CyberSecu-TW1

Topic 1 Introduction to Cybersecurity Law

@Maxw

What is Cybersecurity?

• Cybersecurity is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks
• It aims to reduce the risk of cyber attacks and to protect against the unauthorised exploitation of systems, networks and technologies
• Three distinct elements:
  information security,
  privacy and data protection,
  cybercrime

Information Security

The main objectives of information security are to protect the confidentiality, integrity and availability (CIA) of information

Confidentiality

Confidentiality means that only people with the right permission can access and use information
It requires protecting information from unauthorised access at all stages of its life cycle

• Ensuring confidentiality – encryption, access controls
• Compromising confidentiality – (intentional) shoulder surfing, social engineering; (accidental) publication
Example – Metaverse avatars
The risk of identity theft, avatar duplication and misuse creates an issue for interoperability. Identity authentication built on blockchain will be crucial in this respect, as it is more resistant to cyber-attacks than a centralised system.

Integrity

• Integrity means that information systems and their data are accurate
Changes cannot be made to data without appropriate permission

• Ensuring integrity – controls ensuring the correct entry of information, authorization, antivirus
• Compromising integrity – (intentional) employee or external attacks; (accidental) employee error
Example – Security of Metaverse-enabling devices
The characteristics of such devices could lead to serious data breaches, as the sensitive data needed for such devices to function, such as voice control or facial movement, could be reproduced. VR technology enables emotions and consciousness to be manipulated and gives hackers access not only to the victim's psyche but also to their body. Furthermore, hackers gaining access to such a device would be able to control what the victim was seeing and hearing, and would be able to see inside their office or home, with serious security consequences.

Availability

• Availability is the security goal of making sure information systems are reliable
• Data is accessible
• Individuals with proper permission can use systems and retrieve data in a dependable and timely manner
• Ensuring availability – recovery plans, backup systems
• Compromising availability – (intentional) denial of service (DoS) attack; (accidental) outage
Example: Fortnite 2 – the ‘blackhole event’
In 2019, after nearly two days offline, Fortnite returned for Chapter 2, a new version of the game that included an entirely new map. During the outage the entire environment was suspended, and no one could access their accounts. Players realised their assumptions about owning skins, virtual currency and other in-game items were misplaced: the only ‘right’ players have is the right to access and use the item within the limitations set by the end-user license agreement (EULA).

Topic 2 Information Security-Key Concepts

• Vulnerabilities
• Threats
• Risks
• Safeguards

Vulnerabilities

A weakness or flaw in an information system that can be exploited

Threats

Anything that can cause harm to an information system – a successful exploit of a vulnerability

Risks

The likelihood that a threat will exploit a vulnerability and cause harm
Risk = vulnerability + threat

Safeguards

A safeguard reduces the harm posed by information security vulnerabilities or threats

Sources of Obligations

Common Law

Tort law
A tort, in common law jurisdictions, is a civil wrong that unfairly causes someone else to suffer loss or harm, resulting in legal liability for the person who commits the tortious act
Duty – breach – causation – harm
Contract law
A contract is an agreement, giving rise to obligations, which are enforced or recognised by law

Statutes

Privacy
• EU GDPR
• US Gramm-Leach-Bliley Act (financial information privacy)
• US Health Insurance Portability and Accountability Act (health information privacy)
• California Consumer Privacy Act (CCPA)
• China Cybersecurity Law
Telecommunications security
• EU Electronic Communications Privacy Directive (e-Privacy Directive)
• Electronic Communications Framework Directive
• US Telecommunications Act
Corporate financial reporting integrity and transparency
• US Sarbanes-Oxley Act (SOX)

Regulations

• The UK Financial Services Authority fined Nationwide Building Society £1 million for failing to have adequate systems and controls in place to manage information security risks

Standards

• Standards bodies (ISO; PCI Council)
• International organisations (OECD Guidelines)
• Recent legislation with regulations detailing the necessary steps in the process that will meet the duty of care (GLBA, HIPAA)

Topic 3 Sources of Obligations (EU)

Information Security EU: Directives / Regulations

• Privacy
  • EU General Data Protection Regulation (GDPR)
• Telecommunications networks/services
  • ePrivacy Directive (regulates the use of electronic communications services)
• Critical infrastructure
  • Network and Information Systems Directive (NIS Directive)

GDPR – EU General Data Protection Regulation

GDPR – Information Security Obligations

1. Safeguarding obligations, which require organisations to put in place ‘appropriate and proportionate’ security measures, and
2. Information obligations, which require the sharing or disclosure of information

GDPR – 1 Safeguarding Obligation
Article 32
Article 32 requires that:
• Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
This includes, inter alia:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
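The four Article 32 measures listed above map directly onto the CIA triad from Topic 1, and they are easier to reason about as code than as a list. The following Go program is an added example written for these notes, not code from the lecture or from any regulator: it pseudonymises a direct identifier with a keyed hash (HMAC-SHA256), encrypts the record with AES-GCM so that tampering is detected on read (confidentiality and integrity), keeps a backup copy from which a lost primary copy is restored (availability), and runs a self-test of those measures (regular testing). The choice of HMAC and AES-GCM, the in-memory maps standing in for primary and backup storage, and the sample record are all assumptions of this example; the GDPR prescribes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Pseudonymise replaces a direct identifier (here an e-mail address) with a
// keyed hash. Without pseudoKey the output cannot be linked back to the person,
// but the same key always yields the same pseudonym, so records still join.
func Pseudonymise(pseudoKey []byte, identifier string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-GCM, which gives confidentiality plus an
// integrity tag: any change to the stored bytes is detected on decryption.
func Encrypt(encKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce is prepended
}

// Decrypt reverses Encrypt and returns an error for truncated or tampered input.
func Decrypt(encKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Restore serves the primary copy of a sealed record and falls back to the
// backup copy when the primary is missing (availability after an incident).
func Restore(primary, backup map[string][]byte, pseudonym string) ([]byte, bool) {
	if v, ok := primary[pseudonym]; ok {
		return v, true
	}
	v, ok := backup[pseudonym]
	return v, ok
}

// SelfTest is the recurring effectiveness check: a tampered record must be
// rejected, and a record lost from the primary copy must still be readable.
func SelfTest(pseudoKey, encKey []byte) error {
	const email, notes = "alice@example.com", "allergy: penicillin" // constructed sample record
	pseudo := Pseudonymise(pseudoKey, email)
	sealed, err := Encrypt(encKey, []byte(notes))
	if err != nil {
		return err
	}
	primary := map[string][]byte{pseudo: sealed}
	backup := map[string][]byte{pseudo: append([]byte(nil), sealed...)}

	// Integrity: flip one bit of the stored ciphertext and expect rejection.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Decrypt(encKey, tampered); err == nil {
		return errors.New("tampered record was accepted")
	}

	// Availability: lose the primary copy, restore from backup, decrypt.
	delete(primary, pseudo)
	restored, ok := Restore(primary, backup, pseudo)
	if !ok {
		return errors.New("record not recoverable from backup")
	}
	plain, err := Decrypt(encKey, restored)
	if err != nil || string(plain) != notes {
		return errors.New("restored record does not decrypt to the original")
	}
	return nil
}

func main() {
	pseudoKey := []byte("demo-pseudonymisation-key") // constructed; keep real keys in a secret store
	encKey := make([]byte, 32)                        // AES-256 key generated for this run only
	if _, err := io.ReadFull(rand.Reader, encKey); err != nil {
		panic(err)
	}
	fmt.Println("pseudonym:", Pseudonymise(pseudoKey, "alice@example.com"))
	fmt.Println("self-test error:", SelfTest(pseudoKey, encKey)) // nil when all measures work
}
```

Two design points worth noting against the text of Article 32. Pseudonymisation with a keyed hash is only as strong as the separation between the key and the data: whoever holds pseudoKey can re-identify, so the key is itself personal-data-relevant and belongs under access control, the confidentiality measure from Topic 1. And the self-test deliberately exercises a failure (a flipped byte, a deleted primary copy) rather than only the happy path, because a process for "testing, assessing and evaluating the effectiveness" of measures that never tests a failure cannot show the measures work.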
GDPR – 2 Information Obligation
Article 33
Article 33 creates a legal duty on all organisations to report certain types of personal data breach to the relevant supervisory authority
Article 34
Article 34 requires the controller to notify data subjects affected or potentially affected by a personal data breach

NIS Directive

Network and Information Systems Directive
The NIS Directive regulates the cybersecurity of critical national infrastructure (CNI)
• It applies to providers of critical national infrastructure:
1. Operators of essential services (OES), which are directly responsible for CNI
2. Digital service providers (DSPs), which provide services upon which others, including OES, are reliant

NIS Directive – Information Security Obligations

NIS Directive – Safeguarding Obligation
Member States must ensure that OES and DSPs take ‘appropriate and proportionate technical and organisational measures’ with regard to the security of the network and information systems they use in the provision of their services
NIS Directive – Information Obligation
• The NIS Directive requires OES and DSPs to notify the relevant authority of security incidents without undue delay
• This covers security breaches that disrupt an essential or digital service
• Notification requirements are triggered when incidents have a ‘significant’ or ‘substantial’ impact on service continuity

Contract Law

GDPR Article 28 states what controllers must include in contracts with processors:
• The processor shall not engage another processor without the prior specific or general written authorisation of the controller
• Processing by a processor shall be governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller

Tort Law (revision focus)

1819_EBU6008_A_Solutions Question 2 (previously examined)
Data controllers can be held liable under the tort of negligence for damages caused by cybersecurity incidents that they should reasonably have foreseen and prevented or mitigated
To hold data controllers liable, a court would have to find that
(i) the operator had a duty of care to the person(s) who suffered harm, which
(ii) the operator failed to fulfil

Tort Law – Requirements

Duty – breach – causation – harm
• There must be proximity between the parties for a duty of care to exist
• Foreseeability means that a person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
• Damage needs to be proven by claimants – economic loss or emotional harm

Cases (UK)

Vidal-Hall v Google Inc [2015]
A high-profile case which established that compensation could be awarded to individuals under English law if they suffered non-pecuniary loss, such as distress, arising from a breach of data protection legislation
WM Morrison Supermarkets v Various Claimants [2017]
Alternative tortious remedies may be available that avoid these limitations, such as the finding of strict liability under the doctrine of vicarious liability in WM Morrison Supermarkets v Various Claimants [2017], where Morrisons was held liable for a rogue employee’s unauthorised disclosure of personal data, even though it was found to have implemented ‘appropriate’ security measures under the Data Protection Act 1998

But note that in 2020 the decision was overturned by the Supreme Court:
“For the reasons explained above, the circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer. Morrisons cannot therefore be held liable for Skelton’s conduct. It follows that the appeal must be allowed.”
Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48
The wrongful conduct must be so closely connected with the acts that the employee was authorised to do by the employer that the employee might fairly and properly be regarded as acting in the ordinary course of their employment
Lloyd v Google [2018]
The case reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances, and makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those claims

Topic 4 Sources of Obligations (US)

Sources of legal obligations in the US

• Statutes

• Tort law

• Contract Law

Information Security US: Statutes

Privacy

• US Health Insurance Portability and Accountability Act (health information privacy) (HIPAA)

• Children's Online Privacy Protection Rule (COPPA)

• California Consumer Privacy Act (CCPA) 1st Jan 2020

HIPAA

Personal health information is considered very sensitive:

  • Confidential medical records

  • Public embarrassment, discrimination

  • Medical identity theft

HIPAA protects the privacy and security of personal health information

COPPA

The Children’s Online Privacy Protection Act (COPPA) requires operators of commercial websites and online services directed to children under the age of 13, and operators of general-audience websites and online services that knowingly collect personal information from children under 13, to obtain parental consent before collecting, using or disclosing any personal information from children under the age of 13

CCPA

The California Consumer Privacy Act (CCPA) came into effect in January 2020 – the most comprehensive privacy legislation to date

Breach Notification Laws

Legislation adopted in 47 US states requires private or governmental entities to notify individuals of security breaches involving personally identifiable information

FTC – Federal Trade Commission Act

The FTC is an independent federal agency and the most important regulatory authority for consumer protection issues

Tort Law

This feels less detailed than the EU section.

Tort law: the branch of civil law that deals with compensation for damage caused by another person’s negligent or wrongful act.

Some recent cases have argued that data breaches are subject to strict liability

Strict liability means that the manufacturer of a product is automatically responsible for any injuries caused by the product (typically product liability cases)

Negligence

To establish a claim, the plaintiff has to prove:

  1. the existence of a legal duty on the part of the defendant not to expose the plaintiff to unreasonable risks;

  2. a breach of the duty – a failure on the part of the defendant to act reasonably;

  3. a causal connection between the defendant’s conduct and the plaintiff’s harm; and

  4. actual damage to the plaintiff resulting from the defendant’s negligence

Negligence – Foreseeability 可预见性

The central concept of the law of negligence

A person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others

Negligence - Cases

In Anderson v. Hannaford Brothers Co., a third party stole a grocery store’s debit and credit card data, and the court used a negligence standard to assert a standard of care based on breach of implied contract

In Patco Construction Co. v. People’s United Bank, the bank had a state-of-the-art security program but failed to set its fraud-activity triggers at an appropriate level

Tort Law – Special Relationships

Special relationships – between a provider and consumer, employer and employee, or fiduciary and beneficiary – are usually based on a contractual promise (explicit or implied)

To establish a claim, the plaintiff has to prove:

  1. the existence of a binding agreement;

  2. that the non-breaching party fulfilled its obligations, if it had any;

  3. that the breaching party failed to fulfil its obligations;

  4. the lack of a legal excuse; and

  5. the existence of damages sustained due to the breach

Tort Law – Harm

A concrete and particularised injury that is actual or imminent, not conjectural or hypothetical

Contract Law

Breach of contract is the failure to fulfil a condition of a contract

COPPA, HIPAA and others require contracts with processors and other third parties that impose obligations to ensure that information is kept secure

Topic 5 Sources of Obligations (China)

China Information Security: Statutes

• Privacy law
• Telecommunications / ISPs law
• Breach notification law
• Consumer protection law
• E-Commerce law
• Private and tort law

PRC Cybersecurity Law

Network operators must adopt technological measures and other necessary measures to ensure the security of the personal information they gather, and prevent personal information from being leaked, destroyed or lost

Network operators are subject to the following requirements when collecting and using personal information:

  • Collection and use of personal information must be legal, proper and necessary.

  • Network operators must clearly state the purpose, method and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.

Breach Notification Law

PRC Cybersecurity Law:

Where personal information is leaked, lost or distorted (or there is a potential for such incidents), organisations must promptly take relevant measures to mitigate any damage, notify the relevant data subjects and report to the relevant government agencies in a timely manner, in accordance with the relevant provisions

Telecommunications / ISP Law

The Provisions on Telecommunication and Internet User Personal Information Protection, effective from September 1, 2013

Article 13 imposes the following information security requirements on telecommunications operators and Internet service providers:

  • Specify the responsibilities of each department / role in terms of the security of personal information;

  • Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;

  • Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;

  • Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;

  • Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;

  • Undertake communications network security protection work as required by the relevant telecommunications authority

Consumer Protection Law

The PRC Consumer Rights Protection Law requires that operators:

  • State the purpose, method, scope and rules of collection of consumers’ personal information;

  • Keep consumers’ personal information confidential and not disclose, sell or illegally provide it to others;

  • Have mechanisms in place to ensure the security of the information collected; and

  • Not send unsolicited communications to consumers

Tort Law

PRC Tort Liability Law

Article 36 of the Tort Liability Law creates obligations for Internet service providers (ISPs):

  • A network user or network service provider who infringes upon the civil rights or interests of another person through the network shall assume tort liability

Tutorial 1 Exercise

You have been tasked with creating a cybersecurity plan for your company.

• How can you successfully plan for cyber risks?

• List the necessary steps included in your plan.

Answer:

Map onto reality
Understand which laws and regulations apply to you
Assess the level of risk
Prioritise what you do first
Continually refactor and renew
