New Chinese Cybersecurity Law Goes Into Effect This Summer—What Is the Impact on U.S. Companies?

Posted by: Stephen E. Stein

The People’s Republic of China has enacted a new comprehensive cybersecurity law (CCL) that becomes effective June 1, 2017. Companies that operate in China or have significant connections to Chinese customers or clients, especially those that fall within one of the three categories described below, will likely be impacted by the new regulations. Unfortunately, there remains a fair amount of uncertainty due to its wording. Clarifying regulations have been promised by the PRC, but there is no guarantee as to when they will be issued or how comprehensive they will be.

The entities subject to the CCL can be divided into three broad categories:

1. “Network Operator” – a “Network” is defined as a “system comprising computers or other information terminals and equipment that collects, stores, transmits, exchanges and processes information based on specific rules and procedures”. Under the CCL, a “Network” may be as simple as two connected computers. Requirements for Network Operators include:

The CCL imposes a number of obligations on Network Operators dealing with security policies, virus and intrusion prevention measures, maintenance of security logs, and back-up and encryption of important data. Additionally, Network Operators must provide technical support to government security authorities in connection with criminal investigations.

When collecting a citizen’s personal information, Network Operators must have a justifiable, lawful purpose, and they may only collect information related to the service they provide.

Network Operators must publish their policies on the collection and use of a citizen’s personal information, and disclosure or destruction of a citizen’s personal information by a Network Operator requires prior consent (with limited exceptions).

The Chinese network and IT authorities are empowered to perform regulatory responsibilities for network information security. While this does not seem too different from other governmental schemes, there is concern among commentators that this provision empowers Chinese authorities to scrutinize information held by any company deemed a Network Operator very closely, potentially endangering the confidentiality of trade secret information.

2. “Critical Information Infrastructure Operators” – are not defined in the CCL, but appear to be entities in the communications, finance, water, power and infrastructure sectors whose compromise could harm China’s security, economy or citizens. Requirements for them include:

Entities deemed to operate Critical Information Infrastructures are required to store PRC citizen information within the territory of China and to self-assess and report the security status of the infrastructures they operate to the government at least annually.

3. “Key Network Equipment & Network Security Product Providers” – are defined as those supplying specified types of equipment and products. Requirements for them include:

Entities selling network equipment and security products into China must arrange for the review and approval of the equipment by governmental authorities before it is placed in service in China.

Penalties for failure to comply with these requirements include financial penalties, civil liability, suspension of related business activities, revocation of business licenses and confiscation of illegal earnings.

In summary, entities operating in China should carefully review the provisions of the CCL to ensure they will be in compliance on the June 1, 2017 effective date.