In the
previous publication, we examined the basic concepts and paradigm of information security, and now we will move on to the analysis of Russian and international legislation governing various aspects of data protection, since without knowledge of the legislative rules governing the relevant areas of the company’s activities, it is correct to build a risk and business-oriented management system information security is impossible. Penalties, as well as reputational damage from non-compliance with legislative standards can make a significant correction to the organization’s functioning and development plans: we know that, for example, failure to comply with information protection standards in the national payment system may result in revocation of a license from a financial organization, and non-compliance with requirements in place primary collection and processing of personal data may lead to blocking access to the company’s website. Failure to comply with the safety standards of critical information infrastructure in general may result in imprisonment for up to 10 years. Of course, there are a huge number of applicable laws and regulations, so in this and the next two articles we will focus on the protection of personal data, the protection of critical information infrastructure objects and the information security of financial organizations.
So, in today's series - personal data, let's go!
First of all, it is necessary to talk about the fundamental document that governs the procedure for working with various information in the Russian Federation, including and with personal data - we are talking about
Federal Law No. 149 "On Information, Information Technologies and the Protection of Information" dated 07.27.2006. This document contains the basic concepts and definitions that are used in all normative legal acts related to the protection of information, and also, among other things, introduces the concept of the category of information (public information and information of limited distribution) and the type of information (freely distributed, provided on the basis of agreement to be distributed in accordance with the law, information of limited access / distribution and prohibited for distribution). In particular, personal data is classified as restricted information, and in accordance with Article 9, Clause 2 of this Law, confidentiality of such information is mandatory, as a result of which the state sets mandatory rules and rules for its processing. Unfortunately, not with all types of information of limited distribution there is a similar certainty - for example, to this day there is no legislative classification of types of secrets, only some of them can be distinguished: state, commercial, tax, banking, audit, medical, notarial, lawyer's secret, secret communications, investigations, legal proceedings, insider information, etc. In addition to information of limited distribution, there is also a classifier of types of information in Article 149-FZ (Article 8, Clause 4), access to which, on the contrary, cannot be limited - for example, regulatory legal acts, information on the activities of state bodies, the state of the environment, etc. .d.
Russian standards for the protection of personal data
Turning to the consideration of issues of protecting personal data, it should be noted that they remain invariably sharp over the past years and rise in the highest offices both in Russia and abroad, since they concern each of us, regardless of citizenship and position.
The security of personal data, in the foreign interpretation of privacy, is rooted in ensuring the inalienable rights and freedoms of citizens of developed countries - for example, in some European countries, the issue of indicating the name and surname of people living near mailboxes and doorbells was quite controversial. With the advent of information technology, the protection of personal data has become even more relevant. This is how the “Council of Europe Convention No. 108 on the Protection of Individuals with Automatic Processing of Personal Data” appeared, signed in 1981 and ratified by the Russian Federation in 2001. Already at that time, it laid the international foundations for the legitimate processing of personal data, which are applicable to this day: the use of personal data only for certain purposes and within certain periods, the redundancy and relevance of processed personal data and the peculiarities of their cross-border transfer, data protection guaranteed rights of a citizen - holder of personal data. In the same document, the very definition of personal data is given, which then “migrates” to the first edition of the domestic
Federal Law No. 152 “On Personal Data” dated July 27, 2006: “personal data” means any information about a specific or identifiable natural person. The purpose of ratification of this Convention was to comply with international regulatory requirements upon Russia's entry into the WTO (World Trade Organization), which took place in 2012.
The joint work of the countries parties to the Convention continues to this day. So, at the end of 2018, the Russian Federation together with other participating countries signed the “
Protocol No. 223 on Amendments to the Council of Europe Convention on the Protection of Personal Data”, which updates the Convention in terms of meeting current challenges: protection of biometric and genetic data, new rights individuals in the context of algorithmic decision-making by artificial intelligence, data protection requirements already at the stage of designing information systems, the obligation to notify the authorized supervisor about gan about data leaks. Citizens now have the opportunity to receive qualified protection on their personal data from the supervisor, and Russian companies forced to meet the requirements of the European GDPR (General Data Protection Regulation, we will talk about them later) will not be forced to apply additional protection measures, since Compliance with the provisions of the Convention means that the participating country provides an adequate legal regime for the processing of personal data.
So, in 2006, 152- “On personal data” was adopted, which not only largely repeated the requirements of the Convention, but also introduced additional definitions and requirements regarding the processing of personal data (hereinafter - PD). Over time, the Federal Law was amended, the main of which were introduced 261- dated 07/25/2011 and 242- dated 07/21/2014. The first law made significant changes to the basic principles of PD protection, and the second prohibited the primary processing of PD outside the territory of the Russian Federation. Note that the authorized state body for the protection of the rights of PD subjects is the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (Roskomnadzor), reporting to the Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation.
In Article 152-FZ, measures to ensure the safety of personal data are dealt with in article 19, which also states that operators should ensure security levels established by Government Decision No. 1119 of November 1, 2012, which are understood as a set of requirements that neutralize certain security threats. To simulate these threats, i.e. building a threat model (hereinafter - MU) and a model of the violator, one should rely on the following regulatory legal acts:
In addition, the FSTEC of Russia in 2015 developed the project “Methods for determining threats to information security in information systems”, which, after its approval, will be able to guide both operators of state information systems and private companies. It should be noted that state information systems (hereinafter referred to as GOSIS) are defined in 149-FZ (Article 13, Clause 1) as federal information systems and regional information systems created on the basis of federal laws, laws of the constituent entities of the Russian Federation, and legal acts state bodies in order to exercise the powers of state bodies and ensure the exchange of information between these bodies, as well as for other purposes established by federal laws.
Article 5 in 152-FZ speaks of the obligation of state bodies to develop sectoral MPs in their area of ​​responsibility. Such MUs were developed, for example, in the Central Bank of the Russian Federation (first in the form of RS BR IBBS-2.4, then in the form of
Bank of Russia Ordinance No. 389-U ), the Ministry of
Telecom and Mass Communications of the Russian Federation (“
Model of threats and security violator of personal data processed in standard ISPD of the industry ”and“
Model of threats and security violator PDN processed in special ISPD of the industry ”), by the Ministry of Health of the Russian Federation (“
The threat model of a typical medical IP of a typical medical institution ”).
In 152-, the obligation to ensure the security of personal data is assigned to the operator of the personal information system (hereinafter - ISPD) or to the person who processes the personal data on behalf of the operator (the so-called "processor"). PP-1119 provides specific organizational and technical protection measures that should be taken by the operator (or processor) to ensure the appropriate level of security for PD, while the choice of level depends on the category of PD processed (i.e., ISPD type), category and number of PD subjects and type of actual threats.
PD categories can be special (processing information on critical aspects of the life of the subject of PD, such as health status, national / racial affiliation, political and religious beliefs), biometric (processing PD, characterizing physiological and biological characteristics), public (PD is obtained from public sources ), other.
Actual threats can be of the 1st type (threats of using undeclared capabilities in system software are relevant for ISPD), of the 2nd type (threats of using undeclared capabilities in application software are relevant), of the 3rd type (the above threats are not relevant).
The choice of the level of security (hereinafter - KM) of personal data depends on the above characteristics of the ISDN (categories of processed PDs and the type of threats relevant to ISDN), as well as the category of subjects (operator’s employees or other persons) and the number of entities whose PDN are processed (more or less than 100,000 entries). The maximum ultrasound is the 1st, the minimum is the 4th.
PP-1119 offers a fairly concise list of PD protection measures, since FSTEC of Russia determines the detailed security measures:
Order No. 21 of 02/18/2013 approves the composition and contents of organizational and technical measures to ensure the safety of PD, and
Order No. 17 of 02/11/2013 regulates the requirements for protection of information in the State Institute of Information Security, including the protection of PD in them. In addition, the Federal Security Service of the Russian Federation also issued
Order No. 378 of July 10, 2014, which contains a description of PD security measures when using cryptographic information protection tools (hereinafter - CIP).
Consider first Order No. 21 . This document is devoted to PD protection measures for non-state IP and contains a list of specific measures to ensure one or another KP PD. In clause 4, non-state IP operators are granted an exemption in the form of permission not to use certified SIS in the absence of actual threats that they close, and clause 6 of the document sets a three-year interval for assessing the effectiveness of measures implemented. Order No. 21, as well as Order No. 17, offers the same algorithm for selecting and applying security measures: first, basic measures are selected based on the provisions of the corresponding Order, then the selected basic set of measures is adapted, excluding irrelevant “basic” measures, depending from the features of information systems and technologies used. Then, the adapted basic set of measures is specified to neutralize the current threats with previously unselected measures, and finally, the updated adapted basic set is supplemented with measures established by other applicable regulatory legal documents.
Order No. 21 in clause 10 contains an important note about the ability of the operator to apply compensatory measures when it is impossible to implement technical measures or if it is not economically feasible to apply measures from the basic set, which gives some flexibility when choosing new ones and justifying the use of already implemented protective equipment in order to ensure personal safety. If the operator uses certified SZI, the regulator in paragraph 12 of the Order makes requirements for the classes of used SZI and for computer equipment (hereinafter - CBT).
Certified firewalls, intrusion detection systems, information anti-virus protection tools, trusted boot tools, removable computer media control tools, operating systems in accordance with the recently introduced (2011-2016) FSTEC classifiers of Russia can have classes from 1 (maximum level of support protection) to 6 (minimum level). CBT can be classified at seven levels in accordance with the FSTEC Russia
guidance document . Requirements are also imposed to control the absence of undeclared capabilities in the SZI software - there are four levels of control. The current list of certified SIS is contained in the state
register of certified information security tools.
In Order No. 21, the following groups of measures to ensure the safety of PD are indicated, which should be applied depending on the required level of protection of PD:
• Identification and authentication of access subjects and access objects
• Access control of access subjects to access objects
• Limit software environment
• Protection of machine carriers PD
• Security event logging
• Antivirus protection
• Intrusion Detection
• Monitoring (analysis) of security PD
• Ensuring the integrity of IP and PD
• Ensuring the availability of PD
• Protecting virtualization environments
• Protection of technical means
• Protection of IP, its means, communication systems and data transmission
• Incident detection and response
• Management of the configuration of IP and security systems PD.
Order No. 17 establishes the requirements for ensuring the security of information of limited access to the GISIS, while paragraph 5 emphasizes that when processing PDs in GOSIS, PP-1119 should be guided. The order obliges GOSIS operators to use only certified SZI and receive a five-year certificate of compliance with information protection requirements. This document assumes that the operators take the following measures to ensure the protection of information (hereinafter - ZI): the formation of requirements for ZI; development, implementation and certification of IP IP system; providing ZI during operation and during decommissioning. Paragraph 14.3 of the Order speaks of the need to create a threat model and suggests using the FSTEC Russia Information Security Threat Data Bank (
BDU ), which we spoke about in a
previous publication. For GOSIS, a security class is established (from the maximum 1st to the minimum 3rd), which depends on the significance level of the information being processed and the scale of the system, where the significance level depends on the degree of possible damage to the security properties (confidentiality, integrity, availability) of information processed in the GISIS , and the scale of the system can be federal, regional or object.
In GISIS of the 1st class of protection, protection against the actions of violators with high potential should be provided, in GOSIS of the 2nd class - from violators with a potential not lower than the strengthened base (in the NOS their potential
is called "average", and in the draft Methodology for determining security threats information in IS - “basic increased”), in GISIS 3rd class - from intruders with a potential not lower than basic (in the NLD this potential
is called “low”). Since to ensure IS in GosIS it is permissible to use only certified SZI, paragraph 26 of Order No. 17 describes the acceptable classes of SZI, CBT and levels of control of the absence of NDV, depending on the class of GISIS. In clause 27, a connection is made between the GISIS security class and the security levels of PD processed in it: the implementation of the requirements of ZI measures for GISIS of the 1st class provides 1, 2, 3 and 4 security levels of PD, for the 2nd class - 2, 3 and 4 ultrasound, for the 3rd class - 3 and 4 ultrasound.
Information protection measures in the State Information System almost completely coincide with the measures from Order No. 21 described above, except for the absence of indications of incident detection and configuration management. These actions are carried out after the construction of the protection system, at the stage of operation of the certified GISIS, along with the management of the information protection system itself and control over ensuring the level of information security in GOSIS.
In addition to Order No. 17, in the implementation of relevant ZI measures, one can also be guided by the methodological document of the FSTEC of Russia “
Information Protection Measures in State Information Systems ”, which discloses in more detail the composition and content of all measures.
Order of the Federal Security Service of the Russian Federation No. 378 establishes standards for the application of one of the six classes of cryptographic information protection systems for the protection of personal disabilities: KS1 (minimum), KS2, KS3, KV1, KV2, KA1 (maximum). The cryptographic information protection class is selected depending on the required level of security of PD and on the type of actual threats. Despite the fact that cryptographic information protection classes neutralize threats originating from a certain type of intruder with a certain level of potential (there are only 6 types of intruders, from H1 to H6, they are defined in the violator's model), this Order ties the cryptographic information protection class to the level of security of personal data , and not to the possibilities of attackers. In addition to describing the required classes of cryptographic information protection, this document contains administrative requirements for the operator, such as organizing access to the premises (physical security - installing locks, bars), ensuring the safety of PD media, approval of the list of people who have access to PD.
International standards for the protection of personal data
If in Russia disputes regarding the enforcement of 152- and relevant by-laws do not cease, then in the European Union the last 3 years have been working to implement and comply with the GDPR (
General Data Protection Regulation ,
General Data Protection Regulation ). This document, from the moment of its adoption in April 2016 until the date of entry into force on May 25, 2018, as well as at the moment, raises many questions and disputes, since it concerns a large number of citizens and companies around the world.
The predecessor of GDPR in the European Union was the Directive of the European Parliament and of the Council of the European Union 95/46 / EC of October 24, 1995 “On the protection of individuals in the processing of personal data and on the free circulation of such data”. After the adoption of the GDPR, the rights of PD subjects significantly expanded, and the obligations of operators and penalties for their non-fulfillment increased significantly.
The definition of PD in the GDPR itself does not differ much from what was adopted in the Council of Europe Convention and from a similar definition in domestic 152-FZ: personal data within the framework of GDPR means any information relating to an identified or identifiable person (personal data subject). Identifiable person means a person who can be identified, directly or indirectly, in particular using identifiers such as name, identification number, location data, online identifier or using one or more factors specific to the physical, physiological, the genetic, mental, economic, cultural or social status of this person. Thus, the definition of PD includes not only the characteristics we are accustomed to, but also the IP address, cookie identifiers set by the user, user geolocation data, and other technical attributes.
An important new term in the GDPR is “profiling”, which means any form of automated processing of personal data in order to assess certain aspects of a person, in particular to analyze or predict a person’s working capacity, his material situation, health, personal preferences, interests , behavior, location or movement.
As in 152-FZ, the GDPR uses such concepts as “personal data processing”, “processor”, “operator” (English controller), “cross-border processing”, “pseudonymization” (depersonalization) and similar universal terms.
The scope of GDPR rules applies to all operators that process personal data of EU citizens and other citizens located in the EU. Moreover, the operator may not have a representative office in the EU, and its automated systems may also be located outside the EU. Examples concerning operator companies from the Russian Federation:
- a Russian bank must comply with GDPR standards when processing data of its customers, citizens of the Russian Federation, when they are in the EU;
- an online store with registration in the Russian Federation that provides services / products including to EU citizens, uses cookie identifiers and / or user behavior analytics on its website with an interface in EU languages, is also subject to GDPR standards;
- a subsidiary of a Russian company operating in the EU.
GDPR standards are based on six basic principles:
- legality, fairness and transparency of processing - compliance of PD processing with legislation, development and implementation of a publicly accessible policy for working with personal data (the so-called privacy policy);
- limitation of processing goals - PD processing is carried out for specific, clearly defined goals and no longer than the achievement of these goals requires;
- data minimization - processing of exactly such a volume of PD that is required to achieve processing goals;
- accuracy - the processed PDs are accurate and correct, otherwise the subject may demand to remove or correct incorrect PDs;
- storage limit - after reaching the processing goal, the data is deleted;
- integrity and confidentiality - PD processing is safe, data is protected from unauthorized access, accidental or intentional deletion, loss, damage, using appropriate technical and organizational measures.
The document does not provide operators with detailed protection instructions, giving them the freedom to choose measures and techniques. For example, you should, where possible, encrypt PD during storage, transmission and processing, as well as use pseudonymization algorithms. This is expected to reduce potential damage in the event of a leak, but the GDPR does not provide specific conditions for the application of these protective measures. In this, the European approach differs from the Russian one, in which state authorities clearly regulate the protective measures and the conditions for their application, not hoping for the prudence of the operators - and, it should be regretted, it is very justified.
In addition to the principles described above, the following norms are also present in the GDPR:
- PD subjects have the right to gain access to the data collected about them, the right to correct and delete incorrect PD in the operator’s systems, the right to forget, i.e. to delete personal data at their request, the right to transfer data from one system to another in a machine-readable form, the right to refuse to process personal data by artificial intelligence systems, profiling systems and automated decision-making systems (in this case, the operator is not entitled to infringe upon other the legal rights of the subject in the processing of his PD);
- the operator must assess the risks of violation of the rights and freedoms of PD subjects (i.e., conduct Data Protection Impact Assessment);
- the operator must maintain an up-to-date register of business processes for processing personal data, which reflects the goals and bases for processing personal data, categories of processed personal data, storage periods and applied measures to protect personal data;
- when designing automated personal data processing systems, operators should be guided by the principles of built-in privacy (privacy by design, i.e. implement security measures for personal data at all stages of system design and the life cycle of personal data processing) and default privacy (privacy by default, i.e. processed the volume of PD should be minimal to achieve clearly defined goals for their processing);
- consent to the processing of personal data must be given by the subject of personal data in the form of active conscious actions - the operator does not have the right to consider the consent of the subject as the default data, as he cannot give the user a choice or not give him the opportunity to withdraw consent without infringement of interests;
- The operator must designate a Data Privacy Officer in cases where:
- PD processing is carried out by a public company
- the company is systematically profiling a large number of PD subjects
- / ( , , , , , , );
- 72- (supervisory authority, Data Protection Authority — ) GDPR- , .. , , , .
In July 2016, the EU-US Privacy Shield privacy agreement was introduced . This agreement is a framework that defines the approaches of commercial companies to a secure exchange of personal data between the European Union and North America. The purpose of such an agreement is to bring the GDPR standards for the protection of PD in the EU and methods for ensuring their safety in the USA into line. The predecessor of this framework was the Safe Harbor Privacy Principles agreement.(“Safe Harbor Principles for the Protection of Personal Data”), which was in force from 2000 to 2015 and confirmed that the methods of ensuring personal data security in the USA comply with the European Directive 95/46 / EC “On the protection of individuals in the processing of personal data and on free handling of such data. ” This agreement was criticized because of the revealed facts of deliberate permanent access to personal data of European citizens by the US government, in particular, the National Security Agency. This was considered by the European Court, which ruled in October 2015 decisionthe invalidity of the Safe Harbor Principles. Thus, at present, US companies wishing to process personal data of EU citizens must comply with EU-US Privacy Shield. Confirmation of compliance is carried out in the form of voluntary self-certification at the US Department of Commerce. The operator company must comply with the following basic requirements , confirming the adequate level of protection of its PD for EU citizens:
- informing the subjects about the processing of their personal data, which includes an indication of the protection of personal data in accordance with the Privacy Shield in the policy of the company for the protection of personal data (Privacy Policy), notification of the personal data of their rights and a reminder of the obligations of the company itself in case of receiving a legitimate request for provision of PD by state authorities;
- , 45 , , , Data Protection Authorities ( );
- , Privacy Shield;
- , ;
- , :
- , , — (.. Notice and Choice Principles), ( , , );
- , , .. , — , , , — ;
- Privacy Shield;
- , Privacy Shield.
- , , Privacy Shield, , , 152-.
1. The fines charged for violation of the Russian legislation on the protection of personal data are regulated by Art. 13.11 Administrative Code, which provides for seven offenses introduced in July 2017. For example, part 1 of article 13.11 of the Administrative Code of the Russian Federation punishes operators for processing personal data in cases not prescribed by law, or processing incompatible with the purpose of collecting personal data, in the amount of up to 50 thousand rubles. Part 2 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation provides for punishment for processing PD without the consent of the subject or for violations in the process of obtaining such consent, in the amount of up to 75 thousand rubles. In addition, failure to comply with the rules on the localization of PD databases on the territory of the Russian Federation is a violation of Article 1242-FZ and Article 15.5 of 149-FZ, which threatens to block access to the offending company’s web resource on the basis of a court decision.
It should be borne in mind that a fine can be imposed for each fact of violation of legislative norms. Moreover, a bill has recently been submitted to the State Duma , which implies the introduction of two new offenses in the field of PD protection - deputies propose imposing millions of fines for failure to comply with 242-FZ, i.e. for refusing to localize PD databases of Russians in the territory of the Russian Federation, as well as for repeated violations of the localization requirements.
2. The fines levied by European regulators for non-compliance with GDPR in the case of minor violations amount to 10 million euros or 2% of the company's global annual turnover, and in the case of significant ones, up to 20 million euros or 4% of the global annual turnover. At the same time, disappointing statistics have already been summed up over the GDPR requirements year: more than 200,000 checks have been carried out against operators, and the total amount of fines is more than 56 million euros, while 50 million euros is the sum of the fine imposed by Google’s Internet giant by the French regulator protection areas
3. The fines charged by the US Federal Trade Commission for companies that do not comply with Privacy Shield principles amount to up to $ 40 thousand for a violation, plus $ 40 thousand for each subsequent day of illegal processing of personal data after violations are discovered.
Inspection procedure by Roskomnadzor
Roskomnadzor, the domestic authorized state body for the protection of the rights of PD subjects, has the right to inspect legal entities and individual entrepreneurs for compliance with the provisions of the Russian legislation in the field of PD protection. At the same time, inspections are carried out both by the Central Office (the inspection plan and activity reports are published on the official website ) and by the Federal Districts Departments (for example, the website of the Roskomnadzor Central Federal District posted activity plans and reports for the last 10 years). Inspections of Roskomnadzor are regulated by Decree of the Government of the Russian Federation No. 146dated February 13, 2019 “On the Approval of the Rules for the Organization and Implementation of State Control and Supervision of the Processing of Personal Data”. In accordance with this Decree, inspections are both scheduled (practice has shown that the regulator checks groups of companies united by a common principle, for example, by field of activity) and unscheduled: they can be carried out on behalf of the President, the Government of the Russian Federation or by decision The head of Roskomnadzor in the framework of the prosecutor’s audit, in case of failure to comply with the previous regulation of the regulator, as well as in the case of complaints from PD subjects. In this case, unscheduled inspections can only be on-site, and scheduled ones can be both documentary and field. When checking, the regulator examines the internal regulatory documents on PD processing, inspects PD storage places,requires to demonstrate the processing of PD in information systems. As a rule, in case of deficiencies, the regulator orders the elimination of violations in a timely manner, and fines for the lack of a legal basis for processing personal data (for example, for the lack of documented facts of consent by private individuals), for the mismatch of the processing goals and volume of personal data, for the lack of necessary notifications and policies on the operator’s website, subject to the collection of PD on it.for the lack of the necessary notifications and policies on the operator’s website, subject to the collection of PD on it.for the lack of the necessary notifications and policies on the operator’s website, subject to the collection of PD on it.