Contributed By Chen & Lin
The Executive Yuan issued the Information Security Management Directions for the Executive Yuan and its Subordinate Agencies in 1999. However, for around two decades before the enactment of the Cyber Security Management Act (CSMA) in 2018, there was no specific law in Taiwan that directly set a general and primary standard of cybersecurity and regulated cybersecurity matters across all industries. During that period, cybersecurity was addressed only incidentally in certain sector-specific laws and regulations that imposed data protection requirements. In June 2018, the CSMA was enacted. This act, effective from 1 January 2019, establishes a primary and general law regulating the cybersecurity systems of governmental agencies and specific private sectors.
The specific non-governmental agencies regulated under the CSMA include critical infrastructure providers, government-owned enterprises and government-endowed foundations. Besides the CSMA, several subordinate regulations have been enacted to govern detailed matters regarding cybersecurity, such as the procedure for notification of and response to cybersecurity incidents, the classification of cybersecurity responsibility levels for governmental and specific non-governmental agencies, the audit of the implementation of a cybersecurity maintenance plan by specific non-governmental agencies, cybersecurity information sharing, and the reward and punishment of cybersecurity personnel of governmental agencies.
Under the CSMA, the regulator for a governmental agency is the competent agency at a higher level or the supervisory agency. If there is no such agency, the regulator is the Executive Yuan. The regulator for a specific non-governmental agency is the relevant central governmental authority. Where a cybersecurity requirement is addressed in a sector-specific law or regulation, the regulator is the governmental authority specified thereunder.
For governmental agencies, the enforcement of the CSMA is administered by the competent agency at a higher level or the supervisory agency. If there is no such agency, the enforcement is administered by the Executive Yuan. On the other hand, for specific non-governmental agencies, the enforcement is administered by the central governmental authorities that supervise the business operation of these non-governmental agencies.
The central governmental authorities have the power to:
A government agency shall report annually to the competent agency at a higher level or to the supervisory agency (or to the Executive Yuan if there is no such supervising governmental authority) on the implementation of its cybersecurity maintenance plan (the Information Security Plan).
Furthermore, the central governmental authorities have the power to audit a specific non-government agency in its implementation of the Information Security Plan. An audited specific non-governmental agency that is found defective or needing improvement in the Information Security Plan shall submit the improvement report to the central governmental authority.
To cope with cybersecurity incidents, both governmental agencies and specific non-governmental agencies shall stipulate a reporting and response mechanism. Upon becoming aware of a cybersecurity incident, they shall report it to the competent agency at a higher level, the supervisory agency, the Executive Yuan or the central governmental authority, and shall subsequently file a report on the investigation, handling and improvement of the cybersecurity incident with the same authority.
Upon acknowledgement of a severe cybersecurity incident, the central governmental authorities or the Executive Yuan may, in a timely manner, promulgate the essential contents and corresponding measures for such incident as well as render relevant support.
If a specific non-governmental agency fails to perform the abovementioned obligations, the central governmental authority may order the specific non-governmental agency to complete corrective actions within the specified time limit. If the specific non-governmental agency fails to complete corrective actions within such specified time limit, it shall be subject to a fine imposed by the central governmental authority.
On the other hand, if the personnel of a government agency fail to comply with the CSMA, they shall be subject to discipline or penalty in accordance with the relevant regulation enacted by the Executive Yuan.
During the abovementioned procedure, the general administrative laws – such as the Administrative Procedure Act, the Administrative Appeal Act and the Code of Administrative Procedure – will govern.
In the legislative explanation of the CSMA, it is stated that certain provisions of the CSMA draw upon the experience of foreign legislatures. For example, several definitions under the CSMA closely track similar definitions in relevant US law, and some of the provisions adopt the concepts of the EU Directive on Security of Network and Information Systems, Japan law and Korea law.
All major laws regulating cybersecurity are at the national level. The relevant regulations at the subnational level are solely relevant to the implementation of those national laws and regulations by the differently functioning bureaus of local government.
The Executive Yuan has enacted the Cyber Security Information Sharing Regulations governing the sharing of cybersecurity information, such as detected malicious or reconnaissance activity against an information and communication system, security vulnerabilities of an information and communication system, and the actual damage or possible negative impact caused by a cybersecurity incident. Under this regulation, the Executive Yuan and the governmental agencies should share cybersecurity information with each other in a timely manner. The central governmental authorities shall share cybersecurity information in a timely manner with the non-governmental agencies under their supervision.
If any individual or entity would like to voluntarily share information with respect to cyberthreat, they should comply with the laws that would restrict such sharing, such as the Personal Data Protection Act (PDPA) or the Trade Secrets Act.
Given the current regulation status, as above, the data protection and cybersecurity system is developing in Taiwan.
Taiwan adopts the civil law system and most primary and general laws and regulations follow the laws and regulations of other civil law countries, such as Japan. On the other hand, quite a few laws and regulations in respect of modern technology follow US laws and EU laws. Such a multiple-reference approach is reflected in various laws and regulations, as well as the interpretations thereto. Given such, it is difficult to state that Taiwan data protection and cybersecurity follows any single specific model.
As noted above, the enforcement of cybersecurity is administered by different governmental authorities, rather than by a single governmental authority. It is difficult to form a clear overall picture of the enforcement status of the different central and local governmental authorities, since enforcement is not subject to mandatory public disclosure requirements. Given the lack of sufficient public information, there is no proper basis to say whether enforcement in Taiwan is relatively aggressive or not. However, based on the limited public information currently available, enforcement in respect of cybersecurity by the Financial Supervisory Commission (FSC) is relatively aggressive compared with other governmental authorities.
Cyber Attack on Hospital System
During August 2019, 22 computer system servers at hospitals were attacked by ransomware. Hackers used a virtual private network to attack hospitals’ systems and blocked the hospitals’ access to their own information system, in which the personal data of patients, lists of personnel of hospitals and medical data were stored, and asked them to pay in bitcoin within a certain time or the information would be destroyed.
However, all the attacked hospitals removed the virus in a timely manner and the systems were restored within several hours. There were no medical records or patient information leaked, and the hospitals did not pay any ransoms. Furthermore, the computers of clinical and emergency rooms were not affected, so the physicians were able to continue delivering patient care without interruption.
Although no information was leaked in this incident, the Ministry of Health and Welfare has instructed hospitals, in principle, on how to deal with similar situations, and hospitals have taken steps to secure and reinforce their systems to prevent possible future attacks.
This case was reported to the National Information and Communication Security Centre and is under investigation by the Investigation Bureau of the Ministry of Justice.
Rules to Ban Chinese Products with Security Threats
The Executive Yuan is compiling a detailed blacklist of Chinese technology companies, as security concerns fuel a campaign to restrict the use of equipment from manufacturers such as Huawei. According to the cybersecurity department of the Executive Yuan, it intended to complete and publish a list of Chinese companies that could pose security threats by the end of March 2019 and to update the list from time to time. All central governmental departments supervised by the Executive Yuan, government-controlled organisations and the specific private sectors designated by the relevant governmental agencies will be bound by such rules. In addition, according to the cybersecurity department of the Executive Yuan, the Executive Yuan and its subordinate agencies also prohibit their officials and staff members from using Chinese social networking apps, such as WeChat, on their business mobile phones. Nevertheless, the blacklist of Chinese companies and products is still under discussion and has not yet been published by the Executive Yuan.
Establishment of More Complete Internal Cybersecurity Rules at Governmental Agencies
According to the CSMA, non-governmental agencies shall stipulate, amend and implement the Information Security Plan, and submit an improvement report if so requested by the central governmental authorities. Regulations on the essential contents of the Information Security Plan, the submission of implementation reports, the frequency, contents and methods of audits, the submission of improvement reports and other related matters are to be enacted by the respective central governmental authorities. Gradually, more and more central governmental authorities (eg, the Ministry of the Interior, the Financial Supervisory Commission and the Ministry of National Defence) have enacted regulations governing the abovementioned matters.
Assignment of Security Level for Central and Local Government Agencies
In May 2019, the Department of Cyber Security proposed a five-tiered information security protection system, pending the approval of the Executive Yuan. Under the proposal, central and local government agencies would be assigned a security level from A to E, with A indicating agencies with the highest cybersecurity level. The agencies assigned a security level of A may include: (i) the Ministry of Foreign Affairs, which is entrusted with people’s records of departure from the country; (ii) the Ministry of the Interior, which keeps household information data; and (iii) the Ministry of Health and Welfare, which keeps people’s national health insurance personal data.
State enterprises such as the power company, petroleum company, water company, the railways, public medical centres and science parks may also be listed as A level.
After approval, the Executive Yuan will notify the agencies of their cybersecurity level.
In Taiwan, besides the CSMA, cybersecurity is also involved in the application of certain other current laws and regulations. However, the current laws and regulations related to cybersecurity (apart from the CSMA and its relevant laws and regulations) adopt an ex post approach rather than an ex ante approach, except in the field of personal data protection.
In the Criminal Code, Chapter 36 is dedicated to offences against computer security, containing the legal provisions that are most directly related to cybersecurity. The relevant offences are as follows:
In the event that the above three offences are committed against the computers and related equipment of a public office, the punishment shall be increased by up to one half (Article 361 of the Criminal Code). The criminal prosecution of the offences under the above articles shall be initiated by complaint (Article 363 of the Criminal Code); without such complaint, a criminal investigation will not be opened.
Furthermore, a person who makes computer programs specifically to commit the offences under Article 358 to Article 360 of the Criminal Code and thereby causes injury to the public or another person shall be punished by imprisonment for up to five years or short-term imprisonment; in lieu thereof, or in addition thereto, a fine of up to TWD600,000 may be imposed (Article 362 of the Criminal Code). Unlike the offences under Article 358 to Article 360, the investigation authority may open a criminal investigation of this offence on its own initiative.
If the computer or related equipment is not only used for security breach but also to exercise unlawful control over other people’s assets, the following offences apply:
If fraud under Article 339 of the Criminal Code is committed by disseminating false information to the general public through broadcasting, television, electronic communication, the internet or other media, the wrongdoer shall be sentenced to imprisonment for no less than one year and no more than seven years; in addition thereto, a fine of up to TWD1 million may be imposed (Article 339-4 of the Criminal Code).
In addition, Article 220, paragraph 2 of the Criminal Code considers electronic records as documents for the purpose of applying the provisions under the Criminal Code. Therefore, for example:
The above offences in connection with the forgery of electronic records may be investigated on the initiative of the investigation authority; no complaint from the victim is required.
Depending on the information protected, other laws may apply. If the target of the security breach is personal information then civil, criminal or administrative liability under the PDPA would apply. The legal consequences for the infringement of trade secrets are governed by the Trade Secrets Act. In the event that classified national security information is involved, the Classified National Security Information Protection Act would apply.
As aforementioned, the CSMA took effect from 1 January 2019. The CSMA regulates the security management of information and communication, which will include cybersecurity (see below).
As stated in 1.2 Key Laws, under the CSMA, in addition to the Executive Yuan (ie, the overarching regulator), the regulators would be the competent agency at a higher level or the supervisory agency of a governmental agency or the competent central governmental authorities, depending on the regulated subjects.
In the CSMA, various governmental agencies are charged with different tasks. Generally speaking, it will be the responsibility of the Executive Yuan to establish the underlying policy with respect to security of information and communication; the relevant business authority will be the authorities to implement the CSMA.
Under the CSMA, the overarching cybersecurity agency is the Executive Yuan. The Executive Yuan will establish the high-level cybersecurity goal, policy and directions and it has the review and final approval authority in respect of the cybersecurity rules, standards and requirements promulgated by the relevant business regulators.
The Ministry of Justice (MOJ) is the main regulator for personal data protection and is in charge of proposing the draft bill of the PDPA, promulgating the Enforcement Rules of the PDPA and issuing various interpretations to answer questions in respect of compliance with the PDPA.
The enforcement of the PDPA is administered by the central governmental authorities that supervise the business operation of non-governmental agencies and local government authorities. Both central and local governmental authorities have the power to:
The sectoral regulators are the competent central governmental authorities, which include, for example, the Ministry of the Interior, the Financial Supervisory Commission and the National Communications Commission. How active each central governmental authority is varies with the relevance of IT to its sector. For example, the financial authority, the FSC, has adopted several guidelines on the information security of financial institutions; the communications authority, the National Communications Commission, also promulgates information security guidance for the telecommunications business.
There are no other relevant regulators and agencies.
There are currently no key frameworks that are de jure or de facto standards, or provide commonly deployed guidance. However, the Bureau of Standards, Metrology and Inspection of the Ministry of Economic Affairs, referring to ISO 27001, establishes standards for the information security management system in the Chinese National Standards of 27001 (the CNS 27001). Although it is not a legally binding standard, this firm believes that the CNS 27001 would serve as an important reference to evaluate the soundness of an information security management system.
The Regulations on Classification of Cyber Security Responsibility Levels categorise governmental and specific non-governmental agencies into five levels. Each governmental and specific non-governmental agency shall conduct the matters specified in the schedules of the regulation, depending on its cybersecurity responsibility levels. The minimum standard of security for these governmental and specific non-governmental agencies would be: (i) restriction of using the products threatening national cybersecurity; (ii) cybersecurity education and training (each general user and officer shall receive general cybersecurity education training for not less than three hours each year).
The Executive Yuan has a regulation to set up an information security policy, division of labour in connection with information security, management and training of staff for information security, security management of the computer system and the internet, management of access to system, security management of the development and maintenance of the system, security management of information assets, security management of physical objects and the environment, and other matters regarding the management of information security. However, such regulation is an internal rule and only governs the Executive Yuan and its subordinates. Non-governmental agencies are not covered by the above regulation.
The CSMA has set up more complete statutory requirements for preventative planning to be adopted to deal with cybersecurity issues. The target of the CSMA includes governmental agencies and specific private sectors designated by the relevant governmental agencies. Under the CSMA, all governmental agencies, other than the military and intelligence agencies, are required to adopt, amend and implement the Information Security Plan according to its designated security level of information and communication, the type, amount, nature of the information kept or processed, as well as the scale and nature of the system of information and security. A governmental agency is required to appoint a security officer, to be responsible for the promotion and inspection of information and security. Whoever assumes the position of security officer should be the deputy of such agency or other proper staff of such agency. A governmental agency is required to report the implementation of the Information Security Plan to the competent agency at a higher level or to the supervisory agency (or to the Executive Yuan if there is no such agency). This competent/supervisory agency is in charge of auditing the implementation of the Information Security Plan by the agency that is its subordinate or is supervised by it.
As for the private sector, the CSMA authorises the relevant business authority to assign the status of critical infrastructure provider after consulting with relevant governmental agencies, NGOs, experts or scholars. Such assignment shall be approved by the Executive Yuan. The critical infrastructure provider is required to adopt, amend and implement the Information Security Plan according to its designated security level of information and communication, the type, amount, nature of the information kept or processed, as well as the scale and nature of the system of information and security. The relevant business authority shall audit the implementation of the Information Security Plan by the critical infrastructure provider. In the event of deficiencies found in the Information Security Plan, the critical infrastructure provider shall submit an improvement report to the relevant business authority. The CSMA does not specify the items to be included in the Information Security Report and the coverage of the critical infrastructure provider, which are left to be elaborated in the rules and regulations adopted by the relevant business authority.
Certain non-governmental agencies other than critical infrastructure providers (the Non-CIP Agencies) are required to adopt, amend and implement the Information Security Plan according to their designated security level of information and communication, the type, amount and nature of the information kept or processed, as well as the scale and nature of the system of information and security. The CSMA authorises the relevant business authority to ask a Non-CIP Agency to report on its implementation of the Information Security Plan and to audit the Non-CIP Agency's implementation of the Information Security Plan. In the event of deficiencies found in the Information Security Plan, the relevant business authority shall ask the Non-CIP Agency to provide an improvement report. Similarly, further details are left to be elaborated in the rules and regulations adopted by the relevant business authority.
In the context of cybersecurity, there are currently no multinational treaties or agreements that would directly apply to the individual or entity in Taiwan. Rather, such treaties or agreements need to be incorporated into the laws, rules or regulations so as to be legally binding.
In the context of personal data, the PDPA requires non-governmental agencies to adopt security measures to prevent the personal data they keep from being stolen, damaged, destroyed or disclosed.
In addition to the PDPA, the Legislative Yuan also enacted certain special data protection requirements in some sector-specific laws, such as the Insurance Act, the Financial Holding Company Act, the Banking Act, etc. Besides, certain industry self-regulatory organisations in respect of a specific industry, particularly the financial industry, provide guidance to their members in connection with data protection, confidentiality and cybersecurity. For example, the Bankers Association of the Republic of China provides guidance that advises members to take certain data protection measures, including maintaining the confidentiality of clients’ information, establishing safety control mechanisms for data protection and reporting any data breaches to the competent authority pursuant to the laws and regulations.
The PDPA authorises the relevant business authority to designate non-governmental agencies to set up the plan of security measures for the personal data file or the disposal measures for the personal data after termination of business. The details of such a plan are not specified in the PDPA but left to the relevant business authority to craft the details.
For critical infrastructure, the competent authority has promulgated certain special guidance for their cybersecurity. For example, the Atomic Energy Council sets up a guideline for the review of the plan of information and communication security in connection with the critical digital assets of nuclear plants. This guideline provides instructions to establish the Information Security Plan for nuclear plants and the process to set up, implement and maintain such a plan.
Under the CSMA, “cybersecurity” refers to the effort to prevent information and communication systems or information from unauthorised access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and systems. Therefore, if there is any attack that endangers the information and communication system, CSMA and the relevant regulations will govern, regardless of the hacking techniques or the type of cybersecurity attack.
The CSMA governs all information and communication systems. In addition to the governmental agencies and the CIP agencies, the Non-CIP Agencies shall also comply with the cybersecurity requirements under the CSMA and the relevant regulations promulgated by the relevant business authority, such as satisfying the requirements of their cybersecurity responsibility level and, taking into account the category, quantity and attributes of the information kept or processed, along with the scale and attributes of the information and communication system, stipulating, amending and implementing their information security plan.
“Cybersecurity incident” refers to an event where the state of the system, service or network, through identification, shows likely violation of the cybersecurity policy, or failure of the security protective measures, thus adversely affecting performance of information and communication system function, and constituting a threat against the cybersecurity policy.
Under authorisation of the CSMA, the Executive Yuan has enacted a regulation that further elaborates the details of the report and reaction with respect to cybersecurity incidents. In this regulation, cybersecurity incidents are categorised into four levels:
The above regulation also provides the process for reporting a cybersecurity incident. In brief, a cybersecurity incident should, within one hour of its occurrence, be reported in the manner and to the recipients designated by the central governmental authorities or the Executive Yuan. Upon becoming aware of the cybersecurity incident, the governmental and specific non-governmental agencies shall complete the damage control or recovery operation within the following timeframes, and shall give notification in the manner and to the recipients designated by the Executive Yuan or the central governmental authorities: (i) within 72 hours of becoming aware of a Level 1 or Level 2 cybersecurity incident; (ii) within 36 hours of becoming aware of a Level 3 or Level 4 cybersecurity incident.
In addition, listed companies under Taiwan law are required to make timely disclosure for events having a material effect on shareholders’ equity or securities prices through the Market Observation Post System (MOPS). Therefore, if a data breach happens to a listed company, such company would need to disclose such an event to the investors through the MOPS. In the two data breach incidents identified in 8.1 Regulatory Enforcement or Litigation, the two companies whose systems were hacked made their MOPS disclosures.
Under the CSMA, any data processed, used or shared in the information and communication system of an entity is covered; see also 5.3 Systems Covered.
Under the CSMA, the information and communication system of an entity is covered. The “information and communication system” refers to the system used to collect, control, transmit, store, circulate, delete information or to make other processing, using and sharing of such information.
For medical devices containing software and connecting to the internet and hospital networks to share information, the Ministry of Health and Welfare urges hospitals to monitor and assess cybersecurity vulnerability risks. The Ministry of Health and Welfare established a list of 17 kinds of medical devices connecting to the internet, such as CT & MRI scanners and nuclear machines, and a procedure to evaluate the potential cybersecurity risk of such medical devices. The procedure includes conducting exploitability assessment, impact assessment and then making a risk management decision.
In 2018, the Cybersecurity Bureau of the Executive Yuan issued a report suggesting that the relevant governmental agencies should, by reference to international standards, establish security requirements for the industrial control systems of critical infrastructure providers. In addition, more and more industries have become aware of the need to protect their industrial control systems and SCADA systems so as not to leave loopholes for cybersecurity attacks. In response, several central governmental authorities have enacted regulations governing the essential contents and implementation of the Information Security Plans set up by critical infrastructure providers and the Non-CIP Agencies, requiring them to include the corresponding security requirements promulgated or suggested by the authority.
In Taiwan, the Ministry of Economic Affairs is responsible for regulating the IoT security of products with wired interfaces, and the National Communications Commission is responsible for telecommunication/communication terminal devices with wireless interfaces. These two authorities have enacted regulations pertaining to the cybersecurity of IoT products. For example, the National Communications Commission has promulgated guidance on “cybersecurity inspection techniques for wireless webcams”. Manufacturers may apply for certification of their products according to this guidance, and several critical infrastructure units have adopted this certification as their acceptance criterion.
The CSMA provides that the governmental agency shall establish the report and response mechanism for any “cybersecurity incident”. Upon acknowledgement of a cybersecurity incident, the governmental agency shall report to the competent agency at a higher level or the supervisory agency, and the Executive Yuan. The governmental agency is also required to submit the investigation report and the process and the improvement report to the competent agency at a higher level or the supervisory agency, or the Executive Yuan if there is no such agency. The above requirements also apply to the critical infrastructure provider and the Non-CIP Agency, which should report to central governmental authorities.
As stated in 5.7 Reporting Triggers, the critical infrastructure provider and the Non-CIP Agency shall submit the investigation report and the process and improvement report upon acknowledgement of a cybersecurity incident. Such reports shall also be submitted to the Executive Yuan if it is a severe cybersecurity incident. “Severe cybersecurity incident” refers to incidents categorised as Level 3 or Level 4 incidents as stated in 5.1 Definition of Data Security Incident or Breach.
When adopting cybersecurity defensive measures, compliance with the PDPA is required if the collection, processing, use or international transmission of personal data is involved. Compliance with the Trade Secrets Act also needs to be verified; otherwise, adopting such measures may lead to legal liability thereunder.
Under the PDPA, a non-government agency in possession of personal data shall implement “proper security measures” to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed. Nevertheless, there is no specific definition or minimum standard that explains exactly what “proper security measures” are expected. For certain non-government agencies, the supervising governmental authority has enacted more detailed regulations outlining the procedures to be complied with. However, these regulations sometimes only provide examples of what may be deemed “proper security measures”, such as using pseudonymisation, data encryption and regular security testing.
Nonetheless, given how quickly cybersecurity practices change and cyberthreats evolve, there is no unified and clear standard on what qualifies as “proper security measures” for non-government agencies in general, let alone for particular types of industries, and there is no detailed regulation of protection procedures. When there is a data breach resulting from a cybersecurity incident, there is no clear standard for judging whether the non-government agency has taken “proper security measures” to protect the collected data, leaving uncertainty for non-government agencies as to whether they have complied with the PDPA. Since it is impossible for the legislation to provide an exhaustive list of security measures for every kind of cyberthreat, the issue becomes how non-government agencies carry out procedures such as pseudonymisation or data encryption so as to establish that they have in fact taken “proper security measures” to secure their computer and network systems.
As noted above, the statutory requirement or authorisation of information sharing in connection with cyberthreats is regulated in the CSMA through the reporting obligations imposed on governmental agencies and non-governmental agencies, with a regulation promulgated by the Executive Yuan providing further details.
If any individual or entity would like to share information voluntarily with respect to cyberthreats, they should comply with the laws that may restrict such sharing, such as the PDPA or the Trade Secrets Act.
There have been two major data breach regulatory enforcements in Taiwan, in 2016 and 2017.
First Commercial Bank Data Breach
From May 2016, a criminal group made use of loopholes in the call recording system of First Commercial Bank’s London branch to hack into its ATM system and insert malicious software therein. From 10-12 July 2016, members of the criminal group approached 21 ATMs in 22 branches of First Commercial Bank that had been targeted, collaborating with their accomplices overseas to withdraw cash of more than TWD83.27 million. The investigating authority arrested three foreign suspects who were still in Taiwan and retrieved TWD77.48 million that had been withdrawn. The three suspects were indicted and, based on the violation of Article 359 and Article 339-2 of the Criminal Code, sentenced to four years and ten months, four years and eight months, and four years and six months, with criminal fines of TWD50,000, TWD40,000 and TWD30,000, respectively.
According to Article 45-1, paragraph 1 of the Banking Act, a bank shall establish an internal control system and audit system; regulations governing the objectives, principles, policies, operating procedures, qualifications and conditions for internal auditors, the scope of internal control audits that a certified public accountant shall be engaged to undertake and other matters requiring compliance shall be prescribed by the competent authority. Due to the security flaw that led to the above abnormal withdrawal activities, on 13 September 2016, the FSC fined First Commercial Bank TWD10 million for the violation of Article 45-1, paragraph 1 according to Article 129, sub-paragraph 7 of the Banking Act and ordered the bank to suspend ATM cardless withdrawal temporarily in accordance with sub-paragraph 2, paragraph 1, Article 61-1 of the Banking Law; this facility was later resumed from 7 June 2017.
Far Eastern International Bank Data Breach
On 3 and 5 October 2017, malicious software was reported to have been inserted into the system of Far Eastern International Bank and USD60 million was transferred to accounts in Cambodia, Sri Lanka and the USA through the international SWIFT banking network. All but USD160,000 of the stolen funds were retrieved by the bank.
On 12 December 2017, the FSC indicated that the bank’s information security defence system was not completely sound, the account management was inappropriate, the bank had not strengthened its SWIFT safety system, the bank had not effectively conveyed the relevant rules and regulations to be complied with, and the bank’s internal control was not effectively implemented, thus fining Far Eastern International Bank TWD8 million for the violation of Article 45-1, paragraph 1 according to Article 129, sub-paragraph 7 of the Banking Act. The FSC also requested the bank to raise the expertise level of its information security unit, increase the number of members in its information security team, enhance its awareness of information security risk and strengthen the function of its information security system.
Data Breach of Members of a Local Employment Agency
In July 2019, the personal data of 200,000 members of a local employment agency was allegedly stolen by foreign hackers. A hacker claimed on an internet forum called “RaidForums” that he held 200,000 pieces of personal data. To prove authenticity, 12 pieces of the stolen personal data, which included the ID number, name, date of birth, email address, phone number, address and company of the data subjects, were publicised on the forum. The local employment agency confirmed that the personal data dated back eight years, to when the agency worked with a subcontractor. After this cybersecurity incident, the agency reported the case to the authorities and sought the assistance of the international advisory firm KPMG for cybersecurity maintenance. The agency said that it had also purchased TWD200 million of third-party liability insurance from an insurance company to cover such risk for its members.
Data Breach of Ministry of Civil Service
The Ministry of Civil Service reported an information security breach incident during June 2019, with the personal data of at least 590,000 civil servants allegedly being compromised. The compromised personal data, including ID numbers, names, agency information, job designation, and the agencies the civil servants work for, was publicised on a foreign website. Upon discovery, the Ministry of Civil Service reported the incident to the National Centre for Cyber Security Technology in accordance with the CSMA. After investigation, the actual number of civil servants affected was 243,376, including individuals working in both central and local government posts between 1 January 2005 and 30 June 2012. The Ministry of Civil Service responded to the data breach in accordance with the PDPA. The measures included notifying individuals whose data had been disclosed, and taking preventive measures to control access to the information system in order to prevent future hacks. Although it was confirmed that the compromised information system had been taken offline in March 2015, the Ministry of Civil Service still checked for flaws in the system and took immediate measures aimed at controlling access to information and preventing future hacks.
There are administrative liabilities under the CSMA. As for the PDPA, there are both criminal liabilities and administrative liabilities. The standard for conviction in a criminal proceeding is “beyond a reasonable doubt”. That is, the prosecutor must present evidence that is credible and sufficient to prove the defendant’s guilt beyond a reasonable doubt.
In regard to administrative sanctions, the governing authority must prove that the act in breach of a duty under the CSMA or the PDPA was committed intentionally or negligently.
In the first personal data infringement class action, brought by the Consumers’ Foundation against a travel agency in March 2018, the court rendered its decision in October 2019.
In this case, the Consumers’ Foundation, on behalf of 25 consumers, claimed for compensation of TWD4.5 million on the grounds that a travel agency leaked the personal data collected and thus caused damages to the consumers. The travel agency defended that the data breach was caused by a malicious hacking attack, and that it notified the data subjects of the data breach after the occurrence of the hacking attack and that, therefore, it should not be held liable for the data breach.
The court rendered a judgment in favour of the defendant, opining that the travel agency had established a security and maintenance plan for the protection of personal data files, had conducted internal audits, education and training for cybersecurity personnel, and had periodically changed the passwords of the computer system. Therefore, although there was a data breach caused by a hacking attack, the travel agency was not in violation of the PDPA and should not be held liable for the data breach. The Consumers’ Foundation has filed an appeal against this judgment and the case is now pending before the Taiwan High Court.
Class actions are allowed in Taiwan. For data breach cases arising from the same cause and facts, and where multiple data subjects are infringed, an organisation regulated by the PDPA may – after obtaining written authorisation of litigation rights from 20 or more data subjects – represent such data subjects by bringing a lawsuit before the competent court in its own name.
The first data breach class action lawsuit was brought by the Consumers’ Foundation against a travel agency for the alleged illegal disclosure of collected personal data in March 2018. Please refer to 8.4 Significant Private Litigation for more details about this case.
In general legal due diligence, cybersecurity compliance is included in the overall legal compliance section, under which it is established whether the due diligence target has any judgment record or administrative punishment arising from a non-compliance issue, including cybersecurity non-compliance. Besides this, legal due diligence will also focus on the target’s internal cybersecurity rules.
Further, the coverage and depth of due diligence in respect of cybersecurity will be enlarged for certain types of industry, such as the CIP (critical infrastructure provider). The scope of due diligence will then include, but not be limited to, compliance with applicable laws, regulations and rules, such as setting up the required cybersecurity system, the fulfilment of periodic inspections and the implementation of required training programmes.
Usually, the due diligence process will be as follows:
The sequence may be flexibly adjusted on a case-by-case basis. For example, the public search may be conducted prior to the interview in (3), or even before the requested list in (1) is provided. Furthermore, if cybersecurity is the key matter in a proposed transaction, technical due diligence by a cybersecurity professional may also be recommended.
Under Taiwan law, a listed company shall disclose material information regarding the company on the website designated and maintained by the authority. “Material information” includes: (i) any material effect on the company’s finances or business resulting from an administrative disposition; and (ii) the occurrence of any material event resulting in administrative fines for one single event accumulating to TWD1 million or more, or causing a material loss to the company. Therefore, if administrative fines imposed for one single event accumulate to TWD1 million or more due to a violation of the CSMA (eg, failing to report to the central governmental authority upon knowledge of a cybersecurity incident), if any cybersecurity incident causes a material loss, or if any administrative disposition by the authority under the CSMA has a material effect on the company’s finances or business, the listed company shall disclose such information. The disclosure shall include the information and content required by the format prescribed by the authority.
There are further disclosure requirements for certain special industries, such as electronic payment enterprises, financial enterprises and travel agencies. Such enterprises shall report the cybersecurity or data breach event to the competent authority pursuant to the applicable laws and regulations within the time limit required thereunder.
All significant issues have been covered above.