On Friday, China’s Ministry of Industry and Information Technology (MIIT) published draft proposals that would formalize data security incident response around a four-level, color-coded classification scheme. The initiative responds to the growing complexity and frequency of data-related incidents in the country.
The framework is intended to strengthen China’s ability to manage data security crises: to contain, mitigate, and resolve incidents caused by unauthorized access to, leakage of, destruction of, or tampering with data. It also sets out to protect the rights of individuals and organizations while serving broader national security interests.
The 25-page document sorts data incidents into four levels by severity and impact. Severity is measured by criteria such as the duration of operational disruption, the size of economic losses, and the number of individuals whose personal data is compromised, so that the required response scales with the potential damage.
Level I incidents, marked red and labeled “especially significant,” cover widespread service outages, disruptions to business operations lasting more than 24 hours, economic losses exceeding one billion yuan, or exposure of the personal information of more than 100 million individuals.
Level II incidents, marked orange, cover shutdowns lasting more than 12 hours, economic losses between 100 million and one billion yuan, or breaches affecting the personal data of more than ten million individuals. Level III, marked yellow, covers operational interruptions exceeding eight hours and losses between 50 million and 100 million yuan.
The lowest tier, Level IV, marked blue, covers minor events: disruptions shorter than eight hours and economic losses under 50 million yuan.
Under the proposals, an affected organization must first assess the incident itself. If the incident is classified at a severe level, the organization must promptly report it to the local industry regulator, without omitting or falsifying information. Where the regulator determines that an incident is especially significant, a stricter reporting protocol applies: an initial report within ten minutes, followed by a detailed written report within 30 minutes.
In addition, when the response level is set at red or orange, the Mechanism Office is required to notify the MIIT. The proposals are open for public comment until January 15, 2024.
The proposals arrive as Zoom introduces an open-source Vulnerability Impact Scoring System (VISS), intended to standardize how the impact of vulnerabilities in software, hardware, and firmware is evaluated. The two efforts differ in scope, one grading incidents and the other grading vulnerabilities, but share the same intent: tiering security events by impact so that response effort can be matched to them.