Cyber security and the internet in Russia
New laws introduced
02 October 2017
This summer Russia passed three new cyber-security and Internet laws, referred to below as the CDI Law, the VPN Law and the IM Law.
The main purpose of the CDI Law is to ensure that Russia's critical data infrastructure is secure and stable in the face of cyber attacks. The CDI Law will come into force on 1 January 2018; the implementing regulations have yet to be adopted by the Russian executive authorities. However, when the regulatory framework is fully in place, it will have an impact upon the majority of market participants.
The CDI Law imposes certain obligations upon Russian entities and (or) individual entrepreneurs (CDI Operators) that own, lease or have other legal rights to critical data infrastructure facilities operating in one of the following areas: (i) healthcare, (ii) science, (iii) transport, (iv) communications, (v) energy, (vi) banking and other sectors of financial markets, (vii) oil & gas, (viii) nuclear, (ix) defence, (x) rocket and space, (xi) mining, (xii) metals and (xiii) chemical industry (CDI Facilities).
Each CDI Operator is obligated, among other things, to:
- inform the federal agency (the Agency) and the Central Bank of the Russian Federation (if the CDI Operator operates in banking or other sectors of financial markets) immediately of any "cyber-incident";
- cooperate with the Agency with respect to (1) the detection, prevention or remedying of cyber-attacks and (2) determination of the causes and circumstances of cyber-incidents.
In addition to the above, the CDI Law provides that each CDI Operator is under an obligation to evaluate the "importance" of the CDI Facilities that it owns, leases or has other legal rights to in order to determine whether the CDI Facility should be classed as what is called an "important critical data infrastructure facility", and, if so, which level of importance needs to be assigned to it. The Russian Government has yet to adopt specific rules for these evaluations but the evaluative criteria will relate to:
- social importance: possible damage to people's lives and health or possible malfunctions or stoppages in life-supporting infrastructure facilities, the transport infrastructure or telecommunications networks or the unavailability of public services in excess of the maximum period permitted;
- political importance: possible damage to the interests of the Russian Federation in matters relating to its foreign or domestic policy;
- economic importance: potential direct or indirect damage to CDI Operators and (or) the budgets of the Russian Federation;
- ecological importance: impact on the environment; and
- importance for national defence and law and order.
The CDI Operator must, within 10 days following completion of the evaluation, submit the results to the federal agency for security of the critical data infrastructure of the Russian Federation (the Security Agency). The Security Agency independently reviews the evaluation and, if it finds that the CDI Facility is an Important CDI Facility, it will put it on the register of important critical data infrastructure facilities that the Security Agency keeps (the Register).
Once an Important CDI Facility is on the Register, the CDI Operator will have additional obligations under the CDI Law. These include:
- complying with security regulations for Important CDI Facilities (the Security Regulations);
- complying with orders from the Security Agency to rectify violations of the Security Regulations;
- responding to cyber-incidents in accordance with the procedures adopted by the Agency and taking steps to remedy cyber-attacks on Important CDI Facilities; and
- providing unrestricted access to Important CDI Facilities for audits conducted by the Security Agency.
CDI Operators' compliance with requirements under the CDI Law will be monitored by the Security Agency through scheduled and unscheduled audits. Scheduled audits will take place every three years. Unscheduled audits will be carried out in the circumstances specified in the CDI Law (for example, in the event of a cyber-incident with negative consequences for an Important CDI Facility).
CDI Operators' officers may be criminally prosecuted for violations of (1) the operating rules for facilities for storing, processing and transferring data within the critical data infrastructure, CDI Facilities or telecommunications networks or (2) the rules for accessing such data, CDI Facilities or telecommunications networks, if the violation has resulted in damage to the critical data infrastructure. There is no specific administrative liability for such violations but the Russian Administrative Offences Code includes a general clause imposing administrative liability for violations of data security requirements, which envisages fines for officers and Russian companies.
The VPN Law will take effect on 1 November 2017. Federal Law No. 149-FZ "On Data, Information Technologies and Data Security" restricts access to certain data resources and data and telecommunications networks in Russia (restricted websites). Under the VPN Law, the owners of data and telecommunications networks and data resources that can be used to access restricted websites (VPN technology) are prohibited from providing users of VPN technology (users) with support to access restricted websites. The use of VPN technology is not prohibited but the VPN Law imposes certain obligations on (1) the owners of VPN technology (owners), (2) hosting providers and other persons providing for the distribution of VPN technology on the Internet (hosting providers) and (3) the operators of internet search-engines that publish advertisements for customers in Russia (search-engine operators).
The Federal Agency for Communications, Information Technology and Mass Media (Roskomnadzor) is responsible for monitoring compliance with the VPN Law. To this end, it will maintain a federal state database of data resources and data and telecommunications networks access to which is restricted in Russia (the Database).
The owners will be obligated to join the Database no later than 30 days from receipt of a request from Roskomnadzor. Roskomnadzor can identify an owner by itself or through a request to the hosting provider. Upon a request from Roskomnadzor, the hosting provider has an obligation to (1) disclose the details of the owner or (2) notify the owner that it must disclose its details on its Internet website. Search-engine operators also must join the Database. Once the owners or search-engine operators are in the Database, they must block users' access to restricted websites within 3 days.
If the owner fails to, among other things, (1) join the Database within the required period or (2) block users' access to restricted websites, Roskomnadzor will block access to the websites through which the VPN technology is distributed to users until the violations are rectified.
It is also important to note that the requirements of the VPN Law do not apply to the use of VPN technology where (1) the users are predetermined by the owner and (2) the VPN technology is used in order to support users' businesses.
From 1 January 2018, the anonymous use of instant messaging (IM) will be prohibited and IM service providers (IM Providers) will have certain obligations under the IM Law.
The main obligation of IM Providers will be to identify IM users by their mobile numbers. For this purpose, IM Providers must enter into an agreement with mobile operators allowing IM users to be identified. Russian IM Providers are allowed to identify IM users without any assistance from mobile operators. IM Providers must store data relating to the identification of IM users' mobile numbers in the Russian Federation only.
IM Providers are also obligated to:
- upon receiving a request from the relevant Russian authority, block the messages of the relevant IM user that contain information (i) the distribution of which is prohibited in Russia or (ii) which is distributed in violation of provisions of Russian law;
- provide IM users with the technical ability to reject messages from other IM users;
- ensure the privacy of IM messages;
- allow messaging at the request of the Russian authorities under Russian law; and
- block messages sent to IM users in the cases stipulated by and in accordance with the procedures set down by Russian law.
If IM Providers fail to perform their obligations under the IM Law, their IM applications may be blocked by a Russian court.