[BreachExchange] What Business Leaders Need To Know About Cybersecurity Law In China

Fri Nov 3 14:18:12 EDT 2017

https://www.forbes.com/sites/centurylink/2017/10/30/what-
business-leaders-need-to-know-about-cybersecurity-law-in-china/#92bbc6056541

Regulations aimed at tightening cybersecurity in China have taken effect,
and businesses with interests there need to be aware of them.

The PRC Cybersecurity Law that took effect in June 2017 makes most aspects
of the modern, digital enterprise subject to scrutiny and control.

Manuel Maisog, chief representative of the Beijing office of law firm
Hunton & Williams, explained the consequences and interpretations of the
new Chinese law at this year’s Gartner Security & Risk Management Summit in
National Harbor, Maryland.

Here are three key takeaways:

1. Most international businesses operating in China will be affected. The
PRC Cybersecurity Law affects information infrastructure, network
operators, and providers of network products and services. The broad
definitions of “network operators” and “providers of network products and
services” in the law plausibly cover any modern business concern in China
that sends information from one computer to another. The components of the
law that govern information infrastructure operators, however, apply to few
international organizations. This is because most of China’s information
infrastructure is owned and controlled domestically.

2. Personally identifiable data collected in China must stay in China. Most
personal data collected in China must be stored only there. If not,
effective year end 2018, data subjects must be notified about the details
of the data transferred. This data localization requirement is a
significant blow to organizations accustomed to a cloud mentality and being
agnostic about the location of their data.“You can transfer a copy of the
data outside China, but only if there is a genuine need for that to happen
— and (only if) you conduct a security assessment,” Maisog said. “This will
be an important, stringent requirement.

”The regulation that will define the exact form of this assessment is still
in draft form. As of Maisog’s presentation, the draft calls for a report of
the cybersecurity capabilities of the receiving party, and an assessment of
the legal and political situation in the receiver’s jurisdiction. The
objective of the law, he said, is to ensure that data leaving the country
remains secure.

3. Law may suppress business gains. The many restrictions and hurdles built
into the PRC Cybersecurity Law will almost certainly raise the cost of
doing business in China, both for domestic and international companies. It
may even drive some businesses away. But the Chinese government is willing
to accept those losses, according to Maisog. The reason, he said, is that
the Chinese government isn’t thinking about cybersecurity in terms of
high-profile business breaches like those of Target and Sony, but rather in
terms of leaks like those perpetrated by Edward Snowden and Chelsea
Manning. “This is intended as national securityregulation,” he said.

The most important takeaway from the new law: Do not operate an unprotected
server in China.

“There are penalties for not putting protections into effect,” Maisog said.
“There can be fines; in very extreme cases, businesses could be shut down.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171103/fd1543f9/attachment.html>