Summarize the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
The Cyber Security Law of the People's Republic of China (PRC) (effective as of June 1, 2017) is the first comprehensive legislation governing the cybersecurity sector in China. This law, which institutionalizes a series of pre-existing regulatory measures, establishes a general regulatory framework for the construction, operation, maintenance and use of information networks in China, and for their supervision and administration through cooperation between the Cyberspace Administration of China (CAC), the state telecommunications authorities, the Ministry of Public Security (MPS) and other relevant authorities, including industry regulators. Individuals and entities subject to this law include users, "network operators" (broadly defined to include network owners and administrators, as well as network service providers), network product providers and industry organizations related to cyberspace, among others.
The Cybersecurity Act itself is a general document that is intended to be supported by a large number of implementing regulations, mandatory and voluntary technical standards and other guidance promulgated by the relevant authorities (see questions 3 and 15). The precise application of certain provisions of this law remains somewhat unclear and could vary depending on the final form of the implementation measures, which are to be published separately by the respective relevant authorities (see "Update and trends").
Among other key features, the Cybersecurity Act conceptualizes in general terms the resources and activities of cyberspace according to their degree of sensitivity, evaluated by means of a classified protection system (see questions 6, 8 and "Update and trends"). In particular, the law establishes more stringent requirements for the subset of cyberspace resources and activities that are considered to constitute "critical information infrastructure" (CII), while accommodating a range of less stringent requirements for less sensitive cyberspace resources and activities.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Several industry sectors are heavily affected by China's cybersecurity laws, in particular those that are closely linked to online operations and include an important public-service component, such as telecommunications, health and medical services, and financial services (for example, banking, insurance and credit reporting). The regulatory authorities responsible for supervising these sectors have made significant progress in promoting cybersecurity. For example, regulators in the financial services industry have established a series of policies, requirements and guidelines related to information technology (IT) security: the China Banking and Insurance Regulatory Commission (CBIRC) has promulgated the Opinions on the Use of Secure and Controllable Information Technology to Strengthen the Network and Information Security of the Banking Industry (effective as of September 3, 2014) and the Notice on the 2014-2015 Guidelines for the Application of Safe and Controllable Information Technology in the Banking Industry (effective as of December 26, 2014). Likewise, the National Health Commission (NHC) issued the Administrative Measures on the Standards, Security and Services of National Health and Medical Data on September 14, 2018, which establish the main responsibilities of government authorities and medical institutions in managing the security of health and medical data.
In accordance with the Cybersecurity Act, it is expected that the relevant regulatory authorities, including those with oversight of specific industry sectors, will enact more detailed implementation measures, including the enhanced security protection required for any network that is classified as CII (see "Update and trends").
Has your jurisdiction adopted any international standards related to cybersecurity?
In accordance with the requirements of the Cybersecurity Act, China participates in the development of, and has adopted, certain international standards related to cybersecurity (including standards of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), among others), which are integrated into China's national standards system in accordance with the Law on Standardization (in force as of April 1, 1989) and its implementing regulations. That system includes both mandatory standards (GB standards) and voluntary standards (GB / T standards). In addition, the National Technical Committee for Information Security Standardization (NISSTC) under the Standardization Administration of China (SAC) has developed and promulgated non-binding guidance on information security technology based on the ISO and IEC standards (GB / Z guidance). The main information security technology standards and guidelines applicable in China are codified as "TC260" standards, formulated by the NISSTC and jointly published by the SAC and the General Administration of Quality Supervision, Inspection and Quarantine of China (AQSIQ) (see question 15).
What are the obligations of responsible staff and directors to stay informed about the adequacy of network and organizational data protection, and how can they be held responsible for inadequate cybersecurity?
In accordance with the Cybersecurity Law and other relevant laws and regulations, responsible management personnel may be held liable for non-compliance with cybersecurity requirements. In particular, the Cybersecurity Act requires each network operator to designate an official with central responsibility for supervising the organization's cybersecurity program. Failure to comply with the requirements of the Cybersecurity Act can be punished with fines and other penalties, which can be imposed both on the network operator and on the responsible individuals.
China has not established a general legal requirement to hold directors accountable for a company's lack of knowledge of, or inadequate preparation for, cybersecurity. Under applicable law, any director of a Chinese company generally owes fiduciary duties of loyalty and diligence to the company. Depending on the size of the company, its industry sector and the assessed importance of cybersecurity risks, such duties can be interpreted as requiring the board to ensure that the company establishes and maintains a robust cybersecurity system. Recently, drafts of industry-specific regulations have proposed strengthening the link between the board of directors and the organization's cybersecurity preparedness. For example, the CBIRC published the Draft Provisions on Insurance Institutions Information Management (Draft for Comments) (published on October 9, 2015), according to which insurance institutions would have to establish an information committee that reports to the board of directors. The chairman of the committee would be the chairman of the board or the general manager, and the committee membership would include the chief information officer and representatives of IT and other major business departments.
How does your jurisdiction define cybersecurity and cybercrime?
The Cybersecurity Act defines "cybersecurity" as "maintaining the network in stable and reliable conditions and protecting the integrity, confidentiality and availability of network data, taking the necessary measures to protect the network from attacks, intrusions, interferences, damages or illegal use or other incidents".
"Cybercrime" is not defined in the law of the People's Republic of China; however, the Criminal Code of the People's Republic of China (effective as of October 1, 1997) addresses various crimes related to computers and computer networks, commonly referred to as "cybercrime." Such crimes include the following:
- illegally intruding into a computer system;
- illegally accessing or manipulating data residing in a computer system;
- providing computer programs or tools to illegally invade or control a computer system;
- inflicting damage to a computer system;
- failing to comply with security management obligations for an information network;
- illegally using an information network;
- assisting a crime in relation to an information network;
- traditional types of crimes that are committed in relation to computer systems (for example, theft or online fraud); and
- other related infractions of a serious nature.
What are the minimum protection measures that organizations must implement to protect data and information technology systems from cyber threats?
In accordance with the Regulation on the Classified Protection of Information Security (effective as of June 22, 2007), all information networks operating in China are classified into one of five security grades (I-V) and are subject to graduated levels of security protection according to the assigned security grade classification (see "Update and trends"). The classification of a network is determined by the owner of the system based on an assessment that includes the owner's evaluation of the perceived importance of the system to national security, economic development and society, as well as an assessment of the potential impact in the event that the network were to be destroyed.
Of Grades I to V, "Grade I" constitutes the most basic level, in which "damage to the network causes damage to the legal rights of citizens, legal persons and other organizations, but does not harm national security, social order or public interest", while "Grade V" is the highest level, where "damage to the network results in very serious damage to national security".
The minimum protection measures applicable to Grade I are identified in the non-binding standard Information Security Technology – Baseline for Classified Security Protection of the Information System (GB / T 22239-2008). The general requirements for such protective measures include:
- physical protection, which covers the physical access control and the protection of the equipment against theft or manipulation;
- network security, which covers the general structure and control of access to the network;
- server security protection;
- security protection of applications;
- data security and backup;
- establishment and maintenance of a safety management system and related procedures and policies;
- establishment and maintenance of security management positions, clearly defining the responsibilities of each position, as well as examining the identity and professional qualifications of each staff;
- regular training to improve security awareness; and
- procurement processes with respect to relevant IT products and services.
Scope and jurisdiction
Does your jurisdiction have any law or regulation that specifically addresses computer threats to intellectual property?
China has not established any specific laws or regulations that specifically address cyber threats to intellectual property.
Does your jurisdiction have any laws or regulations that specifically address computer threats to critical infrastructure or specific sectors?
Among other key features, the Cybersecurity Act establishes more stringent requirements for the subset of cyberspace resources and activities that are considered CII, which is broadly defined to encompass the information infrastructure within certain industry sectors (including, among others, public telecommunications and information services, energy, transportation, water, banking and other financial services, public services and electronic government) for which damage, malfunction or a data breach of the system would seriously harm national security or the public interest (see questions 1, 8 and "Update and trends"). The specific scope of CII and the applicable security measures will be described in greater detail in future implementation regulations. More recently, on July 10, 2017, the Draft Regulation for the Protection of Critical Information Infrastructure Security was issued for public comment, proposing additional measures with respect to the protection of CII (see "Update and trends").
Does your jurisdiction have any cybersecurity law or regulation that specifically restricts the exchange of information about cyber threats?
In accordance with the Cybersecurity Act, China supports cooperation between network operators in areas such as the collection, analysis and reporting of cybersecurity information and emergency handling, assigning responsibility to the relevant industry organizations for establishing coordination mechanisms and implementation regulations. However, activities such as cybersecurity certification, risk detection and evaluation, and the dissemination of cybersecurity information (such as system vulnerabilities, computer viruses, network attacks and intrusions) must comply with the relevant regulations (see question 17).
What are the main cyber activities that are penalized by the law of your jurisdiction?
In accordance with the Criminal Law of the People's Republic of China, various cyber activities constitute criminal offenses that are punishable by law. See question 5.
How has your jurisdiction addressed the information security challenges associated with cloud computing?
The information security challenges associated with cloud computing are an emerging issue that has recently received significant attention in China. For example, on December 30, 2014, the CAC promulgated the Opinion on Strengthening the Cybersecurity Management of Cloud Computing Services by Government Departments and the Party of China (the 2014 Cloud Computing Opinion), which specifies, among other things, that public cloud computing services may not be used for any government information or services that involve state security. In addition, any cloud computing platform or data center that provides services to the Chinese Communist Party or Chinese government agencies must be established within China, and confidential information may not be transmitted, processed or stored abroad without permission.
China has also promulgated two national voluntary standards with the aim of providing guidance to government and third-party service providers with respect to the management of cybersecurity for cloud computing, including the Information Security Technology – Security Guide for Cloud Computing Services (GB / T 31167-2014) (the 2014 Cloud Computing Security Guide), which establishes a framework for cloud-related security requirements. In particular, the 2014 Cloud Computing Security Guide identifies five fundamental principles that govern the conduct of cloud computing customers and service providers, which are listed below.
- No change of responsibilities in security management: the client will be the party ultimately responsible for the security of the information; The responsibility for information security will not be transferred to any other party, whether the data and the business are located internally or on a cloud computing platform.
- No change in the ownership of resources: all data, equipment and other resources, and any data or document that is collected, generated and stored on the cloud computing platform will be owned by the client. The client's right to access, use and control said resources should not be restricted.
- No change of jurisdiction: jurisdiction over the data and the client's business will not be changed as a result of cloud computing. Unless expressly provided by PRC law, providers of cloud computing services are not authorized to provide customer data and related information to any government agency or other organization in other countries.
- No change in the level of security management: the cloud computing platform and the providers of cloud computing services must comply with the relevant security requirements applicable to the client.
- Security capability assessment: all cloud computing service providers will have the ability to safeguard the security of customer data and business systems and must pass the required security assessment. The client can only use service providers that pass said security assessment.
With respect to cloud computing services provided in relation to government data or services, the 2014 Cloud Computing Opinion specifies that public cloud computing services cannot be used for any government information or service that involves state or official security. Any cloud computing platform or data center that provides services to the Communist Party of China or Chinese government agencies must be established within China, and confidential information may not be transmitted, processed or stored abroad without permission.
How do the cybersecurity laws in your jurisdiction affect foreign organizations that do business in your jurisdiction? Are the regulatory obligations the same for foreign organizations?
In general, foreign organizations doing business in China are subject to the same cybersecurity obligations and responsibilities as domestic entities, but the relative impact of such obligations may differ considerably. For example, the Cybersecurity Act and the proposed implementing regulations establish enhanced requirements with respect to data localization, as well as supplementary requirements for mandatory security assessments of any cross-border transfer of personal identification information (PII) of Chinese citizens or of important data. Specifically, CII operators must store in China any PII or important data collected or generated in China. Where a legitimate need requires that such data be transferred out of China, a security assessment must be satisfactorily completed before any transfer. In many circumstances, an organization can complete a self-assessment; however, in the case of a large-scale PII transfer, the assessment must be completed by a competent government authority.
In addition to the Cybersecurity Act, industry-specific examples of relevant regulations include the Circular of the People's Bank of China (PBOC) on Banking Financial Institutions Doing Good Work on the Protection of Personal Financial Information (effective as of March 27, 2012) and the Administrative Measures for Population Health Information (Trial) (effective as of May 5, 2014), which prohibit cross-border transfers of personal financial information and personal health information, respectively.
China's cybersecurity laws affect foreign organizations by imposing greater obligations, including with respect to data localization, pre-transfer security assessments, restrictions on cross-border transfers and the use of virtual private networks. Such measures can have a series of impacts on the operations of foreign organizations in China: for example, they promote the use of domestic infrastructure for data hosting and the engagement of local data processing service providers, and they strictly regulate overseas data transfers, any of which can substantially increase the cost of doing business in China for a foreign organization.
Do authorities recommend additional cybersecurity protections beyond what is required by law?
In addition to laws and regulations, China publishes and maintains comprehensive national standards that address cybersecurity and information security requirements. See question 15.
How does the government encourage organizations to improve their cybersecurity?
China has not established any formal government program specifically designed to incentivize organizations to improve their cybersecurity preparedness. However, the Cybersecurity Act contains general principles stating that the government should prepare plans and increase investment to support key industries and network security technology projects, support research and development of network security technology, and encourage relevant companies or organizations to provide certification, testing and risk assessment services. The Chinese government is also obliged to organize network security training to promote awareness among the general public.
Identify and delineate the main industry standards and codes of practice that promote cybersecurity. Where can you access these?
National standards and technical guidance documents have been published under the umbrella of "Information Security Technology", including GB standards, GB / T standards and technical guidance (GB / Z guidance). These standards and technical guidance cover a wide range of cybersecurity topics, including, for example, encryption specifications and security standards for cloud computing, online banking, industrial control systems and electronic government. One example is the recently published draft Information Security Technology – Guidelines for Assessing the Security of Cross-Border Data Transfer, which proposes substantially more detailed guidance with respect to the implementation of a security assessment program (see "Update and trends"). A complete library of the national PRC standards can be accessed through the following URL: www.sac.gov.cn/was5/web//outlinetemplet/gjbzcx.jsp.
The main information security technology standards and guidelines applicable in China are codified as "TC260" standards, which are formulated by the NISSTC and jointly published by the SAC and the AQSIQ. The TC260 key standards can be accessed on the NISSTC website at: www.tc260.org.cn. However, there are no English versions of the TC260 standards available on this site.
Are there generally recommended best practices and procedures for responding to breaches?
Guidance on best practices and procedures for responding to cybersecurity breaches can be found in the Information Security Incident Management Guide (GB / Z 20985-2007), which is largely based on the international standard ISO / IEC TR 18044:2004 (Information technology – Security techniques – Information security incident management), with relevant revisions. This guide provides an overview of information security incident management processes and recommendations on response activities, which generally encompass the steps listed below:
- initial detection and report of the occurrence of the information security incident;
- collection of information to evaluate and determine if the circumstances constitute an information security incident;
- respond to the incident by taking immediate action and, if the incident is not under control, seek assistance in case of crisis;
- communication of details of the incident to internal and external people and organizations;
- perform forensic analysis;
- recording of completed steps and decisions for further analysis; and
- once an information security incident has been resolved:
  - conducting additional forensic analysis and identifying the lessons that can be learned from the handling of the incident; and
  - making improvements to existing policies and processes.
Information sharing
Describe practices and procedures for the voluntary exchange of information about cyber threats in your jurisdiction. Are there legal or policy incentives?
In accordance with the Cybersecurity Act, China supports cooperation between network operators in areas such as the collection, analysis and reporting of cybersecurity information and emergency handling, assigning responsibility to the relevant industry organizations for establishing coordination mechanisms and implementation regulations (see question 9). However, China has not yet established any specific program to promote the voluntary sharing of information about cyber threats. Affected entities and individuals are required to report information about cyber threats to the relevant regulatory authorities, which can publish a public report and provide recommendations to address those threats.
China maintains a centralized reporting program, under which all telecommunications authorities, telecommunications business operators, domain name registrars and administrators and the Internet Society of China are required to report cybersecurity incidents (eg, malware, defacement, backdoor intrusion, phishing, vulnerabilities, destruction of information, denial of service attacks, abnormal domains, router hijacking, unauthorized access, spam, mixed cybersecurity incidents and other cybersecurity incidents) to the telecommunications regulatory authority or to the National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT). After verifying the incident report, CNCERT will issue a public notice to the relevant organizations and coordinate the participation of relevant government agencies, industry associations, network operators, research institutes and security organizations, as necessary (see question 28).
How do the government and the private sector cooperate to develop cybersecurity rules and procedures?
The Cybersecurity Act prescribes a general principle according to which the government should support companies, research institutions, universities and other organizations to participate in the formulation of national standards and industrial standards for network security. Private companies, research institutions, universities and other organizations are often involved in the development process of security standards. Experts from the relevant industry can be invited to participate in the technical committee to draft and revise these safety standards and, in some cases, draft standards to solicit comments are published.
Is insurance available for cybersecurity breaches in your jurisdiction, and is this type of insurance common?
Cybersecurity insurance is available in China; however, it is a relatively new product and only a limited number of insurers offer insurance with coverage for losses due to cyber attacks, data loss and other events related to cybersecurity.
What regulatory authorities are primarily responsible for enforcing cybersecurity rules?
In accordance with the Cybersecurity Act, the regulatory bodies with general responsibility for the supervision of cybersecurity in China include:
- the CAC;
- the Ministry of Industry and Information Technology (MIIT);
- the China Internet Network Information Center;
- the Ministry of Public Security; and
- the SAC.
With respect to particular industry sectors, individual regulatory authorities have substantial authority over the supervision of business-related activities, which encompasses cybersecurity preparedness, including:
- the CBIRC;
- the China Securities Regulatory Commission;
- the PBOC; and
- the NHC.
Other relevant authorities include the NISSTC, which was formed in 2002 under the Standardization Administration of China and is responsible for the development of technical standards for information security (see questions 3 and 15).
Describe the powers of the authorities to monitor compliance, conduct investigations and prosecute infringements.
Chinese government authorities have broad powers to supervise compliance by network operators, initiate investigations and, where appropriate, issue warnings and impose penalties on responsible entities and individuals. The powers of the applicable regulatory authority during investigations include the power to request documents, enter premises for inspection and interview relevant persons in order to collect evidence.
What are the most common enforcement issues, and how have regulators and the private sector addressed them?
For several years, enforcement actions under the criminal laws against the theft of PII have been reported, and remain frequent, in the public media, often involving large-scale campaigns against the theft and trafficking of misappropriated PII. Although most of these enforcement actions have involved domestic perpetrators, non-Chinese actors have sometimes also been affected, resulting in fines and imprisonment.
With respect to the enforcement of administrative regulations, the supervision of certain industry sectors (for example, the financial and telecommunications sectors) reflects a track record of strict enforcement of technical and procedural requirements. The applicable regulations provide for detailed examination of licensed entities, including initial certifications and periodic and ad hoc inspections, as well as requirements for periodic and event-based reporting. Failure to comply with regulatory requirements can trigger warnings, censure and fines for the entity or the responsible individuals. If the circumstances are considered serious, a regulatory authority may revoke the relevant entity's approval and personal qualifications, and even refer matters for criminal investigation.
Recently, new standards and obligations have been established or proposed to regulate a broader range of cybersecurity-related commercial activities. These efforts are typically led by the government and supported by the Chinese technical community, with opportunities for input from foreign companies and government agencies. This remains a highly dynamic area, and ongoing developments are being closely monitored by potentially affected companies, the legal community and other stakeholders.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
Failure to comply with obligations to implement relevant cybersecurity measures may give rise to regulatory sanctions, including rectification orders and warnings. In the event of a refusal to implement rectification measures, and if such failure has security consequences, the relevant party may be subject to fines, confiscation of illegal gains, suspension of operations and revocation of licenses. With respect to a company or other organization, the officials responsible for such a failure may also be fined. In the event of a serious infringement, the relevant parties may be subject to criminal investigation in accordance with the Criminal Law.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
In general, the laws and regulations of the People's Republic of China require timely notification of threats and breaches to the relevant regulatory authorities. Failure to comply with such requirements may give rise to administrative penalties. The new Cybersecurity Law also requires that notice be provided to the affected data subjects and to the competent regulatory authority in accordance with the regulations, without providing further details.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
Pursuant to Chinese law, the liability of companies and individuals and opportunities for private redress are essentially limited to the extent of contractual liability. In some cases, in the absence of a contractual relationship (eg, as between a network operator and an organisation or individual whose data has been lost or leaked), such organisation or individual may be entitled to assert tort liability. In such case, a network operator could be required to indemnify the aggrieved party for actual losses. In theory, the law also recognises the principle of compensation for serious mental suffering arising from infringement. However, in practice, the court has adopted a conservative approach in such determination and compensation for mental damage has rarely, if ever, been granted. Liability arising from such incidents has not received meaningful attention with respect to legislation, litigation or judicial interpretation in China. Accordingly, in the absence of specific contractual provisions, the relevant threshold for a determination of legal liability owing to unauthorised cyberactivity or failure to adequately protect systems and data would be uncertain.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Pursuant to the Regulations on Classified Protection of Information Security (effective since 22 June 2007), every information network operating in China is classified into one of five security grades (I-V), and is subject to graduated levels of security protection according to the security grade classification (see question 6 and ‘Updates and trends’).
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
The Cybersecurity Law requires all network operators to implement technical measures to monitor and record network operation status and cybersecurity incidents, and to preserve relevant web logs for at least six months.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
China maintains a centralised reporting programme (see question 17).
Cybersecurity incidents reporting includes the reporting of security incidents and security threats:
- a ‘security incident’ refers to any incident that has already occurred, which is further classified into four grades (ie, ‘extremely serious’, ‘serious’, ‘relatively serious’ and ‘general’); and
- a ‘security threat’ refers to any information that relates to potential security threats but has not given rise to actual harm and effect, or certain information about prevention based on incident analysis (classified into Grades I to IV, with Grade I representing the most serious category).
An entity that has a reporting obligation is required to classify the relevant cybersecurity incidents or threats into the proper classifications and report to the MIIT or CNCERT within the time limit specified by law, namely:
- ‘extremely serious’ or ‘serious’ incidents or the existence of Grade I or II security threats must be reported to MIIT and the relevant provincial branch within two hours, with a copy to CNCERT;
- ‘relatively serious’ incidents or the existence of Grade III security threats must be reported to MIIT and the relevant provincial branch within four hours, with a copy to CNCERT;
- the existence of Grade IV security threats must be reported within five business days of discovery to CNCERT, with a copy to the relevant provincial MIIT branch; and
- ‘general’ security incidents must be reported monthly to CNCERT, with a copy to the relevant MIIT provincial branch.
Incident reporting is required to include the following information:
- basic information about the entity;
- the time when the incident took place;
- a summary of the incident;
- preliminary estimate of harm and effect;
- measures that have been taken; and
- other related information.
Threat reporting is required to include the following information:
- description of the threat information;
- estimation of the potential harm;
- identification of the users and scope of possible effect;
- identification of the entity or person who is aware of such information as of the time of reporting; and
- recommended responses and measures.
Following the verification of the incident reporting, MIIT or CNCERT is to issue a public notice to the relevant organisations and coordinate various government agencies, industry associations, network operators, research institutes and security organisations, as required.
What is the timeline for reporting to the authorities?
See question 28.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
The new Cybersecurity Law mandates that notification be provided to the data subjects and the competent regulatory authority in accordance with regulations, without providing further detail. Except for the Cybersecurity Law, China has not established any measure requiring the reporting of cybersecurity threats or breaches to others in the industry, to customers or to the general public. See questions 24 and 28.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Recent key developments in cybersecurity include the publication of the following draft and final laws and regulations for public review and comment:
- April 2017 – draft Cryptography Law of the People’s Republic of China (Cryptography Law);
- April/May 2017 – draft Measures for the Security Assessment of Outbound Transfer of Personal Information and Important Data (Data Transfer Measures);
- May/August 2017 – draft Information Security Technology Guidelines for Cross-Border Data Transfer Security Assessment (Data Transfer Guidelines);
- July 2017 – draft Regulations on the Security Protection of Critical Information Infrastructure (CII Regulations);
- January/May 2018 – Personal Information Security Specification (GB/T 352730-2017) (PI Specification); and
- June 2018 – draft Regulations on the Classified Network Security Protection (Graded Network Classification Regulations).
On 13 April 2017, the Office of the State Commercial Cryptography Administration (OSCCA) published the draft Cryptography Law for review and comment. Significant highlights of the draft law include:
- The Cryptography Law categorises cryptography into ‘core cryptography’, ‘ordinary cryptography’ and ‘commercial cryptography’. Core cryptography or ordinary cryptography may be used to protect state secrets, and commercial cryptography may only be used to protect information that does not fall within state secrets. Export of core cryptography or ordinary cryptography outside of China is prohibited, and the import or export of ‘commercial cryptography’ is subject to the government approval. The Cryptography Law empowers the Ministry of Commerce, OSCCA and the PRC General Administration of Customs to jointly formulate and publish the Import/Export Catalogue of Commercial Cryptography for Administration.
- CII should employ cryptography to protect systems in accordance with applicable laws and regulations and national mandatory standards relating to cryptography, and cryptography protection systems must be planned, built and operated simultaneously with other systems of CII.
- If required for national security or for criminal investigations, the MPS, the Ministry of State Security and the relevant People’s Procuratorates may require telecommunications operators and internet service providers to provide technical support for decryption.
Data Transfer Measures
On 11 April 2017, the CAC released the draft Data Transfer Measures for review and comment, which were revised and republished on 19 May 2017. The draft measures are principally concerned with establishing a system for assessing the security of cross-border data transfers and setting up a two-tier assessment framework comprising network operator self-assessments and, where required, governmental assessments. A network operator self-assessment would include pre-transmission assessments and periodic assessments to be conducted annually. The Data Transfer Measures are especially significant because, for the first time, a specific framework has been put forward to guide the conduct of mandated security assessments, which would be expanded to encompass every ‘network operator’ and, by reference, any other person or entity involved in the provision of regulated data to an overseas destination.
Data Transfer Guidelines
Following the publication of the draft Data Transfer Measures, on 27 May 2017, the NISSTC released the draft Data Transfer Guidelines for review and comment, which were revised and republished on 30 August 2017. As compared with the Data Transfer Measures, these draft guidelines propose more detailed guidance with respect to the implementation of a security assessment programme. The network operator initiates the self-assessment by formulating a data export plan, which is required to set out the purpose, scope, type and scale of the data export, the IT system involved, the transit country and the destination, and the security control measures to be taken. The security assessment is intended to demonstrate that the proposed outbound transfer is lawful and justified, and that the risks are controllable. The degree of risk is to be assessed by taking into account both the characteristics of the data (eg, the volume, scope, type, sensitivity and technical measures) and the likelihood of security breach incidents, which requires an evaluation of the technical safeguards and management capabilities of both the data exporter and the recipient, as well as the legal and political environment of the destination country.
On 10 July 2017, the CAC published the draft CII Regulations for review and comment. Significant highlights of the draft regulations include expanding the conceptual scope of CII to encompass additional industrial sectors, establishing specified responsibilities for a CII operator’s ‘responsible person’ and establishing prerequisite qualification requirements for key technical personnel.
On 25 January 2018, the SAC published the PI Specification, effective from 1 May 2018. Significant highlights of the specification include an expanded definition of PI (including the establishment of the subcategory of ‘sensitive PI’) and of ‘PI controller’; the establishment of heightened requirements with respect to the collection, preservation, usage, disposition and other related PI-processing activities; the enumeration of PI subject rights; and the identification of expanded obligations for PI controllers.
Graded Network Classification Regulation
On 27 June 2018, the MPS published the draft Graded Network Classification Regulations for public comment. Significant highlights of the draft regulations include:
- establishment of a revised graded network classification system;
- a requirement for all networks to establish a comprehensive network cybersecurity protection system;
- networks of Grade II or above must pass a network expert review, with the results to be provided to the industry regulator for approval. In addition, any network of Grade II or above must be satisfactorily tested prior to use; and
- networks of Grade III or above must satisfy additional specified measures, including the provision of an annual report to the MPS and the restriction of maintenance work to within the PRC.