The draft of the Network Data Security Management Regulations provides for the leakage of important data or the personal information of more than one person.

The "Draft for Comments on Network Data Security Management Regulations" stipulates that when important data or personal information of more than 100,000 people is leaked, damaged, lost or other data security incidents, data processors should also perform the following obligations:

(1) Report the basic information of the incident to the districted municipal network information department and relevant competent authorities within eight hours of the occurrence of the security incident, including the amount, type, possible impact of the data involved, and the measures taken or planned to be taken Disposal measures, etc.;

(2) Report to the districted municipal network information department and relevant competent authorities within five working days after the incident is handled, including the cause of the incident, harmful consequences, responsibility handling, improvement measures, etc. A report on the investigation and assessment of the situation.

Article 11 of the "Draft for Comments on Network Data Security Management Regulations": Data processors should establish a data security emergency response mechanism, promptly activate the emergency response mechanism when a data security incident occurs, and take measures to prevent the expansion of harm. Eliminate safety hazards. If a security incident causes harm to individuals or organizations, the data processor shall report the security incident and risk situation, harm consequences, remedial measures that have been taken, etc. by phone, text message, instant message, etc. within three working days. Notify interested parties through communication tools, e-mails, etc. If notification is not possible, announcements may be made. If laws and administrative regulations stipulate that notification is not required, such provisions shall prevail. If a security incident is suspected of being a crime, the data processor shall report the case to the public security agency in accordance with regulations.

In the event of a data security incident such as leakage, damage, or loss of important data or personal information of more than 100,000 people, the data processor shall also perform the following obligations:

(1) In the event of a security incident Report the basic information of the incident to the districted municipal network information department and relevant competent authorities within eight hours of the incident, including the amount and type of data involved, possible impacts, disposal measures that have been or are planned to be taken, etc.;

(2) Report an investigation and evaluation report including the cause of the incident, harmful consequences, responsibility handling, improvement measures, etc. to the districted municipal network information department and relevant competent authorities within five working days after the incident is handled.