The case concerning the absence at GP "Diia" a certificate of conformity of the complex of information protection system : the essence of the decision
The plaintiff complained about the lack of a certificate of conformity of the complex of the information protection system at the state enterprise of the Ministry of Finance "Action" as of the date of inclusion in the Trust List of a qualified provider of electronic trust services.
The court ruled in the case of the absence in the "Action" certificate of compliance with the complex of information protection system
On April 12, 2021, the District Administrative Court of Kyiv ruled in the case, the circumstances of which concerned the absence of the State Enterprise "Action" Mincifra on the date of inclusion in the Trust List of qualified providers of electronic trust services certificate of compliance with the information security system.
The plaintiff also raised the issue of the lack of a certificate of conformity of the complex of the protection system of the information and telecommunication system of the central certification body at the State Enterprise "Action" in the period from 12/19/2019 to 06/10/2020.
This is a case for № 640/13909/20 on the claim of a person to the Ministry of Digital Transformation of Ukraine and the state enterprise "Action", which asked the court:
to oblige the Ministry to exclude from the Trust List the qualified provider of electronic trust services of SE "Action";
to oblige the Ministry of Culture to cancel the qualified public key certificates of the qualified provider of electronic trust services of the State Enterprise "Action" issued in the period till 10.06.2020 by the central certifying body;
cancel the self-signed certificate of electronic seal of the Central Certification Authority, issued before 10.06.2020.
In support of the claims, the plaintiff stated that examining the open access materials posted on the electronic resources of the Ministry of Digital Transformation, it was established that the defendant violated the law, which grossly violates the rights and legitimate interests and freedoms of the plaintiff, as well as rights and legitimate interests or freedoms. citizens of Ukraine, users of electronic trust services.
The plaintiff noted that contrary to the requirements of the Law "On Electronic Trust Services" the defendant in the Trust List posted on the website of the Central Certifying Authority of the Ministry of Digital Transformation and in the Register of Qualified Providers of Electronic Trust Services was entered State Enterprise "Action". the list did not have a certificate of conformity of the complex of information protection system and did not submit a certified copy in the manner prescribed by law.
The plaintiff also drew attention to the lack of a certificate of conformity of the complex of protection system of information and telecommunication protection system of the central certification body (hereinafter - KSZI ITC CPB) in SE "Action" in the period from 19.12.2019 to 10.06.2020, which is a violation of the Law "On electronic trust services ”and the Law“ On Information Protection in Information and Telecommunication Systems ”, and, as a consequence, could lead to unauthorized access to private keys and root certificates of the central certification authority.
A copy of the Certificate of Conformity of the ITC CPC of the State Enterprise "Diya" dated June 10, 2020 for № 21585 was placed on the respondent's electronic resources in open access. , issued to the State Enterprise "Action", which is a violation of these requirements, as the law does not provide for inclusion in the Trust List for partial submission of documents listed in paragraph 30 of the Law "On electronic trust services".
In its response to the lawsuit, the Ministry of Finance stressed that the plaintiff is not empowered to establish violations of legislation in the field of electronic trust services and file a lawsuit against the actions of the central certification body - the Ministry of Statistics and the administrator of the information and telecommunications system of the Central Certification Authority , as only the State Special Communications Administration is empowered to identify and qualify violations in the field of electronic trust services, issue instructions and apply to the court for the application of response measures.
The defendant also noted that the acquisition of the status of a qualified provider of electronic trust services of SE "Diya" took place in the manner prescribed by law by transferring property from the Ministry of Justice of Ukraine from the balance of SE "National Information Systems" to the Ministry of Digital Transformation on the balance of SE "Diya" .
The plaintiff filed a response to the court, stating the following.
Thus, according to the plaintiff, the consequences of the defendant's violation of the Constitution of Ukraine and the Law "On Electronic Trust Services" and not the consequences of revoking the self-signed electronic seal certificate of the Central Certification Authority may be inevitable for each user of electronic trust services.
According to the plaintiff, the defendant was included in the Trust List of SE "Action" in gross violation of current legislation of Ukraine, namely the resolution of the Cabinet of Ministers "On the implementation of a pilot project to ensure continuous provision of qualified electronic trust services in case of replacement of such services" and the Law "On electronic trust services ".
Provision of electronic trust services by Dia for a long time without a certificate of conformity of a comprehensive information protection system is a violation of the requirements of legal documents on technical protection of information and Article 8 of the Law "On Information Protection in Information and Telecommunication Systems".
The court found the following.
The Order of the Ministry of Digital Transformation dated 19.12.2019 № 27 approved the Regulations of the central certification body and designated the State Enterprise "Action" administrator of the information and telecommunications system of the central certification body, which provides technical and technological support for the functions of the central certification body.
SE "Action" is included in the Trust List, which is posted on the website of the Central Certifying Authority of the Ministry of Digital Transformation and in the Register of qualified electronic service providers.
According to the plaintiff, studying the open access materials posted on the electronic resources of the Ministry of Digital Transformation, she established the facts of violation of the law by the defendant.
The case file shows that person N, who is not the plaintiff in this case, appealed to the Administration of the State Service for Special Communications and Information Protection of Ukraine with a request for public information from 18.02.2020, in which he requested the following information:
whether the State Service for Special Communications and Information Protection of Ukraine issued a Certificate of Conformity to the system of technical protection of information in the information and telecommunications system of the central certification body owned by SE "Action" of the Ministry of Digital Transformation of Ukraine or the Ministry of Digital Transformation of Ukraine;
provide a copy of the Certificate of Conformity issued by the State Service for Special Communications and Information Protection of Ukraine to the system of technical protection of information in the information and telecommunication system of the central certification body owned by SE "Action" of the Ministry of Digital Transformation of Ukraine or the Ministry of Digital Transformation of Ukraine.
By letter dated 24.02.2020, the Administration of the State Service for Special Communications and Information Protection informed that as a result of processing the request for public information, the certificate of conformity specified in the request was not issued by the State Special Communications Administration.
According to the plaintiff, SE "Action" on the date of inclusion in the Trust List did not have a certificate of conformity KSZI and did not submit a certified copy in the manner prescribed by law, and therefore SE "Action", contrary to the Law "On electronic trust services", was included in Trust list.
A copy of the Certificate of Conformity of the ITC CPC of the State Enterprise “Action” dated 10.06.2020 for № 21585 was placed in the public access on the electronic resources of the Ministry of Digital Transformation. , issued by SE "Action", which is a violation of the law, as the law does not provide for inclusion in the Trust List for partial submission of documents listed in paragraph 2 of Article 30 of the Law "On electronic trust services".
Thus, the plaintiff came to the conclusion that these facts regarding the absence of KSZI ITC CPB SE "Action" and confirmed the absence of the Certificate of Conformity KSZI ITC CPO in the period from 12/19/2019 to 06/10/2020 On the protection of information in information and telecommunications systems "on security policy and is a real factual event that has led or may lead to unauthorized access to private keys and root certificates of the CPB.
The court concluded that the claims were unfounded on the basis of the following.
In the statement of claim, the plaintiff did not indicate specific rights, freedoms or interests that were allegedly violated by the defendant as a result of the inclusion of SE "Action" in the Trust List.
An analysis of the Law on Electronic Trust Services and the CAS of Ukraine shows that violated rights, freedoms and legitimate interests of users of electronic trust services are subject to judicial protection, which occurs only when their rights are violated due to actions or inaction of certain electronic providers. trust services and bodies that carry out state regulation in the field of electronic trust services.
At the same time, the plaintiff does not state and, accordingly, the case file does not show that the latter is a user of electronic trust services of the provider of electronic trust services SE "Action", as a result of which its rights and interests are violated.
Thus, from the available case file it is impossible to establish that the plaintiff is a user of electronic trust services of SE "Action" and how the defendant violated the rights of the plaintiff. Thus, the plaintiff has not proved the fact of violation of their rights, freedoms or interests by the actions of the Ministry of Digital Transformation of Ukraine related to the inclusion of SE "Action" in the Trust List of providers of electronic trust services, which is a prerequisite for filing a lawsuit. , accordingly, testifies to the groundlessness of the claimed claims.
Therefore, the court denied the claim.
Date of publication: 23.05.2021