As we mentioned in the first article of this two-part series, foreign cyber regulations are important to understand when conducting international business. In this article, we highlight cyber laws in parts of Asia and the Pacific Rim.
The country’s initial Privacy Act was enacted in 1988 and amended in 2010. Through the amendment, the country is building a sophisticated data protection infrastructure echoing the U.K. model that includes a commissioner and data protection department. The legislation focuses on financial services and emerging industries. Foremost among data concerns is the security of regional cloud services, which generally have weak internal controls and are underregulated.
In February 2011, the country circulated a draft of proposed personal data protection guidelines. If implemented, the protections would affect the gathering and use of personal data, as well as prohibit the export of data unless approved by the government. Because of incidents over the past five years involving Google and other Internet service providers, many Western businesses are wary of Chinese governmental prying, as well as interference in data collection and use. Moreover, China lacks a venerated tradition in tort law, so there are few privacy cases to act as legal precedent for third-party liability suits over data breaches and privacy.
This semi-autonomous province of China is working to remain a viable European outpost and capitalistic enclave. It updated its Personal Data (Privacy) Ordinance in 2011 and aimed it primarily at direct marketers. The ordinance includes:
- Ability of data owners to opt out of data collection and data transfer by businesses;
- Declaration of the use of data before it is collected;
- Restrictions on trans-border data transfer;
- Penalties for privacy violations ranging from $50,000 to $100,000, as well as imprisonment;
- Breach notification.
The country’s Information Technology Rules (or “Indian Rules”) were enacted in 2011. They impose numerous data controls including:
- Written consent from data owners for use of their personal information;
- Restrictions on both in-country and trans-border transfers of data;
- Reasonable data protection controls.
Western companies that use India as a low-cost location for call center outsourcing are generally not subject to these rules yet, unless the data they collect is on Indian citizens. However, India is not considered by the European Union to be a secure country for data protection purposes, which prevents many European companies from even considering India as a potential outsourcing location. Transfer of data to India may require costly notifications and prior consent by data owners.
The island nation has been developing data protection legislation for two years, but the legislature tabled its embryonic bill in September. The legislation would have protected both digital and voice information, including phone numbers, and would have boosted Singapore as a business hub compatible with European expectations. Global businesses believe that appropriate controls would generate a stable commercial environment for companies that deal with consumers, such as those in the banking, telecommunications, and insurance industries.
Cyber insurance programs are available through a number of insurers that issue foreign local policies as well as U.S. policies that respond to lawsuits worldwide.
Steve Haase, president of INSUREtrust, has 25 years of experience in risk management and insurance and B.A. and M.S. degrees in risk management and insurance from Georgia State University. He also holds CPCU and ARM designations. He is a frequent speaker at industry events on e-business risk management. In 1997 he launched the first insurance product focused on “breach of security” exposures for companies doing business over the Internet. This initiative eventually became INSUREtrust LLC, a leading cyber liability wholesaler in Norcross, Ga.