A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.
On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.
1. Regulatory Authorities of CII
Under the CII Regulation the CAC will be responsible for the planning of, and the coordination for, security protection of critical information infrastructure (CII). The Public Security Authority, the National Security Authority, the State Secrets Authority and the National Cryptography Authority of China’s State Council will be the regulatory authorities of CII in their respective capacities. The relevant departments of local people’s governments at or above the county level will be responsible for carrying out the security protection works in relation to CII.
2. Expansive Scope of CII
The sectoral scope of what CII encompasses under the CII Regulation is wider compared with the scope of CII under the Cyber Security Law. The following sectors have been specifically referred to in the CII Regulation:
- Government agencies, energy, finance, transportation, water conservation, healthcare, education, social security, environmental protection and public utilities;
- Telecommunications networks, radio and television networks, the Internet and other information networks, cloud computing, big data and other large-scale public information network services;
- National defense science and technology, large-scale equipment, chemical, food and drugs; and
- Radio stations, television stations and news agencies.
Many sectors listed above were not mentioned in the Cyber Security Law, such as healthcare, education, environmental protection, cloud computing and big data. The expansive scope of CII under the CII Regulation could increase the chances that some businesses in China could be: (1) considered to be CII operators; and (2) subject to the stringent legal requirements for CII operators under Chinese laws.
Importantly, the CAC, the Telecommunications Authority and the Public Security Authority will jointly formulate and publish the guidelines for the identification of CII. Industrial regulators will then identify the CII in their respective sectors based on those guidelines, and will report the identification results to the relevant authorities. Industry experts will be consulted during the process.
3. Additional Requirements for Products/Services Purchased by CII Operators
The CII Regulation repeats the requirements of the Cyber Security Law in terms of a cyber security review of the products/services purchased by CII operators that are deemed to pose a threat to China’s national security. These products are listed in a Catalogue of Key Network Equipment and Specialised Network Security Products (First Batch), published by the CAC and other authorities on 1 June 2017 (Catalogue), and any further batches to be published. A cyber security review should be conducted based on the Measures on Security Assessment for Network Products and Services (Trial Implementation) issued by the CAC on 2 May 2017.
The CII Regulation requires CII operators to conduct security examination and testing on any outsourced systems, software and donated/gifted network products used by CII operators before those systems and products are put into online use. This could potentially expand the scope of the Catalogue and render network systems and products not listed in the Catalogue subject to a cyber security review. CII operators are required to take remedial measures and to report to the competent authorities if substantial risks are identified in relation to the use of any network products/services.
The CII Regulation also requires that the operation and maintenance of CII be conducted within the territory of China. If remote maintenance is necessary for business reasons, CII operators must report this to industrial regulators and the Public Security Authority prior to undertaking remote maintenance. If the CII Regulation is issued in its current form, this localisation requirement could prohibit foreign businesses (e.g. cloud service providers) from providing services for the operation of CII because the operation must be conducted within China. However, as currently worded, this provision is not entirely clear and its implications remain to be seen.
The draft CII Regulation envisages that the CAC and the relevant departments of the State Council will jointly issue specific requirements for businesses providing the following services for CII:
- Cyber security examination, testing and assessment;
- Release of cyber security threat information, including system vulnerabilities, computer viruses and cyberattacks; and
- Cloud computing services and information technology outsourcing services.
It remains unclear what these requirements will be and when they will be published.
4. Persons Responsible for Cyber Security Protection of CII
Under the CII Regulation, the responsible person of a CII operator assumes primary responsibility for the security protection of CII. A CII operator may also appoint a person responsible for the cyber security protection of CII, whose duties include the following:
- Organize the formulation of cyber security rules and systems and operational procedures, and supervise the implementation of the same;
- Organize the skills assessment of personnel in key positions;
- Organize the formulation and implementation of cyber security education and training programs;
- Organize cyber security inspections and emergency drills, handle cyber security incidents; and
- Report important cyber security matters and events to the relevant authorities.
The CII Regulation also introduces licensing requirements for the technical staff of key positions of cyber security of CII. The CAC and China’s Human Resources and Social Insurance Department will further issue specific rules on these licensing requirements.
5. Frameworks of Monitoring, Emergency Response and Examination of CII
The CII Regulation outlines the frameworks for the following three major systems for the security protection of CII:
- Monitoring, early warning and information sharing;
- Emergency response and disposal; and
- Examination, testing and assessment.
The CAC will work with industrial regulators or other supervisory authorities to establish and implement these three systems for the protection of CII.
The CII Regulation provides more detail in relation to the measures that industrial regulators may take in random inspections of CII operators to assess: (1) security risks associated with CII; and (2) legal compliance by CII operators (as provided for in Article 39 of the Cyber Security Law). Such inspections include the ability to:
- Request that the relevant personnel of CII operators provide explanations;
- Review, obtain, and copy documentation and records in relation to cyber security protection;
- Examine the formulation and implementation of cyber security management systems and the planning, construction and operation of cyber security technical measures of CII;
- Utilise inspection tools or authorise cyber security service providers to conduct technical inspections; and
- Conduct other necessary measures as agreed with CII operators.
6. Compliance with State Secrets and Cryptography Regulations
The CII Regulation specifically notes that the storage and processing of State secret information in a CII must comply with China’s state secrets laws, and that the use and management of cryptography in a CII shall be governed by China’s cryptography laws (a draft Cryptography Law was published by the Office of the State Commercial Cryptography Administration on 13 April 2017 for public comment). In addition, regulation for the protection of military CII will be issued separately by the Central Military Commission of China.
The CII Regulation is another crucial step towards implementing the Cyber Security Law by providing further details concerning its CII-related provisions.
However, under the CII Regulation the scope of CII extends to a wide range of sectors, and the CII Regulation specifically refers to: (1) CII identification guidelines to be formulated and issued by the Chinese authorities; and (2) CII identification processes to be conducted by industrial regulators or other supervisory authorities. Deferring such detail to later guidelines and processes could create ambiguity and uncertainty in determining what constitutes CII. Moreover, it is unlikely that the CII Regulation and the CII-related provisions of the Cyber Security Law can actually be implemented until the CII identification process is completed.
The CII Regulation also imposes certain additional requirements for the products/services purchased by CII operators. This could have a significant impact on the service providers of CII operators. Accordingly, businesses in China are advised to review their current products, services and Chinese clients and to assess the risks of being subject to these additional obligations/requirements under the CII Regulation.
The CII Regulation remains a draft for public comment at the moment and may be subject to further amendments. We will continue to monitor the situation and provide updates on any developments.
This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology. This first post focuses on potential privacy issues, while the second post – coming next week – will address security issues.
As the development and testing of self-driving car technology has progressed, the prospect of privately-owned autonomous vehicles operating on public roads is nearing. Several states have passed laws related to autonomous vehicles, including Nevada, California, Florida, Michigan, and Tennessee. Other states have ordered that government agencies support testing and operations of these vehicles. Industry experts predict that autonomous vehicles will be commercially available within the next five to ten years. A 2016 federal budget proposal, slated to provide nearly $4 billion in funding for testing connected vehicle systems, could accelerate this time frame. In addition, the National Highway Traffic Safety Administration (NHTSA) set a goal to work with stakeholders to “accelerate the deployment” of autonomous technologies.
This post will explore some of the privacy issues that should be addressed before these vehicles are fully commercialized.
Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of the public. The public consultation runs from 10 July to 3 August 2017. This Bill comes on the back of various moves by the Singapore Government to strengthen its approach to cybersecurity, starting with the setting up of the Cyber Security Agency (CSA) in April 2015, the launch of Singapore’s Cybersecurity Strategy in October 2016, and more recently, the amendments to the Computer Misuse and Cybersecurity Act earlier this year (see our publication on the amendments).
Comment: Singapore’s strategy of being a smart nation and financial centre has at its core a resilient and strong foundation in cybersecurity. This Bill helps ensure that this objective is achieved by focusing on the continuity of essential services in Singapore. It also comes at a time when the business world is reeling from the impact of the WannaCry and NotPetya attacks.
The Bill takes a holistic approach to the regulation of cybersecurity by: giving the CSA oversight of the regime and enforcement powers to police the regime; providing a framework for regulation of critical information infrastructure systems, including mandatory breach notification; and establishing a licensing framework for cybersecurity service providers.
The consultation paper notes that the regulatory framework will be flexible to take account of the unique circumstances of each sector. It will also require a proactive approach to enhance cybersecurity before threats and incidents happen – based on the risk profile of the sector. Offences and penalties are to ensure compliance with the Bill rather than punish those that suffer from cyberattacks.
Who is covered – Critical Information Infrastructure
A key thrust of the Bill is the identification of 11 critical sectors as providing “essential services” and the ability of the CSA to designate as CII any computer or computer system necessary for the continuous delivery of essential services. It applies to both the public and the private sector.
The 11 critical sectors identified are:
- Banking and finance
- Security and emergency services
- Land transport
Computers and computer systems that are necessary during times of national emergency may also be designated as CIIs – and so it could potentially cover any sector.
The CSA may also designate a person as the owner of a CII (a CIIO). The Bill proposes to define an “owner of a CII” as a person who has effective control over the operations of the CII and has the ability and right to carry out changes to, or is responsible for, the continuous functioning of the CII. The CSA may require certain information in advance from the owner to determine if a system is a CII. The designation of systems as CII will be treated as an “official secret” under the Official Secrets Act, and will not be divulged to the public.
Duties of CII owners
CII owners are subject to the following statutory duties to:
- provide information
- comply with codes and directions
- report incidents – i.e. breach notification to the CSA
- conduct audits by an auditor approved by the Commissioner of Cybersecurity (the Commissioner)
- conduct risk assessments
- participate in exercises
In addition, CII owners are required to comply with any code of practice or relevant standard issued under the Bill.
Failure to comply with these duties is a criminal offence – due to the national security implications of non-compliance.
CSA is the central cybersecurity authority
The Bill proposes to vest extensive supervisory and regulatory powers in a Commissioner of Cybersecurity (the Commissioner), a position that will be held by the Chief Executive of the CSA.
CSA – Extensive Enforcement Powers
Apart from its supervisory powers over CIIs, the Bill also confers on the Commissioner significant powers to respond to, and prevent, cybersecurity incidents. These powers include the power to examine persons, require the production of evidence and, where satisfied that the cybersecurity threat meets a certain specified severity threshold, impose measures requiring a person to carry out remedial measures or to cease certain activities, take steps to assist in the investigation and perform a scan of a computer or computer system to detect cybersecurity vulnerabilities. Property may also be seized. This applies to all computers or computer systems in Singapore, and is not limited to CIIs.
The Minister has the power to impose extraordinary emergency cybersecurity measures and requirements if the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the essential services or national security, defence, foreign relation, economy, public health, public safety or public order of Singapore. This includes the power to authorize a specified person to direct another person to provide information “relating to the design, configuration or operation of any computer, computer program or computer [service][system]” if it is necessary to identify, detect or counter any such threat.
Companies and institutions should therefore be prepared for such actions, and have the necessary protocols in place to facilitate and respond to these investigations and regulatory actions.
Assistant Commissioners – from other Regulators
The Bill grants the Minister the power to appoint as Assistant Commissioner public officers from other Ministries or from other regulators. This is an unusual feature as certain public officials would be double-hatting as an Assistant Commissioner of Cybersecurity and as an official from another Ministry or statutory body performing a similar regulatory/supervisory function.
Assistant Commissioners are, in most cases, “Sector Leads” in the respective sectors, i.e., the lead government agency in charge of each sector. Therefore, CIIOs will know the Assistant Commissioners from existing regulatory relationships. For example, the Assistant Commissioner for financial institutions would likely be an officer from the Monetary Authority of Singapore (MAS). Hopefully, this will help cut down the bureaucratic burden on CIIOs of dealing with a new regulator for cybersecurity issues by allowing continuity and consistency of established relationships with existing regulators.
Regulating Cybersecurity Service Providers
There is a proposal to license and regulate cybersecurity service providers. It is recognized that since cybersecurity service providers are given access to customer systems and networks, they gain a deep understanding of system vulnerabilities, and that there should be some assurance concerning ethics and standards these providers should meet. The Bill proposes a licensing framework for cybersecurity service providers for two types of licences – investigative cybersecurity services (penetration testing) and non-investigative cybersecurity services (managed security operations). The list of licensable services is set out in the Second Schedule, which may be amended by the Minister.
Licensed providers will need to meet certain basic requirements concerning: key executive officers to be fit and proper; retention of service records for 5 years; compliance with a code of ethics; and ensuring that employees performing the services are fit and proper. These requirements will also apply to overseas providers.
At this stage, it is not clear how the CSA would evaluate applicants for licensing, and the CSA will have a further consultation with industry on detailed requirements before it is implemented.
What this Bill may mean for you
- Organizations operating in a critical sector and potentially owning CIIs should put in place an overarching cybersecurity policy tailored to the organization’s needs and the requirements of the regime. This policy should set out the organization’s approach to meeting its legal and regulatory obligations, and specify who is accountable for the CII within the organization. Ideally, this person should be at C-suite level.
- As a result of the Commissioner’s powers to respond to, and prevent, cybersecurity incidents, we recommend that all organizations should have in place a comprehensive cyber-response plan that includes protocols for responding to, and cooperating with, requests from the Commissioner on cybersecurity. This will minimize disruption to operations and ensure compliance with regulatory obligations.
- Cost of compliance will increase – in particular in respect of the new licensing regime for cybersecurity service providers, the cost of which will likely be passed on to customers. However, given the impact of recent cyberattacks on business such as WannaCry and the NotPetya ransomware, this is likely the new reality and cost of doing business in a technology-enabled world.
We are happy to discuss if you have any queries on the Bill or the public consultation.
Expanding on their prior article, Norton Rose Fulbright and the global risk advisory company Willis Towers Watson have created an interactive guide to the legal and insurance-based tools that can be used to manage data privacy risks in vendor contracts.
This unique guide allows users to navigate between subjects, and explore the details of five overarching data privacy issues in vendor contracts:
- Required security standards and data handling limitations to be imposed on the vendor;
- Security assessment rights;
- Incident response;
- Risk transfer (including indemnity, consequential damages exclusions, and damage caps); and
A new strain of malware began infecting computer systems across the globe on Tuesday. Similar to the WannaCry ransomware that struck last month, the malware used in this week’s attack spreads quickly across multiple computers on a network, encrypting files and displaying a ransom note that requests $300 worth of bitcoin for a decryption key.
Reports of infection began in Ukraine, where computer systems belonging to government ministries, financial institutions, transportation systems, and major energy companies began malfunctioning. The attack was first believed to be caused by a variant of the “Petya” strain of ransomware; however, recent reports from security experts indicate that the malware used during this week’s attack was altered so that, even with a decryption key, encrypted files cannot be recovered. This fact has led several sources to dub the malware “ExPetr” and speculate that the attacker’s motivations were destructive instead of financial.
The board demands answers on cybersecurity. We discuss how executives can effectively respond to and collaborate with the board.
Boards have now recognized that their companies, and board members themselves, face operational, financial, legal, and reputational consequences if they fail to address cybersecurity risk. Now, boards are asking company executives to explain the company’s current state of readiness and a plan of action – presenting both a challenge and an opportunity.
Join us on July 11 in New York for an engaging discussion on how to meet the challenge of explaining cybersecurity to boards and leverage the conversation to empower company executives with focus and resources to address cybersecurity risks.
Challenging questions. Practical, insightful answers.
Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain. On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act. In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also mandate annual risk assessments of firms’ data security practices. The Colorado Attorney General approved the rules on June 7, 2017, and the effective date of the rules is July 15, 2017.
On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General of 47 states and the District of Columbia resulting from its 2013 data security incident. Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.
We have just received a revised draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Measures). Here we outline the changes made to the draft Measures first issued on 11 April 2017 for public comment (see our previous briefing and blog post here). The revised draft is likely to be the final version of the Measures. The Measures are to take effect on the same day as China’s Cyber Security Law (Cyber Security Law) on 1 June 2017.