Third-year e-commerce student at BUPT International College (北郵國院), organising knowledge points as the course progresses. Only the relatively important points from the PPTs are organised here; the content is mixed and is not intended for last-minute exam revision. Small points I personally consider relatively unimportant are not listed. If there are errors, please point them out. Please credit the source when reposting, and happy studying.
Edited in Effie; if you need the file in pdf/docx/effiesheet/markdown format, please contact me by private message or on WeChat.
WEEK1
What follows is fairly definitional material, so it is basically a translation of the PPT content. If the exam uses case-style questions like the E-commerce Law course, there is no need to memorise these; just understand them, roughly know what is what, and have something to say. If there are other changes or new understandings, this paragraph will be revised later.
In Week 1 it is hard to summarise anything as logical as the E-commerce Law course; in other words, the information the PPT gives is cluttered and not very useful. Reading through it does not at all feel like E-commerce Law's division into a few major blocks, and the share of actual statutes is very small. More thoughts on this course will have to wait until I have observed another week of classes. For the Week 1 material, just pick things to memorise; after all, there are no past papers yet.
What is Cybersecurity
Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks
It aims to reduce the risk of cyber attacks, and protect against the unauthorised exploitation of systems, networks and technologies
Three distinct elements: information security; privacy and data protection; and cybercrime
Information Security
Seeks to protect all information assets, whether in hard copy or in digital form
Information is one of the most valuable assets
Good business practice
The digital revolution changed how people communicate and conduct business
New possibilities & challenges
Privacy and Data Protection (distinguishing the concepts)
Data privacy is the regulations, or policies, that govern the use of my data when shared with any entity
Data protection is the mechanism (that is, the tools and procedures) to enforce the policy and regulation, including the prevention of unauthorized access to or misuse of the data that I agreed to share
- Both are about control of personal data
- The PPT gives a definition of control, which can be used to pad out an answer: Control = the ability to specify the collection, use, and sharing of their data
Information Security vs Privacy (distinguishing the concepts)
Privacy is an individual's right to control the use and disclosure of their own personal information
Information security is the process used to keep data private
- Security is the process; privacy is the result
Cybercrime
Cybercrime is an act that violates the law by using information and communication technology (ICT) either to target networks, systems, data, websites and/or technology, or to facilitate a crime
Cybercrime knows no physical or geographic boundaries and can be conducted with less effort, greater ease, and at greater speed and scale than traditional crime
The three aspects of Cybersecurity Law covered in this course
- Information security obligations
- Privacy and data protection laws
- Cybercrime substantive and procedural laws
Challenges for cybersecurity
Technical
Growing number of devices
Every computer program, app or website is also software, and software often has vulnerabilities
A virtualized information technology infrastructure (cloud services)
Legal
Increasing number, scope and complexity of legal obligations in relation to information security, privacy and data protection, with differing approaches
Different legal systems between countries, variations in national cybercrime laws, differences in the rules of evidence and criminal procedure, applicability of international treaties
Trends in cybersecurity
With the advent of new technologies (e.g. Internet of Things, drones, robots, self-driving cars), new cybercrime trends will be identified and therefore new information security and privacy measures will need to be developed
Cyber attacks may involve:
- SPAM with the capacity to deliver a range of malware
- Spyware and keystroke loggers (3.7 million South Carolina tax records)
- Worms, viruses, Trojans
- Phishing / Spear Phishing / Whaling
- DoS / DDoS
Drivers of Cybersecurity
- Legal
  - Growing legal framework establishing safeguarding and information obligations
- Regulatory
  - Growing enforcement as a response to ineffective self-regulation
- Commercial
  - Growing awareness of risk, economic and legal consequences, trustworthiness of business transactions
What Information Security protects
Processes, procedures and infrastructure to preserve:
- confidentiality
- integrity
- availability of information
- These three are abbreviated CIA
Confidentiality
Confidentiality means that only people with the right permission can access and use information
Protecting information from unauthorised access at all stages of its life cycle
Information must be created, used, stored, transmitted, and destroyed in ways that protect its confidentiality
Ensuring confidentiality – encryption, access controls
Compromising confidentiality – (intentional) shoulder surfing, social engineering; (accidental) publication
It may result in identity theft and threats to public safety
Integrity
Integrity means that information systems and their data are accurate
Changes cannot be made to data without appropriate permission
Ensuring integrity – controls ensuring the correct entry of information, authorization, antivirus
Compromising integrity – (intentional) employee or external attacks; (accidental) employee error
Authentication
Specific to integrity and confidentiality considerations
Ensuring that a machine or person is that which they purport to be
- Creator/sender/signatory of a record
- Person who seeks access to it
In the analogue world: signatures, handwriting, in-person attestation, witnesses, notary public, etc.
In the digital world, it may not only be a person but also a machine that we are seeking to authenticate
- Digital signatures – electronic PKI, other certificates of trust
Availability
Availability is the security goal of making sure information systems are reliable
Data is accessible
Individuals with proper permission can use systems and retrieve data in a dependable and timely manner
Ensuring availability – recovery plans, backup systems
Compromising availability – (intentional) denial of service (DoS) attack; (accidental) outage
Mitigating risks to the trustworthiness of information held by corporations and governments
- Development of strategies, and
- Implementation of technologies and procedures in order to preserve its
  - confidentiality
  - integrity, and
  - availability
Risk management
Risk management as a means to justify information security laws
= the process of listing the risks that an organization faces and taking steps to control them
- Vulnerabilities
- Threats
- Risks
- Safeguards
Vulnerabilities
- a weakness or flaw in the information system that can be exploited
- construction or design mistake
- flaws in how internal safeguards are used/not used
Successful attacks take place when a vulnerability is exploited
The four areas of vulnerabilities
- People
  - separation of duties principle: two or more people need to split the functions of a critical task
- Process
  - flaws in the organization's procedures: a missing step in a checklist/no checklist, failure to apply hardware and software patches
- Facility
  - flaws in physical infrastructure: fences, locks, CCTV cameras
- Technology
  - design flaws: unpatched applications, improperly configured equipment
Threats
Anything that can cause harm to an information system – successful exploits of vulnerabilities
- Threats to information, networks and systems have increased
  - More devices, more use, more 'always on'
  - More complex networks with a greater 'attack surface'
  - More devices with IoT; smart watches possibly not connected to enterprise authentication systems
- Attacks have grown more sophisticated
  - Attacks that take months to achieve their goals, undetected
  - 'Ransomware' = threat to encrypt data unless paid
Relationship between a vulnerability and a threat
An organization does not have sufficient controls to prevent an employee from deleting critical computer files (lack of controls – vulnerability). An employee could delete files by mistake (employee – source of threat) (deleting critical files – threat). If the files are deleted, a successful exploit of the vulnerability has taken place. If the files are not recoverable, the incident harms the organization and its security. Availability is compromised.
【In short, a threat is the result achieved by exploiting a vulnerability, an "event", while a vulnerability is an exploitable weakness, a "thing"】
The four kinds of threats
- Human
  - internal and external, includes well-meaning employees and external attackers
- Natural
  - uncontrollable events (fire, flood)
- Technology and operational
  - operate inside information systems (malicious code, hardware and software failures)
- Physical and environmental
  - lack of physical security
  - accidental or intentional
  - internal or external attackers
Risks
The likelihood that a threat will exploit a vulnerability and cause harm, where the harm is the impact on the organization
**Risk = vulnerability + threat**
Risks can occur at any layer of the information system:
- At the physical hardware or device layer, e.g. when a flood renders servers stored in a basement unavailable;
- At the various software layers, e.g. when hackers exploit a vulnerability in software;
- At the network layer, e.g. when a hacker intercepts data packets as they pass through the network from sender, via routers, to receiver; or,
- At the user layer, e.g. through 'social engineering', such as convincing users to share their passwords through 'phishing' emails
Risk analysis and management to classify and respond to risks
Probability that a threat will exploit a vulnerability – high, medium, low
Information security impact – loss of confidentiality, integrity and availability
Other impacts – loss of life, productivity or profit, property and reputation
Assessment of impact – address risks that have a large impact on information security
Types of responses: risk avoidance, risk mitigation, risk transfer, risk acceptance
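As an added worked example (not part of the course slides), the following Python script turns the risk-analysis steps above into a small risk register: each risk pairs a vulnerability with a threat, is rated high/medium/low for likelihood and impact, is ranked on an assumed 3×3 likelihood × impact matrix, and is mapped to one of the four response types. The matrix thresholds, the response rule and the sample register are assumptions made for illustration, built from scenarios the slides mention.

```python
from dataclasses import dataclass

# Assumed three-level scale from the slides: probability and impact are each high/medium/low.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    vulnerability: str   # the exploitable weakness (a "thing")
    threat: str          # what could exploit it (an "event")
    likelihood: str      # probability a threat exploits the vulnerability
    impact: str          # information security impact plus other impacts
    affects: tuple       # which of confidentiality / integrity / availability is hit


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..9 scale (assumed 3x3 matrix, not from the slides)."""
    return LEVELS[likelihood] * LEVELS[impact]


def rating(likelihood: str, impact: str) -> str:
    """Collapse the score back to high/medium/low (thresholds are assumptions)."""
    s = score(likelihood, impact)
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def response(risk: Risk) -> str:
    """Pick one of the four response types (assumed rule of thumb)."""
    if risk.likelihood == "high" and risk.impact == "high":
        return "risk avoidance"      # stop or redesign the activity
    if risk.likelihood == "low" and risk.impact == "high":
        return "risk transfer"       # rare but severe: insure or outsource
    if rating(risk.likelihood, risk.impact) == "low":
        return "risk acceptance"     # record it and monitor
    return "risk mitigation"         # add safeguards that cut likelihood or impact


def assess(register):
    """Rank the register, highest rated first, with the chosen response for each risk."""
    rows = [
        {
            "name": r.name,
            "score": score(r.likelihood, r.impact),
            "rating": rating(r.likelihood, r.impact),
            "response": response(r),
            "affects": r.affects,
        }
        for r in register
    ]
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


# Constructed sample register, built from scenarios the slides mention.
REGISTER = [
    Risk("basement flood", "servers kept in a basement", "flood",
         "low", "high", ("availability",)),
    Risk("unpatched web app", "known software vulnerability", "external attacker exploits it",
         "high", "high", ("confidentiality", "integrity")),
    Risk("phishing", "users can be talked into sharing passwords", "phishing email",
         "high", "medium", ("confidentiality",)),
    Risk("accidental deletion", "no control stops deleting critical files", "employee deletes by mistake",
         "medium", "medium", ("availability",)),
    Risk("shoulder surfing", "screens visible from the lobby", "visitor reads a screen",
         "low", "low", ("confidentiality",)),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['rating']:6} {row['score']}  {row['name']:20} -> {row['response']}")
```

The ordering is the point of the exercise: the register is worked from the top down, so the slide's instruction to "address risks that have a large impact on information security" falls out of the sort rather than being a separate step.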
Safeguards
A safeguard reduces the harm posed by information security vulnerabilities or threats
Safeguards can be put in place at all layers of the system:
- At the physical hardware or device layer, e.g. by physically securing server rooms against flooding;
- At the various software layers, e.g. by installing the latest patches;
- At the network layer, e.g. by using virtual private networks ('VPN'); and,
- At the user layer, by ensuring that all personnel receive appropriate training to recognise phishing emails and other forms of social engineering.
The three kinds of safeguards
- Administrative
  - actions and rules implemented to protect information (need-to-know rule)
- Technical
  - logical rules that state how systems will operate (least privilege rule)
- Physical
  - actions to protect actual physical resources
Mechanisms Ensuring Information Security
No single information security law – no single definition
Different potential sources of liability: statutes, regulations, contracts, organizational governance, voluntary organizations, private law tort
Different kinds of information often sought to be protected:
- personal data under data protection laws
- corporate financial information
- health information
- credit card information
No such thing as perfect information security
Sources of Obligations
- Laws – rules – regulations
  - Common law
    - body of law that developed through legal tradition and court cases (case law/judge-made law) – impact on torts, contract, and property law
  - Statutory law
    - written law that is adopted by governments
    - 【On the difference between these two kinds of law (the italicised answer below is from newBing): *The main difference between common law and statutory law is that common law is based on precedent, or previous court decisions, while statutory law is based on written laws passed by a legislature or other government agency. Common law is also procedural, meaning it regulates how lawsuits are conducted, while statutory law is substantive, meaning it defines rights and duties of citizens*】
  - Rules
    - governments delegate power to agencies to create rules, enforce rules, and review rules
  - Regulations
    - regulatory authorities have the power to create and enforce regulations
- Common law
- Standards
Common Law
Tort law
- A tort, in common law jurisdictions, is a civil wrong that unfairly causes someone else to suffer loss or harm, resulting in legal liability for the person who commits the tortious act
- Duty – breach – causation – harm elements
Contract Law
- A contract is an agreement, giving rise to obligations, which are enforced or recognised by law
Regulations
Sector regulators are increasingly auditing companies for their information security management and also issuing 'regulatory guidance' or 'best practice advisories' on information security
Standards
Emerging guidance in the form of 'standards'
These standards determine how to comply with a legal duty or self-imposed obligation for adequate/reasonable/appropriate information security
- Standards bodies (ISO; PCI Council)
- International organizations (OECD Guidelines)
- Recent legislation with regulations detailing the necessary steps in the process that will meet the duty of care (GLBA, HIPAA)
Statutes (parliamentary legislation, charters)
These are all just examples; just look at the slide
Scope of Obligations
These legal obligations specify a duty:
- For example, to provide adequate or reasonable or appropriate security
They don't usually give specific guidance as to what that means or how it is to be accomplished
Issues
The duty to keep information secure is not further specified in the statutes
The GDPR indicates: 'Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.'
A cost/risk analysis qualifies an appropriate level of security
【The material above really has no single main logical thread, so the PPT is messy and my summary is messy too; make do with it, there isn't much content anyway】
What is the 'cyber' in cybersecurity
It might potentially include any device that has the ability to communicate
- Cybersecurity refers to the systems, contracts and policies we put in place to manage risk with regard to Cyberspace
Main risk areas in cybersecurity
- Threats to corporate files
- Loss of files
- Email attacks and theft
- Threats to industrial control systems
- Threats to confidential information
- Other commercial risks
Main vulnerabilities in cybersecurity
- Password and policy issues
- BYOD and shadow IT
- Loss or theft of devices
- Technical flaws
- Out-of-date applications
- Insider threats
- Data storage issues
- SQL injections, cryptographic flaws
- Cloud-based storage and systems
Next: EU information security issues
Conclusions of the EU material
【Why put the conclusions first: because the PPT material is too messy, and the conclusions should be the key points, so read what follows with these key points in mind】
- No single source of Information Security obligations – no single definition
- Different types of information – different levels of protection – different mechanisms
- The EU approach is principle-based regulation
Directives / Regulations
- Privacy
  - EU General Data Protection Regulation (GDPR)
- Telecommunications networks/services
  - ePrivacy Directive (regulates the use of electronic communications services)
- Critical Infrastructure
  - Network and Information Systems Directive (NIS Directive)
GDPR
Introduction
Organisations that decide to collect and process personal data for their own purposes are known as controllers
A controller may engage a service provider or processor to process personal data on behalf of the controller
A processor is an individual or legal person or other body that processes personal data on behalf of the controller
Scope
The GDPR regulates the processing of personal data
Personal data is any information relating to an identified or identifiable natural person ('data subject')
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Relates to living individuals only
Special categories of personal data are subject to a stricter regime:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person's sex life or sexual orientation
Principles
- Principles-based regulation
  - The EU has adopted similar risk-based safeguarding and information obligations in respect of telecommunication networks and payment services, as well as under the NIS Directive and the e-Privacy Directive
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and Confidentiality
  - ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- Accountability
Information Security Obligation
- Safeguarding obligations, which require organisations to put in place 'appropriate and proportionate' security measures, and
- Information obligations, which require the sharing or disclosure of information
- Article 32 requires that the controller:
  - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  - This includes, inter alia:
    - the pseudonymisation and encryption of personal data;
    - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
- 【On inter alia: for details see 'interalia在法律文件中的使用及譯法 (baidu.com)'; it is Latin and can be understood as meaning "among other things"】
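Article 32 names pseudonymisation as one example measure. As an added example that is not from the slides, the Python below pseudonymises the direct identifiers of a constructed record with a keyed HMAC, keeping the key as the "additional information" held separately, and checks the property that matters for the measure: the key holder can re-link the record, while someone holding only a list of plausible identifiers can match a plain unkeyed hash but not the keyed pseudonym. The field names, the sample record and the 32-hex-character token length are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample record (not real data). Field names are assumptions.
RECORD = {"name": "Alice Example", "email": "alice@example.test",
          "postcode": "AB1 2CD", "purchase": "textbook"}
DIRECT_IDENTIFIERS = ("name", "email")   # fields replaced by pseudonyms
TOKEN_HEX_LEN = 32                        # assumed token length (128 bits)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the normalised identifier under a secret key.
    The key is the 'additional information' that must be kept separately from the data."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:TOKEN_HEX_LEN]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the direct identifiers; the remaining fields stay usable for analysis."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = pseudonym(out[field], key)
    return out


def relink(pseudonymised: dict, key: bytes, candidate: dict) -> bool:
    """Only the key holder can re-identify: recompute and compare in constant time."""
    return all(
        hmac.compare_digest(pseudonymised[f], pseudonym(candidate[f], key))
        for f in DIRECT_IDENTIFIERS
    )


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain hash that anyone can recompute."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()[:TOKEN_HEX_LEN]


def matchable_from_candidates(token: str, candidates: Iterable[str], key: Optional[bytes]) -> bool:
    """Design check: can a token be matched from a list of plausible identifiers?
    With key=None the token is a plain hash and the candidate list is enough;
    with a keyed pseudonym the same list is useless to anyone without the key."""
    for c in candidates:
        t = pseudonym(c, key) if key is not None else unkeyed_hash(c)
        if hmac.compare_digest(t, token):
            return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated and stored apart from the data
    p = pseudonymise(RECORD, key)
    print(p)
    print("key holder re-links:", relink(p, key, RECORD))
```

Because the pseudonym is deterministic under one key, records about the same person still link together for analysis; rotating or destroying the key is what turns the dataset from pseudonymised into effectively anonymous for everyone outside the key store.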
Information Obligation
- Article 33 creates a legal duty on all organisations to report certain types of personal data breach to the relevant supervisory authority
  - within 72 hours of becoming aware of the breach, where feasible
- Article 34 requires the controller to notify data subjects affected or potentially affected by the breach
Data Breach
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
- This includes breaches that are the result of both accidental and deliberate causes
- A security incident that has affected the confidentiality, integrity or availability of personal data
When a personal data breach has occurred, organisations need to establish the likelihood and severity of the resulting risk to people's rights and freedoms
- Likelihood of risk –> need to report it
- No likelihood of risk –> no need to report it
The adverse effect of a security incident on individuals may include emotional distress, and physical and material damage
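The Article 33/34 decisions described above, as an added example that is not part of the slides: the Python below records when the controller became aware of a breach, computes the 72-hour window for the report to the supervisory authority, and derives a notification plan from the likelihood and severity assessment. The likelihood/severity scales and the rule combining them are assumptions; the "high risk" threshold for notifying data subjects, the exception for data made unintelligible (e.g. encrypted) and the requirement to document every breach are taken from the text of Articles 33 and 34 rather than from the slides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Article 33: report to the supervisory authority without undue delay and,
# where feasible, within 72 hours of becoming aware of the breach.
NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class Breach:
    description: str
    became_aware: datetime             # when the controller became aware (tz-aware)
    data_categories: tuple             # e.g. ("name", "email") or ("health",)
    records: int
    likelihood: str = "possible"       # assumed scale: "none", "possible", "high"
    severity: str = "medium"           # assumed scale: "low", "medium", "high"
    data_unintelligible: bool = False  # e.g. encrypted, and the key was not compromised


def at_hours(b: Breach, hours: float) -> datetime:
    """Clock time a given number of hours after the controller became aware."""
    return b.became_aware + timedelta(hours=hours)


def authority_deadline(b: Breach) -> datetime:
    """Latest time for the Article 33 report to the supervisory authority."""
    return b.became_aware + NOTIFY_WINDOW


def risk_to_individuals(b: Breach) -> str:
    """Combine likelihood and severity into 'none' / 'some' / 'high' (assumed rule)."""
    if b.likelihood == "none":
        return "none"
    if b.likelihood == "high" and b.severity == "high":
        return "high"
    return "some"


def notification_plan(b: Breach, now: datetime) -> dict:
    risk = risk_to_individuals(b)
    deadline = authority_deadline(b)
    return {
        "risk": risk,
        # Art. 33(1): report unless the breach is unlikely to result in a risk.
        "notify_authority": risk != "none",
        # Art. 34(1): tell data subjects when the breach is likely to result in a
        # high risk; Art. 34(3)(a): not required if the data were made unintelligible
        # (e.g. encrypted) to anyone not authorised to access them.
        "notify_data_subjects": risk == "high" and not b.data_unintelligible,
        "authority_deadline": deadline,
        "overdue": risk != "none" and now > deadline,
        # Art. 33(5): every breach is documented internally, reported or not.
        "document_internally": True,
    }


# Constructed sample breaches (not real incidents).
AWARE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Breach("laptop lost; full-disk encryption, key not exposed", AWARE,
           ("name", "email"), 500, likelihood="none", data_unintelligible=True),
    Breach("health records exposed on a public web server", AWARE,
           ("health",), 2000, likelihood="high", severity="high"),
    Breach("newsletter sent with all recipients in the To: field", AWARE,
           ("email",), 40, likelihood="possible", severity="low"),
]

if __name__ == "__main__":
    now = at_hours(SAMPLE[0], 80)
    for b in SAMPLE:
        plan = notification_plan(b, now)
        print(f"{b.description}: risk={plan['risk']} authority={plan['notify_authority']} "
              f"subjects={plan['notify_data_subjects']} overdue={plan['overdue']}")
```

The clock starts at awareness, not at the moment the incident happened, which is why the record keeps `became_aware` rather than an incident timestamp; an overdue report still has to be made, with reasons for the delay.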
Contract Law aspects
GDPR Article 28 states that controllers must include the following in contracts with processors:
- The processor shall not engage another processor without prior specific or general written authorisation of the controller
- Processing by a processor shall be governed by a contract or other legal act
  - which sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller
NIS Directive 2
Introduction
NIS Directive 2 regulates the cybersecurity of critical national infrastructure, and updates the previous version
- It covers more sectors and activities than before, streamlines reporting obligations and addresses supply chain security
It applies to providers of critical national infrastructure (CNI):
- Operators of essential services (OES), which are directly responsible for CNI
- Digital service providers (DSPs), which provide services upon which others, including OES, are reliant
Scope
Operators of essential services (OES) provide a listed service in one of seven critical infrastructure sectors: energy, transport, banking, financial markets, health, drinking water, and digital infrastructure
They operate on such a scale that their service is "essential for the maintenance of critical societal and economic activities"
A digital service is a new subset of the category of service known as 'information society services', which is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services
Digital service providers (DSPs) are:
- an online marketplace;
- an online search engine; or
- a cloud computing service
Tort Law
A private law mechanism
Data controllers can be held liable under the tort of negligence for damages caused by cybersecurity incidents that they should have reasonably foreseen and prevented or mitigated
To hold data controllers liable, a court would have to find that (i) the operator had a duty of care to the person(s) who suffered harm, which (ii) the operator failed to fulfil
Requirement
Duty – breach – causation – harm
A duty of care may arise from:
- common law principles governing negligence
- a special / contractual relationship between the defendant and the claimant
- a statute or regulation governing a specific activity
There must be proximity between the parties for a duty of care to exist
Foreseeability means that a person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
Damage needs to be proven by claimants – economic loss or emotional harm
Next: the US material
Privacy and data protection - 1. HIPAA - US Health Insurance Portability and Accountability Act (health information privacy)
Personal health information is considered very sensitive
- Confidential medical records
- Public embarrassment, discrimination
- Medical identity theft
HIPAA protects the privacy and security of personal health information
Scope
The Privacy and Security Rules apply to covered entities and determine how they may create, store, use or disclose protected health information (PHI)
- Applies information security principles established in other industries
Definitions
PHI is any individually identifiable information about the health of a person, including past, present or future mental or physical health information
Covered entities are those that handle PHI in a certain way – health plans, health care providers, health insurance companies, etc.
It also applies to business associates of covered entities
Security Rule
A covered entity must "implement policies and procedures to prevent, detect, contain and correct security violations."
The Security Rule requires covered entities to use security safeguards, which must protect the confidentiality, integrity and availability of electronic protected health information (EPHI) from reasonably anticipated threats
Security Rule Standards
The Security Rule contains instructions on how to use information security safeguards
It also contains standards, which are required to be met for each safeguard area
Detailed instructions for meeting the standards are implementation specifications (IS)
Implementation Specifications (IS)
Required specifications – compulsory
Addressable specifications – covered entities decide whether it is reasonable and appropriate to the particular environment and the cost to implement these
A covered entity can either
- Implement the IS as published
- Implement some alternative (and document why)
- Not implement the IS at all (and document why)
Types of Safeguards (three kinds)
Administrative Safeguards
- Actions, policies and procedures to prevent, detect, contain and correct information security violations
- The largest part of the Rule is the management process
Physical Safeguards
- Controls to protect physical resources
Technical Safeguards
- Controls applied in the hardware and software of an information system
2. COPPA - Children's Online Privacy Protection Act
Scope
Sectoral approach: the law is derived partly from federal statute, but also from state law, case law and increasingly from the decisions and guidance of the Federal Trade Commission (FTC)
**Children's Online Privacy Protection Act** (COPPA) requires that operators of commercial websites and online services directed to children under the age of 13, or general audience websites and online services that knowingly collect personal information from children under 13, must obtain parental consent before collecting, using, or disclosing any personal information from children under the age of 13
In 2011, the FTC and the games company Playdom agreed to a $3 million settlement over Playdom's alleged breaches of the Children's Online Privacy Act
In 2019, Google's YouTube paid $170 million to settle allegations by the FTC and the New York attorney general that it illegally collected personal information from children without their parents' consent; the highest settlement yet
3. CCPA - California Consumer Privacy Act
**California Consumer Privacy Act **(CCPA) came into effect in January 2020 – the most comprehensive privacy legislation to-date
加州消費者隱私法案(CCPA)于2020年1月生效,這是迄今為止最全面的隱私立法
*Personally identifiable information *(PII) includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (under the CCPA)
個人身份信息(PII)包括識別、涉及、描述、能夠與特定消費者或家庭直接或間接關聯(lián)或可以合理關聯(lián)的任何信息(根據(jù)CCPA)
Applies to any business that collects or processes PII from California residents, and
適用于從加州居民收集或處理個人身份信息的任何企業(yè),以及
- has annual gross revenues of $25,000,000 or more; 年總收入在2500萬美元或以上;
- buys, collects, sells, shares, or otherwise receives the PII of 50,000 or more California consumers per year, households or devices; OR 每年購買、收集、出售、共享或以其他方式接收50,000或更多加州消費者、家庭或設備的PII;或
- derives at least 50% of its revenue from selling consumers’ personal information This will most likely capture most apps or free-to-play games 至少有50%的收益來自于銷售用戶的個人信息,這很可能會吸引大多數(shù)應用或免費游戲
Breach Notification Laws 違約通知法
Legislation adopted in 47 US states requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable data
美國47個州通過立法,要求私人或政府實體在涉及個人身份數(shù)據(jù)的信息安全漏洞時通知個人
Provisions include: 規(guī)定包括
- who must comply with the law (businesses, data/ information brokers, government entities); 誰必須遵守法律(企業(yè)、數(shù)據(jù)/信息經(jīng)紀人、政府實體);
- definitions of ‘personal information’ (name combined with SSN, drivers license or state ID, account numbers); “個人信息”的定義(姓名與社會安全號碼、駕駛執(zhí)照或州身份證、賬號的組合);
- what constitutes a breach (unauthorized acquisition of data); 什么構成違規(guī)(未經(jīng)授權獲取數(shù)據(jù));
- requirements for notice (timing or method of notice, who must be notified) 通知要求(通知的時間或方法,必須通知誰)
FTC - Federal Trade Commission Act
Consumer Protection Regulations
FTC is an independent federal agency and the most important regulatory authority for consumer protection issues
Section 5 forbids unfair and deceptive trade practices
The FTC has now brought over 50 information security cases
Scope
Unfair
- Causes or is likely to cause substantial harm/injury to the consumer
- The consumer cannot reasonably avoid the harm
- There is no benefit to the practice that outweighs the harm
Deceptive
- Representation or omission likely to mislead the consumer
- Not reasonable from the perspective of the consumer
- Affects the consumer’s decision; the harm is that, without the deception, the consumer would likely have decided differently
Priorities
**Children Under 18**: Harmful conduct directed at children under 18 has been a source of significant public concern; now, FTC staff will similarly be able to expeditiously investigate any allegations in this important area
**Algorithmic and Biometric Bias**: Allows staff to investigate allegations of bias in algorithms and biometrics
**Deceptive and Manipulative Conduct on the Internet**: This includes, but is not limited to, the “manipulation of user interfaces,” including but not limited to dark patterns, also the subject of a recent FTC workshop
Limitations
In April 2021, the Supreme Court ruled in AMG Capital Mgmt., LLC v. FTC that the agency lacks power to seek monetary recovery under Section 13 of the FTC Act
- To be rectified by the Congress?
Lack of technical expertise and staff to regulate consumer cybersecurity
The ideal solution is for Congress to create a robust cybersecurity framework and an agency empowered to enforce it
For the time being, the FTC fills a void in America’s cybersecurity ecosystem
Tort Law
Tort law: a body of civil law that deals with compensation for harm caused by another party’s negligence or wrongful act.
Information security lawsuits commonly include claims of negligence, **breach of fiduciary duty** or breach of contract, individually or together
**Negligence** is generally defined as a breach of the duty not to impose an unreasonable risk on society
**Breach of fiduciary duty** is a failure to fulfil an obligation to act in the best interest of another party
Some recent cases have argued that data breaches are subject to strict liability
**Strict liability** means that the manufacturer of a product is automatically responsible for any injuries caused by the product (typically product liability cases)
Negligence
To establish a claim, plaintiff has to prove:
- the existence of a legal duty on the part of the defendant not to expose the plaintiff to unreasonable risks
- a breach of the duty – a failure on the part of the defendant to act reasonably
- a causal connection between defendant’s conduct and plaintiff’s harm, and
- actual damage to the plaintiff resulting from the defendant’s negligence
Negligence – Foreseeability
Central concept of the law of negligence
A person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
For example, a database owner fails to patch a security vulnerability, thereby paving the way for a cyber attacker to obtain unauthorized access to confidential information
Negligence - Cases
In Anderson v. Hannaford Brothers Co., a third party stole a grocery store’s debit and credit card data, and the court used a negligence standard to assert a standard of care based on breach of implied contract
In Patco Construction Co. v. People’s United Bank, the bank had a state-of-the-art security program, but failed to set the fraud activity triggers at an appropriate level
Fiduciary Duty
Fiduciary duty: a legal obligation requiring the person who holds it (such as a lawyer, banker or company director) to act honestly, loyally and prudently when handling another party’s property or affairs, so as to protect the beneficiary’s interests
Special relationships – between a provider and consumer, employer and employee, or fiduciary and beneficiary – are usually based on a contractual promise (explicit or implied)
Corporations owe fiduciary and good faith duties to shareholders to act within the scope of their powers, be diligent and act in the corporation’s interests
To establish a claim, plaintiff has to prove:
- the existence of a binding agreement;
- the non-breaching party fulfilled its obligations, if it had any;
- the breaching party failed to fulfil its obligations;
- the lack of a legal excuse; and
- the existence of damages sustained due to the breach
Tort Law – Statutes II
A statute may impose a duty of care for how entities use or limit access to personal information in the normal course of business
Statutes
- Fair Credit Reporting Act
In the *Equifax* data breach, the Fair Credit Reporting Act imposed a specific statutory duty to maintain reasonable procedures to ensure information security; failure to do so creates civil liability for non-compliance
Tort Law – Harm
Actual harm is the most straightforward
Concrete and particularized injury that is actual or imminent, not conjectural or hypothetical
Problematic for cases of data breaches
Theory of ‘future harm’ establishing a threat of future identity theft
Harm – Cases
In these cases, the hackers intentionally targeted the personal information compromised in the data breaches – evidence of harm
- In *Galaria* (hackers broke into Nationwide’s computer network and stole the personal information of 1.1 million customers),
- In *Remijas* (why else would hackers break into a store’s database and steal consumers’ private information?),
- In *Pisciotta* (scope and manner of intrusion into banking website’s hosting facility was sophisticated, intentional and malicious)
On the other hand, in *Katz* and *Beck* the claims were too speculative: there was no evidence that the stolen information had been accessed or misused or that the plaintiffs had suffered identity theft
Contract Law
Breach of contract is the failure to fulfil a condition of a contract
Data breach claims may rest on a written agreement or privacy policy, or argue that state consumer protection laws create an implied contract
COPPA, HIPAA, and others require contracts with processors and other third parties that impose obligations to ensure that information is kept secure
The Massachusetts Data Security Regulations address the selection of third-party vendors, requiring companies to take *reasonable* steps to select and retain vendors that have the capacity to maintain appropriate security measures for personal information
Vendors also must be contractually required to maintain safeguards
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB
Control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The following covers China
PRC Cybersecurity Law
Provides for supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection of personal information
It also establishes a regulatory regime in respect of critical information infrastructure and imposes data localization requirements for certain industries
Network operators must adopt technological measures and other necessary measures to ensure the security of the personal information they gather, and prevent personal information from being leaked, destroyed or lost
Network operators are subject to the following requirements when collecting and using personal information:
- Collection and use of personal information must be legal, proper and necessary.
- Network operators must clearly state the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
- Network operators shall not disclose, alter, or destroy collected personal information; without the consent of the person from whom the information was gathered, such information shall not be provided to others.
- In the event of a data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
- In case of an illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.
Operators of Critical Information Infrastructure
Regulators and law enforcement have wide discretionary powers to review and inspect the IT systems of companies
The CSL requires critical information infrastructure operators in important sectors to fulfil certain security protection obligations
There is no definition yet of which organisations qualify as operators of critical information infrastructure
The Civil Code
‘Personal information’ is defined as all kinds of information, recorded electronically or otherwise, that can be used on its own or in combination with other information to identify a specific natural person, including the natural person’s name, date of birth, ID number, biometric information, address, telephone number, email address, health information, whereabouts, etc.
The PIS Specification makes minor wording changes to the definition of ‘personal information’ under the CSL and the Civil Code
It also defines ‘personal sensitive information’ as personal information that, once leaked, unlawfully provided or abused, may cause harm to personal or property security, is very likely to damage an individual’s reputation or physical or mental health, or gives rise to discriminatory treatment
Data Localization
**Personal Information Protection Law (PIPL)** sets out a stricter data localization requirement: personal information processed by state organs, critical information infrastructure operators (not yet defined), and data processors that have reached or exceeded the personal information processing threshold shall be stored inside China, or undergo a risk assessment by the National Cyberspace Administration or related departments when cross-border data transfer is required
To comply with this law, many US and EU companies have been taking compliance measures, such as segregating local Chinese data from other data. Various companies (including Microsoft and Amazon Web Services) have also started offering cloud services in China to meet the business needs of multinational companies doing business in China
Who owns personal information?
China has not had a specific stipulation on the ownership of personal information, and it has been disputed whether personal information belongs to the relevant personal information subjects
The Civil Code stipulates the protection of personal information in the ‘Personality Rights’ Chapter, indicating that the rights pertaining to personal information are personality rights of the personal information subjects
Telecommunications / ISP Law
**The Provisions on Telecommunication and Internet User Personal Information Protection**, effective from September 1, 2013
It is applicable to telecommunications and Internet service providers
Duties to keep information in proper custody, to mitigate harm from actual or suspected disclosure, and to notify actual or suspected breaches
Article 13 imposes the following information security requirements on telecommunications operators and Internet service providers:
- Specify the responsibilities of each department / role in terms of security of personal information;
- Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;
- Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
- Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
- Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
- Undertake communications network security protection work as required by the relevant telecommunications authority
Breach Notification Law
The *PRC Cybersecurity Law* introduced a general requirement for the reporting and notification of actual or suspected personal information breaches
Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organizations must promptly take relevant measures to mitigate any damage, notify relevant data subjects and report to relevant government agencies in a timely manner in accordance with relevant provisions
The *PIS Specification* provides detailed guidance on reporting and notification of personal data breaches or security incidents
Consumer Protection Law
The **PRC Consumer Rights Protection Law**, effective from March 15, 2014, contains data protection obligations which are applicable to all types of businesses that deal with consumers:
- State the purpose, method, scope, and rules of collection of personal information of consumers;
- Keep personal information of consumers confidential and not disclose, sell, or illegally provide this to others;
- Have mechanisms in place to ensure the security of information collected; and
- Not send unsolicited communications to consumers
E-Commerce Law
The E-Commerce Law, effective from January 1, 2019, aims to gain greater control over the online consumer markets, where there has been little or no regulation
Together with other data protection and information security laws, the principles are:
- Data controllers should strengthen management of information provided by users, prohibit the transmission of unlawful information and take necessary measures to remove any infringing content, then report to supervisory authorities
- Sufficient notice and adequate consent should be obtained from data subjects prior to the collection and use of personal information
- Further obligations are imposed on mobile app providers, including but not limited to conducting real-name identification and undertaking information content review.
- Data subjects have specific rights, such as to access their data, to correct their data, to request deletion of data in the event of a data breach, to de-register their account, etc.
Private and Tort Law
The PRC Tort Liability Law, effective from July 1, 2010, provides that tortious liability arises upon the infringement of ‘civil rights and interests’
Provisions found in laws such as the **General Principles of Civil Law** and the **Tort Liability Law** have generally been used to interpret data protection rights as a *right of reputation* or right of privacy
Article 36 of the Tort Law creates obligations for Internet service providers (ISPs)
- A network user or network service provider who infringes upon the civil right or interest of another person through the network shall assume the tort liability
Chinese courts have allowed damages for emotional distress connected with disclosure
Sources
Numerous legal sources impose obligations on organisations to provide security for different kinds of information
The source of the legal obligation, and the object or reason for which the information is to be made secure, can differ
With these different legal obligations come potential sanctions or liabilities
A company that does not secure its information faces greater risk
Issues
The duty to keep information secure is not further specified in the statutes
The GDPR indicates:
- ‘Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security *appropriate* to the risks represented by the processing and the nature of the data to be protected’
A cost/risk analysis determines what counts as an appropriate level of security
No further guidance
Emerging Guidance (EU, US)
The **European Union General Data Protection Regulation** requires an “adequate” level of data protection but offers no explanation or definition for the term
In the United States, the **Health Insurance Portability and Accountability Act (HIPAA) Security Rule** for healthcare and the **Safeguards Rule** for financial services have been among the most prescriptive, and Massachusetts has led the way among states, providing 18 specific standards for protecting personal information
The **Federal Trade Commission** considers the collection of personal information without providing reasonable security to be an unfair practice, but the U.S. Court of Appeals for the 11th Circuit’s decision to vacate the commission’s order against LabMD in 2018 showed the legal challenges raised by an imprecise standard; the court found that the FTC’s requirement for “LabMD to overhaul and replace its data-security program” was unenforceable because of an “indeterminable standard of reasonableness.”
Standards
Consequently, many information technology organizations have focused instead on aligning their operations with recognized security frameworks such as the International Organization for Standardization (ISO) 27001, Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) and others.
Definition
Standard is…
- established or widely recognised as a model of authority or excellence (a standard reference work)
- conforming to or constituting a standard of measurement or value; or of the usual or regularized or accepted kind (windows of standard width, standard fixtures, standard operating procedure)
- the ideal in terms of which something can be judged (they live by the standards of their community)
ISO Definition
ISO/IEC Guide 2:1996, promulgated by the International Organization for Standardization (ISO), defines a standard as follows:
- “a standard is a document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.”
Types of Standard
Informal/formal
- White wedding dresses / 802.11b
De facto standard: a standard that is widely accepted and used in practice, even though it may have no formal authoritative approval
- Achieved dominant position
- Through tradition, enforcement, or market dominance – such as white wedding dresses, TCP/IP, iPhones or Microsoft Windows
- Not necessarily receiving formal approval by means of a standardization process, and may not be an official standard document
De jure standard (legal / official standard)
- Standard contractual terms
Social, technical, commercial, …
Benefits
Joint mastery of problems
- Technical and other issues
Helps choices
- Reduces uncertainties
- No need to test further
Makes operations smoother
- Conformity to expectations
Advances progress
- Anticipate further developments
Avoids conflicts
Conformity with Standards
Often by certification process – third-party audit
- Testing labs
Value
- Mark of conformity: a mark or label indicating that a product or service meets the requirements of a particular standard, specification or regulation
- Quality certificate: a document, usually issued by an authoritative body, certifying that a product or service meets particular quality standards
- Market entry requirements
Manufacturing and distribution of telecommunication equipment must meet national, regional and international standards of performance, safety and interoperability
National Standards Bodies
Usually an official national representative of ISO
May be responsible for uniform standardization throughout the country
Laws regulating the creation of standards
- Compulsory – health and safety
- Voluntary – other industries
International Standards Bodies
Numerous recognised international bodies with standards-making functions
Non-treaty bodies
- International Organization for Standardization (ISO)
- International Electrotechnical Commission (IEC)
Treaty bodies
- International Telecommunication Union (ITU)
OECD 2002 Information Security Guidelines
OECD legal instruments: decisions, conventions, recommendations, guidelines
Guidelines = non-binding, represent the political will of members, great ‘moral force’
Standards setting role
- OECD’s legal instruments set standards for members in a variety of policy areas
- Non-members who adhere to OECD’s legal instruments agree to implement the standards and measures, including relevant legislation addressed by the instrument
ISO/IEC
27001:2005: ‘Information technology – Security techniques – Information security management systems – Requirements’
- Information Security Management System (ISMS)
- Used with ISO 27002 ‘Code of Practice for Information Security Management’
- Lists security control objectives
- Recommends a range of specific security controls
- Certification possible
- Three-stage audit by certification body
Revised by ISO/IEC 27001:2013
PIS Specification I
National Standard of Information Security Technology – Personal Information Security Specification, effective from October 1, 2020 (PIS Specification)
A standard to determine whether companies are following China’s data protection rules
Businesses that collect or process personal information in China should check their current practices against this Specification to identify and minimize their potential risks
De Jure Standards
Legal requirement for an appropriate level of information security process:
US Health Insurance Portability and Accountability Act (HIPAA)
- Privacy rule: privacy standards, including who can have access to protected health information (PHI) (all forms)
- Security rule: controls for ensuring access only to those who should have it (electronic information only)
Laws requiring compliance with PCI/DSS (The Payment Card Industry Data Security Standards)
- Normally, PCI/DSS is a private standard with contractual liability only
- PCI DSS is developed and promoted by the PCI Security Standards Council
- The Council was formed by five of the most prominent credit card payment brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. – in response to increasing credit card fraud and data security breaches
- Some US states incorporated the standard into state law