Security of Critical Information Infrastructure: Legal Issues

Transcription

1 Security of Critical Information Infrastructure: Legal Issues Edward Bekeschenko, Partner INFOC Committee Meeting 26 May 2017

2 Agenda 1 Trends in Russia 3 2 International Practices 8

3 1 Trends in Russia

4 Recent Developments Draft Law "On Security of Critical Information Infrastructure of the Russian Federation" Prepared by the Federal Security Service of the Russian Federation Submitted to the Russian Parliament on 6 December 2016 Adopted in its first reading on 27 January 2017

5 Critical Information Infrastructure of the Russian Federation ("CII") IT systems and telecommunication networks applied by/in: state authorities defense industry transport financial system fuel industry space-rocket industry metallurgy industry healthcare industry communications industry energy industry nuclear industry mining industry chemicals sector + electric communication networks Objects of CII 5

6 Key Provisions categorization of objects of CII based on their social, political, economical, ecological and state security significance; register of significant objects of CII; security requirements for significant objects of CII; state system of detection, prevention and elimination of consequences of computer attacks against information resources of the Russian Federation; state supervision over the security of significant objects of CII. 6

7 Subjects of CII Subjects of Critical Information Infrastructure state authorities companies owning or otherwise lawfully possessing objects of CII telecoms providers maintaining connectivity between objects of CII Duties of Subjects of CII: notify Russian authorities on computer incidents; support Russian authorities in detection, prevention and investigation of computer attacks; comply with requirements to operation of technical facilities used to detect computer attacks; comply with special security requirements; comply with improvement notices issued by the Russian authorities with respect to implementation of security requirements; eliminate consequences of computer attacks; provide unimpeded access to the Russian authorities to significant objects of CII applicable to significant objects of CII only 7

8 2 International Practices

9 Regulation of Critical Information Infrastructure in China China Critical Information Infrastructure (CII) = infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest (specific reference is made to key sectors of economy and public management). Operators of CII are specifically required to store personal information and other "important data" collected and generated during operations within China. If it is "truly necessary" for a CII operator to store or provide such data overseas for business reasons, it must undergo a government security assessment/approval process. "Critical network equipment" and "specialized cybersecurity products" must satisfy the national compulsory standard and must be inspected or certified by a qualified institution before such products are permitted to be sold or provided in China. 9

10 Global Data Localization Trends (1/2) Kazakhstan Germany Vietnam A broad residency requirement for personal data effective 1 January No public enforcement of the law as of today. Requirement to retain and locally store connection meta data on German territory applicable to telecommunications and online service providers starting 1 July Requirement for IT service providers to maintain, within Vietnam, a copy of any information they hold in order to facilitate inspection by authorities. A requirement for online social networks, aggregated information websites, mobile telecom network-based services and online games services to have a local server in Vietnam (i.e., at least one server must be located in Vietnam). 10

11 Global Data Localization Trends (2/2) Indonesia Argentina Brazil Requirement for "public service providers" to store data locally for several years. The Ministry of Communications and Informatics has reiterated in a new personal data regulation that "electronic system operators in public services" must store personal data locally by October Argentina is working on new legislation that would require data residency for information collected or maintained by the Argentine government. Brazil included a data residency requirement in drafts of its 2014 Internet law, but removed the requirement shortly before the law was enacted. 11

12 Thank you! Edward Bekeschenko Partner Baker & McKenzie - CIS, Limited White Gardens, 10th Floor 9 Lesnaya Street Tel: Direct: Mobile: ed.bekeschenko@bakermckenzie.com Baker & McKenzie CIS, Limited is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as Attorney Advertising requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.