Data must stay in China to get classified protection under Cyber Security Law?

Compliance can be an obligation or a privilege.  An obligation means the basic requirements that must be met; falling short of any of them may subject you to punishment.  A privilege means extra benefits that are nice to have; falling short of any of them could make you less competitive.


Classified protection (“CP”) is both an obligation and a privilege under China’s Cybersecurity Law (“CSL”).  If certified under CP, a company has prima facie evidence that its network system meets some basic security obligations under the CSL.  The loopholes that have been red-flagged can then be plugged.  With those obligations satisfied, the company can fend off some possible investigations or punishments that would otherwise result from loopholes in its cybersecurity.  However, CP does not come without “shortcomings”, one of which is that you may need to store your data in China, which could be worrisome for non-Chinese enterprises.


How is CP conducted?


Under CP, network systems are graded from Level 1 to Level 5.  The higher the level, the more requirements there are to comply with.  The certification entities (which need certification licenses) test a network system, decide which level it belongs to, and advise where the vulnerabilities are.  However, a certification entity is not allowed to provide rectification services, just as a referee cannot simultaneously be a player; the rectification services must be provided by rectification entities, which tackle the vulnerabilities in the IT, processes and control measures of the network system.  Although a rectification entity does not need a license for its rectification services, it has to have capacity in both IT and risk management.



Why is CP important?


Simply put, CP can help plug loopholes and tackle vulnerabilities in network systems.  The counterexamples below show what is at stake.


Case #1:


In February 2018, the code-hosting service GitHub was hit by a distributed denial of service (DDoS) attack which peaked at 1.35 Tbps via 126.9 million packets per second.


According to a statement, the incident occurred on February 28, persisted for around nine minutes, and originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.


“The first portion of the attack peaked at 1.35 Tbps [between 17:21 and 17:30 UTC] and there was a second 400 Gbps spike a little after 18:00 UTC,” said Sam Kottler, manager of Site Reliability Engineering.


According to Wired, this attack was even larger than the peak of the 2016 attack on Dyn.


By the end of February 2018, there were 25,000 Memcached servers in China exposed on the Internet.


If the systems in China running Memcached servers had gone through CP under the CSL, such incidents could most probably have been avoided.
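The exposure that made Memcached servers usable in the GitHub attack comes down to two launch settings: which address the daemon listens on and whether its UDP port is open.  The following checker is an added example, not code from the article or from the Memcached project; it audits a Debian-style memcached.conf or a memcached command line for those settings.  The two sample configurations are constructed, and the assumption that UDP is on by default is correct only for memcached releases before 1.5.6 (later releases default to UDP off), so pass the flag that matches the version deployed.

```python
"""Audit a memcached launch configuration for Internet exposure.

Added example (not from the original article). The two settings that decide
whether an instance can be reached from outside the host and abused for UDP
reflection are the listen address (-l / --listen) and the UDP port
(-U / --udp-port). The sample configurations below are constructed.
"""
from __future__ import annotations

import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_PORT = 11211
SEVERITY_ORDER = ["OK", "LOW", "HIGH", "CRITICAL"]


def parse_options(config_text: str) -> list[tuple[str, str | None]]:
    """Return (flag, value) pairs from a Debian-style memcached.conf
    (one option per line, '#' comments) or from a memcached command line."""
    opts: list[tuple[str, str | None]] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("--") and "=" in tok:        # --udp-port=0
                flag, value = tok.split("=", 1)
                opts.append((flag, value))
                i += 1
            elif tok.startswith("-"):                      # -U 0 / -l 127.0.0.1 / -d
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                if nxt is not None and not nxt.startswith("-"):
                    opts.append((tok, nxt))
                    i += 2
                else:
                    opts.append((tok, None))
                    i += 1
            else:                                          # e.g. the binary name
                i += 1
    return opts


def host_of(addr: str) -> str:
    """Strip an optional :port suffix ('127.0.0.1:11211', '[::1]:11211')."""
    addr = addr.strip()
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":", 1)[0]
    return addr


def audit(config_text: str, udp_default_enabled: bool = True) -> dict:
    """Evaluate the configuration and return bind details plus findings.

    udp_default_enabled is an assumption about the memcached build in use:
    releases before 1.5.6 listened on UDP 11211 unless -U 0 was given; later
    releases default to UDP off. Check the defaults of the version deployed.
    """
    listen: list[str] = []
    udp_port = DEFAULT_PORT if udp_default_enabled else 0
    tcp_port = DEFAULT_PORT
    for flag, value in parse_options(config_text):
        if flag in ("-l", "--listen") and value:
            listen.extend(host_of(a) for a in value.split(","))
        elif flag in ("-U", "--udp-port") and value is not None:
            udp_port = int(value)
        elif flag in ("-p", "--port") and value is not None:
            tcp_port = int(value)

    public = [a for a in listen if a not in LOOPBACK]
    reachable = not listen or bool(public)    # no -l means bind to every interface
    findings: list[str] = []
    if not listen:
        findings.append("HIGH: no -l/--listen given; memcached binds every interface")
    elif public:
        findings.append(f"HIGH: listens on non-loopback address(es) {public}; "
                        f"TCP {tcp_port} reachable unless firewalled")
    if udp_port and reachable:
        findings.append(f"CRITICAL: UDP port {udp_port} enabled on an externally reachable "
                        "bind; the instance can serve as a reflection/amplification source")
    elif udp_port:
        findings.append(f"LOW: UDP port {udp_port} enabled (loopback only); "
                        "set -U 0 unless a local client needs UDP")
    if not findings:
        findings.append("OK: loopback-only listener with UDP disabled")
    return {"listen": listen, "udp_port": udp_port, "tcp_port": tcp_port,
            "findings": findings}


def worst_severity(config_text: str, udp_default_enabled: bool = True) -> str:
    """Highest severity among the findings ('OK', 'LOW', 'HIGH' or 'CRITICAL')."""
    levels = [f.split(":", 1)[0] for f in audit(config_text, udp_default_enabled)["findings"]]
    return max(levels, key=SEVERITY_ORDER.index)


# Constructed samples: a typical pre-2018 deployment bound to all interfaces
# with the UDP default left in place, and the hardened equivalent.
EXPOSED_CONF = """
-d
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """
-d
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for finding in audit(conf)["findings"]:
            print("  ", finding)
```

A loopback-only bind with `-U 0` is the configuration a rectification entity would normally ask for; where the cache must be shared across hosts, bind it to an internal address and rely on a firewall that drops inbound 11211 from the Internet, which the checker flags as HIGH rather than OK because the protection then lives outside the configuration being audited.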


Case #2:


In 2015, Fiat Chrysler issued a safety recall affecting 1.4 million vehicles in the US after security researchers showed that one of its cars could be hacked.  The researchers had taken control of a Jeep Cherokee via its internet-connected entertainment system.  As a result, Chrysler issued a voluntary recall to update the software in the affected vehicles.


From the cases above, you may realize that CP or a similar risk management system is not just something nice to have.  It is insurance, a golden shield with which to manage risks and fend off liabilities.


CP is a compliance threshold for network security.  Different network systems have their own peculiar features.  CP for a code repository like GitHub should differ from CP for autonomous driving in many dimensions, such as how levels are determined and how vulnerabilities are dealt with.  It would be advisable to develop CP guidance for particular industrial sectors such as autonomous driving.



Is CP compulsory?


The answer is yes for any network operator, and basically every business operator with a network is a network operator, whether or not it is a critical information infrastructure operator (“CIIO”).  The CSL provides for a compulsory CP test for a CIIO once a year.


The CSL defines a CIIO as a network system in the sectors of public telecommunication and information service, energy, communication, water resources, finance, public service and electronic public service.  If sabotaged, a CIIO could suffer great and irreparable damage, and cause such damage to the entities around it.  China is drafting implementation rules for the CSL to give a clear definition and description of CIIOs.


CP is compulsory for non-CIIOs as well.  If a system is graded Level 3 or above, CP must be conducted at least once a year.  Although many non-CIIOs have not yet undertaken CP despite the legal requirements under the CSL, some have done so to gain the privilege of extra protection against being hacked and against being punished, especially those which rely on the Internet to deliver their products and services.  It can be foreseen that enforcement against non-CIIOs will be tightened as law enforcers gain experience and the implementation rules become more sophisticated and practical.



Case #3:


On July 22, 2017, the website of a “teacher development platform” in Sichuan was hacked.  The local cybersecurity department found that the website had not carried out CP compliance since its launch; evidently, the cybersecurity department took the view that the hacking could have been stopped if the platform had adopted appropriate control measures.  As such, the local authority imposed an administrative punishment on the website operator with a fine of 10,000 RMB.


If a platform refuses to carry out the remedial actions suggested by the certification and rectification bodies, the refusal could bring criminal liability to the platform and its executives.


In some industries, such as hotels and logistics, CP is compulsory on a de facto basis: CP certification is a prerequisite for obtaining a business license in those industries.


Where must data be stored?


According to the CSL, a CIIO must store its personally identifiable information (“PII”) and important data only within China.  The CSL does not impose such a requirement on non-CIIOs.  However, in order to get certified under CP, a company has to store its data in China, which seems like bad news for MNCs.  In practice, though, there can be some leeway, which mostly depends on how necessary it is for the data to be transferred and stored outside China.


Case #4:


A global hotel group consisting of tens of thousands of hotels has to centralize the management of its data in a headquarters that is not located in China.  The certification body concerned still gave the green light to the CP certification of the hotels located in China.  However, a company that was certified by the same certification body (and rectified by us) was requested to take back its data from a server located outside China; the reason is simple: the company does not have to transfer and store its data outside China.


Therefore, a multinational company has to manage well how and where it collects and stores its data in order to get certified for classified protection under China’s Cybersecurity Law.  More importantly, a multinational company should seriously consider obtaining classified protection in order to have its network vulnerabilities checked and plugged.  In doing so, the company can reduce its risk exposure and liabilities (which could be both administrative and criminal) under the Cybersecurity Law and the Criminal Law.



- Henry Chen, licensed to practice law in China and New York, is a senior partner of Dentons Shanghai Office.  Before joining Dentons, Henry was AP Compliance Director of Ford.  Henry is the legal counsel of one of the biggest Internet search engine companies for its autonomous driving projects covering data integrity and security, protection of commercial secrets under the context of cyber security, compliance with Cyber Security Law, autonomous survey and mapping, privacy, risk management on autonomous driving accidents and car call-back, risk management on network penetration and safety.  In addition to TMT areas, Henry also handles traditional compliance issues on FCPA, anti-fraud investigation, compliance management system, corporate matters and dispute resolutions.


The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited. 沪ICP备10034943号-8