
Tech in Translation | New York: Can the SHIELD Act Be the Salvation of Data Breaches?

NEW YORK DEPLOYS ITS SHIELD ACT; IS THE TECH WORLD READY FOR TOUGHER REGULATION?

数据观 (translated)

What is the Stop Hacks and Improve Electronic Data Security (SHIELD) Act? How does it affect the residents of New York? What does it mean for the future of companies? Read on.


The past few years have seen data breaches affecting millions of people in ways ranging from harmless to disastrous. High-profile breaches at companies over the past three years alone have resulted in millions of users and individuals being placed at risk, and billions of dollars’ worth of data being seized. While the US government has taken some steps towards constructing stronger security frameworks on a national level, individual users must rely on state governments to protect their interests. In this regard, the response has been mixed, but there are positive signs on the horizon.


Most recently, the State of New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which sets requirements for companies to protect the data of New York residents. The law is one of several that have been passed across the US at the state level with the aim of protecting individuals from companies which are increasingly exposed to threats and repeatedly found to be lacking in both protections and concern. With the damage wrought by breaches also on the rise, these new laws represent a significant change in the status quo for companies that have until now neglected their security and users’ privacy.


Shielding Users From Negligent Tech Security

The increasing digitization of most day-to-day services, from e-commerce to paying utilities and even buying groceries, means that users’ data is held or partially owned by a variety of companies. Despite this expanded digital footprint, and the easy access malicious actors have to users’ information, corporations have been woefully slow to implement security measures that defend against current threats.


Most people still hold the common view that hacks and breaches are perpetrated by lone-wolf hackers and malicious actors sitting alone at their computer typing in lines of code. However, hacking today is far removed from these dated perceptions. Today’s virtual attackers have grown more sophisticated, especially when it comes to state and enterprise-level targets. Rather than simply attempting to brute force their way in, today’s hacking groups prefer the advanced persistent threat (APT) model. Rather than a constant stream of threats, APT refers to long-term attacks on corporations, enterprise companies, and even state actors, undertaken by large collectives.


APT attacks start when groups infiltrate targets’ networks and slowly expand their presence. After securing themselves, undetected, within servers and networks, these groups gain full access and can safely extract any amount of data they want or need, as well as do serious harm to existing infrastructure. These attacks have already been wildly successful, and companies have suffered in more than one way as a result. Equifax, for instance, ended up paying nearly $650 million to resolve claims that resulted from its massive 2017 breach, in which 147 million consumers’ data was stolen.


Elsewhere, Quest Diagnostics was slapped with a class-action lawsuit following a breach that saw 12 million patients’ personal data leaked, while Capital One received a similar notice for a hack that saw 100 million users’ data compromised. Uber reached a settlement with all 50 states to pay a then-record $148 million after it failed to disclose a 2016 data breach.


What the SHIELD Act Means

New York’s SHIELD Act seeks to crystallize protections for individuals and set standards for companies that have access to users’ private information. The law clarifies what counts as a data breach (even including “access to data”, which lowers the threshold to simply viewing data without authorization instead of obtaining copies of it) and expands the enforcement capabilities and consequences for companies that fail to comply. Some of that language clearly stems from recent high-profile cases such as the Cambridge Analytica fiasco, where Facebook let the analytics firm access user data without their consent.


More importantly, the SHIELD Act raises the bar for security requirements, including the ways to test and assess risk vulnerability, the designation of people in charge of network security, and the development of better technical frameworks for security. For companies that already have security systems in place, this means creating better testing standards and tools to evaluate their protection. For those without strong security, it means having to invest in better infrastructure.


This will undoubtedly be a positive catalyst for the cybersecurity sector, which is already forecast to experience significant growth over the coming years. More specifically, the market for automated breach and attack simulation testing is set to reach over $720 million by 2024. This sector includes testing for APT alongside more immediate threats such as DDoS and malware attacks.


Stronger Standards, Safer Experiences

New York’s legislation raises the bar on data protection laws with sweeping language that clarifies a previously murky topic. Although most states already have data privacy laws on the books, many of them remain concerningly vague, or simply toothless when it comes to enforcement and actual consequences.


The SHIELD Act brings a much needed and welcome clarity to the matter, expanding the definition of a breach and creating a stronger framework for enforcement. With the number of breaches seemingly on the rise and companies still none the wiser, the SHIELD Act could be a serious motivator for upgrading to stronger security standards and constructing better user protections.



Note: "Tech in Translation | New York: Can the SHIELD Act Be the Salvation of Data Breaches?" is sourced from DATACONOMY. This article is an original translation by 数据观; translator: 数据观/石煜倩. When reprinting, please credit the translator and the source.

Responsible editor: 张薇
