarket category”, said Fahad Hazari, Product Lead at Uno Minda Distribution and Services, when asked what the automotive aftermarket exactly is, while visiting the 4th edition of the ACMA Automechanika Show.

More specifically, the parts that fall into the aftermarket segment include, by product type: braking (brake pads, hydraulics and hardware, and rotors and drums); steering and suspension (ball joints, tie rods, sway bar links, bushings, bearings/seals and coil springs); hub assemblies (wheel ends); universal joints (drive lines); gaskets; wipers; filters (air, oil and cabin air); lighting; and spark plugs.

The auto component industry, which had an annual turnover of US$ 51.2 billion in 2017-18, is expected to cross US$ 200 billion by 2026. While exports have grown at a CAGR of 11.42 per cent to US$ 13.5 billion, auto components production has seen an increase of 12-14 per cent in 2018-19, due to robust growth in the domestic and export markets. Industry experts believe that the future of the automotive secondary market looks bright amidst all the transformations that the sector is undergoing. Ashish Bhat, Executive Vice President and Head, Digital Factory, Siemens India, shares, “The automotive component industry in India is making significant progress in the adoption of Industry 4.0, and there is great potential to take this sector a step ahead. With digitalisation, manufacturing enterprises, especially the SMEs, can enhance their efficiency to fight scale, reduce cost of production, minimise manufacturing defects and shorten production time. With this, they can not only meet international quality standards but also strengthen their position as competent suppliers for the global market”.

The Evolution of Aftermarket

The Indian auto parts sector contributes 2.3 per cent to the Gross Domestic Product (GDP) and employs as many as 1.5 million people directly and indirectly, with SMEs making up a big chunk of the sector. The organised segment consists mainly of OEMs that manufacture high-precision machinery and parts, while the bulk of the sector is unorganised, that is, MSMEs that produce lower-quality products.

Initially, the aftermarket was small in size. In the 1970s, the industry got its start with the operations of Maruti Udyog Ltd., and in the 1980s many new manufacturers emerged in the sector. Three main automotive aftermarket clusters have flourished in the past few decades, in the west, south and north of the country: Mumbai, Pune, Nasik and Aurangabad in the west; Chennai, Bengaluru and Hosur in the south; and New Delhi, Gurugram and Faridabad in the north.

According to CII’s report, the states of Tamil Nadu, Andhra Pradesh, Karnataka and Kerala contribute more than 75 per cent of the total aftermarket potential. Here, sales of auto components driven by increased vehicle ownership (new and used vehicles) in semi-urban and rural markets are fuelling demand. The report also revealed that the number of vehicles is expected to grow by six to seven per cent this year. This offers a substantial opportunity for independent aftermarket service providers, both existing and new entrants, to grow.

As of now, no specific data has been found for the total number of aftermarket companies operating in India, but according to the journal article “Indian Auto Component Industry: Challenges Ahead” by Sachin Borgave and JS Chaudhari, the sector has more than 420 players in the organised segment and more than 10,000 players in the unorganised segment. SMEs are largely based out of tier 2 and tier 3 cities. Around 390 auto component manufacturers have ISO 9000 certification, while 223 companies have QS-9000.

Thrust to Success

In 2017-18, the total value of India’s automotive exports stood at US$ 13.5 billion, up from US$ 10.9 billion in 2016-17. The growth is being driven by the expanding domestic market and the increasing globalisation (including exports) of several Indian suppliers. In the past few years, this sector has gained momentum in investments. As per the Department of Industrial Policy and Promotion (DIPP), foreign direct investment (FDI) inflow in the period April 2000 to June 2018 was US$ 19.29 billion. In recent developments, giants like Schaeffler India, German automotive major Continental, Elgi Equipments and IMI Precision Engineering have all decided to invest in the country.

The budget, too, has given much-needed attention to the MSME sector by extending incentives. An industry expert opines that increasing the zero-tax income limit to ₹ 500,000 will be a shot in the arm for the middle class, thus boosting market sentiment. “These measures will lead to improved sales of automotive products, especially two-wheelers, farm equipment and entry-level passenger vehicles, which, in turn, will fuel the growth of the domestic auto component industry”, says Ram Venkataramani, President of the Automotive Component Manufacturers Association of India (ACMA).

G.S. Luthra

Digitisation of manufacturing operations and investments in technologies such as PLM and simulation are set to be crucial differentiators in making companies globally competitive and in catering to the emerging needs of next-generation automobiles in the wake of the e-vehicle revolution and the “connected mobility” megatrend.

One crucial step for the segment is technology and innovation. Raj Manek, Executive Director and Board Member of Messe Frankfurt Asia Holding Ltd, opines, “The automotive market is witnessing rapid technological transformations. In tune, regulatory changes in India are also redefining the domestic aftermarket”. Indeed, technology and innovation in the component sector are playing a vital role in its growth. Today, most companies are looking at tech innovations and product development, which hold the key to tapping the biggest growth opportunities in the future.

One such SME is Turbo Tech Engineers, based out of New Delhi, which manufactures and supplies precision-engineered replacement turbocharger components, turbo repair kits and complete VSR-balanced CHRA/core assemblies to the turbo repair sector. Gurinder Singh, its owner, says that today, thanks to precision engineering, his company is the only manufacturer after the OEMs in the turbo aftermarket segment. “Our factory is the only one after OEMs who are into manufacturing turbochargers and its parts for diesel engines. With the help of precision engineering, our team of technical engineers has changed the designs and technicalities of the products, giving them better and prolonged life”. According to Singh, manufacturing is a task that needs precision and perfection with a blend of modern tech, and thus only a few players have ventured into this sector. With more innovation, the company has recently forayed into manufacturing turbochargers for petrol and Euro 6 engines, and anticipates double-digit growth in its business.

E-commerce has also given a significant boost to the automotive aftermarket. Simply searching for the term ‘auto parts online’ on the Internet opens up a range of e-tailing platforms where auto parts are sold by suppliers and manufacturers to B2C and B2B customers. Most of the registered sellers on these trading websites are medium and small players, who can gain a regional presence through such portals, whether marketplaces or third-party e-tailers. According to a global report on the e-commerce automotive aftermarket by Transparency Market Research, the Asia-Pacific region is expected to dominate the global e-commerce automotive aftermarket by 2025. The Indian government’s Digital India initiative and collaboration between brick-and-mortar stores and e-commerce platform providers are boosting industry demand globally, while easy availability coupled with cost-saving prices is spurring e-commerce activity. Do-it-yourself is also becoming quite prominent.

Challenges

India’s aftermarket in the past was focused on cost, but now the sector is focusing on quality of the products and services. However, the sector is complex in many ways and needs to work around the following roadblocks:

  1. Unorganised and fragmented operations in the aftermarket make it highly inefficient and, in many cases, unreliable. This leads to higher costs or greater dissatisfaction among consumers.
  2. Missing data and information for training and for the actual repair and maintenance of vehicles.
  3. Substandard parts and services impact safety standards and vehicle fitness, which contributes to road fatalities.
  4. Poor return on investment (RoI) from its trade channels due to inefficient inventory and supply chain practices. The unorganised market only adds further to this weakness of the industry.

During the Automechanika show, various stakeholders expressed their views on the challenges they are facing in the sector. G.S. Luthra, an export house owner dealing in wheel assembly parts, believes that India can be ahead of countries like China, but lacks a good policy and incentive infrastructure. He explains, “In my opinion, we can be ahead of China, but we lack incentive schemes and government facilities like they do. However, we do export to China but it is still low”.

According to a media report, the trade gap is quite wide in the automotive sector. In April-February 2018, China exported auto parts worth US$ 3.95 billion to India, while India exported auto parts worth US$ 295 billion. On this issue, industry sources believe that imports gained momentum because the Rupee was depreciating against the Dollar. Also, local manufacturers were not able to meet the new regulatory norms regarding emissions and safety established in the past few years. The same pattern can be seen in imports of Chinese tyres, which have gradually increased over the past five years: in 2013-14 they were worth ₹ 582.86 crores, while in 2017-18 they were worth ₹ 1,256.85 crores.

Counterfeit, Standardisation and Road safety

According to data provided by the government, 1.47 lakh people died in road accidents in 2017. In the same year, however, there was a slight decrease (of 3.27 per cent) in road accidents, with 4,64,910 road accidents as compared to 4,80,652 in 2016. Having said that, the lack of mandatory standards, the unchecked production and import of counterfeit parts, and vehicle and road safety are other serious concerns for the sector. Hence, the industry is now demanding quality standards for auto parts coming into India, especially from China, as the use of spurious or counterfeit parts is seen especially in the unorganised sector.

According to research, counterfeit components account for 45 per cent of the passenger car aftermarket. However, to minimise the usage of spurious auto parts, ACMA has been working closely with the Road and Highway Ministry to set standards for aftermarket products. The association claims that the penetration of counterfeit products has been reduced from 36 per cent (2010-11) to five per cent (2016-17), which is a great achievement.

ACMA is driving campaigns such as “ACMA Safer Drives” with the aim of sensitising stakeholders to the menace of counterfeit and substandard components causing road accidents. It provides awareness and education about the use of genuine parts to prevent road accidents through exhibitions like Auto Expo, ACMA Automechanika, regional auto shows and road shows, with social media as the primary means of communication.

A member of ACMA informs us that ACMA has realised the need for an industry-accepted standard system for parts catalogue that the aftermarket trading partners could use. He says, “This system would enable data consistency at all levels in the demand chain and make the system more transparent and efficient. In this regard, ACMA has supported tech alliance to build the India Parts Catalogue with the data provided by its members. This catalogue will be released during ACMA’s Annual Session, later this year”.

Ramashankar Pandey

On the standardisation front, ACMA has been brainstorming for the past two years. Under the supervision of Ramashankar Pandey, Managing Director of Hella India, an aftermarket committee has been formed and a list of at least 25 critical components in the aftermarket segment has been identified for standardisation. “Standardisation will help aftermarket stakeholders to fight against counterfeits and substandard parts and services, and help keep our vehicles fit to drive, safe to drive and avoid accidents due to this cause”, says Pandey.

A minimum standard for the independent aftermarket will help technicians, retailers and distributors to organise themselves and build a progressive digital IT platform and improve customer experience by bringing transparency and providing cost-effective solutions. This will also help consumers make more informed choices between an OEM’s authorised aftermarket and a roadside quick fit workshop on both extremes of service offerings and, hence, will encourage healthy competition to develop the industry further.

Transition Towards Better Powertrains

Right now, the biggest challenge that small and medium businesses face is to adapt themselves according to the changing patterns in the automotive sector, as it is moving towards electric vehicles. In the next few years, Indian roads will see plenty of electric vehicles running around. Experts believe that those into manufacturing engine parts will face maximum heat due to a shift in focus from fuel efficiency and engine management to drive motors and batteries.

Talking about IT and electronics advancing vehicles, Pandey of Hella India says, “The next wave of connected and autonomous features are being adopted. However, servicing them in the aftermarket will be more and more challenging by independent aftermarket players in India, mainly due to missing training to technicians for all the latest models in addition to missing information of parts and repair instructions in the public domain”. He adds that, though it is a challenge for small and medium businesses, many startups and Integrated Access Management (IAM) companies are working to solve this problem through their innovative solutions. On-board diagnostics, preventive service forecasts and online training through VR/AR are a few areas where we will see innovation in this industry.

Is India Ready for BS VI Standards?

Bharat Stage VI is an emission standard intended to bring down the emission levels of automobiles. With its effective implementation, India will come on par with European and US cities and automotive markets. The Indian government aims to implement it by 2020; however, taking the leap from BS IV to BS VI will be a challenge for the auto aftermarket. Europe took nine years to complete implementation of the Euro 6 standards.

A major challenge for OEMs and suppliers is readiness for implementation. Automotive stakeholders have to work together to develop and update electronic control units (ECUs) to meet the 2020 deadline. Unlike Euro 6, implementing BS VI requires OEMs to add to design elements rather than merely adding components. For instance, India has a huge product line (Tata, Mahindra, Maruti) ranging from small passenger cars to trucks and tractors, which vary in design and size. Fitting a Euro 6-compliant diesel particulate filter (DPF) in India will require size changes, which may lead to halts in production and other losses.

Gurinder Singh

Stakeholders have already started working on it, developing the infrastructure and emission control equipment with the help of experts in the field, tweaking ECUs and doing more R&D, but there is still a lot to do. Moreover, ACMA’s study on the aftermarket sector suggests that vehicle prices are bound to go up once BS VI standards are complied with. “The price increase is expected to be in the range of ₹ 5000 – ₹ 6000 for two- and three-wheelers. The increase is expected to be around ₹ 20,000 for a petrol-engined car, and up to ₹ 1,00,000 for a diesel-engined variant. For a commercial vehicle, the cost increase could be as high as ₹ 1,50,000”, the report reveals. In order to supply these upgrades to the market at an affordable premium to the customer, the industry will need to ensure a high degree of localisation, which eventually translates into a growing opportunity for component manufacturers in India.

Small Businesses Rely on Payments

Although GST compliance has made a huge difference in most industry segments by making the system organised, small and medium stakeholders still have to deal with tax and payment problems. The industry opines that there is no proper cash flow system at large: SME owners have to wait for payments from customers at the same time as they are bound to file taxes. Philip Verghese, a member of ACMA and Promoter of Able Spring Manufacturers in Chennai, says, “Often payment gets delayed from the customer’s front, and small manufacturers still have to file excise duties as well as GST every month. In this scenario, they have to pay from their pockets, which makes the business operations cumbersome and then it becomes a game of surviving in such a huge market”.

Auto component makers are demanding that the government reduce GST rates to a flat 18 per cent across all components. This would not only help small and medium business owners but also reduce sales of spurious spare parts. At present, 18 per cent GST is levied on around 70 per cent of auto parts, while the remaining 30 per cent attract 28 per cent GST.

Other than this, price competition and brand establishment among big brands are further challenges in the sector. Pranjal Jeswani, a lubricant dealer and wholesaler from Nagpur, talks about the issue. According to him, the oil and lube sector has many brands, which makes it highly competitive and makes it difficult to establish a mark in new regions or markets. He says, “The price becomes so competitive due to multi brand presence, which affects the revenue shares”.

Conclusion

The size of the aftermarket industry depends largely on the vehicle population currently in the country, which includes not only four-wheelers but also consumer and passenger vehicles, two-wheelers, buses and tractors, and the rate of growth of India’s vehicle population is extremely robust. Since the aftermarket is also about after-sales service and not only about parts, it needs local supply chains, workmanship and customer handling, with a stronghold in the following fields:

  • Collaboration to organise data and information with an open source approach to provide parts and repair information to the industry.
  • Minimum standardisation for both parts and services.
  • Training and online support to technicians.
  • More IT innovations and skill management programmes to fulfill the needs of skilled workers.

Due to the unique nature of the aftermarket, it offers a natural advantage to local entrepreneurs to create value and satisfy consumers in their geography. Once the industry can “Organise, Standardise and Digitise” the Indian aftermarket, businesses will be better prepared to gain market share with more local value creation.


Thanks To Ransomware, Bitcoin Leaves A Bad Taste In Corporates’ Mouths – pymnts.com

The last several years have seen a surge in efforts among the cryptocurrency community to legitimize the technology. Once seen as a tool for the dark web and black markets, cryptocurrencies like bitcoin now want to be a part of the broader economy.

For many, however, the technology still conjures up images of cybercrime and illicit activity, and new data revealing the rising threat of ransomware is likely to fuel that negative reputation.

Ransomware threats are increasing, not only because the volume of attacks against businesses is on the rise, but because new, unique strains of ransomware are emerging that target larger organizations and demand higher payouts.

A new report from cybersecurity company Coveware put some numbers behind this trend. Between 2018’s fourth quarter and 2019’s first, the average cost of a ransomware attack spiked by a whopping 89 percent to $12,762. The average span of system downtime increased, too, to 7.3 days, while the average cost of the knock-on impact of ransomware-related downtime stood at $65,645.

The general consensus of the regulatory and cybersecurity community on ransomware attacks is to advise victims not to pay their attacker. However, with Coveware finding that payouts yield a 96 percent success rate in securing a decryption tool that can restore enterprise data, it can be difficult for a company to resist adhering to cyberattackers’ demands.

Coveware Co-Founder and Chief Executive Officer Bill Siegel told PYMNTS it is imperative that businesses understand ransomware payouts should only be used as a last resort.

“It’s only in cases where a client says, ‘We are going to go out of business, we are going to miss payroll, this is going to ruin my company unless we explore this option,’” he said in a recent interview.

Bitcoin at the Center

If an organization is ultimately forced to pay the ransom, by far the most common vehicle to do so is bitcoin, Coveware’s analysis found, with 98 percent of demands requiring payment in bitcoin.

Unfortunately, this means that for many organizations, their first experience using a cryptocurrency isn’t to accelerate payments or boost the efficiency of global transactions, as many innovators want. Rather, it’s to pay off a cyberattacker.

“It’s a last resort, but the reality is, when a company has only two choices — fold their tents and tell customers they can’t do business anymore, or go through the business of dealing with the attacker and paying the ransom — the choice actually becomes very clear,” said Siegel. “And however unpalatable it is, they would rather do that than shut their company down.”

The widespread reliance on bitcoin to facilitate ransomware payouts is a “genuine challenge” for the cryptocurrency industry, he added. But the industry players that have a long-term, vested interest in the success and legitimacy of the technology are also the ones that take the issue of cybersecurity and regulatory compliance seriously.

And while corporates targeted by ransomware attacks may equate bitcoin to cybercrime, it’s actually the privacy coins, such as Dash or Monero, that are untraceable and therefore likely will face a harder time in the market providing legitimacy.

Shaping Regulations

That may be true, but bitcoin’s notorious reputation remains difficult to shake off. And for corporates that ultimately decide to pay a ransom using cryptocurrency, the regulatory and compliance implications of doing so are sure to stir up anxieties as well.

Siegel noted that though the cybersecurity and cryptocurrency regulatory landscape remains in relative infancy, authorities are taking notice of the use of crypto in ransomware payouts and beginning to act accordingly.

He pointed to the U.S. Department of Justice’s indictment last year of two Iranian men using ransomware to steal $30 million from a range of targets in the U.S. As a result, the DOJ, for the first time, placed information about digital currency wallets on its Specially Designated Nationals (SDN) and Blocked Persons list.

“There was no regulatory safe harbor, or any guidance provided, but our interpretation of that step by the Department of Justice validated our existing compliance program,” he said, adding that Coveware actively monitors the Office of Foreign Assets Control’s SDN list, as well as wallets associated with ransomware payouts to see if they ever end up on any sanctions lists moving forward.

“It’s a new area, and it’s something companies should be very careful on, because if you’re not careful and you pay into a wallet on a sanctions list, you can be subject to secondary sanctions,” he said, “which can be as existentially damaging to a business as actually losing all of your data.”
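The screening step Siegel describes, checking a payout destination against the SDN list and re-checking past payout addresses as the list changes, can be illustrated in a few dozen lines. The following is an added example written for this page, not Coveware's own tooling. It assumes a simplified three-column export (entry number, identifier type, identifier value) rather than OFAC's actual file layout; the identifier label "Digital Currency Address - <ticker>" is the form OFAC uses, but every address in the sample data is a constructed placeholder, not a real sanctioned wallet.

```python
"""Screen cryptocurrency payout addresses against an SDN-style identifier list.

Added example, not Coveware's code. The CSV below is CONSTRUCTED: its column
layout is an assumption, and every address value is a placeholder.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed excerpt. Digital-currency identifiers are labelled the way OFAC
# labels them ("Digital Currency Address - XBT"); the values are placeholders.
SAMPLE_SDN_IDS_CSV = """ent_num,id_type,id_value
10001,Digital Currency Address - XBT,PLACEHOLDER-XBT-ADDRESS-1
10001,Digital Currency Address - XBT,placeholder-xbt-address-2
10002,Digital Currency Address - XMR,PLACEHOLDER-XMR-ADDRESS-1
10003,Passport,X1234567
"""

ADDRESS_ID_PREFIX = "Digital Currency Address - "


@dataclass(frozen=True)
class ScreeningHit:
    address: str   # the address as submitted for screening
    entry: str     # SDN entry number the address is tied to
    ticker: str    # currency ticker taken from the identifier label
    match: str     # "exact" or "case-insensitive"


def load_sanctioned_addresses(csv_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each listed address (verbatim) to (entry number, ticker).

    Non-address identifiers such as passport numbers are skipped.
    """
    sanctioned: Dict[str, Tuple[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        id_type = row["id_type"].strip()
        if not id_type.startswith(ADDRESS_ID_PREFIX):
            continue
        ticker = id_type[len(ADDRESS_ID_PREFIX):]
        sanctioned[row["id_value"].strip()] = (row["ent_num"].strip(), ticker)
    return sanctioned


def screen_address(address: str,
                   sanctioned: Dict[str, Tuple[str, str]]) -> Optional[ScreeningHit]:
    """Return a hit if the address appears on the list, else None."""
    addr = address.strip()
    if addr in sanctioned:
        entry, ticker = sanctioned[addr]
        return ScreeningHit(addr, entry, ticker, "exact")
    # Legacy base58 addresses are case-sensitive, but bech32 addresses are valid
    # in upper or lower case, so a case-insensitive match is surfaced for
    # analyst review instead of being silently treated as clear.
    folded = {listed.casefold(): listed for listed in sanctioned}
    listed = folded.get(addr.casefold())
    if listed is not None:
        entry, ticker = sanctioned[listed]
        return ScreeningHit(addr, entry, ticker, "case-insensitive")
    return None


def screen_payout(address: str, sanctioned: Dict[str, Tuple[str, str]]) -> str:
    """Decision for a proposed payout: BLOCK, REVIEW, or CLEAR."""
    hit = screen_address(address, sanctioned)
    if hit is None:
        return "CLEAR"
    return "BLOCK" if hit.match == "exact" else "REVIEW"


def rescreen_history(past_payouts: Iterable[str],
                     sanctioned: Dict[str, Tuple[str, str]]) -> List[ScreeningHit]:
    """Re-run screening over previously paid addresses after a list update."""
    hits: List[ScreeningHit] = []
    for address in past_payouts:
        hit = screen_address(address, sanctioned)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    listed_addresses = load_sanctioned_addresses(SAMPLE_SDN_IDS_CSV)
    for candidate in ("PLACEHOLDER-XBT-ADDRESS-1", "unrelated-address"):
        print(candidate, "->", screen_payout(candidate, listed_addresses))
    # Constructed ledger of earlier payouts, re-screened against the current list.
    for hit in rescreen_history(["unrelated-address", "PLACEHOLDER-XMR-ADDRESS-1"],
                                listed_addresses):
        print("historical payout now listed:", hit)
```

The two-tier outcome (BLOCK on an exact match, REVIEW on a case-insensitive one) keeps the check conservative without letting an address slip through on a trivial case difference, and `rescreen_history` is the part that answers the "moving forward" concern: screening once at payment time is not enough if the list can later add an address that was already paid.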

The use of cryptocurrency in ransomware and other cyberattacks may leave a bad taste in corporates’ mouths, and certainly presents an uphill battle for the crypto community to combat a negative reputation and encourage corporate adoption of the technology. A shifting regulatory landscape may present new compliance challenges for targeted corporates, but might also help to legitimize cryptocurrency as well.

Regardless, the best way to mitigate the risk of non-compliance, and to avoid the challenges associated with ransomware payouts altogether, is to protect IT infrastructure in the first place.

“We’ve entered a world where it is the standard to see the vast majority of attacks take place that are bespoke, targeted, and have very devastating and existentially risky consequences for a company,” said Siegel. “Whether you’re a small business or large business, it takes a considerable amount of persistent investment in your overall IT security to protect yourself.”
