Source: DATACONOMY  Time: 2019-09-23 14:57:36  Author: Ralph Tkatchuk
NEW YORK DEPLOYS ITS SHIELD ACT; IS THE TECH WORLD READY FOR TOUGHER REGULATION?
数据观 (Data Observer) | Translation
What is the Stop Hacks and Improve Electronic Data Security (SHIELD) Act? How does it affect the residents of New York? What does it mean for the future of companies? Read on.
The past few years have seen data breaches affecting millions of people in ways ranging from harmless to disastrous. High-profile breaches at companies over the past three years alone have resulted in millions of users and individuals being placed at risk, and billions of dollars’ worth of data being seized. While the US government has taken some steps towards constructing stronger security frameworks on a national level, individual users must rely on state governments to protect their interests. In this regard, the response has been mixed, but there are positive signs on the horizon.
Most recently, the State of New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which sets requirements for companies to protect the data of New York residents. The law is one of several that have been passed across the US at the state level with the aim of protecting individuals from companies which are increasingly exposed to threats and repeatedly found to be lacking in both protections and concern. With the damage wrought by breaches also on the rise, these new laws represent a significant change in the status quo for companies that have until now neglected their security and users’ privacy.
Shielding Users From Negligent Tech Security
The increasing digitization of most day-to-day services—from e-commerce to paying utilities and even buying groceries—means that users’ data is held or partially owned by a variety of companies. Despite this expanded digital footprint, and the easy access malicious actors have to users’ information, corporations have been woefully slow to implement security measures that defend against current threats.
Most people still hold the common view that hacks and breaches are perpetrated by lone-wolf hackers and malicious actors sitting alone at their computers typing in lines of code. However, hacking today is far removed from these dated perceptions. Today’s attackers have grown considerably more sophisticated, especially when it comes to state and enterprise-level targets. Rather than simply attempting to brute-force their way in, today’s hacking groups prefer the advanced persistent threat (APT) model. Rather than a constant stream of isolated attacks, APT refers to long-term campaigns against corporations, enterprise companies, and even state actors, undertaken by large collectives.
APT attacks start when groups infiltrate targets’ networks and slowly expand their presence. After securing themselves, undetected, within servers and networks, these groups gain full access and can safely extract any amount of data they want or need, as well as do serious harm to existing infrastructure. These attacks have already been wildly successful, and companies have suffered in more than one way as a result. Equifax, for instance, ended up paying nearly $650 million to resolve claims that resulted from its massive 2017 breach in which 147 million consumers’ data was stolen.
Elsewhere, Quest Diagnostics was slapped with a class-action lawsuit following a breach that saw 12 million patients’ personal data leaked, while Capital One received a similar notice for a hack that saw 100 million users’ data compromised. Uber reached a settlement with all 50 states to pay a then-record $148 million after it failed to disclose a 2016 data breach.
What the SHIELD Act Means
New York’s SHIELD Act seeks to crystalize protections for individuals and set standards for companies that have access to users’ private information. The law clarifies what counts as a data breach (even including “access to data”, which reduces the threshold to simply viewing data without authorization instead of obtaining copies of it) and expands the enforcement capabilities and consequences for companies that fail to comply. Some of that language clearly stems from recent high-profile cases such as the Cambridge Analytica fiasco, where Facebook let the analytics firm access user data without their consent.
More importantly, the SHIELD Act raises the bar for security requirements, including the ways to test and assess risk vulnerability, the designation of people in charge of network security, and the development of better technical frameworks for security. For companies that already have security systems in place, this means creating better testing standards and tools to evaluate their protection. For those without strong security, it means having to invest in better infrastructure.
This will undoubtedly be a positive catalyst for the cybersecurity sector, which is already forecast to experience significant growth over the coming years. More specifically, the market for automated breach and attack simulation testing is set to reach over $720 million by 2024. This sector includes testing for APT alongside more immediate threats such as DDoS and malware attacks.
Stronger Standards, Safer Experiences
New York’s legislation raises the bar on data protection laws with sweeping language that clarifies a previously murky topic. Although most states already have data privacy laws on the books, many of them remain concerningly vague, or simply toothless when it comes to enforcement and actual consequences.
The SHIELD Act brings a much needed and welcome clarity to the matter, expanding the definition of a breach and creating a stronger framework for enforcement. With the number of breaches seemingly on the rise and companies still none the wiser, the SHIELD Act could be a serious motivator for upgrading to stronger security standards and constructing better user protections.
Note: “Tech in Translation | New York: Can the SHIELD Act Be the Salvation for Data Breaches?” is sourced from DATACONOMY (original article). This piece is an original translation by 数据观 (Data Observer); translator: 数据观 / 石煜倩 (Shi Yuqian). Reprints must credit the translator and the source.
責(zé)任編輯:張薇