When public security officials in Shenzhen spotted 19 cybersecurity loopholes in Walmart’s China operation, they issued an official warning, claiming the world’s largest retailer had violated the country’s cybersecurity laws. Chinese officials levied no fines, but they did order Walmart to close the loopholes. That order was a warning, and not just to Walmart.
Multinationals operating in the world’s second-largest economy are now on high alert that they face greater scrutiny to comply with new cybersecurity and personal privacy laws.
New data-privacy regulations took effect in the fall of 2021, but Beijing has yet to release many details, observers say. The controversial Data Security Law (DSL) and Personal Information Protection Law (PIPL) lay out some high-level data management and protection methodologies and rules for government agencies, companies, and organizations—in particular limiting transfers of data out of China. The last time a similar effort was rolled out was in 2017 with the Cybersecurity Law of the People’s Republic of China, which required data to be stored locally in China and put in place security checks of firms. It led to widespread confusion due to its ambiguity.
For multinationals, the issue isn’t simply what happens to them in China. It’s the fact that juggling disparate global compliance and data-integrity regulations has become increasingly complicated
“It’s a real jigsaw puzzle to come up with a program that will be globally compliant,” says Kenneth Citarella, senior managing director of investigations at Guidepost Solutions, which offers compliance solutions and security and technology consulting. Since the European Union passed its seminal General Data Protection Regulation (GDPR) in 2016, robust data protection laws have also debuted in the U.S., Russia, and China.
Data-privacy “regulation sprawl” is escalating the price of conducting global business and highlighting the need for a robust, real-time view of a company’s entire risk posture in order to effectively manage compliance with the latest international standards.
It’s a real jigsaw puzzle to come up with a program that will be globally compliant.
“If you look at compliance the way security practitioners are starting to look at it, it’s a threat,” says J.R. Cunningham, CSO of Nuspire, a U.S.-based security services provider for multinationals. “If you’re not compliant, it’s a threat to your brand. It presents revenue-loss potential and financial liability.”
The scale of global compliance
In recent years, high-tech giants such as Facebook, Google, and
Apple have faced intense scrutiny and fines from European regulators because of the way they handle people’s data. Recently, Austrian data authorities accused Google Analytics of violating the GDPR for reportedly transferring website data to the U.S. without proper protections.
Of course, the pressure to comply with privacy and cybersecurity regulations doesn’t just impact big Western firms. All the world’s companies have to comply with GDPR if they operate in Europe. They must also comply with regulations elsewhere, like the California Consumer Privacy Act (CCPA), which places data-handling restrictions on every company operating in a state where many of the world’s biggest tech companies are headquartered.
If you’re not compliant, it’s a threat to your brand. It presents revenue-loss potential and financial liability.
There’s no way of knowing if China’s focus on multinationals like Walmart comes partly in retaliation for U.S. government investigations of TikTok, the fast-growing Chinese social media company, with more than 1 billion users worldwide.
So far it’s unclear whether multinationals in China will be penalized in the event of successful zero day attacks that arise from the Log4j hack, or the numerous ransomware attacks that have affected operations at companies worldwide. “Those regulations have not been spelled out in any detail—people are waiting for that shoe to drop,” says Guidepost’s Citarella.
Citarella’s organization investigates trading and transactions on behalf of international bank clients, for example, and legal jurisdictions play a big part in what data his firm can collect and where they can share it. He says the compliance process begins by asking what a company is doing with data and whether data is moving across borders. “You have to get incredibly granular,” he says.
There’s no off-the-shelf software to automate such decisions, but there are steps companies can take to monitor real-time risk to ensure compliance. Citarella recommends these strategies:
- Understand security standards from the point of origin to the end of the data supply chain, especially if you’re shifting data to another company.
- Know who your authorized users are and audit them.
- Limit access to only the data a user requires.
Achieving real-time risk compliance depends on additional elements of data security, including real-time endpoint risk scoring, remote authenticated scanning of network devices, a segmented approach to risk benchmarking within a company, robust role-based access controls, and automated patching.
Compliance challenges and problems “scale with the size of the enterprise,” says Cunningham of Nuspire. “The more complex use you have for personal information, the more resources you’re expending to be compliant with privacy laws.”
No privacy without cybersecurity
The global trend is clear: Governments are no longer leaving privacy and cybersecurity strictly in the hands of business. Too much is at stake. Following the 2021 Colonial Pipeline attack, the U.S. Transportation Security Administration issued new standards governing pipeline cybersecurity and audits. Compliance is no longer voluntary, and companies risk penalties for failing to adhere to the new regulations.
Beyond incurring fines, mismanaging consumer and customer data, for instance, may imperil a company’s cybersecurity insurance, says Cunningham. “The insurance industry is starting to pay attention and ask some very detailed questions of companies before they will underwrite cyber insurance policies,” he says. What’s more, insurers want to see “cybersecurity and privacy controls in place before they write a policy.”
[We] need to get serious about data privacy. We’re not getting away from this.
After all, Cunningham argues, “there is no privacy without cybersecurity.” This symbiotic relationship has led to a “net improvement in the security posture of organizations that have personal information that needs to be protected. But, again, it certainly comes at a cost.”
One big cost is legal.
“Additional legal costs are being incurred by organizations that have to have an understanding of these strict data-privacy laws,” says Charles Denyer, a former Department of Defense cybersecurity consultant and national security expert based in Austin, Texas. “The complexity has to do with understanding regulations and the costs involved, both one-time and recurring costs.”
Ultimately, cautions Denyer, organizations “need to get serious about data privacy in today’s world.” A data-privacy program must cover how a company uses, stores, shares, and disposes of data that comes from inside and outside its walls. Scrutiny, he says, will only increase. “We’re not getting away from this.”