Information Security and Privacy Law

Taking law as the second major of an interdisciplinary e-commerce programme is quite hard, since you have to hand-write a dozen or so pages of case analysis in pure English…
I have always been in the habit of writing notes and summaries on paper, but after a three-hour-and-a-quarter Intellectual Property Law exam, having used up an entire cartridge of fountain-pen ink, my hand was nearly ruined and my eyes nearly blind. With Information Security and Privacy Law the next day, I gave up on handwriting and switched to typing, and took the chance to tidy up the material and put it on the blog.



Information: extracted from data; valuable and meaningful
Information Security concerns everyone.
Privacy: an individual’s right to control the use and disclosure of their own personal information.
(control of personal data, where control is the ability to specify the collection, use, and sharing of their data.)
Personal information should be private, not publicly available.
Information Security is the process used to keep data private.
Security is the process, privacy is the result.

Scope of Information Security (the processes, procedures and infrastructure) to preserve:
- confidentiality
Meaning? Only people with the right permission can access and use information; it is protected from unauthorised access
How is it ensured? Encryption, access control
Otherwise, the consequences? Identity theft, threats to public safety

- integrity
Meaning? Information systems and their data are accurate, predictable when processing and unchanged when not processing; accuracy and completeness
How is it ensured? Controls ensuring the correct entry of information, authorization, antivirus
Which situations compromise it? Intentional employee or external attacks, accidental employee error

- availability
Meaning? Make sure the information system is reliable and accessible when people with proper permission want to use it
How is it ensured? Recovery plan, backup systems
Which situations compromise it? Intentional DoS attack, accidental outage

Information Security Laws
US - Gramm-Leach-Bliley Act, regulates consumer financial information
Payment Card Industry Standards, regulates credit card information
EU - General Data Protection Regulation (GDPR), regulates privacy and data protection
China - Cyber Security Law, regulates privacy and data protection

Authentication: a specific measure addressing integrity and confidentiality considerations; ensures that a machine or person is what they purport to be.
Implementation methods: digital signature, electronic PKI, multi-word password, blockchain for cryptocurrency

Risk Management, as a means to justify information security laws: the process of listing the risks that an organization faces and taking steps to control them.
- vulnerabilities
Weakness or flaw in the information system that can be exploited.
(people, process, facility, technology)

- threats
Anything that can cause harm – successful exploits of vulnerabilities
Anything that has the potential to cause harm
Be able to identify the source of the threat and the threat itself

- risks
The likelihood that a threat will exploit a vulnerability and cause harm, with an information security impact; rated high, medium or low

- safeguards
A safeguard reduces the harm posed by vulnerabilities or threats: a measure to eliminate or reduce the risk of harm

• Administrative Safeguards
– Actions, policies and procedures to prevent, detect, contain and correct information security violations
– The largest part of the Rule is the management process

  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Arrangements

• Physical Safeguards
– Controls to protect physical resources

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

• Technical Safeguards
– Controls applied in the hardware and software on an information system

  1. Access Controls
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security


- Shoulder surfing, social engineering
- SPAM with the capacity to deliver range of malware
- Spyware and keystroke loggers (3.7 million South Carolina tax records)
- Worms, viruses, Trojans
- Creation of ‘bot nets’
- Logic bombs, backdoors
- Phishing/Spear Phishing/Whaling
- DoS/DDoS

How can you meet the legal requirements, therefore?

->Reasonable, appropriate, adequate security

Source of Laws
• Laws – rules – regulations
• Common law – body of law that developed through legal tradition and court cases (case law/judge-made law) – impact on torts, contract, and property law. Customary law, derived from cases
• Statutory law – written law that is adopted by governments. Written law
• Rules – governments delegate power to agencies to create rules, enforce rules, and review rules
• Regulations – regulatory authorities have the power to create and enforce regulations

– Privacy
• EU Data Protection Directive (article 17)
• US Gramm-Leach-Bliley (financial information privacy) and
• US Health Insurance Portability and Accountability Act (health information privacy)
The US Health Insurance Portability and Accountability Act (HIPAA) – electronic protected health information (ePHI).

• Laws about Telecommunications networks/services
– EU Electronic Communications Privacy Directive (e-Privacy Directive)
– Electronic Communications Framework Directive
– US Telecommunications Act
• Federal Communications Commission presumes that there is inadequate security where customer proprietary network information (CPNI) is breached.
• Corporate Governance Laws
– Financial transparency and securities market reporting and audit obligations
– US Sarbanes Oxley Act (SOX)

• Cyber Security Law (effective from 1 June 2017) – no provisions about time limits

Tort Law

• A tort, in common law jurisdictions, is a civil wrong that unfairly causes someone else to suffer loss or harm resulting in legal liability for the person who commits the tortious act
• Information security – duty of care to secure information
• Action or lack of action that causes harm = liability

1. Does the defendant have a duty of care?
2. Was there a breach of duty?
3. Show harm.
Then a tort lawsuit can be conducted successfully.

Contract Law
• A contract is an agreement, giving rise to obligations, which are enforced or recognised by law
• Information security – contractual obligation to secure information
• Failure to secure information = liability
Signing a contract means a special relationship is formed and an agreement about data protection exists; if the obligations are not effectively fulfilled, the party is liable.

What is a data breach?
Answer: losing control of the data; no longer having access to or control over the information


US: Health Insurance Portability and Accountability Act (HIPAA)
• Privacy rule: privacy standards, including who can have access to protected health information (PHI) (all forms)
• Security Rule: controls for ensuring access only to those who should have it (electronic information only)
• Health Insurance Portability and Accountability Act 1996
• The required implementation specification at § 164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to, “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
• The required implementation specification at § 164.308(a)(1)(ii)(B), for Risk Management, requires a covered entity to “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [(the General Requirements of the Security Rule)].”
• Personal health information is considered very sensitive
o Confidential medical records
o Public embarrassment, discrimination
o Medical identity theft
• HIPAA protects privacy and security of personal health information
• Scope: Privacy and Security rules apply to covered entities and determine how they may create, store, use or disclose protected health information (PHI)
• PHI is any individually identifiable information about the health of the person, including past, present or future mental or physical health information
• Covered entities are those that handle PHI in a certain way – health plans, health care providers, health insurance companies, etc.
To memorize: a Covered Entity must
“implement policies and procedures to prevent, detect, contain and correct security violations.” I honestly feel every damn law says this.

International: ISO/IEC 27001:2005 Information Security Management Systems
– Requirements (what duties there are)
Information Security Management System (ISMS)
• Risk-based approach
• Reviews the processes that management teams must consider in order to operate, monitor, review and maintain IT systems
Specification for an Information Security Management System (ISMS)
• Way to measure, monitor and control security management from a top down perspective
• Details how to apply ISO/IEC 27002
• This is the part currently certified
• Part 2 defines a six-step ‘process’, essentially:
• Define a security policy
• Define the scope of the ISMS
• Undertake a risk assessment
• Manage the risk
• Select control objectives and controls to be implemented
• Prepare a statement of applicability
• PDCA plan, do, check, act

International: ISO/IEC 27002:2005 Code of Practice for Information Security Management. A set of security controls: the measures and safeguards for potential implementation
• Control Objectives
– General statements of security goals for each domain
• Controls
– Specific means to implement control objectives

China: Consumer Law Principles
– Enhanced penalties for consumer rights violations
– Public interest litigation to remedy harms
– Vendors have burden of proof
– Unauthorized disclosures of consumer PI banned; required to be kept strictly confidential
– Requires vendors/businesses to establish appropriate technical measures to safeguard information

China Consumer Rights Law (2014)
(personal information of consumers) requirements:
- State the purpose, method, scope, and rules of collection of personal information of consumers;
- Keep personal information of consumers confidential and not disclose, sell, or illegally provide this to others;
- Have mechanisms in place to ensure the security of information collected; and
- Not send unsolicited communications to consumers

China: Cyber Security Law (effective from 1 June 2017)
– Provides for supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection over personal information
– It also establishes a regulation regime in respect of critical information infrastructure and imposes data localization requirements for certain industries

China: Corporate Governance Law
PRC Basic Standard for Enterprise Internal Control (aka ‘C SOX’) (2009)
– Regulation requiring the establishment of internal controls and self-audits with annual reporting
– Mandatory for listed companies
– Build internal control strategies around the five ‘COSO’ control elements
• Five key components of internal control:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

Why is cloud computing a big problem?
Data is not stored on company’s own physical infrastructure
Loss of control of data, lessen security
Loss of privacy of data
Dependency on a third party for critical infrastructure
Potential security and technological defects in the cloud’s provider infrastructure
No control over third parties contractually connected with the provider
– Cloud computing presents many benefits, but also new challenges
– Lack of transparency, dependency, loss of control
– Cloud computing governed by contract
– Data and infrastructure localization

Risk Analysis Process
1. Identify the scope of the analysis.
2. Gather data.
3. Identify and document potential threats and vulnerabilities.
4. Assess current security measures.
5. Determine the likelihood of threat occurrence.
6. Determine the potential impact of threat occurrence.
7. Determine the level of risk.

Risk Management Process
1. Develop and implement a risk management plan.
2. Implement security measures.
3. Evaluate and maintain security measures.
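The seven-step risk analysis and three-step risk management process above, carried out end to end as an added worked example in Python (this is not code from the course, the notes' author, or any standard; it is added here). Everything in it is constructed for illustration: the register entries, asset names, threat sources and existing safeguards, the high/medium/low ratings, and the likelihood × impact scoring bands used to turn two ratings into one risk level. The notes only say that risk is rated high, medium or low; the numeric bands are an assumption of this example.

```python
from dataclasses import dataclass

# Three-point scale from the notes: likelihood and impact are each high/medium/low.
# Mapping them to 1..3 and multiplying is this example's assumption, not the course's rule.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str                 # step 1: an item inside the scope of the analysis
    cia_property: str          # which of confidentiality / integrity / availability is at stake
    vulnerability: str         # step 3: a weakness that can be exploited
    threat: str                # step 3: what could exploit it
    threat_source: str         # who or what is behind the threat
    current_safeguards: tuple  # step 4: measures already in place
    likelihood: str            # step 5: high / medium / low
    impact: str                # step 6: high / medium / low


def risk_score(likelihood, impact):
    """Steps 5 and 6 combined into one number on a 1..9 scale."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(likelihood, impact):
    """Step 7: map the score onto the high/medium/low bands the notes use."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def analyze(register):
    """Steps 1-7 over a whole register; returns the rated items, worst first."""
    rated = []
    for item in register:
        rated.append({
            "asset": item.asset,
            "property": item.cia_property,
            "threat": f"{item.threat} ({item.threat_source})",
            "vulnerability": item.vulnerability,
            "safeguards": list(item.current_safeguards),
            "score": risk_score(item.likelihood, item.impact),
            "risk": risk_level(item.likelihood, item.impact),
        })
    # sorted() is stable, so items with equal scores keep their register order
    return sorted(rated, key=lambda r: r["score"], reverse=True)


def treatment_plan(register, acceptable="low"):
    """Risk management step 1: every item above the acceptable level needs
    additional safeguards (step 2); the rest is accepted and only monitored (step 3)."""
    ceiling = LEVELS[acceptable]
    plan = {"treat": [], "accept": []}
    for r in analyze(register):
        bucket = "treat" if LEVELS[r["risk"]] > ceiling else "accept"
        plan[bucket].append(r["asset"])
    return plan


# Constructed sample register for a small clinic; names and ratings are invented.
SAMPLE_REGISTER = [
    RiskItem("patient records database", "confidentiality",
             "operating system not patched", "worm / malware infection",
             "external attacker", ("antivirus",), "high", "high"),
    RiskItem("billing system", "availability",
             "backups never test-restored", "accidental outage",
             "employee error / hardware failure", ("nightly backup",), "medium", "high"),
    RiskItem("staff mailboxes", "confidentiality",
             "no phishing awareness training", "spear phishing",
             "external attacker", ("spam filter",), "high", "medium"),
    RiskItem("reception workstation", "confidentiality",
             "screen visible from waiting area", "shoulder surfing",
             "visitors", ("privacy filter", "screen lock"), "medium", "medium"),
    RiskItem("archived paper files", "integrity",
             "single key holder", "accidental loss",
             "employee error", ("locked cabinet",), "low", "low"),
]


if __name__ == "__main__":
    for r in analyze(SAMPLE_REGISTER):
        print(f'{r["risk"]:6} {r["score"]}  {r["asset"]}: {r["threat"]} via {r["vulnerability"]}')
    print(treatment_plan(SAMPLE_REGISTER))
```

Running it lists the register worst first (the unpatched database scores 9, the untested backups and the phishing exposure 6 each, shoulder surfing 4, the paper archive 1) and puts every item above the acceptable level into the "treat" list; raising the acceptable level to "medium" leaves only the three high risks to treat, which is the "reasonable and appropriate level" decision the HIPAA Risk Management specification quoted earlier asks a covered entity to make.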


An online retail company tells its customers it has a privacy policy that keeps their data secure, but the customers find that the data is not secure. What legal duty does the company have?
Claim/issue: obviously the legal duty of information security
Law: Consumer Law, Cybersecurity Law, Tort Law, Contract Law, Corporate Governance Law - C SOX
Evaluation: law XX says there is a duty to do such-and-such
Outcomes: so company XX must do such-and-such

Privacy is the interest that individuals have in sustaining a ‘personal space’, free from interference by other people and organizations - “The Right to be Let Alone”



Week 3: (focuses more on personal privacy protection)
Data protection (information): the protection of data, which is broader than personal privacy.


Data Protection:

1. EU GDPR: dedicated legislation, an omnibus law
2. Sectoral law: Chinese legislation, sector-specific laws
3. Self-regulation: industry self-discipline
4. Technologies: protection by technical means, e.g. digital signatures.

EUDPD: very important!!! Now replaced by the GDPR

Sectoral protection
Specific laws: sector-specific laws, similar to China, where several laws protect jointly
Omnibus Data Protection: a comprehensive law; these provisions are combined into a single statute. Hong Kong and Europe.

Data Protection in the EU:
One important point: Article 8, Council of Europe Convention on Human Rights and Fundamental Freedoms: Right to respect for private life. Similar to a constitution, ranking above many other laws. It tells you that everyone's private life must be respected.

Some key terms of EU DP law need to be memorized

Defined in GDPR Article 4 (explicit definitions in Article 4 of the GDPR):
– Data Subject: refers to you, and to the data you generate
– Personal Data
– Processing: the process of handling information, including transmission and storage
– Sensitive Data: sensitive information, the information people care about
– Data Controller: the party that controls the data
– Data Processor: the party that processes the data, e.g. Weibo.
EU: very high standards of DP: within the EU, under DP jurisdiction, privacy is very well protected

GDPR Article 45
– “A transfer of personal data to a third country or an international organization may take place where the Commission has decided that [it] ensures an adequate level of protection.” When the EU transfers data to China, it must first determine whether the third party is qualified to protect my data.

“appropriate safeguards”: it must be confirmed that the third party has suitable protection mechanisms.
Enforceable data subject rights available
Effective legal remedies for data subjects available

What is ‘adequate’ protection?
Nature of the data: the type of data matters; sensitive data such as health data should be protected
Purpose and duration: the purpose of the data

2002: EU Electronic Communications Privacy Directive (write the full name).
Cookies: must opt in; the user must give consent. For example, after logging in to your mailbox it asks whether to remember the password; this requires the user's consent.
Traffic data: data retention. How long can it be stored?

Cookies: notice and opt in, as above.
Spam email: “soft opt-out”; the website must have a button to switch it off

When answering: don't cite a specific article; just say **according to the EU GDPR** and the e-Communications Privacy Directive, and those two laws are **enough**!!

Search engines: not previously examined

Week 4:

Protection of Minors Law: the law protecting minors, i.e. under 18. Article 4 respects “personal dignity”.
(Exam answer: China's Protection of Minors Law protects the minor's “personal dignity”; the person is under 18, so is protected)
If you have spare capacity: “No organisation or individual may disclose the personal secrets of minors”, i.e. no company may disclose your personal information.
Cybersecurity Law: **no need to memorize; when answering, write: the latest Cybersecurity Law was promulgated in 2017 and introduced many new principles concerning providers. The law regulates their conduct and requires them to pay more attention to user privacy. That is enough.**
Chinese Criminal Law
Constitution of China
The freedom and privacy of correspondence: only one point to remember, respect freedom of correspondence!!!
Anti-Spam Provisions: restrictions on spam. Advertising email may be sent to you only with your consent, otherwise not. Opt-in consent to receiving advertising email
(In the exam, just tack it onto the pile of other laws: write that China likewise restricts spam email, opt-in consent to receiving advertising email)

Regulations 2012: user consent is required when collecting information; collect only the information you need, not indiscriminately. The user's consent must not be obtained by misleading them.

Regulation 2013: the difference from 2012 is that it defines sensitive personal information, which requires informed consent.

Data breaches: if data is obtained by others, notice must be given within 15 days

Regulation 2014: the fine rose to 50,000.

Regulation 2015: more attention to consumers

Cybersecurity Law: if you transfer “personal information” outside of China, this law applies. Also to remember: real-name registration. Real identity

Civil Law: no need to memorize. Understand the citizen's right of reputation

Tort Law: Article 36 provides for third-party liability


Type 1: case question. Given a company's situation, how well is its privacy protection done? Or given a law, does it comply with privacy protection? **(Week 1 content; it is really testing risk assessment)**

(Week 1, ppt 2; the full version is in ppt 8; if you can't memorize ppt 8, memorize the concise ppt 2)







China: CSOX (abbreviation, specifics, 5 internal controls), tort, criminal, regulations, consumer, cyber security law

US: SOX, Gramm-Leach-Bliley, HIPAA

Europe: EU Data Protection Directive, GDPR

2. Specific standards: HIPAA & ISO 27002


4. Measures: preventative, detective, reactive; or physical, technical, people

5. Answer: process, ISO 27001 PDCA (PDD)

6. Not done: criminal penalty.

(Regarding the standards and laws above, each generally covers two kinds of content: 1. duty 2. how to do it, Implementation Specification)

Type 2: asks about HIPAA or ISO 27002, 27001, CSOX, or a comparison, or obliquely asks about a standard **(a concrete variant of Type 1, harder, needs memorizing)**

Memorize: HIPAA administrative, technical, physical

ISO 17799 10 domains



Type 3: case analysis; someone bought a book online, did something, etc. Tests China's various regulations, **or the EU DPD**? EU GDPR




China: 1. Minor: no revealing; minor protection + cybersecurity
2. E-mail: 1. opt-in ads 2. anti-spam measures for e-mail service
3. Collecting information: user consent (no misleading) Regulation 2012
Express consent (sensitive)
Delete: delete after use, Regulation 2013
Consumer Regulation 2015
4. Breach (hacker): report within 15, Regulation 2013
5. Transfer: Cybersecurity
6. Penalty: 10,000-30,000 Regulation 2013
50,000 Regulation 2014

Additional Chinese laws that can be cited: 1. constitutional law 2. civil law 3. criminal law 4. tort law 5. CSOX

1. EU: 1. Human rights require protecting private rights (GDPR + ePrivacy Directive)
In general: A25 adequate level, A26 contractual
Possible cases: 1. E-mail opt out 2. hacked and no notification; retention 4. search results forwarded to a third party, A26 consent
Situations beyond Chinese law: 5. Cookie notice & opt in

Type 4: essay analysis of the differences between the EU GDPR and Chinese law, and which is better?
1. The EU DPD is an omnibus law, very comprehensive
4. The EU's advantage is its high standard (Article 25) and comprehensiveness
Key points should include that sectoral approaches are able to be more
tailored to better suit an individual context, while omnibus laws can give clearer rights to
the consumer. Also, students should give consideration to the interface between
protecting privacy and stimulating the ecommerce economy. Should an easier approach,
as currently taken in China, be preferred in order to keep the burden on businesses to a
minimum, or do consumers need stronger, EU style regulation to encourage trust in
ecommerce (and therefore stimulate the market)?

Type 5: APEC / OECD comparison (variant: HK SAR Data Protection)
Vlad and Lucy’s situation should be addressed by application of the Hong Kong Ordinance.
Key issues here:
Personal data belonging to both Vlad and Lucy has been collected – rights they have
in relation to this.
o Was this collected in accordance with the processing and collection rules?
o How can they expect their information to be treated?
o Have these rights been breached?
Vlad has been receiving spam email
o Lack of opportunity to indicate preferences
o Are they in breach of the law?
Lucy’s Credit card hacked
o HK Ordinance requires adequate technological protection
o Is BankChan in breach of this?
o Hacking alone not proof of deficiency in this area.
