Although its technology operations have become more transparent in the 21stcentury, cybersecurity in the Middle Kingdom, that is China, continues to be an enigma to many companies attempting to do business there. On one hand, Chinese scientists are at the forefront of exciting new quantum communication technology that promises unbreakable encryption possibilities. On the other hand, China’s new cybersecurity law has left global business leaders puzzled over their compliance obligations and the safety and cybersecurity of their data and technology infrastructure in China.
Experts in Chinese law and business have remarked that the wording of the new law is vague and open to different interpretations. The business prospects presented by a country with almost 1.4 billion people will generally outweigh those uncertainties for global technology giants such as Apple, which announced that its Chinese data center will be in full compliance with the new Chinese law. Smaller companies that do not have Apple’s resources can only attempt to surmise the meaning and effects of the new law to determine what benefits and drawbacks they face when they do business in China.
On the plus side, the overall purpose of the new Chinese law is to improve privacy protections over personal information and to step up efforts to fight online fraud. The law accomplishes this by imposing obligations on network operators to obtain consents from individuals when their personal data is collected, to maintain logs of cybersecurity incidents and implement plans to address them, to remediate cybersecurity flaws immediately upon discovering them, and to back up and encrypt all data in secure facilities.
One of the major down sides of the law is that it authorizes regulators to conduct security audits of technology products and data storage sites if China’s national security interests are implicated. The law also requires companies to submit network products and services to prior review and authorization before they are sold or provided to consumers in China.Critics argue that these provisions will allow Chinese authorities an unprecedented prior ability to monitor or insert themselves into private transactions.Even more chilling, the law requires that “critical information infrastructure” (“CII”) operators and suppliers maintain a data storage facility within Chinese borders to store all personal information and important data that the CII collects or generates while conducting business within the country. Data transfers outside of the country will be subjected to special security assessments.
From the perspective of an American technology company that seeks to do business in China, the overall unsettling aspect of these features of the new Chinese law is that they remove an element of control that the company might have over electronic data and information that it maintains in its own internal systems. In 2010, for example, Google accused the Chinese government of hacking into its networks to misappropriate sensitive data. From a cynical perspective, the new Chinese law does little more than eliminate the need for any hacking activity. If Chinese authorities want the data, the new law provides almost immediate access to it.
This places American companies in a quandary of wanting to take advantage of the seemingly endless business opportunities in China while remaining able to protect the personal and financial information of their clients, customers, and trading partners. Any misappropriation of data can lead to significant financial losses and liabilities for the entity that lost the data, even if the catalyst for that loss was compliance with the laws of the country in which the company is doing business.
Companies that have decided to conduct business in spite of this quandary can best shield themselves from losses and liabilities with cyber protection insurance. An experienced insurance provider can review the company’s operations in China and frame an insurance policy that specifically covers losses and liabilities from data breaches and cyberattacks that originate with overseas use and storage of data. Cyber protection insurance providers will also be better positioned to monitor how the new Chinese cybersecurity law is implemented and to customize their policies to offer the optimum protection from problems that inadvertently arise as the law takes hold.