国模叶桐尿喷337p人体,国产乱xxⅹxx国语对白,国产精品人妻无码久久久郑州,国产一区二区内射最近更新,国产一区二区三区不卡在线看


Translated Tech | New York: Can the SHIELD Act Be the Salvation for Data Breaches?

NEW YORK DEPLOYS ITS SHIELD ACT; IS THE TECH WORLD READY FOR TOUGHER REGULATION?

數據觀 | (Translation)

  What is the Stop Hacks and Improve Electronic Data Security (SHIELD) Act? How does it affect the residents of New York? What does it mean for the future of companies? Read on.


  The past few years have seen data breaches affecting millions of people in ways ranging from harmless to disastrous. High-profile breaches at companies over the past three years alone have resulted in millions of users and individuals being placed at risk, and billions of dollars’ worth of data being seized. While the US government has taken some steps towards constructing stronger security frameworks on a national level, individual users must rely on state governments to protect their interests. In this regard, the response has been mixed, but there are positive signs on the horizon.


  Most recently, the State of New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which sets requirements for companies to protect the data of New York residents. The law is one of several that have been passed across the US at the state level with the aim of protecting individuals from companies which are increasingly exposed to threats and repeatedly found to be lacking in both protections and concern. With the damage wrought by breaches also on the rise, these new laws represent a significant change in the status quo for companies that have until now neglected their security and users’ privacy.


  Shielding Users From Negligent Tech Security

  The increasing digitization of most day-to-day services—from e-commerce to paying utilities and even buying groceries—means that users’ data is held or partially owned by a variety of companies. Despite this expanded digital footprint, and the easy access malicious actors have to users’ information, corporations have been woefully slow to implement security measures that defend against current threats.


  Most people still hold the common view that hacks and breaches are perpetrated by lone-wolf hackers and malicious actors sitting alone at their computer typing in lines of code. However, hacking today is far removed from these dated perceptions. Today’s virtual attackers have increased their sophistication, especially when it comes to targeting state and enterprise-level targets. More than simply attempting to brute force their way in, today’s hacking groups prefer the advanced persistent threat (APT) model. More than a constant stream of threats, APT refers to long-term attacks on corporations, enterprise companies, and even state actors undertaken by large collectives.


  APT attacks start when groups infiltrate targets’ networks and slowly expand their presence. After securing themselves, undetected, within servers and networks, these groups gain full access and can safely extract any amount of data they want or need, as well as do serious harm to existing infrastructure. These attacks have already been wildly successful, and companies have suffered in more than one way as a result. Equifax, for instance, ended up paying nearly $650 million to resolve claims that resulted from its massive 2017 breach in which 147 million consumers’ data was stolen.


  Elsewhere, Quest Diagnostics was slapped with a class-action lawsuit following a breach that saw 12 million patients’ personal data leaked, while Capital One received a similar notice for a hack that saw 100 million users’ data compromised. Uber reached a settlement with all 50 states to pay a then-record $148 million after it failed to disclose a 2016 data breach.


  What the SHIELD Act Means

  New York’s SHIELD Act seeks to crystalize protections for individuals and set standards for companies that have access to users’ private information. The law clarifies what counts as a data breach (even including “access to data”, which reduces the threshold to simply viewing data without authorization instead of obtaining copies of it) and expands the enforcement capabilities and consequences for companies that fail to comply. Some of that language clearly stems from recent high-profile cases such as the Cambridge Analytica fiasco, where Facebook let the analytics firm access user data without their consent.


  More importantly, the SHIELD Act raises the bar for security requirements, including the ways to test and assess risk vulnerability, the designation of people in charge of network security, and the development of better technical frameworks for security. For companies that already have security systems in place, this means creating better testing standards and tools to evaluate their protection. For those without strong security, it means having to invest in better infrastructure.


  This will undoubtedly be a positive catalyst for the cybersecurity sector, which is already forecast to experience significant growth over the coming years. More specifically, the market for automated breach and attack simulation testing is set to reach over $720 million by 2024. This sector includes testing for APT alongside more immediate threats such as DDoS and malware attacks.


  Stronger Standards, Safer Experiences

  New York’s legislation raises the bar on data protection laws with sweeping language that clarifies a previously murky topic. Although most states already have data privacy laws on the books, many of them remain concerningly vague, or simply toothless when it comes to enforcement and actual consequences.


  The SHIELD Act brings a much needed and welcomed clarity to the matter, expanding the definition of a breach and creating a stronger framework for enforcement. With the number of breaches seemingly on the rise and companies still none the wiser, the SHIELD Act could be a serious motivator for upgrading to stronger security standards and constructing better user protections.



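  Note: “Translated Tech | New York: Can the SHIELD Act Be the Salvation for Data Breaches?” is sourced from DATACONOMY. This article is an original translation and compilation by 數據觀; translator: 數據觀/石煜倩. When republishing, be sure to credit the translator and the source.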

Responsible editor: 張薇
