Cyber Trends in China
Cyber requirements in China
China's Cybersecurity Law (CSL), which came into effect on 1 June 2017, is the first national law for regulating cybersecurity and data privacy. The CSL expands the Chinese government's authority to regulate many activities that were previously unregulated or addressed only in a sector-by-sector fashion.
The CSL imposes a series of affirmative cybersecurity requirements on network operators, broadly defined as owners and managers of networks and network service providers. These requirements are described under the following articles:
- Article 10: Safeguard the cybersecurity and stable operations of networks; effectively respond to security incidents; prevent illegal and criminal cyber activities; and maintain the integrity, confidentiality, and availability of network data.
- Article 21: Implement specified controls to protect networks from disturbance, damage, or unauthorised access and protect data from being divulged, stolen or altered. These controls include:
  - formulating an internal security management system and operating procedures, determining the persons in charge of network security and performing network security protection obligations;
  - adopting technical measures to prevent malware and network intrusions;
  - adopting technical measures to monitor and record network operation status and network security incidents, including retaining the relevant network logs for at least six months;
  - implementing additional controls in key areas, including data classification, backups and encryption of important data; and
  - complying with other obligations prescribed by law and administrative regulations.
- Article 25: Develop incident response plans and use such plans to respond to any cybersecurity incident that occurs; respond to security risks in a timely manner; take appropriate remedial measures to respond to cybersecurity incidents; and report any incident to the competent authorities.
Under Article 27, the CSL also prohibits network operators from taking certain actions, including: engaging in or providing programs or tools for activities endangering network security, such as illegally intruding into others' networks; disturbing the normal function of others' networks or stealing network data; and knowingly providing technical support, advertising, promotion, payment settlement, or any other assistance to any individual or organisation engaging in activities that endanger network security.
On 2 July 2020, China released the draft Data Security Law for public comment. The draft Law focuses on the protection of important data, defined as data that, once leaked, may directly affect China's national security, economic security, social stability, or public health and security. The draft Data Security Law also mandates that entities carrying out data activities establish a system to ensure data security and enhance their risk-monitoring capabilities.
China also released the draft Personal Information Protection Law (the Draft PIPL) on 21 October 2020, which, once enacted, will become China's first comprehensive law in the area of personal information protection. The Draft PIPL specifically requires individuals and organisations processing personal data to adopt organisational and technical security measures to prevent data breaches.
Multi-Level Protection Scheme
In 2007, the Ministry of Public Security (MPS) promulgated the Administrative Measures for the Multi-Level Protection Scheme of Information Security (MLPS 1.0), a regulation designed to impose enhanced cybersecurity requirements on the most critical infrastructure information systems in China.
After the promulgation of the CSL in 2016, the MPS was tasked with updating the MLPS 1.0 to fit into the broader framework established by the CSL. On 27 June 2018, the MPS released a draft of the Regulations on Cybersecurity Multi-Level Protection Scheme (the Draft MLPS Regulation) for public comment. Based on the current Draft MLPS Regulation, once enacted, the updated regulation will impose additional specific cybersecurity requirements on network operators.
All network operators will be required to have a cybersecurity programme with a series of specified policy and technical controls, including (1) limiting access to systems and data; (2) providing cybersecurity training for relevant employees; (3) ensuring personal information is encrypted; (4) establishing various monitoring and logging capabilities; and (5) establishing processes for reporting cybersecurity incidents.
The network operators responsible for the systems identified as the most critical in China will be required to meet additional and more stringent requirements, including (1) appointing a member of senior management to be responsible for cybersecurity; (2) formulating an overarching cybersecurity plan and data integrity protection strategy that is reviewed and approved by professional technical personnel; and (3) conducting annual classification testing on networks and reporting the results of that testing and any remediation measures to the MPS and other relevant regulators.
Other MPS regulations
On 30 September 2018, the MPS released the Regulation on Internet Security Supervision and Inspection by Public Security Organs, which establishes that the MPS (and its local forces, commonly referred to as public security bureaus or PSBs) has the authority to conduct cybersecurity inspections of companies that provide a broad range of internet services in China.
These inspections are designed to determine whether the company has met the MPS' requirements for companies that provide internet services in China, including whether the company has (1) implemented internal cybersecurity programmes and appointed an officer in charge of cybersecurity; (2) recorded and retained registration information and web logs of users; (3) taken measures to prevent computer viruses and cyberattacks; (4) taken measures to prevent the transmission and publication of illegal content; and (5) cooperated and provided assistance to PSBs in investigations relating to national security, terrorism and crimes.
In addition to the requirements specified in the CSL and MPS regulations, there are sector-specific requirements relating to cybersecurity, most of which pre-date the CSL. It remains unclear if and how the post-CSL regulations implemented by the MPS will affect these requirements.
Healthcare service providers that collect and store population health information and health and medical big data are required to establish disaster recovery and data backup systems and to conduct regular backup and recovery testing. Healthcare service providers are required to implement additional measures protecting health and medical big data, including adopting verification and access control measures, standardising data access management and establishing accountability measures for data breaches or other cybersecurity incidents.
All banking financial institutions are required to implement a series of controls for data protection and cybersecurity, including establishing effective internal control systems, adopting effective technical measures to prevent data breaches, implementing training programmes and requiring all personnel who handle personal financial information to sign non-disclosure agreements and keep personal financial information confidential.
All credit reporting institutions are required to establish internal security policies and procedures and to adopt effective technical measures to protect data security.
All bank card clearing institutions are required to ensure the security of infrastructure used for bank card clearing services, comply with the MLPS regulations, use commercial encryption products that are approved by the government and not outsource core business systems. Financial institutions are required to keep confidential consumer information and take technical measures to ensure that the consumer information is not lost, damaged, leaked or tampered with. If a security incident occurs, financial institutions are obligated to take remedial measures and notify consumers.
In addition to the national and sector-specific regulations, China also has a series of cybersecurity-related national standards. Although they are not legally binding, the Chinese government has recently begun to emphasise their importance and, as such, these national standards can serve as an important barometer of the varying agencies' interpretations of laws and regulations.
The government body responsible for issuing national information security standards, the National Information Security Standardisation Technical Committee, has issued a wide range of information security technology standards (commonly known as TC260 standards) to address a wide range of data protection and cybersecurity topics, some of which provide detailed guidelines for implementing cybersecurity and data privacy requirements as specified in the CSL.
In particular, the TC260 standard GB/T 35273-2020 Information Security Technology – Personal Information Security Specification, which is commonly referred to as 'the Standard', is one of the most cited standards released after the CSL. The Standard includes detailed security protection requirements for data controllers who collect, use, store, share, transfer and publicly disclose personal information; it also includes cybersecurity guidance, including guidance relating to breach notification.
In addition, to implement the updated MLPS framework introduced under the CSL, TC260 has also released a set of new national standards, such as GB/T 22239-2019 Information Security Technology – Baseline for Cybersecurity Multi-level Protection Scheme, providing detailed technical and organisational controls that network operators at each MLPS level must implement.
Incident notification requirements
CSL personal data breach notification requirements
China's incident notification framework is still taking shape. The CSL generally requires network operators to notify competent authorities and affected individuals of any actual or suspected leakage, loss or damage of personal data. In addition, the Standard provides further guidance on the content and timing of the notifications. Under the Standard:
- notification to a government agency shall include:
  - types of affected data subjects;
  - the volume, content and types of the data breached;
  - the potential impact of the incident;
  - the measures already taken or that will be taken in response to the incident; and
  - the contact information for the personnel handling the incident; and
- to the extent that the data breach may cause serious harm to the legitimate rights and interests of the affected individuals, network operators shall notify these affected individuals and such a notification shall include:
  - the content breached;
  - the potential impact of the incident;
  - the measures already taken or that will be taken in response to the incident;
  - suggestions for individuals to prevent and mitigate risks posed by the incident;
  - remedial measures offered to individuals; and
  - contact information for the personnel and office responsible for personal information protection.
In addition, as explained below, the Ministry of Industry and Information Technology (MIIT) and the Cyberspace Administration of China (CAC) have also issued separate regulations setting out incident response requirements that apply to cybersecurity incidents that do not involve personal data. Some of the requirements in these frameworks are vague and may overlap, and it is currently unclear if and how regulators will enforce these requirements.
The draft Data Security Law and the Draft PIPL also introduce certain new incident response requirements. The draft Data Security Law requires entities that carry out data activities to take remedial measures immediately after vulnerabilities are discovered and, when a security incident occurs, notify users and the competent regulator in accordance with regulatory rules in a timely manner.
For breach of personal data, the Draft PIPL specifically sets out that the notification to the affected individuals and the competent regulator shall include:
- the cause or causes of the data breach;
- the categories of the breached personal data and any potential damages caused by such a breach;
- remediation measures that have been taken;
- risk-mitigation measures that individuals may consider taking; and
- contact details of the processing entity.
Therefore, China's existing incident response rules may be subject to changes after the draft Data Security Law and Draft PIPL are enacted.
Regulations and emergency response plans
The Provisions on Protecting the Personal Information of Telecommunication and Internet Users (the MIIT Regulation) require telecommunications operators and internet information service providers to notify regulators without delay if an actual or potential data breach has resulted in, or may result in, serious consequences.
The Emergency Response Plan for Unexpected Incidents on Public Internet (the MIIT Emergency Response Plan) requires basic telecommunications service providers, domain name registration and service providers, and internet companies to notify the provincial telecommunications regulator and the MIIT Emergency Response Office immediately when cybersecurity incidents occur.
The National Cybersecurity Emergency Response Plan (the CAC Emergency Response Plan) requires network operators to report any major cybersecurity incident to the State Cybersecurity Emergency Response Office immediately.
Conducting cyber investigations in China
Cybersecurity investigations – whether in response to data breaches, unauthorised access to information systems or networks, or product-related, cyber-physical or destructive attacks – generally involve both traditional and cyber-specific investigation techniques; many of these techniques are also applicable when conducting investigations in China.
Traditional investigation techniques
In investigations outside China, particularly those in the United States and Europe, external counsel is often retained to direct and manage investigations, resulting in many post-event communications and certain work-product being protected under applicable legal privileges to the maximum extent possible. Similarly, external counsel can help oversee the issuance of preservation and document holds to assist clients in preserving potentially relevant documents and data, including forensic images and log data relating to the cyber incident.
Although external counsel can assist clients in China in protecting post-event communications and work-product, there are additional unique challenges. Attorneys are prohibited from sharing confidential client information with third parties, but China does not otherwise recognise the attorney–client privilege or the work-product doctrine. In addition, everyone in China can be compelled to disclose information to Chinese law enforcement – including attorneys – or to testify in Chinese courts.
Note that even though involving a qualified foreign attorney working in China in investigations will not change the fact that attorney–client privilege is not recognised in China, doing so can help to ensure that legal privileges available in other jurisdictions remain protected.
In global investigations, including investigations in China, external counsel is often responsible for leading efforts to develop a clear understanding of the cyber incident to inform an appropriate response and to assess legal obligations and risks. Typically, external counsel assist with interviewing key witnesses to uncover noteworthy facts relevant to the investigation, particularly those facts that cannot be readily or adequately discovered through document review or forensic analysis. For example, witness interviews may be helpful in determining the types of data contained within a compromised email account or stored on a specific server that has been accessed by an attacker. When conducting interviews with Chinese-speaking witnesses, it is key to ensure that at least one interviewer has proficiency in Chinese, even if both the interviewer and the witness speak fluent English; otherwise, key concepts – including technical details – may inadvertently be lost in translation. External counsel also may be responsible for reviewing documents, either manually or through an e-discovery platform. Depending on the nature of the cyber incident, the volume of documents may range from small batches of information security policies to all user-generated documents belonging to multiple custodians located in many different countries.
Coordination and management
In China and globally, external counsel often serve as lead or supporting coordinators for a client's global response to an incident. Clients very often rely on external counsel to manage an entire response, including the forensic investigation, which often involves coordinating with various client departments and stakeholders globally (e.g., legal, information technology, information security, corporate governance, communications and human resources).
In addition to the standard investigation practices described above, in global cyber investigations, external counsel may use specialist techniques to investigate cybersecurity incidents.
Vendor selection, retention and management
As an initial matter, external counsel often retains appropriate third-party vendors to assist in the client's post-incident investigation, especially if the client does not have the adequate expertise or resources to respond to a specific cyber incident. Because these vendors serve as 'deputies' under external counsel's supervision, in some countries, including the United States, these vendors' work-product and communications with the client may be protected by legal privilege. Moreover, if specialist vendors are required to assist in a client's investigation, external counsel often is responsible for managing and coordinating these vendors – and, for complex cases, many vendors may be required. For instance, a client may need specialist vendors to (1) conduct forensic examinations of the client's networks and systems; (2) defend the client's networks and systems against further intrusion; (3) assist the client in preserving the affected systems; and (4) conduct open-source and dark web searches to learn more about the individuals or groups potentially responsible for the incident and to identify client data that may have been disclosed in the incident.
Depending on the location of the vendor, the external counsel and the client may also need to consider China's cross-border data transfer requirements. The CSL requires a Critical Information Infrastructure (CII) operator to store personal information and important data collected or generated in the course of operations within China. If a client is considered a CII operator, it may be restricted from transferring data to vendors outside of China. Apart from the specific requirements for CII, China has also released draft rules governing cross-border data transfer by non-CII operators. Once these rules are finalised, the data transfer to vendors outside of China will be subject to additional restrictions.
In China, external counsel can assist clients in vendor selection, retention and management. This is true even though China does not recognise legal privileges (e.g., the attorney–client privilege or the work-product doctrine), particularly because, as discussed above, involving a qualified foreign attorney working in China in investigations can help to protect the investigation under applicable legal privileges outside China.
Assessing legal requirements
In many countries, including China, counsel are also often responsible for conducting assessments of any applicable post-incident legal requirements and assessing associated legal risk. For example, external counsel may be responsible for helping a client ensure its incident response complies with any applicable jurisdiction-specific regulatory requirements (including the China-specific requirements described above); advising on potential employment consequences for employees who are ultimately deemed to have participated in or facilitated the cyber incident; and considering whether any available insurance may assist the client in recovering some of the costs of responding to the incident. In addition, external counsel are frequently involved in assessing legal risks that span multiple jurisdictions, such as the risks associated with data transfers from one jurisdiction to another; this may arise, for instance, when a client would like to conduct forensic analysis in the client's home country but the relevant data resides in another country. In that situation, external counsel can evaluate legal requirements that must be met before a cross-border data transfer can occur and advise clients on the potential risks associated with the transfer. In addition, counsel may evaluate obligations to notify the affected individuals, business customers, partners and service providers, and regulators of the incident.
Finally, and crucially, in global cybersecurity investigations in China and throughout the world, external counsel often serve as the lead contact with relevant regulators and law enforcement agencies interested in obtaining information about the incident, which can include providing an initial notification of the incident, sharing indicators of compromise and other relevant forensic data, and overseeing the client's response to follow-up requests from regulators and law enforcement. For example, in China, external counsel may assist clients in notifying any applicable regulators, including local PSBs, of a cyber incident. External counsel may also assist the client with any subsequent law enforcement investigation.
Recent notable cybersecurity incidents involving Chinese companies
Zhengzhou Sias University
In May 2020, it was reported that Excel spreadsheets containing the personal data of around 20,000 students at Zhengzhou Sias University had circulated widely on social media platforms. The leaked personal data included the students' names, ID numbers, ages, majors and dorm room numbers. Some students received spam calls after the incident. The police launched an investigation after the incident.
Foxit
Foxit, the developer of Foxit PDF Reader and Editor, notified users in 2020 that its server had been hacked and that certain data had been accessed without authorisation. Foxit stated that the hackers may have accessed users' personal data, such as user names, e-mail addresses, phone numbers, user accounts, passwords and IP addresses.
Active regulators in China
Although the regulatory environment in China is still developing, it is clear that certain regulators will have particularly active roles in data protection and cybersecurity.
Under Article 8 of the CSL, the MPS and PSBs are responsible for the protection, supervision and administration of network security. As has already been discussed, the MPS and PSBs are in charge of enforcing the requirements under MPS-issued regulations; in addition, under Article 253a of the Criminal Law, the MPS and PSBs are tasked with investigating crimes involving the illegal obtaining and use of personal information.
The CAC is expected to play a critical part in future cyber investigations. Under Article 8 of the CSL, the CAC is responsible for coordinating issues of network security. In addition, under the CAC Emergency Response Plan, the CAC is responsible for coordinating and leading the government's response to cybersecurity incidents.
As the regulator for the telecommunications industry, the MIIT has traditionally focused on cybersecurity and data privacy protection in that industry under rules pre-dating the CSL. However, Article 8 of the CSL clearly states that the MIIT has the authority to implement the CSL within the scope of its regulatory duty. As a result, the MIIT may actively enforce the MIIT Emergency Response Plan when security incidents affect the telecommunications industry.
1 Yan Luo and Ashden Fein are partners, and Zhijing Yu and Moriah Daugherty are associates, at Covington & Burling LLP.
2 'Population health information' is defined as basic demographic information, medical and healthcare services information, and other population health information generated by medical, healthcare and family planning services agencies of all types and at all levels. See Article 3, Administrative Measures for Population Health Information (Trial).
3 'Health and medical big data' is defined as health and medical data generated in the course of disease control and prevention as well as health management. See Article 4, State Administrative Measures on the Standard, Security and Service Regarding Health and Medical Big Data.
4 Article 9, Administrative Measures for Population Health Information (Trial), released by the National Health and Family Planning Commission (the current National Health Commission) on 5 May 2014. See also Article 18 of the State Administrative Measures on the Standard, Security and Service Regarding Health and Medical Big Data, released by the National Health Commission on 12 July 2018.
5 ibid., Article 23.
6 Article 3, Notice to Urge Banking Financial Institutions to Protect Personal Financial Information, released by the People's Bank of China on 21 January 2011.
7 Article 22, Administrative Regulations on the Credit Reporting Industry, released by the State Council on 21 January 2013.
8 Article 4, Administrative Measures for Bank Card Clearing Agencies, released by the People's Bank of China and the China Banking Regulatory Commission (the current China Banking and Insurance Regulatory Commission) on 8 June 2016.
9 See Implementing Measures of the People's Bank of China for the Protection of Financial Consumers' Rights and Interests, released by the People's Bank of China on 15 September 2020, and which took effect on 1 November 2020.
10 The MIIT Regulation does not define 'serious consequences' and thus the definition is presently unclear.
11 'Unexpected incidents' are defined as network interruptions, system failures, data breaches or spreading viruses caused by cyberattack, intrusion or malware that have or may result in severe social damage or other consequences and that will require the telecommunications regulator to take responsive action.
12 According to Article 1.4 of the CAC Emergency Response Plan, major cybersecurity incidents shall be determined based on damage to networks, threats to national security, and effects on social order, economic development and public interest.