After Federal Law No. 242 on amendments to certain legislative acts of the Russian Federation for clarification of the procedure of personal data processing in Information and telecommunication networks was signed, а lot of companies had to think about bringing their infrastructure and business applications in accordance with the new legislation. Mr Vladislav Lantukh, Deputy CEO of IBS DataFort a data center firm and Ivan Guzev, director of information security, speak about the new requirements and the ways how corporate processes of large companies may be adapted them.
There are still lots of disputes over Federal Law No. 152. A number of people criticize its various amendments for being too tough. Also, they say law is merely another opportunity for the state to carry out one or another audits…
Vladislav Lantukh: Information security is one of the aspects of national security intended to protect the Russian citizens against information threats. In our opinion, this law is an essential measure that allows the creation of a legal basis for personal data protection.
We have been operating for over 14 years in telecommunications. We have developed our services in accordance with state regulatory mechanisms, in particular, with the Federal Law on communications. The Federal Supervision Agency for Information Technologies and Communications (Roskomnadzor) is responsible for regulation in this area.
Thanks to our approach to business, nothing has caught us off guard. Legislation is becoming more ordered and the regulator is the same.
As for the law, we believe that such an initiative on the part of the legislator indicates that the Federal government is interested in ensuring an adequate level of regulation of the complex processes in the framework of business informatization, including the protection of citizens and their personal information. This is a positive step in creating a functional and safe IT environment.
What does ‘personal data’ mean? Are there any special conditions for its processing and retention?
Ivan Guzev: Personal data includes a person’s full name with an additional attributes, which allows exact identification of the person. For example, passport data, data on marital status, education, Individual Taxpayer Number (INN), state pension insurance certificate ID number, medical insurance, employment history, social and property status, income details. Almost every organization, including multi-national ones, has this sort of data.
Federal Law No. 242 introduces amendments into the basic Federal Law No. 152 on personal data, and regulates the rules according to which recording, systematization, accumulation, retention, rectification (updating, alteration), and extraction of personal data of Russian citizens must be carried out using the data bases located in the territory of the Russian Federation now. All amendments take effect starting September 1, 2015. Consequently, companies with infrastructure and applications outside the Russian Federation have less than two months left to carry out a migration of personal data to reside physically on Russian soil.
Vladislav Lantukh: In the EU, Northern America, India and China, personal data is protected according to the long-established legislative norms. Let’s take for example the implementation experience of a similar law in Great Britain. The UK Data Protection Act was adopted in 1984 and amended in 1998 with issuing of the EU Directive on Data Protection. In a similar way, European legislation envisages compulsory registration of personal data operators. In this respect Law No. 152 is basically similar to the European legal acts.
Returning to the Russian practice, I would like to note that in our opinion the only problem is that the amendments to the law on personal Data entered not in quite time. The PD operators, including our customers, are forced to undertake costly measures to meet the requirements of No. 152-the IOF No. 242-FSW in conditions when their business is affected by negative economic factors.
What joint steps regarding maintenance of personal data security according to FL-152 may be taken for the companies performing personal data processing?
IG: At the moment Law No. 152-FZ and its bylaws establish the following general approach to the securing personal data protection: at the first stage the level of personal data protection is determined (according to RF Governmental Decree No. 1119). The second stage assumes that the basic package of measures for personal data protection is determined on the grounds of the level identified earlier (Order No. 21 Federal Service for Technology and Export Control (FSTEC of Russia), Order No.378 Federal Security Service of Russia (FSB)). Next, the list of immediate threats to security is prepared on the basis of the system analysis. Taking into account this list of immediate threats and technologies applied in each specific company or information system’s peculiarities the basic package of measures is to be corrected. Thus, the adapted package of information security measures to be implemented in compliance with the requirements of Law No. 152-FZ is implemented.
What punishment may be imposed on companies if they do not meet the requirements of Federal Law No. 152?
IG: Failure to comply with the requirements of Law No. 152 may involve administrative, civil, disciplinary and even criminal liability. Roskomnadzor may impose a fine or issue a halt of personal data processing. This may incur substantial business costs. In addition, the company performing personal data processing in contravention of the law bears risks related to possible civil claims from personal data subjects and, consequently, may run a risk of damaging its reputation. In some cases criminal liability may occur when there is a violation of privacy, and so on. All of this is very serious.
How does IBS DataFort bring its services into line with Law No. 152?
VL: We spent lots of time to gain insight into the current situation, we had a series of legal consultations and consequently we took a balanced approach to the selection of the scope and the volume of protective measures. For an operator of professional cloud services, it is of the utmost importance to find a balance between implementation of binding and recommended requirements of the FSTEC and the FSB, and then how best to investment into infrastructure.
According to our estimates, the situation in the present IT market is as follows: suppliers propose customers to invest into the widest range of solutions, which are not always necessary, trying to earn as much as possible on the issue of ‘statutory compliance’, plainly making use of the low expert awareness of their clients. We ultimately have a different approach: customers of IBS DataFort services do not need to purchase a substantial portion of the standard equipment and software required to implement the basic measures for information security. These measures already exist on the DF Cloud services platform and are included into what we charge.
IG: Having analyzed legislative requirements and various received requests, we have arrived at the conclusion that about 90 percent of the personal data processed by information systems meets the needs of third level of protection (LP-3). Our company has worked out a basic package of measures for personal data protection for the 3rd level of protection (LP-3). We have installed the essential and certified equipment for information protection and have developed a package of compensative organizational measures. Now, ‘professional’ DF Cloud services comply with all the requirements of Federal Law No. 152. Moreover, the basic requirements for the 2nd level of protection (LP-2) have also been elaborated. We are taking the essential organizational and technical measures. This means that clients with systems requiring protection according to LP-3/2 will spend much less time, resources, and money on projects assuring compliance with the new federal law. They will be able just to get the infrastructure resources for the deployment of information systems protected in accordance with the requirements of the regulator, the next day after treatment.
To comply with the legislation on personal Data (No. 152-FZ) remains, first, to prepare the required documentation (the position of processing personal Data, the classification act, the threat model, the technical specification for the system of protection of personal Data, etc.), secondly, to protect the leased infrastructure at the level of the OS and applications. This is achieved by incorporating the necessary means of information protection, according to the adapted complex information security measures for the respective IP and TIES. And third, they need to implement appropriate protection of information under the Federal law FZ-152 on its territory. Our company can provide consulting services on the issues or solve them in person.
Have you implemented any projects to address the migration of clients’ data from abroad?
VL: The issue of cross-border migration and transmission of existing bases into the territory of the Russian Federation is especially relevant for international companies whose headquarters are centrally serviced at foreign data centers by such companies such as IBM, HP, CSC, Capgemini, and Tata.
It is extremely difficult for these foreign companies to find a partner in Russia who is ready to speak in a common language, a language which is clear for them not only in terms of linguistics but in terms of professional services. DataFort has strong experience in system migration for this type of client. The primary and most essential advantage is the fact that companies do not need to invest into new infrastructure. Indeed, this factor in particular allows substantial savings for firms with data located overseas. In the conditions of the current economic situation, it is the first factor that draws the attention of clients. We are ready to operate in the mode which is most comfortable for a given client: either offering the whole spectrum of services (including administration at the level of operation systems and standard corporate software) or in cooperation with Russian or foreign partners working with the client who are responsible for administration of their business systems. In such cases, we cooperate by sharing our infrastructure, network services and information security services for these partners of the client to use.
The Moscow Times, Aug 06, 2015