China highlighted Beijing’s concerns about widespread data leaks and hacking within its borders on Friday by proposing a four-tier classification to aid in responding to data security incidents.
The emergency plan was developed in the wake of an incident last year in which a hacker claimed to have obtained a vast amount of personal data on one billion Chinese people from the Shanghai police, and it coincides with heightened geopolitical tensions with the US and its allies.
A comprehensive draft plan outlining the procedures that local governments and businesses should follow in evaluating and handling incidents was released by China’s Ministry of Industry and Information Technology (MIIT).
The plan, which is presently seeking public input, suggests a four-tiered, color-coded system based on the extent of harm done to the economy, a company’s online and information network, or national security.
A red warning must be issued in the event that an incident affects the “sensitive” information of over 10 million people or the personal information of over 100 million people, with losses exceeding 1 billion yuan ($141 million). These incidents are classified as “especially grave” under the plan.
The plan stipulates, among other things, that in the event of red or orange warnings, the concerned companies and pertinent local regulatory authorities must set up a 24-hour work schedule to handle the incident and notify MIIT of the data breach within ten minutes of the incident occurring. “If the incident is judged to be grave… it should be immediately reported to the local industry regulatory department, no late reporting, false reporting, concealment or omission of reporting is allowed”, said the MIIT.
China’s MIIT Unveils a Color-Coded Data Security Incident Response Plan
The Chinese Ministry of Industry and Information Technology (MIIT) released draft proposals on Friday that outlined how the nation would use a color-coded system to address data security incidents.
Specifically, the department stated that the goal of the effort is to “improve the comprehensive response capacity for data security incidents, to ensure timely and effective control, mitigation and elimination of hazards and losses caused by data security incidents, to protect the lawful rights and interests of individuals and organizations, and to safeguard national security and public interests.”
Based on the extent and severity of the harm caused, the 25-page document classifies all incidents involving illegal access to, disclosure of, destruction of, or tampering with data into four hierarchical tiers:
- Red: Level I (“especially significant”), which covers extensive shutdowns, a significant loss of the ability to process business data, disruptions caused by serious anomalies that last longer than 24 hours, major radio interference that lasts longer than 24 hours, economic losses exceeding one billion yuan, or incidents that affect the personal information of more than 100 million people or the sensitive personal information of more than 10 million people.
- Orange: Level II (“significant”), which pertains to major radio interference that lasts longer than 12 hours, shutdowns and operational interruptions that last longer than 12 hours, economic losses ranging from 100 million to 1 billion yuan, or impacts more than 10 million people’s personal information or more than 1 million people’s sensitive personal information.
- Yellow: Level III (“large”), which covers major radio interference that lasts longer than eight hours, operational disruptions that last longer than eight hours, economic losses ranging from 50 million to 100 million yuan, or incidents that affect the private or sensitive personal information of more than 100,000 individuals.
- Blue: Level IV (“general”), which covers minor occurrences that result in economic losses of less than 50 million yuan, operational disruptions lasting less than eight hours, or incidents that affect the sensitive personal information of fewer than 100,000 people or the personal information of fewer than one million people.
The new regulations also require affected businesses to evaluate the incident’s seriousness and promptly report it to the local industry supervision department, providing accurate information and withholding nothing.
“If the local industry regulatory department initially determines that it is a particularly major or major data security incident, it should report it to the Mechanism Office in accordance with the requirements of ‘10 minutes by phone and 30 minutes in writing’ after discovering the incident,” the proposed regulations state.
The Mechanism Office is supposed to report the issue to the MIIT based on the response level that was activated, either Red or Orange. Public comments on the draft rules can be submitted until January 15, 2024.