China, the world's second largest economy, recently implemented its new Cybersecurity Law (CSL). Designed to combat ever-growing information security threats and create a safer internet environment, the CSL imposes mandatory information security obligations on businesses whose computer systems are connected to China.
The CSL, which went into effect on June 1, 2017, introduces major changes to the global cybersecurity landscape. The law is part of a broader initiative to shield Chinese data from the prying eyes of foreign companies, an issue the government ties to data leaks involving local governments and multinational organizations.
The CSL is intended to protect China and its citizens, but globally the law has raised some real concerns. Vague provisions, broadly defined terms, and the potential for new security risks and significant additional expense have a wide range of companies worried about how the law will affect their IT systems, and therefore their operations, in China and elsewhere.
Protecting and accessing personal information
The CSL requires companies doing business in China to standardize their data handling and, for operators of critical information infrastructure, to store personal information and important data collected in China on servers inside China. Network operators must also cooperate with the authorities and provide information about their network infrastructure on request. The law further requires controls for identifying and protecting personal and other sensitive information.
Specifically, the law focuses on how information is protected and how sensitive information about Chinese citizens is used. Such information must be stored on domestic servers, and companies that need to move it abroad must first pass a government security assessment. Companies that store or transfer the data in an unauthorized manner are subject to fines and, in serious cases, criminal charges.
Cost concerns
Many businesses also are concerned about the cost of hardening their IT systems and adopting newer technologies that better support data security. In addition, fines for noncompliance can reach 1,000,000 RMB (nearly $150,000 USD) and, because the law is framed in part as a safeguard against foreign espionage, serious violations may also result in criminal charges.
The bottom line
The table below outlines key aspects of the new CSL in comparison with U.S. data compliance standards. Organizations should review their critical infrastructure and identify where personal information resides. If the new law is implemented and enforced properly, sensitive data should be better protected and at less risk of falling into the wrong hands.