Third-year e-commerce student at BUPT's international college, organising key points as the course progresses. Only the relatively important points from the slides are collected; the content is mixed and is not meant for last-minute exam revision. Minor points I consider relatively unimportant are left out. Please point out any errors. Please credit the source when reposting, and happy studying.
Edited in Effie; if you need the file in pdf/docx/effiesheet/markdown format, please contact me by private message or on WeChat.
WEEK1
The items below are fairly definitional, so they are basically translations of the slide content. If the exam uses case-style questions like the e-commerce law course, there is no need to memorise them; it is enough to understand them, roughly know what is what, and have something to say. If there are further changes or new insights, this paragraph will be revised later.
For Week 1 it is hard to distil anything as logically structured as in e-commerce law; in other words, the slides give cluttered and not very useful information, and reading them feels nothing like the e-commerce law course with its clearly separated sections; the share of actual legal provisions is very low. Further thoughts on this course will have to wait until I have observed another week of classes. For Week 1, just memorise selectively; after all, there are no past papers yet.
What is Cybersecurity
Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks
It aims to reduce the risk of cyber attacks, and protect against the unauthorised exploitation of systems, networks and technologies
Three distinct elements: information security; privacy and data protection; and cybercrime
Information Security
Seeks to protect all information assets, whether in hard copy or in digital form
Information is one of the most valuable assets
Good business practice
The digital revolution changed how people communicate and conduct business
New possibilities & challenges
Privacy and Data Protection (distinguishing the concepts)
Data privacy is the set of regulations or policies that governs the use of my data when shared with any entity
Data protection is the mechanism — that is, the tools and procedures — to enforce the policy and regulation, including the prevention of unauthorized access or misuse of the data that I agreed to share
- Both are about control of personal data
- The slides give a definition of control, which can be used to fill out an answer: Control = the ability to specify the collection, use, and sharing of their data
Information Security vs Privacy (distinguishing the concepts)
Privacy is an individual’s right to control the use and disclosure of their own personal information
Information security is the process used to keep data private
- Security is the process; privacy is the result
Cybercrime
Cybercrime is an act that violates the law, by using information and communication technology (ICT) either to target networks, systems, data, websites and/or technology or to facilitate a crime
Cybercrime knows no physical or geographic boundaries and can be conducted with less effort, greater ease, and at greater speed and scale than traditional crime
The three aspects of Cybersecurity Law we will study in this course
- Information security obligations
- Privacy and data protection laws
- Cybercrime substantive and procedural laws
Challenges facing cybersecurity
Technical
Growing number of devices
Every computer program, app or website is also software, and software often has vulnerabilities
A virtualized information technology infrastructure (cloud services)
Legal
Increasing number, scope and complexity of legal obligations in relation to information security, privacy and data protection, and differing approaches
Different legal systems between countries, variations in national cybercrime laws, differences in the rules of evidence and criminal procedure, applicability of international treaties
Cybersecurity trends
With the advent of new technologies (e.g., Internet of Things, drones, robots, self-driving cars), new cybercrime trends will be identified and therefore new information security and privacy measures will need to be developed
Cyber attacks may involve:
- SPAM with the capacity to deliver a range of malware
- Spyware and keystroke loggers (3.7 million South Carolina tax records)
- Worms, viruses, Trojans
- Phishing / Spear Phishing / Whaling
- DoS / DDoS
Drivers of Cybersecurity
- Legal
- Growing legal framework establishing safeguarding and information obligations
- Regulatory
- Growing enforcement as a response to ineffective self-regulation
- Commercial
- Growing awareness of risk, economic and legal consequences, trustworthiness of business transactions
What Information Security protects
Processes, procedures and infrastructure to preserve:
- confidentiality
- integrity
- availability of information
- These three are abbreviated CIA
Confidentiality
Confidentiality means that only people with the right permission can access and use information
Protecting information from unauthorised access at all stages of its life cycle
Information must be created, used, stored, transmitted, and destroyed in ways that protect its confidentiality
Ensuring confidentiality – encryption, access controls
Compromising confidentiality – (intentional) shoulder surfing, social engineering; (accidental) publication
It may result in identity theft, threats to public safety
Integrity
Integrity means that information systems and their data are accurate
Changes cannot be made to data without appropriate permission
Ensuring integrity – controls ensuring the correct entry of information, authorization, antivirus
Compromising integrity – (intentional) employee or external attacks; (accidental) employee error
Authentication
Specific to integrity and confidentiality considerations
Ensuring that a machine or person is that which they purport to be
- Creator/sender/signatory of a record
- Person who seeks access to it
In the analogue world: signatures, handwriting, in-person attestation, witnesses, notary public, etc.
In the digital world, it may not only be a person but also a machine we are seeking to authenticate
- Digital Signatures – electronic PKI, other certificates of trust
Availability
Availability is the security goal of making sure information systems are reliable
Data is accessible
Individuals with proper permission can use systems and retrieve data in a dependable and timely manner
Ensuring availability – recovery plans, backup systems
Compromising availability – (intentional) denial of service (DoS) attack, (accidental) outage
Mitigating risks to the trustworthiness of information of corporations and governments (methods)
- Development of strategies and
- Implementation of technologies and procedures in order to preserve its
- confidentiality
- integrity, and
- availability
Risk management
Risk management as a means to justify information security laws
= the process of listing the risks that an organization faces and taking steps to control them
- Vulnerabilities
- Threats
- Risks
- Safeguards
Vulnerabilities
- weakness or flaw in the information system that can be exploited
- construction or design mistake
- flaws in how internal safeguards are used/not used
Successful attacks take place when a vulnerability is exploited
The four aspects of vulnerabilities
People
- separation of duties principle
- two or more people need to split a critical task's functions
Process
- flaws in the organization’s procedures
- missing step in a checklist / no checklist, failure to apply hardware and software patches
Facility
- flaws in physical infrastructure
- fences, locks, CCTV cameras
Technology
- design flaws
- unpatched applications, improperly configured equipment
Threats
Anything that can cause harm to an information system – successful exploits of vulnerabilities
- Threats to information, networks, systems have increased
- More devices, more use, more ‘always on’
- More complex networks with greater ‘attack surface’
- More devices with IoT; smart watches possibly not connected to enterprise authentication systems
- Attacks have grown more sophisticated
- Attacks that take months to achieve goals; undetected
- ‘Ransomware’ = threat to encrypt data unless paid
Relationship between a vulnerability and a threat
An organization does not have sufficient controls to prevent an employee from deleting critical computer files (lack of controls – vulnerability). An employee could delete files by mistake (employee – source of threat) (deleting critical files – threat). If the files are deleted, a successful exploit of the vulnerability has taken place. If the files are not recoverable, the incident harms the organization and its security. Availability is compromised.
[In short, a threat is what results from exploiting a vulnerability, i.e. an “event”, whereas a vulnerability is a flaw that can be exploited, i.e. a “thing”]
The four aspects of threats
Human
- internal and external, includes well-meaning employees and external attackers
Natural
- uncontrollable events (fire, flood)
Technology and operational
- operate inside information systems (malicious code, hardware and software failures)
Physical and environmental
- lack of physical security
- accidental or intentional
- internal or external attackers
Risks
The likelihood that a threat will exploit a vulnerability and cause harm, where the harm is the impact on the organization
** Risk = vulnerability + threat **
Risks can occur at any layer of the information system:
- At the physical hardware or device layer, e.g. when a flood renders servers stored in a basement unavailable;
- At the various software layers, e.g. when hackers exploit a vulnerability in software;
- At the network layer, e.g. when a hacker intercepts data packets as they pass through the network from sender, via routers, to receiver; or,
- At the user layer, e.g. through ‘social engineering’, such as convincing users to share their passwords through ‘phishing’ emails
Risk analysis and management to classify and respond to risks
Probability that a threat will exploit a vulnerability – high, medium, low
Information security impact – loss of confidentiality, integrity and availability
Other impacts – loss of life, productivity or profit, property and reputation
Assessment of impact – address risks that have a large impact on information security
Types of responses: risk avoidance, risk mitigation, risk transfer, risk acceptance
Safeguards
A safeguard reduces the harm posed by information security vulnerabilities or threats
Safeguards can be put in place at all layers of the system:
- At the physical hardware or device layer, e.g. by physically securing server rooms against flooding;
- At the various software layers, e.g. by installing the latest patches;
- At the network layer, e.g. by using virtual private networks (‘VPN’); and,
- At the user layer, by ensuring that all personnel receive appropriate training to recognise phishing emails and other forms of social engineering.
The three kinds of safeguards
- Administrative
- actions and rules implemented to protect information (need-to-know rule)
- Technical
- logical rules that state how systems will operate (least privilege rule)
- Physical
- actions to protect actual physical resources
Mechanisms Ensuring Information Security
No single information security law – no single definition
Different potential sources of liability: statutes, regulations, contracts, organizational governance, voluntary organizations, private law tort
Different kinds of information often sought to be protected:
- personal data under data protection laws
- corporate financial information
- health information
- credit card information
No such thing as perfect information security
Sources of Obligations
- Laws – rules – regulations
- Common law
- body of law that developed through legal tradition and court cases (case law/judge-made law) – impact on torts, contract, and property law
- Statutory law
- written law that is adopted by governments
- [On the difference between these two (the answer below is from new Bing): The main difference between common law and statutory law is that common law is based on precedent, or previous court decisions, while statutory law is based on written laws passed by a legislature or other government agency. Common law is also procedural, meaning it regulates how lawsuits are conducted, while statutory law is substantive, meaning it defines rights and duties of citizens]
- Rules
- governments delegate power to agencies to create rules, enforce rules, and review rules
- Regulations
- regulatory authorities have the power to create and enforce regulations
- Common law
- Standards
Common Law
Tort law
- A tort, in common law jurisdictions, is a civil wrong that unfairly causes someone else to suffer loss or harm, resulting in legal liability for the person who commits the tortious act
- Duty – breach – causation – harm elements
Contract Law
- A contract is an agreement, giving rise to obligations, which are enforced or recognised by law
Regulations
Sector regulators are increasingly auditing companies for their information security management and also issuing ‘regulatory guidance’ or ‘best practice advisories’ on information security
Standards
Emerging guidance in the form of ‘standards’
These standards determine how to comply with a legal duty or self-imposed obligation for adequate/reasonable/appropriate information security
- Standards bodies (ISO; PCI Council)
- International organizations (OECD Guidelines)
- Recent legislation with regulations detailing the necessary steps in the process that will meet the duty of care (GLBA, HIPAA)
Statutes (parliamentary legislation)
These are just some examples; better to look at the slide directly
Scope of Obligations
These legal obligations specify a duty:
- For example, to provide adequate or reasonable or appropriate security
They don’t usually give specific guidance as to what that means or how it is to be accomplished
Issues
The duty to keep information secure is not further specified in the statutes
The GDPR indicates: ‘Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.’
A cost/risk analysis qualifies an appropriate level of security
[The material above really has no single logical thread, so the slides are messy and my notes are messy too; make do with it, there isn’t much content anyway]
What “cyber” in cybersecurity means
It might potentially include any device that has the ability to communicate
- Cybersecurity refers to the systems, contracts and policies we put in place to manage risk with regard to Cyberspace
Main risk areas of cybersecurity
- Threats to corporate files
- Loss of files
- Email attacks and theft
- Threats to industrial control systems
- Threats to confidential information
- Other commercial risks
Main vulnerabilities of cybersecurity
- Password and policy issues
- BYOD and shadow IT
- Loss or theft of devices
- Technical flaws
- Out-of-date applications
- Insider threats
- Data storage issues
- SQL injections, cryptographic flaws
- Cloud-based storage and systems
Next: information security issues in the EU
Conclusions for the EU
[Why put the conclusions first? Because the slides are too messy; the conclusions should all be key points, so read on with these in mind]
- No single source of Information Security obligations – no single definition
- Different types of information – different level of protection – different mechanisms
- EU approach is a principle-based regulation
Directives / Regulations
- Privacy
- EU General Data Protection Regulation (GDPR)
- Telecommunications networks/services
- ePrivacy Directive (regulates the use of electronic communications services)
- Critical Infrastructure
- Network and Information Systems Directive (NIS Directive)
GDPR
Introduction
Organisations that decide to collect and process personal data for their own purposes are known as controllers
A controller may engage a service provider or processor to process personal data on behalf of the controller
A processor is an individual or legal person or other body that processes personal data on behalf of the controller
Scope
The GDPR regulates the processing of personal data
Personal data is any information relating to an identified or identifiable natural person (‘data subject’)
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Relates to living individuals only
Special categories of personal data are subject to a stricter regime
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
Principles
- Principles-based regulation
- The EU has adopted similar risk-based safeguarding and information obligations in respect of telecommunication networks and payment services, as well as under the NIS Directive and the e-Privacy Directive
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and Confidentiality
- ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- Accountability
Information Security Obligation
- Safeguarding obligations, which require organisations to put in place ‘appropriate and proportionate’ security measures, and
- Information obligations, which require the sharing or disclosure of information
- Article 32 requires that the controller:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
- This includes, inter alia:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
- [On inter alia: for details see “the use and translation of inter alia in legal documents” (baidu.com); it is Latin and can be understood as “among other things”]
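As an added illustration of the first Article 32 measure (not code from the course slides or from the regulation), the block below pseudonymises constructed personal-data records: the direct identifiers named in the GDPR definition (name, identification number, online identifier, location data) are replaced with keyed HMAC pseudonyms, the key and lookup table are kept apart from the data as the "additional information" needed to re-identify, special-category fields are flagged, and a check confirms no original identifier leaks into the output. The field names and sample records are assumptions.

```python
"""Pseudonymisation of a personal-data record (one of the GDPR Art. 32 measures).

Added illustration, not code from the course or the regulation. Direct
identifiers are replaced by keyed pseudonyms (HMAC-SHA256); the key and the
lookup table are the 'additional information' that the controller keeps
separately, so a leaked pseudonymised extract alone cannot be attributed to
a data subject, while records of the same person remain linkable.
"""
import hashlib
import hmac
import secrets

# Assumed record schema: fields treated as direct identifiers, following the
# GDPR examples (name, identification number, location data, online identifier).
DIRECT_IDENTIFIERS = ("name", "id_number", "email", "location")
# Assumed fields that hold special categories of personal data (stricter regime).
SPECIAL_CATEGORY_FIELDS = ("health", "ethnic_origin", "religion", "biometric")
PSEUDONYM_LEN = 16  # hex characters kept from the HMAC output (64 bits)


def make_pseudonym(field, value, key):
    """Deterministic keyed pseudonym: same (field, value, key) -> same output."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:PSEUDONYM_LEN]


def pseudonymise(record, key):
    """Return (pseudonymised copy, lookup) where lookup maps each pseudonym back
    to the original value; the lookup is stored apart from the data."""
    out = dict(record)
    lookup = {}
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is None:
            continue
        pseudo = make_pseudonym(field, out[field], key)
        lookup[pseudo] = out[field]
        out[field] = pseudo
    return out, lookup


def re_identify(pseudonymised, lookup):
    """Reverse the mapping with the separately held lookup table."""
    out = dict(pseudonymised)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) in lookup:
            out[field] = lookup[out[field]]
    return out


def leaks_identifier(pseudonymised, original):
    """True if any original direct-identifier value survives anywhere in the
    output; run this before releasing a pseudonymised extract."""
    id_values = {str(original[f]) for f in DIRECT_IDENTIFIERS
                 if original.get(f) is not None}
    blob = " ".join(str(v) for v in pseudonymised.values())
    return any(v in blob for v in id_values)


def special_categories(record):
    """Special-category fields that are populated in the record."""
    return [f for f in SPECIAL_CATEGORY_FIELDS if record.get(f) is not None]


# Constructed sample records; not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "id_number": "ID-0001",
     "email": "alice@example.test", "location": "Beijing",
     "health": "asthma", "purchase": "inhaler"},
    {"name": "Alice Example", "id_number": "ID-0001",
     "email": "alice@example.test", "location": "Beijing",
     "health": None, "purchase": "bandages"},
]


def pseudonymise_all(records, key=None):
    """Pseudonymise every record under one key; returns (records, lookup).
    A fresh random key is generated when none is supplied."""
    key = key if key is not None else secrets.token_bytes(32)
    lookup, out = {}, []
    for rec in records:
        p, lk = pseudonymise(rec, key)
        lookup.update(lk)
        out.append(p)
    return out, lookup


if __name__ == "__main__":
    recs, table = pseudonymise_all(SAMPLE_RECORDS)
    for rec, orig in zip(recs, SAMPLE_RECORDS):
        print(rec, "| special categories:", special_categories(rec),
              "| leaks identifier:", leaks_identifier(rec, orig))
    print("re-identified name:", re_identify(recs[0], table)["name"])
```

Both sample records carry the same pseudonyms, so a processor can still link one person's records, but only the controller holding the key and lookup table can say who that person is.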
Information Obligation
- Article 33 creates a legal duty on all organisations to report certain types of personal data breach to the relevant supervisory authority
- within 72 hours of becoming aware of the breach, where feasible
- Article 34 requires the controller to notify data subjects affected or potentially affected by the breach
Data Breach
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
- This includes breaches that are the result of both accidental and deliberate causes
- A security incident that has affected the confidentiality, integrity or availability of personal data
When a personal data breach has occurred, organisations need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms
- Likelihood of risk –> need to report it
- No likelihood of risk –> no need to report it
The adverse effect of a security incident on individuals may include emotional distress, and physical and material damage
Contract law aspects
GDPR Article 28 states that controllers must include in contracts with processors:
- The processor shall not engage another processor without prior specific or general written authorisation of the controller
- Processing by a processor shall be governed by a contract or other legal act
- which sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller
NIS Directive 2
Introduction
NIS Directive 2 regulates the cybersecurity of critical national infrastructure, and updates the previous version
- It covers more sectors and activities than before, streamlines reporting obligations and addresses supply chain security
It applies to providers of critical national infrastructure (CNI):
- Operators of essential services (OES), which are directly responsible for CNI
- Digital service providers (DSPs), which provide services upon which others, including OES, are reliant
Scope
Operators of essential services (OES) provide a listed service in one of seven critical infrastructure sectors: energy, transport, banking, financial markets, health, drinking water, and digital infrastructure
They operate on such a scale that their service is “essential for the maintenance of critical societal and economic activities”
A digital service is a new subset of the category of service known as ‘information society services’, which is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services
Digital service providers (DSPs) are:
- an online marketplace;
- an online search engine; or
- a cloud computing service
Tort Law
A private law mechanism
Data controllers can be held liable under the tort of negligence for damages caused by cybersecurity incidents that they should have reasonably foreseen and prevented or mitigated
To hold data controllers liable, a court would have to find that (i) the operator had a duty of care to the person(s) who suffered harm which (ii) the operator failed to fulfil
Requirements
Duty – breach – causation – harm
A duty of care may arise from:
- common law principles governing negligence
- a special / contractual relationship between the defendant and the claimant
- a statute or regulation governing a specific activity
There must be proximity between the parties for a duty of care to exist
Foreseeability means that a person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
Damage needs to be proven by claimants – economic loss or emotional harm
Next: the US material
Privacy and data protection - 1. HIPAA - US Health Insurance Portability and Accountability Act (health information privacy)
Personal health information is considered very sensitive
- Confidential medical records
- Public embarrassment, discrimination
- Medical identity theft
HIPAA protects the privacy and security of personal health information
Scope
The Privacy and Security Rules apply to covered entities and determine how they may create, store, use or disclose protected health information (PHI)
- Applies information security principles established in other industries
Definitions
PHI is any individually identifiable information about the health of a person, including past, present or future mental or physical health information
Covered entities are those that handle PHI in a certain way – health plans, health care providers, health insurance companies, etc.
It also applies to business associates of covered entities
Security Rule
A Covered Entity must “implement policies and procedures to prevent, detect, contain and correct security violations.”
The Security Rule requires covered entities to use security safeguards, which must protect the confidentiality, integrity and availability of electronic protected health information (EPHI) from reasonably anticipated threats
Security Rule Standards
The Security Rule contains instructions how to use information security safeguards
安全規(guī)則包含如何使用信息安全保障措施的說明
Also contains standards, which are required to be met for each safeguard area
安全規(guī)則包含如何使用信息安全保障措施的說明
Detailed instructions for meeting the standards are implementation specifications (IS)
滿足標(biāo)準(zhǔn)的詳細(xì)說明見實(shí)施規(guī)范(IS)。
Implementation Specifications(IS)
Required specifications – compulsory
所需規(guī)范 - 強(qiáng)制性
Addressable specifications – covered entities decide whether it is reasonable and appropriate to the particular environment and the cost to implement these
可尋址規(guī)范-涉及 實(shí)體決定其是否合理和適合特定環(huán)境以及實(shí)現(xiàn)這些規(guī)范的成本
Covered entity can either 涉及實(shí)體可以
- Implement the IS as published 按照發(fā)布的IS實(shí)施
- Implement some alternative (and document why) 實(shí)現(xiàn)一些替代方案(并記錄原因)
- Not implement the IS at all (and document why) 根本沒有實(shí)現(xiàn)IS(并記錄原因)
Types of Safeguards - 三種
Administrative Safeguards 管理保障措施
- Actions, policies and procedures to prevent, detect, contain and correct information security violations 防止、檢測(cè)、控制和糾正信息安全違規(guī)行為的行動(dòng)、政策和程序
- The largest part of the Rule is the management process 規(guī)則中最重要的部分是管理過程
Physical Safeguards 實(shí)體防護(hù)
- Controls to protect physical resources 控制保護(hù)實(shí)體資源
Technical Safeguards 技術(shù)保障措施
- Controls applied in the hardware and software on an information system 在信息系統(tǒng)的硬件和軟件上應(yīng)用的控制
2. COPPA - Children’s Online Privacy Protection Act
Scope
Sectoral approach: the law is derived partly from federal statute, but also from state law, case law and increasingly from the decisions and guidance of the Federal Trade Commission (FTC)
**Children’s Online Privacy Protection Act** (COPPA) requires that operators of commercial websites and online services directed to children under the age of 13, or general-audience websites and online services that knowingly collect personal information from children under 13, must obtain parental consent before collecting, using, or disclosing any personal information from children under the age of 13
In 2011, the FTC and the games company Playdom agreed to a $3 million settlement over Playdom’s alleged breaches of the Children’s Online Privacy Protection Act
In 2019, Google’s YouTube paid $170 million to settle allegations by the FTC and the New York attorney general that it illegally collected personal information from children without their parents’ consent; the highest settlement yet
3. CCPA - California Consumer Privacy Act
**California Consumer Privacy Act** (CCPA) came into effect in January 2020 – the most comprehensive privacy legislation to date
*Personally identifiable information* (PII) includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (under the CCPA)
Applies to any business that collects or processes PII from California residents, and
- has annual gross revenues of $25,000,000 or more;
- buys, collects, sells, shares, or otherwise receives the PII of 50,000 or more California consumers, households or devices per year; OR
- derives at least 50% of its revenue from selling consumers’ personal information
This will most likely capture most apps or free-to-play games
Breach Notification Laws
Legislation adopted in 47 US states requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable data
Provisions include:
- who must comply with the law (businesses, data/information brokers, government entities);
- definitions of ‘personal information’ (name combined with SSN, driver’s license or state ID, account numbers);
- what constitutes a breach (unauthorized acquisition of data);
- requirements for notice (timing or method of notice, who must be notified)
FTC - Federal Trade Commission Act
Consumer Protection Regulations
The FTC is an independent federal agency and the most important regulatory authority for consumer protection issues
Section 5 forbids unfair and deceptive trade practices
The FTC has now brought over 50 information security cases
Scope
Unfair
- Causes or is likely to cause substantial harm/injury to the consumer
- The consumer cannot reasonably avoid the harm
- There is no benefit to the practice that outweighs the harm
Deceptive
- Representation or omission likely to mislead the consumer
- Not reasonable from the perspective of the consumer
- Affects the consumer’s decision; the harm is that, had the representation been accurate, the consumer would likely have decided otherwise
Priorities
Children Under 18: Harmful conduct directed at children under 18 has been a source of significant public concern; now FTC staff will similarly be able to expeditiously investigate any allegations in this important area
Algorithmic and Biometric Bias: Allows staff to investigate allegations of bias in algorithms and biometrics
Deceptive and Manipulative Conduct on the Internet: This includes, but is not limited to, the “manipulation of user interfaces,” including dark patterns, also the subject of a recent FTC workshop
Limitations
In April 2021, the Supreme Court ruled in AMG Capital Mgmt., LLC v. FTC that the agency lacks power to seek monetary recovery under Section 13 of the FTC Act
- To be rectified by Congress?
Lack of technical expertise and staff to regulate consumer cybersecurity
The ideal solution is for Congress to create a robust cybersecurity framework and an agency empowered to enforce it
For the time being, the FTC fills a void in America’s cybersecurity ecosystem
Tort Law
Tort law: a body of civil law dealing with compensation for damage caused by another person’s negligence or wrongful act
Information security lawsuits commonly include claims of negligence, **breach of fiduciary duty** or breach of contract, individually or together
**Negligence** is generally defined as a breach of the duty not to impose an unreasonable risk on society
**Breach of fiduciary duty** is a failure to fulfil an obligation to act in the best interest of another party
Some recent cases have argued that data breaches are subject to strict liability
**Strict liability** means that the manufacturer of a product is automatically responsible for any injuries caused by the product (typically product liability cases)
Negligence
To establish a claim, the plaintiff has to prove:
- the existence of a legal duty on the part of the defendant not to expose the plaintiff to unreasonable risks
- a breach of the duty – a failure on the part of the defendant to act reasonably
- a causal connection between the defendant’s conduct and the plaintiff’s harm, and
- actual damage to the plaintiff resulting from the defendant’s negligence
Negligence – Foreseeability
Central concept of the law of negligence
A person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
Example: a database owner fails to patch a security vulnerability, thereby paving the way for a cyber attacker to obtain unauthorized access to confidential information
Negligence - Cases
In Anderson v. Hannaford Brothers Co., a third party stole a grocery store’s debit and credit card data, and the court used a negligence standard to assert a standard of care based on breach of implied contract
In Patco Construction Co. v. People’s United Bank, the bank had a state-of-the-art security program but failed to set the fraud activity triggers at an appropriate level
Fiduciary Duty
Fiduciary duty: a legal obligation requiring the person who bears it (such as a lawyer, banker or company director) to act honestly, loyally and prudently when handling another person’s property or affairs, so as to protect the beneficiary’s interests
Special relationships – between a provider and consumer, employer and employee, or fiduciary and beneficiary – are usually based on a contractual promise (explicit or implied)
Corporations owe fiduciary and good faith duties to shareholders to obey the scope of their powers, be diligent and act in the corporation’s interests
To establish a claim, the plaintiff has to prove:
- the existence of a binding agreement;
- that the non-breaching party fulfilled its obligations, if it had any;
- that the breaching party failed to fulfil its obligations;
- the lack of a legal excuse; and
- the existence of damages sustained due to the breach
Tort Law – Statutes II
A statute may impose a duty of care for how entities use or limit access to personal information in the normal course of business
Statutes
- Fair Credit Reporting Act
In the *Equifax* data breach, the Fair Credit Reporting Act imposed a specific statutory duty to maintain reasonable procedures to ensure information security, and failure to do so creates civil liability for non-compliance
Tort Law – Harm
Actual harm is the most straightforward
Concrete and particularized injury that is actual or imminent, not conjectural or hypothetical
Problematic for cases of data breaches
Theory of ‘future harm’ establishing a threat of future identity theft
Harm – cases
In these cases, the hackers intentionally targeted the personal information compromised in the data breaches – evidence of harm
- In *Galaria* (hackers broke into Nationwide’s computer network and stole the personal information of 1.1 million customers),
- In *Remijas* (why else would hackers break into a store’s database and steal consumers’ private information?)
- In *Pisciotta* (the scope and manner of the intrusion into the banking website’s hosting facility was sophisticated, intentional and malicious)
On the other hand, in *Katz* and *Beck* the claims were too speculative: there was no evidence that the stolen information had been accessed or misused, or that the plaintiffs had suffered identity theft
Contract Law
Breach of contract is the failure to fulfil a condition of a contract
Data breach claims – a written agreement or privacy policy, or state consumer protection laws, may create an implied contract
COPPA, HIPAA and others require contracts with processors and other third parties that impose obligations to ensure that information is kept secure
The Massachusetts Data Security Regulations address the selection of third-party vendors, requiring companies to take *reasonable* steps to select and retain vendors that have the capacity to maintain appropriate security measures for personal information
Vendors also must be contractually required to maintain safeguards
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB
Control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The following covers China
PRC Cybersecurity Law
Provides for supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection of personal information
It also establishes a regulatory regime in respect of critical information infrastructure and imposes data localization requirements for certain industries
Network operators must adopt technological measures and other necessary measures to ensure the security of the personal information they gather, and prevent personal information from being leaked, destroyed or lost
Network operators are subject to the following requirements when collecting and using personal information:
- Collection and use of personal information must be legal, proper and necessary.
- Network operators must clearly state the purpose, method and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
- Network operators shall not disclose, alter or destroy collected personal information; without the consent of the person from whom the information was gathered, such information shall not be provided to others.
- In the event of a data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
- In case of illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when the information collected is wrong, an individual can request correction.
Operators of Critical Information Infrastructure
Regulators and law enforcement have wide discretionary powers to review and inspect the IT systems of companies
The CSL requires critical information infrastructure operators in important sectors to fulfil certain security protection obligations
There is no definition yet of which organisations qualify as operators of critical information infrastructure
The Civil Code
‘Personal information’ is defined as all kinds of information, recorded electronically or otherwise, that can be used independently, or in combination with other information, to identify specific natural persons, including the natural persons’ names, dates of birth, ID numbers, biometric information, addresses, telephone numbers, email addresses, health information, whereabouts, etc.
The Specification makes minor wording changes to the definition of ‘personal information’ under the CSL and the Civil Code
It also defines ‘personal sensitive information’ as personal information that, once leaked, unlawfully provided or abused, may cause harm to personal or property security, or is very likely to result in damage to an individual’s personal reputation or physical or mental health, or give rise to discriminatory treatment
Data Localization
**Personal Information Protection Law (PIPL)** sets out a stricter data localization requirement: personal information processed by state organs, critical information infrastructure operators (not yet defined), and data processors that have reached or exceeded the personal information processing threshold shall be stored inside China, or undergo a risk assessment by the National Cyberspace Administration or related departments when cross-border data transfer is required
To comply with this law, many US and EU companies have been taking compliance measures, such as segregating local Chinese data from other data. Various companies (including Microsoft and Amazon Web Services) have also started offering cloud services in China to meet the business needs of multinational companies doing business in China
Who owns personal information?
China has not had a specific stipulation on the ownership of personal information, and it has been disputed whether personal information belongs to the relevant personal information subjects
The Civil Code stipulates the protection of personal information in the ‘Personality Rights’ Chapter, indicating that the rights pertaining to personal information are personality rights of the personal information subjects
Telecommunications / ISP Law
**The Provisions on Telecommunication and Internet User Personal Information Protection**, effective from September 1, 2013
Applicable to telecommunications and Internet service providers
Duty to keep information in proper custody, to mitigate harms from actual or suspected disclosure, and to notify of breaches (actual or suspected)
Article 13 imposes the following information security requirements on telecommunications operators and Internet service providers:
- Specify the responsibilities of each department / role in terms of security of personal information;
- Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;
- Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
- Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
- Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
- Undertake communications network security protection work as required by the relevant telecommunications authority
Breach Notification Law
The *PRC Cybersecurity Law* introduced a general requirement for the reporting and notification of actual or suspected personal information breaches
Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organizations must promptly take relevant measures to mitigate any damage, notify the relevant data subjects and report to the relevant government agencies in a timely manner in accordance with the relevant provisions
The *PIS Specification* provides detailed guidance on reporting and notification of personal data breaches or security incidents
Consumer Protection Law
The PRC Consumer Rights Protection Law, effective from March 15, 2014, contains data protection obligations applicable to all types of businesses that deal with consumers:
- State the purpose, method, scope and rules of collection of consumers’ personal information;
- Keep consumers’ personal information confidential and not disclose, sell or illegally provide it to others;
- Have mechanisms in place to ensure the security of information collected; and
- Not send unsolicited communications to consumers
E-Commerce Law
The E-Commerce Law, effective from January 1, 2019, aims to gain greater control over the online consumer markets, where there has been little or no regulation
Together with other data protection and information security laws, the principles are:
- Data controllers should strengthen management of information provided by users, prohibit the transmission of unlawful information and take necessary measures to remove any infringing content, then report to the supervisory authorities
- Sufficient notice and adequate consent should be obtained from data subjects prior to the collection and use of personal information
- Further obligations are imposed on mobile app providers, including but not limited to conducting real-name identification and undertaking information content review
- Data subjects have specific rights, such as to access their data, to have their data corrected, to request deletion of data in the event of a data breach, to de-register their account, etc.
Private and Tort Law
The PRC Tort Liability Law, effective from July 1, 2010, provides that tortious liability arises upon the infringement of ‘civil rights and interests’
Provisions found in laws such as the **General Principles of Civil Law** and the **Tort Liability Law** have generally been used to interpret data protection rights as a *right of reputation* or right of privacy
Article 36 of the Tort Law creates obligations for Internet service providers (ISPs)
- A network user or network service provider who infringes upon the civil rights or interests of another person through the network shall assume tort liability
Chinese courts have allowed damages for emotional distress connected with disclosure
Sources
Numerous legal sources impose obligations on organisations to provide security for different kinds of information
The source of the legal obligation, and the object or reason for which the information is to be made secure, can differ
With these different legal obligations come potential sanctions or liabilities
Greater risk to a company that does not secure its information
Issues
The duty to keep information secure is not further specified in the statutes
The GDPR indicates:
- ‘Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security *appropriate* to the risks represented by the processing and the nature of the data to be protected’
A cost/risk analysis qualifies an appropriate level of security
No further guidance
Emerging Guidance (EU, US)
The **European Union General Data Protection Regulation** requires an “adequate” level of data protection but offers no explanation or definition for the term
In the United States, the **Health Insurance Portability and Accountability Act (HIPAA) Security Rule** for healthcare and the **Safeguards Rule** for financial services have been among the most prescriptive, and Massachusetts has led the way among states, providing 18 specific standards for protecting personal information
The **Federal Trade Commission** considers the collection of personal information without providing reasonable security to be an unfair practice, but the U.S. Court of Appeals for the 11th Circuit’s decision to vacate the commission’s order against LabMD in 2018 showed the legal challenges raised by an imprecise standard; the court found that the FTC’s requirement for “LabMD to overhaul and replace its data-security program” was unenforceable because of an “indeterminable standard of reasonableness.”
Standards
Consequently, many information technology organizations have focused instead on aligning their operations with recognized security frameworks such as the International Organization for Standardization (ISO) 27001, Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) and others.
因此,許多信息技術(shù)組織轉(zhuǎn)而關(guān)注將其操作與公認(rèn)的安全框架(如國(guó)際標(biāo)準(zhǔn)化組織(ISO) 27001、支付卡行業(yè)數(shù)據(jù)安全標(biāo)準(zhǔn)(PCI DSS)、國(guó)家標(biāo)準(zhǔn)與技術(shù)研究所(NIST)等)保持一致。
Definition
Standard is…
- established or widely recognised as a model of authority or excellence (a standard reference work) 已建立或被廣泛認(rèn)可為權(quán)威或卓越的典范(標(biāo)準(zhǔn)參考作品)
- conforming to or constituting a standard of measurement or value; or of the usual or regularized or accepted kind (windows of standard width, standard fixtures, standard operating procedure) 標(biāo)準(zhǔn)的:符合或構(gòu)成測(cè)量或價(jià)值標(biāo)準(zhǔn)的;或通常的、規(guī)范的或可接受的類型(標(biāo)準(zhǔn)寬度的窗戶、標(biāo)準(zhǔn)固定裝置、標(biāo)準(zhǔn)操作程序)
- the ideal in terms of which something can be judged (they live by the standards of their community) 可以評(píng)判事物的理想(他們按照社區(qū)的標(biāo)準(zhǔn)生活)
ISO Definition
ISO/IEC Guide 2:1996 promulgated by the International Organization for Standardization (ISO) defines a standard as follows:
- “a standard is a document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.”
Types of Standard
Informal/formal
- White wedding dresses / 802.11b
De facto standard: a standard that is widely accepted and used in practice, even though it may have no formal authoritative approval
- Achieved dominant position
- Tradition, enforcement, or market dominance – such as white wedding dresses, TCP/IP, iPhones or Microsoft Windows
- Not necessarily receiving formal approval by means of standardization process and may not be an official standard document
De jure standard (statutory or official standard)
- Standard contractual terms
Social, technical, commercial, …
Benefits
Joint mastery of problems
- Technical and other issues
Helps choices
- Reduces uncertainties
- No need to test further
Makes operations smoother
- Conformity to expectations
Advances progress
- Anticipate further developments
Avoids conflicts
Conformity with Standards
Often by certification process – third party audit
- Testing labs
Value
- Mark of conformity: a mark or label indicating that a product or service meets the requirements of a particular standard, specification or regulation
- Quality certificate: a document attesting that a product or service meets particular quality standards, usually issued by an authoritative body
- Market entry requirements
Manufacturing and distribution of telecommunication equipment to meet national, regional, international standards of performance, safety, interoperability
National Standards Bodies
Usually an official national representative of ISO
May be responsible for uniform standardization throughout the country
Laws regulating the creation of standards
Compulsory – health and safety
Voluntary – other industries
International Standards Bodies
Numerous recognised international bodies with standards making functions
Non-treaty bodies
- International Organization for Standardization (ISO)
- International Electrotechnical Commission (IEC)
Treaty bodies
- International Telecommunication Union (ITU)
OECD 2002 Information Security Guidelines
OECD legal instruments: decisions, conventions, recommendations, guidelines
Guidelines = non-binding, represent political will of members, great ‘moral force’
Standards setting role
- OECD’s legal instruments set standards for members in a variety of policy areas
- Non-members who adhere to OECD’s legal instruments agree to implement the standards and measures, including relevant legislation addressed by the instrument
ISO/IEC
27001:2005: ‘Information technology – Security techniques – Information security management systems – Requirements’
- Information Security Management System (ISMS)
- Used with ISO 27002 ‘Code of Practice for Information Security Management’
- Lists security control objectives
- Recommends a range of specific security controls
- Certification possible
- Three stage audit by certification body
Revised by ISO/IEC 27001:2013
PIS Specification I
National Standard of Information Security Technology – Personal Information Security Specification, effective from October 1, 2020 (PIS Specification)
A standard to determine whether companies are following China’s data protection rules
Businesses that collect or process personal information in China should check their current practices against this Specification to identify and minimize their potential risks
De Jure Standards
Legal requirement for appropriate level of information security process:
US Health Insurance Portability and Accountability Act (HIPAA)
- Privacy rule: privacy standards, including who can have access to protected health information (PHI) (all forms)
- Security rule: controls for ensuring access only to those who should have it (electronic information only)
Laws requiring compliance with PCI DSS (the Payment Card Industry Data Security Standard)
- Normally, PCI DSS is a private standard with contractual liability only
- PCI DSS is developed and promoted by the PCI Security Standards Council
- The Council was formed by five of the most prominent credit card payment brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. – in response to increasing credit card fraud and data security breaches
- Some US states incorporated the standard into state law