International businesses that process information from China should obtain user consent and establish a data map, so they do not run afoul of the country’s Personal Information Protection Law (PIPL). Specifically, they should look closely at cross-border data flow and residency, even as more clarity still is needed on some components in the new legislation. Organisations that already are set up to comply with Europe’s General Data Protection Regulation (GDPR), though, have a good foundation on which to work towards PIPL adherence.Passed in August, the Chinese legislation came into force last month, laying out ground rules around how data should be collected, used, and stored. It outlines data processing requirements for companies based outside of China, which included passing a security assessment conducted by state authorities.Multinational corporations (MNCs) that move personal information of the country also will have to obtain certification on data protection from professional institutions. The Chinese government described the legislation as necessary to address the “chaos” created, in which online platforms had been excessively collecting personal data.  

Because it was modelled broadly after GDPR, enterprises that had readied themselves for the EU data protection legislation would be better placed to prepare for PIPL compliance. For instance, both bills spell out the need to get user consent and rules around data sovereignty, according to Xin Leo, a Shanghai-based senior associate with law firm Pinsent Masons.Like GDPR, companies would need to obtain consent before collecting and using data from customers under PIPL. The Chinese legislation also outlined standard clauses that should be included in service contracts or agreements between both parties–one that provided the data and the other that received it–that were similar to those detailed under GDPR.

This ensured organisations that collected and processed data would provide similar levels of protection under PIPL as they would with GDPR, Xin said in an interview with ZDNet. Being GDPR-compliant put  enterprises on the right path towards PIPL adherence as well as other associated Chinese legislations, specifically, the country’s 2017 cybersecurity and 2021 data security bills, said JoHannah Harrington, chief legal officer at Elements Global Services, which specialises in HR technology and compliance. The company works with local law firms in China, where it also has corporate secretariat partners. Harrington, too, pointed to the need for user consent before data can be processed or transferred out of China as a common component that PIPL and GDPR shared. In addition, both laws required organisations to meet certain requirements, such as clear and reasonable purpose, for processing data they collected and have processes in place to maintain data protection. These included deploying data security tools and conducting risk mitigation processes, such as firewall and online privacy notices. Like GDPR, PIPL outlines the need to ensure user opt-in and the reclassification of data, said Sovan Bin, CEO of Odaseva. The data management vendor offers tools touted to ensure data is compliant, including with GDPR and PIPL, as it moves across an organisation’s global network.Consumers protected under both legislations also have the right to ask to be deleted or removed from an organisation’s database, Bin told ZDNet. Concerted efforts to define data ownership and return consent to consumers, regardless of where their data sat, began with GDPR, which was released in 2016. He said the EU legislation had put forward the concept of cross-border data transfers, so rules requiring organisations to obtain consent whenever they moved data outside the user’s home country were not unique to PIPL.Chinese regulators, though, had the benefit of time to assess the impact of such laws and adopt a modern approach, he noted. Data had become a key asset for every organisation over the years, while technologies also had evolved. Regulations established in the 1990s, for one, were no longer relevant with the emergence of cloud technologies, he said, adding that several countries were modernising their data regulations so these were more compatible with the cloud era.Questions remain about user consent, conflict with international lawsBut while PIPL shared several similarities with GDPR, there were some significant differences between both legislations that organisations should take note of. According to Harrington, PIPL does not include legitimate interests or purposes as a condition for data processing, while GDPR does. This, for instance, enables organisations to process their employees’ personal data, as it is deemed of legitimate reason. The exclusion of legitimate purposes could mean that MNCs would have to seek the consent of all employees in China, if they had not already done so, before their HR departments were permitted to process the employee’s personal information. Uncertainties over the concept of user consent, which was not well defined yet in PIPL, was one likely reason major technology companies had opted to leave the Chinese market, Harrington said.Clarity around consent was paramount because, under the Chinese legislation, it must be applied before data could be processed. She added that as the law was new and untested, clearer definitions in some areas still needed to be established.According to Xin, the legislation outlined three areas organisations should address with regards to cross-border data transfers. These included the need for a government security assessment, to gain approval, if the data processed exceeded a threshold specified by the legislation. Some requirements called for certain certifications to be established, under specific instances, between the data exporter and data receiver, but how such procedures should be carried out remained unclear, he said.

Both parties also would need to agree to a model, or template, contract to be stipulated by the regulator. This contract terms, however, had yet to be released. There was further uncertainty over PIPL rules pertaining to data sovereignty, Xin said, under which personal data stored in China could not be provided to foreign jurisdictions or organisations without the Chinese government’s consent. While this policy is not new, as it already is stated in the country’s data security and international corporate criminal laws, there are questions about how this will play out alongside international laws. The US CLOUD (Clarifying Lawful Overseas Use of Data) Act, in particular, gives US law enforcement power to demand access to data stored by cloud providers, including data held outside the US.Doing so in China would be in breach of PIPL, Xin said, which could create a dilemma for MNCs operating in the country. He added that provisions, if any, and procedures organisations should follow under such circumstances currently were unclear.Bin noted that organisations were spending more effort, in particular, on ensuring compliance with specifications related to cross-border data and data residency. PIPL outlined certain thresholds under which organisations would have to adhere to guidelines on how to process cross-border data, he said. Businesses handling personal data of more than 1 million users, for instance, or that had to transfer personal data of more than 100,000 users would have to abide to specific policies.Additional policies regarding data residency also would apply to certain types of data, he said. For instance, companies processing data deemed to be more sensitive must pass a security assessment by Cyberspace Administration of China (CAC).He advised businesses to exercise more care in handling such data across borders, to ensure compliance with PIPL.He further noted that, unlike GDPR where there was a two-year grace period during which organisations could ready themselves before enforcement and fines were implemented, PIPL did not have a similar allowance. In addition, the Chinese legislation was passed and came into force in a shorter time period, giving enterprises less time to prepare for compliance. Seek local representative, consent as first stepsWhile the legislation is new and some definitions remain unclear, there are some first steps organisations can take towards PIPL compliance. These include appointing a local representative and registering, where required, with the relevant authorities. Asking for user consent for all forms of data would be a good baseline from which to start, as well as ensuring there was a clear purpose for collecting user data, said Harrington. She also recommended organisations appoint local representatives to handle data-related processes in China and carry out security assessment of their data management. Xin advised companies to establish a data map, including determining the types of personal data they held, and perform a compliance review to identify gaps between their current data practices and PIPL requirements. They then would need to enhance their data policies as well as IT infrastructure and organisational structure accordingly to plug any gaps, he said. With different business units processing data differently, he stressed the need for organisations to ensure they had a comprehensive understanding of how all these departments collected and processed data. He also underscored the importance of training employees and beefing up overall awareness of data management policies. Businesses could consider appointing a representative for each business unit who was focused on data protection and reported to the company’s data privacy officer, he added.With regards to handling employees’ personal data, Xin also suggested organisations formulated their labour rules to incorporate data collection and protection practices. In accepting their employment with the organisation, employees then would have provided consent to the collection and management of personal data as stipulated under the company’s employment contract or handbook.This then would not require businesses to separately obtain employee consent for PIPL, he said. However, most MNCs that processed data of employees in China likely would need to do a separate privacy impact assessment, he noted.Any organisation that wished to transfer data out of China also would be required to carry out such assessments, he said, adding that those providing sensitive personal data to a third party would need to do likewise.According to PIPL, violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). For “serious” cases, Chinese authorities also dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked. RELATED COVERAGE More

Amazfit BIP 5 <!–> ZDNET’s key takeaways The Amazfit BIP 5 is typically sold on Amazon for $89. It’s a solid budget smartwatch that integrates with the Zepp app, providing a breadth of health and fitness data. It’s not the most precise health tracker on the market, and its competitive price is most evident in […] More

“To everyone. I f*cked up. And I am sorry.”
These are the words of “Chef Nomi,” the creator of the SushiSwap project, after suddenly liquidating his stock, causing a massive price crash of over 70% to the SushiSwap token. 

SushiSwap is a Decentralized Finance (DeFi) project created by Chef Nomi based on a UniSwap decentralized exchange (DEX) fork for bootstrapping liquidity. 
See also: PayPal hiring push hints at future cryptocurrency support
When Chef Nomi liquidated funds from the development wallet last week — cashing in roughly $14 million in ETH in the process by swapping out SushiSwap tokens (SUSHI) — the community and investors in the project immediately felt the impact.
At its peak, SushiSwap was worth $10.76. At the time of writing, the token is now valued at $2.32. As reported by Coin Desk, once Chef Nomi liquidated their holdings, prices plummeted from $4.44 to $1.20. 
CNET: Hackers out of Russia, China, Iran are targeting US election, Microsoft finds
The community response was immediate, with accusations of an exit scam battering the young project’s reputation. Chef Nomi took to Twitter to defend their actions, insisting that the move was comparable to the creator of Litecoin cashing out funds. However, as users pointed out, the SushiSwap project was only several weeks old. 

It was not long before the backlash caused a U-turn by the anonymous creator, who transferred ownership to FTX CEO Sam Bankman-Fried and then decided to return the funds cashed out from the developer wallet. 
“I have returned all the $14M worth of ETH back to the treasury,” Chef Nomi said in a tweet dated September 11. “And I will let the community decide how much I deserve as the original creator of SushiSwap. In any currency (ETH/SUSHI/etc). With any lockup schedule you wish.”
TechRepublic: 22 cybersecurity courses for aspiring and in-demand IT security pros
Seemingly apologetic, the developer said “I f*cked up. And I am sorry,” adding:

“I hope that SushiSwap continues to evolve. Don’t let my mistake deter it from being a 100% community-run AMM. The success of SushiSwap will set a precedent for many more community-run projects.”

The project creator said that they will continue to “participate in the discussion and technical implementation of SushiSwap” as a background figure, but whether or not the community will forgive, forget, and accept their future contributions remains to be seen. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Microsoft has detailed an unusual phishing campaign aimed at stealing passwords that uses a phishing kit built using pieces of code copied from other hackers’ work.A “phishing kit” is the various software or services designed to facilitate phishing attacks. In this case, the kit has been called ZooToday by Microsoft after some text used by the kit. Microsoft also described it as a ‘Franken-Phish’ because it is made up of different elements, some available for sale through publicly accessible scam sellers or reused and repackaged by other kit resellers.

ZDNet Recommends

Microsoft said TodayZoo is using the WorkMail domain AwsApps[.]com to pump out email with links to phishing pages mimicking the Microsoft 365 login page.SEE: Ransomware: Looking for weaknesses in your own network is key to stopping attacksMicrosoft says the attackers have been creating malicious AWS WorkMail accounts “at scale” but are just using randomly generated domain names instead of names that would represent a legitimate company. In other words, it’s a crude phishing product likely made on a thin budget, but large enough to be noticeable. It caught Microsoft’s attention because it impersonated Microsoft’s brand and used a technique called “zero-point font obfuscation” – HTML text with a zero font size in an email – to dodge human detection. Microsoft detected an uptick in zero-font attacks in July.  TodayZoo campaigns in April and May of this year typically impersonated Microsoft 365 login pages and a password-reset request. However. Microsoft found that campaigns in August used Xerox-branded fax and scanner notifications to dupe workers into giving up credentials. 

Microsoft’s threat researchers have found that most of the phishing landing pages were hosted within cloud provider DigitalOcean. Those pages were identical to the Microsoft 365 signin page.Another unusual trait was that after harvesting credentials, the stolen information was not forwarded to other email accounts but stored on the site itself. This behaviour was a trait of the TodayZoo phishing kit, which has previously focussed on phishing credentials from Zoom video-meeting accounts.SEE: These stealthy hackers avoid Windows but target Linux as they look to steal phone dataBut Microsoft researchers believe this phishing group is a single operation rather than a network of agents. “While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own,” Microsoft said. Microsoft says it informed Amazon about the TodayZoo phishing campaign and that AWS “promptly took action”.  More

thodonal88 — Shutterstock A new survey shows that cybersecurity is the hot skill area being sought across enterprises in today’s environment. That’s where the opportunities are. Let’s face it, though — learning and gaining proficiency in cybersecurity requires hours, days, and months of study and hands-on experimentation. There are entire college majors focusing on cybersecurity. […] More