« 米国:以前の勤務先のシステムをハッキングした元管理者に対し拘禁刑2年の判決 | トップページ | Tort Law Textbook 2nd edition »

2009年7月28日 (火曜日)

個人データの暗号化を要求する立法例

個人情報の保護は,法的な保護だけではもちろん足りないので技術的な保護も必要となる。しかし,例えば,データの暗号化にはそれなりの技術と費用と管理とを要することから,技術が存在するというだけではうまくいかないことがある。そこで,個人情報(個人データ)の暗号化を要求する立法例が存在するかを検索してみたら,米国内の州法として存在していた。今後,全米に広がる可能性があるから,いずれは世界的な趨勢となるかもしれないと予測している。

[ネバダ州の立法例]

NRS 597.970  Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1.  A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2.  As used in this section:

  (a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

  (b) “Personal information” has the meaning ascribed to it in NRS 603A.040.

[マサチューセッツ州の立法例]

CMR 17.04:  Computer System Security Requirements

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

(1) Secure user authentication protocols including:

    (i) control of user IDs and other identifiers;

    (ii) a secure method of assigning and selecting passwords consisting of at least seven letters and numbers;

    (iii) control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access;

    (iv) restricting access to active users and active user accounts only; and

    (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2)  Secure access control measures that:

    (i)  restrict access to records and files containing personal information to those who need such information to perform their job duties; and

    (ii) assign a unique identification plus a password, which is not vendor supplied, to each person with computer access;

(3)  Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks. 

(4)  Periodic monitoring of networks and systems, for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times and success or failure of login;

(5)  Periodic review of audit trails restricted to those with job-related need to view audit trails;

(6)  For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches.  A firewall must, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.

(7) The most current version of system security agent software which must include antispyware and antivirus software, including up-to-date  patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.

(8)  Education and training of employees on the proper use of the computer security system and the importance of personal information security.

(9)  Restricted physical access to computerized records containing personal information, including a written procedure that sets forth the manner in which physical access to personal information is restricted. When notified of any unauthorized entry into a secure area by either an employee or any other unauthorized person, the integrity of the computerized records must be reviewed.

ちなみに,「暗号化された個人情報は個人情報ではない」との珍説がまことしやかに流布されたことがあるが,上記の立法例を読んでみれば,そのような説がいかに荒唐無稽であり,法理論としては全く顧慮に値しないものであるのかを即座に理解することができる。

|

« 米国:以前の勤務先のシステムをハッキングした元管理者に対し拘禁刑2年の判決 | トップページ | Tort Law Textbook 2nd edition »

コメント

コメントを書く



(ウェブ上には掲載しません)


コメントは記事投稿者が公開するまで表示されません。



« 米国:以前の勤務先のシステムをハッキングした元管理者に対し拘禁刑2年の判決 | トップページ | Tort Law Textbook 2nd edition »