3 May, 2018
During 2017, cyberattacks continued to evolve and develop sophistication, exploiting both previously unidentified vulnerabilities and known vulnerabilities in new ways. Ransomware attacks such as Petya and WannaCry put critical functions across the world and across industries on hold, while the Mirai botnet attack, unleashed in late 2016, highlighted the increasing vulnerabilities of networked Internet of Things (or IoT) devices.
In this context, global regulators and legislators continue to implement new measures aimed at tightening cybersecurity and data privacy requirements for corporates. In 2017 alone, new and stringent regulations came into force in China, Australia and New York State, while 2018 has already seen Singapore's new cybersecurity law enacted and Europe's GDPR becoming applicable from 25 May.
The China Cybersecurity Law (“Cybersecurity Law”), which took effect on 1 June 2017, introduced obligations that apply to individuals and organisations deemed to be “network operators” and other, more stringent requirements (e.g. in relation to data localisation and cross-border transfer restrictions) on those deemed to be operators of “critical information infrastructure”.
Over one year after the Cybersecurity Law was first published, the Cyberspace Administration of China ("CAC"), together with other industry regulators and organisations, has released a series of guidelines (some of which are still in draft form) to give clarity on the implementation of the Cybersecurity Law (link here, in Chinese only).
Enforcement activity in relation to possible breaches of the Cybersecurity Law is also underway. This includes:
- a review by the CAC and other regulators of the privacy terms of ten mainstream network products and services providers, including WeChat, Taobao, Alipay, and JD.com, following which these companies also signed a manifesto on personal information protection; and
- the CAC imposing, in September 2017, the maximum fine provided under the Cybersecurity Law (RMB 500,000) on three of China's largest internet companies (Tencent, Baidu and Sina) for failing to fulfil their content management duties in relation to pornography, violence and other banned content on their platforms.
Many countries in Asia have already passed, or are considering passing, strict cybersecurity regulations. While many features of these regulations overlap with those of other global regimes, key differences remain (for example, in breach notification timelines and in data localisation and cross-border transfer requirements).
Because an attack on operations in Singapore is likely also to be felt in London and New York, it will be important for multinational corporates to take a global compliance view and to have in place a holistic compliance and crisis response plan that accounts for the multiple, and sometimes conflicting, regulatory requirements applying in the jurisdictions in which they operate.
Paul Moloney, Partner, Eversheds Sutherland
paulmoloney@eversheds-sutherland.com