IMCAFS


Inventory of security policies and regulations in 2019

Posted by tzul at 2020-03-06

Introduction:

Faced with the rapid innovation of the Internet economy and the lag in the laws and regulations that govern it, the measures taken this year by the state and by individual industries at the policy and legal levels show that the emphasis on cyberspace security keeps rising. Since China's Cybersecurity Law took effect in 2017, 2019 has brought a new round of intensive cybersecurity policy-making worldwide, including China's Cryptography Law, the Provisions on the Cyber Protection of Children's Personal Information, Vietnam's Cybersecurity Law and other related laws and regulations. The following is our inventory of the major security regulations issued this year.

Domestic security policies and regulations

Cryptography Law of the People's Republic of China

On October 26, the 14th session of the Standing Committee of the 13th National People's Congress voted to adopt the Cryptography Law of the People's Republic of China (hereinafter the "Cryptography Law"), which comes into force on January 1, 2020. The purpose of the Cryptography Law is to standardize the application and management of cryptography, promote the development of the cryptography industry, safeguard network and information security, and raise the scientific, standardized and law-based level of cryptography management. It is the comprehensive, foundational law in the field of cryptography in China. The law has five chapters and forty-four articles. It divides cryptography into core cryptography, ordinary (common) cryptography and commercial cryptography, and regulates the related management systems, legal liabilities and competent authorities for each class.

Provisions on the Cyber Protection of Children's Personal Information

On August 23, the Provisions on the Cyber Protection of Children's Personal Information (hereinafter the "Provisions") were deliberated and approved at an office meeting of the Cyberspace Administration of China (State Internet Information Office), and take effect on October 1, 2019. The Provisions govern activities involving children's personal information online within the territory of the People's Republic of China; assign responsibilities and obligations to "any organization or individual", "network operators", "children's guardians", "Internet industry organizations" and other subjects; cover the whole life cycle of collection, storage, use, transfer and disclosure of children's personal information; set out the principles and specific handling rules for protecting it; and clarify the supervisory responsibilities of the cyberspace administration and other relevant departments as well as liability for violations and their entry into credit records. There are 29 articles in total. Network operators should proactively conduct self-inspection, review their provisions and practices relating to the protection of children's personal information, establish rules and procedures, close any gaps, and ensure that the requirements of the Provisions are met.

Measures for Security Assessment of Personal Information Outbound Transfer

(Draft for comments)

On June 13, the Cyberspace Administration of China issued the Measures for Security Assessment of Personal Information Outbound Transfer (Draft for Comments) (hereinafter the "Measures") for public comment. The Measures implement Article 37 of the Cybersecurity Law and contain 22 articles. In terms of applicable subjects, the Measures target network operators, which covers network owners, managers and network service providers; in practice the most common are operators of websites and apps. In terms of applicable objects, the Measures target personal information collected by websites and apps in the course of their operation in China that is to be transferred abroad.

Measures for Data Security Management

(Draft for comments)

On May 28, the Cyberspace Administration of China issued the Measures for Data Security Management (Draft for Comments) (hereinafter the "Measures"). The Measures are divided into five chapters: general provisions, data collection, data processing and use, data security supervision and management, and supplementary provisions, with 40 articles in total. The Measures raise the practice of some industries to a legal standard and make explicit provisions on frequently raised privacy issues such as personal information collection, web crawling, targeted advertising, apps requesting excessive permissions, and difficulty cancelling accounts. They propose that network operators must not force or mislead personal information subjects into consenting to collection by means of default authorization or bundling of functions, on grounds such as improving service quality, improving user experience, targeted push of information, or developing new products.

Measures for Cybersecurity Review

(Draft for comments)

On May 24, in order to improve the security and controllability of critical information infrastructure and safeguard national security, and in accordance with the National Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China and other laws and regulations, the Cyberspace Administration of China, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security and other departments (12 in total), drafted the Measures for Cybersecurity Review (Draft for Comments) (hereinafter the "Measures"), with 21 articles. For procurement activities submitted for cybersecurity review, the operator must require the product or service provider, through procurement documents, contracts or other binding means, to cooperate with the review, and must agree with the provider that the contract takes effect only after the review is passed. The review focuses on assessing the national security risks that may arise from the procurement. Once the Measures take effect, the Measures for Security Review of Network Products and Services (for Trial Implementation) are repealed at the same time.

Provisions on the Management of Network Security Vulnerabilities

(Draft for comments)

On June 18, in accordance with the National Security Law and the Cybersecurity Law and in order to strengthen the management of network security vulnerabilities, the Ministry of Industry and Information Technology, together with relevant departments, drafted the Provisions on the Management of Network Security Vulnerabilities (Draft for Comments) (hereinafter the "Provisions"), with 12 articles. The Provisions take effect on the date of issuance and apply to all domestic enterprises, organizations and individuals. They include time limits for remediating vulnerabilities, a prohibition on publishing or exploiting vulnerabilities without authorization, a prohibition on publishing vulnerability verification (proof-of-concept) tools without authorization, and the responsibilities of the regulatory authorities. Any organization or individual has the right to report suspected violations of the Provisions to the Ministry of Industry and Information Technology and the Ministry of Public Security.

Measures for the Administration of the Release of Cybersecurity Threat Information

(Draft for comments)

On November 20, in order to standardize the release of cybersecurity threat information, respond effectively to cybersecurity threats and risks, and ensure secure network operation, and in accordance with the Cybersecurity Law of the People's Republic of China and other relevant laws and regulations, the Cyberspace Administration of China, together with the Ministry of Public Security and other relevant departments, drafted the Measures for the Administration of the Release of Cybersecurity Threat Information (Draft for Comments) (hereinafter the "Measures"), with 13 articles. The Measures take effect on the date of promulgation. They require that the release of cybersecurity threat information follow the principles of objectivity, truthfulness, prudence and responsibility; that such information not be used for hype, illegitimate gain or unfair competition; that the content of releases be standardized; and that comprehensive analysis reports be filed in advance with the cyberspace administration and public security organs at or above the local level.

Measures of the Ministry of Water Resources for the Administration of Water Conservancy Network Security

(Trial)

On August 17, in accordance with the Cybersecurity Law of the People's Republic of China, the Network Security and Informatization Office of the Ministry of Water Resources organized the formulation of the Measures for the Administration of Water Conservancy Network Security (Trial) (hereinafter the "Measures"), which were recently reviewed and issued. The Measures have six chapters: general principles; network security planning and construction; network operation security; monitoring, early warning and emergency response; supervision, assessment and accountability; and supplementary provisions. They state that water conservancy network security follows the policy of "active use, scientific development, administration according to law and guaranteed security"; establish three mechanisms (timely discovery of vulnerabilities, timely and effective remediation of vulnerabilities, and strict accountability); require that the multi-level protection scheme for network security be implemented in step with water conservancy informatization planning and construction; and define network security responsibilities during the operation stage.

Special Action Plan for Enhancing Network Data Security Protection Capacity in the Telecommunications and Internet Industries

On July 1, the General Office of the Ministry of Industry and Information Technology issued the Special Action Plan for Enhancing Network Data Security Protection Capacity in the Telecommunications and Internet Industries (hereinafter the "Plan"). The Plan launches a one-year special action to improve the industry's network data security protection capacity, focusing on data security protection for major events such as the 70th anniversary of the founding of the People's Republic of China and on building the industry's network data security framework. It defines work objectives for two stages and puts forward 14 key tasks in five areas: accelerating improvement of the network data security framework and standards; carrying out compliance assessment and special governance; strengthening industry network data security management; building technical protection capacity for network data security through innovation; and strengthening social supervision and communication.

Guiding Opinions on Strengthening Industrial Internet Security

On August 28, the Ministry of Industry and Information Technology, the Ministry of Education, the Ministry of Human Resources and Social Security and other departments (ten in total) jointly issued the Guiding Opinions on Strengthening Industrial Internet Security (hereinafter the "Opinions"). The Opinions call for comprehensively raising the security assurance capability and service level for the innovation and development of the industrial Internet, put forward 17 key tasks in 7 areas, require strict implementation of the Cybersecurity Law of the People's Republic of China and related laws and regulations, and aim to have a relatively complete and reliable industrial Internet security assurance system basically in place by 2025. The Opinions provide a basis and guidance for local competent departments and relevant enterprises and institutions in carrying out industrial Internet security work.

Industrial Internet Network Construction and Promotion Guide

On January 19, the Ministry of Industry and Information Technology officially issued the Guide for the Construction and Promotion of Industrial Internet Networks (hereinafter the "Guide"), aiming to accelerate the establishment and promotion of the industrial Internet network and platform system. According to the Guide, the industrial Internet network is the key infrastructure for comprehensive interconnection of people, machines and things in industrial environments; through it, ubiquitous interconnection of all elements of industry can be realized. The main tasks include formulating standards, cultivating platforms, promoting platforms, building the ecosystem and strengthening management. The Guide sets the overall goal of a relatively complete top-level design for industrial Internet networks by 2020, with the infrastructure and technology industry system initially established, and points out four key development directions.

Guide for the Classification and Grading of Industrial Internet Enterprise Network Security (Trial)

(Draft for comments)

On December 17, in order to implement the Guiding Opinions on Strengthening Industrial Internet Security (hereinafter the "Opinions"), promote the implementation of industrial Internet security responsibilities, apply classified and graded management to the network security of industrial Internet enterprises, and improve industrial Internet security capability and level, the Ministry of Industry and Information Technology drafted the Guide for the Classification and Grading of Industrial Internet Enterprise Network Security (Trial) (hereinafter the "Guide"). The basic principles proposed in the Guide include linking enterprise grading to the potential impact on industry network security, combining industry guidance with local supervision, and combining enterprise self-assessment with verification by territorial authorities. The Guide standardizes the network security grading of networked industrial enterprises; industrial Internet platform enterprises and infrastructure operators are graded according to the grading method of the Measures for the Administration of Communication Network Security Protection.

Provisions on the Ecological Governance of Network Information Content

On December 15, an office meeting of the Cyberspace Administration of China deliberated and approved the Provisions on the Ecological Governance of Network Information Content (hereinafter the "Provisions"), which take effect on March 1, 2020. The Provisions have eight chapters and 42 articles. They define the ecological governance of network information content as the activities carried out by government, enterprises, society, netizens and other subjects, with the cultivation and practice of the core socialist values as the foundation, network information content as the main object of governance, and the goal of establishing and improving a comprehensive network governance system, creating a clean cyberspace and building a healthy network ecosystem, in order to promote positive content and deal with illegal and harmful information. The Provisions clarify the legal responsibilities of producers, service platforms and users of network information content, and improve the systematic rules connecting civil, administrative and criminal liability.

International security policies and regulations

U.S.: Energy Infrastructure Protection Act

On August 16, the U.S. Senate passed the energy infrastructure protection bill (hereinafter the "Act"). The Act establishes a two-year pilot program at the Department of Energy (DOE) national laboratories with the goal of identifying security vulnerabilities in DOE entities and isolating critical grid systems. The techniques and standards to be evaluated include analog and non-digital control systems, purpose-built control systems and physical controls. The Act also calls for a working group tasked with analyzing the solutions proposed by the national laboratories and developing a national strategy for protecting the energy grid.

U.S.: DHS Cyber Hunt and Incident Response Teams Act

On April 8, the U.S. Senate passed the DHS Cyber Hunt and Incident Response Teams Act (S.315) (hereinafter the "Act"), which authorizes the Department of Homeland Security (DHS) to help the private and public sectors resist cyber attacks through cyber hunt and incident response teams. The Act states that the teams' responsibilities include: assisting asset owners and operators in restoring services after cyber incidents; identifying cybersecurity risks and unauthorized cyber activity; developing mitigation strategies to prevent, deter and protect against cybersecurity risks; and recommending that asset owners and operators improve the security of their overall networks and control systems to reduce cybersecurity risk, along with other recommendations as appropriate.

U.S.: Stop Hacks and Improve Electronic Data Security (SHIELD) Act

On July 25, the Governor of the State of New York signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (hereinafter the "Act"), whose provisions take effect 240 days after signing. The Act expands the scope of New York's breach notification legislation, imposes new notification and data security obligations, and extends those obligations to any business that collects or holds the private information of New York residents (the definition of private information is broadened, while publicly available information is excluded). At the same time, an amendment to the identity theft act was signed that takes effect 60 days later: it requires credit reporting agencies that suffer a breach involving Social Security numbers to provide affected individuals with five years of identity theft prevention and mitigation services in specified circumstances.

India: Draft Personal Data Protection Bill 2019

On December 11, India released the draft Personal Data Protection Bill 2019 (hereinafter the "Draft"). The Draft not only allows the government to order businesses to hand over anonymized personal data and non-personal data of citizens, but also gives the government the right to collect citizens' data directly without their consent on the grounds of public interest, and gives the government discretion to exempt any entity or agency from the law's constraints. The Draft also requires businesses to verify a child's age and obtain the consent of the child's parent or guardian before collecting the child's personal data. India will also establish a Data Protection Authority (DPA) to enforce data protection compliance.

Australia: Draft Code of Practice for Internet of Things Security

On December 11, Australia released the draft Code of Practice for securing the Internet of Things (hereinafter the "Draft") and invited public comment until March 1, 2020. The Draft applies to all IoT devices available in Australia, including everyday smart devices connected to the Internet such as smart TVs, watches and smart speakers. It contains 13 principles, the first three of which are given the highest priority: no duplicated default or weak passwords; a vulnerability disclosure policy, with device manufacturers, IoT service providers and app developers providing a public point of contact for reporting issues; and keeping software and firmware securely updated.

Australia: Cyber Security Guide for Small and Medium-Sized Enterprises

On October 10, the Australian Cyber Security Centre (ACSC) issued its cyber security guide for small and medium-sized enterprises (hereinafter the "Guide"), which describes common cyber threats and the measures businesses can take to protect themselves. Designed for small and medium-sized enterprises, the Guide aims to help them understand, act and strengthen their defences against growing cyber threats. It introduces common threats such as malware, phishing emails and ransomware, and lists a variety of preventive measures. The Guide advises against paying ransoms because there is no guarantee that access will be regained; it recommends technical measures such as automatic updates, automatic backups and multi-factor authentication; it recommends access control, passphrases and employee training on the people and process side; and it includes a glossary of security terms for reference.

Russia: Sovereign Internet Law

On November 1, the closely watched Russian "sovereign Internet" law (hereinafter the "Internet Law") came into force. The law gives the Russian government the ability to disconnect the entire country from the global Internet. Signed by President Putin in May, it requires ISPs to install equipment supplied by the authorities for traffic inspection, which could open the door to large-scale surveillance. According to the Russian government, the law is intended to ensure access to Russian sites even when the country is cut off from the global Internet, for example because of cyber attacks or security incidents. The law also allows the Russian authorities to censor online content and monitor Internet users.

Vietnam: Cybersecurity Law

According to AFP, on January 1 Vietnam began enforcing its very strict Cybersecurity Law (hereinafter the "Law"). Under the Law, Internet companies must remove online content the government deems "toxic", and Vietnamese Internet users must not spread anti-government information or distort history online. In addition, international technology companies such as Facebook and Google must open offices in Vietnam to do business there, and must hand over user data when the Vietnamese government requires it. The Law was passed by the National Assembly in June of the previous year. In October of that year, Vietnam's Ministry of Public Security, responding to questions from National Assembly deputies, stated that the Law was promulgated to prevent cyber attacks and to stop "hostile reactionary forces" from using the Internet to incite division and violence. In November of that year, the Ministry issued implementing measures for the Law, requiring the relevant Internet companies to achieve full compliance within 12 months at the latest.