Where is the difficulty of company data compliance?

The "cat and mouse game" is hidden in the code; coordinating between different laws makes data export difficult

According to data released by the National Internet Emergency Center of China (CNCERT), in October 2021, 9,532 websites in China were tampered with, an increase of nearly 30% over September, and 2,932 websites in China had backdoors implanted, an increase of 2.4% over September.

By website type, .COM domain websites were the most frequent targets of backdoor implantation.

By region, Beijing, Guangdong and Zhejiang had the most websites with implanted backdoors.

  The problem may be much more than that.

In October, in terms of Trojan and botnet activity, the hosts behind nearly 4.42 million IP addresses in China were controlled by Trojans or bots, an increase of 40% over September.

By region, Guangdong, Jiangsu and Henan had the largest numbers of infected hosts.

  Data security issues continue to occur.

On November 8, Robinhood, a US trading app, stated that an intruder had gained access to the company's systems the previous week (November 3) and obtained the personal information of millions of users.

The email addresses of about 5 million users and the full names of another 2 million users were exposed.

For more than 300 users, the intruder obtained more extensive personal information.

After investigation, Robinhood stated on its official website: "We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers, and that there has been no financial loss to any customers as a result of the incident."

Personal information is one of the most visible aspects of data security, and the Robinhood leak is only one small example of a much broader problem.

Besides the risk of leakage from within companies and institutions, external attacks are also a major threat to data security.

In response to such data security risks, China has successively promulgated and implemented relevant laws.

On November 1, the Personal Information Protection Law of the People's Republic of China came into force.

Yang Heqing, deputy director of the Economic Law Office of the Legislative Affairs Commission of the Standing Committee of the National People's Congress, explained that the Personal Information Protection Law establishes the basic principles to be followed in handling personal information, sets out processing rules with "notice and consent" at their core to regulate personal information processing, and provides an open, transparent and predictable legal environment for the use of personal information.

In fact, faced with ubiquitous network data security risks, China has promulgated a series of relevant laws and regulations in recent years.

For example, the Data Security Law of the People's Republic of China came into force on September 1 this year.

The Cybersecurity Law has been in force for four years.

As major sources of risk, are the Internet companies, courier companies and fintech companies that hold large amounts of data ready for the implementation of the new law?

What challenges might they face in doing a good job of risk prevention?

  "Lack of data security awareness"

Wang Yanfei is the co-founder of Beijing Jingshi (Shenzhen) Law Firm and executive dean of its Institute of Data Compliance.

The clients he has worked with include leading platform companies, small and medium-sized Internet companies, and some companies in the real economy.

Wang Yanfei told Xinjing Think Tank that his firm recently took on a new project for a listed manufacturing company. The personal information it handles is very limited, mainly internal employee information, but the company insisted that it must be protected. "Their compliance awareness is very strong, but they are a little too worried."

In fact, many companies, including some giants, still have a weak awareness of data compliance.

Their business models have been running for many years, and their extensive data operations and ways of using information will be hard to change overnight.

"Bosses, executives and employees have not yet reached this level of legal awareness about personal information protection. This may be related to the fact that law enforcement has not kept up," Wang Yanfei said.

Take the express delivery industry as an example. Article 34 of the Interim Regulations on Express Delivery, which came into effect on May 1, 2018, stipulates that companies operating express delivery services shall establish waybill and electronic data management systems, properly keep user information and other electronic data, regularly destroy waybills, and adopt effective technical means to ensure the security of user information.

Xinjing Think Tank observed that some courier companies mask the middle four digits of the mobile phone numbers of both sender and receiver, but other courier companies still print the full mobile phone numbers of sender and receiver on their waybills.

Article 34 also stipulates that companies operating express delivery services and their employees shall not sell, disclose or illegally provide user information obtained in the course of providing express delivery services.

If user information is leaked, or may be leaked, the company operating the express delivery service shall immediately take remedial measures and report to the local postal administration.

Xinjing Think Tank found that user information from some courier companies is still being trafficked.

On November 7, 2021, the Southern Metropolis Daily reported that one of its reporters had contacted multiple sellers through an instant messaging app. One of them, going by the name "Orange", quoted real-time waybills at 3.5 yuan each for orders of more than 1,000, and "fine" (filtered) waybills at 4 yuan each; historical waybills were sold only in the categories of cars, children's clothing and shoes, and cosmetics, at 1.5 yuan each.

Another seller, going by "Wukong", claimed to have hundreds of thousands of historical express waybills on hand, sourced from a logistics "cloud warehouse" (yuncang). To prove it, he sent the reporter a document, sorted into categories such as cosmetics, mother and baby products and clothing, containing the names, purchased products, home addresses and telephone numbers of hundreds of consumers, and even the prices of the products.

Zhu Wei, deputy director of the Communication Law Research Center at China University of Political Science and Law, told Xinjing Think Tank that before the Personal Information Protection Law took effect, encryption and de-identification of waybills could be regarded as an industry best practice, but now that the law is in force, security measures such as encryption and de-identification have become statutory obligations that express platforms must perform, so the privacy waybill function must be enforced.

Zhang Rui, a professor at the School of Cyber Security of the University of Chinese Academy of Sciences, told Xinjing Think Tank that technically this is easy to do. It only requires adding a few lines of code to the source, and is "really simple."
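What those few lines can look like, as an added example that is not code from any courier company or from the experts quoted above: a small Python module that produces a privacy waybill by masking the middle four digits of mobile numbers, as seen on some couriers' labels, and also masks names, street-level address detail and phone numbers repeated in the remarks field. The field names, the sample order and the masking rules are constructed for illustration.

```python
"""Privacy waybill: mask personal information before a courier label is printed.

Added example (not code from the page or from any courier company). The field
names, the sample order and the masking rules are assumptions for illustration;
a real system keeps the full record in the backend under access control and
renders only the masked fields onto the label.
"""
import copy
import re

# Mainland China mobile numbers: 11 digits starting with 1[3-9]. The look-arounds
# stop the pattern from matching inside a longer digit run (e.g. a waybill number).
MOBILE_RE = re.compile(r"(?<!\d)(1[3-9]\d)(\d{4})(\d{4})(?!\d)")

# Heuristic: keep the address up to the most specific administrative division
# (province/city/district/county) and mask the street-level detail after it.
ADMIN_PREFIX_RE = re.compile(r"^(.*[省市区县])")
MASK = "****"


def mask_phone(phone: str) -> str:
    """Mobile: keep the first 3 and last 4 digits. Any other number (landline
    with area code, number with separators): keep only the last four digits."""
    phone = phone.strip()
    if MOBILE_RE.fullmatch(phone):
        return MOBILE_RE.sub(r"\1****\3", phone)
    digit_positions = [i for i, c in enumerate(phone) if c.isdigit()]
    if len(digit_positions) < 4:
        raise ValueError("not a telephone number: %r" % phone)
    keep = set(digit_positions[-4:])
    return "".join("*" if c.isdigit() and i not in keep else c
                   for i, c in enumerate(phone))


def mask_name(name: str) -> str:
    """Keep the first character (the surname in Chinese names), star the rest."""
    name = name.strip()
    return name[:1] + "*" * (len(name) - 1)


def mask_address(address: str) -> str:
    """Keep province/city/district; replace everything after it with the mask.
    If no administrative marker is found, mask the whole address."""
    m = ADMIN_PREFIX_RE.match(address.strip())
    return (m.group(1) if m else "") + MASK


def mask_free_text(text: str) -> str:
    """Remarks often repeat the phone number; mask any mobile number inside."""
    return MOBILE_RE.sub(r"\1****\3", text)


# Personal-information fields on the label and the masking function for each.
PII_FIELDS = {
    "sender_name": mask_name, "sender_phone": mask_phone, "sender_address": mask_address,
    "receiver_name": mask_name, "receiver_phone": mask_phone, "receiver_address": mask_address,
    "remarks": mask_free_text,
}


def privacy_waybill(order: dict) -> dict:
    """Return a copy of the order with every PII field masked for printing.
    Non-PII fields (waybill number, weight, ...) pass through unchanged and the
    input dict is not modified, so the backend record stays intact."""
    label = copy.deepcopy(order)
    for field, masker in PII_FIELDS.items():
        if label.get(field):
            label[field] = masker(label[field])
    return label


# Constructed sample order (not real data).
SAMPLE_ORDER = {
    "waybill_no": "SF1234567890123",
    "weight_kg": 1.2,
    "sender_name": "张三丰",
    "sender_phone": "13812345678",
    "sender_address": "广东省深圳市南山区科技园路88号3栋501",
    "receiver_name": "李雷",
    "receiver_phone": "0755-12345678",
    "receiver_address": "北京市朝阳区建国路1号",
    "remarks": "如无人请联系13900000000",
}

if __name__ == "__main__":
    for key, value in privacy_waybill(SAMPLE_ORDER).items():
        print(f"{key}: {value}")
```

Masking the printed label is the cheap part; it does not replace the encryption of the stored waybill data that Zhu Wei describes as a statutory obligation, and the unmasked record must only be reachable by the courier's own routing systems and the delivery staff who need it.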

The reality, said Liu Wenyin, a distinguished professor at the School of Computer Science of Guangdong University of Technology, is that "the big boss doesn't know about it, and the thing ends up being done badly." Liu told Xinjing Think Tank that when companies try to strengthen the lawfulness and integrated management of company data, employee data and product user data, they sometimes find that even after investing a lot of manpower, some problems still cannot be solved.

  The "cat and mouse game" in the code

Xinjing Think Tank found that with the entry into force of the Personal Information Protection Law, almost all apps and websites have updated their privacy policies, with pop-up windows requiring users to press an "Agree" button.

The awkward fact is that many people may simply tap "Agree" without taking the time to read the privacy policies of these websites or apps.

"I don't read them either, because if you don't agree, the app just exits and you can't use it 'normally'," You Yunting, a senior partner at Shanghai Dabang Law Firm, told Xinjing Think Tank. Whether users read the policy is the user's own business, but application developers and operators must inform users of their rights and obligations; that is their responsibility.

Because business models are so diverse, this cannot be simplified very much; the current model is probably the best that can be done under present circumstances.

Even with the new law in force, there are still technical problems in how companies can achieve "flawless" compliance.

Liu Wenyin noted that foreign media have called China's Personal Information Protection Law "one of the strictest privacy laws in the world."

Before it, the EU's General Data Protection Regulation (GDPR) was known as the strictest privacy law in history.

The Personal Information Protection Law stipulates that the collection and processing of personal information requires the individual's consent. Articles 23, 29 and 39 set out five special scenarios that require the individual's "separate consent", giving users a sufficient "right to know" and "right to decide": individuals have the right to ask for an explanation of specific information about an algorithm, and to know what personal information is being exchanged between two third parties. "Without my authorization, they have no right to use my personal information."

"In many scenarios it is very difficult to obtain 'separate consent'," said Liu Wenyin. "Send an email? Sign by hand? Authenticate in person? How do you resolve this communication automatically, and how do you ensure accuracy and efficiency?" These are all major problems.

However, with an already-developed ecosystem architecture based on "Easy-Login", the website sends the request for "separate consent" to the Easy-Login app, which acts as a trusted user agent or personal information management terminal. After the user clicks "Agree", the app calls the API (application programming interface) deployed at the destination website using the user's account and password for that site. When the destination website receives the call and verifies that the account and password are correct, that proves the user really "agrees", and the whole thing is handled automatically.

Liu Wenyin said that if the user "rejects", a complaint can even be filed automatically with the regulator.

If conditions for automatic "agree" authorization are set in Easy-Login, and each information request is automatically checked against them, qualifying requests can be authorized automatically to improve efficiency, while leaving a log record of "one notice, one consent" as evidence.
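The flow described above, written out as a runnable Python example. This is an added illustration, not Easy-Login's code or API; the message fields, the policy format and the names shop.example, ads.example and alice are assumptions. One deliberate substitution: instead of the agent presenting the user's account password to the destination site, it signs the consent request with a per-user secret the site issued at login (HMAC-SHA256). The site can then confirm that this user answered "agree" to this exact notice without the password travelling in the API call, and it can reject replays, tampered notices and stale notices. The agent's log is the "one notice, one consent" evidence trail, and a notice with no policy match and no explicit answer stays pending rather than being treated as consent.

```python
"""Separate-consent flow via a trusted user agent, with a per-notice log.
Added example; not Easy-Login's code. Message formats are assumptions, and the
password check in the original description is replaced by an HMAC over the
notice using a per-user secret the site issued at login."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class ConsentRequest:
    """The separate notice: who asks, for what, which items, going where."""
    site: str
    purpose: str
    categories: tuple      # personal-information items requested
    recipient: str         # the site itself or a named third party
    cross_border: bool     # data leaves the country
    nonce: str             # one-time value; ties a receipt to this notice only
    issued_at: int         # unix seconds

    def canonical(self) -> bytes:
        return json.dumps(asdict(self), sort_keys=True, ensure_ascii=False).encode()


@dataclass(frozen=True)
class Policy:
    """Conditions under which the agent may answer "agree" without asking."""
    auto_purposes: frozenset
    auto_categories: frozenset
    allow_cross_border: bool = False

    def matches(self, req: ConsentRequest) -> bool:
        return (req.purpose in self.auto_purposes
                and set(req.categories) <= self.auto_categories
                and (self.allow_cross_border or not req.cross_border))


def consent_mac(key: bytes, req: ConsentRequest) -> str:
    return hmac.new(key, b"consent-v1:" + req.canonical(), hashlib.sha256).hexdigest()


def complaint_record(user: str, req: ConsentRequest) -> dict:
    """What the agent would file with the regulator on a rejection."""
    return {"complainant": user, "site": req.site, "purpose": req.purpose,
            "categories": list(req.categories), "cross_border": req.cross_border,
            "filed_at": int(time.time())}


class UserAgent:
    def __init__(self, user: str, policy: Policy, site_keys: dict):
        self.user, self.policy, self.site_keys = user, policy, site_keys
        self.log = []  # one entry per notice: the "one notice, one consent" evidence

    def decide(self, req: ConsentRequest, answer: Optional[str] = None) -> dict:
        """Auto-approve if the policy allows; otherwise use the user's explicit
        answer; with neither, the notice stays pending (silence is not consent)."""
        if self.policy.matches(req):
            decision, how = "agree", "auto"
        elif answer in ("agree", "reject"):
            decision, how = answer, "interactive"
        else:
            decision, how = "pending", "none"
        entry = {"user": self.user, "notice": asdict(req), "decision": decision,
                 "how": how, "at": int(time.time())}
        if decision == "agree":
            entry["signature"] = consent_mac(self.site_keys[req.site], req)
        elif decision == "reject":
            entry["complaint"] = complaint_record(self.user, req)
        self.log.append(entry)
        return entry


class Website:
    MAX_AGE = 300  # seconds a notice stays answerable

    def __init__(self, name: str, user_keys: dict):
        self.name, self.user_keys = name, user_keys
        self.used_nonces = set()

    def new_request(self, purpose, categories, recipient=None, cross_border=False):
        return ConsentRequest(self.name, purpose, tuple(categories), recipient or self.name,
                              cross_border, secrets.token_hex(8), int(time.time()))

    def verify(self, req: ConsentRequest, entry: dict, now: Optional[int] = None) -> bool:
        """Accept only a fresh, unused, correctly signed "agree" for this site."""
        now = int(time.time()) if now is None else now
        if entry.get("decision") != "agree" or req.site != self.name:
            return False
        if req.nonce in self.used_nonces or now - req.issued_at > self.MAX_AGE:
            return False
        key = self.user_keys.get(entry.get("user"))
        if key is None or not hmac.compare_digest(consent_mac(key, req),
                                                   entry.get("signature", "")):
            return False
        self.used_nonces.add(req.nonce)
        return True


def demo() -> dict:
    """Run both sides of the exchange and return the outcomes."""
    key = secrets.token_bytes(32)  # per-user secret issued to the agent at login
    site = Website("shop.example", {"alice": key})
    agent = UserAgent("alice", Policy(frozenset({"order_fulfilment"}),
                                      frozenset({"name", "phone", "address"})),
                      {"shop.example": key})
    r1 = site.new_request("order_fulfilment", ["name", "phone", "address"])
    e1 = agent.decide(r1)  # inside policy: automatic "agree"
    tampered = ConsentRequest(**{**asdict(r1), "categories": ("name", "phone", "id_number"),
                                 "nonce": secrets.token_hex(8)})
    r2 = site.new_request("marketing", ["phone"], recipient="ads.example", cross_border=True)
    e2 = agent.decide(r2)                   # outside policy, no answer: pending
    e3 = agent.decide(r2, answer="reject")  # user rejects: complaint prepared
    r3 = site.new_request("order_fulfilment", ["name"])
    e4 = agent.decide(r3)
    return {"auto": e1["how"], "verified": site.verify(r1, e1),
            "replay": site.verify(r1, e1), "tampered": site.verify(tampered, e1),
            "expired": site.verify(r3, e4, now=r3.issued_at + 301),
            "pending": e2["decision"], "rejected": e3["decision"],
            "complaint": "complaint" in e3, "log_entries": len(agent.log)}
```

The per-site secret in `site_keys` is what the password stood for in the description above; keeping it inside the agent and sending only the MAC means a compromised destination API endpoint never sees a reusable credential.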

However, "many companies still don't know how to automate compliance and implement the rules above, especially how the 'separate consent' rule is to be implemented in practice," Liu Wenyin said, because this is a brand-new rule that is harder to satisfy than ordinary "consent". A separate notice is required so that users know and explicitly authorize with "agree"; a box ticked on the user agreement or privacy policy at the start cannot be treated as a permanent "agree" and "authorize".

Because of these volume and technical difficulties, You Yunting said, in most cases Internet companies will "walk the line": for example, designing products to be deliberately confusing so that, if they come under review, there is room to retreat, and the design can be presented as a model that looks compliant and reasonable.

Why do they do this?

You Yunting said it comes down to the audit capability of the regulators.

Our regulators currently lack the corresponding audit capability, that is, the ability to determine whether a given design by an Internet company is illegal, or, once a data security violation has occurred, to determine the violation, which also requires examining the corresponding product design documents and program source code.

"If law enforcement is to be strengthened, the corresponding data audit capability has to be improved. Who bears the cost?" You Yunting said that if platform companies are made to bear it, it becomes a "cat and mouse game": catch every "mouse" and the "cat" can no longer survive.

  How to export data out of the country

A possibly thornier issue is how to handle data export for companies with foreign-related business.

Wang Yanfei said that, in his experience, companies still have many blind spots on data export that urgently need legal education.

"Many companies don't know what to do for the time being, and some of them are multinationals."

As a university teacher, Liu Wenyin often hears similar confusion from companies in his network security circle.

This is because many companies with business both at home and abroad (or with domestic operations but mainly overseas users) run into the dual problems of "data export" and "personal information protection".

Not only foreign-funded companies but also Chinese-funded companies are involved in this kind of business, such as those with subsidiaries overseas or only trading business overseas.

Taking foreign-funded companies as an example, the China Statistical Yearbook 2021 from the National Bureau of Statistics shows that in 2020 there were 635,400 foreign-invested enterprises in China, a year-on-year increase of 1.3%.

As the digital economy globalizes, digital trade has increasingly become an important part of regional economic and trade agreements, and China's digital trade volume has grown accordingly.

According to the Ministry of Commerce, during the 13th Five-Year Plan period China's digital trade grew from US$200 billion in 2015 to US$294.76 billion (about RMB 2 trillion) in 2020, an increase of 47.4%, and its share of trade in services rose from 30.6% to 44.5%.

"For example, there is an online education app called 'XX Thinking' that collects too much personal information and receives rectification notices from the regulators every few days," Liu Wenyin said. Because many of the app's users are overseas, it must comply not only with Chinese law but also with overseas rules, including the EU's GDPR.

Financial companies also have some problems that urgently need solving.

Wang Yanfei explained that financial companies not only have to fulfil their anti-money-laundering legal responsibilities; a commercial bank registered overseas must also handle information according to the laws of its place of registration, and then coordinate data export among the different laws.

"I think that is a difficult point."

That is not the only problem to be solved.

You Yunting said that when companies are confused about data export, the capacity of our regulators does not match the demand.

That is, when every company involved in data export is required to file with the regulators, can the regulators review and approve the filings in time?

If not, how can companies' data export business proceed?

You Yunting said that the rollout of the new law has indeed raised companies' operating costs, and some companies have experienced a degree of panic, especially those with both domestic and foreign investment.

The companies now coming to lawyers for consultation or compliance work are those with money. A company with thin margins and no cash flow "may just not do it."

  Challenges faced by enterprises in data compliance

Faced with new regulations, what challenges might companies meet in data compliance as they try to protect personal information properly?

Wei Haihan, a data management expert at listed company Suoxinda Holdings Co., Ltd. (hereinafter "Suoxinda"), told Xinjing Think Tank that new regulatory and industry trends have raised the requirements for data security management, and industries like banking still face many challenges in doing it well.

For example, the scope of management is now broader: unstructured data is brought into management, protection of customers' private data has become the focus, hierarchical (classified) management of data security has become necessary, large-scale data desensitization receives more attention, distributed infrastructure needs disaster recovery, and more laws and regulations must be met.

At the same time, financial companies need stronger management capabilities.

Wei Haihan explained that, for example, data security requirements are higher, the impact of data leakage is greater, and comprehensive hierarchical security management has to be carried out over massive volumes of data.

Some new big data products have flaws in their data security design and rely more on the company's own data security management capabilities, and there are more and more requirements for distributed disaster preparedness and recovery.

Without a corresponding "upgrade" in management capabilities, what companies may face is a sharp rise in management costs.

According to IBM's 2021 Cost of a Data Breach Report, released at the end of July this year, the average cost of a data breach rose from US$3.86 million the previous year to US$4.24 million, an increase of nearly 10%.

This is the largest single-year cost increase in the past seven years.

It is also the highest average cost in the 17 years IBM has published the report.

The report further pointed out that data breaches in which remote work was a factor cost on average US$1.07 million more than those in which it was not.

Remote work was a factor in 17.5% of the breaches studied.

In addition, organizations with more than 50% of their workforce working remotely took 58 days longer to identify and contain a breach than organizations with 50% or fewer remote workers.

By industry, the report found that the average total cost of a data breach in healthcare rose from US$7.13 million in 2020 to US$9.23 million in 2021, an increase of nearly 30%.

Healthcare has had the highest data breach costs for 11 consecutive years.

"This requires more advanced management technology," Wei Haihan said, such as using big data technology to gather different types of enterprise security data, identifying potential data security risks and threats, and deploying security protection strategies and technical solutions for unstructured data, distributed data encryption, data desensitization, more comprehensive and flexible data file access control, and infrastructure disaster recovery.

Therefore, Wei Haihan believes, data security management runs through the entire data management system and is tied to building that system as a whole.

From the perspective of overall data management, data security management includes data security management standards, data security incident handling, data security classification, and data security auditing.

"Data security classification is the core of building a data security management system, and data categorization is the foundation and basis for security classification," Wei Haihan said, suggesting that, with system support, the data security classification management system be embedded in platforms such as the metadata platform and the data asset management platform.

Zhang Rui, for his part, said that many platform companies, even technology companies, invest too little in technology, and their systems are not very advanced.

Many companies actually have far fewer advanced R&D staff than they claim; "most of them may be doing physical labour."

Companies doing data compliance work face challenges not only internally but also externally.

You Yunting said that under new laws and regulations such as the Data Security Law and the Personal Information Protection Law, weak law enforcement capacity has also limited companies' development to a certain extent.

For example, some companies have cross-border data needs, but when they consult the relevant departments for guidance, they are told that "this area is temporarily not being dealt with", on the grounds that it falls under "optimizing the business environment".

According to You Yunting, this was his own experience two or three days after the Data Security Law came into effect.

He believes this shows not that the regulators were unprepared, but that once the new law took effect, so many companies suddenly needed to handle data compliance matters that the regulators could not cope.

"They won't take over the (enterprise's) pot. What if you (the enterprise) have problems with this data?"

  Enterprises must have national security thinking

So how can companies achieve compliant operations?

Fang Yu, director of the Internet Law Research Center of the China Academy of Information and Communications Technology, told Xinjing Think Tank that companies must first strengthen their awareness of data compliance.

Many of the rules established by the Personal Information Protection Law are, to some extent, "remedial lessons" for companies. The old business philosophy of "emphasizing development and neglecting protection" needs a major adjustment, and the starting point of that adjustment is forming and strengthening awareness of personal information protection.

"Keep complying continuously," Fang Yu said. Personal information protection is itself dynamic, and compliance is a continuous action. After a company sets its overall framework for personal information protection, it needs to keep carrying out compliance work as technology develops and the business changes, so as to maintain the security of personal information.

From the perspective of technical operations, Liu Wenyin suggested that companies first sort out and inventory their own data assets.

You have to know what (data) you have before you can propose targeted management and compliance strategies.

At the same time, compliance testing should be used to identify the company's own problems, after which appropriate and effective governance and risk management methods and target plans can be formulated, so that compliance is actually implemented and achieved.

"Every step of network security governance and risk management is about reducing security threats," Liu Wenyin believes. After an effective inventory, companies should carry out centralized governance and upgrade it in regular cycles, forming an ecological model.

The chain of network security is very long and mainly involves three elements: people, process and technology.

Therefore, while training staff and optimizing processes, companies also need to improve their technology, especially technologies that optimize processes to reduce human error and technologies that can execute compliance automatically.

For financial institutions, Wei Qiang, a data governance expert at Suoxinda, told Xinjing Think Tank that it is necessary to establish a personal information protection system, clarify responsibilities, standardize work processes, improve IT systems, and design and implement a security protection strategy covering the entire life cycle of personal information, taking measures across the whole process of handling sensitive personal financial information, including collection, transmission, storage, use, deletion and destruction.

"For example, follow the principles of clarity and minimum necessity to regulate the collection of personal information, and use encryption and other security measures when transmitting and storing sensitive personal information to avoid leakage."

Wang Yanfei believes that for data compliance in the new era, companies still need to establish two kinds of thinking.

The first is a national security mindset, which is very important for many companies but which most do not have.

Because the information collected by platform companies includes not only users' personal information but also data such as weather and geography, only with a national security mindset can they avoid crossing the national security "red line" when exporting data.

The second is criminal-risk thinking.

Many entrepreneurs may think that if they can earn 1 billion yuan and the fine is only 30 million yuan, they are willing to take the risk of breaking the law.

But they overlook one thing: the Criminal Law contains several offences involving personal information protection and data security.

Some illegal acts may not end with just a fine. "Several criminal cases we took on last year involved employees of various financial companies exchanging data. They were completely unaware and thought it was reasonable," Wang Yanfei said.

Xue Jun, a professor at Peking University Law School, told Xinjing Think Tank that when companies comply with the Personal Information Protection Law and the Data Security Law, there also needs to be a certain awareness of promoting uniform law enforcement standards, for example by issuing guiding opinions or industry standards.

Only in this way can everyone compete on the same "waterline", under the same compliant standards, and truly promote the healthy development of the industry.

"Especially on the intensity of compliance supervision and the standards for personal information protection, can an integrated and unified law enforcement standard be achieved?"

Fang Yu suggested that, from a regulatory perspective, administrative guidance is particularly important.

Most countries and regions have established specialized agencies for personal information protection, and one of their key roles is to guide personal information protection.

The relative flexibility of administrative guidance can be organically combined with the relative rigidity of the law to help resolve the complexity of personal information protection.

Based on experience from such guidance, mature and generally accepted practices can then be consolidated into regulatory rules.

  Beijing News reporter Xiao Longping and Cha Zhiyuan