New Data Privacy Law Will Soon Take Effect in China

China’s new data privacy law, the Personal Information Protection Law (PIPL), was passed on Aug. 20 and will go into effect on Nov. 1. It’s the latest in a series of laws designed to protect the personal data of individuals and increase data security in China. Companies, especially multinationals, should make sure they are in compliance with the new law when it goes into effect.

“The key takeaway of the Personal Information Protection Law is to lay out the comprehensive framework regarding how companies, both inside China and also outside of China—given its extraterritorial jurisdiction—should collect and process personal data, including also the cross-border transfer of data,” said Todd Liao, an attorney with Morgan Lewis in Shanghai. “It’s a comprehensive legal framework to regulate the processing and collection and cross-border transfer of personal information.”

HR Included in New Law

Unlike previous iterations of similar laws, Article 13 of the PIPL includes employees and HR management under the scope of protected personal information. This means personal information related to employment and HR, including compensation and performance review information, cannot be sent out of China unless it is anonymized or informed consent has been given by the employee. This has implications for companies that might have a parent company and an HR department based outside of China.

“We’ve seen situations where clients are looking to put their regional HR outside of China,” said Lesli Ligorner, an attorney with Morgan Lewis in Beijing and Shanghai. “And now they’re actually thinking, because China is their biggest market with their biggest employee population, that they should put that person in China, because it’s easier to have that person review everything in China than to have that person be external to China.”

One way companies can prepare for this change is to update their employee handbooks and consent forms to make sure informed consent is covered in these situations.

PIPL vs. GDPR

The PIPL is similar to the General Data Protection Regulation (GDPR) in the European Union but differs in important ways. Like the GDPR, the PIPL has broad extraterritorial jurisdiction, so even companies with no presence in China could be affected by the new law if they are collecting data from people who are in China.

“Some of the big differences is that GDPR is a little bit more forgiving, in that if the recipient country, for example, has a robust data protection regime, there is the ability to transfer the data without adding in additional protections,” Ligorner said. “China doesn’t have that. … If you are going to send data outside of China, that’s personal data and there are prerequisites before the transfer can legally take place.”

One other difference is that the PIPL “doesn’t do a great deal in terms of restricting government access to information,” said Lester Ross, an attorney with WilmerHale in Beijing. “There are clear provisions which state that government departments cannot go beyond their bounds, but there are exceptions for public security and national security, which lack the requirements for warrants found in the United States or other …

Will More Resignations Lead to Increased Data Theft?

Some say the “Great Resignation” is upon us. According to the Microsoft 2021 Work Trend Index, 40 percent of people plan to change jobs this year. One consequence of all this turnover could be a surge in corporate data loss and exfiltration.

Despite high-profile examples of former employees being sued for data theft, some think nothing of taking data with them to their next employer, according to a report by research firm Aberdeen Group in Waltham, Mass.

Valuable enterprise data is passed around in support of productivity, collaboration and digital transformation, said Derek Brink, an analyst at Aberdeen. “The past three years have shown that potential data loss or exposure is more likely to succeed on endpoints like desktops and laptops than on servers, and it’s getting worse.”

The Aberdeen report found:

The cost of breaches from insiders can be up to 20 percent of annual revenue per year.

75 percent of organizations don’t have consistent, centralized visibility into their environments. Most lack the tools necessary for visibility into how much enterprise file movement the organization has, and how frequently valuable files are exposed by legitimate users carrying out their day-to-day activities.

The average number of daily data exposure events is 13 per user. This is not surprising, given the widespread adoption by insiders of personal cloud-based applications, as well as employee turnover, authorized access by contractors and third parties, and an increasingly hybrid workforce.

At least 1 in 3 (33 percent) of reported data breaches involve an insider.

Digging into the Numbers

Joe Payne, CEO and president of Minneapolis-based insider risk management firm Code42, dug deeper into the issue, reviewing data loss detected by his software against Department of Labor statistics. “Data exposure directly correlated to when people leave jobs,” he said. “We saw 61 percent more data exposure events between April and June 2021 than the previous quarter. Data exposure peaked at the same time as a massive shift in employment turnover. This is not a coincidence and needs to be taken seriously by organizations.”

Looking closer, source code exposure was three times higher during this period than in previous quarters. It accounted for 11 percent of all data exposure events detected in the second quarter of 2021, an 83 percent increase compared to the previous two quarters.

Payne gave the example of a Code42 customer who spotted source code valued at $5 million being taken by a software developer who was in the process of resigning. In this case, the IP theft was prevented by noticing the movement of data in the person’s last days. It’s much easier to take mitigation steps prior to someone’s departure than after an employee has left the organization.

The number of data breaches attributable to insiders is in dispute. Aberdeen says one-third, Payne says two-thirds, and others trot out different numbers. Regardless, everyone can agree that the number is certainly well above 10 percent. Yet 90 percent or more of security budgets are focused on mitigating external attacks. Thus it isn’t always difficult for quitting employees or contractors to …