Hungary’s new law on information security will plug a hole in existing legislation, but may prove to be excessive in addressing security issues.

In December 2012, a municipal district in Budapest reached an agreement with Google to apply cloud-based solutions to the entire sphere of the municipality’s IT systems. At first glance, this solution may seem "cool" and progressive. However, the mayor of the municipality may not have considered the information security and data protection risks resulting from the fact that Google is covered by the scope of U.S. laws. As a result, U.S. authorities may directly request any of the municipality’s data handled by Google without the application of international legal assistance.

To date, Hungary has been lacking relevant legislation that could prohibit similar practices. This situation will change as of 1 July 2013, when a new act on electronic information security, the Information Security Act, will enter into force and apply to most of the governmental, administrative and municipal authorities and entities.

The Information Security Act introduces a new concept of integrated and unified protection of electronic information systems (i.e. hardware and software necessary for data and information management) in the so-called public sector. As an initial measure, public entities and authorities falling under the scope of the new act will be obligated to inspect their electronic information systems by 1 July 2014 in order to assess whether those systems meet the security criteria laid down by a ministerial decree that the National Development Ministry (NFM) will issue by 1 July 2013.

An authority operating under the control of the NFM will verify the findings of the respective public sector entities and ensure that the electronic information systems comply with the relevant security requirements. A governmental incident-handling centre, to be set up by the time the law enters into force, will deal with security incidents that threaten the secrecy, integrity, authenticity or functionality of the information stored in the electronic systems of public sector entities.

The introduction of the above-mentioned measures is more than timely in a country that so far has not had proper control over information security in the public sector. However, the following geographic prescriptions of the Information Security Act may be considered rather excessive:

  • Major administrative authorities and public entities (e.g. the offices of the Prosecution Service of Hungary or the National Bank of Hungary) identified by the Information Security Act may only manage information on electronic information systems that are located in the territory of Hungary. Alternatively, the electronic information systems of these authorities and public entities may be operated in the territory of the EU on the basis of (i) a separate permission issued by the NFM, or (ii) an international treaty.
  • Likewise, entities appointed as the exclusive processors of data stored in national data registers (e.g. the commercial register) may manage public information, information of public interest and personal data exclusively on electronic information systems located in the territory of Hungary. The above alternative regarding EU locations does not apply to these kinds of entities.
  • Electronic information systems supporting the operation of assets qualified by law as national or European critical infrastructure (irrespective of whether these assets are privately or publicly owned) will also need to be located in the territory of the European Union.

Private IT service providers that handle the data of public authorities or entities will also fall under the scope of the new legislation.

The measure will likely require several companies to take extensive steps to relocate the servers, computers and other IT devices hosting services that they provide to public authorities and entities.