Contributed By Chen & Lin
The Executive Yuan (ie, the highest administrative organ of Taiwan) issued the Information Security Management Directions for the Executive Yuan and its Subordinate Agencies in 1999. However, for around two decades before the enactment of the Cyber Security Management Act (CSMA) in 2018, there was no specific law in Taiwan, applicable to all industries, that directly addressed the general and primary standard of cybersecurity and regulated cybersecurity matters. During that period, cybersecurity was addressed only incidentally in certain sector-specific laws and regulations that set out data protection requirements. In June 2018, the CSMA was enacted. This act, effective from 1 January 2019, establishes a primary and general law regulating the cybersecurity system of governmental agencies and specific private sectors.
The specific non-governmental agencies regulated under the CSMA include critical infrastructure providers, government-owned enterprises and government-endowed foundations. Besides the CSMA, several subordinate regulations have been enacted to govern detailed matters regarding cybersecurity, such as the procedure for notification of and response to cybersecurity incidents, the classification of cybersecurity responsibility levels for governmental and specific non-governmental agencies, the audit of the implementation of cybersecurity maintenance plans by specific non-governmental agencies, cybersecurity information sharing, and the reward and punishment of cybersecurity personnel of governmental agencies.
Under the CSMA, the regulator for governmental agencies will be the competent agency at a higher level or the supervisory agency. If there is no such agency, the regulator will be the Executive Yuan. The regulator for specific non-governmental agencies will be the relevant central governmental authorities. Where cybersecurity requirements are addressed in sector-specific laws and regulations, the regulator will be the relevant governmental authority specified thereunder.
For governmental agencies, the enforcement of the CSMA is administered by the competent agency at a higher level or the supervisory agency. If there is no such agency, the enforcement is administered by the Executive Yuan. On the other hand, for specific non-governmental agencies, the enforcement is administered by the central governmental authorities that supervise the business operation of these non-governmental agencies.
The central governmental authorities have the power to:
A governmental agency shall report annually to the competent agency at a higher level or to the supervisory agency (or to the Executive Yuan if there is no such supervising governmental authority) on the implementation of its cybersecurity maintenance plan (the Information Security Plan).
Furthermore, the central governmental authorities have the power to audit a specific non-governmental agency on its implementation of the Information Security Plan. An audited specific non-governmental agency whose Information Security Plan is found to be defective or in need of improvement shall submit an improvement report to the central governmental authority.
To cope with cybersecurity incidents, both governmental and specific non-governmental agencies shall stipulate a reporting and response mechanism. Upon becoming aware of a cybersecurity incident, they shall report it to the competent agency at a higher level, the supervisory agency, the Executive Yuan or the central governmental authority (as applicable), and shall subsequently file a report on the investigation, handling and improvement of the cybersecurity incident with that same authority.
Upon acknowledgement of a severe cybersecurity incident, the central governmental authorities or the Executive Yuan may, in a timely manner, promulgate the essential contents and corresponding measures for such incident as well as render relevant support.
If a specific non-governmental agency fails to perform the above-mentioned obligations, the central governmental authority may order it to complete corrective actions within a specified time limit. If the specific non-governmental agency fails to complete the corrective actions within that time limit, it shall be subject to a fine imposed by the central governmental authority.
On the other hand, if the personnel of a government agency fail to comply with the CSMA, they shall be subject to discipline or penalty in accordance with the relevant regulation enacted by the Executive Yuan.
During the above-mentioned procedure, the general administrative laws – such as the Administrative Procedure Act, the Administrative Appeal Act and the Code of Administrative Procedure – will govern.
In the legislative explanation of the CSMA, it is stated that certain provisions of the CSMA draw upon the experience of foreign legislation. For example, several definitions under the CSMA closely track similar definitions in relevant US law, and some of the provisions adopt concepts from the EU Directive on Security of Network and Information Systems, Japanese law and Korean law.
All major laws regulating cybersecurity are at the national level. The relevant regulations at the subnational level are solely relevant to the implementation of those national laws and regulations by the various functional bureaus of local governments.
The Executive Yuan has enacted the Cyber Security Information Sharing Regulations governing the sharing of cybersecurity information such as malicious detection or collection activity against an information and communication system, security vulnerabilities of an information and communication system, and the actual damage or possible negative impact caused by a cybersecurity incident. Under this regulation, the Executive Yuan and the governmental agencies should promptly share cybersecurity information with each other. The central governmental authorities shall share cybersecurity information with the non-governmental agencies (including private companies) under their supervision in a timely manner. In conducting cybersecurity information sharing, the governmental agency or the specific non-governmental agency (including private companies) shall:
If any individual or entity would like to voluntarily share information with respect to cyberthreats, they should obtain the consent of the competent authority or the central authority in charge of the relevant industry, and they should comply with the laws that would restrict such sharing, such as the Personal Data Protection Act (PDPA) or the Trade Secrets Act.
Given the current regulatory status described above, the data protection and cybersecurity system in Taiwan is still developing.
Taiwan adopts the civil law system and most primary and general laws and regulations follow the laws and regulations of other civil law countries, such as Japan. On the other hand, quite a few laws and regulations in respect of modern technology follow US laws and EU laws. Such a multiple-reference approach is reflected in various laws and regulations, as well as the interpretations thereof. Given this, it is difficult to state that Taiwanese data protection and cybersecurity law follows any single specific model.
As noted above, the enforcement of cybersecurity is administered by different governmental authorities, rather than by a single governmental authority. It is difficult to form a clear overall picture of the enforcement status of the different central and local governmental authorities, since it is not subject to mandatory public disclosure requirements. Given the lack of sufficient public information, there is no proper basis to say whether enforcement in Taiwan is relatively aggressive or not. However, based on the limited public information currently available, enforcement in respect of cybersecurity by the Financial Supervisory Commission (FSC) will be relatively aggressive compared with other governmental authorities.
Rules to Ban Chinese Products with Security Threats
In 2019, the Executive Yuan planned to publish a detailed blacklist of Chinese technology companies due to security concerns. Although such a blacklist has not been published, the Executive Yuan has in fact banned products with an internet connection function that are made or assembled in China. That is, the Executive Yuan requested all governmental authorities to replace all such products they used or procured before the end of 2020. Since many governmental authorities used monitoring equipment from Hikvision (a Chinese enterprise) or projectors of Chinese brands, these products must be banned and replaced.
Cyber Security Investigation Office Launched to Combat Fake News
During August 2019, the Disinformation Prevention Centre was established to combat fake news. Since the COVID-19 pandemic began, fake news has continued to appear, ranging from reports on toilet paper shortages to fabricated official statements. The Cyber Security Investigation Office, launched during April 2020 and upgraded from the Disinformation Prevention Centre, is charged with prosecuting such cases, as well as cracking down on information security threats and computer crime. The Department of Cyber Security, which is the supervising authority of the Cyber Security Investigation Office, would provide the investigator of the Cyber Security Investigation Office with administrative support. If there is a need to submit forensic reports to the court with regard to computer crime cases, the Cybersecurity Forensics Laboratory of the Department of Cyber Security would be in charge.
National Communications Commission Designates 102 Telecommunication Service Providers and Media Businesses as “Critical Infrastructure Providers”
The National Communications Commission (NCC) designates 102 telecommunications service providers and media businesses as “critical infrastructure providers”. These service providers include local telecom, international telecom, satellite communication, internet access, cable television, broadcast television and radio broadcasting. The list will be proposed to the Executive Yuan, and published after approval by the Executive Yuan. These designated critical infrastructure providers shall bear certain legal obligations under the CSMA, such as adopting and implementing the Information Security Plan, submitting an improvement report to the NCC, and reporting to the NCC in the event of a cybersecurity incident.
Establishment of the Ministry of Digital Development
The Executive Yuan is expected to soon approve the establishment of the Ministry of Digital Development as part of its organisational reform plan. The role and function of the new ministry have attracted attention, as its main duties would involve digital industry development, internet supervision and cybersecurity.
The Executive Yuan plans to merge the Department of Cyber Security into this new Ministry, as well as shift the National Communications Commission’s internet supervision and digital streaming oversight to the new Ministry. Cybersecurity will be an important function of the Ministry of Digital Development. This new Ministry will provide overall planning for cybersecurity, and assist other authorities in the protection of cybersecurity.
Taiwanese Electronics Company Suffered a Ransomware Attack
A Taiwanese electronics company, Compal, which is also the second-largest laptop manufacturer in the world, suffered a ransomware attack in November 2020. The DoppelPaymer ransomware gang was implicated in the cyber-attack, based on a screenshot of the ransom note shared with Yahoo Taiwan reporters. This incident was believed to have impacted around 30% of Compal's computer fleet. Employees arriving at work were greeted by a memo from Compal's IT staff, asking workers to check the status of their workstations and back up important files on systems that were not impacted. Compal's Deputy Manager Director admitted that the company suffered a security breach but denied that the company's recent downtime was caused by ransomware. Furthermore, he said the incident only impacted the company's internal office network and that Compal's production lines, which build laptops for other companies, had not been impacted.
Bank of Taiwan Suffered Business Email Compromise
During April 2020, the Los Angeles branch of the Bank of Taiwan reported a cybersecurity incident to the FSC. The personnel of the Los Angeles branch received an email requesting remittance transfers. The requesting email address differed by only one letter from the client's true email address. The branch conducted the remittance transfers requested from the fake email account without confirming the correctness of the information, and was defrauded of about USD450,000 as a result. The Bank of Taiwan listed this cybersecurity incident as a human error, and the IT department ruled out the possibility that the bank was hacked or that there was a customer data breach after examining the IT equipment of the branch.
After receiving the report from the Bank of Taiwan, the FSC requested banks to implement relevant cybersecurity internal control measures, such as social engineering training and strengthening users' cybersecurity knowledge.
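As an added illustration (not code from the original article or from the bank), the following check flags a remittance-request sender whose address sits within a couple of edits of a verified client address, which is the pattern behind the incident above; the allow-list and addresses are constructed placeholders, and the distance threshold is an assumption.

```python
"""Look-alike sender detection for remittance requests.

Added example, not from the original article. All addresses are constructed
placeholders; the max_distance threshold of 2 is an assumption chosen so that
both a single substituted letter and a two-letter transposition are caught.
"""

# Constructed allow-list of verified client addresses (placeholders).
KNOWN_CLIENT_ADDRESSES = {
    "treasury@example-client.com",
    "payments@example-trading.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and
    substitutions needed to turn a into b (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known=KNOWN_CLIENT_ADDRESSES,
                    max_distance: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for a request's sender address.

    'lookalike' means the address is NOT on the allow-list but is within
    max_distance edits of an address that is. A one-letter difference, as in
    the incident described above, lands here and should trigger out-of-band
    confirmation with the client before any transfer is executed.
    """
    normalised = sender.strip().lower()
    if normalised in known:
        return "known"
    for trusted in known:
        if edit_distance(normalised, trusted) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: exact match, capital I for lower-case l,
    # two letters transposed, and an unrelated address.
    for addr in ("treasury@example-client.com", "treasury@exampIe-client.com",
                 "Treasury@example-cilent.com", "someone@unrelated.example"):
        print(f"{addr:35} -> {classify_sender(addr)}")
```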
Response to SolarWinds Attack
The SolarWinds hack – one of the biggest cyber-attacks targeting US government agencies and private companies – is being seen as a likely global effort. The Department of Cyber Security has investigated whether Taiwan’s governmental agencies are likely to be impacted. According to the preliminary investigation, although the governmental agencies do procure products from SolarWinds, they are not using the impacted product of SolarWinds. The Department of Cyber Security would not request governmental agencies to stop using the products of SolarWinds, but would remind them to pay attention to the risks.
In Taiwan, besides the CSMA, cybersecurity is also involved in the application of certain current laws or regulations. Also, current laws and regulations (apart from the CSMA and its related laws and regulations) that would be relevant to cybersecurity adopt the ex post approach instead of the ex ante approach, except in the field of personal data protection.
In the Criminal Code, Chapter 36 is dedicated to offences against computer security, containing the legal provisions that are most directly related to cybersecurity. The relevant offences are as follows.
Article 358 of the Criminal Code: a person who, without reason, accesses another’s computer or related equipment by entering another’s account code and password, breaking his or her computer protection, or taking advantage of a loophole in the computer system shall be sentenced to imprisonment for up to three years or short-term imprisonment; in lieu thereof, or in addition thereto, a fine of up to TWD300,000 may be imposed.
Article 359 of the Criminal Code: a person who, without reason, obtains, deletes or alters the magnetic record of another’s computer or related equipment and causes injury to the public or others shall be sentenced to imprisonment for up to five years or short-term imprisonment; in lieu thereof, or in addition thereto, a fine of up to TWD600,000 may be imposed.
Article 360 of the Criminal Code: a person who, without reason, interferes, through the use of computer programs or other electromagnetic methods, with the computer or related equipment of another person and causes injury to the public or another shall be sentenced to imprisonment for up to three years or short-term imprisonment; in lieu thereof, or in addition thereto, a fine of up to TWD300,000 may be imposed.
In the event that the above three offences are committed against the computers and related equipment of a public office, the punishment shall be increased by up to one half (Article 361 of the Criminal Code). The criminal prosecution of the offences under the above articles shall be initiated by complaint (Article 363 of the Criminal Code); without such complaint, a criminal investigation will not be opened.
Furthermore, a person who makes computer programs specifically to commit the offences under Articles 358 to 360 of the Criminal Code and causes injury to the public or another shall be punished by imprisonment for up to five years or short-term imprisonment; in lieu thereof, or in addition thereto, a fine of up to TWD600,000 may be imposed (Article 362 of the Criminal Code). Unlike the offences under Articles 358 to 360, the investigation authority can open a criminal investigation of this offence on its own initiative.
If the computer or related equipment is used not only for a security breach but also to exercise unlawful control over other people’s assets, the following offences apply.
Article 339-1 of the Criminal Code: a person who, for the purpose of exercising unlawful control over another’s property or to obtain illegal benefit in property for himself or herself or for a third person, takes the property of another via a fees-collecting apparatus shall be sentenced to imprisonment for up to one year, short-term imprisonment, or a fine of up to TWD100,000.
Article 339-2 of the Criminal Code: a person who, for the purpose of exercising unlawful control over another’s property or to obtain illegal benefit in property for himself or herself or for a third person, takes the property of another through an automated teller machine (ATM) shall be sentenced to imprisonment for up to three years, short-term imprisonment, or a fine of up to TWD300,000.
Article 339-3 of the Criminal Code: a person who, for the purpose of exercising unlawful control over another’s property or to obtain illegal benefit in property for himself or herself or for a third person, takes the property of another by entering false data or wrongful directives into a computer or related equipment to create the records of acquisition, loss or alteration of property ownership shall be sentenced to imprisonment for up to seven years; in addition thereto, a fine of up to TWD700,000 may be imposed.
If a fraud under Article 339 of the Criminal Code is committed by disseminating false information to the general public through broadcasting, television, electronic communication, the internet or other media, the wrongdoer shall be sentenced to imprisonment for no less than one year and no more than seven years; in addition thereto, a fine of up to TWD1 million may be imposed (Article 339-4 of the Criminal Code).
In addition, Article 220, paragraph 2 of the Criminal Code considers electronic records as documents for the purpose of applying the provisions under the Criminal Code. Therefore, for example:
The above offences in connection with forgery of electronic records could be investigated on the initiative of the investigation authority. No complaint from the victim is required.
Depending on the information protected, other laws may apply. If the target of the security breach is personal information then civil, criminal or administrative liability under the PDPA would apply. The legal consequences for the infringement of trade secrets are governed by the Trade Secrets Act. In the event that classified national security information is involved, the Classified National Security Information Protection Act would apply.
As mentioned above, the CSMA took effect from 1 January 2019. The CSMA regulates the security management of information and communication, which will include cybersecurity (see below).
As stated in 2.1 Key Laws, under the CSMA, in addition to the Executive Yuan (ie, the overarching regulator), the regulators would be the competent agency at a higher level or the supervisory agency of a governmental agency or the competent central governmental authorities, depending on the regulated subjects.
In the CSMA, various governmental agencies are charged with different tasks. Generally speaking, it is the responsibility of the Executive Yuan to establish the underlying policy with respect to the security of information and communication, while the relevant business authorities are the authorities that implement the CSMA.
Under the CSMA, the overarching cybersecurity agency is the Executive Yuan. The Executive Yuan will establish the high-level cybersecurity goal, policy and directions and it has the review and final approval authority in respect of the cybersecurity rules, standards and requirements promulgated by the relevant business regulators.
The Ministry of Justice (MOJ) is the main regulator for personal data protection and is in charge of proposing the draft bill of the PDPA, promulgating the Enforcement Rules of the PDPA and issuing various interpretations to answer questions in respect of compliance with the PDPA.
The enforcement of the PDPA is administered by the central governmental authorities that supervise the business operation of non-governmental agencies and local government authorities. Both central and local governmental authorities have the power to:
The sectoral regulators are the competent central governmental authorities. The competent central governmental authorities include, for example, the Ministry of the Interior, the Financial Supervisory Commission and the National Communications Commission. Depending on their relevance to IT, the level of activity of these central governmental authorities varies. For example, the financial authority, the FSC, has adopted several guidelines in connection with the information security of financial institutions; the communications authority, the National Communications Commission, also promulgates guidance for the telecommunications business on information security.
There are no other relevant regulators and agencies.
There are currently no key frameworks that are de jure or de facto standards, or provide commonly deployed guidance. However, the Bureau of Standards, Metrology and Inspection of the Ministry of Economic Affairs, referring to ISO 27001, establishes standards for the information security management system in the Chinese National Standards of 27001 (the CNS 27001). Although it is not a legally binding standard, this firm believes that the CNS 27001 would serve as an important reference to evaluate the soundness of an information security management system.
The Regulations on Classification of Cyber Security Responsibility Levels categorise governmental and specific non-governmental agencies into five levels. Each governmental and specific non-governmental agency shall carry out the matters specified in the schedules of the regulation, depending on its cybersecurity responsibility level. The minimum standard of security for these governmental and specific non-governmental agencies would be: (i) restricting the use of products threatening national cybersecurity; (ii) cybersecurity education and training (each general user and officer shall receive general cybersecurity education and training of not less than three hours each year).
The Executive Yuan has a regulation to set up an information security policy, division of labour in connection with information security, management and training of staff for information security, security management of the computer system and the internet, management of access to system, security management of the development and maintenance of the system, security management of information assets, security management of physical objects and the environment, and other matters regarding the management of information security. However, such regulation is an internal rule and only governs the Executive Yuan and its subordinates. Non-governmental agencies are not covered by the above regulation.
The CSMA has set up more complete statutory requirements for preventative planning to deal with cybersecurity issues. The targets of the CSMA include governmental agencies and specific private sectors designated by the relevant governmental agencies. Under the CSMA, all governmental agencies, other than the military and intelligence agencies, are required to adopt, amend and implement the Information Security Plan according to their designated security level of information and communication, the type, amount and nature of the information kept or processed, as well as the scale and nature of the information and communication system.
A governmental agency is required to appoint a security officer, responsible for the promotion and inspection of information and communication security. Whoever assumes the position of security officer should be the deputy head of such agency or other proper staff of such agency. A governmental agency is required to report the implementation of the Information Security Plan to the competent agency at a higher level or to the supervisory agency (or to the Executive Yuan if there is no such agency). This competent/supervisory agency is in charge of auditing the implementation of the Information Security Plan by the agency that is its subordinate or is supervised by it.
As for the private sector, the CSMA authorises the relevant business authority to assign the status of critical infrastructure provider after consulting with relevant governmental agencies, NGOs, experts or scholars. Such assignment shall be approved by the Executive Yuan. The critical infrastructure provider is required to adopt, amend and implement the Information Security Plan according to its designated security level of information and communication, the type, amount and nature of the information kept or processed, as well as the scale and nature of the information and communication system.
The relevant business authority shall audit the implementation of the Information Security Plan by the critical infrastructure provider. In the event of deficiencies found in the Information Security Plan, the critical infrastructure provider shall submit an improvement report to the relevant business authority. The CSMA does not specify the items to be included in the Information Security Plan or the coverage of the critical infrastructure provider, which are left to be elaborated in the rules and regulations adopted by the relevant business authority.
Certain non-governmental agencies other than critical infrastructure providers (each, a Non-CIP Agency) are required to adopt, amend and implement the Information Security Plan according to their designated security level of information and communication, the type, amount and nature of the information kept or processed, as well as the scale and nature of the information and communication system. The CSMA authorises the relevant business authority to ask a Non-CIP Agency to report on the implementation of the Information Security Plan and to audit the Non-CIP Agency in connection with its implementation of the Information Security Plan.
In the event of deficiencies found in the Information Security Plan, the relevant business authority shall ask the Non-CIP Agency to provide an improvement report. Similarly, further details are left to be elaborated in the rules and regulations adopted by the relevant business authority.
In the context of cybersecurity, there are currently no multinational treaties or agreements that would directly apply to the individual or entity in Taiwan. Rather, such treaties or agreements need to be incorporated into the laws, rules or regulations so as to be legally binding.
In the context of personal data, the PDPA requests non-governmental agencies to adopt security measures to prevent the personal data they keep from being stolen, damaged, destroyed or disclosed. In addition to the PDPA, the Legislative Yuan also enacted certain special data protection requirements in some sector-specific laws, such as the Insurance Act, the Financial Holding Company Act, the Banking Act, etc.
Further, certain industry self-regulatory organisations in respect of a specific industry, particularly the financial industry, provide guidance to their members in connection with data protection, confidentiality and cybersecurity. For example, the Bankers Association of the Republic of China provides guidance that advises members to take certain data protection measures, including maintaining the confidentiality of clients’ information, establishing safety control mechanisms for data protection and reporting any data breaches to the competent authority pursuant to the laws and regulations.
The PDPA authorises the relevant business authority to designate non-governmental agencies to set up the plan of security measures for the personal data file or the disposal measures for the personal data after termination of business. The details of such a plan are not specified in the PDPA but left to the relevant business authority to craft the details.
For critical infrastructure, the competent authority has promulgated certain special guidance for their cybersecurity. For example, the Atomic Energy Council sets up a guideline for the review of the plan of information and communication security in connection with the critical digital assets of nuclear plants. This guideline provides instructions to establish the Information Security Plan for nuclear plants and the process to set up, implement and maintain such a plan.
Under the CSMA, “cybersecurity” refers to the effort to prevent information and communication systems or information from unauthorised access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and systems. Therefore, if there is any attack that endangers the information and communication system, CSMA and the relevant regulations will govern, regardless of the hacking techniques or the type of cybersecurity attack.
The CSMA governs all information and communication systems (including IoT and supply chain systems). In addition to governmental agencies and CIP agencies, Non-CIP Agencies shall also comply with the cybersecurity requirements under the CSMA and the relevant regulations promulgated by the relevant business authority, such as satisfying the requirements of their cybersecurity responsibility level, and taking into account the category, quantity and attributes of the information kept or processed, along with the scale and attributes of the information and communication system, in stipulating, amending and implementing their information security plan.
“Cybersecurity incident” refers to an event in which the state of a system, service or network, as identified, shows a likely violation of the cybersecurity policy or a failure of the security protective measures, thereby adversely affecting the performance of the information and communication system's functions and constituting a threat to the cybersecurity policy.
Under authorisation of the CSMA, the Executive Yuan has enacted a regulation that further elaborates the details of the report and reaction with respect to cybersecurity incidents. In this regulation, cybersecurity incidents are categorised into four levels:
The above regulation also provides the process for reporting a cybersecurity incident. In brief, in the event of a cybersecurity incident, the incident should, within one hour of its occurrence, be reported in the manner and to the recipients designated by the central governmental authorities or the Executive Yuan.
Upon becoming aware of a cybersecurity incident, governmental and specific non-governmental agencies shall complete the damage control or recovery operation within the following timeframes, and shall give notification in the manner and to the recipients designated by the Executive Yuan or the central governmental authorities: (i) within 72 hours of becoming aware of a Level 1 or Level 2 cybersecurity incident; (ii) within 36 hours of becoming aware of a Level 3 or Level 4 cybersecurity incident.
In addition, listed companies under Taiwan law are required to make timely disclosure for events having a material effect on shareholders’ equity or securities prices through the Market Observation Post System (MOPS). Therefore, if a data breach happens to a listed company, such company would need to disclose such an event to the investors through the MOPS. In the two data breach incidents identified in 8.1 Regulatory Enforcement or Litigation, the two companies whose systems were hacked made their MOPS disclosures.
Under the CSMA, any data processed, used or shared in the information and communication system of an entity is covered; see also 5.3 Systems Covered.
Under the CSMA, the information and communication system of an entity is covered. An “information and communication system” refers to a system used to collect, control, transmit, store, circulate or delete information, or otherwise to process, use or share such information.
For medical devices containing software and connecting to the internet and hospital networks to share information, the Ministry of Health and Welfare urges hospitals to monitor and assess cybersecurity vulnerability risks. The Ministry of Health and Welfare established a list of 17 kinds of medical devices connecting to the internet, such as CT and MRI scanners and nuclear machines, and a procedure to evaluate the potential cybersecurity risk of such medical devices. The procedure includes conducting exploitability assessment, impact assessment and then making a risk management decision.
In 2018, the Cybersecurity Bureau of the Executive Yuan issued a report suggesting that the relevant governmental agencies shall, by reference to international standards, establish security requirements for the industrial control systems of critical infrastructure providers. In addition, more and more industries became aware of the need to protect their industrial control systems and SCADA systems against cybersecurity attacks. In response, several central governmental authorities have enacted regulations governing the essentials and implementation of the Information Security Plan set up by critical infrastructure providers and the Non-CIP Agencies, so as to include the corresponding security requirements promulgated or suggested by the authority.
In Taiwan, the Ministry of Economic Affairs is responsible for the regulation of IoT security for products with cable interfaces, and the National Communications Committee is responsible for telecommunication/communication terminal devices with wireless interfaces. These two authorities have enacted regulations pertaining to the cybersecurity of IoT products. For example, the National Communications Committee has promulgated guidance on “Cybersecurity inspection techniques for wireless webcam”. Manufacturers may apply for certification of their products according to this guidance, and several important infrastructure units have adopted this certification as their acceptance criteria.
The CSMA provides that governmental agencies shall establish a report and response mechanism for any “cybersecurity incident”. Upon becoming aware of a cybersecurity incident, the governmental agency shall report to the competent agency at a higher level or the supervisory agency, and to the Executive Yuan. The governmental agency is also required to submit the investigation report, the process report and the improvement report to the competent agency at a higher level or the supervisory agency, or to the Executive Yuan if there is no such agency. The above requirements also apply to critical infrastructure providers and the Non-CIP Agencies, which should report to the central governmental authorities.
As stated in 5.7 Reporting Triggers, critical infrastructure providers and the Non-CIP Agencies shall, upon becoming aware of a cybersecurity incident, submit the investigation report, the process report and the improvement report to the central governmental authorities. Such reports shall also be submitted to the Executive Yuan if it is a severe cybersecurity incident. “Severe cybersecurity incident” refers to incidents categorised as Level 3 or Level 4 incidents as stated in 5.1 Definition of Data Security Incident or Breach.
When adopting cybersecurity defensive measures, compliance with the PDPA is required if the collection, processing, use or international transmission of personal data is involved. Compliance with the Trade Secrets Act also needs to be verified; otherwise, adopting such measures may lead to legal liabilities thereunder.
Under the PDPA, a non-government agency in possession of personal data shall implement “proper security measures” to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed. Nevertheless, there is no specific definition or minimum standard that explains exactly what “proper security measures” are expected to be. For certain non-government agencies, the supervising governmental authority has enacted more detailed regulations outlining the procedures to be complied with. However, these regulations sometimes only provide examples of what may be deemed “proper security measures”, such as using pseudonymisation, data encryption and regular security testing.
Nonetheless, given how quickly cybersecurity practices change and cyberthreats evolve, there is no unified and clear standard on what qualifies as “proper security measures” for non-government agencies, let alone that for certain types of industries, and there is no detailed regulation of protection procedures. When there is a data breach resulting from a cybersecurity incident, there is no clear standard on whether the non-government agencies have taken “proper security measures” to protect the collected data, leaving uncertainty for non-government agencies as to whether they have complied with the PDPA.
Since it is impossible for legislation to provide an exhaustive list of security measures for every kind of cyberthreat, the issue is how non-government agencies conduct procedures such as pseudonymisation or data encryption so as to establish that they have in fact taken “proper security measures” to secure their computer and network systems.
As noted in 1.5 Information Sharing Organisations, the statutory requirement or authorisation of information sharing in connection with cyberthreat is regulated in the CSMA according to the reporting obligation imposed on governmental agencies and non-governmental agencies, with a regulation promulgated by the Executive Yuan for further details.
If any individual or entity would like to share information voluntarily with respect to cyberthreats, they should comply with the laws that may restrict such sharing, such as the PDPA or the Trade Secrets Act.
There have been two major data breach regulatory enforcements in Taiwan, in 2016 and 2017.
First Commercial Bank Data Breach
From May 2016, a criminal group made use of loopholes in the call recording system of First Commercial Bank’s London branch to hack into its ATM system and insert malicious software therein. From 10-12 July 2016, members of the criminal group approached 21 ATMs in 22 branches of First Commercial Bank that had been targeted, collaborating with their accomplices overseas to withdraw cash of more than TWD83.27 million.
The investigating authority arrested three foreign suspects who were still in Taiwan and retrieved TWD77.48 million that had been withdrawn. The three suspects were indicted and – based on the violation of Article 359 and Article 339-2 of the Criminal Code – sentenced to four years and ten months, four years and eight months, and four years and six months, with criminal fines of TWD50,000, TWD40,000 and TWD30,000, respectively.
According to Article 45-1, paragraph 1 of the Banking Act, a bank shall establish an internal control system and audit system; regulations governing the objectives, principles, policies, operating procedures, qualifications and conditions for internal auditors, the scope of internal control audits that a certified public accountant shall be engaged to undertake and other matters requiring compliance shall be prescribed by the competent authority. Due to the security flaw that led to the above abnormal withdrawal activities, on 13 September 2016, the FSC fined First Commercial Bank TWD10 million for the violation of Article 45-1, paragraph 1 according to Article 129, sub-paragraph 7 of the Banking Act and ordered the bank to suspend ATM cardless withdrawal temporarily in accordance with sub-paragraph 2, paragraph 1, Article 61-1 of the Banking Law; this facility was later resumed from 7 June 2017.
Far Eastern International Bank Data Breach
On 3 and 5 October 2017, malicious software was reported to have been inserted into the system of Far Eastern International Bank and USD60 million was transferred to accounts in Cambodia, Sri Lanka and the USA through the international SWIFT banking network. All but USD160,000 of the stolen funds were retrieved by the bank.
On 12 December 2017, the FSC indicated that the bank’s information security defence system was not completely sound, the account management was inappropriate, the bank had not strengthened its SWIFT safety system, the bank had not effectively conveyed the relevant rules and regulations to be complied with, and the bank’s internal control was not effectively implemented, thus fining Far Eastern International Bank TWD8 million for the violation of Article 45-1, paragraph 1 according to Article 129, sub-paragraph 7 of the Banking Act. The FSC also requested the bank to raise the expertise level of its information security unit, increase the number of members in its information security team, enhance its awareness of information security risk and strengthen the function of its information security system.
Cyber-Attack Towards Oil Refiners and Semiconductor Firm
During May 2020, the state-run oil refiner CPC Corp Taiwan confirmed that it had suffered a malware attack, resulting in gas stations across the country being unable to accept payment by CPC VIP cards or electronic transaction apps. A day after this incident, another oil refiner, Formosa Petrochemical Corp., suffered a similar ordeal. A semiconductor firm, Powertech Technology Inc., also reported a ransomware attack, which led one of its factories to halt operations temporarily.
The Investigation Bureau of the Ministry of Justice later announced its investigation result, stating that the cyber-attack was launched by a Chinese hacker gang, the Winnti Group, and that the gang was planning to launch further cyber-attacks against another ten enterprises in Taiwan.
According to the Investigation Bureau of the Ministry of Justice, the ten targeted enterprises may have been compromised for several months. The Investigation Bureau of the Ministry of Justice therefore advised the companies to examine their computer and network systems for abnormal logins or abnormal network traffic, to update their antivirus signatures, to strengthen monitoring of privileged accounts and to establish backup mechanisms.
The Investigation Bureau of the Ministry of Justice also worked with the judicial authority of the USA. According to the US judicial authority, this hacker gang is suspected of running an internet security technology company as a cover for its malicious cyber-attacks. Besides illegally intruding into others’ computers, stealing confidential information and committing wire fraud, the gang is suspected of being closely related to the national security authority of China. The gang launched cyber-attacks against CPC Corp Taiwan, US real estate companies and non-governmental organisations, using a virtual private server in the USA as a relay station to intrude into computer networks. Five suspected members of the Winnti Group were indicted in August 2020 by US prosecutors.
There are administrative liabilities under the CSMA. As for the PDPA, there are both criminal liabilities and administrative liabilities. The standard for conviction in a criminal proceeding is “beyond a reasonable doubt” – that is, the prosecutor must present evidence that is credible and sufficient to prove the defendant’s guilt such that no reasonable doubt remains.
With regard to administrative sanctions, the governing authority must prove that the act in breach of a duty under the CSMA or the PDPA was committed intentionally or negligently.
In the first personal data infringement class action brought by the Consumers’ Foundation against a travel agency in March 2018, the court made its decision in October 2019.
In this case, the Consumers’ Foundation, on behalf of 25 consumers, claimed for compensation of TWD4.5 million on the grounds that a travel agency leaked the personal data collected and thus caused damages to the consumers. The travel agency defended that the data breach was caused by a malicious hacking attack, and that it notified the data subjects of the data breach after the occurrence of the hacking attack and that, therefore, it should not be held liable for the data breach.
The court rendered a judgment in favour of the defendant, opining that the travel agency had established a security and maintenance plan for the protection of personal data files, and had conducted internal audits, education and training for cybersecurity personnel, and periodically changed passwords of the computer system. Therefore, although there was a data breach caused by a hacking attack, the travel agency was not in violation of the PDPA and so should not be held liable for the data breach.
The Consumers’ Foundation filed an appeal against this judgment and the case was tried by the Taiwan High Court. During the proceedings in the Taiwan High Court, the Consumers’ Foundation and the travel agency reached a settlement.
Class actions are allowed in Taiwan. For data breach cases arising from the same cause and facts, where multiple data subjects are infringed, the organisations regulated by the PDPA may – after obtaining written authorisation of litigation rights from 20 or more data subjects – represent those data subjects in bringing a lawsuit before the competent court in their own name.
The first data breach class action lawsuit was brought by the Consumers’ Foundation against a travel agency for the alleged illegal disclosure of collected personal data in March 2018. Please refer to 8.4 Significant Private Litigation for more details about this case.
In general legal due diligence, cybersecurity compliance is included in the overall legal compliance section, under which it is established whether the due diligence target has any judgment record or administrative punishment due to a non-compliance issue, including cybersecurity non-compliance. Besides this, the target’s internal cybersecurity rules will also be a focus of legal due diligence.
Further, the coverage and depth of due diligence in respect of cybersecurity will be expanded for certain types of industry, such as CIPs (critical infrastructure providers). The scope of due diligence will then include, but will not be limited to, compliance with applicable laws, regulations and rules, such as setting up the required cybersecurity system, fulfilment of periodic inspections and implementation of required training programmes.
Usually, the due diligence process will be as follows:
(1) a tailored request list is sent to the target company;
(2) documents and information for a certain previous period of time provided by the target company are reviewed;
(3) the staff in charge at the target company are interviewed;
(4) a public search on public channels is conducted to establish whether there is any relevant judgment or punishment record.
The sequence may be flexibly adjusted on a case-by-case basis. For example, the public search may be conducted prior to the interview in (3), or even before the request list in (1) is provided. Furthermore, if cybersecurity is the key matter in a proposed transaction, technical due diligence by a cybersecurity professional may also be recommended.
Under Taiwan law, a listed company shall disclose material information regarding the company on the website designated and maintained by the authority. “Material information” includes: (i) any material effect on the company’s finances or business resulting from an administrative disposition; and (ii) the occurrence of any material event in which the administrative fines for that single event have accumulated to TWD1 million or more, or which causes a material loss to the company.
If administrative fines for one single event accumulate to TWD1 million or more due to a violation of the CSMA (eg, failing to report to the central governmental authority upon becoming aware of a cybersecurity incident), if a cybersecurity incident causes a material loss, or if any administrative disposition by the authority under the CSMA has a material effect on the company’s finances or business, the listed company shall disclose such information. The disclosure shall include the information and content required by the format prescribed by the authority.
There are further disclosure requirements for certain special industries, such as electronic payment enterprises, financial enterprises and travel agencies. Such enterprises shall report the cybersecurity or data breach event to the competent authority pursuant to the applicable laws and regulations within the time limit requested thereunder.
CSMA and Its Subordinated Act to Be Amended
In response to growing cybersecurity threats, a draft amendment to the CSMA is expected to be proposed and reviewed by the Legislative Yuan during the first quarter of 2021, to strengthen the implementation of cybersecurity protection. The Executive Yuan has released the draft amendment to the CSMA and its six subordinated regulations. Under the draft amendment to the CSMA, military agencies and intelligence agencies shall also enact an Information Security Plan.
The most influential amendment is the draft amendment to the Regulations on Classification of Cyber Security Responsibility Levels. For example, agencies assigned a security level of A, B or C shall implement a cybersecurity “vulnerability alert and notification system” within a certain period; agencies assigned a security level of A or B shall also implement an “end-point detection system” within a certain period.
In addition, the “defence standards of information and communication system” under the Regulations on Classification of Cyber Security Responsibility Levels are also amended in the draft in consideration of practical needs. For example, audit records shall be examined periodically and shall be retained for at least six months.