Information security - The rights and obligations of corporate and association subscribers
A corporate or association subscriber must maintain the information security of its network and communications services by ensuring:
- operating security
- communications security
- hardware and software security
- data security.
A corporate or association subscriber may have outsourced its network and communications services, for example, to an IT service company. Even then, the corporate or association subscriber is responsible for ensuring that information security is maintained and that the services comply with the law.
Corporate or association subscribers are not required to take unreasonable measures for ensuring information security as long as the measures are commensurate with:
- the seriousness of threats
- the level of technical development
- the costs.
FICORA may issue further regulations regarding the information security of services or of data retention.
In order to prevent information security violations and to ensure information security, a corporate or association subscriber has the right to:
- prevent the conveyance and reception of messages
- remove from messages malware that poses a threat to information security
- take any other comparable technical measures in its communications network.
A corporate or association subscriber may undertake these measures only if they are necessary for safeguarding the network or communications services or the communications ability of a message recipient. The measures taken to ensure information security may not limit freedom of speech or the protection of privacy any more than is necessary.
If possible, the filtering of messages must be done without interfering with the contents of the communications. Message contents may be examined and filtered by technical means if there is reason to suspect that a message contains malware or is used for interfering with communications.