AlixPartners’ director David White has served as special e-discovery counsel for numerous multinational Fortune 100 companies and has investigated financial fraud as part of the US Department of Justice’s multi-agency bank fraud taskforce. China Business Law Journal taps his knowledge on data localization and other hot security issues.
David White: Data localization refers to legal requirements that data be stored within a certain jurisdiction. These requirements come in a number of different flavours, each driven by a different motivation.
The motivations can be based on national security and defence, cyber security and crime prevention, anti-terrorism and government surveillance, data privacy and protection of citizens, etc. The types of data that are required to be maintained in the jurisdiction, and the way the data must be maintained, are typically driven by the underlying motivations.
For example, laws protecting national security and defence typically prohibit the export of any data that falls within the definition of the regulations. China’s state secret laws, which make the export of any state secret a criminal act, are a well-known example. A lesser-known example is the South Korean prohibition on the export of map data, though any foreigner who has tried to use Google Maps when navigating Seoul has felt its impact.
Where surveillance and law enforcement gaining access to information is the driving motivation, be it for anti-terrorism, stopping cybercrime or other reasons, the laws typically apply to telecoms and internet service provider data. Rather than prohibiting export, they tend only to require that a copy remain within the jurisdiction. Laws focused on data privacy and consumer protection tend to allow export, but with caveats that data will be properly protected after they are transported out of the country.
CBLJ: How do Asian jurisdictions compare with the US or elsewhere with regard to data localization requirements?
David White: In China, for example, the definition of exactly what constitutes a state secret is very vague. The law does provide a very narrow list of items that could potentially be considered state secrets, but then follows with a catch-all provision that includes all “other matters that are classified as state secrets by the national State Secrets Bureau”, with no limitation on what those matters might in fact be.
The outcome is that this vague “state secrets” label allows the government to choose which potential violations to prosecute and which to ignore. In addition to state secrets laws, China also has a wide range of sectoral laws at both the national and regional level that prohibit the export of all sorts of data types. These range from bank account records, health information, accounting records, online payments, credit references and financial transactions, to name but a few.
These latter types of topical localization laws are commonly found across Asia, but are not found in the US. They also include the previously mentioned requirements that copies of certain telecoms and ISP data remain in the country, bans on the removal of mapping data, data relating to critical infrastructure, and even ride-share data.
Finally, we are also seeing an uptick in some countries trying to protect their technology sectors by requiring that certain hardware and infrastructure systems remain in the country if providing services there, and effectively limiting the use of foreign cloud service infrastructure. These are not localization laws, so to speak, but in the end they have the same impact. If the servers must be maintained in country, so too must the data stored on them.
CBLJ: Tell us about asset recovery in relation to cyber fraud, in particular in relation to recovering assets out of China.
David White: Stealing credit cards and personal information to support identity theft is becoming harder and harder for fraudsters. Advances in chip and pin technology, better security protocols, and better fraud detection by banks have all made this type of hacking less lucrative. This has caused criminals to look for payouts in other places, especially where these can lead to direct cash payments. Two areas that are growing are business email compromises (where spoofed or hacked emails are sent mimicking suppliers or vendors in an attempt to lure cash payments from unsuspecting companies), and cryptocurrency exchange hacks (where the actual cryptocurrency coins are stolen from exchanges and then liquidated). Related are the Ponzi fraud-like schemes seen in relation to many initial coin offerings (ICOs) where the operators of the ICO abscond with investor funds for their own enrichment.
All of these schemes typically have an international component to them since both the internet and cryptocurrencies are borderless technologies. This can make asset recovery quite complex.
Typical roadblocks to recovery include:
- Identification and location of assets
- Limited records or information not available in some countries
- Data privacy, bank secrecy laws and data localization laws make investigations and tracking difficult
- Assets held by proxies (relatives, friends, offshore entities, fake companies)
- Classification of asset types and legal status differs across jurisdictions
- Securing assets during proceedings for recovery via freezing orders (burden of proof and standing issues in different jurisdictions)
- Local law enforcement procedures and priorities differ
- Obtaining judgments against unknown or foreign persons
- Enforcement of judgments across multiple jurisdictions (treaties and reciprocity are key)
CBLJ: As of 1 January 2018, all companies with a Chinese business licence – a necessity for operating in the country – were brought into a social credit system through the new licence requirement to have an 18-digit “unified social credit code”. Does this monitoring system, which relies on big data and AI-enabled processes, differ from other nations? And do Chinese/foreign businesses need to be concerned about data security/misuse, in China or elsewhere?
David White: Scoring systems have been around for centuries to help people rate things, including businesses. Around the globe we have many different scoring systems to help measure the health and reliability of companies. Some of these are sponsored by private entities like Michelin Guides and their famous restaurant star system, or websites that use crowdsourced rankings like Pando or Da Zhong Dian Ping.
The unified social credit code is the most comprehensive attempt, however, of scoring all businesses by a national government across all agencies, and is unique to China. While it is called a credit score, and one of its primary functions is eligibility for issuing financial credit, it is very different from more traditional credit reporting systems that solely rely on financial data and payment history to assess a credit applicant’s ability to pay. Here the goal is to have a centralized reporting and tracking mechanism that is cross-functional and ranks companies based on their legal compliance history and social health. Certainly, the system promotes a lot of efficiency.
Before the system was enacted, companies would often have a long list of unique registration numbers each issued by a different regulatory body. They may have a tax registration ID, an import and export registration ID, an industry registration ID and so forth. Each ID then had its own records associated with it, and it was difficult when doing due diligence to cross-reference these if you didn’t know them all. Now each company, foreign or domestic, will have a singular publicly available ID in a singular system that can be referenced and retrieved with ease.
Fundamentally, this system was set up to improve the business environment. For example, a blacklist mechanism was introduced for companies that have large numbers of small violations across the many different regulatory areas. Violations such as unfair trade practices, counterfeiting, fraud and false advertising will be correlated, scored and made public. So long as the measurement criteria remain objective and transparent, the system may reach its intended goals.
The problem with most social scoring systems, however, is their lack of transparency as to the criteria for measurement, and the potential for the introduction of bias into the score calculations. If the system lacks transparency, businesses cannot be assured of the reliability, fairness or legitimacy of the scoring models. Inaccurate, incomplete and illegitimate factors may be used to make decisions about businesses without any oversight or redress, which can have serious long-term consequences.
There is also concern about identity theft. Companies that have their registration numbers hijacked may have significant and stubbornly ongoing errors or omissions affecting their scores. ID theft victims can be seriously affected by social credit scoring because their scores may be incorrect as a direct result of criminal activity. This can cause a range of problems, from being denied services to being tagged as a potential fraudster themselves. Yet even this vulnerable group may have no ability to correct any of their scores.
It is a bit too early to know how transparent and secure the system will be overall once it comes into full implementation in 2020. But these are areas of primary concern for many and upon which the success of the system will depend.
CBLJ: Under China’s new E-commerce Law, in addition to the obligations on all network operators under the Cyber Security Law, e-commerce providers must implement specific technical measures to ensure the security and normal operation of an e-commerce network, and to respond effectively to cyber incidents. What is your opinion of the new law? And how effective is it likely to be with regard to data security/fraud?
David White: China has the world’s largest e-commerce market. According to eMarketer, a leading marketing research group, e-commerce sales in China are expected to surpass US$1.1 billion this year, accounting for almost half of global retail e-commerce sales. E-commerce is also known to be a prime target for hackers who are looking to steal personal data such as credit card and bank account details, addresses, and contact information for identity theft purposes.
Given the confluence of these two factors, it is very good that Chinese lawmakers are so focused on protecting consumers who purchase goods online. They also didn’t rush into this legislation. The law went through multiple draft revisions between being introduced in 2013 and becoming final in August this year. Many companies lack adequate data security controls and breach response plans. This is not only true in China, but everywhere.
So, it is a good thing that legislatures and regulators are starting to require tighter controls and better reporting, and that they are reinforcing this with enforcement. In the US and EU, we are seeing an increase in regulatory enforcement of cybersecurity laws this year, as we are across Asia. For example, recently South Korean regulators conducted an audit of the cybersecurity frameworks of many registered cryptocurrency exchanges with the same goals of consumer protection in mind.
Similarly, last autumn in China an enforcement inspection group was formed under the standing committee of the National People’s Congress to oversee the enforcement of the Cyber Security Law and the Decision on Strengthening Network Information Protection. Six inspection teams were dispatched to carry out inspections in provinces and cities across China, in September and October 2017. They then issued a report and remedial measures were taken. We also saw the first series of fines and reprimands issued under this law late last year for cybersecurity violations.
The new law requires e-commerce platforms to adopt technical or other measures to protect network security and adopt contingency plans for cybersecurity incidents. If a company’s cybersecurity is compromised, it must immediately activate its contingency plan and report the incident to the authorities. In addition, the new law specifically requires that the platform operators must submit relevant e-commerce business data and information when the administrative authorities make such a request in accordance with applicable laws and regulations.
These provisions are generally consistent with those in the Cyber Security Law, both of which should help improve cybersecurity controls and reduce the number of breaches. And where breaches do still occur, consumers should learn about them sooner, so they can react faster to stop potential harm. These measures are all very positive and should help protect e-commerce overall.
The more controversial portions are the data localization measures that require e-commerce platforms to retain all consumer data and transaction records on database systems within China for at least three years. This not only presents challenges for foreign e-commerce companies that process transaction and other data abroad, and for companies that use cloud services to store data, but it can also lead to a reduction in cybersecurity protections in some situations.
Many of the world’s largest e-commerce companies have invested millions and millions of dollars to build highly secure data storage systems. Some of these rely on their ability to fragment data around the globe in an effort to better protect it, as opposed to storing all data in one location. So, forcing these companies to store a copy of this data in China can actually have a detrimental effect on its security.
Smaller companies that cannot afford to set up dedicated infrastructure to support their China operations will be forced to outsource to third parties, which may not have the same level of protection offered by these companies’ purpose-built in-house e-commerce systems. The localization measures may be helpful to provide law enforcement authorities with information they need to crack down on illegal activities such as counterfeiting, fraud, and false advertising, but they will not likely help improve cybersecurity in any way, and may hurt it in some instances.
CBLJ: What kinds of Chinese companies may be subject to GDPR regulation, and how many may not be aware of their obligations with respect to GDPR?
David White: Like many privacy laws across the world, the GDPR was written in a way to ensure that it would not only protect subject data while it is stored in the EU, but that it will also protect data that is moved across borders outside the EU, or that is originally collected outside of the EU as well. Otherwise the law would be toothless and we would see a mass export of all personal data to countries with less strict regulations.
Across most of Europe, the right to the protection of your personal information is seen as a fundamental human right that extends to everyone, regardless of their nationality or physical location, or that of the data. But the jurisdiction of the EU Commission has limits, and it cannot unilaterally make laws that trespass on the sovereignty of other nations without a treaty or other agreement.
Therefore, the GDPR is also limited, and only applies to the private data of natural persons collected in relation to domestic business activities conducted in the EU, or in relation to foreign business activities that specifically target people located in the EU. It also applies to data collected in the EU but transferred to a third country for processing purposes. So, it is possible that multiple different types of Chinese companies may hold data that are subject to these regulations.
If a Chinese company has operations in the EU, the resulting personal data collected are probably subject to the GDPR even if stored on systems in China. If the company specifically targets people in the EU through foreign-language marketing or websites, then the resulting personal data may be subject to the GDPR even if the company has no business operations located in the EU. So, while simply having EU residents come to your hotel, store, or website in China would probably not trigger jurisdiction, actively enticing them to come through targeted marketing, or tracking their behaviour en masse, might do so.
These are just a few examples of the extraterritorial application of the law. There are many others. This is also not unique to GDPR. Most countries’ laws are written this way. So it is very possible to have a customer database on a server in one country and have it be subject to the privacy laws of many different countries all at the same time.
Companies should take time to assess the data in their systems in advance to know which jurisdictions they need to comply with. This analysis can be tricky and time consuming, as it is not just based on the residence of the data subjects but also needs to consider the location of the business activities for which the data were collated. Given the tight timelines of most breach notification requirements found in these laws, it’s advantageous to do this analysis long before a data breach happens, or else you may not have time to respond at all.
CBLJ: How likely is it that data regulations in different jurisdictions will conflict with each other? And if such conflicts happen, how should companies deal with it?
David White: I have seen very few examples where data privacy laws themselves conflict between jurisdictions. Where this most often comes up is in data retention and disposition requirements. One jurisdiction may require data to be kept for a certain period, while another may require that it be deleted after a certain period, and these periods can sometimes conflict. Typically, the deletion requirements contain limitations that excuse deletion if there is another legal obligation to retain the information, however, so companies can easily work around these conflicts.
Where the more troublesome conflicts arise are between data localization laws in one jurisdiction and laws that require data to be transferred to another jurisdiction. This comes up regularly in legal investigations and disputes, where the regulators or courts in one country are demanding copies of certain information, and the laws of the jurisdiction where the data are located prohibit its export. Often companies are stuck between choosing whose laws to break, as compliance with both is impossible.
CBLJ: What advice can you give to Chinese companies in terms of building an effective in-house mechanism for data compliance?
David White: The best advice I can provide to any company, and the place I always start with my clients, is to know your data. The primary driver behind nearly all data privacy and compliance laws is increasing accountability around the collection, use, management, and protection of personal data. Companies cannot begin to be accountable if they do not know what data they are responsible for.
This sounds simple, but the truth is that most companies do not have a full understanding of this across their enterprise. They may understand the core systems and primary data holdings in them, but often have very little insight into all the ways the various business lines are using and sharing this information, and where they are storing it.
When we conduct assessments, we regularly find multiple shadow IT systems set up with cloud service providers by business managers to process data in ways that the IT department never knows about. Companies also struggle to identify all the partners they are sharing data with, and where the data are being stored.
In order to comply with the localization requirements, companies have to fully understand where their partners are hosting and transferring data. Going through the exercise of investigating and documenting all the various personal data collection, use, storage and sharing activities across the company can be an eye-opening experience and is the single-best step toward improved and effective compliance.
You cannot properly manage what you don’t know exists, and the bulk of the cyber and privacy compliance issues we see throughout the region and the globe are the result of data sets or business activities that the compliance and legal teams were wholly unaware of before the issues arose. To avoid this, proactive accountability is required.
CBLJ: With hacking and cyberattacks now so commonplace and at times incredibly well structured, are there any real guarantees that sensitive data can be protected with safety?
David White: Of course there are no guarantees that any data can be protected. Some of the most sophisticated systems in the world have already been hacked. However, there are real steps companies can take to reduce the availability of sensitive data to malicious attackers who get into their systems, and to reduce the likelihood of harm and liability.
One such step is improvement in their information lifecycle governance by ensuring the company does not retain personal information any longer than is required for its current business activities or by law. The bulk of cyberattacks are successful because the attackers were able to access old sensitive data that were left lying about on shared drives or local computers.
There is no use in spending millions of dollars to lock down and routinely test the security of your core data systems, such as your HR database, if you are going to routinely let users download massive exports from these systems and store those on less protected open environments, especially when they are retained long after their useful lifespan.
Many companies have large caches of backup tapes that go back many years, are not encrypted, and that store highly sensitive core business data and personal information. GDPR, and local privacy frameworks modelled after it, attempt to address these issues by requiring that companies only keep personal data for as long as needed for the original purpose for which it was collected, and no longer. This alone will have a very large impact on improving security.
David White is a director at AlixPartners in New York. He specializes in information life cycle governance, with a focus on electronic discovery, data privacy and security, litigation analytics, and regulatory compliance.