China introduces four-tier classification for possible data security incidents
Published: Dec 16, 2023 08:48 PM

China has introduced a four-tier classification mechanism in a draft regulation to address possible data security incidents. Industry observers believe the draft highlights the country's comprehensive security strategy, which focuses on promoting industry development while treating security as the bottom line.

The draft, released by the Ministry of Industry and Information Technology (MIIT) on Friday, specifies how the ministry, local industry regulatory departments, data processors, emergency support agencies and expert teams should react to security incidents.

The draft is open for public comment until January 15, 2024. The term "data security incident" refers to incidents in which data is tampered with, destroyed, leaked, or illegally obtained or used, causing harm to national security, the public interest, or the legitimate rights and interests of individuals and organizations.

The draft proposes a four-tier, color-coded warning system based on the harm an incident causes to national security, the public interest, social order and the economy. Ranked from high to low, the tiers are marked red, orange, yellow and blue, corresponding to "extremely grave," "major," "moderate grave" and "general" data security incidents.

If economic losses exceed 1 billion yuan, or the incident involves the personal information of 100 million people or more, or the sensitive personal information of 10 million people or more, the incident should be classified as "extremely grave."

The MIIT draft emphasizes China's comprehensive security strategy, which focuses on promoting industry development while giving priority to security. It is only when we ensure the security of our data that our digital economy can flourish, Li Zonghui, vice president of the Institute of Cyber and Artificial Intelligence Rule of Law affiliated with the Nanjing University of Aeronautics and Astronautics, told the Global Times on Saturday.

This draft coincides with the release of a draft three-year action plan by the National Development and Reform Commission (NDRC) on Friday, which projects that the annual growth rate of the data industry will surpass 20 percent by the end of 2026.

The action plan outlines requirements for developing the data industry in five areas, such as activating the potential of data elements. Among them are 12 key actions, including support for general-purpose artificial intelligence (AI) large models and the training of AI large models in vertical fields. By the end of 2026, the three-year draft plan requires data element application scenarios to be expanded not only in scale but also in depth, creating over 300 exemplary application scenarios.

"In the era of AI and wide integration of data elements, it is difficult to find any sector in our digital economy that can be considered traditional. Even in sectors like agriculture, we've seen the emergence of smart farming. Therefore, in every aspect of our society, from production to daily life, data has become an integral part and no field can be separated from it," Li noted.

Whether in the economic, social, or industrial sectors, the possibility of encountering information security issues always exists, Wang Peng, an associate research fellow from the Beijing Academy of Social Science, told the Global Times on Saturday.

For instance, if there are loopholes in legal and regulatory frameworks, it becomes easier for criminals or unscrupulous businesses to exploit them. From a technical perspective, if the security protection technologies are inadequate, there is also a possibility of system information leakage issues, Wang said. Moreover, the advancement of the nation's hardware devices could also face external blockades. Some computer software system developments may also contain backdoors, resulting in a lack of complete control, he stressed.

Li further said that the draft aligns with the Data Security Law of China and outlines the strategic approach to handling emerging security incidents, making procedures more standardized. It emphasizes the establishment of a coordination mechanism to effectively address these issues. The expert predicted that in the future more comprehensive plans from specific sectors like finance and transportation will be further consolidated.

According to the MIIT draft, once a data security incident is detected, data processors are entitled to make the initial judgment, and if the incident is classified as "moderate grave," "major" or "extremely grave," they should report it to the local industry regulatory department immediately and in a fact-based manner.

For "extremely grave" and "major" incidents, local industry regulatory departments should report to the data contingency mechanism office by phone within 10 minutes or in writing within 30 minutes.

The MIIT draft also requires local industry regulatory departments to conduct drills for possible data security incidents, and data processors are asked to conduct at least one drill a year to improve their response capabilities.

According to the draft, units or individuals who fail to formulate emergency plans or organize emergency drills as required, who delay reporting, provide false reports, conceal important information or omit to report incidents, or who show negligence or dereliction of duty in prevention, early warning and emergency work, shall be interviewed and reported by the industry regulatory department, or be subject to administrative penalties in accordance with laws and regulations.