Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

The CSL requires organisations to adopt security measures for cybersecurity and data protection. See ‘Legislation’.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

The CSL requires network operators to adopt technical measures to monitor and record network operation status, cybersecurity threat information and security incidents and to keep relevant logs for at least six months. There are other sectoral rules and circulars that require certain network operators in certain sectors to keep the logs for a minimum of one year.

The PDSS provides that records of data breach incidents must contain, at a minimum, who discovered the incident as well as when and where the incident was discovered, the categories of personal data affected, the number of affected data subjects, the names of the information systems involved and whether notification was made to the relevant regulators. The PDSS is silent on the retention period of the records of data breach incidents.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

There are various laws and measures that require network operators affected by cybersecurity incidents to report the incidents to the relevant regulators, such as the CSL, the E-commerce Law, the Provisions on the Protection of Personal Information of Telecommunication and Internet Users, and the Security Incidents Emergency Plan. The threshold for reporting to different regulators is not the same; however, the reporting obligation under different rules is generally triggered by the occurrence or potential occurrence of a cybersecurity incident. The report must be in Chinese, and it must contain at least the following information: the time of occurrence of incident; the scope of the impact and damage; remedial measures that have been taken; the details of the personal data and data subjects involved in the breach; and the contact details of the relevant responsible department or person of the network operator.

Time frames

What is the timeline for reporting to the authorities?

Upon the discovery of a cybersecurity incident, the network operator must immediately report the incident to the relevant regulators. Article 20 of the draft Regulations on the Graded Protection of Cybersecurity provides that a report of any online incidents must be made to the local public security organ within 24 hours. While there is no specific obligation to continue reporting after the initial report to the relevant regulators, in practice, once the regulators step in to investigate the incident, they will request cooperation and information from time to time until the closure of the investigation.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Network operators have specific obligations to notify the data subjects whose personal data has been breached. There is no specific data breach reporting obligation on a network operator to notify others in the same industry or sector as the reporting obligation is limited to the relevant Chinese authorities, should the cybersecurity incident meet the reporting threshold, and to the affected data subjects. The network operator can communicate with the affected data subjects using any of the following means: email, letter, telephone, in-app push notification and other proper means or announcement on the company website (if it is impractical to notify each of the affected data subjects).

Law Stated Date

Correct On

Give the date on which the information above is accurate.

19 December 2019