Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology

Transcription

1 Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology 8 December 2016

2 The Matrix (1999) 1 / L_LIVE_APAC1: v1

3 World Internet Conference (2016) 2 / L_LIVE_APAC1: v1

4 Content Overview of Cyber Security Law Duties to maintain network security Duties to prevent cyber crimes Data protection obligations Practical suggestions in managing cyber risks 3 / L_LIVE_APAC1: v1

5 Overview of Cyber Security Law 4 / L_LIVE_APAC1: v1

6 Overview of Cyber Security Law Historical Review (1) Back to 1994 Innovativeness v.s. Protectionism Sector-specific rules 5 / L_LIVE_APAC1: v1

7 Overview of Cyber Security Law Historical Review (2) 6 / L_LIVE_APAC1: v1

8 Overview of Cyber Security Law Content (1) National Security Law Industry-specific rules Piecemeal Data Protection Rules Cyber Security Law Practice 7 / L_LIVE_APAC1: v1

9 Overview of Cyber Security Law Content (2) Development of cyber security technology Security duties of network operators Extra duties of operators of critical information infrastructure Personal data protection Obligations to cooperate with government against cyber crimes 8 / L_LIVE_APAC1: v1

10 Overview of Cyber Security Law Looking into future MPS CAC MIIT Industry Regulators 9 / L_LIVE_APAC1: v1

11 Duties to maintain network security 10 / L_LIVE_APAC1: v1

12 Duties to maintain network security Definition of network operator Owner Administer Service provider 11 / L_LIVE_APAC1: v1

13 Duties to maintain network security Burdens applicable to a network operator Managerial measures Risk management policy Contingency plan Retention of network operation records Technical Measures To prevent hacks and viruses, and to monitor network operations To address known risks Report and communications To report cyber security incident to the government and affected customers To report cyber crimes 12 / L_LIVE_APAC1: v1

14 Duties to maintain network security Extra burdens applicable to critical network operator What are critical networks? public communications, information services, energy, public transportation, water conservancy, finance, public services, and electronic services from government Others Extra burdens Background check Training and drills Back-up Restrictions on procurement Requirements for outsourcing Location of data storage 13 / L_LIVE_APAC1: v1

15 Duties to prevent cyber crime 14 / L_LIVE_APAC1: v1

16 Duties to prevent cyber crime Cooperation with government on crime investigation Verification and record of real identity Record of network usage behaviours Technical support to government 15 / L_LIVE_APAC1: v1

17 Duties to prevent cyber crime Take-down on knowledge; safe-habour 16 / L_LIVE_APAC1: v1

18 Data protection obligations 17 / L_LIVE_APAC1: v1

19 Data Protection Scope of protection Data collected by network operators Electronic data User data in telecoms services Consumer data Employee data 18 / L_LIVE_APAC1: v1

20 Data Protection Data protection requirements Information Consent Necessity Security Verification of real identity Communication 19 / L_LIVE_APAC1: v1

21 Data Protection To apply the data protection requirements to practice Data collection Collection through Apps Collection through distributors Data transfer Data transfer to third party processors Data transfer outside of China Data transfer as a result of business disposal Data retention Deletion of personal information Data retention after cessation of services 20 / L_LIVE_APAC1: v1

22 Practical suggestions in managing cyber risks 21 / L_LIVE_APAC1: v1

23 Practical suggestions in managing cyber risks Hints IT risk management plan Management of distributor/supplier/contractor Legitimate IT infrastructure Incident management 22 / L_LIVE_APAC1: v1

24 Practical suggestions in managing cyber risks IT risk management plan (1) External service provider Directors and senior management IT Business Legal HR 23 / L_LIVE_APAC1: v1

25 Practical suggestions in managing cyber risks IT risk management plan (2) Understand the business process Data classification Information flow Human inference Risk identification Technical risks Behavioural risks Risk mitigating measures Proactive measures Remedial measures Policy implementation Consultation and publication Policy management Training Policy Documentation To be consistent with global policy Translation Policy Review To address business concerns To meet statutory requirements 24 / L_LIVE_APAC1: v1

26 Practical suggestions in managing cyber risks Management of distributors/suppliers/contractors Due diligence Technical Commercial Legal Compliance with statutory requirements Management of service levels Responding time Resolution time Switch of IT platform / service provider 25 / L_LIVE_APAC1: v1

27 Practical suggestions in managing cyber risks Legitimate IT infrastructure (1) Software and Hardware Network structure Network access permission Administration on encryption technology Procurement restrictions China gateway Certified ISP 26 / L_LIVE_APAC1: v1

28 Practical suggestions in managing cyber risks Legitimate IT infrastructure (2) Typical network structure Personal Terminal Company Server Access Network Internet 27 / L_LIVE_APAC1: v1

29 Practical suggestions in managing cyber risks Legitimate IT infrastructure (3) Alternative network structure --- legitimate? Personal Terminal Company server Offshore server Access Network Internet 28 / L_LIVE_APAC1: v1

30 Practical suggestions in managing cyber risks Incident management (1) Incident appraisal Communication management Adoption of remedial measures Allocation of resulting liabilities Team formation 29 / L_LIVE_APAC1: v1

31 Practical suggestions in managing cyber risks Incident management (2) IT Risk Planning Team Incident Management Team 30 / L_LIVE_APAC1: v1

32 Q&A Xun Yang Of Counsel, Shanghai T: M: E: Xun advises on commercial, regulatory and intellectual property matters with a particular focus on life science, financial services and telecoms sectors. He has significant experience in advising on technology transactions, IT services, outsourcing, IP protections, data privacy, and investment in sensitive sectors. 31 / L_LIVE_APAC1: v1

33 32 / L_LIVE_APAC1: v1

34 simmons-simmons.com elexica.com This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name Simmons & Simmons or one or more of those practices as the context requires. The word partner refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP s affiliated practices. For further information on the international entities and practices, refer to simmonssimmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address. 33 / L_LIVE_APAC1: v1