Share This:

Idyllic fields of corn and soybeans spread out in all directions from a small midwestern manufacturing campus. Tucked within a town of around 20,000 people, the facility seems worlds away.

But a recent data breach on the company’s servers illustrates the rural reach of hackers and shows just how small the world has become. The company, which didn’t want to be identified, imports an internal engine component from a province in China and has a roster of other vendors it does business with in the country.

Had this data breach occurred several months into the future, this firm could have been subjected to financial penalties, not from the United States, but from China.

China introduces the PIPL

Most MSPs are familiar with the GDPR or California’s CCPA. These acts ushered in a new era of data security and awareness. But now, say hello to the Personal Information Protection Law (PIPL) launched by the People’s Republic of China. The PIPL is meant to be China’s answer to GDPR, but its reach is even more far-reaching. Unlike the GDPR, penalties for non-compliance stretch beyond the borders of China and can impact the wallets of overseas companies.

“PIPL wins the award for the most muscular data privacy law,” says Terry Knox, an independent cybersecurity consultant in Sydney, Australia. China’s PIPL goes into effect on November 1, 2021.

“Even though China has been working on it legislatively for a while, the law’s quick passage on August 20 caught a lot of companies off guard,” Knox notes.

The quick timeline the law is on does not give companies much time to prepare. Those that already follow GDPR practices, primarily if they’ve implemented them globally, will have an easier time complying with China’s new requirements.

But firms that have not implemented GDPR practices must consider adopting a similar approach. Additionally, U.S. companies will need to consider the new restrictions on transferring personally identifiable information (PII) from China to the U.S.

“This law is new, and it is still not in effect, but companies that do business with China, even peripherally, should familiarize themselves with PIPL,” Knox advises.

For instance, Article 50 of PIPL (there are 70 articles!) states:  PII processors are to adopt security measures to prevent unauthorized access and protect the PII from data leakage, theft, distortion of deletion. To comply with Article 50, PII processors should adopt security measures to protect the PII collected (e.g., applying data encryption, providing security training and education to employees). Deloitte has many of the provisions of PIPL posted here.

Potential penalties for failing to meet cybersecurity standards

Penalties for not having adequate provisions in place can result in a lawsuit filed against an offender seeking damages.

“We just don’t know how hard the law will be applied yet, but you don’t want to be one of the first places to find out,” Knox states. Penalties include fines up to 5 percent of a business’s total revenue.

“How realistic it is for penalties to be collected remains to be seen, but, again, you don’t want one of your clients being a test case,” Knox continues.

An MSP doing business with a company with a lot of trade with China needs to ensure that any PII is safeguarded with the utmost care as PIPL comes into effect as it’s possible an MSP could get dragged into PIPL’s wide net.

“I definitely could see scenarios where PII is not safeguarded properly, a breach occurs, and the enforcers of PIPL decide to take action against the MSP as well as the company,” Knox predicts.

In addition to stringent cybersecurity safeguards, Articles 51 and 52 stipulate that companies need to designate PII processors (both in or outside of China) to appoint responsible persons to supervise PII processing and protection activities. “The wording of `responsible persons’ is open to interpretation,” Knox says.

The Cybersecurity Administration of China (CAC) will oversee much of PIPL’s implementation right now, to eventually administering security assessments to companies that meet a specific business threshold with China. The PIPL’s exact wording on this is:

“CIOs and PII Processors who meet data volume threshold (to be determined) set by CAC shall pass the security assessment before crossborder data transfer can take place.”

An MSP can implement the most stringent security possible for a China-facing client, but until the law is in place, it is unknown what the security assessment will consist of.”

“The bottom line, there are just a bunch of unknowns right now about PIPL, but MSPs that have China-connected clients should begin to study the law’s provisions now and move quickly to complete any relevant task before the law’s implementation in November,” Knox advises.

Failure to do so could be costly for the MSP.

Photo: ANDRANIK HAKOBYAN / Shutterstock


Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

All Posts

Leave a reply

Your email address will not be published. Required fields are marked *