Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

The Cybersecurity Management Act (the Cybersecurity Act) and its implementing Enforcement Rules (the Enforcement Rules), as well as many other regulations promulgated under this Act, became effective from 1 January 2019. Under the Cybersecurity Act and relevant regulations such as the Regulations for Classification of Cybersecurity Responsibility, cybersecurity responsibility is further classified into five levels (from Level A to Level E). Each government agency must stipulate its own cybersecurity maintenance plan and also set out guidelines on cybersecurity matters for the ‘specific non-governmental agencies’ that it regulates. Many government agencies have now issued these regulatory guidelines to the specific non-governmental agencies under their jurisdiction.

At the end of March 2021, the Executive Yuan passed a series of draft bills to establish a new ministry, the Digital Development Ministry, which will be in charge of cybersecurity matters as well as other digital development-related matters in the future. The ruling party anticipated the draft bills being enacted by the end of May 2021, with the new ministry being established as soon as possible.

In August 2020, the regulator of the financial industry, the Financial Supervisory Commission (FSC), announced its new agenda to improve cybersecurity in the financial industry. According to this agenda, the FSC plans to amend the existing internal rules and self-regulatory regimes of the various financial institutions to include new cybersecurity standards. The FSC also plans to establish new cybersecurity reporting criteria.

In April 2021, the Taiwan Stock Exchange announced a new requirement for listed companies mandatorily to make a public announcement or hold a press conference if there is a material cybersecurity incident, such as an incident that may cause material harm to or impair the operation of the listed company.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

Agencies subject to the Cybersecurity Act must report to the relevant supervisory agency, or to the competent industry authority for the sector when the agency becomes aware of a cybersecurity incident. A cybersecurity incident refers to any incident in which the system or information may have been subject to unauthorised accessed, used, controlled, disclosed, damaged, altered, deleted or otherwise infringed, affecting the function of the information communication system and thereby threatening the cybersecurity policy. This means that if there has been a security breach incident, even if no personal data is involved, the incident may be subject to the reporting requirements.

The Regulations for Reporting and Responding to Cybersecurity Incidents set out further details about the reporting of cybersecurity incidents as required under the Cybersecurity Act. The affected specific non-governmental agency must report to its regulator in central government within one hour of becoming aware of a cybersecurity incident and the regulator must respond within two to eight hours, depending on the classification of the incident. In the meantime, the specific non-government agency must carry out damage control or recovery of the system within 36 to 72 hours, depending on the classification of the incident.

In addition, if personal data is involved in a data breach incident, pursuant to the Personal Data Protection Act (PDPA), both public agencies and non-public agencies must inform the affected data subjects of the data breach incident as soon as it has assessed the relevant incident. In the notice to the data subjects, relevant facts such as what data was stolen, when the incident happened and any potential suspects, as well as the actions that have been taken to remedy the breach, must be described. If at least one data subject is affected, that data subject must be notified of the data breach incident.

The PDPA does not specify a time frame for the notification to the affected data subjects, nor does it specify any obligation to report a data breach incident to the regulator. However, in the personal data security maintenance plans stipulated by the competent authorities in certain industries, entities in the private sector are required to report a data breach incident to the competent authority in charge of the industry. In most cases, reporting only becomes mandatory when the data breach incident is deemed to be a material breach. Some competent authorities have adopted their own definition of a material breach, such as ‘affecting the daily operation’ of the private business. The industries that must report to their regulators include online retailers, financial institutions and so on.

Lastly, financial institutions must assess whether an incident materially impacts their operation. If so, they will need to report to their primary regulator and take responsive actions as required by the relevant regulations.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

The most important issue for a company facing a data security incident is how to prevent further damage or harm that may be caused by such an incident. If possible, a company should notify the affected data subjects as soon as possible, so that they are alerted and have the chance to take precautionary measures promptly (for example, resetting passwords). A company must also take immediate action to detect and fix the fault in its system, if any, to prevent any further breach or damage.

In many of the data security incidents reported locally, the cause of the incident is not system failure or hacker activity but misconduct by employees, contractors or contractors’ employees. Therefore it is very important for a company to adopt proper security measures and internal control rules, conduct awareness training and set standards for employee and contractor selection. Often a data breach incident can be caused by a mistake made by the staff of small service vendors, but the large companies retaining the vendors’ services are forced to deal with the customers who may suffer damage. Ultimately, cases may be settled because although the small service vendors may not be financially capable of bearing the relevant liabilities, the large companies need to protect their brand names. This means that companies need to select their service vendors carefully and include clauses addressing personal data protection and indemnification liabilities in the corresponding service agreements.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

In Taiwan, most businesses are cost-sensitive small or medium-sized enterprises and they tend to believe that adopting a certain one-stop solution (ie, installing a particular software package) can handle both cybersecurity issues and compliance with the applicable privacy laws, including the EU General Data Protection Regulation (GDPR). Of course, this is not the case. Even purely from the information technology (IT) perspective, installing a particular software package may not be sufficient to protect a business from cyberattacks.

Large corporations are more cautious and will normally hire IT specialists or consultants, or lawyers, to implement security measures, conduct internal training and design standard operating procedures (SOPs), etc. They will also seek internationally recognised certification, such as the international standard for information security, ISO27001. Some industries are required to obtain ISO27001 certification, such as the telecommunications industry.

Companies may also consider joining certain alliances (such as the Taiwan Computer Emergency Response Team, or TWCERT), to obtain or share intelligence on recent cybersecurity threats and relevant resources, etc.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

Pursuant to the PDPA, a cloud service provider will most likely be deemed a data processor, while the business using the cloud service will be deemed a data controller. The PDPA stipulates that the data controller will be held liable to its customers if the cloud service provider (the data processor) does not comply with the PDPA or with the instructions of the data controller. Administrative fines may also be imposed on the data controller for any breach of the PDPA by the data processor. It is therefore important for a business to select a trustworthy cloud service provider when it decides to move its data to the cloud.

The business must also check whether it is subject to any special sector regulations on outsourcing data processing or storage, or even on storing data outside Taiwan. For example, for outsourcing activities (even locally), financial institutions are subject to the prior approval of the competent authorities. The requirements for obtaining regulatory approval for moving data to a public cloud are difficult to fulfil (one of which is customer consent for the outsourcing activities). The regulator for the financial institutions, the Financial Supervisory Commission (SFC), is contemplating relaxing the restrictions to allow banks in Taiwan to adopt public cloud services provided by third-party service providers such as Google, AWS and Microsoft, but the relevant rules have not been finalised. Furthermore, customer data is prohibited from being stored in China, such as telecommunications operators and TV channels, and cable TV system operators.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The websites and systems of the Taiwan government, and of large corporations, have frequently been hacked or attacked from outside Taiwan (for example, from China). China’s ‘cyber-army’ has been blamed for most of the attacks and incidents. Also, recent incidents involving ‘fake news’ or misinformation alleged to have been posted by Chinese actors on Taiwanese websites have also triggered the attention of the Taiwan government. The Executive Yuan initiated a series of actions to protect Taiwanese cybersecurity, including the implementation of the Cybersecurity Act. By imposing Cybersecurity Act requirements, such as strengthening regulated agencies’ internal procedures and SOPs, the government was hoping to raise cybersecurity standards in Taiwan, as well as enhancing the country’s ability to fight off cyberattacks. The government also hopes to foster growth in the local cybersecurity industry through the implementation of the Cybersecurity Act, as regulated agencies will have to conduct more audit tasks.

Given that cybersecurity now constitutes national security, the National Security Act was amended in 2019 and it now explicitly states that protection of national security includes protection of the security of the cyberspace, as well as physical space, in the territory of the Republic of China. This now officially confirms the application of the National Security Act to activities conducted on the internet, without any need for further interpretation.

With regard to the prevention of criminal activities, the Taiwan government has long established a special task force, the Ninth Investigation Corp of the Criminal Investigation Bureau, to combat criminal activities conducted using high-tech or IT resources, such as computer crime and cybercrime. All cyber-related crime activity reports will be forwarded to the Ninth Investigation Corp for further investigation. The Corp police officers have technology backgrounds, and it is equipped with high-tech hardware and software. It has established channels with police authorities in offshore countries to investigate cross-border crimes. To combat telephone fraud activities, the National Police Agency has also established a special hotline number, 165, to assist the general public in fighting the fraudsters.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

An acquirer or surviving entity in an M&A deal needs to evaluate the potential risks from the following perspectives.

First, the track record of the target: past records of data breach incidents or notable non-compliance with privacy laws can be used to calculate the existing or contingent liabilities of the target, as well as the pattern for future liabilities in the event that the target continues its operation in the same manner after the merger.

Second, data ethics: if the target constantly ignores cybersecurity threats or disrespects privacy or data ethics, there may already be unpredictable contingent liabilities.

Third, costs for future reform: in addition to the liability evaluation already stated, the acquirer or surviving entity must also estimate the costs to fix existing issues and to reform the operation. This will include the costs for IT, obtaining proper consents from the data subjects and carrying out notification obligations to the data subjects.

Fourth, losses incurred due to reduction of customer database: customer data lacking the proper consents would need to be eliminated and the loss of business opportunities would also have to be considered and calculated.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

The client definitely must hire an experienced lawyer because there will be no time to train one while dealing with a cybersecurity incident. In cases of this kind, the client has to act immediately and an incident may involve its relationship with government and its public reputation, so the lawyer has to be able to consider all these factors.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Cybersecurity and privacy practice is fascinating because of its cutting-edge legal and commercial issues. When an incident occurs, the client faces immediate security threats, complaints from consumers and pressure from the authorities. In Taiwan, the PDPA regulates marketing and cross-border data sharing fairly rigidly, so I need to find solutions for the client to obtain consent from data subjects, etc.

How is the privacy landscape changing in your jurisdiction?

Taiwan’s legal framework for personal data protection is similar to EU law (some provisions are stricter than the GDPR), but the legal position and enforcement are quite different. Taiwan is one of the few countries without a centralised data protection authority and while some agencies protect personal data agressively, others may be reluctant even to give an opinion. Taiwan applied for a GDPR adequacy decision in 2018 and we think the government may aim to be more GDPR compliant and to align with the EU on these issues.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

In April 2021, Quanta Computer, a key Apple supplier, was hacked by a ransomware group (for a ransom of US$50 million) and around that time large tech corporations in Taiwan were subject to similar attacks. Taiwan leads in the manufacture of semiconductors and many tech companies here play important roles in the global supply chain so it is very important for them to make extra efforts to prevent cybersecurity incidents, including aligning the resources of both the public and private sectors.