PRC Issues Emergency Response Plan for Data Security Incidents for Trial Implementation

Introduction

On 31 October 2024, the People’s Republic of China (“PRC”) Ministry of Industry and Information Technology (“MIIT”) issued the Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (for Trial Implementation) (the “Emergency Plan”, 工业和信息化领域数据安全事件应急预案(试行)). MIIT also issued a statement on the key issues in the Emergency Plan (“Key Issues”).

The rapid pace of digital transformation is accompanied by the increasing scale and complexity of data flows. This has led to a drastic increase in the number and potential severity of data security risk incidents, which has necessitated an urgent focus on establishing a data security incident emergency management system to improve incident handling capabilities.

MIIT has thus formulated the Emergency Plan to implement the relevant requirements under the “Data Security Law”, “Network Data Security Management Regulations”, and “Data Security Management Measures in the Industrial and Information Technology Sector (Trial)”. The Emergency Plan aims to:

  1. Establish an organisational system for data security incident emergency response in the industrial and information technology sector, clarifying the responsibilities of the relevant regulators and entities;
  2. Detail the requirements for all stages of data security incident emergency response, proposing various mechanisms such as graded warnings, responses, handling, and reporting; and
  3. Specify relevant preventive and safeguard measures according to the needs of data security incident emergency response work.

In this Update, we highlight the key features of the Emergency Plan.

Overview

The Emergency Plan provides guidance for the handling of data security incidents in the industry and information technology sector. Consisting of eight chapters, it covers the following aspects:

  1. Definitions and application: Defining the scope of application of the Emergency Plan and clarifying the relevant concepts and definitions of data security incidents and incident grading.
  2. Responsibilities: Clarifying the organisational system for data security emergency response work and setting out the responsibilities of leading institutions, office institutions, local industry regulatory departments, data processors and emergency support institutions.
  3. Risk monitoring: Setting out the processes and requirements for data security risk monitoring and early warning work.
  4. Emergency response: Setting out the processes and requirements for emergency response work.
  5. Post-incident work: Setting out the requirements for local industry regulatory departments and data processors following emergency work for data security incidents of “major” grade and above.
  6. Five preventive measures: (i) Prevention and protection; (ii) emergency drills; (iii) publicity and training; (iv) development of technical means; and (v) safeguards during major events.
  7. Seven safeguard measures: (i) Responsibility implementation; (ii) rewards and punishments; (iii) funding guarantees; (iv) work coordination; (v) material guarantees; (vi) international cooperation; and (vii) confidentiality management.
  8. Revision and exclusion: Setting out the principles for revision of the Emergency Plan, as well as exclusion clauses.

The Emergency Plan also details the methods for grading data security incidents and provides a template for incident reporting and emergency response flowcharts.

The Emergency Plan provides important clarity regarding the responsibilities of parties in the data security incident response process. In particular, it is a valuable source of guidance for data processors regarding what needs to be done to prevent data security incidents and to respond to such incidents.

Roles and Responsibilities

The Emergency Plan sets out the roles and responsibilities of the relevant regulators and entities:

  • MIIT: The Cybersecurity and Informatisation Leading Group of MIIT is responsible for the leadership of data security incident emergency management work, and for the coordination of major data security incidents.
  • Local authorities: Local industry regulatory departments are responsible for organising and carrying out data security incident emergency response work in their respective regions and sectors, and formulating data security incident emergency plans in accordance with the Emergency Plan.
  • Data processors: Data processors are responsible for the prevention, monitoring, emergency response, and reporting of data security incidents in their organisations, including the formulation of data security incident emergency plans. Parent enterprises should supervise and guide their subordinate organisations in fulfilling the requirements of local management in data security incident emergency response work, as well as coordinate the conduct and reporting of incidents as required.
  • Emergency support institutions: Emergency support institutions are responsible for data security incident prevention and protection, monitoring and early warning, emergency response, and attack tracing work.

Pre-incident Work

The Emergency Plan provides details on how data processors in the industry and information technology sector should carry out early warning and monitoring work for data security incidents. This includes the following measures:

  • Strengthening data security risk monitoring, assessment, and reporting based on the “Data Security Management Measures in the Industrial and Information Technology Sector (Trial)” and the relevant requirements for reporting and sharing data security risk information;
  • Analysing the risk and possibility of data security incidents and their potential impact; and
  • Reporting to the local industry regulatory department if they believe that an incident graded “relatively large” or above may occur.

Emergency Response Work

The Emergency Plan sets out how data processors in the industry and information technology sector should carry out emergency response work for data security incidents. This includes the following measures:

  • Initial handling and reporting: Once a data security incident is discovered, data processors should immediately determine the level of the data security incident based on the impact and harm caused to national security, enterprise network facilities and information systems, production operations, and economic operations. Incidents assessed to be “relatively large” or above should be immediately reported to the local industry regulatory department.
  • Initiating emergency response: After discovering a data security incident, the data processors should immediately enter a state of emergency, take response measures corresponding to the assessed incident level, and carry out data recovery or tracing work. Data processors should perform monitoring and analysis, track the development of the situation, assess the scope of impact and cause of the incident, take effective rectification measures, and report on work progress.
  • Incident summary reporting: After the conclusion of emergency response work for data security incidents graded “major” and above, data processors should investigate the cause of and responsibility for the incident, assess the impact and loss caused, summarise the experience and relevant lessons, propose measures for improvement, and form a summary report for the local industry regulatory department. This should be done in a timely manner.

Next Steps

MIIT has indicated in the Key Issues that it will take steps to implement the Emergency Plan as follows:

  1. Publicity and training: MIIT plans to guide data processors in understanding and implementing the relevant requirements, enhance their awareness of and capability for emergency response to data security incidents, and foster an environment where “everyone talks about safety, and everyone knows emergency response.”
  2. Guidance and support: MIIT intends to encourage organisations to innovate work models for data security incident response, and to increase work support in this regard. It will consolidate the experience and good practices of organisations for practical demonstration, as well as organise emergency drills for practical training.
  3. Supervision and inspection: MIIT plans to guide organisations in refining and formulating their own emergency plans based on their specific needs. It will strengthen supervision and inspection for organisations that do not implement sufficient measures, and commend and encourage those who perform well.

We will continue to monitor the implementation of the Emergency Plan and the relevant laws. For further queries, please feel free to contact our team.