With China’s passage this month of its Cyber Security Law (the “Law”; unofficial English translation on China Law Translate), much of the attention in the international business community has focused on how business obligations will change for mainland China operations and how the law will generally affect cross-border handling of customer, operations, and other data. These are all legitimate questions, and this attention is bound to create additional questions for China’s regulators to answer.
There is another area worth considering: To what extent may foreign businesses and individuals use the Law’s mandates to seek relief for data breaches and other cyber security compromises?
Recent reports have identified concerns over particular companies in China that manufacture Internet of Things (IoT) devices and distribute online application software, which implicate the security of Internet infrastructure companies outside of China and privacy for users overseas. In one account, hackers may have exploited a security vulnerability in closed circuit security cameras to co-opt those IoT devices into a botnet attack against a major Internet infrastructure company. Another report by Kryptowire identified firmware in mobile devices that collected user information from device applications. The firmware then sent that information to the firmware administrator in China. That information included user text message content, contacts lists, call history, device identification data, and in some instances, location information.
The Law does not take effect until June 1, 2017, and presumably would not affect the IoT manufacturer or firmware company at issue in these reports (that is, unless the issues identified in these reports are not rectified by that date). These incidents, however, are not likely to cease; if anything, it is more likely that they will proliferate in volume and variety.
Under the Law, an IoT manufacturer may be considered to be a “network operator” (as a “network service provider” under Art. 76) or a provider of “network products” or perhaps “critical network equipment” or “specialized network security products” (Arts. 22-23). In turn, a firmware administrator could be considered to be a “network operator” or “application software download service provider” (Art. 48). Depending on how the company is classified, the Law imposes different security obligations.
In particular, network operators are obligated to undertake measures to prevent network intrusions and immediately take remedial measures upon discovering that their products and services have security flaws or vulnerabilities (Arts. 21-22). The Law also requires a network operator to obtain consent from a person to gather data and prohibits the operator from gathering personal information unrelated to the services it provides or providing it to others without the person’s consent (Arts. 41-42).
Similarly, an application software download service provider is also required to perform security management duties (Art. 48), although the Law does not spell out that provider’s other obligations in the same detail as it does for a network operator. A prior administrative regulation (the Ministry of Information and Industry Technology’s “Provisions on the Protection of Personal Information of Telecommunications and Internet Users”; the “Provisions”) prohibits telecommunication business operators and Internet information service providers (which may cover firmware administrators in the situation described here) from collecting user information without consent, and requires those entities to inform users about that collection activity and to limit it to only what is necessary for providing the service (Provisions, Art. 9).
Those Provisions, unlike the Law, do not contain a private right of action. The Law contains a general civil liability provision: when violations of the Law “cause harm to others,” then “civil liability is borne in accordance with law” (Art. 74). What is the scope of that civil action? The General Principles of Civil Law (the “GPCL”) (issued by the National People’s Congress) address individual liability under contract and tort theories and provide that liability may exist in the absence of fault, should the law so provide (GPCL, Art. 106). The GPCL sets forth relief that includes court orders to terminate infringing conduct and compensation for loss (GPCL, Art. 134).
Source: SANS ISC SecNewsFeed @ November 29, 2016 at 05:57PM