Cyber security: how to take care of protecting the company's personal data from attacks?
Analysts from MK Legal Service answer questions that matter to every owner who wants to keep their company's data secure: What should you pay attention to when transferring personal data to cloud storage? What are the nuances of regulating data coding and encryption? How should staff be trained to handle personal data properly? Why does business data protection need a lawyer?
Preparing servers and transferring data to cloud storage
At the enterprise, it is necessary to implement policies for working with server equipment and to monitor whether the systems built comply with legal requirements. The list of such requirements depends on the type of data to be processed. For example, to work with the public sector, your hardware complex will need special certification.
Today, the most effective way to protect personal data is to transfer it to cloud storage, that is, to virtual remote servers. A reliable cloud services provider holding an international certificate or a Ukrainian expert opinion will be able to take proper care of protecting confidential information.
At the same time, responsibility for processing personal data and complying with the requirements of the law remains with the business. Therefore, before engaging a provider, it is necessary to conduct a legal review of its activities and carefully study the terms of the cloud services contract: in particular, the terms on information protection and the parties' liability for violating them.
Organization of encryption and coding
To protect data from cyberattacks aimed at accessing it while in transit, it needs to be encrypted or encoded. There are many software tools for this. However, special requirements apply when working with personal data or information with limited access.
Technical and cryptographic protection of information with limited access, and the state expertise of such protection, are regulated by a number of regulatory acts that contradict one another and do not take into account the realities of technical progress:
1) Laws of Ukraine:
- "On information"
- "On personal data protection"
- "On the protection of information in IT"
- "On the main principles of ensuring cyber security of Ukraine"
- "On technical regulations and conformity assessment"
2) Other regulatory acts:
- Resolution of the CMU of March 29, 2006 No. 373 "On Approval of the Rules for Information Protection in Information, Telecommunication, and Information and Telecommunication Systems"
- Order of the Administration of the State Service for Special Communications and Information Protection of Ukraine dated May 16, 2007 No. 93 "On Approval of the Regulation on State Expertise in the Field of Technical Information Protection"
- Decree of the President of Ukraine dated May 22, 1998 No. 505/98 "On Regulations on the Procedure for Implementing Cryptographic Protection of Information in Ukraine"
3) State standards:
- DSTU 3396.1-96 dated July 1, 1997 "Information protection. Technical protection of information. The order of work", etc.
Without professional legal assistance, it is quite difficult to navigate the variety of regulatory acts, let alone their content. However, without implementing them, it will not be possible to protect the business from cyber attacks and, worse still, from their consequences.
To date, our team has considerable experience in consulting and legal expertise on organizing cyber protection, on data encryption in compliance with current regulations, and on working with providers who have fully implemented those regulations in their operations.
Instruction and training of IT personnel
The organization of internal work processes at the enterprise is of great importance for cyber protection in general and for the protection of personal data in particular. The key process is the development of documentation, instructions and policies that set out:
- what data is collected,
- the purpose of data processing,
- the procedure for accessing the data.
Special training sessions are held for staff to explain the specifics of working with personal data at the enterprise and the liability for violating the requirements.
It is no secret that in IT, the personnel given access to personal data are mainly divided into external contractors (FPOs, i.e. sole proprietors) and officially registered employees. NDAs (non-disclosure agreements), as case law shows, are often not enough. Accordingly, the lawyer's task is to ensure that non-disclosure obligations and requirements are competently drafted in contracts with external contractors, and to carefully review employees' job descriptions.
This issue deserves special attention, because it is the human factor that causes many protection failures and information leaks. This is especially true of the people responsible for maintaining the security of your data.
Now it is clear why, to ensure cyber protection, it is necessary to involve a lawyer in the first place, and not a technical specialist. The lawyers at MK Legal Service have extensive experience and skills in personal data protection, and to protect your business and personal data from cyber attacks at various levels, we can:
- analyse the sensitivity of personal data,
- identify the applicable areas of regulation and protection requirements,
- review the activities of external service providers and the contracts with them,
- advise on legal issues in the field of technical and cryptographic protection of information,
- develop the enterprise's internal documents,
- audit contracts and job descriptions,
- provide legal support in dealings with state authorities,
- protect your interests in court, etc.
The article is posted on the resource Liga:BOOK.