Cyber Security Law --- Are you ready?

Transcription

1 Cyber Security Law --- Are you ready? Xun Yang Of Counsel, Commercial IP and Technology 9 May 2017

2 1 / B_LIVE_APAC1: v1

3 Content Overview of Cyber Security Law Legislative Development Key Issues in Cyber Security Protection Practical Suggestions in Protecting Cyber Security 2 / B_LIVE_APAC1: v1

4 Overview of Cyber Security Law 3 / B_LIVE_APAC1: v1

5 Overview of Cyber Security Law Historical Review 4 / B_LIVE_APAC1: v1

6 Overview of Cyber Security Law Content (1) National Security Law Industry-specific rules Piecemeal Data Protection Rules Cyber Security Law Practice 5 / B_LIVE_APAC1: v1

7 Overview of Cyber Security Law Content (2) Development of cyber security technology Security duties of network operators Extra duties of operators of critical information infrastructure Personal data protection Obligations to cooperate with government against cyber crimes 6 / B_LIVE_APAC1: v1

8 Overview of Cyber Security Law Regulatory bodies MPS CAC MIIT Industry Regulators 7 / B_LIVE_APAC1: v1

9 Overview of Cyber Security Law Trend To bring cyber security and personal information protection onto a state interest level To enact new laws and administrative rules to implement the Cyber Security Law To carry out security inspection from time to time 8 / B_LIVE_APAC1: v1

10 Legislative Development 9 / B_LIVE_APAC1: v1

11 Legislative Development New legislations since the promulgation of Cyber Security Law 10 / B_LIVE_APAC1: v1

12 Legislative Development Key Messages Encouragement of industrial informationalisation Systematical enforcement of cyber security rules Strengthened protection of personal information Linkage of data protection with national interest 11 / B_LIVE_APAC1: v1

13 Legislative Development Encouragement of industrial informationalisation Security products Equipment Service Technology Data business Big data Cloud business 12 / B_LIVE_APAC1: v1

14 Legislative Development Systematical enforcement of cyber security rules Include cyber security into existing laws Upgrade of legislative levels Consolidation and clarification of existing rules Encryption Personal Terminal Compan y server Offshore server Access Networ k Internet Network access permission Network infrastructure 13 / B_LIVE_APAC1: v1

15 Legislative Development Strengthened protection of personal information Scope of coverage Specific coverage to comprehensive coverage Detailed rules Definition Standard Process Methodology Remedies Administrative Civil Criminal 14 / B_LIVE_APAC1: v1

16 Legislative Development Linkage of data protection with national interest Personal data Business data National interest / sovereignty State secret Business continuity 15 / B_LIVE_APAC1: v1

17 Key Issues in Cyber Security Protection 16 / B_LIVE_APAC1: v1

18 Key Issues in Cyber Security Protection Do we need to retain data in China? State secret? Administrative restrictions? Threshold Security measures National interest National sovereignty Population and healthcare Financial data Achieve CII Industry Possibility of being misused Volume Selfcensorship Government screening 17 / B_LIVE_APAC1: v1

19 Key Issues in Cyber Security Protection Is depersonalization a way to bypass data protection restrictions Anonymi -zation vs. pseudonymisati on 18 / B_LIVE_APAC1: v1

20 Key Issues in Cyber Security Protection Can we outsource data processing? Business reasons Data risks Purpose of outsourcing Legal restrictions Prohibited Restricted Technical Financial Legal Vendor due diligence Conditions Informed consent Technical restrictions 19 / B_LIVE_APAC1: v1

21 Key Issues in Cyber Security Protection Are we required to procure only domestic network products / services? Licensing Requirements Security Considerations Telecoms services Network access device Encryption Security levels Supply chain risks Back door risks Excessive Reliability 20 / B_LIVE_APAC1: v1

22 Practical suggestions in protecting cyber security 21 / B_LIVE_APAC1: v1

23 Practical suggestions in protecting cyber security Hints IT risk governance and management plan Management of business process from an information governance aspect Privacy policy and informed consent Managing external service providers Incident management Cyber security as an ongoing process 22 / B_LIVE_APAC1: v1

24 Practical suggestions in protecting cyber security IT risk governance and management plan (1) External service provider Directors and senior management IT Business Legal HR 23 / B_LIVE_APAC1: v1

25 Practical suggestions in protecting cyber security IT risk management plan (2) Understand the business process Data classification Information flow Human inference Risk identification Technical risks Behavioural risks Risk mitigating measures Proactive measures Remedial measures Policy implementation Consultation and publication Policy management Training Policy Documentation To be consistent with global policy Translation Policy Review To address business concerns To meet statutory requirements 24 / B_LIVE_APAC1: v1

26 Practical suggestions in protecting cyber security Management of business process from an information governance aspect Informed consent, consistence with purpose? Need to know? Business usage Information collection /acquisition Information processing Outsourcing Data storage Management of service levels / IP rights Data disposal IT Infrastructure IT risk management Storage requirement 25 / B_LIVE_APAC1: v1

27 Practical suggestions in protecting cyber security Privacy policy and informed consent Content to be informed Necessity for current and future use Clarity and flexibility Manner of description and display Scope; Manner Technology communication channels Do we need to cover all possible future use? Depersonalization including but not limited to all other legitimate purpose Accuracy vs. plain language Manner of display and consent 26 / B_LIVE_APAC1: v1

28 Practical suggestions in protecting cyber security Managing external service providers When? IT outsourcing: call centres, data processers, IDC, cloud, developers Business vendors: distributors, subcontractors How? Due diligence Contract Auditing What? Legal restrictions SLs: responding vs. resolution Warranties and liabilities Intellectual properties Interim measures 27 / B_LIVE_APAC1: v1

29 Practical suggestions in protecting cyber security Incident management Incident appraisal Communication management Adoption of remedial measures Allocation of resulting liabilities Team formation 28 / B_LIVE_APAC1: v1

30 Practical suggestions in protecting cyber security Cyber security as an ongoing matter Development of the law Change of industrial practice Evolution of new business processes 29 / B_LIVE_APAC1: v1

31 Q&A Xun Yang Of Counsel, Shanghai T: M: E: Xun advises on commercial, regulatory and intellectual property matters with a particular focus on life science, financial services and telecoms sectors. He has significant experience in advising on technology transactions, IT services, outsourcing, IP protections, data privacy, and investment in sensitive sectors. 30 / B_LIVE_APAC1: v1

32 31 / B_LIVE_APAC1: v1

33 simmons-simmons.com elexica.com This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name Simmons & Simmons or one or more of those practices as the context requires. The word partner refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP s affiliated practices. For further information on the international entities and practices, refer to simmonssimmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address. 32 / B_LIVE_APAC1: v1