Article 111 of China’s“Civil Law”, which presents a new legislative approach to personal information protection, requires that acquirer and keeper of the personal information, such as Internet Service Provider (ISP), should bear the duty of security protection. The duty above includes two parts: general duty and period duty. And the context of the duties can be found in other related laws and regulations. It’s difficult to find the faults and reasons. Theoretically, the breach of the duty of security protection leads to fault. In terms of way of accountability, determination of fault should be made by statutes, guidelines, and so on. There are two types of responsibilities in the Chinese civil law. One is notification-delete model, the other is supplementary model. And supplementary responsibility should be adopted in these cases.