Guideline for Internet Personal Information Security Protection Released for Public Comment

2019.01.04 YUAN, Qiong、WANG, Zihao

On November 30, 2018, one month after the Provisions on Internet Security Supervision and Inspection by Public Security Authorities came into effect, the Cybersecurity Protection Bureau of the Ministry of Public Security released the Guideline for Internet Personal Information Security Protection (the "Guideline") for public comment, which provides guidance to internet companies in establishing and improving their management systems, sets out various technical measures to protect the security of personal information, and details the processes that businesses can take from technical, management and business perspectives as summarized below.


I. Management Systems


The first paragraph of Article 21 of the Cybersecurity Law outlines the general principle that network operators should "develop internal security management systems and operational procedures, determine the persons responsible for network security, and implement the responsibility for network security protection." On the basis of these general principles, the Guideline specifies the requirements for the content, formulation, issuance, implementation, evaluation and improvement of management systems. It also details personnel requirements for organizations in terms of elements including the overall employment structure, staffing, recruitment, dismissal, and performance assessment.


II. Technical Measures


The Guideline explicitly requires internet companies to protect personal information to at least the Level Three requirements of the national standard Information Security Technology Basic Requirements for Security Level Protection of Information Systems (GB/T22239-2008.7) ("Classified Protection Requirements"), and places particular emphasis upon the following three aspects of network security:


1. Network and communication security


The Guideline is very similar to the Classified Protection Requirements. It reiterates, from the perspective of personal information processing systems, some of the specific requirements relating to network structures, data transmission, border protection, access control, intrusion prevention, malicious code, spam, and security audits. For example, the Guideline explicitly requires companies to provide separate network areas for those systems that process personal information, and to base the assignment of addresses to various network areas upon the principles of convenient management and control. Security audits are to be conducted at network boundaries and at key network nodes within the personal information processing system. Audits should encompass every user, all major user activities and significant security incidents.


2. Equipment and calculations


The Guideline for the most part applies Level Three protection requirements to personal information systems, specifying details for items including identity authentication, access control, security audits, intrusion prevention, malicious code prevention, credible program execution, and resource control. The Guideline provides details from various perspectives, requiring, for example, that users logging in to a personal information processing system should be authenticated, that the authentication information should be sophisticated and be regularly updated, and that there should be at least two authentication techniques required for access. There should be clearly delineated levels of access, with administrators requiring minimum authorization to access both the personal information processing system and the equipment that is used to store personal information.


3. Application and data


The Guideline requires that verification or password technology should be adopted to ensure the integrity of important data, including but not limited to authentication and personal information, during its transmission. It requires the provision of local data backup and recovery function for personal information, as well as a remote real-time backup function. Any storage space used for authentication or personal information should be completely cleared before being released or reallocated.


III. Business Process


Section 6 (Business Process) of the Guideline sets out the specific compliance requirements for each step of the data life cycle in accordance with the data protection principles stipulated in the Cybersecurity Law, compared with the Personal Information Security Specification (PI Specification):


1. Personal information collection


The Guideline emphasizes the need for security in the collection of personal information. Prior to collecting personal information, it is necessary to confirm the identity of a person. Personal information should be encrypted during transmission, and kept secure. Detection and filtering mechanisms should be implemented and the submission of illegal content should be prevented.


2. Saving and deleting personal information


Taking as its basis the PI Specification, the Guideline specifies that the holder of personal information should take appropriate management measures. The main equipment used to store personal information should provide backup and recovery functions, and there should be at least one means of backup and different types of backup. Technical measures should be taken to prevent any data deleted under normal circumstances from being restored. Data on any storage equipment that has been decommissioned should be removed before the equipment’s disposal.


3. Third party entrustment


The Guideline indicates that any entrusting party shall sign relevant agreements with the trustee and the entrusting party shall evaluate the data security capability of the trustee.


IV. Our Observations


While the Guideline is broadly consistent in terms of approach and content with laws, regulations and standards such as the Cybersecurity Law, the Classified Protection Requirements and the PI Specification, in certain respects, it goes further, by specifying, explaining and clarifying the relevant regulations. It provides Internet companies with more targeted responsibilities and compliance guidelines in their protection of personal information.


Of some significance, for the first time, the Guideline makes it clear that internet companies’ information systems that relate to personal information will be required to follow at least the Level Three technical and management protection measures of the Classified Protection Requirements. In doing so, it provides clearer, stricter requirements for the management system within a company and for overall security when storing personal information, including position setting and staffing.


It remains to be seen how the Guideline will be finalized, and once issued, applied in practice, and whether the public security authorities will undertake inspections to ascertain whether companies are complying with the network security requirements of the Guideline.
