
Page 1

5.12.2003 Counsellor, Docent Tuomas Pöysti, MINISTRY OF FINANCE

The laws of information security

by Dr. Tuomas Pöysti, counsellor of the Ministry of Finance

(chief adviser on public economic and public law, regulatory policy, management and governance issues),

deputy member of the Government board of public sector information management, docent of administrative law (University of Helsinki)

Information security has been a concern of law for a long time. Initially information security was tacit knowledge embedded in the rationale of many rules of law. In the age of computing, information security became explicit technical knowledge. In the information age and the network society, information security has become a legal principle and a constitutional meta-right that is part of the requirements of good governance.

The regulatory change is connected to informatisation and convergence, both of which are part of the emergence of the network society. The law of the network society regulates information security generally and in its particular fields. Current information security regulation calls for new multidisciplinary co-operation and a new role for lawyers.

These lectures aim to systematise current information security legislation in European and Finnish law and to build an understanding of the interaction between technology, security theory and law.

Page 2

The unfortunate company

The company strategy was based on increasing the market value of its shares and then an eventual merger. The IT boom accelerated the rise in value.

Eventually disputes arose among the company management and particularly among the Board members.

Helsingin Sanomat (a major Finnish newspaper) made critical reports on the disputes and the bad atmosphere. The company started to investigate ''leaks''.

Sonera's security chief and his team, eventually at the request of or at least for the CEO, used information Sonera possessed as a telecom operator about the communications that board members and personnel had had with the press (traffic data).

Side story: networking of security personnel. The head of security of the Government got access to and used Sonera's telecom operator traffic data to analyse a case in which calls had been made by the Prime Minister's driver, and from a portable phone at the disposal of the Prime Minister in his car, to a person suspected of serious tax fraud.

Page 3

FICORA decision on the ’’Sonera telecom espionage’’

Request by FICORA (Finnish Communications Regulatory Authority, in Finnish Viestintävirasto) to Sonera. Response: first an internal investigation report; at a further request: system login reports, data protection and information security instructions and policies, and internal audit reports.

According to FICORA the general information security policy and awareness of it were sufficient. Recording of the processing of traffic data was, however, not sufficient, and the purpose of the processing in cases where information was drawn from the operator systems was not systematically written down. In some areas the internal information security policies were not uniform enough or comprehensive. The supervision of compliance with the security policies had to be strengthened.

According to FICORA there is reason to believe that operator traffic data has been processed in an unlawful manner, and FICORA forwards its report to the police investigating the case.

Page 4

The unfortunate company

The e-mail services of TeliaSonera were overloaded due to the messages and return (bounce) messages sent as a consequence of viruses.

Consequently, sending e-mail via TeliaSonera was slowed down substantially, even by several days or weeks.

The Finnish Communications Regulatory Authority (FICORA) asked the service provider to bring the e-mail service up to the good technical level required by the Communications Market Act. Additionally FICORA found that the operator had not informed its clients sufficiently.

Page 5

The unfortunate society

A virus attack causing a dysfunction of the electricity network may cause a blackout, or at least slow down recovery from a failure. There is evidence that this was partially the reason for the slow recovery from the recent blackout in the U.S.

=> warning letter of the Ministry of Transport and Communications and the National Emergency Supply Agency

Page 6

Information security

Information security is a state of affairs in which there is no significant risk to:
• Availability
• Integrity and authentication
• Confidentiality

Auditability is an additional information security feature.

Information security also refers to the entirety of measures aiming at guaranteeing availability, integrity, authentication and confidentiality in all circumstances (information security work).

Page 7

Availability

• Accessibility and availability of information, ICT systems and services
• Ability to utilise information, services and systems at the correct time: usability, availability of updates, meta-data and meta-information (name servers, structured documents)
• In a legal sense: making access rights effective in the infrastructure and in practice

Page 8

Integrity and authentication

• Data unaltered and correct (structurally, logically), non-compromised
• Completeness of data
• Recognition and confirmation of the asserted identity, user or source
• Non-repudiation of the message and its content

Page 9

Confidentiality

• Protection of data and messages against interception and access by unauthorised persons, and protection of information from accidental or intentional but unauthorised loss
• Protection of data and systems against unlawful use or use for an unlawful purpose
• Safeguarding the secrecy and confidentiality rights and other exclusive rights to information and information processing

Page 10

Information security is often about risks

Different definitions of risk:
1. risk is the probability of an adverse event (a loss or other)
2. risk is the monetary value of an adverse event, or the expected monetary value of an adverse event: monetary value × probability
3. risk is the probability of the realisation of a threat

Page 11

Dimensions of information security

Distinguishing the different dimensions helps the planning and management of information security measures:
1. Administrative and organisational security
2. Personnel security
3. Physical security
4. Communications security
5. Hardware security / facilities security
6. Software security
7. Data security
8. Operations security

Page 12

Data security – information security – security of knowledge

[Figure: the pyramid of data, information and knowledge. Layers from bottom to top: Data, Information, Knowledge, Intuition and wisdom (tacit knowledge). Labels beside the pyramid: documented knowledge is the object of technical security and the legal principles concerning it; tacit knowledge is the object of knowledge management, personnel security, IPR and business secrets.]

Page 13

Historical evolution and driving forces of information security regulation

First stage: information security is tacit knowledge embedded in the rationale of some rules and principles of law: form requirements in private law, individual information security rules and administrative regulations (noticeboards, archives, the notarius publicus system).

Computing gradually brings information security forward as explicit, documented knowledge distinct from document management and archiving. Information security, however, does not yet have a status in recognised legal knowledge.

Personal data laws have been the source of the development of legal information security rules and principles.

Confidentiality rules in public administration defined the development of information security rules.

Page 14

Historical evolution and driving forces of information security legislation

First generation data protection laws: the concepts of data protection and information security not clearly distinguished. Register-based rules on access to personal data, no very well defined information security rules.

Second generation data protection laws (in Finland the Personal Registry Act of 1987): fairly wide concept of the personal register and the requirements of good register practice. Particular information security obligations, and information security a clear embedded objective of data protection laws. Information security is not yet an explicit obligation.

Third generation personal data legislation: logical concept of the personal register, in which law regulates all computerised use of personal data. General information security obligation and particular information security provisions. Good information management practice as a leading concern.

Fourth generation: information security as a legal institution of its own, regulated in information security and information management acts. Abuse model in the personal data legislation. General laws governing digital communications.

Page 15

Phenomena leading the development of information security law

• Informatisation (the Information Age) and the emergence of the network society. Networks and networking are essential modes of organisation and work in the public and private sector. Information, information processing capacity and knowledge are the strategic assets or key success factors of individuals, organisations and societies. Information and network dependence of individuals, organisations and societies as a whole.
• Commodification of information and the related juridification of information and information processing. Information is increasingly a product, a commodity, and a subject of value and trade.
• Convergence of technologies and media. Different media and platforms are able to provide similar or interoperable services. Convergence has technical, economic, cultural, legal and societal dimensions.

Page 16

Information security law today

• Necessity for the efficiency of information-bound fundamental and basic rights
• Legal principle and constitutional meta-right
• Part of the requirements of good governance
• General obligation prescribed in European and national law and in contracts; general object of legal protection
• Particular information security obligations and working tools for information security work in sectoral legislation
• Normative element in system and infrastructure design, operation and organisation management: proactive and preventive law, a challenge for lawyers

Page 17

The constitutional foundation of information security law

• Evolution of the rule of law: from the formal rule of law to the material rule of law
• The efficiency of rights is an essential component of rights in contemporary legal thinking: ECHR practice, EC law
• Positive obligation to promote the realisation of fundamental and basic rights
• The concept of good constitutional governance embodies the requirements of materiality of fundamental and basic rights and the efficiency of rights
• In today's context technical security is needed for the efficiency of rights. In other words, technical security is a necessary condition for legal certainty (legal security)

Page 18

Information security – legal certainty

[Figure: two linked boxes, "Technical security" and "Legal certainty". Technical security is a requirement for the efficiency of rights and thereby for legal certainty; legal certainty is in turn dependent on the technical infrastructure.]

Information security: the encounter between technical requirements and the legal interests related to information and information processing
• technical and legal security encounter each other
• risk management is a common backbone for both
• a genuine encounter requires that neither the technical nor the legal aspect suppresses the other perspective. This requires new multidisciplinary co-operation and discussion

Page 19

Systematics of information security law

• General information security legislation and soft law
• General public information security law: e-Government acts
• Particular information security provisions covering some aspects of:
  1. Administrative and organisational security provisions
  2. Personnel security provisions
  3. Physical security provisions
  4. Communications security provisions
  5. Hardware security / facilities security provisions
  6. Software security provisions
  7. Data security provisions
  8. Operations security provisions
  Law in this dimension either establishes obligations for security work, provides governance tools, or sets limits and boundaries for information security work
• Information security contracts

Page 20

General information security legislation

• EC personal data directive 95/46/EC and the implementing national personal data laws: article 17, the general information security obligation; particular information security rules; information security as a principle of the information infrastructure
• EC directive on privacy and electronic communications (2002/58/EC): information security requirements for electronic communications
• Penal law provisions on information crime: Council of Europe Cybercrime Convention

Page 21

Principles of general information security legislation

• The general doctrines of information security in law, which are part of the general doctrines of information law
• Establishment of information security as a meta-right and legal principle
• General information security obligation: technical, organisational and other measures (art. 17 of the personal data directive, art. 4 of the privacy and electronic communications directive)
• Requirement for effective risk management: risk analyses, establishment of management responsibilities and measures for the prevention and limitation of risks
• Principle of proportionality and reasonableness of risk measures
• Principle of due care (precaution). Stance to technology as an enabler, and duty to follow technical development

Page 22

General Public Information Security Legislation

Trend towards more general e-Government acts or government information management acts.

Examples: the U.S. E-Government Act of 2002, the Finnish Act on the Openness of Government.

Page 23

Good information management practice

Openness of Government Act, section 18: obligation to safeguard the
• accessibility
• availability
• protection
• integrity
• other factors having an influence on the quality of information
of the information in documents and information systems.

Page 24

Good information management obligations in section 18

• Obligations cover the whole life cycle of information, from creation to destruction
• Emphasis on planning procedures
• Planning optimism as a model of rationality

Page 25

Objective of section 18

• Efficient and easy use of the principle of openness
• Information security
• Quality of information
• Efficiency: efficiency of administration, economic efficiency and the functioning of the markets

Page 26

Key contents of section 18

• Obligation to create and maintain good information management practice
• Creation of catalogues and reports serving the implementation of openness
• Mapping and preserving the rights related to information
• Planning obligations
• Principle of information security
• Principle of the quality of information

Page 27

Good information management practice in the systematics of the Act on the Openness of Government

• Right to information: public information; exception: exhaustive (?) list of secrecy grounds; access to the file of a party
• Obligations safeguarding openness: duty to promote access to information; good information management practice
• Principles concerning interpretation: openness-friendly interpretation

Page 28

Section 18 and the paradigm of the law of the network society

• Regulation focuses also on the information infrastructure and information logistics
• Good practice as a regulatory model: codes of conduct
• Efficiency as a concern for positive law; scarcity of law and rights

Page 29

Problems related to the Act on the Openness of Government

• Law-making risk? Attempt at an all-at-once solution
• Recognition of imperfect governance?
• Exhaustive and wide list of rules and exceptions
• Lack of recognition of codes of conduct
• Planning optimism
• Formulation and appearance

Page 30

Administrative and organisational security

Administrative and organisational security is the backbone of information security work.

Administrative security is often the reason for serious information security problems (together with malicious software and junk mail).

The EC personal data directive and the EC privacy and electronic communications directive require particular attention to organisational security, e.g. internal ''Chinese walls'' concerning the use of traffic data in a communications enterprise.

Sectoral regulation may in some areas establish additional requirements, for example financial market law, in which a high level of information security is an embedded requirement.

Information security provisions in contracts often require organisational information security measures.
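The FICORA findings on page 3 (recording of the processing of traffic data not sufficient, purpose of the processing not written down, supervision of compliance to be strengthened) and the internal ''Chinese walls'' above describe a control that can be built into the system that serves traffic data rather than left to policy documents. The following Python model is an added example for these lectures, not part of the original slides or of any operator's system; the role names, the purpose lists and the three traffic-data rows are constructed for illustration. It gates each lookup on a permitted role and a written purpose, writes every attempt to an append-only audit log, and runs the supervision step a regulator would ask for over that log, once against a legacy store where the gate is switched off and once against the hardened one.

```python
"""Purpose-bound access to operator traffic data with an audit trail.

Added illustration (assumed names, constructed data): a 'Chinese wall'
between roles that may touch traffic data, a written purpose required for
every lookup, and a supervision step that flags the two gaps FICORA found
at Sonera: lookups with no purpose written down and lookups from outside
the permitted roles.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample traffic data (who called whom, when).
TRAFFIC_DATA = [
    {"subscriber": "A", "called": "press-desk", "at": "2003-06-01T09:00Z"},
    {"subscriber": "B", "called": "press-desk", "at": "2003-06-02T10:30Z"},
    {"subscriber": "C", "called": "internal",   "at": "2003-06-02T11:00Z"},
]

# Roles allowed to process traffic data, and the lawful purposes open to each.
# Corporate security is deliberately absent: that absence is the Chinese wall.
PERMITTED = {
    "billing": {"invoicing", "billing-dispute"},
    "network-ops": {"fault-clearance", "capacity-planning"},
    "lawful-intercept": {"court-order"},
}


class AccessDenied(Exception):
    pass


@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    purpose: str      # "" records the 'purpose not written down' case
    query: str
    rows: int
    allowed: bool


@dataclass
class TrafficDataStore:
    # enforce=False models the legacy state: anyone with a system login may
    # query, and the purpose field is optional. enforce=True is the fix.
    enforce: bool = True
    rows: list = field(default_factory=lambda: list(TRAFFIC_DATA))
    audit: list = field(default_factory=list)   # append-only, never pruned

    def lookup(self, user, role, purpose, subscriber):
        """Return `subscriber`'s traffic rows if the role/purpose gate passes.
        Every attempt, allowed or not, is written to the audit log first."""
        if self.enforce:
            allowed = role in PERMITTED and purpose in PERMITTED[role]
        else:
            allowed = True
        result = [r for r in self.rows if r["subscriber"] == subscriber] if allowed else []
        self.audit.append(AuditEntry(
            ts=datetime.now(timezone.utc).isoformat(), user=user, role=role,
            purpose=purpose, query=f"subscriber={subscriber}",
            rows=len(result), allowed=allowed))
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not process traffic data "
                               f"for purpose '{purpose or 'none given'}'")
        return result


def review_audit(entries):
    """Supervision step over the audit log. Returns (kind, user, query) for
    every entry a compliance review should question."""
    findings = []
    for e in entries:
        if not e.allowed:
            findings.append(("denied", e.user, e.query))
        elif not e.purpose:
            findings.append(("no-purpose", e.user, e.query))
        elif e.role not in PERMITTED or e.purpose not in PERMITTED[e.role]:
            findings.append(("outside-permitted", e.user, e.query))
    return findings


def run_scenario(enforce):
    """Replay the same three lookups against a legacy (enforce=False) or a
    hardened (enforce=True) store and return the review findings."""
    store = TrafficDataStore(enforce=enforce)
    attempts = [
        ("billing-clerk", "billing", "invoicing", "A"),          # legitimate
        ("sec-chief", "corporate-security", "leak-hunt", "B"),   # the Sonera pattern
        ("ops-admin", "network-ops", "", "C"),                   # purpose not recorded
    ]
    for user, role, purpose, subscriber in attempts:
        try:
            store.lookup(user, role, purpose, subscriber)
        except AccessDenied:
            pass
    return review_audit(store.audit)


if __name__ == "__main__":
    for finding in run_scenario(enforce=False):
        print("legacy  ", finding)
    for finding in run_scenario(enforce=True):
        print("hardened", finding)
```

With the gate off the review reports the two findings FICORA made in the Sonera case: a lookup from a role outside the permitted set and a lookup with no purpose recorded. With the gate on, both attempts are refused, and because the log entry is written before the decision is enforced, the refusals themselves remain visible to the supervisor, which is what the requirement to record the processing of traffic data needs.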

Page 31

Dimensions of administrative and organisational information security

1. Security environment
   1. Ethical and moral principles and their implementation in practice
   2. Organisational policies
   3. Definition of responsibilities
   4. Organisational structure favouring security
   5. Sufficient financial resources and reliability
   6. Sufficient skills and expertise, continuous learning and education
   7. Awareness of legal and security requirements among management and personnel
2. Objectives and risks, risk management
3. Supervision and controls, security audits
4. Follow-up, reporting and learning

Page 32

Personnel security

The main sources of law concerning personnel security are the obligations set for the employee in labour legislation and the prohibition of unauthorised use of business secrets.

In Finnish law: the Act on Work Contracts.

The main contractual instruments for personnel security are non-disclosure agreements and non-recruitment clauses. Labour legislation may limit the possibilities to agree on the duration of non-disclosure and non-use clauses.

Act on Security Clearances: a security clearance procedure for the protection of state security.

Page 33

Physical security

Physical security is legally protected by the penal law provisions concerning trespassing, the inviolability of public and private premises, and damage to property.

Certain penal law provisions recognise information security as an additional objective of legal protection. Example:

General and particular information security provisions often require physical security measures. Example: electronic accounting documents, Ministry of Trade and Commerce Decision (47/1998), section 6, paragraph 2: double copies, the second copy to be kept in a secure location and separate from the other copy.

Organisations' own norms often require particular physical security measures.

Page 34

Communications security

• Communications security is the fastest developing area of regulation
• Privacy and electronic communications directive and the implementing e-communications privacy and information security laws
• Universal service rules and communications markets: a user's right of access to (technically) high quality communication services implies also a right to information security; example: the FICORA decisions. Information security is a part of a wider right to quality
• Electronic signatures directive and the law on electronic signatures
• The UNCITRAL model law on electronic signatures covers certain areas which have not been regulated in the EC electronic signatures directive
• The new Act on the Use of Freedom of Speech in Mass Communications

Page 35

Particular security requirements for electronic signature certification service providers

• Art. 6: particular liability rules for issuers of qualified certificates
• Annex II of the directive:
  – organisational and economic security and reliability
  – personnel security, adequate personnel and expertise
  – adequate hardware and software systems and security
  – adequate data recording and prompt revocation lists
  – prohibition of storing private keys as part of key management

Page 36

Hardware security / facilities security

In the communications sector there are some particular hardware requirements.

Hardware connected to a public communications network may not cause harm to the network or to others. Only standard-conforming equipment may be used.

Risk division: each party bears the risks related to the hardware in its possession. This risk provision is standardly repeated in the information security provisions of contracts.

Page 37

Software security

General rules follow from the personal data directive and the privacy and electronic communications directive.

Act on the Electronic Communications with the Public Authorities.

Particular problem: liability for defective software, and creating proper incentives for good software in law.

Page 38

Data security

• Technical measures for the protection of copyright: article 6 of the Infosoc directive (directive 2001/29/EC); in the U.S. the DMCA
• Directive on conditional access services
• Several sectoral rules on data security
• Contractual provisions often require secure storage and even deletion of stored data; for the implementation of these provisions a follow-up report should be required

Page 39

Operations security

The electronic commerce directive establishes rules on operations security in e-commerce.

In sensitive domains operations security requires constant surveillance and instruction / training.

In security sensitive services, contractual provisions on operations security and risk division may be required.

Page 40

Information security provisions in contracts

The contract is the principal governance tool of business co-operation. The contract is among the legal devices for building reasoned trust, and a tool in risk prevention and risk management.

Due to the importance of information security risks and the strategic value of information, information security provisions are often needed in contracts.

A good information security provision is not the transfer of all responsibility to the other party. Legislation may limit such a contract.

The more sensitive the information risk, the more detailed and clear the contract needs to be.