As hacking concerns proliferate globally, companies need to take data privacy and cybersecurity extremely seriously, and China is no exception.

The year 2018 saw a number of hacking attacks and data leaks around the world, major companies like Facebook, Google and Best Buy were among the targets. Apart from the embarrassment and impact on the corporate reputation, there was also the risk of monetary loss: Marriott International, for example, was hit by class-action lawsuit seeking $12.5 billion in damages after the hotel disclosed that its guest reservation system was hacked. 

And China is not immune to this phenomenon. “A recent victim was Pinduoduo, a Chinese Nasdaq-listed Internet marketplace that lets people get discounts from merchants, which lost tens of millions of yuan in discount vouchers as its internal system got a bug,” says Yunpeng Su, general counsel of software company Tsinghua Tongfang Co. Ltd. “The pervasive digital infrastructure that has sprung up in recent years has also brought with a number of new risks, underlining the fact that no enterprise can afford to neglect cybersecurity or data privacy compliance.” 

“We have entered an era of ABC: AI, Big Data and cloud computing,” says Jihong Chen, partner at Zhong Lun Law Firm. “Given that digital assets are core assets for enterprises, and the use of data has become an important way tool to beat the competition, a data security breach could financially and reputationally cripple a business.”  

Then there is the issue of compliance. Companies have to keep in mind legislation such as China’s cybersecurity law, which was passed in full on June 1, 2017, and Europe’s General Data Protection Regulation (GDPR), which came into effect on May 25 last year. 

According to Chen, “the GDPR has had a greater impact on Chinese companies than expected.  Firstly, many more Chinese companies are falling within the extraterritorial scope of the GDPR. Secondly, not adhering to a stringent set of regulations set forth by the GDPR runs the risk of a fine of up to 20 million euro ($22.5 million) or 4 percent of the company's total global revenue.”

At the start of 2019, Google was hit with a 50-million-euro fine by the French data protection watchdog, the largest fine so far under the GDPR for a company. “It is still too early to say what enforcement will look like or how aggressive the EU regulator will be, but the simplest takeaway is that breaches will be too costly for most companies,” Chen points out. 

Su adds that “Article 39 of the GDPR also specify the role of the Data Protection Officer (DPO) in an enterprise. We foresee companies hiring DPOs to oversee their data protection strategy and implementation to ensure compliance with GDPR requirements.”

CRIMINAL RISKS

China’s cybersecurity law on that other hand, criminalizes the infringement of citizens’ personal digital information, and also enhances and clarifies existing criminal codes that deal with illicit handling of citizen’s digital persona information. 

“Given China is taking on the ‘Original Sin’ of its Big data industry, top Chinese tech company executives have been arrested since the interpretation was released. A case in point is Datatang (Beijing) Technology Co.,” Chen observes. 

No company would be immune to criminal risks if a data breach happens. And big companies with solid reputations are no exception. They have to plug gaps in a timely manner, says Chen. 

So how should companies manage cyber security incidents or data breaches before they become crises? “Firstly, establish a cybersecurity and data protection mechanism in compliance with the requirements of the regulators,” says Su. “Secondly, follow the recent trends in regulatory enforcement actions. Thirdly, introduce advanced technology to innovate and improve internal security management. Fourthly, have an emergency plan in place for cybersecurity incidents.” 

Tsinghua Tongfang, as a diversified industrial group, adopts a mode of “separate operation,” which means the headquarters empowers all its subordinate companies in decision-making when it comes to their own cybersecurity and data protection programmes. “But when comes to the top-secret military-related companies and some big data-driven industries, a high degree of confidentiality is a must for all subordinate industries. Great care should also be taken when using external vendors like law firms,” Su adds. 

孰能幸免

随着黑客问题在全球蔓延，公司亟待加强网络安全与数据保护，中国自然也不例外。

2018年，全球范围内有多家企业遭遇数据泄露，比如脸书、谷歌、百思买等等。除企业名誉受损外，数据泄露事件也给企业带来巨大财务损失。前不久，万豪国际集团发表声明称其喜达屋旗下酒店的客房预订数据库遭黑客入侵，导致5亿客户数据被泄露，目前正面临集体诉讼和高达125亿美元的索赔。

中国也未能幸免。“因内部系统出现Bug，中国社交电商平台拼多多近期爆发的优惠券漏洞，造成金额达数百亿的损失。近年来，数字产业的蓬勃发展也不可避免暴露出很多新问题，网络安全与数据保护因此一直受到公司的高度重视。”同方股份有限公司总法律顾问苏云鹏指出。

“我们已经跨入ABC时代（人工智能、大数据、云计算），数据资产构成企业的核心资产，数据的应用能力决定企业的市场竞争力，而网络安全和数据安全关乎企业的声誉、价值甚至于生存。” 中伦律师事务所合伙人陈际红律师谈到。

合规是绕不开的，企业也时刻关注网络安全与数据保护相关的重要立法动向，比如2017年6月1日正式生效的《网络安全法》和2018年5月25日宣布正式实施的《欧盟数据保护通用条例》(GPDR)。

在陈际红律师看来，“GDPR对中国企业的影响程度超过原来的想象，概因：一是其扩张型的域外适用效力，众多中国企业会落入GDPR的适用范围之内；二是其规定了苛刻的法律责任，违反GDPR规定，可能导致2000万欧元或者企业全球营业额4%的处罚。”

然而刚进入2019年，法国就以谷歌违反GDPR规定给谷歌开出5000万欧元的罚单，是GDPR实施以来针对一家公司的最大罚单。“尽管如此，GDPR的具体适用细节和执法的普遍力度仍待观察，但对于企业来说，却不能暴露于因合规不足而面临巨额处罚的风险中。”陈际红律师指出。

总法苏云鹏也指出，欧盟GDPR第39条款还对“数据保护官（DPO）”提出了明确要求，企业内部需要有人专门负责数据安全保护已是大势所趋，目前同方股份正在积极研究学习此制度，以确保遵循GDPR相关规则。

刑事风险

2017年6月起施行的《最高人民法院、最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律》（“两高解释”）明确了侵犯公民个人信息罪的具体定罪量刑标准，刑事打击侵害公民个人信息行为的力度更大。

“鉴于中国的大数据产业普遍具有‘原罪’，两高解释发布之后，大数据产业风声鹤唳，经常会听闻某某数据公司高管被抓的消息，数据堂案件就是一个鲜活的案例。”陈际红律师指出。

而企业的数据刑事风险并非与大企业绝缘。一个声誉良好的大企业，一旦出现管理体制上的漏洞，也有可能陷入刑事的陷阱，需及时“补救”漏洞，陈律师提醒道。

企业应如何防范数据泄露等网络安全危机事件的发生？总法苏云鹏认为，首先要依据国内法律建立企业网络安全与数据合规体系；其次要时刻关注最新网络安全与数据保护方面的监管动态；第三要采取技术措施创新和完善企业内部安全管理制度和操作流程；第四要建立网络安全事故的应急处理方案。

同方作为多元化产业集团，采用“分业经营”模式，集团总部对下属产业的网络安全与数据保护进行充分授权，由产业本部根据各自产业特点进行相关战略布局。“其中，军民融合产业和大数据产业由于行业特殊的高度保密性，要求拥有认证的保密资质，对内需要严格遵守相应的保密制度，对外所聘请的律师事务所等专业机构也需具备保密资质，”总法苏云鹏补充道。

To contact the editorial team, please email ALBEditor@thomsonreuters.com.