Updates to Chapter 11

Enforcement by Federal Agencies Other than the FTC

UPDATES TO THE SECOND EDITION

11.3 Federal Communications Commission

In July 2024, the FCC announced a settlement with TracFone Wireless to resolve investigations into whether TracFone failed to reasonably protect its customers’ information from unauthorized access in connection with three data breaches.  The breaches resulted in the unauthorized access to and exposure of customer proprietary network information (CPNI) and personally identifiable information, as well as unauthorized transfers of customers' phone numbers to other carriers. The FCC alleged that failure to reasonably secure customers’ proprietary information violates a carrier’s duty under Section 222 of the Communications Act and also constitutes an unjust and unreasonable practice in violation of Section 201 of the Act.  The Commission also alleged that it is a violation of Section 222 to impermissibly use, disclose, or permit access to individually identifiable CPNI without customer approval. 

In the settlement, the company agreed to revise its information security program to incorporate specific measures, including

  • employee training on safeguarding customer data;

  • access controls consistent with NIST or OWASP (Open Worldwide Application Security Project) standards, including encryption of administrative credentials, authentication mechanisms "reasonably designed to verify" identity, and a prohibition on security questions as the exclusive means of verification for customer authentication or password-reset purposes;

  • encryption of data transmitted to and from any web application;

  • validation and sanitization of any input data to a web app to prevent SQL injection, cross-site scripting attacks, or command injection;

  • logging and monitoring of all security activities on web apps;

  • asset inventory;

  • patch and security update management;

  • implementation of a program reasonably designed to identify, assess and remediate well-known and reasonably foreseeable vulnerabilities within customer facing web apps, including the use of specified secure software development practices;

  • risk assessment;

  • secure methods to authenticate a customer's identity before effectuating a port-out or SIM change request.
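The input-validation item above names the web-application defect classes (SQL injection, cross-site scripting, command injection) without showing what the required control looks like in code. The following is an added illustration, not code from the FCC order or from TracFone: a customer lookup written the injectable way beside the same lookup with a parameterised query and an allowlist on the username field. The customer table, the PIN values, the allowlist pattern and the tautology payload are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the FCC order): a toy customer table
# of the kind a carrier's customer-facing web app might query.
SAMPLE_CUSTOMERS = [
    ("alice", "555-0101", "1111"),
    ("bob", "555-0102", "2222"),
]

# Allowlist for the username field: the validation step applied before the
# value ever reaches a query. The pattern is an assumption for this example.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def is_valid_username(username: str) -> bool:
    """Return True only for usernames matching the allowlist pattern."""
    return bool(USERNAME_RE.fullmatch(username))


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, phone TEXT, pin TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username, pin):
    """Deliberately insecure: user input is concatenated into the SQL text,
    so a quote character in the input rewrites the WHERE clause."""
    sql = (
        "SELECT username, phone FROM customers "
        f"WHERE username = '{username}' AND pin = '{pin}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username, pin):
    """Parameterised query: values travel separately from the SQL text, so
    they cannot change the statement's structure. The username is also
    allowlisted first, so malformed input is rejected before any query."""
    if not is_valid_username(username):
        return []
    sql = "SELECT username, phone FROM customers WHERE username = ? AND pin = ?"
    return conn.execute(sql, (username, pin)).fetchall()


def demo() -> tuple:
    """Run both lookups with a classic tautology payload and return the
    number of customer rows each one discloses."""
    conn = make_db()
    payload = "' OR '1'='1"
    disclosed_vulnerable = len(lookup_vulnerable(conn, payload, payload))
    disclosed_hardened = len(lookup_hardened(conn, payload, payload))
    return disclosed_vulnerable, disclosed_hardened


if __name__ == "__main__":
    print(demo())  # (2, 0): the concatenated query leaks every row
```

The payload turns the concatenated WHERE clause into `username = '' OR '1'='1' AND pin = '' OR '1'='1'`, which is true for every row, so the vulnerable lookup returns both customers with neither a valid username nor a valid PIN. The parameterised version returns nothing for the payload and still returns exactly one row for a correct username and PIN pair, which is the property the order's "validation and sanitization" requirement is meant to guarantee.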

11.6.3 HIPAA Enforcement After MD Anderson

HHS has brought at least two enforcement actions against covered entities that were the victim of ransomware attacks. The first, announced in October 2023, involved a medical management company that provided medical billing and other services, making it a business associate. In 2018, it suffered a ransomware attack that encrypted the electronic protected health information of 206,695 individuals. After investigation, OCR alleged that the company failed to conduct an accurate and thorough risk analysis; failed to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. In a settlement, the company agreed to pay $100,000 and to implement a corrective action plan.

The second involved Green Ridge Behavioral Health (GRBH). In February 2019, GRBH filed a breach report. OCR initiated an investigation, which revealed that GRBH had been subject to a ransomware attack resulting in the acquisition of the protected health information of over 14,000 patients. According to the settlement between GRBH and the government, the evidence gathered by OCR indicated GRBH's noncompliance with the Privacy and Security Rules, specifically --

  • The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI. (See 45 C.F.R. § 164.308(a)(1)(ii)(A)).

  • The requirement to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. (See 45 C.F.R. § 164.308(a)(1)(ii)(B)).

  • The requirement to implement policies and procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (See 45 C.F.R. § 164.308(a)(1)(ii)(D)).

  • The requirement to not use or disclose protected health information except as permitted by the Privacy Rule. (See 45 C.F.R. § 164.502(a)).

Note that, notwithstanding MD Anderson, OCR alleged that GRBH, in falling victim to an adversarial attack, had violated the Privacy Rule as well as the Security Rule.

Without agreeing to liability, GRBH agreed to pay $40,000 and entered into a Corrective Action Plan that will be monitored by OCR for three years. Among other items, the plan requires the company to:

  • Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, subject to HHS review and approval;

  • Design a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the risk analysis, subject to HHS review and approval;

  • Provide workforce training on HIPAA policies and procedures;

  • Conduct an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and

  • Report to OCR when workforce members fail to comply with HIPAA.

11.7.1 SEC Enforcement Actions Against Regulated Entities in the Financial Markets 

In an August 2024 cyber-related enforcement action, the SEC invoked yet another rule against yet another type of regulated entity: Exchange Act Rule 17Ad-12 (the “Safeguarding Rule”), which regulates transfer agents (TAs).  TAs play a critical role in the settlement of securities transactions, including canceling and issuing certificates and distributing dividends and other payments to security holders.  Rule 17Ad-12 requires registered TAs to assure that: (1) securities are handled, in light of all facts and circumstances, in a manner reasonably free from the risk of theft, loss, or destruction; and (2) funds are protected, in light of all facts and circumstances, against misuse.  In the August 2024 matter, threat actors used a spoofed email address to send instructions to the TA to issue and liquidate new shares and then transfer the proceeds to a foreign bank.  Contrary to its own internal procedures, the TA did not verify the email instructions by a call-back to the requestor.  In another incident, a threat actor opened online accounts with the TA using stolen Social Security numbers of certain accountholders of the TA.  The respondent’s online platform automatically linked those fraudulent accounts to legitimate accounts that used the same SSN, and the threat actor was then able to transfer cash from those accounts to a third-party bank.  The respondent was censured and ordered to cease and desist from committing or causing any violations and any future violations of Section 17A(d) of the Exchange Act and Rule 17Ad-12 thereunder and to pay a civil money penalty in the amount of $850,000. In the Matter of Equiniti Trust Company, LLC f/k/a American Stock Transfer & Trust Company, LLC.

In May 2024, the SEC entered into a settlement that at first seems unduly harsh in requiring the respondents to pay a $10 million penalty for failing to report to the Commission a cybersecurity event that was ultimately determined to be insignificant. But the proceeding makes sense in light of the nature of the entities affected and the purpose of the disclosure rule that was at issue.

The entities were The Intercontinental Exchange, Inc. (ICE) and its subsidiaries, which include the New York Stock Exchange. The rule was Reg SCI, 17 C.F.R. §§ 242.1000-242.1007, which requires securities exchanges and certain other entities to immediately notify Commission staff and also provide a written notification “[w]ithin 24 hours” when they have “a reasonable basis to conclude” that they were the subject of events constituting systems disruptions, system compliance issues, or systems intrusions (“SCI events”). Notification is required unless the covered entity also immediately concludes or reasonably estimates, pursuant to Rule 1002(b)(5) of Reg SCI, that an SCI event had or would have no or a de minimis impact on the covered entity’s operations or on market participants (“de minimis” event). 

In 2021, according to the SEC, ICE determined that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, the SEC’s order finds that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days. As a result, those subsidiaries did not properly assess the intrusion to fulfill their disclosure obligations under Regulation SCI. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, the respondents instead took four days to assess the intrusion’s impact and internally conclude that it was a de minimis event.

In announcing the settlement, the Commission said: “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.” In the agreed upon order, the SEC explained that SCI required immediate notice, even before the extent of an incident was known, because “any delay could hinder its ability to evaluate risk and take steps necessary to prevent harm to investors and market integrity.”

11.7.2 SEC Enforcement Actions Against Publicly Traded Companies

SolarWinds

On July 18, 2024, a district court dismissed some claims that the SEC had filed against SolarWinds and its vice president in charge of the company's information security, but upheld others. SEC v. SolarWinds, 23 Civ. 9518 (PAE) (S.D.N.Y. July 18, 2024). Context: SolarWinds designs and sells software used by companies and government agencies to manage their computer systems, including "Orion," which it describes as a platform that helps monitor and manage IT infrastructure. In 2019, threat actors inserted malicious code into the Orion software as it was being developed and SolarWinds unwittingly pushed that corrupted software to its customers, thus compromising their systems.

For alleged material misrepresentations and omissions in filings and other public statements, the SEC sued SolarWinds and the VP under Section 10(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78j(b), and its implementing rule, Rule 10b-5(b); Section 13(a) of the Exchange Act, 15 U.S.C. § 78m(a), and its implementing rules, Rules 12b-20, 13a-1, 13a-11, and 13a-13; and Section 17(a) of the Securities Act of 1933, 15 U.S.C. § 77q(a). SolarWinds had posted on its website a “Security Statement,” in which it made extensive claims about the security of its network and its software development process. The court held that the SEC had adequately alleged that the statement was materially misleading in at least two respects, regarding SolarWinds' access controls and password protection policies; the court cited evidence internally acknowledging the deficiencies.

On the other hand, the court dismissed claims based on company-approved press releases, blog posts, and podcasts, as non-actionable corporate puffery, "too general to cause a reasonable investor to rely upon them." The court also dismissed any claims based on cautionary risk disclosure statements made in the company’s Form S-1 registration and subsequent periodic Form 10-K, 10-Q, and S-8 filings. The court also dismissed claims based on statements made about the attack on the Orion product. The court noted that the company’s 8-K about the incident “by any measure bluntly reported brutally bad news for SolarWinds.” “The lengthy Form 8-K disclosure, read as a whole, captured the big picture: the severity of the [Orion] attack.” Likewise, the court found that a follow-up 8-K with more details was not false or misleading. (Nor was there scienter for either.)

The SEC had also advanced the novel theory that SolarWinds' cybersecurity deficiencies were actionable under Section 13(b)(2)(B)(iii) of the Exchange Act, 15 U.S.C. § 78m(b)(2)(B), because (1) the company's source code, databases, and products were its most vital assets, but (2) as a result of its poor access controls, weak internal password policies, and VPN security gaps, the company failed to limit access to these "only in accordance with management's general or specific authorization," enabling access by external attackers. SolarWinds countered that although Section 13(b)(2)(B) gives the SEC authority to regulate an issuer's "system of internal accounting controls," it cannot, as a matter of statutory construction, reasonably be interpreted to cover a company's cybersecurity controls such as its password and VPN protocols. The court held that SolarWinds was “clearly correct” and dismissed the claim. In holding that Section 13(b)(2)(B)(iii) relates to internal accounting controls, not cybersecurity controls, the court seems to have rejected the theory relied on by the SEC in the R.R. Donnelley enforcement action described below.

Finally, the court dismissed a claim based on Exchange Act Rule 13a-15(a), which requires companies to "maintain disclosure controls and procedures." 17 C.F.R. § 240.13a-15. The company’s incident response plan, the court concluded based on the pleadings, was adequate and was adequately followed.

Other SEC Enforcement Actions

As noted in the book, in 2021, the SEC opened an investigation regarding the disclosures of public companies using the compromised Orion software product made by the SolarWinds Corp. Since the compromise of the SolarWinds software opened a vulnerability in the networks of entities using the SolarWinds product, the SEC was interested in how those SolarWinds customers disclosed any attacks they suffered. In October 2024, the SEC announced settlements with four companies, which agreed to pay civil penalties ranging from $990,000 to $4 million.

According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures. The SEC’s order against Unisys found that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The SEC’s order against Avaya found that it stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment. The SEC’s order against Check Point found that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast found that the company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed. Across the four companies, the SEC found violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1, and/or 13a-13 thereunder. Against Unisys, it also found a violation of Exchange Act Rule 13a-15(a), which requires companies to maintain disclosure controls designed to ensure that information potentially required to be disclosed by an issuer is reported to and reviewed by senior management and disclosure decision-makers in a timely fashion.

The SEC’s June 2024 enforcement action against R.R. Donnelley (RRD) represented an effort by the Commission to transform its public disclosure regime into a regulation of cybersecurity practices. RRD settled in June 2024, but the July 2024 district court opinion regarding SolarWinds calls into question at least part of the SEC’s theory against RRD. Of course, the district court opinion in SolarWinds controls only that case, so the SEC may yet try to use Exchange Act Section 13(b)(2)(B) to scrutinize the cybersecurity practices of publicly-traded companies.

In 2021, when it was a publicly-traded company, RRD experienced a ransomware network intrusion. The SEC’s order states that RRD’s internal intrusion detection systems issued alerts, which were visible to both its security personnel and its managed security services provider (MSSP), about certain malware in the RRD network.  The MSSP received these alerts and escalated three of them to RRD’s internal security personnel. According to the SEC, RRD reviewed the escalated alerts but, in partial reliance on its MSSP, did not promptly take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise.  The MSSP also reviewed, but did not escalate to RRD, other alerts related to the same activity, including alerts regarding the same malware being installed or executed on multiple other computers.  Broadening its access, the threat actor was able to install encryption software and exfiltrated 70 gigabytes of data, including data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information.

The SEC alleged that RRD violated Exchange Act Section 13(b)(2)(B) by failing to reasonably design and maintain internal controls. But the alleged failings sound more like failures of cybersecurity monitoring and incident response than failures of internal accounting controls: “Namely, … RRD’s cybersecurity alert review and incident response policies and procedures failed to adequately establish a prioritization scheme and to provide clear guidance to internal and external personnel on procedures for responding to incidents.  In addition, RRD failed to establish sufficient internal controls to oversee the MSSP’s review and escalation of the alerts.”   The SEC ultimately tied the failures in handling alerts to core securities regulation interests, characterizing them as a failure to maintain “effective disclosure-related controls and procedures to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure” and as a failure to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets is permitted only in accordance with management’s general or specific authorization.” But the failures were, at core, a failure to respond to cybersecurity alerts and set guidance for an MSSP.

The company agreed to pay a civil money penalty of $2.125 million. The Commission noted favorably the company’s remedial acts promptly undertaken once the intrusion was recognized and the cooperation afforded the Commission staff, including reporting the intrusion to the staff prior to its first EDGAR filing disclosing the incident and voluntarily revising incident response policies and procedures, adopting new cybersecurity technology and controls, updating employee training, and increasing cybersecurity personnel.

____________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

11.2 Consumer Financial Protection Bureau

With the exception of the Dwolla and Equifax enforcement actions described in the book, the CFPB has been a no-show on cybersecurity. However, on August 11, 2022, the Bureau issued a circular in which it reiterated that inadequate security for the sensitive consumer information collected, processed, maintained, or stored by “covered persons” and “service providers” subject to the Consumer Financial Protection Act (CFPA) can violate the Act’s prohibition of unfair acts or practices, 12 U.S.C. § 5536(a)(1)(B). In particular, the circular called out three sets of data security practices: multi-factor authentication, adequate password management, and timely software updates: “Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion.” As relevant precedent for how it would view inadequate procedures in these three areas, the CFPB cited enforcement actions of the Federal Trade Commission, signaling that it would follow the FTC’s common law of data security.

[New subchapter:] 11.6.3  HIPAA Safe Harbor Rule

Public Law 116-321 became law on Jan. 5, 2021 and is codified at 42 U.S.C. § 17941. Sometimes referred to as the HIPAA Safe Harbor Act, it provides that the Secretary of HHS, when making determinations relating to (1) imposing HIPAA fines under 42 U.S.C. § 1320d-5 and 42 U.S.C. § 1320d-6, (2) decreasing the length and extent of an audit under 42 U.S.C. § 17940, or (3) other remedies otherwise agreed to by the Secretary, shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may mitigate fines under § 1320d-5; result in the early, favorable termination of an audit; and mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule.

The term “recognized security practices” is defined as the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, 15 U.S.C. § 272(c)(15) (most specifically the NIST framework for critical infrastructure, but possibly referring to additional NIST products); the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and “other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” The section also states that “Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule,” apparently meaning that the regulated entity gets to pick and choose among applicable standards and guidelines. Like other safe harbor provisions, this one seems to be intended to shift the focus of any enforcement action from the specific cybersecurity failing that resulted in a breach to the broader cybersecurity posture of the regulated entity. Facing an enforcement action for an admitted breach or an audit, the regulated entity may argue that, overall, it had a very good program that just missed this one attack and therefore it should get a break on fines or other remedies.

[New subchapter:] 11.6.4 HIPAA Enforcement after MD Anderson 

In March 2022, HHS announced what may be its first cybersecurity settlement since MD Anderson. The matter began in January 2015, when the U.S. Department of Veterans Affairs reported a breach of unsecured protected health information (PHI) involving a telehealth program managed by a VA business associate called, after a subsequent merger, Peachstate. In August 2016, OCR initiated a compliance review of the company to determine its compliance with the Privacy and Security Rules related to the breach. The review, expanded to encompass the merged entity, found potential violations of the Security Rule. Notably, HHS did not assert a violation of the Privacy Rule, suggesting that it had accepted the ruling of the Fifth Circuit that a breach is not a disclosure in violation of the Privacy Rule. Peachstate settled, agreeing to pay $25,000 and to implement a corrective action plan similar to those imposed pre-MD Anderson.

11.7.1 Enforcement Actions Against Regulated Entities in the Financial Markets

Cetera, etc (2021)

In August 2021, the Securities and Exchange Commission sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm. All eight firms were Commission-registered as broker dealers, investment advisory firms, or both. The SEC's orders against each of the firms found that they had violated Rule 30(a) of Regulation S-P, aka the Safeguards Rule. One set of respondents was also found to have violated Section 206(4) of the Advisers Act and Rule 206(4)-7 thereunder (17 C.F.R. § 275.206(4)-7). As always, the agency’s orders should be read closely to discern what kinds of failures it will focus on in an enforcement action. In these cases, they included failure to adopt sufficiently robust written policies and procedures to safeguard records and information of brokerage customers and advisory clients; failure to use multi-factor authentication to protect employee and customer accounts; failure to adopt a customized Incident Response Policy; and use of misleading language in breach notice letters.

 11.7.2 SEC Enforcement Actions Against Publicly Traded Companies

In June 2021, the SEC entered into an Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, In the Matter of First American Financial Corporation, File No. 3-20367 (June 14, 2021). The matter began in May 2019 when a cybersecurity journalist notified First American that its application for sharing document images related to title and escrow transactions had a vulnerability exposing over 800 million document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, First American issued a statement for inclusion in the journalist’s report and furnished a Form 8-K to the Commission. However, First American’s senior executives responsible for the press statement and Form 8-K were not informed that the company’s information security personnel had identified the vulnerability several months earlier in a January 2019 manual penetration test of the relevant application or that the company had failed to remediate the vulnerability in accordance with its policies.

This indicated that First American had not maintained disclosure controls and procedures designed to ensure that senior management had the relevant information about the January 2019 Report prior to issuing the company’s disclosures about the vulnerability. Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15, requires issuers of registered securities to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms. The respondent agreed to cease and desist from committing any future violations of Exchange Act Rule 13a-15 and to pay a civil money penalty in the amount of $487,616.

Whereas the SEC focused in the First American case on the company’s failure to ensure that senior management were aware of the vulnerability, a case settled in August 2021 suggests that the Commission will come down much harder on a company when senior management did know of a breach and nevertheless filed a 6-K that spoke only hypothetically of the risk of breaches and, when contacted by the media, made statements that understated the nature and scope of the incident and overstated the company’s data protections. Order Instituting Cease-and-Desist Proceedings, Pursuant to Section 8A of the Securities Act of 1933 and Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, In the Matter of Pearson plc, File No. 3-20462. For example, the company stated to the media that the breach may have included dates of birth and email addresses, when, in fact, it knew that such records were stolen. And it said that it had had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. This, the SEC found, violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder. The company agreed to pay a civil money penalty in the amount of $1,000,000.

The SEC’s heightened interest in cybersecurity disclosure was confirmed in June 2021, when the staff of the SEC initiated an investigation regarding the compromise of software made by the SolarWinds Corp. As part of this investigation, the staff issued a letter to public companies they thought might have been affected by the SolarWinds vulnerability, asking them to provide information to the staff on a voluntary basis. The SEC offered amnesty to companies for disclosure of matters within the scope of the inquiry. According to Reuters, the SEC sent letters to “hundreds of companies, including many in the technology, finance and energy sectors.” It seems there could be two separate questions in such an inquiry involving a supply chain attack: (1) did the company install the compromised version of the SolarWinds product and, if so, did it report and disclose that fact; and (2) did the company experience a data breach as a result of the SolarWinds vulnerability and, if so, did it report and disclose the breach?  As to the first question, it would be quite remarkable if every company were expected to report every time it learned it was using a vulnerable third-party product. Moreover, it would seem to be unwise to require companies to disclose use of a vulnerable product before the vulnerability could be patched or the reliance otherwise mitigated. And if a vulnerability has been found and patched before it could be exploited, why make a disclosure that could be misleading? Answers await further clarification from the SEC on the disclosure obligations of public companies regarding vulnerabilities in third-party software or services they use. But the foundational point is that companies need to have a sound policy (and follow it) for identifying cyber risks and cyber incidents and then deciding which deserve to be disclosed. For that, it is worth returning to the SEC’s 2018 guidance:

Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company's business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.


Last updated: Oct. 23, 2024.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.