Introduction
The law understands cyber security in a much narrower sense than it must be viewed by company practices. As the existing law stands, we must separate cyber security of the state from other forms of information security of the individual, that is personal data protection, commercial secrets protection, protection from standard criminal activities directed to information (information criminality) etc. Security manager must therefore employ not only legislation directly concerned with cyber security but also a vast criminal, administrative and civil legislation defining those legal obligations which bear upon various forms of obtaining, processing, storing and communication of information.
Hence, the law perceives cyber security as the defence of the national cyberspace against security threats. Isolated security incidents can of course achieve such intensity as to have a negative impact on a national scale, e.g. failure of a trunk network. However, majority of normally occurring incidents do not attain such an intensity to warrant a response on the national cyber security – these phenomena are then dealt with legally using standard protection statutes of the criminal, administrative and civil legislation. A typical example can be a leak of personal data or penetration into a company information system.
In the relation of cyber security in the narrower sense of the word (that is, as it is perceived by existing law) it is necessary in company practice to tackle primarily the issues of protecting company information infrastructure from external attacks and this includes also the appropriate detection of such attacks. Of equal importance, from the legal point of view, is also the prevention of company information infrastructure to be used for an outside attack. Under existing law it is short of impossible to punish a company for not using appropriate security measures in an own network (the only exceptions in this direction are related to secret information). However, in some definite cases a company can be made legally responsible for damage caused to the employees, customers or third parties due to insufficient security of the information infrastructure. Similar to other Euro-Atlantic countries, intensive work has been underway in the Czech Republic in the area of specific legal framework of national cyber security. This framework shall primarily and newly demand that providers of electronic services implement in their networks certified security technologies. At the same time, under the coordination of the National Security Authority, a supervisory government body will be created and this will operate as the centre of the protection for the state and critical communication infrastructure as well as a body for critical management in case of a massive attack on a national scope. Furthermore, the activities of the national supervisory body will be amended to include information evaluation of security incidents coming from the private sphere and to coordinate protection modes with the providers of concrete networks (the national body is in a work-in-progress operation at present, as based on a memorandum between CZ.NIC and Ministry of the Interior of the Czech Republic.
JUDr. Radim Polčák, Ph.D. |
Head, Institute of Law and Technologies, Masaryk University in Brno |
Constitutional Order
2/193 Col., Charter of fundamental rights and freedoms |
110/1998 Col., On the security of the Czech Republic |
Laws
240/2000 Col., On crisis management and change of some laws |
365/2000 Col., On information systems of the public sector |
480/2004 Col., On some services of the information society |
127/2005 Col., On electronic communications |
412/2005 Col., On the protection of secret information and on the security capability, as amended in later provisions |
181/2014 Col., on cyber security and change of some laws (Cyber Security Law) |
Government Resolutions
677/2007 Action plan of measures fulfilled in the National security strategy of the Czech Republic |
564/2011 On the Strategy for cyber security of the Czech Republic for 2011-2015 |
781/20111 On the establishment of the national security authority as a coordinator of the issues of cyber security and also the national authority in this area |
Public Notices
523/2005 Col., On the security of information and communication systems and other electronic devices dealing with secret information, and on the certification of screening chambers |
524/2005 Col., On providing cryptographic protection of secret information |
525/2005 Col., On procedures of certification in securing cryptographic protection of secret information |
526/2005 Col., On defining specimens used in industrial security and on lists of written documents and their requisites needed to issue certificates for entrepreneurs and on how an entrepreneur submits an application (public order on industrial security), as amended by public order No. 11/2008 Col. |
527/2005 Col., On defining specimens in the personal security area and on security clearances and on the lists of written documents needed for a physical person’s application for certificate and for the application for the license of a physical person and the ways of submitting the said applications (public order on personal security) |
528/2005 Col., On physical security and certification of technical means, as amended by public order No. 19/2008 Col. |
529/2005 Col., On administrative security and on registers of secret information, as amended by public order No. 55/2008 Col. |
All information are subject to change. Last update by: 1.11.2017