What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
Data Protection & Cyber Security
Both the data controller and the data processor are required to ensure the security and confidentiality of the PII being processed. The important difference is that the scope of the measures implemented by the processor depends on the data controller's assignment and instructions.
Russian data protection law sets out a four-layered approach to data protection.
As the first layer, the Personal Data Law sets out a very broad list of security measures that may be applied by the data controller. Such general measures include, for example, the appointment of a data protection officer, data recovery, the implementation of internal policies, the use of information security tools, keeping records of PII media, etc.
In addition to the general measures prescribed by law, the Russian Government has defined a number of specific measures that the data controller must implement (second layer). The extent of these measures depends on the types of security threat to the PII. Companies must perform threat modelling of the database or system that processes or stores PII in order to identify and categorise the threats most likely to affect it.
Based on that threat modelling, the information system is placed into one of three categories of security threat. The threat category determines the level of data protection and the particular set of security measures that must be implemented to safeguard the PII.
There is further detailed statutory guidance on how the organisational and technical security measures prescribed by the Russian Government are to be implemented (third layer). This guidance is provided by FSTEC (see Q.1).
In its respective order, FSTEC specifies general groups of security measures (e.g., identification and authentication of persons and objects having access to PII; restricting the software environment; ensuring the safety of machine-readable media used for storing and processing PII; recording any events related to information protection; ensuring antivirus protection, etc.). Each of these general groups contains a list of more particular measures that are mandatory for a particular level of PII protection. This list is called the "basic list of security measures".
The fourth layer is the implementation of the exact solutions corresponding to the basic security measures required of the company.
In practice, all of this guidance is quite general and leaves companies with considerable discretion in their threat modelling. Because the threat category drives the protection level, a company auditing its data protection system can substantially influence the level of protection it is assigned and the security measures that apply to it.
The Data Protection Law states that the responsible person or user of a database shall adopt the necessary technical and organizational measures to guarantee the protection and confidentiality of personal data.
In that connection, through Resolution No. 47/2018 the Data Protection Authority approved security measures for the processing and conservation of personal data that serve as a set of guidelines to comply with the security obligation described in the above paragraph. Annex I of this regulation includes recommendations for data stored through electronic means, in particular regarding: a) the collection of data; b) the control of access to data; c) the control of modifications to data; d) backup and recovery; e) vulnerability management; f) destruction of information; g) security incidents; and h) development environment.
In addition, the data controller and any person who intervenes in any phase of the processing of personal data have a duty of professional secrecy. The duty persists even after the relationship with the data subject has ended. The duty of secrecy is lifted only where required by a judicial resolution or for reasons of public safety, national defence or public health.
The LGPD establishes that processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
The Internet Act provides security requirements for internet service providers. Decree 8.771/2016 sets out the security standards for handling personal data and private communications, as follows:
- definition of responsibilities and authentication mechanisms so as to ensure the individualisation of the persons who will have access to and handle the data, together with detailed access logs;
- creation of a detailed inventory of access to connection records and to applications, containing the time, duration, identity of the employee or individual responsible for the access within the company, and the file accessed; and
- record management solutions using techniques that ensure the inviolability of the data, such as encryption or equivalent protection measures. The safeguarding and availability of connection logs and access data, as well as PII and the content of private communications, must meet security requirements that preserve the intimacy, privacy and image of the parties directly or indirectly involved.
Moreover, the Brazilian Central Bank issued Resolution 4.658/2018, which provides a cyber security policy and the requirements for contracting services of data processing, data storage and cloud computing to be observed by financial institutions and other institutions licensed by the Brazilian Central Bank.
The GDPR requires PII owners to process personal data in a manner that ensures an appropriate level of security. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f) GDPR).
When implementing appropriate technical or organisational measures, controllers and processors must consider the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing against the risks to the data subjects’ rights and freedoms. When choosing appropriate measures, the following are considered:
- Pseudonymisation and encryption of personal data
- Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the measures’ effectiveness for ensuring secure processing
- The ability to ensure that any personnel of the controller or processor who have access to personal data do not process them except on the controller's instructions, or where EU or Member State law requires the processing (Article 32 GDPR, in particular Article 32(4)).
The above security obligations fully apply in Bulgaria. In addition to GDPR requirements, the PDPA introduces the following security-related specific rules:
- Pursuant to Article 25g, para. 2 PDPA, data controllers providing electronic services must take appropriate technical and organisational measures to prevent the national personal identification number (or the personal identification number of a foreigner) from being the only means of identifying the user when providing remote access to the service.
With the entry into effect of the GDPR, the Bulgarian Ordinance No 1 of 30 January 2013 on the Minimum Level of Technical and Organisational Measures and the Admissible Type of Personal Data Protection (Ordinance No 1) was repealed. The Bulgarian CPDP has announced that it will issue a soft-law instrument (Methodological Guidelines) to replace Ordinance No 1, but when this will happen remains unknown.
Art. 7 FADP sets out that personal data must be protected against unauthorised processing through adequate technical and organisational measures. Switzerland has chosen a risk-based approach, i.e. it did not specify the necessary security measures.
Art. 8 of the Ordinance to the FADP sets out that the technical and organisational measures must be adequate. In particular, they must take account of the following criteria:
- the purpose of the data processing;
- the nature and extent of the data processing;
- an assessment of the possible risks to the data subjects;
- the current state of the art.
It further requires that the measures must be periodically reviewed.
More specifically, art. 9 of the Ordinance to the FADP requires the following kind of measures:
- Entrance Control: Unauthorised persons must be denied access to facilities in which personal data is being processed;
- Personal Data Carrier Control: Unauthorised persons must be prevented from reading, copying, altering or removing data carriers;
- Transport Control: On the disclosure of personal data as well as during the transport of data carriers, the unauthorised reading, copying, alteration or deletion of data must be prevented;
- Disclosure Control: Data recipients to whom personal data is disclosed by means of devices for data transmission must be identifiable;
- Storage Control: Unauthorised storage in the memory as well as the unauthorised knowledge, alteration or deletion of stored personal data must be prevented;
- Usage Control: The use by unauthorised persons of automated data processing systems by means of devices for data transmission must be prevented;
- Access Control: Access by authorised persons must be limited to the personal data that they require to fulfil their task ("need-to-know");
- Input Control: In automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by which person.
There is no official list of security measures established by any regulation, so companies must analyse their own circumstances to define the security measures applicable to them. Controllers may apply international or national security standards, such as the ISO standards, although this is not a compulsory requirement.
For small businesses, the Spanish cyber security institute, a government-related organisation whose objective is the development of cyber security and the digital trust of citizens, regularly publishes guidelines to help entities observe the minimum security measures needed to protect their information.
- In relation to security matters, mention should be made of Law No. 19,223 on cybercrimes, enacted in 1993 with four provisions; this law is nowadays outdated. In April 2017, Chile deposited its instrument of accession to the Budapest Convention on Cybercrime, and in August 2017 Chile became the 54th country to join the Convention and the first in South America. Law No. 19,223 covers a sub-category of cybercrime concerned with interference with the logical components of cyberspace (computer programs, information systems, databases), known as computer-related crimes; it criminalises unauthorised access to, and theft and destruction of, information systems and/or information.
- In addition, in October 2018 the government introduced a bill in Congress (Bill No. 12192-25) that establishes new rules on cybercrimes, repealing Law No. 19,223 and amending other legal bodies in order to bring them into line with the Budapest Convention.
- Net Neutrality Law No. 20,453 states the principle that ISPs and those that own and administer the backbone of the internet service must not discriminate or differentiate among the information that runs through their equipment or network infrastructure. This law was complemented by a special regulation, published on 18 March 2011, which establishes the specific requirements that ISPs must meet in connection with these network neutrality obligations. In addition, PTS concessionaires that provide internet access services (IAS), service providers (SP) and ISPs: cannot arbitrarily block, interfere with, discriminate against, obstruct or restrict the right of any internet user to use, send, receive or offer any legitimate content, application or service through the internet, or any other legitimate activity or use performed through the network; must provide each user with internet access or connectivity to the internet access provider, as appropriate, that does not arbitrarily distinguish content, applications or services on the basis of their source or ownership, taking into account the different configurations of the internet connection under the user's current contract; cannot limit the right of a user to add or use any kind of tool or device on the network, provided that it is legitimate and does not damage or harm the network or the quality of service; must provide, at the expense of users who request them, parental control services for content contrary to law, morality or good customs, provided that the user is clearly and precisely informed in advance about the scope of such services; and must publish on their websites all information about the characteristics of the internet access service offered, its speed and link quality, distinguishing between national and international networks, as well as the nature of the service and the service warranties. Nevertheless, PTS providers and ISPs may take the measures or actions necessary for traffic and network management, within the exclusive scope of the activity licensed to them, provided that this is not designed to affect, or capable of affecting, free competition. PTS providers and ISPs must seek to preserve user privacy, virus protection and network security.
Security obligations are imposed specifically by Arts. 5, 25 and 32 GDPR. Art. 5 GDPR establishes the principles of the GDPR, including integrity and confidentiality (Art. 5(1)(f)), which protect the data subject's right to informational self-determination. Under this principle, service providers, controllers and processors alike, must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The concept of privacy by design set out in Art. 25 GDPR addresses the controller in particular. A controller is obliged to effectively implement technical and organizational measures to protect the rights of data subjects, taking into account the costs of implementation and the nature, scope, context and purposes of the processing. Possible measures include purpose limitation, data minimization through privacy-enhancing technologies, accuracy, storage limitation by setting retention periods, and integrity and confidentiality, e.g. by making sure that no unauthorized third parties gain access to the data.
Art. 32 GDPR sets out technical and organizational measures for controllers and processors to ensure an appropriate level of security, e.g. pseudonymization and encryption of personal data, as well as data protection management, i.e. a process for regularly testing and evaluating the effectiveness of those measures.
The Privacy Rules require body corporates to implement security practices and standards, and to have a comprehensive information security programme and policies (containing managerial, technical, operational and physical security control measures) commensurate with the information being protected. This requirement applies to both PII and sensitive PII.
One such standard recognised under the Privacy Rules is ISO/IEC 27001 (the "ISO Code").
Any body corporate that collects, receives, stores, deals with or handles PII and sensitive PII has to ensure that these security practices and standards are implemented. As stated above, if any such body corporate intends to transfer the PII and/or sensitive PII, the transferee must ensure the same level of data protection.
The Privacy Bill proposes that data fiduciaries:
(a) implement policies & measures to ensure that the technology used in processing PD is in accordance with commercially accepted or certified standards; and
(b) implement managerial, organizational, business practices & technical systems to anticipate, identify & avoid harm to Data Subjects.
Additionally, data fiduciaries and data processors are required to implement appropriate security safeguards (to protect the integrity of PD, prevent misuse, disclosure) in view of the nature of PD being processed, risks associated with processing and the severity of harm that may result from such processing. It also entitles the Authority to prescribe security safeguard standards, which will apply to data fiduciaries and data processors.
The CSL imposes security obligations on network operators, a term that encompasses owners, administrators and providers of network systems. Network operators must keep the user information they have collected in strict confidence and must establish and improve their user information protection system.45 Network operators must take technical and other necessary measures to ensure the security of the personal information they collect and to protect it from disclosure, damage or loss.46
Under the PI Specification, personal information controllers should establish appropriate data security capabilities, implement the necessary managerial and technical measures, and prevent personal information from leakage, damage and loss.47 Security measures such as encryption should be applied when transferring and storing sensitive personal information.48
45 - CSL. § 40.
46 - CSL. § 42.
47 - PI Specification. 10.3.
48 - PI Specification. 6.3 a).
With regard to security obligations, GR 82/2012 specifically requires an ESO to implement several measures to protect its electronic system operations, including: (i) providing an audit trail for the purposes of monitoring, law enforcement, dispute settlement, verification, testing, incident response and mitigation; (ii) securing the components of the ESO's electronic systems; (iii) having and implementing procedures and facilities for securing electronic systems against disruption, failure and loss; (iv) providing a security system, including a system and procedures for handling and preventing cyber threats; and (v) preserving the confidentiality, integrity, authenticity, accessibility, availability and traceability of the electronic information maintained by the ESO.
These security obligations are further elaborated in MCI Regulation 20/2016, which requires an ESO that processes Personal Data to store all personal information in its possession in encrypted form. Further, the ESO is obliged to adopt internal regulations on Personal Data protection as a preventive step against protection failures. The internal regulations must consider several aspects, i.e. technological applications, human resources, methods, costs and any other considerations that may be stipulated in other relevant laws and regulations. In addition, the preventive actions must at least comprise: (i) raising awareness of Personal Data protection among the ESO's personnel; and (ii) organising training on the prevention of Personal Data protection failures in the electronic systems under the ESO's management.
Further, there are more stringent security requirements for ESOs for Public Services. Under MCI Regulation No. 4 of 2016 regarding Information Security Management Systems ("MCI Regulation 4/2016"), ESOs for Public Services are divided into three categories based on their risk: (i) strategic electronic systems, which have a serious impact on the public interest, public services, the continuity of state administration, or national security and defence; (ii) high-level electronic systems, which have a limited impact on sectoral and/or regional interests; and (iii) low-level electronic systems, which fall under neither the strategic nor the high-level category. Specifically, an ESO for Public Services that operates strategic or high-level electronic systems must adopt SNI ISO/IEC 27001 as its information security management system standard.
According to article 32 of the GDPR, the controller and the processor shall (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and protect the personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, including inter alia as appropriate:
a) the pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In this respect, and although it applies only to the public sector, it is worth mentioning Resolution of the Council of Ministers No. 41/2018 of 22 March, which established the minimum technical requirements applicable to the networks and information systems of the Public Administration, to be implemented by the end of September 2019.
Both the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. The parties should take into account factors such as the state of the art, implementation costs and the context of processing. Such measures could include pseudonymisation, encryption of personal data and a process for regularly testing the effectiveness of such measures.
Measures should be put in place following an evaluation of the risks in order to prevent unauthorised or accidental processing and to ensure it is possible to establish the precise details of any processing that takes place. The measures must ensure the confidentiality, integrity and availability of the systems and services that process personal data, and the data itself. Such measures should enable the controller to restore the personal data in a timely manner in the event of a physical or technical incident.
According to article 32 of the GDPR, both the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
In addition to the above, the NIS Act requires operators of essential services (in relation to the networks and information systems they use to provide those essential services) and digital service providers (in relation to the networks and information systems they use) to take appropriate and proportionate technical and organisational measures to manage the risks threatening the security of those networks and information systems, and to take measures to prevent and minimise the impact of incidents.
The NIS Ordinance stipulates that when digital service providers assess whether a security measure ensures a level of security in networks and information systems that is appropriate to the risk, they must take into account, inter alia, the security of systems and installations, incident management, and monitoring, auditing and testing.
The HDPA refers to the provisions of the GDPR on the obligations of the controller and the processor regarding security of processing. These obligations are explicitly defined in article 32 of the GDPR. In addition, article 24 of the GDPR provides for the overall responsibility of the controller to identify and implement appropriate technical and organizational measures. The objective of the security measures is to maintain confidentiality, integrity and availability of personal data.
The GDPR suggests "appropriate" technical and organizational security measures such as the pseudonymization and encryption of personal data, adherence to an approved code of conduct or an approved certification mechanism to demonstrate compliance, procedures on how to handle data breach cases, etc.
Security measures can be documented in individual procedures or in more general security policies. The choice of appropriate security measures shall be made taking into consideration the latest developments, the cost of implementation, the processing features, the scope and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
With regard to the individual security measures and the security policies and procedures an organisation must follow, it should be noted that the HDPA, in an earlier text of an informative nature, suggests a code of conduct, a security policy, a security plan and/or a disaster recovery plan. Finally, the "ex officio" investigations conducted by the HDPA into the security measures of various websites cover the HTTPS protocol settings, the validity of digital certificates, the password security criteria, and so on.
Law No. 6698 obliges data controllers to take all necessary measures to ensure the security of the personal data they process. However, it does not explicitly or directly require any particular data security measure to be taken. The security measures are left to the controllers' own discretion: data controllers are expected to decide which measures are needed to ensure adequate security for the personal data they process, based on its sensitivity, the scope of the processing and the risks posed by their processing operations. The data protection legislation thus recognises a "risk-based approach". The Board has published a guidance document for data controllers illustrating recommended data security measures; however, this document is recommendatory in nature.
While the à la carte approach to data security measures is the rule, there are two main exceptions:
First, certain sector-specific legislation includes mandatory information security measures to be taken by players in critical sectors such as finance, energy and telecommunications. These measures are generally included in secondary legislation prepared by the relevant sectoral regulatory bodies.
Secondly, certain data security measures must be implemented where the data controller processes special categories of personal data (e.g. health, religion, criminal convictions). These mandatory measures are listed in a Board decision published in the Official Gazette and include:
- storing sensitive data using cryptographic methods;
- securely logging records of all activities performed on the data;
- providing at least a two-stage authentication system if the sensitive data can be accessed remotely; and
- where the data is transferred between servers in different physical locations, transferring it over an encrypted connection.
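Two of the obligations on this page describe the same control: the detailed access inventory (time, duration, user and file accessed) that must be kept "inviolable" under Brazil's Decree 8.771/2016, and the "secure logging of all activities performed on the data" required by the Turkish Board decision above. The following is an added example, not code from either regulator or from any source cited on this page: a hash-chained, HMAC-sealed access log built on the Python standard library, in which editing, deleting or reordering any entry breaks a seal downstream. The record fields, key name and sample access records are constructed for illustration.

```python
"""Tamper-evident access-record log: added example, not from the sources cited.

Each entry carries an HMAC "seal" computed over the previous entry's seal and
the canonical JSON of the record, so the entries form a chain. Anyone holding
the key can verify the chain; anyone without it cannot forge, edit, drop or
reorder entries without breaking a seal downstream.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # seal "before" the first entry; anchors the chain


def _canonical(record: Dict) -> bytes:
    # Sorted keys and fixed separators: the same record always serialises identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _seal(key: bytes, prev_seal: str, record: Dict) -> str:
    # HMAC-SHA256 over (previous seal || record). Changing any earlier entry changes
    # every later seal, and without the key a valid seal cannot be recomputed.
    msg = prev_seal.encode("ascii") + b"\n" + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AccessLog:
    """Append-only log of who touched which file, when, how, and for how long."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def append(self, ts: str, user: str, path: str, action: str, duration_s: int) -> str:
        record = {"ts": ts, "user": user, "path": path, "action": action, "duration_s": duration_s}
        prev_seal = self.entries[-1]["seal"] if self.entries else GENESIS
        seal = _seal(self._key, prev_seal, record)
        self.entries.append({"record": record, "prev": prev_seal, "seal": seal})
        return seal


def verify(key: bytes, entries: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad entry."""
    prev_seal = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev_seal:  # a deletion or reordering breaks the link
            return i
        expected = _seal(key, prev_seal, entry["record"])
        if not hmac.compare_digest(expected, entry["seal"]):  # edited record or forged seal
            return i
        prev_seal = entry["seal"]
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed sample: three access records, then three kinds of tampering."""
    # Assumption: in production the key is held by the log collector, not by the host being logged.
    key = b"example-key-held-by-the-log-collector"
    log = AccessLog(key)
    log.append("2019-05-02T09:14:03Z", "a.silva", "/crm/customers.db", "read", 312)
    log.append("2019-05-02T09:20:41Z", "a.silva", "/crm/customers.db", "export", 15)
    log.append("2019-05-02T11:02:17Z", "m.costa", "/hr/payroll.xlsx", "read", 88)

    edited = copy.deepcopy(log.entries)
    edited[2]["record"]["user"] = "nobody"            # rewrite who read the payroll file
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                    # make the export disappear
    swapped = copy.deepcopy(log.entries)
    swapped[1], swapped[2] = swapped[2], swapped[1]   # change the order of events

    return {
        "intact": verify(key, log.entries),   # None
        "edited": verify(key, edited),        # 2
        "deleted": verify(key, deleted),      # 1
        "swapped": verify(key, swapped),      # 1
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. The chain only proves integrity to whoever holds the key, so the host that generates the records must not also hold it (an administrator on that host could simply re-seal the chain); ship entries to a separate collector that seals them, or seal with a key held in an HSM. Second, a chain does not by itself detect truncation of the tail; publish the latest seal somewhere the logging host cannot rewrite (a daily digest sent to another system is enough) so that a shortened log can be noticed.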
As a basic principle, the provisions of the GDPR also apply to such matters.
However, there are lines of business that have defined their own and very specific security requirements (e.g. doctors, banks). In principle, these must also be observed by processors.
Both the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. The parties should take into account factors such as the state of the art, implementation costs and the context of processing (GDPR, Article 32).
The CNIL recommends that controllers and processors identify their processing of personal data, assess the risks generated by each processing operation, implement and verify security measures, and have periodic security audits carried out. Security measures should be put in place to prevent unauthorised or accidental processing. The CNIL recommends systematically implementing the following basic precautions:
- raise awareness among users (make each user aware of security and privacy issues);
- authenticate users (identify users so that they can then be given the access they need);
- manage authorizations (limit access to the only data a user needs);
- track access and manage incidents (log access and provide procedures to manage incidents in order to be able to react in the event of data security breaches such as breach of confidentiality, integrity and availability);
- secure workstations (prevent fraudulent access, virus execution or remote control, especially via the Internet);
- secure mobile computing (anticipate data security breaches due to the theft or loss of mobile equipment);
- protect the internal computer system (authorize only the network functions necessary for the processing operations set up);
- secure servers (strengthen security measures applied to servers);
- secure websites (ensure that minimum good practices are applied to websites);
- safeguard and provide for business continuity (perform regular backups to limit the impact of unwanted data loss);
- secure archiving (archive data that is no longer used on a daily basis but has not yet reached its retention limit, for example because it is kept for use in the event of litigation);
- supervise the maintenance and destruction of data (ensure data security at all stages of the hardware and software life cycle);
- manage subcontracting (monitor data security with subcontractors);
- secure exchanges with other organizations (reinforce the security of any transmission of personal data);
- protect the premises (strengthen the security of the premises hosting the computer servers and network equipment);
- supervise IT developments (integrate security and privacy as early as possible in projects); and
- encrypt, guarantee integrity or sign (ensure the integrity, confidentiality and authenticity of information).
More guidance by the CNIL is available on its website.
The U.S. relies primarily on industry standards to mandate “reasonable and appropriate security measures.” FTC guidance advises entities to implement a “comprehensive security program that is reasonably designed to address security risks” and “protect the privacy, security, confidentiality, and integrity” of consumers’ information. In a series of FTC enforcement actions, these security programs have been required to address a wide range of potential risks, including:
- employee training and management;
- product design, development and research;
- secure software design, development and testing, including for default settings, access key and secret key management, and secure cloud storage;
- application software design;
- information systems, such as network and software design, information processing, storage, transmission, and disposal;
- review and assessment of as well as response to third-party security vulnerability reports; and
- prevention and detection of as well as response to attacks, intrusions, or other system failures or vulnerabilities.
Following the identification of security risks, FTC guidance indicates that entities must also:
- design and implement “reasonable safeguards” to control the identified risks;
- conduct regular testing of the effectiveness of key controls, systems and procedures, and evaluate and adjust information security programs based on the results of the testing;
- have a written information security policy;
- adequately train personnel to perform data security-related tasks and responsibilities;
- ensure that third-party service providers implement reasonable security measures to protect personal information, such as through the use of contractual obligations;
- regularly monitor systems and assets to identify data security events and verify the effectiveness of protective measures;
- track unsuccessful login attempts;
- secure remote access;
- restrict access to data systems based on employee job functions;
- develop comprehensive password policies, addressing password complexity, prohibiting reuse of passwords to access different servers and services, and deploying reasonable controls to prevent the retention of passwords and encryption keys in clear text files on the company’s network; and
- conduct vulnerability and penetration testing, security architecture reviews, code reviews, and other reasonable and appropriate assessments, audits, reviews or other tests to identify potential security failures and verify that access to devices and information is restricted consistent with user security settings.
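The FTC list above asks entities to track unsuccessful login attempts and to regularly monitor systems for data security events, and the CNIL list in the France section asks for access logging with incident procedures behind it. The following is an added example, not code from the FTC, the CNIL or any source cited on this page, showing what that tracking looks like as detection logic: it parses constructed sshd-style authentication lines (host name, user names and IP addresses are illustrative, and the timestamps use ISO-8601 rather than syslog's year-less format so they parse unambiguously), raises an alert when one source exceeds a failure threshold within a sliding window, and raises a second, higher-priority alert when a login from that source then succeeds.

```python
"""Failed-login tracking over authentication log lines: added example, not from the sources cited."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample lines in sshd's wording. Addresses are from the documentation
# ranges (203.0.113.0/24, 198.51.100.0/24); the last line is a non-auth line to be skipped.
SAMPLE_LINES = [
    "2019-05-02T09:14:03Z bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2019-05-02T09:14:05Z bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2",
    "2019-05-02T09:14:08Z bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2",
    "2019-05-02T09:14:11Z bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2",
    "2019-05-02T09:14:14Z bastion sshd[2209]: Failed password for invalid user postgres from 203.0.113.7 port 51030 ssh2",
    "2019-05-02T09:14:17Z bastion sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51032 ssh2",
    "2019-05-02T09:15:02Z bastion sshd[2215]: Failed password for svc-backup from 198.51.100.5 port 40112 ssh2",
    "2019-05-02T09:15:09Z bastion sshd[2217]: Accepted password for svc-backup from 198.51.100.5 port 40114 ssh2",
    "2019-05-02T09:16:40Z bastion sshd[2231]: Accepted password for svc-backup from 203.0.113.7 port 51040 ssh2",
    "2019-05-02T09:16:40Z bastion sshd[2231]: pam_unix(sshd:session): session opened for user svc-backup by (uid=0)",
]

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Alert = Tuple[str, str, str, int]  # (kind, source ip, user, failures in window)


def parse(line: str) -> Optional[Dict]:
    """Return {ts, ok, user, ip} for an authentication result line, None for anything else."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines: List[str], threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding-window failed-login detector; lines are assumed to be in time order."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # source ip -> recent failure times
    reported: Set[str] = set()  # sources already alerted on, so a burst yields one alert, not one per attempt
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if not ev["ok"]:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in reported:
                reported.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["user"], len(recent)))
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the case worth paging on:
            # the attacker may have found a valid credential.
            alerts.append(("success_after_burst", ev["ip"], ev["user"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Run against the sample it reports one `brute_force` alert for 203.0.113.7 at the fifth failure and one `success_after_burst` alert when that source then logs in as `svc-backup`; the single typo from 198.51.100.5 produces nothing. Counting per source address catches this pattern but not password spraying (one attempt per address across many addresses), so a production version should keep a second counter keyed on the target user across all sources.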
In addition to these federal standards, at least 24 states have laws that address data security practices of private sector entities. Most of these state laws relate to entities that maintain personal information about residents of that state and require the entity to maintain “reasonable security procedures and practices” appropriate to the type of information and the risk. In keeping with current state laws, the CCPA does not contain an explicit, stand-alone security requirement. However, entities subject to the CCPA can be penalized for not maintaining “reasonable security procedures and practices appropriate to the nature of the personal information,” and the CCPA will create a private right of action, which may be brought on a classwide basis, with no requirement to demonstrate harm and the potential for statutory damages if certain types of PII are compromised due to a failure to maintain reasonable security.