Information Technology Security Law

Original Language Title: Informācijas tehnoloģiju drošības likums


The Saeima has adopted and the President has promulgated the following law:
Information Technology Security Law
Article 1. The purpose of the law
(1) The Act is designed to improve information technology security by defining the essential requirements for ensuring the essential services that are provided using this technology.
(2) Information technology security is ensured in order to predict and prevent, as well as to overcome, threats to the security of this technology and to eliminate their consequences.
(3) Information technology, within the meaning of this law, is technology which, for the performance of its assigned tasks, carries out electronic processing of information, including its creation, deletion, storage, display or transfer.
Article 2. The operation of the law
(1) The Act applies to State and local government institutions, as well as to merchants and other private law legal persons (hereinafter: private law legal persons).
(2) The Act does not apply to the content of information transmitted over electronic communications networks (for example, information society services and audiovisual works).
Article 3. Information technology critical infrastructure
(1) Information technology critical infrastructure is infrastructure approved by the Cabinet of Ministers in accordance with the National Security Law.
(2) Information technology critical infrastructure is protected in order to ensure the performance of functions essential to the State and society. In addition, the integrity, availability and confidentiality of information technology critical infrastructure are ensured.
(3) The procedures for planning and implementing security measures for information technology critical infrastructure shall be determined by the Cabinet of Ministers.
Article 4. Information technology security incident prevention institution
(1) The Information Technology Security Incident Prevention Institution (hereinafter: Security Incident Prevention Institution) contributes to the security of information technology in the Republic of Latvia. The operation of the Security Incident Prevention Institution is provided by the leading State authority in the communications sector. Its operational tasks and rights are delegated to the agency of the University of Latvia "Institute of Mathematics and Informatics of the University of Latvia", which implements these tasks in subordination to the leading State authority in the communications sector, in accordance with the State budget and the provisions of the delegation agreement. The leading State authority in the communications sector exercises this subordination in accordance with laws and regulations and the provisions of the delegation agreement, including by controlling the effective performance of the delegated tasks, giving orders for their execution and requesting the necessary information.
(2) Persons are employed by the Security Incident Prevention Institution in service or employment relations if they are eligible to receive a special permit for access to State secrets and comply with other statutory requirements. Persons employed by the Security Incident Prevention Institution, when carrying out the delegated tasks, shall comply with the principles of law and are responsible for the lawfulness of their actions or inaction.
(3) The Security Incident Prevention Institution is not entitled to request any payment for activities related to its functions under this law.
(4) State and local government institutions and private law legal persons have the obligation to cooperate with the Security Incident Prevention Institution, providing the necessary information and complying with its lawful requirements.
(5) In the case of a threat to the State, the Cabinet of Ministers may decide to transfer the tasks, rights and resources of the Security Incident Prevention Institution to the National Armed Forces.
(6) Contesting or appealing an administrative act that was issued to exercise the rights laid down in this law and is intended to prevent a direct threat to national security or information technology security shall not suspend the operation of that act. This does not apply to administrative acts concerning the imposition of administrative penalties.
(7) When taking administrative decisions, the Security Incident Prevention Institution shall comply with the State Administration Structure Law.
Article 5. Tasks and rights of the Security Incident Prevention Institution
(1) The Security Incident Prevention Institution:
1) maintains a unified representation of the activities taking place in the electronic information space;
2) provides support in preventing information technology security incidents or coordinates their prevention;
3) maintains, in a publicly accessible form, recommendations developed according to current threats on the prevention of current information technology risks;
4) carries out research work and organizes awareness-raising activities, training and instruction in the field of information technology security;
5) provides support to State institutions in protecting national security, as well as in detecting (investigating) criminal and other offences in the field of information technology, subject to the restrictions on data processing laid down in regulatory enactments;
6) monitors how State and local government institutions and electronic communications operators perform the obligations laid down in this Act;
7) cooperates with internationally recognized information technology security incident prevention bodies (units);
8) carries out other legal obligations.
(2) The Security Incident Prevention Institution is entitled to:
1) request and receive from State and local government institutions and private law legal persons technical information on information technology security incidents that have occurred or are ongoing (information on the number of incidents, the malware file that caused the incident, a description of the vulnerability, the technical measures taken to prevent the incident, information on the activities of the perpetrator or other technical information, including IP addresses);
2) obtain from State and local government institutions and private law legal persons, if bilaterally agreed, online data flow specifications;
3) make information technology critical infrastructure;
4) make decisions (issue administrative acts) to ensure that State and local government institutions, as well as private law legal persons, fulfil the obligations laid down in this law.
Article 6. Action in the event of an information technology security incident
(1) An information technology security incident (hereinafter: security incident) is a harmful event or act that results in the integrity, availability or confidentiality of information technology being compromised.
(2) In the case of a security incident, a State or local government institution, or the owner or legal possessor of information technology critical infrastructure, shall take all the necessary steps to prevent it (in particular, following the Security Incident Prevention Institution's recommendations on preferred initial actions in the event of a security incident) and shall immediately inform the Security Incident Prevention Institution of it. The Security Incident Prevention Institution agrees with the party reporting the security incident on support in preventing the security incident.
(3) Private law legal persons not covered by the obligations laid down in the second paragraph of this article shall, in the case of a security incident, take all the necessary steps to prevent it and may, on their own initiative, inform the Security Incident Prevention Institution of it. The Security Incident Prevention Institution agrees with the party reporting the security incident on support in preventing the security incident.
(4) The Security Incident Prevention Institution, having found a security incident that threatens national security, informs the Minister for Transport, the minister responsible for the sector and the competent national security authority, and submits proposals for necessary action; where it has found a breach of security or integrity that had a significant impact on electronic communications networks or services, it may inform the national regulatory authorities of the Member States of the European Union and the European Network and Information Security Agency. The Security Incident Prevention Institution may inform the public, or require the relevant electronic communications operators to do so, if it considers that disclosure of the breach is in the public interest.
Article 7. The processing of personal data
(1) The Security Incident Prevention Institution is entitled to receive and process personal data in order to confirm or rule out a suspected security incident or to prevent it, if the personal data cannot be anonymized and at least one of the following conditions is met:
1) harmful software can contain personal data;
2) personal data are transmitted using the malware;
3) personal data can provide important information about malware.
(2) If a security incident is detected, the processing of personal data is allowed in order to provide protection against harmful software or its consequences, as well as to uncover other malware and ensure protection against it.
(3) The Security Incident Prevention Institution may transfer personal data to the institutions (units) referred to in Article 5, first paragraph, clauses 5 and 7 of this law in order to recognize and prevent the action of harmful software that can cause or pose a threat to national or public security.
(4) The Security Incident Prevention Institution is permitted to process personal data that is not related to the incident for which the data was obtained only if it prepares and sends to the Data State Inspectorate a description of the processing and protection of the personal data. By 20 January of the following year, the Security Incident Prevention Institution shall draw up and submit to the Data State Inspectorate a report on the processing of personal data in the previous year.
Article 8. Information technology security of State and local government institutions
(1) Information technology security management in State and local government institutions is ensured by each institution concerned.
(2) The head of a State or local government institution shall designate the responsible person who implements information technology security management in the institution concerned (hereinafter in this article: the responsible person). The Security Incident Prevention Institution shall be informed of the designation of the responsible person within five working days.
(3) The responsible person, in addition to the responsibilities laid down in other legislation, has the following responsibilities:
1) to organize the institution's information technology security management;
2) at least once a year, to carry out an information technology security check and organize the rectification of the deficiencies it detects;
3) at least once a year, to attend training on information technology security organized by the Security Incident Prevention Institution;
4) at least once a year, to brief the institution's staff on information technology security.
(4) Each State or local government institution, taking into account this law and other laws and regulations, shall ensure that it has information technology security rules that contain at least descriptions and diagrams of its information technology, an information technology risk analysis, an information technology risk and security incident management plan, and the obligations of persons engaged in information technology maintenance, and shall ensure that the execution of these rules is monitored and controlled.
Article 9. Security of public electronic communications networks
(1) Electronic communications operators have the following responsibilities:
1) if the merchant provides a public electronic communications network, to ensure the integrity of the network, thereby ensuring the continuity of service provision, and to draw up an action plan for ensuring the continuous operation of the electronic communications network, setting out the technical and organisational measures designed to overcome threats to the security of the network and of service provision;
2) to report to the Security Incident Prevention Institution security or integrity violations that have significantly affected the operation of electronic communications networks or the provision of services. An incident as a result of which the electronic communications network does not work for at least 24 hours is considered a significant security or integrity violation;
3) at the request of the Security Incident Prevention Institution, to provide it with the information required for evaluating the security or integrity of services and networks, including documented security policies;
4) at the request of the Security Incident Prevention Institution, if a significant breach of security or integrity has been found, to organize a security audit performed by a qualified entity that is agreed with the Security Incident Prevention Institution and independent of the parties involved. The Security Incident Prevention Institution is informed of the audit results. The electronic communications operator rectifies the irregularities identified in the audit and covers the audit costs;
5) at the request of the Security Incident Prevention Institution, to temporarily, but for no longer than 24 hours, close an end user's access to the electronic communications network if the end user endangers the rights of other users, an information system, or the security of the electronic communications network. When requiring such action, the Security Incident Prevention Institution indicates the reason for the request.
(2) The Cabinet of Ministers shall determine the information to be included in the action plan for ensuring the continuous operation of the electronic communications network, the arrangements for controlling the execution of this plan, and the procedure by which end users' access to the electronic communications network is temporarily closed.
Article 10. National Information Technology Security Council
To coordinate the planning and execution of tasks and measures related to information technology security, the Prime Minister establishes the National Information Technology Security Council, whose operation is provided by the leading State authority in the communications sector.
Transitional provisions
1. Article 9 of this law shall enter into force on 1 May 2011.
2. The Cabinet of Ministers shall, by 1 February 2011, issue the rules laid down in Article 3, third paragraph, of this law.
3. The Cabinet of Ministers shall, by 1 May 2011, issue the rules laid down in Article 9, second paragraph, of this law.
4. The Prime Minister shall, by 1 February 2011, establish the National Information Technology Security Council laid down in Article 10 of this law.
Informative reference to European Union directive
The law includes provisions arising from Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services, Directive 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and Directive 2002/20/EC on the authorisation of electronic communications networks and services.
The law shall enter into force on February 1, 2011.
The law was adopted by the Parliament on 28 October 2010.
President V. Zatlers
Riga, 10 November 2010