Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. Local data protection regulations require data controllers to report such breaches in certain circumstances.
The Personal Information Security Specification (个人信息安全规范, GB/T 35273-2017), a recommended rather than mandatory national standard, sets out recommended steps in the event of a personal data breach, including prompt notification of the affected data subjects with:
- a description of the incident and the impact;
- measures being taken to address the incident;
- advice on how data subjects can prevent and reduce the risk associated with the incident;
- remedies provided to impacted individuals;
- the contact information of the employees in charge of protecting personal information.
Under the Specification, personal information controllers should also report the incident to the authorities as outlined in the National Network Security Incident Emergency Plan. The report should include: the type, quantity and nature of the personal data involved; the potential impact; the measures that have been taken or are being taken to address the incident; and the contact information of those handling the incident.
Under the Cybersecurity Law (Article 42), network operators must take immediate remedial measures and promptly inform data subjects if their personal data is, or may be, disclosed, tampered with or lost. The relevant authorities must also be notified in accordance with applicable regulations.