On January 7, 2024, China’s Cyberspace Administration (“CAC”) closed the public consultation period for its new cybersecurity incident reporting rules, which were released in December.
If the draft rules are adopted as written, companies would be required to report certain cybersecurity incidents to the relevant Chinese regulator within one hour. The relevant regulator depends on the nature of the IT system compromised, the industry, and other factors and may be the local CAC, the public security bureau or the industry regulator.
The draft rules also provide a severity scale, based on the impact to national security and social stability, the duration of the incident, the financial losses and other factors. Grade 1 incidents, which are the most extreme, are those that involve 100 million or more individuals or financial losses of RMB 100 million or more (which converts to approximately USD 14 million at the time of publication). However, even “relatively significant incidents” are subject to the one hour requirement – these involve one to ten million data subjects or RMB 5 million to RMB 20 million (USD 700,000 to USD 1.4 million).
The draft rules provide a template for reporting incidents. Under the draft rules the reports of an incident should include:
Within one hour:
- Details about the incident, including type, impact, time and location, and measures taken. For extortion cases, companies must also include details about the ransom demand.
- Name of company and information about systems impacted.
Within 24 hours (if not available within 1 hour):
- Preliminary analysis of the root cause of the incident and investigation plan.
- Plan for remediation and any requests for support.
Similar to the European General Data Protection Regulation (“GDPR”), reporting responsibility falls to the data controller. However, if a data processor knows about an event that the controller has not reported, it must report the incident to the regulator.
Violators are subject to the legal consequences of the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”), and the Personal Information Protection Law (“PIPL”), which include significant monetary fines and personal and criminal liability for individuals responsible for cybersecurity. The draft rules provide that companies who adopt preventive measures, properly report incidents, and take remedial measures to minimize the impact may reduce or even eliminate their legal liability.
The trio of China privacy and security laws – the PIPL, CSL, and DSL – all have incident reporting requirements, but these provisions are vague and sometimes inconsistent. In anticipation of the adoption of the final rules, businesses should determine the applicability of the reporting requirements to their organizations, assess whether their existing reporting procedures are suitable to comply with the rules as currently drafted, and prepare to amend their playbooks and internal guidance as may be required when the final rules are eventually promulgated.
