Breached? You Must Report Within 10 Minutes


China has issued a draft of a new contingency plan for data security incidents that sets very strict deadlines for large breaches.

China recently proposed a four-tier classification to help it respond to data security incidents, highlighting concerns about large-scale data leaks and hacking within Beijing’s borders.

According to Cybernews, this new contingency plan comes at a time of heightened geopolitical tensions with the United States and its allies and follows an incident that occurred last year in which a hacker claimed to have procured a massive amount of personal information on one billion Chinese from the Shanghai police.

The Chinese Ministry of Industry and Information Technology reportedly published a draft plan laying out how local governments and companies should assess and respond to incidents, and it is currently soliciting opinions from the public. The plan proposes a four-tier, color-coded system according to the degree of harm inflicted upon national security, a company’s online and information network, or the running of the economy.

The plan states that incidents that involve losses surpassing 1 billion yuan and affect either the personal information of over 100 million people or the “sensitive” information of over 10 million people will be classed as “especially grave” and issued a red warning.

In response to red and orange warnings, the involved companies and relevant local regulatory authorities must establish a 24-hour plan to address the incident. Furthermore, the Ministry of Industry and Information Technology must be notified of the data breach within ten minutes of the incident happening.

The Ministry of Industry and Information Technology said in a statement: “If the incident is judged to be grave… it should be immediately reported to the local industry regulatory department, no late reporting, false reporting, concealment or omission of reporting is allowed.”