China Issues Draft Contingency Plan for Data Security Incidents (reuters.com)
China on Friday proposed a four-tier classification to help it respond to data security incidents, highlighting Beijing's concern with large-scale data leaks and hacking within its borders. From a report: The plan, which is currently soliciting opinions from the public, proposes a four-tier, colour-coded system depending on the degree of harm inflicted upon national security, a company's online and information network, or the running of the economy.
According to the plan, incidents that involve losses surpassing 1 billion yuan ($141 million) and affect the personal information of over 100 million people, or the "sensitive" information of over 10 million people, will be classed as "especially grave," to which a red warning must be issued. The plan demands that in response to red and orange warnings, the involved companies and relevant local regulatory authorities must establish a 24-hour work rota to address the incident and MIIT must be notified of the data breach within ten minutes of the incident happening, among other measures.
YOLO (Score:2)
America's financial sector also has a data security process with 4 parts, called YOLO.
They understand what is coming (Score:2)
The rest of the world, not so much. EU KRITIS is a start, but too little too late. We are now entering the phase where software engineering as done up to now (cheap & crappy) is not going to cut it anymore and anybody that cannot upgrade to real engineering will face massive negative economic consequences.
Reporting in 10 minutes? haha no (Score:2)
Good hackers - like the ones employed by the Chinese Communist Party but also some working freelance or for other states - don't get found out in 10 minutes. Maybe in 10 hours... or maybe in 10 months.
Requiring reporting of incidents within 10 minutes of occurrence is ridiculous and impossible. It's a criterion that everyone is guaranteed to fail and therefore gives leeway to prosecute anyone who has an info leak for something, if the CCP wants to prosecute them. Look for plenty of prosecutions, on this par
Re: (Score:2)
I agree 10 minutes is not enough to gather hard facts. Even 24 hours is often too short for that.
But I doubt it is designed as a prosecution tool. Do they really need that to proceed with unfair prosecution?