What Business Leaders Need To Know About Cybersecurity Law In China

CERT-LatestNews ThreatsStrategic

Your Link To What’s Next

Jason ComptonJason Compton , CenturyLink

Regulations aimed at tightening cybersecurity in China have taken effect, and businesses with interests there need to be aware of them.

The most important takeaway from the new law: Do not operate an unprotected server in China.

The PRC Cybersecurity Law that took effect in June 2017 makes most aspects of the modern, digital enterprise subject to scrutiny and control.

Manuel Maisog, chief representative of the Beijing office of law firm Hunton & Williams, explained the consequences and interpretations of the new Chinese law at this year’s Gartner Security & Risk Management Summit in National Harbor, Maryland.

Here are three key takeaways:

  1. Most international businesses operating in China will be affected. The PRC Cybersecurity Law affects information infrastructure, network operators, and providers of network products and services. The broad definitions of “network operators” and “providers of network products and services” in the law plausibly cover any modern business concern in China that sends information from one computer to another. The components of the law that govern information infrastructure operators, however, apply to few international organizations. This is because most of China’s information infrastructure is owned and controlled domestically.
  1. Personally identifiable data collected in China must stay in China. Most personal data collected in China must be stored only there. If not, effective year end 2018, data subjects must be notified about the details of the data transferred. This data localization requirement is a significant blow to organizations accustomed to a cloud mentality and being agnostic about the location of their data.“You can transfer a copy of the data outside China, but only if there is a genuine need for that to happen — and (only if) you conduct a security assessment,” Maisog said. “This will be an important, stringent requirement.

    ”The regulation that will define the exact form of this assessment is still in draft form. As of Maisog’s presentation, the draft calls for a report of the cybersecurity capabilities of the receiving party, and an assessment of the legal and political situation in the receiver’s jurisdiction. The objective of the law, he said, is to ensure that data leaving the country remains secure.

  1. Law may suppress business gains. The many restrictions and hurdles built into the PRC Cybersecurity Law will almost certainly raise the cost of doing business in China, both for domestic and international companies. It may even drive some businesses away. But the Chinese government is willing to accept those losses, according to Maisog. The reason, he said, is that the Chinese government isn’t thinking about cybersecurity in terms of high-profile business breaches like those of Target and Sony, but rather in terms of leaks like those perpetrated by Edward Snowden and Chelsea Manning. “This is intended as national securityregulation,” he said.

The most important takeaway from the new law: Do not operate an unprotected server in China.

“There are penalties for not putting protections into effect,” Maisog said. “There can be fines; in very extreme cases, businesses could be shut down.”

To better understand how these changes might affect your business, or for guidance on how to protect your company’s critical business data, talk with a CenturyLink security expert today.