Lunch & Learn: Recent Challenges for International Technology Companies in China 19 January 2015 Presented By Paul McKenzie and Gordon Milner

Lunch & Learn
- 2nd Monday of each month
- 45 minutes via webinar
- Unaccredited CPD points
- Upcoming topics
  - Monday, 9 February 2015: Anti-corruption Compliance: Minimizing the Supply Chain Risk. Speakers: Alistair Maughan & Kevin Roberts
  - Monday, 9 March 2015: Drafting Effective Arbitration & Dispute Resolution Agreements. Speaker: Gemma Anderson

Today
- Questions at the end. Or e-mail us afterwards.
- Phones are muted to reduce background noise. We'll unmute at the end.

Background

Background 2011-2013
- March, 2011: China's National People's Congress approves 5 Year Plan
  - Sets information security as key priority for 2011-2015; domestic control of hardware and software
- May, 2011: State Internet Information Office set up
- October, 2012: US congressional report on national security risks posed by Huawei
- January, 2013: China's National Information Security Standards Technical Committee (TC260) includes in annual workplan to support information security review process
- June 2013: Snowden disclosures

Background 2014
- January, 2014: Xi sets up Cybersecurity Administration of China (CAC) through restructuring of SIIO
- May 2014:
  - US indictment of PLA officers
  - Market rumour that SOEs told not to use US IT consulting firms
  - Healthcare measures reference national cybersecurity review regime
  - Windows 8 banned from GP market
  - CAC announces coming cybersecurity review rules
- August 2014:
  - Symantec, Kaspersky banned from China GP market
  - Ministry of Industry and Information Security (MIIT) issues Guiding Opinions

Why now?
- Media revelations on activities of security services
  - Snowden disclosures seem to have accelerated Chinese efforts and made Chinese government more vocal
- Tit for tat
  - Huawei / ZTE challenges in US market
  - PLA indictments
- Emergence of local heroes
  - Development of domestic IT companies has made China less dependent on foreign IT.
- And yet.

Existing Regime

Existing Regime
- Heavy media focus on potential new laws
- But current action taken under existing statutory regime
- Existing patchwork of laws, regulations and measures issued by various overlapping authorities including:
  - Cybersecurity Administration of China (CAC)
  - Ministry of Public Security (MPS) / Public Security Bureau (PSB)
  - China Information Security Center (CISCC)
  - State Cryptography Administration (SCA)
- Regulations on the Protection of Computer Information Systems (PCIS Regulations) issued in 1994 provide key framework

Administrative Measures for the Graded Protection of Information Security
- Issued under the PCIS Regulations by MPS in 2007
- Applies to company's own computer systems
- Establishes five grades of information systems based on potential damage a failure could cause
- Different grades have different consequences:
  - Grade 2+ require assessment of risk against national standards and filings with PSB
  - Grade 3+ products need PRC domestic producer and IP rights, declaration of no back doors, and regular inspections by authorized agency
- Examples of impact:
  - Intrusive inspection requests by PSB
  - Chinese entities requiring suppliers to provide source code

Measures on the Administration of Product Testing and Sales Permit of Computer Information System Security Special Products
- Issued under the PCIS Regulations by MPS in 1997
- Covers hardware and software ("Security Products") used for:
  - Physical Security
  - Operational Security
  - Information Security
- China producer or distributor must apply for per product sales permit
- Requires submission of product for testing by Chinese lab
- Need to retest whenever security functions change
- Sale without permit is unlawful
- Inclusion of any harmful data which endangers security of information systems may be a criminal offence
- Easy to miss compliance for non-core functionality and add-ons

Notice on Establishing the National Information Security Product Certification and Accreditation System
- Issued by CISCC and other regulators in 2004
- Covers 13 types of product, including:
  - firewalls
  - backup
  - intrusion detection
- Overlaps with MPS Security Products Measures
  - But technically distinct regime
- Must be certified by CISCC before sale in China
- Technically applies to all sales
  - But no penalties and historically only enforced in Government tendering

New Laws

Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectors
- Issued by MIIT, September 1, 2014
- Calls for strengthening of network security, including through enhanced enforcement of 2010 Measures
- Calls for promotion of use of secure and controllable hardware and software
- Encourages establishment of network security certification systems

Guiding Opinions regarding Application of Secure and Controllable Information Technologies to Strengthen Network Security and Informization of Banking Sector
- Issued by CBRC, MIIT, NDRC, MOST, September 3, 2014
- Priority to secure and controllable information technologies in processing sensitive customer data.
- Initial focus on network equipment, storage, middle-end and low-end servers, information security, maintenance services and word processing software
- Sets goals for individual banks in use of secure and controllable technologies: 15% in 15%; 75% in 2019
- Calls for establishment of cyber security review standards for banking sector
- The Guiding Opinions include general language encouraging indigenous innovation, without providing detail as to how it will be encouraged. At the same time they call for open cooperation

DRAFT Information Security Techniques Basic Requirements Of Security For Cloud Computing Service Provider Of Government Department
- Issued by GAQSIQ and SAC, July 2012
- Applies to provision of cloud computing services to government procurement market
- Sets out various requirements for service providers, including:
  - must be locally incorporated
  - must have passed information security certification
  - data processing, transmission and storage must be undertaken in China
- Stipulates various conditions that must be met by the security technology utilized in provision of cloud services

Other developments (1)
- Administrative Measures on Management of Population Health Information, issued May, 2014 by National Health and Family Planning Commission
  - Requires products utilized in healthcare IT systems to comply with the national cybersecurity review regime
- Security Code of Conduct for Information Security Technology of Information Technology Products Suppliers for Information Technology Products, issued by TC260 for comment, spring 2014
- Draft Self-discipline Convention on Safeguarding User's Network Security by Information Technology Product Suppliers, distributed December 2, 2014 by TC260 and CISCC
  - Limits scope of remote control; requires that users be given ability to disable
  - Prohibits inclusion of backdoor covert interfaces
  - Calls for testing of functions such as data collection and remote control functions in appropriate cases

Other developments (2)
- Cybersecurity review regime
  - Alluded to in various regulations and government pronouncements
  - May 22, 2014: news broadcast by SIIO officials describing basic parameters: focus on data security and controllability of key IT.
  - November 27, 2014: SIIO head comments that the cybersecurity review system will be announced soon; likely not a single document but a system with elements that include legal provisions, policies, national standards and a bureaucratic organization.
  - January 19, 2015: SIIO official comments at an industry meeting that cybersecurity review measures will be submitted for government review in February.

Strategies

Things to Consider
- Business as usual?
  - Review existing business practices and products for compliance
  - Even without new legislation, BAU may not be advisable
- Remote access functionality
  - Query whether to include/disable?
- Avoid discriminatory pricing practices
- Be prepared to disclose
  - Builds trust
  - Will likely be necessary under new Cybersecurity rules
- Consider PRC specific code base

Structuring Strategies
- Go local
- Establish a local presence and employ staff in China
- Set up in Free Trade Zone?
- Show skin in the game
- Simple absentee licensee model becoming less viable
- Joint ventures with customers
- Joint ventures with local partners
- Work with strategic SOEs?
- Operational Partners
- Investment Partners
- Strategic Partners

Marketing Strategies
- Emphasize the long haul
- Focus on China problems
- Or at least market yourself as such
- GE
- Differentiate yourself from the local heroes
- Bring higher tier technologies to China
- Local branding?

Protect Your IP
- Protecting disclosed IP:
- Patents
  - Difficult to obtain software patents in China
  - Consider utility model patents for physical devices
- Copyright Registration?
  - Filing with China Copyright Protection Center (CPCC)
  - Voluntary not mandatory
  - Provides key procedural advantages
  - Rather bureaucratic and cumbersome procedure
  - Historically not heavily used due to concerns over disclosure, but

Any questions?

Lunch & Learn
- Paul D. McKenzie, Managing Partner, Beijing Corporate Practice. T: +86 (10) 59093366. E: PMcKenzie@mofo.com
- Gordon A. Milner, Partner, Hong Kong Technology Transactions Practice. T: +852 25850808. E: GMilner@mofo.com
- Monday, 9 February 2015: Anti-corruption Compliance: Minimizing the Supply Chain Risk. Speakers: Alistair Maughan & Kevin Roberts
- Monday, 9 March 2015: Drafting Effective Arbitration & Dispute Resolution Agreements. Speaker: Gemma Anderson