Legal Report: Italy Criminalizes Some Protest Activities
Security Management’s Legal Report is a monthly column that highlights the instances where legal matters intersect with the security industry. Our team tracks court cases, new and developing legislation, and regulatory decisions or investigations that affect private organizations and security professionals worldwide.
To share a tip or notify Security Management about emerging legal issues, email Associate Editor Sara Mosqueda at [email protected].
Legislation
Italy
Anti-protest. A new law increases and creates penalties for some protest activities in Italy.
The Security Decree (Senate Act 1236) introduces harsher penalties for property damage and disruptive sit-ins that occur during a protest. It also creates penalties for participating in an unauthorized demonstration. The law criminalizes nonviolent forms of protest or civil disobedience, such as hunger strikes and blocking roads or railways. Individuals convicted of these crimes can be fined up to €300 ($350) and imprisoned for up to one month.
The law also criminalizes resisting or injuring an on-duty police officer and creates new rules against pickpockets on modes of public transportation. The Security Degree supports law enforcement by providing €10,000 ($11,623) in legal fees to officers under investigation for on-the-job conduct.
Additionally, the law allows sentences for incarcerated individuals involved in a riot or disobedience at a prison or migrant detention center to be extended by up to four years.
Under the new law, intelligence agencies are allowed to commit certain crimes without repercussion if done for the sake of national security. The UN Office of the High Commissioner for Human Rights warned that the law’s “vague anti-terrorism provisions could lead to arbitrary detention, and restrict freedom of expression.”
Judicial Decisions
United States
Data breach. A federal judge gave preliminary approval for a $177-million class action settlement to resolve several cases against telecommunications giant AT&T. The lawsuits were filed because of two data breaches that exposed tens of millions of customers’ personal information.
AT&T confirmed in 2024 that it experienced two significant data breaches in 2019 and 2024. In 2019, hackers accessed and exposed roughly 7.6 million current and 65.4 million former account holders’ data, including names, dates of birth, and Social Security numbers. The data appeared on the Dark Web in 2024, and AT&T subsequently launched an investigation. That same year, a hacker breached AT&T’s cloud storage provider, collecting the 2022 call and text records for nearly all U.S. customers. Authorities arrested two suspects allegedly involved in the 2024 breach.
If the settlement receives final approval in December 2025, the agreement will pay customers depending on how affected they were by the breaches. Larger payments will be earmarked for customers who can “fairly” trace damage linked to the data leaks, according to the proposed settlement. (In Re: AT&T Inc. Customer Data Security Breach Litigation, U.S. District Court for Northern District of Texas Dallas Division, No. 24-cv-00757-E, 2025)
Ransomware. An Iranian man pled guilty to participating in a ransomware attack against the City of Baltimore, Maryland.
Sina Gholinejad, 37, pled guilty to one charge of computer fraud and abuse and a separate charge of conspiracy to commit wire fraud. His actions were linked to the Robbinhood ransomware extortion scheme, which ran from January 2019 until at least March 2024. The scheme targeted the City of Baltimore, Maryland, causing more than $19 million in damages to its computer networks and months-long disruption to essential city services. The ransomware scheme also impacted Greenville, North Carolina; Yonkers, New York; and several other U.S. cities.
Along with municipal targets, Gholinejad and his co-conspirators also targeted other organizations, including a non-profit and a medical group.
Gholinejad is scheduled for a sentencing hearing in August 2025 and faces up to 30 years in federal prison. (United States v. Sina Gholinejad, a/k/a “Sina Ghaaf,” U.S. District Court for Eastern District of North Carolina, No. 24-cr-16-M-BM, 2025)
Regulations
Canada
Money laundering. Canaccord Genuity Corp. paid the Financial Transactions and Reports Analysis Centre (FINTRAC) of Canada a $544,500 fine for violating the nation’s money laundering act.
After investigating the financial services firm in 2023, FINTRAC determined that Canaccord Genuity violated the Proceeds of Crime and Terrorist Financing Act when it did not “submit suspicious transaction reports where there were reasonable grounds to suspect that transactions or attempted transactions were related to a money laundering or terrorist activity financing offence,” according to a FINTRAC press release.
Other violations included the failure to develop and implement written compliance policies, as well as failure to assess the risk of a money laundering or terrorist financing offense.
United Kingdom
Security measures. The Information Commissioner’s Office (ICO) fined 23andMe £2.31 million ($3.12 million) for inadequate security measures to protect users’ personal data.
The ICO began investigating the genetic testing company after a 2023 data breach exposed the users’ personal information. A hacker used credential stuffing to access 23andMe’s systems between April and September 2023. The hacker then gained access to more than 155,000 UK users’ personal information, including names, birth years, general locations, race, ethnicity, health reports, and potentially more.
The ICO determined that 23andMe failed “to implement appropriate security measures to protect the personal information of UK users,” according to a press release.
“Our investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data,” the ICO continued.
The company had not implemented mandatory multifactor authentication, secure password protocols, or unpredictable usernames, and it did not have a way to monitor, detect, or respond to cyber threats to customers’ information.
The office also determined that 23andMe’s response to the breach was “inadequate” because the company did not confirm that a breach had occurred until an employee discovered the stolen data advertised for sale on the social forum Reddit.
In March 2025, 23andMe filed for Chapter 11 bankruptcy in the United States as part of the company’s eventual sale to New York-based Regeneron Pharmaceuticals. The ICO took the filing and the company’s financial position into consideration before determining a fine.
Also of Interest
Security Management tracks court cases, bills, laws, and regulatory issues that impact the security industry. Here are some of the stories that are of current interest.
Arson. A Czech court sentenced Colombian national Andres Alfonso de la Hoz de la Cruz to eight years in prison for arson attacks. In 2024, de la Cruz was arrested for lighting fires on three public buses at a Prague bus depot. Authorities said he was planning another attack, possibly in connection with Russia’s hybrid war efforts.
Artificial intelligence (AI). New York legislators passed the RAISE Act (Assembly Bill A6453A), which is designed to prevent large-scale AI models with high computational power from being used to develop or contribute to disasters that could kill or injure more than 100 people or cause more than $1 billion in damage. New York Governor Kathy Hochul has until 27 July to veto or sign the bill into law.
Data security. The UK ICO is one step closer to collecting a fine it issued against TikTok for £12.7 million ($15.9 million). The social media platform was penalized for allegedly misusing children’s data and violating other protections for young users’ personal data. The UK’s First-tier Tribunal ruled that the ICO was within its power to issue a fine against the Chinese-owned company. TikTok can appeal the case to the Upper Tribunal. (TikTok Inc, et al. v. Information Commissioner, First-tier Tribunal for the General Regulatory Chamber, No. UKFTT 00798 (GRC), 2025)
Harassment. The Illinois Senate passed a bill that bans police ticketing students for misbehavior while at school. The bill, SB1519, would amend the state’s School Code, preventing school staff from referring students breaking school rules to law enforcement or a school resource officer. The Senate sent the bill to Illinois Governor J.B. Pritzker to sign.
Murder. Bryan Christopher Kohberger pled guilty to murdering four University of Idaho students in 2022. Kohberger stabbed the four students, who lived in off-campus housing. As part of the plea deal, Kohberger is expected to receive consecutive life sentences for each of the murders instead of the death penalty. His sentencing is set for 23 July. (State of Idaho v. Bryan C. Kohberger, Fourth Judicial District Court of Idaho for Ada County, No. CR01-24-31665, 2025)
