Criminal Liability and Corporate Compliance Obligations for Data Breaches Under China's Cybersecurity Law
1. Wei Menglong & Xue Dongdong (Illegal Acquisition of Data)
Case Overview:
In this case, Wei Menglong and Xue Dongdong were involved in an illegal data acquisition scheme. Wei Menglong worked for a company that had access to sensitive data. He illegally accessed and copied data from the company's servers, which included personal data and confidential information. Xue Dongdong, in turn, sold the data to a third party for a profit.
Criminal Charges:
The court convicted Wei and Xue under Article 285 of China’s Criminal Law, which criminalizes the illegal acquisition of data from a computer information system. In particular, the law penalizes individuals who intentionally obtain data without authorization, which includes both data theft and the unauthorized dissemination of such data.
Article 285(2): This section specifically criminalizes the unauthorized access to computer systems and the acquisition of data by hacking or other means.
Outcome:
Wei Menglong received a sentence of 4 years in prison and was fined for his role in acquiring the data and making it available for sale.
Xue Dongdong was similarly sentenced to prison for his role in distributing the data.
Legal Significance:
This case highlights how seriously China treats the unauthorized access and distribution of data. It underscores the criminal penalties associated with the illegal acquisition of sensitive information and shows the risk posed by insider threats: even employees with legitimate access to company data can face serious criminal penalties if they misuse that access.
Corporate Compliance Implications:
Companies need to implement strict access controls to limit which employees can access sensitive data.
Employee monitoring and audit trails are critical to detect unauthorized access.
Data governance and internal reporting channels should be in place to handle suspicious activity.
Training for employees on the legal consequences of data theft and misuse should be mandatory.
2. Cheng Mao (Web Scraping and Unauthorized Data Acquisition)
Case Overview:
Cheng Mao, a web scraper, used automated tools to extract data from several popular websites without permission. He used IP proxies to bypass anti-bot protections and accessed vast amounts of sensitive data, including user accounts and financial information. Cheng then monetized the data by selling it on the dark web.
Criminal Charges:
This case was prosecuted under Article 285(2) of China’s Criminal Law, dealing with the illegal acquisition of data from computer information systems. The use of automated tools, such as web crawlers, to scrape personal or proprietary data from websites is considered illegal if done without consent, especially when it violates security measures (e.g., bypassing CAPTCHA systems).
Article 285(2): This provision penalizes the unauthorized acquisition of data from a computer information system, which Cheng Mao’s actions clearly violated.
Additionally, his actions were seen as fraudulent because he sold the data for profit, and Article 285(3) (providing tools for intrusions) could have applied to those who assist others in data breaches.
Outcome:
Cheng Mao was sentenced to 4 years in prison and fined 500,000 RMB for his illegal activities.
The court also seized assets obtained from the sale of the stolen data.
Legal Significance:
This case illustrates that automated data scraping and bypassing security features (such as CAPTCHA or rate limits) are not only civil violations but can also lead to criminal prosecution in China. The severity of the charges demonstrates China’s increasing efforts to tackle cybercrimes, including unauthorized access and misuse of personal data.
Corporate Compliance Implications:
Companies need to deploy anti-bot technologies and ensure they have terms of service that prohibit scraping.
Regular monitoring of traffic for suspicious behavior, such as unusual patterns of data access, can prevent scraping and hacking attempts.
Websites should use techniques like IP blocking and advanced CAPTCHA to prevent unauthorized access to sensitive information.
3. Dong and Li (Hacking and Data Breach)
Case Overview:
Dong and Li were involved in a hacking operation targeting several financial institutions in China. They used sophisticated techniques to breach the security of these institutions’ networks and accessed private financial data. They extracted sensitive information, including bank account details, personal identification numbers (PINs), and transaction histories.
Criminal Charges:
The case was prosecuted under Article 285(1) of the Criminal Law, which criminalizes hacking into a computer information system. The law applies when the hacking is done with the intent to acquire sensitive information and causes significant financial or reputational damage.
Article 285(1) specifically criminalizes unauthorized access into computer systems with the intent to steal or damage data, whether for personal gain or to harm others.
Outcome:
Both Dong and Li were sentenced to 7 years in prison for their roles in the hacking scheme.
They were also fined and ordered to compensate the affected institutions for the damages caused by their illegal activities.
Legal Significance:
This case highlights the serious criminal penalties associated with hacking into computer systems, especially when the data obtained has significant commercial or financial value. It also demonstrates how China is cracking down on cybercrimes that have a direct impact on national economic security.
Corporate Compliance Implications:
Financial institutions and other companies that handle sensitive information need to invest in robust cybersecurity systems to prevent hacking.
Encryption and firewalls should be mandatory for protecting sensitive data.
Regular penetration testing and security audits should be conducted to identify vulnerabilities.
Employees and third-party vendors should be trained on recognizing and preventing hacking attempts.
4. YuanTe Telecommunications Company (Failure to Meet Security Obligations)
Case Overview:
YuanTe, a telecommunications company in China, failed to meet its obligations under the Cybersecurity Law regarding real-name registration for SIM card purchasers. The company did not properly verify customer identities, allowing fraudulent accounts to be created and misused for criminal activity (e.g., fraud, telecom-based crimes).
Criminal Charges:
YuanTe was prosecuted under Article 286(1), which covers refusal to perform network security management obligations. Under the Cybersecurity Law, telecommunication and internet service providers are required to implement strict security protocols, such as real-name registration, to prevent criminal misuse of their services.
Article 286(1) specifically addresses failure to implement network security management measures, which directly affects the integrity of telecommunications networks and data protection.
Outcome:
The company’s executives were fined, and several managers received prison sentences ranging from 1 to 2 years for failing to adhere to cybersecurity regulations.
The company was also heavily fined and ordered to take corrective action.
Legal Significance:
This case highlights the criminal liability faced by companies that fail to comply with mandatory network security obligations under China’s Cybersecurity Law. It shows that corporate negligence, especially when it leads to criminal activity, can result in severe penalties, including imprisonment for senior executives.
Corporate Compliance Implications:
Telecommunications and internet service providers must implement comprehensive identity verification and data protection systems.
Data encryption, user authentication, and monitoring are essential to comply with the cybersecurity framework.
Companies must regularly audit their systems to ensure they comply with data security laws and avoid facing criminal penalties.
5. Zhou Wei (Corporate Data Leak)
Case Overview:
Zhou Wei, an employee of a Chinese tech company, was found guilty of selling confidential client data to competitors. Zhou had access to internal company databases and illegally copied sensitive customer information, which he then sold to a rival firm. The data included financial reports, business plans, and personal customer details.
Criminal Charges:
Zhou Wei was convicted under Article 285(2) of the Criminal Law, which criminalizes the unauthorized acquisition and sale of sensitive data from a computer system. In this case, Zhou’s actions were considered data theft.
Outcome:
Zhou Wei was sentenced to 6 years in prison and fined.
The court also ordered the rival firm to cease using the stolen data and return all copies of the information.
Legal Significance:
This case serves as a reminder of the serious criminal consequences associated with corporate espionage and internal data theft. It shows how employees who have access to sensitive company data can be criminally liable if they misuse their position for personal gain.
Corporate Compliance Implications:
Companies must implement strong internal controls to limit employee access to sensitive data based on job roles.
Regular employee background checks, training, and surveillance can deter internal theft.
Data protection and confidentiality agreements with employees should clearly define the consequences of unauthorized data access and theft.