
With the global digital transformation, data has become a core asset of companies, and cybersecurity risks have shifted from occasional to systemic threats. Chinese laws provide a complete regulatory chain to address cybersecurity incidents consisting of ‘pre-incident compliance, mid-incident response, and post-incident review and correction’, and companies are obligated to take remedial action, notify users and report to authorities. Failure to comply will result in legal consequences.

Legal framework related to cybersecurity incidents

Following the promulgation of the Cybersecurity Law of the PRC (CSL), the Data Security Law of the PRC (DSL), the Personal Information Protection Law of the PRC (PIPL), and the Regulation on Network Data Security Management, China has gradually established a more comprehensive regulatory framework for cybersecurity. This means increasingly stringent requirements on companies in their response to cybersecurity incidents.

The process of responding to cybersecurity incidents encompasses not only the implementation of technical defence measures, but also the assumption of legal liabilities and the fulfilment of corresponding management obligations. Consequently, companies seeking to establish an effective cybersecurity compliance system must precisely understand the legal connotation of ‘cybersecurity incidents’ and their predominant types.

The legal connotation of ‘cybersecurity incidents’

China has not yet adopted a unified legal definition of ‘cybersecurity incidents’. In Article 1.3 of the National Contingency Plan for Cybersecurity Incidents, a ‘cybersecurity incident’ is defined as an ‘incident that causes harm to the network and information systems or data therein and adversely affects society due to human factors, hardware or software defects or failures, natural disasters, etc.’

Based on the CSL, the National Contingency Plan for Cybersecurity Incidents and other relevant regulations, cybersecurity incidents in China can be categorised into the following major types:

  • Cyberattack incidents, involving acts by hackers or malicious entities who exploit technological means to disrupt systems or steal information. Common forms include network scanning, phishing attacks and vulnerability exploitation, often accompanied by ransomware or illicit data trading.
  • Malicious software incidents, referring to the deliberate creation or dissemination of programmes such as viruses, worms, trojans or ransomware, which are designed to damage data, systems or network functionality.
  • Data security incidents, involving the tampering, leakage, or theft of data, which are realised through technical intrusions or social engineering techniques, such as data interception or impersonation.
  • Device and infrastructure failure incidents arising from network malfunctions, equipment damage or physical interference. These may include technical failures, physical destruction or electromagnetic disturbances.
  • Information content security incidents, primarily involving the dissemination of harmful information that endangers national security or social stability such as subversive propaganda, terrorist content or online fraud.

In addition to the above-mentioned security incidents, other categories include incidents arising from non-compliant operations, potential security vulnerabilities, anomalous behaviours and force majeure events.

Applicable laws and regulations

General provisions

The CSL, DSL and PIPL form a multidimensional compliance framework from the perspectives of cybersecurity protection, data security management and personal information protection. These instruments require companies, as network operators, data processors or personal information processors, to develop contingency mechanisms, conduct risk monitoring and implement measures to respond appropriately to cybersecurity incidents. The Regulation on Network Data Security Management specifies more detailed obligations, such as the content and means of notification about cybersecurity incidents, as well as the duty to report to public security authorities upon discovering evidence of illegal or criminal conduct. The Administrative Measures for Cybersecurity Incident Reporting (Draft for Comment) establishes classification and grading standards for cybersecurity incidents and the reporting procedures, requiring operators to file a preliminary report within one hour after the incident.

Other laws and regulations also provide protection for individuals whose rights and interests are impaired by cybersecurity incidents. For example, the Civil Code of the PRC (the Civil Code) establishes the foundational civil protection regime for personal information rights, clarifying privacy rights and rules for the processing of personal information, and providing a legal basis for determining liability in cases of data-related torts. The Criminal Law of the PRC (the Criminal Law) prescribes criminal sanctions for offences such as the unlawful acquisition of personal information and the destruction of data.

Sector-specific provisions

  • Financial sector: The Administrative Measures for Data Security of Banking and Insurance Institutions requires the monitoring of data security threats and mandates annual data security risk assessments. In the event of major data security incidents, institutions shall conduct special audits. The Administrative Measures for Cybersecurity Incident Reporting in the Business Areas of the PRC (Draft for Comment) provides a classification system tailored to the financial sector and specifies the reporting content.
  • Industrial and information technology sector: The Administrative Measures on Data Security in the Field of Industry and Information Technology (Trial) tasks the Ministry of Industry and Information Technology with formulating contingency plans for data security incidents in the industrial domain and delineates the hierarchical reporting structure for data security incidents of varying risk levels.
  • Additionally, the Security Protection Regulations for Critical Information Infrastructure impose requirements on entities in key sectors such as public communications and information services, energy, transportation, water resources, finance, public services, e-government and national defence technology industries. These include obligations related to security threat detection, risk assessments and incident reporting for network facilities and information systems.

Legal obligations of companies to respond to cybersecurity incidents

Pre-incident compliance

Formulation of contingency plans for cybersecurity incidents

Companies are obliged to formulate contingency plans for cybersecurity incidents. The contents include, but are not limited to: defining the types of cybersecurity incidents with high relevance to the business of the company, constructing the internal contingency organisation and workflow, clarifying the requirements of internal confidentiality and external release of information, the procedure for reporting and notification of the incident, and the requirements for post-incident review and document recording. The National Contingency Plan for Cybersecurity Incidents classifies warnings into four levels (especially major, major, relatively major and general). Companies can also devise corresponding plans in accordance with the severity of the incident.

Requirements for emergency drills

Companies need to optimise their contingency plans through regular drills to ensure rapid response, effective handling and system recovery when an incident occurs. In terms of form, companies can adopt tabletop rehearsals, simulation rehearsals and practical exercises, designing scripts for cybersecurity incidents. These exercises are led by the emergency response organisation and can be carried out jointly with a third-party consultant if necessary. During the process, companies can simulate cybersecurity incident scenarios and related sub-scenarios, such as vulnerabilities in the system, ransom demands, consumer complaints and inquiries from regulatory authorities. Members of the emergency response organisation activate their respective workflows (such as taking remedial measures, reporting to regulatory authorities, notifying users and others) and produce the corresponding written materials. Companies are required to record the exercise process, review and summarise it, and improve the contingency plan after the exercise.

Periodic risk assessments

Important data processors shall, in accordance with the relevant provisions, carry out risk assessment on their data processing activities on a regular basis and submit a risk assessment report to the relevant competent authority.

Establishment of complaints and reporting mechanisms

A network operator shall establish network information security complaint and reporting mechanisms and shall release the complaint and reporting channels to promptly accept and settle complaints and reports concerning network information security.

Mid-incident response

Adoption of remedial measures

Companies are obliged to undertake remedial measures in accordance with the type of cybersecurity incident, which involves tracing the cause, assessing the technical measures that need to be taken, and so on. For instance, in the event of unauthorised access to an information system by a third party, it is imperative to immediately terminate the third party’s access privileges, query the affected user accounts, modify user privileges and monitor other access records in the system.

Fulfilment of incident reporting obligations

Reporting recipients

The territorial and higher-level cyberspace administration authorities (when necessary); public security departments (if necessary); and relevant industry regulators (if necessary; for example, banking and insurance institutions shall report to the National Financial Regulatory Administration or its local offices).

Time frame requirements

Time limits depend on the severity of the incident. Where a network data processor is engaged in activities pertaining to national security or the public interest, the competent authorities shall be notified within 24 hours.

Content of reports

The specific requirements provided by the regulatory authorities shall include: contact details of the entity involved; basic information regarding relevant facilities and systems; the time, location, type and impact of the incident; measures already taken (with ransom details attached for ransomware attacks); anticipated developments (e.g., the nature and potential harm of any leaked information); the preliminary cause of the incident; investigative leads (e.g., information about the attacker, etc.); follow-up response measures; on-site preservation of evidence; and any other relevant information.

Fulfilment of users’ notification obligations

NIO, a Chinese EV company, was once subjected to extortion by hackers following a data breach. Although its statement explained the cause of the incident, its reporting to regulators and the scope of the leaked data (including personal information of some users and vehicle sales information before August 2021), users were dissatisfied with its failure to disclose the details of the leaked information (e.g., whether names, phone numbers, ID card numbers and other precise identification information were involved). Companies should fulfil their notification obligations from the users’ perspective, clearly explaining the impact of the incident, countermeasures, compensation mechanisms (if any) and follow-up prevention programmes, in order to enhance users’ trust.

Evidence collection and investigation

Companies have a statutory obligation to cooperate with forensics in cybersecurity incident response, including the preservation of incident-related releases and log information, and the truthful provision of evidence when necessary.

Post-incident review

Incident investigation and cause analysis

Companies should organise professional teams and use technical means to identify the causes of cybersecurity incidents, including factors such as system vulnerabilities, employee operational errors or external attacks.

Restoration of the cybersecurity system and staff training

In response to the system vulnerabilities and security flaws found in the incident, companies should make timely repairs and update the software and hardware of their cybersecurity systems to strictly prevent the recurrence of such incidents. Furthermore, it is imperative to organise regular training and drills to enhance employees’ cybersecurity awareness and response ability towards cybersecurity incidents.

Summary reports and accountability

Companies should review and summarise the entire incident, prepare a detailed incident report for submission to the regulatory authorities, review the response to the incident and revise the contingency plans if necessary. At the same time, internal accountability and external judicial remedies should be initiated to define the responsibilities of all parties.

Administrative regulation of cybersecurity incidents

Administrative oversight plays a crucial role in cybersecurity governance by regulating market entities’ behaviour, enhancing security capabilities, minimising incidents and ensuring swift responses when breaches occur. Regulatory authorities monitor the implementation of cybersecurity management measures by companies through law enforcement inspections, administrative penalties and other means, and urge them to fulfil their legal obligations.

Regulatory authorities and duties

Administrative supervision of cybersecurity in China is a multisectoral endeavour: the Cyberspace Administration of China coordinates the development of policies and oversees the response to major cybersecurity incidents. The public security authorities investigate and deal with cybercrime. The Ministry of Industry and Information Technology and the Communications Regulatory Administration are responsible for the security of infrastructure and communications data. The relevant industry regulatory authorities of financial, medical and other sectors carry out industry supervision.

The current status of administrative supervision

Typical types of administrative sanctions

In accordance with the prevailing laws and regulations in China, companies that fail to fulfil the above obligations may face penalties such as an order to make corrections, a warning and confiscation of unlawful proceeds. Applications involving the processing of personal information in violation of the law will be ordered to suspend or terminate the provision of services, and when the company refuses to correct the situation or when it leads to consequences such as endangering cybersecurity, the company and its directly responsible supervisors and other persons directly in charge may be fined or face even more severe penalties.

Summary of reasons for sanctions

Failure to develop a cybersecurity incident contingency plan

Companies are under an obligation to develop contingency plans for cybersecurity incidents before any such events occur. In a 2025 enforcement case published on the ‘Qinghai Cyber Police’ subscription account, an administrative warning was issued to an entity that had failed to implement adequate rectification measures and had not established a cybersecurity incident contingency plan.

Failure to fulfil data and cybersecurity management obligations

Companies often suffer from data leakage due to insufficient technical measures, such as unauthorised access to databases, failure to implement the multi-level protection scheme (MLPS), retaining logs for less than six months (deleting logs on a daily basis) and failing to carry out vulnerability scans on a regular basis. Typical cases include attackers using configuration loopholes to download sensitive data, or information being maliciously tampered with due to inadequate protection of system cybersecurity.

Inadequate regulation of content on the platform

There are enforcement cases in which platforms have been penalised for inadequate fulfilment of their obligations. For example, some platforms failed to fulfil their main responsibilities by generating illegal information, or by failing to take effective blocking measures against malicious programmes, gambling and fraud, obscene and pornographic content and phishing websites, thus directly harming the rights and interests of users.

Analysis of regulatory trends

According to ISACA’s 2024 Cybersecurity Current Status Report, surveyed organisations experienced an increased frequency of cyberattacks in 2024. Similarly, the 2024 Research Report on Data Security Risks in Government and Enterprise indicated that major global data leakage incidents in 2024 resulted in the leakage of approximately 47.16 billion data records, with a year-on-year increase of 354.3 per cent.

On the one hand, Chinese regulatory authorities continued to intensify law enforcement efforts throughout 2024 in areas such as cybersecurity, data security, and personal information protection. Unlawful or non-compliant acts, including failing to fulfil cybersecurity and data protection obligations, or failing to address system vulnerabilities in a timely manner resulting in cyberattacks or data leaks, were subject to investigation and sanction.

On the other hand, the Cybersecurity Law of the PRC (Draft Amendment for Second Comment), released on 28 March 2025, further underscores the cybersecurity protection obligations of network operators, such as the implementation of preventive technical measures and the formulation of contingency plans. In addition, consequence-based grading (e.g., data leakage or loss of functions) is introduced into the penalty mechanism for companies that fail to fulfil relevant obligations, so as to realise differentiated penalties and increase legal liability related to cybersecurity operations. Overall, the enforcement and regulatory regime surrounding cybersecurity in China is becoming increasingly regularised and stringent.

Judicial remedies involved in cybersecurity incidents

After a company experiences a data or cybersecurity incident, the rights and interests of affected individuals may be harmed. In addition to administrative liability, laws and regulations such as the Civil Code and the PIPL provide civil remedies to protect users’ rights. For acts that constitute a crime, Chinese judicial authorities will pursue criminal liability in accordance with the Criminal Law.

Civil private remedies

When an individual’s personal information is leaked due to a company’s failure to fulfil its security obligations, resulting in harm to their personal information rights, the individual has the right to file a lawsuit against the company and seek liability for infringement.

In terms of the legal basis, prior to the implementation of the PIPL, judicial practice largely relied on the Decision on Strengthening the Protection of Network Information and the Law of the PRC on the Protection of Consumer Rights and Interests to safeguard users’ personal information, with most related cases categorised as privacy disputes. After the PIPL came into effect on 1 November 2021, individuals can directly invoke this law to assert their rights when their personal information rights are harmed. The Supreme People’s Court of the PRC has also revised the relevant cause of action in civil cases, changing ‘privacy disputes’ to ‘disputes over privacy and personal information protection’.

In terms of establishing tort liability, the principle of presumed negligence liability has applied both before and after the implementation of the PIPL. This means that in personal information infringement cases the individual shall initially provide evidence to show that the personal information processor engaged in unlawful conduct, that damage occurred and that there is a causal link between the unlawful conduct and the damage. The burden then shifts to the personal information processor, who shall prove that they have not committed negligence. Otherwise, they will bear the adverse consequences. The contingency plans and notification records related to the cybersecurity incident during the period in question not only serve as key evidence for processors to prove they have not committed negligence, but also as important factors to refute the causal relationship between the unlawful act and the resulting damage.

In 2014, a person named Pang commissioned Lu to purchase a China Eastern Airlines ticket through Qunar.com, operated by Beijing Quna Information Technology Co., Ltd. (Qunar). Despite not providing contact information, Pang received a phishing message claiming the flight had been cancelled. Pang filed a lawsuit against Qunar and China Eastern Airlines, alleging the leak of personal information. In 2017, the appellate court found that both Qunar and China Eastern Airlines had been frequently accused of leaking passenger information before and after the incident, which strengthened the likelihood that Pang’s personal information had been leaked by them. Additionally, under Article 29 of the Law of the PRC on the Protection of Consumer Rights and Interests, both companies had a duty to protect the personal information they possessed. However, they failed to prove that they had taken effective measures to address potential information security management vulnerabilities. Their negligence in prevention led to the leakage of Pang’s information, and thus they were found at fault.

In 2021, Xue filled in personal delivery information on an online shopping platform to purchase snacks. Soon after, Xue received a call from an overseas fraud syndicate, which knew the delivery tracking number, delivery nickname, Alipay account and other details of Xue’s purchase. Xue filed a lawsuit, claiming that the online platform had leaked his personal information. In 2023, the Hangzhou Internet Court rejected Xue’s claim. Regarding the standard of proof for the personal information processor’s lack of negligence, the Hangzhou Internet Court proposed the following:

  • there was no violation of the applicable legal regulations related to personal information processing rules (i.e., the personal information processing rules in Chapter 2 of the PIPL);
  • necessary measures for personal information protection relevant to the processing behaviour in question were taken, and there was no violation of legal regulations related to information security protection obligations and impact assessment duties (e.g., Article 51 of the PIPL, including whether remedial measures and notification obligations were fulfilled in the case of a personal information security incident); and
  • the required security obligations directly related to the specific processing behaviour were fulfilled.

In considering the factors that lead to a high probability of a causal relationship between the unlawful conduct of the personal information processor and the resulting damage, the Hangzhou Internet Court focused on the following aspects of the leaked personal information:

  • the scope and extent of the personal information controlled by the personal information processor;
  • the possibility of other parties having access to the information;
  • the relationship between the timing and the process stages of the information leak and the timing of the relevant individual personal information processing behaviour;
  • the protective mechanisms and specific measures taken by the personal information processor at the time of the incident; and
  • whether similar personal information leakage incidents occurred during the relevant period.

In addition, if a company becomes a tool for a third party’s infringement (such as the leakage of personal information), the timely remedial measures it takes can serve as important evidence to demonstrate its fulfilment of interim response obligations. In 2022, an income certificate belonging to Yang was posted online. A user of a recruitment platform, Hao, took a screenshot of Yang’s resume and disseminated it, resulting in the exposure of Yang’s personal information. Yang filed a lawsuit for online infringement against Hao, Hao’s company and the recruitment platform. The Beijing Internet Court found that the recruitment platform had not committed negligence, as it had disabled Hao’s account after discovering the infringement and had provided the relevant account information.

From the above case, in personal information protection disputes, a company’s preventive measures taken before a cybersecurity incident, as well as remedial actions, notification plans and disabling measures taken during and after the incident, can all serve as supporting materials in defending against liability. Accordingly, companies should pay close attention to maintaining records and evidence of their compliance with personal information protection obligations and their response to cybersecurity incidents, if any.

Criminal liability

If the occurrence and impact of a data leakage or other cybersecurity incidents are connected to a company’s unlawful conduct, the company, as a personal information processor, may not only be a victim, but also the perpetrator of a crime for its violations.

On the one hand, companies may bear information security management obligations due to the network services they provide, such as online storage, transmission, information publishing, e-commerce, search engines and so on. If a company fails to fulfil this obligation and refuses to make corrections after being ordered to do so by regulatory authorities, resulting in a user information leak with serious consequences, it may constitute the crime of ‘refusal to perform information security management obligations’. The specific circumstances constituting the crime depend on the nature and quantity of the leaked user information. For example, if more than 500 pieces of sensitive information, such as location data, communications, credit information or property information, are leaked, it would be considered a ‘serious consequence.’ It is important to note that this provision regulates not only companies themselves but also directly targets individuals with direct responsibility for cybersecurity and the principal persons in charge within the company.

On the other hand, if an internal employee of a company unlawfully discloses personal information or other important data processed by the company, and the company allows such a person to access this information with knowledge, the company may be held criminally liable as a legal entity (unit crime). The specific criminal offence would depend on the nature of the unlawful conduct, such as the crime of infringing on citizens’ personal information or the crime of illegally providing state secrets. Whether the act constitutes a crime will be determined based on factors such as the nature of the information involved, the nature of the conduct and the quantity of the data. For example, if a person knows or should have known that another individual is using personal information to commit a crime and still sells or provides such information to them, this would be considered a ‘serious circumstance’.

In addition, in 2025, personal information-related criminal activities, including the sale of citizens’ personal information through domestic or overseas channels, and cases involving information leakage, cyberattacks, and data theft, will be a key focus of China’s regulatory authorities. Agencies such as the Cyberspace Administration of China and the Ministry of Public Security will launch targeted campaigns to intensively address these issues.

Civil public interest litigation

When a cybersecurity incident occurs, users’ control over their personal information is, to some extent, compromised, and the company’s response plan may directly impact user rights. If the company responds passively or in a way that makes it more difficult for users to defend their rights, users may find it difficult to obtain compensation through personal litigation, despite the PIPL granting individuals the right to directly file lawsuits to hold companies accountable. This is often due to factors such as the information asymmetry between individuals and companies, which limits users’ ability to prove causation in the liability process.

To address this, the PIPL allows civil public interest litigation to be initiated by the people’s procuratorate, consumer organisations as prescribed by law, or organisations designated by the Cyberspace Administration of China, when the illegal processing of personal information by a company harms the rights of many individuals. The consumer organisations prescribed by law refer to the China Consumers Association and the consumer associations established in provinces, autonomous regions and municipalities. As for organisations designated by the Cyberspace Administration of China, there is currently no clear definition. Procuratorates may also file supplementary civil public interest litigation when handling criminal cases involving the unlawful processing of citizens’ personal information, to protect the rights of the broader public.

In current judicial practice in the field of personal information protection, procuratorates choose to file civil public interest litigation in over 96 per cent of cases, with criminal cases accompanied by civil public interest litigation being the most common and administrative public interest litigation remaining rare. As for the types of cases targeted, there has not yet been a civil public interest lawsuit filed in China for data leakage resulting from third-party cyberattacks. Most cases involve employees or companies themselves engaging in personal information infringement, for which the procuratorate initiates civil public interest litigation.

Compliance solution

The response to cybersecurity incidents relies on pre-incident compliance measures, mid-incident response and post-incident review and correction. In light of the considerations that courts take into account when determining the fulfilment of companies’ compliance obligations in personal information protection disputes, companies can assess their current compliance status from the following aspects and make improvements when necessary.

Pre-incident security management

In addition to contingency plans, the establishment of a data and network security management system is a part of pre-incident cybersecurity and data security prevention actions.

On one hand, companies need to comply with laws and regulations such as the PIPL, the CSL and the DSL to establish a cybersecurity management system. For example, companies should develop data and cybersecurity management systems, operational procedures and implement relevant management institutions, responsible individuals, duties and working mechanisms. They should also reasonably define data processing permissions and obtain certificates relating to data and cybersecurity.

On the other hand, companies need to implement specific security measures related to data processing activities and ensure that these requirements are met through technical solutions. For example, companies should obtain the legal bases of data processing, encrypt data, conduct necessary de-identification, retain network logs, implement MLPS, conduct security impact assessments, review the cybersecurity compliance situation of suppliers and require them to sign commitment letters. To address frequent cybersecurity incidents of data leaks caused by employees, companies may consider setting up reward and punishment mechanisms and incorporating them into the employee handbook to enhance employees’ engagement in training and awareness of personal information protection.

Mid-incident response

Companies should strengthen risk monitoring of information security incidents such as data leakage and cyberattacks. When a cybersecurity incident occurs, the company shall promptly assess the situation and mobilise members of the emergency response team to allocate tasks. The person in charge shall have the responsibility and capability to coordinate across departments.

Throughout the emergency response process, continuous digital forensics should be conducted. It is important to preserve records of the incident and the company’s response measures. When necessary, external third-party organisations may be engaged to assist in investigation and evidence collection.

Post-incident review and correction

Once the incident has been addressed, beyond fulfilling statutory reporting and notification requirements, companies should prioritise reviewing and enhancing their internal management practices and technological frameworks related to cyber and data security, along with ensuring effective implementation. This includes taking necessary disciplinary actions against employees responsible for the incident. For example, Kuaishou issued a public announcement in 2024, stating that an employee who used their position to leak company data had been subjected to penalties, including but not limited to termination of the employment contract, cancellation of performance bonuses and a decision not to rehire.
