China’s New Cybersecurity Law
By Nick Akerman, Ray Liu (Beijing), Dan Goldberger (New York), and Peter Corne (Shanghai)
On November 7, 2016, the Standing Committee of China’s National People’s Congress promulgated the Cybersecurity Law of the People’s Republic of China (hereinafter referred to as the “CSL”), to become effective on June 1, 2017. While the law purports to create an overall national cybersecurity plan, its provisions, some of which are still vague, create significant potential uncertainties for companies doing business in China.
Among other ground-breaking requirements, Chapter 3 of the CSL introduces the concept of “Critical Information Infrastructure (CII)” and imposes enhanced security obligations on operators of CII. The CSL does not give a clear definition of CII. However, Article 31 does provide that “for critical information infrastructure in important industries and sectors, such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once vandalized, disabled or data disclosed, may severely threaten national security, national economy, people’s livelihood and public interests, the State gives them extra protection on the basis of the graded network security protection system.”
Notably, Article 37 of the law requires “an operator of critical information infrastructure” to “store, within the territory of the People’s Republic of China, the personal information and important data collected and generated during their operations.” In the event that such information has to be provided cross-border, it is required to be for “business reasons” only, and a “security assessment shall be conducted pursuant to the measures developed by the national internet information authority together with relevant departments of the State Council.” This new rule makes local storage mandatory and eliminates the option of storing business data outside of China if 1) the company falls within the definition of an operator of CII, 2) the data in question are personal information or “important data,” and 3) the data were collected and generated in China. The only exception to mandatory local storage would be submitting to the relevant government agencies and passing the “security assessment.”
A number of these terms remain vague and ambiguous and need to be further interpreted by the national internet information authority (the Cyberspace Administration of China, or “CAC”) and other competent agencies of the State Council. For instance, what is the specific scope of CII? How is “important data” defined? Under what circumstances will a cross-border transfer be deemed a “business need”? The CAC and the State Council will hopefully clarify these issues and promulgate guidance and procedures for the security assessment.
The law is also rife with broad and ambiguous terms that give the Chinese government the potential to restrict Internet freedom and pose practical problems for companies conducting business in China. For example, the law provides in various places that the security of any network is subject to the review and supervision of the government. It is also unclear which government department is responsible for administering various aspects of this program, as the law refers simply to “other relevant departments,” or which rules apply, as it refers to “applicable laws and administrative regulations” and “mandatory requirements of national standards.” However, it is clear that the CAC and the State Council at the central level will play a significant role, and that the security standard is to be interpreted in the context of the State Security Law of the People’s Republic of China, which took effect on July 1, 2015.
Despite these concerns, the CSL shares many of the same fundamentals adopted in the United States, including, most importantly, a strong data compliance program and a series of privacy protection requirements. While the Cybersecurity Law is new to China, the Law’s framework and concepts should not be new to multinational corporations that have been dealing with these issues for years in the United States. This is a good thing, as it will allow companies to more easily adapt their existing cybersecurity programs in China to comply with this new law. In the United States, governmental regulation of data security is trending toward the requirements of a seven-step effective data compliance program. Below, we provide a comparison between the seven steps mandated under United States law for an effective data security compliance program and similar measures set forth in the new Cybersecurity Law.
COMPARISON OF THE CYBERSECURITY LAW TO U.S. DATA COMPLIANCE STANDARDS
SEVEN COMPLIANCE STEPS MANDATED BY US LAW AND CORRESPONDING REQUIREMENTS IN THE CYBERSECURITY LAW
1. Promulgate standards and procedures.
Article 21: “The State adopts graded system for cybersecurity protection, under which network operators are required to perform” … “security protection obligations to protect the network from interference, disruption or unauthorized access and protect network data from disclosure or theft or alteration”
Article 22: “Network products and services shall satisfy the mandatory requirements set forth in applicable national standards.”
Article 40: “Network operators shall keep the user information they collect in strict confidence, and shall establish and improve user information protection system.”
Takeaway: Companies will be required to have clear policies and procedures to protect data and information, and those policies and procedures must comply with national standards.
2. Establish high-level corporate oversight, including by the board of directors, which must provide adequate funding of the program in proportion to the size of the company and the risk.
Article 21: “Formulate internal security management systems and operating rules, determine persons responsible for network security, and implement network security protection responsibility.”
Takeaway: Companies must identify and empower the relevant stakeholders and place overall control of data security in the hands of an individual or a small group of individuals.
3. Place responsibility with individuals who do not pose a risk for unethical behavior.
Article 15: “The State establishes and perfects the standard system for cybersecurity. The competent administrative department of the State Council for standardization and other relevant departments of the State Council shall, within their respective duties, organize development and appropriate revision of national and industrial standards regarding cybersecurity administration and network products, services and operation security.”
Article 34: “set a dedicated security management body and person in charge, and review the security backgrounds of such person and those in key posts.”
Takeaway: Companies must carefully select and scrutinize the individuals in charge of data security compliance. Not only must they pose no risk of unethical behavior, but they must also be trained and certified in cybersecurity expertise.
4. Communicate standards and procedures to the entire workforce.
Article 54: “When the risk of network security incidents increases, the relevant departments of people’s governments at the provincial level and above shall follow the scope of authority and procedures provided, and employ the following measures on the basis of the network security risk’s characteristics and the harms it might cause:
(1) Require that relevant departments, institutions and personnel promptly gather and report relevant information and strengthen monitoring of the occurrence of network security risks;
(2) Organize relevant departments, institutions and specialist personnel to conduct analysis and assessment of information on the network security risk, and predict the likelihood of an incident’s occurrence, the scope of its impact and its level of harm;
(3) Publish network security risk warnings to the public, and publish measures for avoiding or reducing harms.”
Takeaway: Data security affects everyone and companies must have clear standards and procedures that are communicated effectively to the entire workforce.
5. Conduct periodic audits of the effectiveness of the data security compliance program.
Article 15: “The State establishes and perfects the standard system for cybersecurity. The competent administrative department of the State Council for standardization and other relevant departments of the State Council shall, within their respective duties, organize development and appropriate revision of national and industrial standards regarding cybersecurity administration and network products, services and operation security.”
Article 38: “The operators of critical information infrastructures shall conduct, at least once a year, examination and assessment on their network security status and potential risks, or authorize network security service providers to do so, and submit the results and rectification plans to competent authorities in charge of the security of critical information infrastructures.”
Article 39 provides for spot testing.
Takeaway: Audits are extremely important. Without testing the efficacy of the compliance program, companies will not be able to assess its effectiveness until it is too late, i.e., after a data breach has occurred.
6. Consistently enforce the policies.
Article 39: “periodically organize critical information infrastructure operators to conduct emergency network security response drills, increasing the level, coordination, and capacity of responses to network security incidents.”
Takeaway: Without consistent enforcement, policies have minimal effectiveness. To ensure a robust data security compliance program, policies must be enforced at every level of the company.
7. Establish mechanisms for reporting violations.
Article 47: “Network operators shall strengthen management of information published by users, and upon discovering information that the law or administrative regulations prohibits the publication or transmission of, they shall immediately stop transmission of that information, employ handling measures such as deleting it, to prevent the information from spreading, save relevant records, and report it to the relevant competent departments.”
Takeaway: Companies must rely on their employees to carry out and enforce data security policies. However, without established mechanisms to identify and report violations, data security can lapse.
OTHER COMPARISONS TO U.S. LAW
• A key to an effective compliance program is involving and coordinating all stakeholders in the protection of data. The CSL references establishing “a network governance system that is multilateral, democratic and transparent.”
• Similar to the regulations in the United States, the Cybersecurity Law protects both individual “privacy” and a company’s “intellectual property.” See Articles 12 and 15.
• Article 22 of the CSL states that, “When a network product or service has ability to collect user information, its supplier shall clearly inform users and get user consent; when collecting personal information of citizens, the collectors shall abide by the provisions of this Law and relevant laws and administrative regulations on protection of personal information of citizens.” This is the case in nearly every state in the United States.
• In the United States, regulations adopted in Massachusetts for personal data set the standard for encrypting and storing personal data. The CSL has a similar approach, but it occurs at the national level: “The State will set up and improve the cybersecurity standards system.” See Article 15.
• Article 23 provides “Critical network equipment and special purpose cybersecurity products can be sold only after they are accredited by a qualified institution through a security certification or found compliant with security test requirements per the mandatory requirements of relevant national standards or industry standards.”
• Similarly, Article 21 of the CSL provides that a network operator is required to “adopt technological measures for monitoring and recording network operational statuses and network security incidents, and store network logs for at least six months.”
CROSS BORDER MOVEMENT OF DATA
• As mentioned above, Article 37 provides that “An operator of critical information infrastructure shall store within the territory of the People’s Republic of China personal information and important data collected and generated during its operation within the territory of the People’s Republic of China. Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the national internet information authority together with competent departments of the State Council, unless otherwise provided in laws and administrative regulations, in which case such laws and administrative regulations shall prevail.”
• While there is no identifiable standard in the United States for cross-border movement of data, the European Union has strict standards that all United States multinational corporations must follow.
• In the United States, nearly every state has laws that require companies to notify consumers if there is reason to believe there has been an unauthorized breach of personal data, e.g., social security numbers, bank account numbers, and credit card numbers. The purpose of these laws is to provide consumers with this information so they can take the necessary steps to protect their personal data, such as changing account numbers, to avoid becoming victims of identity theft.
• Article 42 of the CSL has similar requirements: “The network operators shall not disclose, falsify, or damage personal information of citizens they collect. Without consent of information owners, the operators shall not provide such personal information to others, except where information after processed cannot identify specific persons and cannot be restored. The network operators shall take technical measures and other necessary measures to ensure the security of personal information of citizens, and prevent the divulgence, damage or loss of personal information of citizens they collect. When the divulgence, damage or loss of such information occurs or will possibly occur, remedial measures shall be taken immediately while informing the users possibly affected, and informing the competent department per the rules.”
• Article 76 also defines personal information: “personal information refers to various information which is recorded in electronic or other forms and used alone or in combination with other information to recognize identity of natural person, including but not limited to name, date of birth, ID number, personal biological identification information, address and telephone number of such natural person.”
• It should also be noted that there are numerous existing laws and regulations protecting data privacy and customer and personal information, stemming either from general rules or from sector-specific legislation covering, for example, the financial, telecom and internet, health, and postal industries.
UNAUTHORIZED ACCESS STANDARD
• In the United States, a key issue in addressing data and security breaches is access to the computer system, in particular whether an individual had authorized or unauthorized access. Article 27 of the CSL squarely addresses this issue: “Individuals and/or organizations shall not engage in any activities that threaten network security, including but not limited to unauthorized intrusion into networks, interfering normal network functions or stealing network data, or provide programs or implements for such intrusion, interference or stealing, or, if they are aware of such threatening activities, provide any help including but not limited to technical support, advertisement, payment or settlement.”
AGREEMENTS WITH THIRD PARTIES
• In the United States, we regularly encourage companies to enter into agreements with third party data vendors such as cloud providers to securely store sensitive data and information. Article 36 of the CSL takes the same approach: “The operators of critical information infrastructures shall, in the purchase of network products and services, sign agreements with the product/service providers in which obligations for security and confidentiality shall be specified.”