July 27, 2018 was the deadline to comment on the draft Regulation on Cybersecurity Multi-Level Protection Scheme (MLPS) issued by China’s Ministry of Public Security (MPS) in June this year. The draft MLPS amends the existing MLPS, initially released in 2007, and is incorporated by reference to China’s Cybersecurity Law (CSL) that took effect on June 1, 2017, requiring, among other things, that “network operators” comply with cybersecurity requirements based on the level of risk assigned to them. Because network operators, broadly defined in the CSL as “owners, administrators of the network and network service providers,” could in practice cover any entity operating a computer network in China including an intranet, the draft will, once finalized, present another compliance challenge for multinational corporations.
The classification
The draft MLPS classifies information networks operating in China into five levels (from least to most critical) based on the network’s relative impact on national security, social order, public interest, and individuals’ rights if compromised. For example, the level 1 classification is defined to include networks that, once compromised, could cause damage to individuals’ rights but would not cause damage to public interest, social order, or national security. The level 5 classification is defined as including those networks that, once compromised, could cause severe damage to national security. The network operator will be required to propose a classification based on a self-assessment made during the network design phase. The MPS will confirm the classification or propose a new classification within 10 business days of the date of the submission. Networks with a level 3 classification (critical networks that, once compromised, could cause severe damage to individuals’ rights, serious damage to public interest or social order, or damage to national security) or above classification are subject to heightened special cybersecurity requirements, while all network operators are subject to the routine cybersecurity requirements.
Routine cybersecurity protection obligations
Under the draft MLPS, all network operators must comply with the routine cybersecurity protection obligations, including:
- Designating personnel responsible and accountable for cybersecurity multi-level protection scheme
- Establishing a cybersecurity management system and operational procedures for data centers and computer rooms
- Retaining records for network operations, incidents, and criminal activities for at least six months
- Classifying data and protecting important data through measures such as backups and encryption
- Lawfully collecting, using, and processing personal information
- Reporting cybersecurity incidents to the local MPS within 24 hours of the incident and, if state secrets are involved, to the local state secrets agency
- Although the last requirement imposes a new 24-hour timeline for breach notification, it falls short on detailing the reporting process, including what information should be included in the notification report. Network operators are also required to conduct an annual self-assessment of the implementation status of the MLPS, make timely rectifications, and report the results to the MPS.