【北邮国院大三下】Cybersecurity Law 网络安全法 Week1【更新Topic4, 5】
北邮国院大三电商在读,随课程进行整理知识点。仅整理PPT中相对重要的知识点,内容驳杂并不做期末突击复习用。个人认为相对不重要的细小的知识点不列在其中。如有错误请指出。转载请注明出处,祝您学习愉快。
编辑软件为Effie,如需要pdf/docx/effiesheet/markdown格式的文件请私信联系或微信联系
WEEK1
以下是一些比较定义性的东西,所以基本都是PPT内容翻译。如果考试是类似电商法的case式考法,这些就不用背只需要了解,大概知道什么是什么,有话说就可以。如果有其他变化和新理解,后续会修改这段话
在Week1中,很难总结出像电商法那种很有逻辑的东西,换句话说,PPT给的信息冗杂且无用,阅读下来完全不像电商法那种分几大块去介绍的感觉,法条的占比被拉得很低,对于这个课的更多想法还要在观察一周的课程。Week1的东西就挑着背背吧,毕竟往年题还没有
什么是Cybersecurity
Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks
网络安全是技术、流程和控制的应用,以保护系统、网络、程序、设备和数据免受网络攻击
It aims to reduce the risk of cyber attacks, and protect against the unauthorised exploitation of systems, networks and technologies
它旨在降低网络攻击的风险,防止系统、网络和技术受到未经授权的利用
Three distinct elements: information security, privacy and data protection and cybercrime
三个不同的要素:信息安全、隐私和数据保护以及网络犯罪
Information Security 信息安全
Seeks to protect all information assets, whether in hard copy or in digital form
力求保护所有信息资产,无论是纸质副本还是数字形式
Information is one of the most valuable assets
信息是最有价值的资产之一
Good business practice
Digital revolution changed how people communicate and conduct business
数字革命改变了人们沟通和开展业务的方式
New possibilities & challenges
Privacy and Data Protection 隐私与数据保护 (概念辨析)
Data privacy are the regulations, or policies, that governs the use of my data when shared with any entity
数据隐私是指在与任何实体共享时管理我的数据使用的法规或政策
Data protection is the mechanism — that is, the tools and procedures — to enforce the policy and regulation, including the prevention of unauthorized access or misuse of the data that I agreed to share
数据保护是一种机制,即工具和程序,用于执行政策和法规,包括防止未经授权的访问或滥用我同意共享的数据
- 这两个都是Control of personal data
- PPT给出了对control的定义,可以拿来凑字数。Control = the ability to specify the collection, use, and sharing of their data
Information Security x Privacy (概念辨析)
Privacy is an individual’s right to control the use and disclosure of their own personal information
隐私是个人控制使用和披露自己个人信息的权利
Information security is the process used to keep data private
信息安全是用来保持数据私密性的过程
- Security is the process; privacy is the result
Cybercrime 网络犯罪
Cybercrime is an act that violates the law, by using information and communication technology (ICT) to either target networks, systems, data, websites and/or technology or facilitate a crime
网络犯罪是一种违法行为,通过使用信息和通信技术(ICT)攻击网络、系统、数据、网站和/或技术,或为犯罪提供便利
Cybercrime knows no physical or geographic boundaries and can be conducted with less effort, greater ease, and at greater speed and scale than traditional crime
网络犯罪没有物理或地理的界限,与传统犯罪相比,可以更轻松、更轻松、更快、更大规模地进行
这门课我们会学到的三方面的Cybersecurity Law
- Information security obligations 信息安全义务
- Privacy and data protection laws 隐私和数据保护法
- Cybercrime substantive and procedural laws 网络犯罪实体法和程序法
网络安全遇到的Challenge
Technical
Growing number of devices
越来越多的设备
Every computer program, app or website are also software and software often has vulnerabilities
每一个电脑程序,应用程序或网站也是软件,软件往往有漏洞
A virtualized information technology infrastructure (cloud services)
虚拟化的信息技术基础设施(云服务)
Legal
Increasing number, scope and complexity of legal obligations in relation to information security, privacy and data protection, different approaches
与信息安全、隐私和数据保护有关的法律义务的数量、范围和复杂性不断增加,方法也有所不同
Different legal systems between countries, variations in national cybercrime laws, differences in the rules of evidence and criminal procedure, applicability of international treaties
各国法律体系不同,各国网络犯罪法律的差异,证据规则和刑事诉讼规则的差异,国际条约的适用性
网络安全的Trends
With the advent of new technologies (e.g., Internet of Things, drones, robots, self-driving cars), new cybercrime trends will be identified and therefore new information security and privacy measures will need to be developed
随着新技术(如物联网、无人机、机器人、自动驾驶汽车)的出现,将发现新的网络犯罪趋势,因此需要制定新的信息安全和隐私措施
Cyber attacks may involve:
- SPAM with the capacity to deliver range of malware
- 有能力传递各种恶意软件的垃圾邮件
- Spyware and keystroke loggers (3,7 million South Carolina tax records)
- 间谍软件和键盘记录(南卡罗来纳州3700万份税务记录)
- Worms, virus, Trojans
- 蠕虫病毒特洛伊木马
- Phishing / Spear Phishing / Whaling
- 钓鱼/鱼叉钓鱼/捕鲸
- DoS / DDoS
Drivers of Cybersecurity
- Legal
- Growing legal framework establishing safeguarding and information obligation
- 建立保护和信息义务的法律框架不断完善
- Regulatory
- Growing enforcement as a response to ineffective self-regulation
- 加强执法是对无效的自我监管的回应
- Commercial
- Growing awareness of risk, economic and legal consequences, trustworthiness of business transactions
- 对风险、经济和法律后果、商业交易可信度的意识不断增强
Information Security 是要保护什么
Processes, procedures and infrastructure to preserve:
- confidentiality 保密性
- integrity 完整性
- availability of information 信息的可用性
- 这三个简称CIA
Confidentiality 保密性
Confidentiality means that only people with the right permission can access and use information
保密性意味着只有获得正确许可的人才能访问和使用信息
Protecting information from unauthorised access at all stages of its life cycle
保护信息在其生命周期的所有阶段不受未经授权的访问
Information must be created, used, stored, transmitted, and destroyed in ways that protect its confidentiality
信息的创建、使用、存储、传输和销毁必须以保护其保密性的方式进行
Ensuring confidentiality – encryption, access controls
确保机密性-加密,访问控制
Compromising confidentiality – (intentional) shoulder surfing, social engineering; (accidental) publication
泄露机密——(有意的)肩窥,社会工程;(偶然的)公之于众
It may result in identity theft, threats to public safety
这可能会导致身份盗窃,威胁公共安全
Integrity 完整性
Integrity means that information systems and their data are accurate
完整性意味着信息系统及其数据是准确的
Changes cannot be made to data without appropriate permission
没有适当的许可,不能对数据进行更改
Ensuring integrity – controls ensuring the correct entry of information, authorization, antivirus
确保完整性-控制确保信息、授权、防病毒的正确输入
Compromising integrity – (intentional) employee or external attacks; (accidental) employee error
损害诚信——(故意的)员工或外部攻击;(偶然的)员工失误
Authentication 身份验证
Specific to integrity and confidentiality considerations
具体到完整性和保密性的考虑
Ensuring that a machine or person is that which they purport to be
确保机器或人是他们所宣称的样子
- Creator/sender/signatory of record 记录的创建者/发送者/签署人
- Person who seeks access to it 寻求接近它的人
In analogue world, signatures, handwriting, in person attestation, witnesses, notary public, etc.
在模拟世界中,签名、笔迹、亲自认证、证人、公证人等。
In digital world, may not only be a person but also machine we are seeking to authenticate
在数字世界中,我们要验证的可能不仅是人,还有机器
- Digital Signatures – electronic PKI, other certificates of trust 数字签名-电子PKI,其他信任证书
Availability
Availability is the security goal of making sure information systems are reliable
可用性是确保信息系统可靠的安全目标
Data is accessible
数据是可访问的
Individuals with proper permission can use systems and retrieve data in a dependable and timely manner
获得适当许可的个人可以可靠和及时地使用系统和检索数据
Ensuring availability – recovery plans, backup systems
确保可用性-恢复计划,备份系统
Compromising availability – (intentional) denial of service (DoS) attack, (accidental) outage
影响可用性-(故意的)拒绝服务(DoS)攻击,(意外的)停机
Mitigating risks to the trustworthiness of information of corporations and governments 降低企业和政府信息可信度的风险的方法
- Development of strategies and 制定策略
- Implementation to technologies and procedures in order to preserve its 实施以技术和程序为主,以保存其
- confidentiality
- integrity, and
- availability
Risk management 风险管理
Risk management as means to justify information security laws
风险管理作为证明信息安全法律合理性的手段
= process of listing the risks that an organization faces and taking steps to control them
列出组织面临的风险并采取措施控制这些风险的过程
- Vulnerabilities 缺陷
- Threats 威胁
- Risks 风险
- Safeguards 保障措施
Vulnerabilities 缺陷
- weakness or flaw in the information system that can be exploited 信息系统中可以被利用的弱点或缺陷
- Construction, design mistake 结构、设计错误
- Flaws how internal safeguards is used/not used 内部安全措施使用/不使用的缺陷
Successful attacks take place when vulnerability is exploited
当漏洞被利用时,就会发生成功的攻击
Vulnerabilities的四方面
People
- separation of duties principle 职责分离原则
- two or more people need to split a critical task functions 两个或两个以上的人需要拆分一个关键任务的职能
- separation of duties principle 职责分离原则
Process
- flaws in organization’s procedures 组织程序上的缺陷
- missing step in a checklist/no checklist, failure to apply hardware and software patches 检查表中缺少步骤/没有检查表,未能应用硬件和软件补丁
- flaws in organization’s procedures 组织程序上的缺陷
Facility 设备
- flaws in physical infrastructure 物理基础设施缺陷
- fences, locks, CCTV cameras 围栏,门锁,监控摄像头
- flaws in physical infrastructure 物理基础设施缺陷
Technology
- design flaws 设计缺陷
- unpatched applications, improperly configured equipment 未打补丁的应用程序,配置不当的设备
- design flaws 设计缺陷
Threats
Anything that can cause harm to an information system – successful exploits of vulnerabilities
任何可能对信息系统造成伤害的东西——成功地利用漏洞
- Threats to information, networks, systems have increased 对信息、网络和系统的威胁有所增加
- More devices, more use, more ‘always on’ 更多的设备,更多的使用,更多的“总是开启”
- More complex networks with greater ‘attack surface’ 具有更大“攻击面”的更复杂网络
- More devices with IoT; smart watches possibly not connected to enterprise authentication systems 更多物联网设备;智能手表可能没有连接到企业认证系统.
- Attacks have grown more sophisticated 攻击变得更加复杂
- Attacks that take months to achieve goals; undetected
- ‘Ransomware’ = threat to encrypt data unless paid “勒索软件”=威胁加密数据,除非付费
- Attacks that take months to achieve goals; undetected
Relationship between a vulnerability and a threat
An organization does not have sufficient controls to prevent an employee from deleting critical computer files (lack of controls – vulnerability). An employee could delete files by mistake (employee – source of threat) (deleting critical files – threat). If the files are deleted, successful exploit of the vulnerability has taken place. If the file is not recoverable, the incident harms the organizations and its security. Availability is compromised.
组织没有足够的控制来防止员工删除关键的计算机文件(缺乏控制-漏洞)。员工可能误删文件(员工-威胁来源)(删除关键文件-威胁)。如果文件被删除,则表明该漏洞已被成功利用。如果文件不可恢复,则该事件将损害组织及其安全。可用性受到影响。
【简而言之,threat是利用了vulnerability达到的结果,是一个“事件”,而vulnerability是可以利用的漏洞,是一个“东西”】
Threats的四方面
Human
- internal and external, includes well-meaning employees and external attackers 内部和外部,包括善意的员工和外部攻击者
Natural
- uncontrollable events (fire, flood) 不可控制事件(火灾、洪水)
Technology and operational
- operate inside information systems (malicious code, hardware and software failures) 在信息系统内部操作(恶意代码、硬件和软件故障)
Physical and environmental
- lack of physical security 缺乏人身安全保障
- Accidental or intentional 意外或故意
- Internal or external attackers 内部或外部攻击者
- lack of physical security 缺乏人身安全保障
Risks
a likelihood that a threat will exploit a vulnerability and cause harm, where the harm is the impact to organization
威胁利用漏洞并造成危害的可能性,其中危害是对组织的影响
** Risk = vulnerability + threat **
Risks can occur at any layer of the information system:
- At the physical hardware or device layer, e.g. when a flood renders servers stored in a basement unavailable; 在物理硬件或设备层,例如当洪水导致存储在地下室的服务器不可用;
- At the various software layers, e.g. when hackers exploit a vulnerability in software; 在各个软件层,例如当黑客利用软件中的漏洞时;
- At the network layer, e.g. when a hacker intercepts data packets as they pass through the network from sender, via routers, to receiver; or, 在网络层,例如,当数据包从发送方通过路由器通过网络传递到接收方时,黑客会拦截数据包
- At the user layer, e.g. through ‘social engineering’, such as convincing users to share their passwords through ‘phishing’ emails 在用户层,例如通过“社会工程”,例如说服用户通过“网络钓鱼”电子邮件分享他们的密码
Risk analysis and management to classify and respond to risks
风险分析和管理,对风险进行分类和应对
Probability a threat will exploit a vulnerability – high, medium, low
威胁利用漏洞的概率-高,中,低
Information security impact – loss of confidentiality, integrity and availability
信息安全影响-机密性、完整性和可用性的损失
Other impacts – loss of life, productivity or profit, property and reputation
其他影响-生命、生产力或利润、财产和声誉的损失
Assessment of impact – address risks that have large impact on information security
影响评估-解决对信息安全有重大影响的风险
Types of responses: risk avoidance, risk mitigation, risk transfer, risk acceptance
反应类型:风险规避、风险缓解、风险转移、风险接受
Safeguards
safeguard reduces the harm posed by information security vulnerabilities or threats
保障措施降低信息安全漏洞或威胁带来的危害
Safeguards can be put in place at all layers of the system:
- At the physical hardware or device layer, e.g. by physically securing server rooms against flooding; 在物理硬件或设备层,例如通过物理保护服务器机房免受水浸;
- At the various software layers, e.g. by installing the latest patches; 在不同的软件层面,例如安装最新的补丁;
- At the network layer, e.g. by using virtual private networks (‘VPN’); and, 在网络层,例如使用虚拟专用网络(VPN)
- At the user layer, by ensuring that all personnel receive appropriate training to recognise phishing emails and other forms of social engineering. 在用户层,通过确保所有人员接受适当的培训,以识别网络钓鱼电子邮件和其他形式的社会工程
Safeguards的三方面
- Administrative 管理
- actions and rules implemented to protect information (need to know rule) 为保护信息而实施的操作和规则(需要了解规则)
- Technical
- logical rules that state how systems will operate (least privilege rule) 描述系统如何运行的逻辑规则(最小特权规则)
- Physical
- actions to protect actual physical resources 保护实际物理资源的行动
Mechanisms Ensuring Information Security 保障信息安全的机制
No single information security law – no single definition
没有单一的信息安全法律,没有单一的定义
Different potential sources of liability: statutes, regulations, contracts, organizational governance, voluntary organizations, private law tort
不同的潜在责任来源:法规、规章、合同、组织治理、自愿组织、私法侵权
Different kinds of information often sought to be protected:
- personal data under data protection laws 数据保护法下的个人数据
- corporate financial information 企业财务信息
- health information 健康信息
- credit card information 信用卡信息
No such thing as perfect information security 没有完美的信息安全
Sources of Obligations
- Laws – rules – regulations
- Common law
- body of law that developed through legal tradition and court cases (case law/judge-made law) – impact on torts, contract, and property law 通过法律传统和法庭案件(判例法/法官制定的法律)发展起来的法律体系——对侵权法、合同法和财产法的影响
- Statutory law 成文法
- written law that is adopted by the governments 政府通过的成文法
- 【关于这两个法律的不同:(以下斜体答案来自newBing)The main difference between common law and statutory law is that common law is based on precedent, or previous court decisions, while statutory law is based on written laws passed by a legislature or other government agency. Common law is also procedural, meaning it regulates how lawsuits are conducted, while statutory law is substantive, meaning it defines rights and duties of citizens 普通法和成文法之间的主要区别在于普通法是基于先例或以前的法院判决,而成文法是基于立法机关或其他政府机构通过的成文法。普通法也是程序法,这意味着它规定了诉讼如何进行,而成文法是实体法,这意味着它规定了公民的权利和义务】
- Rules
- governments delegate power to agencies to create rules, enforce rules, and review rules 政府授权各机构制定规则、执行规则和审查规则
- Regulations
- regulatory authorities have the power to create and enforce regulations 监管机构有权制定和执行法规
- Common law
- Standards
Common Law
Tort law
- A tort, in common law jurisdictions, is a civil wrong that unfairly causes someone else to suffer loss or harm resulting in legal liability for the person who commits the tortious act 侵权行为,在普通法司法管辖区,是一种民事错误,不公平地导致他人遭受损失或伤害,并导致实施侵权行为的人承担法律责任
- Duty – breach – causation – harm elements
Contract Law
- A contract is an agreement, giving rise to obligations, which are enforced or recognised by law 合同是一种协议,产生了由法律强制执行或承认的义务
Regulations 规则
Sector regulators are increasingly auditing companies for their information security management and also issuing ‘regulatory guidance’ or ‘best practice advisories’ on information security
行业监管机构越来越多地对公司的信息安全管理进行审计,并发布关于信息安全的“监管指导”或“最佳实践建议”
Standard
Emerging guidance in form of ‘standards’
以“标准”形式出现的指导
These standards determine how to comply with a legal duty or self-imposedobligation for adequate/reasonable/appropriate information security
这些标准确定如何遵守充分/合理/适当的信息安全的法定义务或自我强制义务
- Standards bodies (ISO; PCI Council)
- International organizations (OECD Guidelines)
- Recent legislation with regulations detailing the necessary steps to the process that will meet the duty of care (GLBA, HIPAA)
Statutes 议会立法,章程
都是一些例子,直接看图得了
Scope of Obligations
These legal obligations specify a duty:
这些法律义务规定了一种义务:
- For example, to provide adequate or reasonable or appropriate security 例如,提供充分的、合理的或适当的保障
They don’t usually give specific guidance as to what that means or how it is to be accomplished
他们通常不会给出具体的指导,说明这意味着什么或如何实现
Issues
The duty to keep information secure is not further specified in the statutes
保护信息安全的义务在法规中没有进一步规定
The GDPR indicates: ‘Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.’
GDPR指出:“考虑到技术水平和实施成本,此类措施应确保与处理所代表的风险和被保护数据的性质相适应的安全水平。”
A cost/risk analysis qualifies an appropriate level of security
成本/风险分析确定了适当的安全级别
【上面这些东西确实没有一条主逻辑链,所以ppt很乱,我整理的也很乱,将就看吧,也没啥内容】
什么是cybersecurity中的cyber
It might potentially include any device that has the ability to communicate
它可能包括任何具有通信能力的设备
- Cybersecurity refers to the systems, contracts and policies we put in place to manage risk with regards to Cyberspace 网络安全是指我们为管理网络空间风险而制定的系统、合同和政策
网络安全的main risk areas
- Threats to corporate files 公司文件威胁
- Loss of files 文件丢失
- Email attacks and theft 电子邮件攻击和盗窃
- Threats to industrial control systems 对工业控制系统的威胁
- Threats to confidential information 对机密信息的威胁
- Other commercial risks
网络安全的main vulnerabilities
- Password and policy issues 密码和策略问题
- BYOD and shadow IT BYOD和影子IT
- Loss or theft of devices 设备丢失或被盗
- Technical flaws 技术的缺陷
- Out-of-date applications 过时的应用程序
- Insider threats 内部威胁
- Data storage issues 数据存储问题
- SQL injections, cryptographic flaws SQL注入,密码漏洞
- Cloud-based storage and systems 基于云的存储和系统
接下来要谈的是EU的information security相关问题
Conclusions of EU
【为什么把conclusion放前面,因为PPT的东西太乱了,conclusion给的应该都是重点,带着这些重点再往后看】
- No single source of Information Security obligations – no single definition 没有单一来源的信息安全义务-没有单一的定义
- Different types of information – different level of protection –different mechanisms 不同类型的信息——不同级别的保护——不同的机制
- EU approach is a principle-based regulation 欧盟的做法是基于原则的监管
Directives / Regulations 指示/规例
- Privacy
- EU General Data Protection Regulation (GDPR) 欧盟的通用数据保护条例
- Telecommunications networks/services
- ePrivacy Directive (regulates the use of electronic communications services) 电子资料私隐指引(规管电子通讯服务的使用)
- Critical Infrastructure 关键基础设施
- Network and Information Systems Directive (NIS Directive) 网络和信息系统指令(NIS指令)
GDPR
Introduction
Organisations that decide to collect and process personal data for their own purposes are known as controllers
决定为自己的目的收集和处理个人数据的组织被称为控制者
A controller may engage a service provider or processor to process personal data on behalf of the controller
控制者可以聘请服务提供者或处理者代表控制者处理个人数据
A processor is an individual or legal person or other body that processes personal data on behalf of the controller
处理者是指代表控制者处理个人数据的个人、法人或其他团体
Scope
The GDPR regulates the processing of personal data
GDPR规范了个人数据的处理
Personal data is any information relating to an identified or identifiable natural person (‘data subject’)
个人数据是指与已识别或可识别自然人(“数据主体”)有关的任何信息。
Identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
可识别自然人是指可以直接或间接识别的自然人,特别是通过参考一个标识符,如姓名、识别号码、位置数据、在线标识符,或参考该自然人的身体、生理、遗传、心理、经济、文化或社会身份的一个或多个特定因素
Relates to living individuals only
只涉及活着的个人
Special categories of personal data is subject to a stricter regime
特殊类别的个人资料受到更严格的制度管制
- Racial or ethnic origin 种族或民族起源
- Political opinions 政治意见
- Religious or philosophical beliefs 宗教或哲学信仰
- Trade union membership 工会会员资格
- Genetic data 遗传学数据
- Biometric data for the purpose of uniquely identifying a natural person 用于唯一识别自然人的生物特征数据
- Data concerning health 关于健康的数据
- Data concerning a natural person’s sex life or sexual orientation 有关自然人性生活或性取向的资料
Principles
- Principles-based regulation 基于原则的监管
- The EU has adopted similar risk-based safeguarding and information obligations in respect of telecommunication networks and payment services, as well as under the NIS Directive and the e-Privacy Directive 欧盟在电信网络和支付服务方面,以及在NIS指令和电子隐私指令下,也采取了类似的基于风险的保障和信息义务
- Lawfulness, fairness and transparency 依法、公平、透明
- Purpose limitation 目的限制
- Data minimisation 数据最小化
- Accuracy 准确性
- Storage limitation 储存限量
- Integrity and Confidentiality 数据完整性和隐私保护
- ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures 使用适当的技术或组织措施,确保个人资料的适当安全,包括防止未经授权或非法处理,以及防止意外遗失、破坏或损坏
- Accountability 责任
Information Security Obligation 信息安全义务
- Safeguarding obligations, which require organisations to put in place ‘appropriate and proportionate’ security measures, and 保护义务,要求组织实施“适当和相称的”安全措施
- Information obligations, which require the sharing or disclosure of information 信息义务,即要求分享或披露信息
- Article 32 requires that the controller:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk 考虑到技术水平、实施成本、处理的性质、范围、背景和目的,以及对自然人的权利和自由具有不同可能性和严重程度的风险,控制者和处理者应实施适当的技术和组织措施,以确保与风险相适应的安全水平
- This includes, inter alia: 其中包括:
- the pseudonymisation and encryption of personal data; 个人资料的假名化和加密;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 确保处理系统和服务的持续保密性、完整性、可用性和弹性的能力;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; 在发生物理或技术事件时,及时恢复个人数据的可用性和访问的能力;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing 定期测试、评估和评价确保处理安全的技术和组织措施的有效性的过程
- 【关于inter alia,详情可以看interalia在法律文件中的使用及译法 (baidu.com),拉丁语,可以理解为“其中”的意思】
Information Obligation
- Article 33 creates a legal a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority 第33条规定,所有组织都有法律义务向相关监管机构报告某些类型的个人数据泄露
- within 72 hours of becoming aware of the breach, where feasible 在可能的情况下,在72小时内发现该漏洞
- Article 34 requires the controller to notify data subjects affected or potentially affected by breach 第34条要求控制者通知受违约影响或可能受违约影响的数据主体
Data Breach 数据外泄
Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
数据泄露是指违反安全导致意外或非法破坏、丢失、更改、未经授权披露或访问个人数据
- This includes breaches that are the result of both accidental and deliberate causes 这包括意外和故意原因造成的违约
- A security incident that has affected the confidentiality, integrity or availability of personal data 影响个人资料的机密性、完整性或可用性的安全事件
When a personal data breach has occurred, organisations need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms
当发生个人数据泄露时,组织需要确定由此对人们的权利和自由造成风险的可能性和严重程度
- Likelihood of risk –> need to report it 有风险的可能性- >需要报告
- No likelihood of risk –> no need to report it 风险的可能性- >需要报告
The adverse affect of a security incident on individuals may include emotional distress, and physical and material damage
安全事件对个人的不利影响可能包括情绪困扰、身体和物质损害
Contract Law相关
GDPR Article 28 states that controllers must include in contracts with processors
GDPR第28条规定,控制者必须在与处理者的合同中包括
- The processor shall not engage another processor without prior specific or general written authorisation of the controller 未经控制者事先明确或一般书面授权,处理者不得与其他处理者接触
- Processing by a processor shall be governed by a contract or other legal act 处理者的处理应受合同或其他法律行为的约束
- Sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller 列明处理的主题事项和持续时间、处理的性质和目的、个人数据的类型和数据主体的类别,以及控制者的义务和权利
NIS Directive 2
Introduction
NIS Directive 2 regulates the cybersecurity of critical national infrastructure, and updates the previous version
NIS指令2规范了关键国家基础设施的网络安全,并更新了之前的版本
- It covers more sectors and activities than before, streamlines reporting obligations and addresses supply chain security 它涵盖了比以前更多的部门和活动,简化了报告义务,并解决了供应链安全问题
It applies to providers of critical national infrastructure (CNI):
它适用于关键国家基础设施(CNI)的提供商:
- Operators of essential services (OES), which are directly responsible for CNI 直接负责CNI的基本服务(OES)运营商
- Digital service providers (DSPs), which provide services upon which others, including OES, are reliant 数字服务提供商(dsp),提供其他人(包括OES)依赖的服务
Scope
Operators of essential services (OES) provide a listed service in one of seven critical infrastructure sectors, and energy, transport, banking, financial markets, health, drinking water, and digital infrastructure
基本服务(OES)运营商在能源、交通、银行、金融市场、卫生、饮用水和数字基础设施等七个关键基础设施领域之一提供所列服务
they operate on such a scale that their service is “essential for the maintenance of critical societal and economic activities”
它们的运作规模如此之大,以至于它们的服务“对于维持关键的社会和经济活动至关重要”。
Digital service is a new subset of the category of service known as ‘information society services’ which is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services
数字服务是被称为“信息社会服务”的服务类别的一个新子集,它是指通常通过电子手段并应服务接受者的个人要求提供的有偿服务
Digital service providers (DSPs) are: 数码服务供应商包括:
- an online marketplace; 在线市场
- an online search engine; or 在线搜索引擎
- a cloud computing service 云计算服务
Tort Law
A private law mechanism
私法机制
Data controllers can be held liable under the tort of negligence for damages caused by cybersecurity incidents that they should have reasonably foreseen and prevented or mitigated
根据过失侵权法,数据控制者可能对他们本应合理预见、预防或减轻的网络安全事件造成的损害承担责任
To hold data controllers liable, a court would have to find that (i) the operator had a duty of care to the person(s) who suffered harm which (ii) the operator failed to fulfil
为了让数据控制者承担责任,法院必须认定(i)运营者对遭受伤害的人负有注意义务,而(ii)运营者未能履行
Requirement
Duty – breach – causation – harm
义务-违约-因果-损害
A duty of care may arise from:
- common law principles governing negligence 管辖过失的普通法原则
- a special / contractual relationship between the defendant and the claimant 被告与索赔人之间的特殊/合同关系
- from a statute or regulation governing a specific activity 来自管理某一特定活动的法令或规章
There must be a proximity between the parties for a duty of care to exist
为了注意义务的存在,当事人之间必须有接近性
Foreseeability means that a person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
可预见性意味着只有当一个人合理地预见到自己的过失行为会危及他人时,他才能承担责任
Damage needs to be proven by claimants – economic loss or emotional harm
损害需要由索赔人证明——经济损失或精神伤害
接下来是US的内容
Privacy and data protection - 1. HIPAA - US Health Insurance Portability and Accountability Act (health information privacy)
Personal health information is considered very sensitive
个人健康信息被认为非常敏感
- Confidential medical records 保密医疗记录
- Public embarrassment, discrimination 公众尴尬、歧视
- Medical identity theft - 医疗卡盗用
HIPAA protects privacy and security of personal health information
HIPAA保护个人健康信息的隐私和安全
Scope
Privacy and Security rules apply to covered entities and determine how they may create, store, use or disclose protected health information (PHI)
隐私和安全规则适用于所涵盖的实体,并确定它们如何创建、存储、使用或披露受保护的健康信息(PHI)。
- Applies information security principles established in other industries 应用在其他行业建立的信息安全原则
Definitions
PHI is any individually identifiable information about the health of the person, including past, present or future mental or physical health information
PHI是关于个人健康的任何可识别信息,包括过去、现在或未来的精神或身体健康信息.
Covered entities are those that handle PHI in a certain way – health plans, health care providers, health insurance companies, etc.
涉及实体是那些以某种方式处理PHI的实体——健康计划、医疗保健提供者、健康保险公司等。
It also applies to business associates of covered entities
它也适用于所涵盖实体的业务伙伴
Security Rule
Covered Entity must “implement policies and procedures to prevent, detect, contain and correct security violations.”
涉及实体必须“实施策略和程序来防止、检测、包含和纠正安全违规行为”。
The Security rule requires covered entities to use security safeguards, which must protect the confidentiality, integrity and availability of electronic protected health information (EPHI) from reasonably anticipated threats
安全规则要求所涵盖的实体使用安全保障措施,这些措施必须保护受电子保护的健康信息(EPHI)的机密性、完整性和可用性,使其免受合理预期的威胁
Security Rule Standards
The Security Rule contains instructions how to use information security safeguards
安全规则包含如何使用信息安全保障措施的说明
Also contains standards, which are required to be met for each safeguard area
安全规则包含如何使用信息安全保障措施的说明
Detailed instructions for meeting the standards are implementation specifications (IS)
满足标准的详细说明见实施规范(IS)。
Implementation Specifications(IS)
Required specifications – compulsory
所需规范 - 强制性
Addressable specifications – covered entities decide whether it is reasonable and appropriate to the particular environment and the cost to implement these
可寻址规范-涉及 实体决定其是否合理和适合特定环境以及实现这些规范的成本
Covered entity can either 涉及实体可以
- Implement the IS as published 按照发布的IS实施
- Implement some alternative (and document why) 实现一些替代方案(并记录原因)
- Not implement the IS at all (and document why) 根本没有实现IS(并记录原因)
Types of Safeguards - 三种
Administrative Safeguards 管理保障措施
- Actions, policies and procedures to prevent, detect, contain and correct information security violations 防止、检测、控制和纠正信息安全违规行为的行动、政策和程序
- The largest part of the Rule is the management process 规则中最重要的部分是管理过程
Physical Safeguards 实体防护
- Controls to protect physical resources 控制保护实体资源
Technical Safeguards 技术保障措施
- Controls applied in the hardware and software on an information system 在信息系统的硬件和软件上应用的控制
2. COPPA - Children’s Online Privacy Protection Act
Scope
Sectoral approach, the law is derived partly from federal statute, but also from state law, case law and increasingly from the decisions and guidance of the Federal Trade Commission (FTC)
部门方法,法律部分来自联邦法规,但也来自州法、判例法,越来越多地来自联邦贸易委员会(FTC)的决定和指导。
**Children’s Online Privacy Protection Act **(COPPA) requires that operators of commercial websites and online services directed to children under the age of 13, or general audience websites and online services that knowingly collect personal information from children under 13, must obtain parental consent before collecting, using, or disclosing any personal information from children under the age of 13
儿童在线隐私保护法(COPPA)要求针对13岁以下儿童的商业网站和在线服务的运营商,或故意收集13岁以下儿童个人信息的一般受众网站和在线服务的运营商,在收集、使用或披露13岁以下儿童的任何个人信息之前,必须获得父母的同意
In 2011, the FTC and the games company Playdom agreed to a $3 million settlement over Playdom’s alleged breaches of the Children’s Online Privacy Act
2011年,美国联邦贸易委员会与游戏公司Playdom就Playdom涉嫌违反《儿童在线隐私法》达成300万美元的和解协议
In 2019, Google’s YouTube paid $170 million to settle allegations by the FTC and the New York attorney general for illegally collecting personal information from children without their parents’ consent; the highest settlement yet
2019年,谷歌旗下的YouTube支付了1.7亿美元,以了结美国联邦贸易委员会和纽约总检察长对其未经父母同意非法收集儿童个人信息的指控;迄今为止最高的和解金额
3. CCPA - California Consumer Privacy Act
**California Consumer Privacy Act **(CCPA) came into effect in January 2020 – the most comprehensive privacy legislation to-date
加州消费者隐私法案(CCPA)于2020年1月生效,这是迄今为止最全面的隐私立法
*Personally identifiable information *(PII) includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (under the CCPA)
个人身份信息(PII)包括识别、涉及、描述、能够与特定消费者或家庭直接或间接关联或可以合理关联的任何信息(根据CCPA)
Applies to any business that collects or processes PII from California residents, and
适用于从加州居民收集或处理个人身份信息的任何企业,以及
- has annual gross revenues of $25,000,000 or more; 年总收入在2500万美元或以上;
- buys, collects, sells, shares, or otherwise receives the PII of 50,000 or more California consumers per year, households or devices; OR 每年购买、收集、出售、共享或以其他方式接收50,000或更多加州消费者、家庭或设备的PII;或
- derives at least 50% of its revenue from selling consumers’ personal information This will most likely capture most apps or free-to-play games 至少有50%的收益来自于销售用户的个人信息,这很可能会吸引大多数应用或免费游戏
Breach Notification Laws 违约通知法
Legislation adopted in 47 US states requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable data
美国47个州通过立法,要求私人或政府实体在涉及个人身份数据的信息安全漏洞时通知个人
Provisions include: 规定包括
- who must comply with the law (businesses, data/ information brokers, government entities); 谁必须遵守法律(企业、数据/信息经纪人、政府实体);
- definitions of ‘personal information’ (name combined with SSN, drivers license or state ID, account numbers); “个人信息”的定义(姓名与社会安全号码、驾驶执照或州身份证、账号的组合);
- what constitutes a breach (unauthorized acquisition of data); 什么构成违规(未经授权获取数据);
- requirements for notice (timing or method of notice, who must be notified) 通知要求(通知的时间或方法,必须通知谁)
FTC - Federal Trade Commission Act
Consumer Protection Regulations
消费者保障条例
FTC is an independent federal agency and the most important regulatory authority for consumer protection issues
联邦贸易委员会是一个独立的联邦机构,也是消费者保护问题最重要的监管机构
Section 5 forbids unfair and deceptive trade practices
第5条禁止不公平和欺骗性的贸易行为
The FTC has now brought over 50 information security cases
联邦贸易委员会目前已经提起了50多起信息安全案
Scope
Unfair 不公平
- Causes or likely to cause substantial harm/injury to consumer 对消费者造成或可能造成重大损害/伤害的
- Consumer cannot reasonably avoid the harm 消费者不能合理地避免伤害
- There is not a benefit to the practice that outweighs the harm 这种做法的利大于弊
Deceptive 欺骗性
- Representation or omission likely to mislead the consumer 可能误导消费者的陈述或遗漏
- Not reasonable from the perspective of the consumer 从消费者的角度来看是不合理的
- Affects consumer’s decision; harm as otherwise, likely another decision 影响消费者决策;伤害,否则,可能是另一个决定
Priorities 优先处理的事
Children Under 18: Harmful conduct directed at children under 18 has been a source of significant public concern, now, FTC staff will similarly be able to expeditiously investigate any allegations in this important area
** 18岁以下儿童**:针对18岁以下儿童的有害行为一直是公众关注的一个重要来源,现在,联邦贸易委员会的工作人员将同样能够迅速调查这一重要领域的任何指控
Algorithmic and Biometric Bias*: *Allows staff to investigate allegations of bias in algorithms and biometrics
算法和生物识别偏见*:*允许员工调查算法和生物识别偏见的指控
Deceptive and Manipulative Conduct on the Internet: This includes, but is not limited to, the “manipulation of user interfaces,” including but not limited to dark patterns, also the subject of a recent FTC workshop
互联网上的欺骗和操纵行为:这包括但不限于“用户界面的操纵”,包括但不限于黑暗模式,这也是最近FTC研讨会的主题
Limitations
In April 2021, the Supreme Court ruled in AMG Capital Mgmt., LLC v. FTC that the agency lacks power to seek monetary recovery under Section 13 of the FTC Act
2021年4月,最高法院对AMG资本管理公司一案做出了裁决。诉联邦贸易委员会,根据联邦贸易委员会法案第13条,该机构缺乏寻求金钱赔偿的权力
- To be rectified by the Congress? 要被国会纠正吗?
Lack of technical expertise and staff to regulate consumer cybersecurity
缺乏管理消费者网络安全的技术专长和人员
The ideal solution is for Congress to create a robust cybersecurity framework and an agency empowered to enforce it
理想的解决方案是国会建立一个健全的网络安全框架,并授权一个机构来执行它
For the time being, FTC fills a void in America’s cybersecurity ecosystem
目前,FTC填补了美国网络安全生态系统的空白
Tort Law
侵权法:一种民事法律制度,用于处理因他人的过失或不法行为而造成的损害赔偿问题。
Information security lawsuits include claims of negligence, **breach of fiduciary duty **or breach of contract, individually or together, are common
信息安全诉讼包括疏忽,违反信义义务或违反合同的索赔,单独或一起,是常见的
**Negligence **is generally defined as a breach of the duty not to impose an unreasonable risk on society
玩忽职守一般定义为违反不给社会带来不合理风险的义务
**Breach of fiduciary duty **is a failure to fulfil an obligation to act in the best interest of another party
违反信义义务是指未能履行为另一方的最佳利益行事的义务
Some recent cases have argued that data breaches are subject to strict liability
最近的一些案例认为,数据泄露需要承担严格的责任
**Strict liability **means that the manufacturer of a product is automatically responsible for any injuries caused by the product (typically product liability cases)
严格责任是指产品制造商自动对产品造成的任何伤害负责(通常是产品责任案件)。
Negligence 玩忽职守
To establish a claim, plaintiff has to prove:
要提出索赔,原告必须证明:
the existence of a legal duty on the part of the defendant not to expose the plaintiff to unreasonable risks 被告负有不使原告面临不合理风险的法律义务
a breach of the duty – a failure on the part of the defendant as act reasonably, 违反义务-被告一方未能“合理”行事
a causal connection between defendant’s conduct and plaintiff’s harm and 被告的行为与原告的伤害之间存在因果关系
actual damage to the plaintiff resulting from the defendant’s negligence 由于被告的过失而对原告造成的实际损害
Negligence – Foreseeability 可预见性
Central concept of the law of negligence
过失侵权法的核心概念
A person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
一个人只有在合理地预见到自己的过失行为会危及他人的时候才能被追究责任
A database owner fails to patch a security vulnerability, thereby paving the way for a cyber attacker to obtain unauthorized access to confidential information
数据库所有者未能修补安全漏洞,从而为网络攻击者未经授权访问机密信息铺平了道路
Negligence - Cases
In Anderson v. Hannaford Brothers Co., a third party stole a grocery store’s debit and credit card data, and the court used a negligence standard to assert a standard of care based on breach of implied contract
安德森诉汉纳福德兄弟公司案。在美国,第三方窃取了杂货店的借记卡和信用卡数据,法院使用过失标准来主张基于违反默示合同的注意标准
In Patco Construction Co. v. People’s United Bank, the bank had a state-of-the-art security program, but failed to set the fraud activity triggers at an appropriate level
在Patco Construction Co.诉People 's United Bank案中,该银行拥有最先进的安全程序,但未能将欺诈活动触发器设置在适当的级别
Fiduciary Duty
受托责任:一种法律义务,要求承担受托责任的人(如律师、银行家、公司董事等)在处理他人财产或事务时,必须诚实、忠实、谨慎地行事,以保护受益人的利益
Special relationships – between a provider and consumer, employer and employee, or fiduciary and beneficiary – is usually based on a contractual promise (explicit or implied)
特殊关系——提供者和消费者、雇主和雇员、受托人和受益人之间的关系——通常基于合同承诺(明示或暗示)。
Corporations owe fiduciary and good faith duties to shareholders to obey the scope of powers, be diligent and act for corporation’s interests
公司对股东负有信义和诚信义务,必须遵守职权范围,勤勉尽责,为公司利益而行动
To establish a claim, plaintiff has to prove:
要提出索赔,原告必须证明:
- the existence of a binding agreement; 有约束力的协议的存在
- the non-breaching party fulfilled its obligations, if it had any; 非违约方履行了自己的义务(如果有的话)
- the breaching party failed to fulfil obligations; 违约方未履行义务的;
- the lack of a legal excuse; and 缺乏合法的借口
- the existence of damages sustained due to the breach 由于违约而遭受损害的存在
Tort Law – Statutes II 章程
A statute may impose a duty of care for how entities use or limit access to personal information in the normal course of business
对于实体在正常业务过程中如何使用或限制对个人信息的访问,法规可能会规定注意义务
Statutes 法规
- Fair Credit Reporting Act 公平信赖报告法案
In *Equifax *data breach, the Fair Credit Reporting Act imposes a specific statutory duty to maintain reasonable procedure to ensure information security and failure to do so creates civil liability for non- compliance
在Equifax数据泄露事件中,《公平信用报告法》规定了维护合理程序以确保信息安全的具体法定义务,否则将因不遵守规定而承担民事责任
Tort Law – Harm
Actual harm is the most straightforward
实际的伤害是最直接的
Concrete and particularized injury that is actual or imminent, not conjectural or hypothetical
实际的或即将发生的具体的和特殊的伤害,而不是推测的或假设的
Problematic for cases of data breaches
在数据泄露的情况下是有问题的
Theory of ‘future harm’ establishing a threat of future identity theft
“未来伤害”理论建立了未来身份盗窃的威胁
Harm的cases
In these cases, the hackers intentionally targeted the personal information compromised in the data breaches – evidence of harm
在这些情况下,黑客故意针对数据泄露中受损的个人信息-伤害的证据
- In *Galaria (hackers broke into Nationwide’s computer network and stole the personal information of 1.1 million customers), 在Galaria *(黑客侵入了全国保险公司的计算机网络,窃取了110万客户的个人信息),
- In *Remijas (why else would hackers break into a store’s database and steal consumers’ private information?) 在Remijas *(否则为什么黑客会闯入商店的数据库并窃取消费者的私人信息?)
- In *Pisciotta (scope and manner of intrusion into banking website’s hosting facility was sophisticated, intentional and malicious), 在Pisciotta *中(入侵银行网站托管设施的范围和方式是复杂的、故意的和恶意的),
On the other hand, in *Katz *and *Beck *the claims were too speculative, there was no evidence that the stolen information has been accessed or misused or that they have suffered identity theft
另一方面,在*Katz 和Beck *中,这种说法过于推测,没有证据表明被盗信息已被访问或滥用,也没有证据表明他们遭受了身份盗窃
Contract Law
Breach of contract is the failure to fulfil a condition of a contract
违反合同是指没有履行合同的条件
Data breach claims – written agreement or privacy policy or that state consumer protection laws create an implied contract
数据泄露索赔-书面协议或隐私政策或州消费者保护法创建的隐含合同
COPPA, HIPAA, and others require contracts with processors, other third parties with obligations to ensure that information is kept secure
COPPA、HIPAA和其他要求与处理者、其他有义务确保信息安全的第三方签订合同
The Massachusetts Data Security Regulations addresses the selection of third-party vendors, requiring companies to take *reasonable *steps to select and retain vendors that have the capacity to maintain appropriate security measures for personal information
《马萨诸塞州数据安全条例》涉及第三方供应商的选择,要求公司采取“合理”步骤选择并保留有能力为个人信息维护适当安全措施的供应商
Vendors also must be contractually required to maintain safeguards
供应商还必须按照合同要求维护保障措施
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB
支付卡行业数据安全标准(PCI DSS)是一个专有的信息安全标准,适用于处理来自主要信用卡方案(包括Visa、MasterCard、American Express、Discover和JCB)的品牌信用卡的组织
Control objectives: 控制目标
- Build and maintain a secure network and systems 建立和维护一个安全的网络和系统
- Protect cardholder data 保护持卡人资料
- Maintain a vulnerability management program 维护一个漏洞管理程序
- Implement strong access control measures 实施强有力的访问控制措施
- Regularly monitor and test networks 定期监控和测试网络
- Maintain an information security policy 维护信息安全策略
接下来是China的内容
PRC Cybersecurity Law
Provides for supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection over personal information
明确网络空间监管权限,明确网络运营者的安全义务,加强对个人信息的保护
It also establishes a regulatory regime in respect of critical information infrastructure and imposes data localization requirements for certain industries
条例亦就关键资讯基建设立规管制度,并规定某些行业的数据本地化规定
Network operators must adopt technological measures and other necessary measures to ensure the security of personal information they gather, and prevent personal information from being leaked, destroyed or lost
网络运营者必须采取技术措施和其他必要措施,确保所收集的个人信息安全,防止个人信息泄露、破坏或者丢失
Network operators are subject to the following requirements when collecting and using personal information:
网络运营者在收集和使用个人信息时,应当遵守以下要求:
- Collection and use of personal information must be legal, proper and necessary. 收集和使用个人信息必须合法、适当和必要。
- Network operators must clearly state the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected. 网络运营者必须明确收集、使用个人信息的目的、方法和范围,并征得被收集人的同意;不收集与所提供服务无关的个人信息。
- Network operators shall not disclose, alter, or destroy collected personal information; without the consent of the person from whom the information was gathered, such information shall not be provided to others. 网络运营者不得泄露、篡改、销毁收集到的个人信息;未经被收集人同意,不得向他人提供该信息。
- In the event of a data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations. 在发生数据泄露或者可能发生数据泄露的情况下,网络运营商必须采取补救措施,及时通知用户,并按照有关规定向政府主管部门报告。
- In case of an illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction. 非法或者未经授权收集、使用个人信息的,有权要求网络运营者删除个人信息;当收集到的信息有误时,个人可以要求更正。
Operators of Critical Information Infrastructure 关键信息基础设施运营商
Regulators and law enforcement have wide discretionary powers to review and inspect the IT systems of companies
监管机构和执法部门拥有广泛的自由裁量权,可以审查和检查企业的IT系统
CSL requires critical information infrastructure operators in important sectors to fulfil certain security protection obligations
《信息安全法》要求重要行业的关键信息基础设施运营者履行一定的安全保护义务
There is no definition yet of which organisations qualify as operators of critical information infrastructure
目前还没有关于哪些组织有资格成为关键信息基础设施运营商的定义
The Civil Code
‘Personal information’ is defined as all kinds of information recorded by electronic or otherwise that can be used to independently identify or be combined with other information to identify specific natural persons, including the natural persons’ names, dates of birth, ID numbers, biometric information, addresses, telephone numbers, email addresses, health information, whereabouts, etc.
“个人信息”是指以电子或其他方式记录的可用于独立识别或与其他信息结合识别特定自然人的各种信息,包括自然人的姓名、出生日期、身份证号码、生物特征信息、地址、电话号码、电子邮件地址、健康信息、行踪等。
The Specification makes minor wording changes to the definition of ‘personal information’ under the CSL and the Civil Code
该规范对《个人信息法》和《民法典》中“个人信息”的定义进行了细微的措辞修改
It also defines the ‘personal sensitive information’ as personal information that may cause harm to personal or property security, or is very likely to result in damage to an individual’s personal reputation or physical or mental health or give rise to discriminatory treatment, once it is leaked, unlawfully provided or abused
它还将"个人敏感信息"定义为一旦泄露、非法提供或滥用,可能对人身或财产安全造成损害,或极有可能对个人声誉或身心健康造成损害,或造成歧视待遇的个人信息
Data Localization
**Personal Information Protection Law (PIPL) **sets out a stricter data localization requirement, requiring that personal information processed by state organs, critical information infrastructure operators (not yet defined), and data processors that have reached or exceeded the personal information processing threshold, shall be stored inside China or undergo risk assessment by the National Cyberspace Administration or related departments when cross-border data transfer is required
**《个人信息保护法》**提出了更严格的数据本地化要求,要求国家机关、关键信息基础设施运营者(未明确定义)、数据处理者处理的个人信息,达到或超过个人信息处理阈值的,在需要跨境数据传输时,应当存储在中国境内,或者由国家网信办或相关部门进行风险评估
To comply with this law, many US and EU companies have been taking compliance measures, such as segregating local Chinese data from other data. Various companies have also started offering cloud services (including Microsoft and Amazon Web Services) in China to meet the business needs of multinational companies doing business in China
为了遵守这一法律,许多美国和欧盟公司一直在采取合规措施,例如将中国本地数据与其他数据隔离开来。许多公司也开始在中国提供云服务(包括微软和亚马逊网络服务),以满足在中国开展业务的跨国公司的业务需求
Who owns personal information?
China has not had a specific stipulation on the ownership of personal information, and it has been disputed whether personal information belongs to the relevant personal information subjects
中国对个人信息的所有权没有具体规定,个人信息是否属于相关个人信息主体一直存在争议
The Civil Code stipulates the protection of personal information in the 'Personality Rights’ Chapter, indicating that the rights pertaining to personal information are personality rights of the personal information subjects
《民法典》在“人格权”一章中对个人信息的保护进行了规定,表明与个人信息有关的权利是个人信息主体的人格权
Telecommunications / ISP Law
**The Provisions on Telecommunication and Internet User Personal Information Protection, **effective from September 1, 2013
**《电信和互联网用户个人信息保护规定》**自2013年9月1日起施行
It is applicable to telecommunications and Internet service providers
适用于电信和互联网服务提供商
Duty to keep information in proper custody, mitigate harms from actual or suspected disclosure, breach (actual or suspected) notification obligation
有责任妥善保管信息,减轻因实际或疑似披露、违反(实际或疑似)通知义务而造成的损害
Article 13 imposes the following information security requirements on telecommunications operators and Internet service providers:
第十三条对电信经营者和互联网服务提供者规定了下列信息安全要求:
- Specify the responsibilities of each department / role in terms of security of personal information; 订明各部门/角色在个人资料保安方面的责任;
- Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measure to prevent the leak of confidential information; 建立不同工作人员和代理人的权限,审查信息的输出、复制和销毁,并采取措施防止机密信息泄露;
- Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures; 妥善保管记录用户个人信息的硬拷贝介质、光介质、磁介质等载体,并采取相应的安全存储措施;
- Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures; 对存储用户个人信息的信息系统进行访问检查,并实施入侵防御、防病毒等措施;
- Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved; 记录使用用户个人信息进行的操作,包括执行操作的人员、操作的时间、地点和涉及的事项;
- Undertake communications network security protection work as required by the relevant telecommunications authority 依电信主管机关之要求,承担通讯网络之安全保护工作
Breach Notification Law
The *PRC Cybersecurity Law *introduced a general requirement for the reporting and notification of actual or suspected personal information breaches
《中华人民共和国网络安全法》引入了报告和通知实际或疑似个人信息泄露的一般要求
Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organizations must promptly take relevant measures to mitigate any damage and notify relevant data subjects and report to relevant government agencies in a timely manner in accordance with relevant provisions
当个人信息被泄露、丢失或扭曲(或有可能发生此类事件)时,组织必须立即采取相关措施减轻损害,并根据相关规定及时通知相关数据主体并向相关政府机构报告
The *PIS Specification *provide detailed guidance on reporting and notification of personal data breaches or security incidents
个人资料保安服务规范就报告及通知个人资料外泄或保安事件提供详细指引
Consumer Protection Law
The PRC Consumer Rights Protection Law, effective from March 15, 2014, contains data protection obligations which are applicable to all types of businesses that deals with consumers:
**自2014年3月15日起生效的《中华人民共和国消费者权益保护法》**包含了适用于与消费者打交道的各类企业的数据保护义务:
- State the purpose, method, scope, and rules of collection of personal information of consumers; 规定收集消费者个人信息的目的、方法、范围和规则;
- Keep personal information of consumers confidential and not disclose, sell, or illegally provide this to others; 对消费者的个人信息保密,不得泄露、出售或者非法提供给他人;
- Have mechanisms in place to ensure the security of information collected; and 设立机制确保所收集资料的安全
- Not send unsolicited communications to consumers 不向消费者发送未经请求的通信
E-Commerce Law
E-Commerce Law, effective from January 1, 2019, aims to gain greater control over the online consumer markets, where there has been little or no regulation
《电子商务法》将于2019年1月1日生效,旨在加强对在线消费市场的控制,目前在线消费市场几乎没有监管
Together with other data protection and information security laws, the principles are:
与其他数据保护和信息安全法律一起,这些原则是:
- Data controllers should strengthen management of information provided by users, prohibit the transmission of unlawful information and take necessary measures to remove any infringing content, then report to supervisory authorities 数据控制者应加强对用户提供的信息的管理,禁止传输非法信息,并采取必要措施删除侵权内容,然后向监管部门报告
- Sufficient notice and adequate consent should be obtained from data subjects prior to the collection and use of personal information 在收集及使用个人资料前,须取得资料当事人的充分通知及同意
- Further obligations are imposed on mobile apps providers including but not limited to conducting real-name identification, undertaking information content review. 对移动应用提供商的进一步义务包括但不限于进行实名认证,进行信息内容审查。
- Data subject have specific rights, such as, to access their data, to correction of their data, to request deletion of data in the event of a data breach, to de-register their account etc. 资料当事人有特定权利,例如查阅资料、更正资料、在资料外泄时要求删除资料、撤销其帐户等。
Private and Tort Law
PRC Tort Liability Law, effective from July 1, 2010, provides that tortious liability arises upon the infringement of ‘civil rights and interests’
自2010年7月1日起施行的《中华人民共和国侵权责任法》规定,侵权责任是因侵犯“民事权益”而产生的。
Provisions found in laws such as the **General Principles of Civil Law **and the **Tort Liability Law **have generally been used to interpret data protection rights as a *right of reputation *or right of privacy
《民法通则》和《侵权责任法》等法律中的规定通常被用来将数据保护权解释为“名誉权”或“隐私权”
Article 36 of the Tort Law creates obligations for Internet service providers (ISPs) 《侵权行为法》第36条规定了互联网服务提供商的义务。
- A network user or network service provider who infringes upon the civil right or interest of another person through network shall assume the tort liability 网络用户、网络服务提供者通过网络侵害他人民事权益的,应当承担侵权责任
Chinese courts have allowed damages for emotional distress connected with disclosure
中国法院允许对与信息披露相关的精神损害赔偿
Sources
Numerous legal sources that impose obligations on organisations to provide security to different kinds of information
许多法律来源规定组织有义务为不同类型的信息提供安全保障
The source of the legal obligation, the object or reason that the information is to be made secure can differ
法律义务的来源、保护信息的目的或原因可以有所不同
With these different legal obligations come potential sanctions or liabilities
随着这些不同的法律义务而来的是潜在的制裁或责任
Greater risk to company that does not secure its information
不保护信息安全的公司面临更大的风险
Issues
The duty to keep information secure is not further specified in the statutes
保护信息安全的义务在法规中没有进一步规定
The GDPR indicates:
- ‘Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security *appropriate *to the risks represented by the processing and the nature of the data to be protected’ “考虑到目前的技术水平和实施成本,这些措施应该确保与处理所代表的风险和要保护的数据的性质相适应的安全水平。”
A cost/risk analysis qualifies an appropriate level of security
成本/风险分析确定了适当的安全级别
No further guidance
没有进一步的指导
Emerging Guidance 新兴的指导(EU,US)
The **European Union General Data Protection Regulation **requires an “adequate” level of data protection but offers no explanation or definition for the term
欧盟通用数据保护条例要求“充分”的数据保护水平,但没有对此术语进行解释或定义
In the United States, the **Health Insurance Portability and Accountability Act (HIPAA) Security Rule **for healthcare and the **Safeguards Rule **for financial services have been among the most prescriptive, and Massachusetts has led the way among states, providing 18 specific standards for protecting personal information
在美国,针对医疗保健的《健康保险可携带性和责任法案》(HIPAA)安全规则和针对金融服务的《保障规则》是最具指导性的,马萨诸塞州在各州中处于领先地位,提供了18项保护个人信息的具体标准
The **Federal Trade Commission **considers the collection of personal information without providing reasonable security to be an unfair practice, but the U.S. Court of Appeals for the 11th Circuit’s decision to vacate the commission’s order against LabMD in 2018 showed the legal challenges raised by an imprecise standard; the court found that the FTC’s requirement for “LabMD to overhaul and replace its data- security program” was unenforceable because of an “indeterminable standard of reasonableness.”
联邦贸易委员会认为,在没有提供合理安全保障的情况下收集个人信息是一种不公平的做法,但美国第11巡回上诉法院在2018年撤销该委员会针对LabMD的命令的决定,表明了一个不精确的标准所带来的法律挑战;法院发现,联邦贸易委员会要求“LabMD彻底检查并更换其数据安全程序”的要求是不可执行的,因为“不确定的合理性标准”。
Standards
Consequently, many information technology organizations have focused instead on aligning their operations with recognized security frameworks such as the International Organization for Standardization (ISO) 27001, Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) and others.
因此,许多信息技术组织转而关注将其操作与公认的安全框架(如国际标准化组织(ISO) 27001、支付卡行业数据安全标准(PCI DSS)、国家标准与技术研究所(NIST)等)保持一致。
Definition
Standard is…
- established or widely recognised as a model of authority or excellence (a standard reference work) 已建立或被广泛认可为权威或卓越的典范(标准参考作品)
- conforming to or constituting a standard of measurement or value; or of the usual or regularized or accepted kind (windows of standard width, standard fixtures, standard operating procedure) 标准的:符合或构成测量或价值标准的;或通常的、规范的或可接受的类型(标准宽度的窗户、标准固定装置、标准操作程序)
- the ideal in terms of which something can be judged (they live by the standards of their community) 可以评判事物的理想(他们按照社区的标准生活)
ISO Definition
ISO/IEC Guide 2:1996 promulgated by the International Organization for Standardization (ISO) defines a standard as follows:
国际标准化组织(ISO)颁布的ISO/IEC指南2:1996对标准的定义如下:
- “a standard is a document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.” “标准是经协商一致制定并经公认机构批准的文件,它规定活动或其结果的规则、准则或特征,供共同和重复使用,目的是在某一特定环境中实现最佳程度的秩序。”
Types of Standard
Informal/formal 正式和非正式
- White wedding dresses / 802.11b 白色婚纱 / 802.11b
De facto standard 事实上的标准:一种在实际应用中被广泛接受和使用的标准,尽管它可能没有正式的权威认可。
- Achieved dominant position 取得主导地位
- Tradition, enforcement, or market dominance – such as white wedding dresses, TCP/IP, iPhones or Microsoft Windows 传统、强制或市场主导——比如白色婚纱、TCP/IP、iphone或微软Windows
- Not necessarily receiving formal approval by means of standardization process and may not be an official standard document
De jure standard 法定标准 / 官方标准
- Standard contractual terms 标准合同条款
Social, technical, commercial, …
社会的、技术的、商业的……
Benefits
Joint mastery of problems 共同掌握问题
- Technical and other issues 技术和其他问题
Helps choices
- Reduces uncertainties 减少不确定性
- No need to test further 无需进一步测试
Makes operations smoother 使操作更顺畅
- Conformity to expectations 与社会预期相一致
Advances progress 进步
- Anticipate further developments 预测未来的发展
Avoids conflicts 避免冲突
Conformity with Standards 符合标准
Often by certification process – third party audit 通常通过认证过程-第三方审核
- Testing labs 测试实验室
Value
- Mark of conformity 符合标志:一个标志或标签,表示产品或服务符合特定标准、规范或法规的要求。
- Quality certificate 质量证书:一种证明产品或服务符合特定质量标准的文件,通常由权威机构颁发。
- Market entry requirements 市场准入要求
Manufacturing and distribution of telecommunication equipment to meet national, regional, international standards of performance, safety, interoperability
制造和分销电信设备,以满足国家,地区,国际标准的性能,安全性,互操作性
National Standards Bodies 国家标准机构
Usually an official national representative of ISO
通常是ISO的官方国家代表
May be responsible for uniform standardization throughout the country
可负责全国统一的标准化工作
Laws regulating the creation of standards
规范标准制定的法律
Compulsory – health and safety
强制性——健康和安全
Voluntary – other industries
自愿-其他行业
International Standards Bodies
Numerous recognised international bodies with standards making functions
众多具有标准制定职能的公认国际组织
Non-treaty bodies 非条约机构
- International Organization for Standardization (ISO) 国际标准化组织(ISO)
- International Electrotechnical Commission (IEC) 国际电工委员会
Treaty bodies 条约机构
- International Telecommunication Union (ITU) 国际电信联盟
OECD 2002 Information Security Guidelines
OECD legal instruments: decisions, conventions, recommendations, guidelines
经合发组织法律文书:决定、公约、建议、准则
Guidelines = non-binding, represents political will of members, great ‘moral force’
准则=不具约束力,代表成员的政治意愿,强大的“道德力量”
Standards setting role 标准制定角色
- OECD’s legal instruments set standards for members in a variety of policy areas 经合组织的法律文书在各种政策领域为成员国制定了标准
- Non-members who adhere to OECD’s legal instruments agree to implement the standards and measures, including relevant legislation addressed by the instrument 遵守经合组织法律文书的非成员同意执行标准和措施,包括该文书涉及的相关立法
ISO/IEC
27001:2005: ‘Information technology – Security techniques – Information security management systems – Requirements’
27001:2005:“信息技术——安全技术——信息安全管理系统——要求”
- Information Security Management System (ISMS) 资讯保安管理系统(ISMS)
- Used with ISO 27002 ‘Code of Practice for Information Security Management’ 与ISO 27002“资讯保安管理实务守则”配合使用
- Lists security control objectives 列出安全控制目标
- Recommends a range of specific security controls. 建议一系列特定的安全控制。
- Certification possible 认证可能
- Three stage audit by certification body 认证机构的三阶段审核
Revised by ISO/IEC 27001:2013
经ISO/IEC 27001:2013修订
PIS Specification I
National Standard of Information Security Technology – Personal Information Security Specification, effective from October 1, 2020 (PIS Specification)
《信息安全技术国家标准——个人信息安全规范》,自2020年10月1日起实施(PIS规范)
A standard to determine whether companies are following China’s data protection rules
确定公司是否遵守中国数据保护规定的标准
Businesses that collect or process personal information in China should check their current practices against this Specification to identify and minimize their potential risks
在中国收集或处理个人信息的企业应对照本规范检查其目前的做法,以识别并尽量减少其潜在风险
De Jure Standards
Legal requirement for appropriate level of information security process:
适当级别的资讯保安程序的法律要求:
US Health Insurance Portability and Accountability Act (HIPAA)
美国健康保险流通与责任法案(HIPAA)
- Privacy rule: privacy standards, including who can have access to protected health information (PHI) (all forms) 隐私规则:隐私标准,包括谁可以访问受保护的健康信息(所有形式)
- Security rule: controls for ensuring access only to those who should have it (electronic information only) 安全规则:确保只有应该访问的人才能访问的控制措施(仅限电子信息)
Laws requiring compliance with PCI/DSS (The Payment Card Industry Data Security Standards)
要求遵守PCI/DSS(支付卡行业数据安全标准)的法律
Normally, PCI/DSS is a private standard with contractual liability only 通常,PCI/DSS是一个私人标准,仅具有合同责任
(PCI DSS) are developed and promoted by the PCI Security Standards Council (PCI DSS)是由PCI安全标准委员会制定和推广的
The Council was formed by the five of the most prominent credit card payment brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. – in response to increasing credit card fraud and data security breaches 该委员会由五个最著名的信用卡支付品牌——美国运通、发现金融服务、JCB国际、万事达全球和Visa, Inc.——组成,以应对日益增加的信用卡欺诈和数据安全漏洞
Some US states incorporated the standard into state law 美国一些州将该标准纳入州法律
【北邮国院大三下】Cybersecurity Law 网络安全法 Week1【更新Topic4, 5】相关推荐
- 【北邮国院大三下】Software Engineering 软件工程 Week1
北邮国院大三电商在读,随课程进行整理知识点.仅整理PPT中相对重要的知识点,内容驳杂并不做期末突击复习用.个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处,祝您学习愉快. 编 ...
- 【北邮国院大三下】Cybersecurity Law 网络安全法 Week3
北邮国院大三电商在读,随课程进行整理知识点.仅整理PPT中相对重要的知识点,内容驳杂并不做期末突击复习用.个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处,祝您学习愉快. 编 ...
- 【北邮国院大三下】Intellectual Property Law 知识产权基础 Week1
北邮国院大三电商在读,随课程进行整理知识点.仅整理PPT和相关法条中相对重要的知识点,个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处,祝您学习愉快. 编辑软件为Effie, ...
- 【北邮国院大三下】Logistics and Supply Chain Management 物流与供应链管理 Week1
北邮国院大三电商在读,随课程进行整理知识点.仅整理PPT中相对重要的知识点,内容驳杂并不做期末突击复习用.个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处,祝您学习愉快. 编 ...
- 【北邮国院大三下】Logistics and Supply Chain Management 物流与供应链管理 Week2
北邮国院大三电商在读,随课程进行整理知识点.仅整理PPT中相对重要的知识点,内容驳杂并不做期末突击复习用.个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处,祝您学习愉快. 编 ...
- 【北邮国院大三下】Software Engineering 软件工程 Week4
北邮国院大三电商在读,随课程进行整理知识点.仅整理PPT中相对重要的知识点,内容驳杂并不做期末突击复习用.个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处,祝您学习愉快. 编 ...
- 【北邮国院大二下】产品开发与营销知识点整理 Topic11
北邮国院大二电商在读,随课程进行整理知识点.仅整理PPT中相对重要的知识点,个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处 Topic 11 – Patents and I ...
- 【北邮国院大三上】电子商务法(e-commerce law)知识点整理——Banking Lawe-Payment
北邮国院大三电商在读,随课程进行整理知识点.仅整理PPT和相关法条中相对重要的知识点,个人认为相对不重要的细小的知识点不列在其中.如有错误请指出.转载请注明出处,祝您学习愉快. Why are leg ...
- 【北邮国院大三上】互联网协议_Internet Protocol_PART A
北邮国院大三电商在读,全文为PPT机翻+自己理解,仅做整体复习浏览知识点熟悉定义用,不做考前突击复习重点用.有任何问题可评论指出,有需要本文pdf/docx/md/Effiesheet格式的同学请私信 ...
最新文章
- 放大招了,送一波来自 Facebook、Google、网易、阿里的学习福利!
- 雷观(十七):想拉人入伙,合伙创业,请拿出一点认真的态度
- python中国大学排名爬虫写明详细步骤-Python爬虫 2020中国大学排名
- 懒人小工具1:winform自动生成Model,Insert,Select,Delete以及导出Excel的方法
- boost::spirit模块实现自定义用作容器数据的测试程序
- 「数据ETL」从数据民工到数据白领蜕变之旅(五)-使用dotNET脚本实现SSIS无限扩展...
- js字符串转数字(小数),数字转字符串
- 【Oracle】分区表中索引状态为N/A
- 爱奇艺多模态短视频内容标签技术及应用
- MySQL 5.7 + Navicat 下载安装教程(附安装包)
- 详解金盾2016替换机器码的几个关键步骤
- torch.optim.lr_scheduler源码和cosine学习率策略学习
- 搜查令——项目个人总结+个人自评
- vue中双击事件选中文本、通过输入框实现双击输入文字
- 那些年啊,那些事——一个程序员的奋斗史 ——39
- 解决VirtualBox增强功能异常
- 基于springboot+bboss整合的elasticsearch(好用的一匹)
- 腐蚀rust服务器命令_腐蚀Rust游戏指令大全 全游戏指令一览
- Session存值取值问题及取不到值的问题
- 模拟web访问有登录且有验证码的登录后抓取数据