PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology


PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology 24 October 2017

Content: Overview of Cyber Security Law; Observations on Implementation of Cyber Security Law; Key Issues in Cyber Security Protection; Practical Suggestions in Protecting Cyber Security

Overview of Cyber Security Law

Overview of Cyber Security Law. Historical Review: Concept of cyber security; Historical attitude towards cyber security; Balance between development and control; Speeding up the legislation process

Overview of Cyber Security Law Nature of the Cyber Security Law National Security Law Industry-specific rules Supporting Laws Piecemeal Data Protection Rules Practice Cyber Security Law Ministerial Rules Industrial Standards

Overview of Cyber Security Law. Content: Development of cyber security technology; Security duties of network operators; Extra duties of operators of critical information infrastructure; Personal data protection; Obligations to cooperate with government against cyber crimes

Overview of Cyber Security Law. Features: To bring cyber security and personal information protection onto a state interest level; To harmonize existing rules on cyber security matters; To engage and authorize government agencies to enact and implement cyber security rules; To have extra-territory effect

Overview of Cyber Security Law. Regulatory bodies: MPS; CAC; MIIT; Industry Regulators

Observations on Implementation of Cyber Security Law

Observations on Implementation of Cyber Security Law New legislations since the promulgation of Cyber Security Law

Observations on Implementation of Cyber Security Law New legislations since the promulgation of Cyber Security Law Macro-policy National Cyber Space Security Strategy Big Data Development Scheme Market Entrance for Network Product and Services Notice on Cleaning and Normalizing Internet Access Service Market Encryption Law (draft) Network Product and Service Security Examination Measures Data Exportation Security Assessment Measures for Exporting Personal Information and Important Data (draft) Guidance for Data Exportation Security Assessment (draft)

Observations on Implementation of Cyber Security Law New legislations since the promulgation of Cyber Security Law (Cont'd) Network Securities Regulation on Protection of Critical Information Infrastructure Measures for Monitoring and Handling Security Threats to Public Networks Personal Data Protection General Provisions of Civil Law Information Security Techniques and Personal Information Protection Guidance (draft) Guidance for Depersonalization of Personal Information (draft) Content Censorship Procedural Rules on Administrative Actions on Internet Content Administrative Rules on Internet Public Account Information Services Administrative Rules on Internet Discussion Group Information Services

Observations on Implementation of Cyber Security Law. Key government actions: To clean up the VPN market; To close down social media accounts; To inspect ICP filings; To prosecute serious personal data infringement; To investigate privacy policies and practice; To carry out IT security inspections

Observations on Implementation of Cyber Security Law. Key Messages: Encouragement of industrial informationalisation; Systematical enforcement of cyber security rules; Strengthened protection of personal information; Learning process for both government and business

Observations on Implementation of Cyber Security Law Encouragement of industrial informationalisation Security products Equipment Service Technology Data business Big data Cloud business

Observations on Implementation of Cyber Security Law Systematical enforcement of cyber security rules Include cyber security into existing laws Data protection requirements Network security requirement Upgrade of legislative levels Encryption requirement Consolidation and clarification of existing rules Market access permissions Rules on using VPN

Observations on Implementation of Cyber Security Law Strengthened protection of personal information Scope of coverage Specific coverage to comprehensive coverage Detailed rules Definition Standard Process Methodology Remedies Administrative Civil Criminal

Observations on Implementation of Cyber Security Law Learning Process for both the government and the business Government From principles to detailed rules Item by item legislation Multiple regulators Business Understanding and following the meaning of cyber security rules Lobby with government Cyber security as an ongoing matter

Key Issues in Cyber Security Protection

Key Issues in Cyber Security Protection Is a foreign business governed by the cyber security laws? Presence Website Source of Information WFOE Rep Office Offshore company Server location Operating term Target audience Data subjects Data collecting activities Data sovereignty

Key Issues in Cyber Security Protection Does China prohibit data exportation? State secret? Administrative restrictions? Threshold Security measures National interest National sovereignty Population and healthcare Financial data Achieve CII Industry Possibility of being misused Volume Self-censorship Government screening

Observations on Implementation of Cyber Security Law Is VPN allowed to be used for business reasons? Personal Terminal Company Server Access Network Internet

Observations on Implementation of Cyber Security Law Is VPN allowed to be used for business reasons? (Cont'd) Personal Terminal Company Server Access Network Internet

Observations on Implementation of Cyber Security Law Is VPN allowed to be used for business reasons? (Cont'd) Personal Terminal Company server Offshore server Access Network Internet

Key Issues in Cyber Security Protection Can we outsource data processing? Business reasons Data risks Purpose of outsourcing Legal restrictions Prohibited Restricted Technical Financial Legal Vendor due diligence Conditions Informed consent Technical restrictions

Key Issues in Cyber Security Protection How do the cyber security laws affect the negotiation of outsourcing contracts? Due diligence Warranties on the compliance with licensing requirement Periodical risk assessment Service levels compliance with statutory requirements and good industrial practice Consistency among various service providers Data location Location of data processing; remote access Cloud based services Risk management Contingency plan Drills Step-in right

Key Issues in Cyber Security Protection Are we required to procure only domestic network products / services? Licensing Requirements Security Considerations Telecoms services Network access device Encryption Security levels Supply chain risks Back door risks Excessive Reliability

Practical suggestions in protecting cyber security

Practical suggestions in protecting cyber security. Hints: To establish proper risk assessment procedures; IT risk governance and management plan; Management of business process from an information governance aspect; Privacy policy and informed consent; Incident management; Cyber security as an ongoing process

Practical suggestions in protecting cyber security. To establish proper risk assessment procedures: Procurement of network products and services; Data exportation risk assessment; Personal data risk assessment

Practical suggestions in protecting cyber security IT risk governance and management plan (1) External service provider Directors and senior management IT Business Legal HR

Practical suggestions in protecting cyber security IT risk management plan (2) Understand the business process Data classification Information flow Human inference Risk identification Technical risks Behavioural risks Risk mitigating measures Proactive measures Remedial measures Policy implementation Consultation and publication Policy management Training Policy Documentation To be consistent with global policy Translation Policy Review To address business concerns To meet statutory requirements

Practical suggestions in protecting cyber security Management of business process from an information governance aspect Informed consent, consistency with purpose? Need to know? Business usage Information collection / acquisition Information processing Outsourcing Data storage Management of service levels / IP rights Data disposal IT Infrastructure IT risk management Storage requirement

Practical suggestions in protecting cyber security Privacy policy and informed consent Content to be informed Scope; Manner Technology communication channels Necessity for current and future use Do we need to cover all possible future use? Depersonalization Clarity and flexibility including but not limited to all other legitimate purpose Manner of description and display Accuracy vs. plain language Manner of display and consent Communications Right to access Right to report

Practical suggestions in protecting cyber security. Incident management: Incident appraisal; Communication management; Adoption of remedial measures; Allocation of resulting liabilities; Team formation

Practical suggestions in protecting cyber security. Cyber security as an ongoing matter: Development of the law; Change of industrial practice; Evolution of new business processes

Q&A WeChat: Xun Yang Of Counsel, Shanghai T: +86 86 21 6249 0700 M: +86 186 21001091 E: xun.yang@simmons-simmons.com LinkedIn Account: https://www.linkedin.com/in/xun-yang-294b478 Xun advises on commercial, regulatory and intellectual property matters with a particular focus on life science, financial services and telecoms sectors. He has significant experience in advising on technology transactions, IT services, outsourcing, IP protections, data privacy, and investment in sensitive sectors.


simmons-simmons.com elexica.com This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name Simmons & Simmons or one or more of those practices as the context requires. The word partner refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP's affiliated practices. For further information on the international entities and practices, refer to simmonssimmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC352713 and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address.