China’s MIIT Introduces Color-Coded Action Plan for Data Security Incidents

December 16, 2023 | Newsroom | Cyber Security / Incident Response

China’s Ministry of Industry and Information Technology (MIIT) on Friday revealed draft proposals detailing its plans to address data security incidents in the country using a color-coded system.

The effort is designed to “improve comprehensive response capacity for data security incidents, to ensure timely and effective control, mitigation and elimination of risks and losses caused by data security incidents, to protect the lawful rights and interests of individuals and organizations, and protect national security and the public interest,” the department said.

The 25-page document covers all incidents where data was illegally accessed, leaked, destroyed, or tampered with, categorizing them into four hierarchical levels based on scope and level of damage caused:

  • Red: Level I (“especially significant”), which applies to widespread shutdowns, significant loss of business processing capabilities, disruptions arising from serious anomalies lasting more than 24 hours, major radio interference lasting more than 24 hours, an economic loss of 1 billion yuan, or incidents that affect the personal information of more than 100 million people or the sensitive personal information of more than 10 million people
  • Orange: Level II (“significant”), which applies to closures and interruptions of operation lasting more than 12 hours, major radio interference lasting more than 12 hours, economic losses between 100 million yuan and 1 billion yuan, or incidents that affect the personal information of more than 10 million people or the sensitive personal information of more than 1 million people
  • Yellow: Level III (“large”), which applies to operational interruptions lasting more than eight hours, major radio interference lasting more than eight hours, economic losses between 50 million yuan and 100 million yuan, or incidents that affect the personal information of more than 1 million people or the sensitive personal information of more than 100,000 people
  • Blue: Level IV (“general”), which applies to minor events that cause operational disruptions lasting less than eight hours, economic losses of less than 50 million yuan, or that affect the personal information of fewer than 1 million people or the sensitive personal information of fewer than 100,000 people

The new rules also require affected companies to conduct an assessment to determine the severity of the incident and, if it is deemed serious, to report it immediately to the local industrial management department without removing or concealing any facts or providing any false information.

“If the local industry regulatory department first determines that it is a major or major data security incident, it must be reported to the Mechanism Office in accordance with the requirements of ’10 minutes by telephone and 30 minutes to write’ after learning of the incident,” the draft rules stated.

Based on the response level activated – Red or Orange – the Mechanism Office is expected to report the matter to the MIIT. The draft rules are open for public comments until January 15, 2024.
