Implementation of personal data protection
Personal data protection exists to prevent the leakage of citizens' data and its distribution to third parties, which can cause significant harm to the data subjects. How is such protection properly implemented in accordance with the requirements of current legislation?
Basic principles of personal data protection
The personal data of citizens are under threat: they are of interest to many, from individual criminals to large hacker groups. For example, according to a report by Positive Technologies, the number of hacker attacks in the first quarter of 2018 increased by 36% compared to the same period of the previous year, and the number of attacks aimed at obtaining personal data grew by almost the same proportion. The stolen information is then either resold or used to plan crimes against its owners. The growing danger calls for stronger protection measures.
Personal data should be processed only with certified software. This is one of the basic tenets that each legal entity should take into account when designing its security measures. Currently, most legal entities that are not included in the register of personal data operators process this information in accounting or production programs (various versions of 1C), or at best in HR programs. These programs do not provide a sufficient level of protection against leakage during processing.
Interestingly, even companies and institutions (educational, medical) that are regularly inspected by Roskomnadzor are confident that general-purpose application software will earn them a positive assessment from the regulator and confirm their compliance with the personal data protection rules.
When preparing for an inspection, a legal entity has to choose one of two ways of implementing its protection system:
- installing certified software;
- hardening and configuring the programs already in use.
Both approaches have their pros and cons. Whichever is chosen, the system should:
- comply with the regulator's requirements for personal data protection;
- support the processing of personal data;
- prevent their leakage;
- be usable even by inexperienced computer users.
The choice will ultimately depend on how motivated the company's management is to build a system that rules out personal data leakage.
The process of creating a personal data protection system
Companies whose activities involve the processing of personal data should organize the work in the following sequence:
- audit the company's information security systems to establish how far they comply with the requirements of personal data protection legislation;
- develop internal regulations governing work with legally protected data. The existence of such documentation is one of Roskomnadzor's requirements;
- identify the most likely threats, external and internal, and their sources that endanger the integrity of information processed in the personal data information system;
- determine the necessary and sufficient level of protection. The legislation defines several levels of protection for personal data systems, and each operator determines which one applies to its system;
- draw up technical specifications for the internal services or external consultants who will build the personal data security system;
- purchase the selected software, either purpose-built or adapted to protect personal data;
- install and deploy this software;
- certify the working system.
The last stage is optional for most companies that process the personal data of individuals. Nevertheless, obtaining a certificate helps pass inspections and increases the company's investment attractiveness: it demonstrates a responsible attitude to compliance with the legislation of the Russian Federation.
Accounting or HR software
Many companies choose to adapt the accounting or HR software already installed, even though it is not certified by FSTEC, rather than bear the financial and labor costs of acquiring and implementing a specialized program. Such software can serve as a means of protecting information, but it does not remove the risk of an insider copying and distributing personal data without authorization. A typical personal data processing setup looks like this:
- data is stored on the HR department's computers, which are connected to the server through a router;
- software such as "1C: Salary and Personnel Management" or "KonturPersonal" is installed at the workstations;
- the company has prepared documentation on personal data protection;
- employees are familiar with it and with the requirements of the federal laws on personal data protection;
- organizational measures have been taken to prevent unauthorized access to the databases;
- there are no specialized software solutions that rule out unauthorized access to the databases.
This configuration calls for a threat model covering the threats that can actually be realized against it. Chief among them are:
- threats of unauthorized user access. With passwords, differentiated access levels and personal accountability in place, such threats are unlikely;
- threats stemming from low software quality. These are theoretically possible with off-the-shelf ("boxed") versions of the programs, and even more so when the company's own programmers modify them;
- threats of external penetration into the system. For personal data protection systems built on accounting or HR software, this category of threats is the easiest to realize.
When bringing such a system up to the 4th level of protection, experts recommend relying on FSTEC Order No. 21 of February 18, 2013 and implementing:
- identification and authentication of users who have access to the personal data protection system;
- management of identifiers;
- user account management;
- differentiation of access rights;
- control of information flows;
- logging of security events;
- anti-virus protection.
Implementing this set of personal data protection measures makes it possible to pass Roskomnadzor inspections, provided that the firewall and anti-virus products hold certificates of conformity of class 5 or higher. Note that even an FSTEC certificate for the accounting or HR program itself does not remove the need for additional measures to protect personal data.
Benefits of certified software
Companies included in the register of operators are better off choosing software certified by FSTEC. Such software holds a certificate of conformity from FSTEC or the FSB and is designed to perform personal data protection tasks in full. For the 1st level of protection, the software products must have certificates of conformity of at least class 4; for the 3rd level, certification of the software products is not required. Nevertheless, when purchasing a certified program, keep the following nuances in mind:
- certificates are issued not for every copy of the program, but for a limited number of copies;
- a certificate applies only to a specific version; once the program is updated, the certificate no longer covers it;
- updates must also be certified, which adds to their cost;
- a certificate is valid for no more than three years.
This creates a conflict whenever the base program must be updated immediately, for example when new reporting forms are introduced, while certification of the new version takes time and requires additional funds.
Judicial practice on the protection of personal data
Many wonder whether cases involving the leakage of citizens' personal data have reached the courts, and whether a company faces anything beyond sanctions from the regulator. District court practice includes many cases in which money was stolen from citizens' bank cards after their personal data had first been stolen. Frequent cases of employees passing a company's client base to competitors are also classified as offenses involving the theft of personal data.
For example, in Cheboksary an employee of a company was convicted under Article 183 of the Criminal Code of the Russian Federation (disclosure of banking or commercial secrets) for copying clients' personal data to an external storage medium. There is also case law in which clients accuse banks of improperly storing their personal data, as a result of which money was stolen from their accounts. One such case was heard in Taganrog, where the plaintiff relied on consumer protection legislation, arguing that the service was of inadequate quality because special security rules had not been observed. Forged consent to the processing of personal data also appears in judicial practice. Disclosure of personal data is frequently the basis for disciplinary liability under labor law as well.
Cases of personal data theft or inadequate protection have not yet been singled out as a separate category, but the growing activity of those interested in such data is likely to lead to that. This will in turn increase operators' liability for inadequate personal data protection and draw more attention to software quality, its certification and timely updating.