Upgrading data breach prevention and response

By Kevin Duan and Hu Minzhe, Han Kun Law Offices

Data security incidents occur frequently these days. To enhance protection of data security – and reduce losses and hazards caused by data breaches – the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) all require enterprises to take protective measures by establishing and implementing contingency plans.

On 8 December 2023, the Cyberspace Administration of China (CAC) released the Administrative Measures for Cybersecurity Incidents Reporting (Exposure Draft), which intends to unify specifications for regulatory reports of cybersecurity incidents.

Based on these laws and regulations, along with recent regulatory updates and practical experience, this article introduces key compliance points in handling data security incidents from two aspects, namely pre-emptive measures and post-incident response.

Kevin Duan
Partner
Han Kun Law Offices
Tel: +86 10 8516 4123
E-mail: kevin.duan@hankunlaw.com

Pre-emptive measures

The CSL, DSL and PIPL stipulate the protective measures to be taken by enterprises, which include but are not limited to data encryption, protection against computer viruses, cyberattacks and intrusions, and log retention.

These measures not only enhance data security protection of enterprises, but also facilitate detecting and monitoring security incidents early. To prevent data breaches, the three laws require enterprises to draw up a contingency plan – a prerequisite for enterprises to handle data security incidents promptly – and strengthen risk monitoring.

Multinationals may need to develop a “localised” plan that fulfils the requirements of Chinese law while building on their globally applicable management systems. In addition, to put the contingency plan into real practice, companies also need to carry out regular response drills to familiarise personnel in various departments with response procedures, and to adjust the plan promptly according to the problems identified.

Post-incident response

Hu Minzhe
Associate
Han Kun Law Offices
Tel: +86 21 6080 0592
E-mail: minzhe.hu@hankunlaw.com

Timely remedy.
Drawing on national standards such as the Information Security Technology – Guidelines for Category and Classification of Cybersecurity Incidents and the Information Security Technology – Specifications of Emergency Response Plan for Information Security, an enterprise’s technicians can set out in the contingency plan the measures and processes for handling different levels and types of data security incidents and, once an incident occurs, activate the plan and take timely remedies.

Notifying individuals.
According to paragraph 1, article 57 of the PIPL, if the leaked, falsified or lost data involves personal information, the enterprise shall inform individuals of the type of personal information, reasons for and hazards of the leakage, measures already taken by the enterprise, and measures that can be taken by the individual to mitigate hazards, as well as its contact information.

According to the Information Security Technology – Personal Information Security Specification, enterprises are advised to inform individuals one by one through email, letter, phone call and push notification, or take a reasonable and effective approach to disseminating warning information.

Although the PIPL also provides for exemptions from notification, there are no clear criteria for defining and evaluating “effective avoidance of hazards”, and enterprises should be prudent and comply with regulatory requirements.

Reporting to regulators.

  1. Reporting thresholds. Existing laws and regulations do not set clear criteria, so theoretically all data security incidents should be reported to the regulator. However, regulations such as the National Emergency Response Plan for Cybersecurity Incidents require reporting of security incidents that “pose a threat to, or cause an impact on, national security, social order, economic construction and public interests”. Enterprises can assess whether a case meets the criteria by considering the type of data, scope and number of people affected, and economic loss.
  2. Reporting objects. The provisions of the CSL, DSL and PIPL in this regard are rather general. In practice, the cyberspace administration is the regulator primarily responsible for receiving reports from enterprises, while the Ministry of Industry and Information Technology and Ministry of Emergency Management, and industry authorities, also receive such reports within their scope. When a data security incident involves criminal offences, enterprises should also report it to the public security authorities. As the co-ordination mechanism between regulators is unclear, enterprises are advised to proactively consult relevant authorities when reporting and fulfil their obligations based on regulatory instructions.
  3. Details of the report. In addition to notifying individuals of the incident’s basic information, article 5 of the CAC exposure draft further stipulates that enterprises should provide information on: the facilities, systems and platforms involved; the developing trend of the situation; possible further impacts and hazards; clues required for further investigation and analysis; requests for support; and protection of the incident spot. As to how the report is presented, the draft and some local regulations require enterprises to provide relevant content based on a standardised form.
  4. Time limits. The existing law requires enterprises to fulfil their reporting obligations “promptly” or “immediately” after an incident. The CAC exposure draft requires enterprises to report large, significant or exceptionally significant cybersecurity incidents within an hour. If it takes formal effect, enterprises will have very limited time to prepare. Relevant departments and personnel will need to be fully aware of their contingency plans, collect information quickly and maintain close communication with the regulator within the specified time limits.

Reflection and improvement.
To prevent similar incidents from happening again, article 10.1 of the Personal Information Security Specification suggests that enterprises should collate and retain incident records, summarise the lessons learnt from security incident prevention and emergency response, and carry out the necessary improvements accordingly to further enhance data security protection.

Summary

Enterprises failing to fulfil their obligations for data security protection and violating compliance requirements in handling incidents may face a fine of up to RMB50 million (USD7 million) or 5% of the previous year’s revenue. Directly responsible supervisors and personnel may also face a fine of up to RMB1 million.

In practice, cases of enterprises being penalised for failing to fulfil their data protection obligations after encountering such incidents are commonplace, which should serve as a warning to enterprises to tighten personal information protection and their emergency response to incidents.

Enterprises are advised to strictly implement data protection requirements in their daily operations, prevent and prepare for security incidents, and fulfil their compliance obligations under applicable laws after incidents.
