The new bill on the protection of large user data (BPDN)

Previously, only large-scale organizations could afford a serious infrastructure for storing and analyzing Big Data. Today, big data is becoming more and more diverse in various fields. At the same time, the development of Big Data not only opens up opportunities, but also carries with it many difficulties. Modern organizations are increasingly using machine learning and cognitive technologies, which often allow for more efficient use of big data. Also, in this area there are also their own, inherent in relatively new technologies, the threat to information security.

Around 2013, the Cloud Security Alliance (CSA) organization conducted an analysis of the major security problems of Big Data technology. CSA is a non-profit organization created to promote the use of best practices in ensuring the security of "cloud computing", as well as raising awareness on this topic of all stakeholders. Based on the analysis, they identified 10 main ones:
')

1. Secure computing in distributed programming structures
2. Security recommendations for non-relational data warehouses
3. Secure data storage and transaction logs
4. Check / filter endpoint input
5. Real-time security monitoring
6. Scalable and Comprehensive Data Mining and Analytics
7. Cryptographically enhanced data security
8. Granular Access Control
9. Granular audit
10. Data prediction

Later added 3 more new questions:

1. Simulation: formalizing a threat model that covers most cyber-attack or data breach scenarios
2. Analysis: search for acceptable solutions based on the threat model
3. Implementation: implementation of the solution into existing infrastructures

If anyone is interested, the full version of the report can be obtained by reference .

In 2016, CSA publishes under the heading Big Data Security and Privacy Guide: 100 Best Practices (Big Data Security and Privacy Handbook). The material is available in the workgroup catalog for large data by reference .

It states that information security vulnerabilities are determined by the diversity of big data sources and formats, the streaming nature of data collection, and the need to transfer data between distributed cloud infrastructures. In addition, large amounts of such data contribute to an increase in the attack surface.

Two years have passed and on October 17, 2018, the news appeared on the official website of MegaFon that the “Association of Big Data Market Participants” was created in Russia. MegaFon, Mail.Ru Group, oneFactor, Tinkoff Bank, Yandex and Sberbank establish the Big Data Market Participants Association. Anna Serebryanikova, MegaFon's Operations Director, was elected President of the organization.

Quote from the press release of the company Megaphone:

“The members of the Association will be engaged in creating unified principles and standards for processing, storing, transferring and using big data. Joint development will form the basis of the big data treatment policy of each company participating in the Association. The priority tasks of the organization are to develop a business-oriented strategy for the development of the big data market, increase the technical and operational efficiency of interaction between industry participants, and form a code of ethics to protect the interests of users. ”

The plot of the famous video “Seven Red Lines” surfaced in my head:

“Our company has developed a new strategic initiative to expand market penetration, maximize brand loyalty and increase intangible assets. To achieve these goals ... we started a new project. "

At about the same time, 10/23/2018, a draft of the new Federal Law appears on the website of the Legislative Security System. Under this link you can familiarize yourself with the entire package of documents submitted for this project.

We will go briefly on the accompanying documents and the Federal Law itself. To begin with, I will quote an explanatory note to it:

“Every day, as a result of using various social networks, services, devices, and other information technologies, users leave a vast array of impersonal information about themselves on the Internet, which is commonly called“ large user data ”. This information as a result of automated processing allows you to determine individual user characteristics that are later used by large user data operators for their own purposes or are transferred by them to other interested parties for free or for a fee. However, such data is not personal data.

The legal vacuum in the regulation of large user data in the Russian Federation deprives individuals (users) of adequate legal protection and support. ”

From the same place:

“By the Decree of the President of the Russian Federation of May 7, 2018 No. 204“ On the national goals and strategic objectives of the development of the Russian Federation for the period up to 2024 ”, the Government of the Russian Federation, together with the state authorities of the constituent entities of the Russian Federation, is instructed to ensure the creation and secure information and telecommunications infrastructure for high-speed transmission, processing and storage of large amounts of data, accessible to all organizations and households; creation of a global competitive infrastructure for the transfer, processing and storage of data mainly based on domestic developments; information security based on domestic developments in the transmission, processing and storage of data, guaranteeing the protection of the interests of the individual, business and the state. "

In the bill itself, it is proposed in the Federal Law of July 27, 2006 No. 149- “On Information, Information Technologies and on Information Protection” to define the concepts:

• "Large user data",
• "Operator of large user data",
• "Processing large user data".

It is also proposed to establish the features of state regulation of processing large user data (the order of collection, transfer and other processing of large user data). And also, the duties of the operator of large user data.

A group of State Duma deputies headed by Mikhail Romanov suggested that by large user data a set of information about individuals and their behavior, which does not contain personal data, but allows one to identify a specific person without using additional information and processing. It is clarified that we are talking about information collected from various sources, including the Internet, the number of which exceeds a thousand network addresses.

It is supposed to establish a rule according to which users will be obliged to inform about such processing by placing a large user data on the operator’s website of the corresponding information message, and if it is not available, in another available way. The law may introduce a provision prohibiting the processing of large user data aimed at identifying a specific individual. However, it is planned that it will not be applied to the processing of such data at the request of federal executive bodies carrying out operational investigative activities.

Requirements for the information message and its form, as well as the maintenance of the register of operators of big data “by tradition” were hung on Roskomnadzor. Immediately, an obvious analogy can be traced: "operator", "user data", "notify" ...

The protection of personal data is not enough for us, now we are starting to protect according to the law Large User Data (BPD). It is possible that a suddenly forgotten project GOST “Information Security when Using Cloud Technologies” will soon be pulled out from under the cloth . General provisions. "

Our research will help to study the issue of processing personal data to Russia in accordance with the regulatory legal acts:

• White Paper on the Federal Law number 152. Over 4500 book downloads.