What are the basic requirements for ensuring the security of user data from surveillance cameras in Vietnam? – Tu Anh (Ninh Thuan)
Regarding this matter, LawNet would like to answer as follows:
On May 7th, 2024, the Minister of Information and Communications issued Decision 724/QD-BTTTT on the basic criteria for ensuring network information security for surveillance cameras.
The basic requirements for ensuring the security of user data from surveillance cameras as of May 7th, 2024, are stipulated as follows:
(1) Personal data protection:
Camera devices and related services must, at a minimum, have features that allow locations in Vietnam to be set up and configured for data processing, storage, and use (such as memory cards/external devices, cloud computing services hosted in Vietnam, etc.) to ensure compliance with Vietnamese laws on personal data protection.
(2) Data collection sensors:
User manuals (or equivalent publicly disclosed documents) must list the sensors used by the camera device and describe the function and operating principle of each sensor.
(3) Notifications related to personal data protection:
During the initialization, setup, and configuration of the devices, there must be an interface that notifies users of the storage and processing locations (countries) of the data collected by the camera devices and related services.
(4) Data deletion on camera devices:
- There must be a function that allows users to delete collected and stored data on the camera devices.
- There must be a function to notify users of the successful/failed data deletion on the devices when performing the deletion function.
- There must be a function to confirm user consent before executing data deletion.
(5) Data deletion on linked services:
- There must be a function that allows users to delete stored data on linked services.
- There must be a function to notify users of the successful/failed data deletion on the linked services when performing the deletion function.
- There must be a function that allows users to set automatic data deletion times on linked services. The deletion time can be set by the user on the camera or by using the default time set by the manufacturer.
- There must be a function to confirm user consent before executing data deletion.
(1) Prevention of brute force attacks:
- The system management function must allow changing the lockout time, the number of failed login attempts, and the time period over which consecutive failed logins are counted. The default lockout should prevent login for 5 minutes after 5 consecutive failed login attempts within a 30-second period or less.
- Only provide information to users regarding successful/failed login attempts without disclosing any other content that could be used as a basis for brute force attacks.
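The default lockout rule in item (1), sketched as an added example (not code from Decision 724/QD-BTTTT or from LawNet). The class, function and message names are hypothetical, and returning the same generic failure message while an account is locked is an assumption about how to apply the second bullet.

```python
import time
from collections import deque
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    # Defaults taken from the page; all three values stay configurable.
    max_failures: int = 5          # consecutive failed logins
    window_seconds: float = 30.0   # period in which they must occur
    lockout_seconds: float = 300.0 # 5-minute lockout

# Constructed messages: only success/failure is disclosed, nothing about
# remaining attempts, account existence or lockout state.
GENERIC_FAILURE = "Login failed"
SUCCESS = "Login successful"

class LoginGuard:
    def __init__(self, policy=None, clock=time.monotonic):
        self.policy = policy or LockoutPolicy()
        self.clock = clock
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time the lockout ends

    def attempt(self, account, credentials_ok):
        """Record one login attempt; returns (allowed, message)."""
        now = self.clock()
        if now < self._locked_until.get(account, float("-inf")):
            # Locked out: reject even correct credentials.
            return False, GENERIC_FAILURE
        if credentials_ok:
            # A success breaks the run of consecutive failures.
            self._failures.pop(account, None)
            return True, SUCCESS
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        # Keep only failures inside the window (exactly 30 s still counts).
        while now - recent[0] > self.policy.window_seconds:
            recent.popleft()
        if len(recent) >= self.policy.max_failures:
            self._locked_until[account] = now + self.policy.lockout_seconds
            recent.clear()
        return False, GENERIC_FAILURE
```
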
(2) Secure password management:
- The function must require users to change the default password or initial password when using the device for the first time.
- There must be a function that enforces secure passwords. The generated password must meet complexity requirements (a minimum length of 8 characters, including uppercase letters, lowercase letters, numbers, and special characters).
- Use a hash function of at least SHA-256 strength.
(3) Secure initialization of default passwords:
The default initialization password on the camera devices and related services (if any) must meet the following requirements:
- Minimum length of 8 characters, including uppercase letters, lowercase letters, numbers, and special characters.
- The password initialization mechanism should use a random-value generation method.
- The password initialization mechanism should not use publicly available information (e.g., MAC address, Wi-Fi SSID, product name, product type, etc.).
- Passwords should be different for each camera device.
(4) Authentication management:
- The authentication function must allow for the authentication of various types of entities, such as users or devices, with different authentication value types.
- Passwords stored on the camera must be encrypted.
More details can be found in Decision 724/QD-BTTTT, which comes into force from May 7th, 2024.