Ken-Ying Tseng currently heads Lee and Li’s digital, TMT and data privacy practice group. Before 2018, she was the head of Lee and Li’s M&A practice group for 12 years. She received an LLM from Harvard Law School. Ken-Ying advises on various forms of mergers and acquisitions, and is experienced in resolving both legal and commercial issues. She assisted and represented several multinational corporations in their M&A activities, including Affinity, TPG, Aleees, McDonald’s, Sony, Energy Absolute and Qualcomm.
In addition to M&A, Ken-Ying constantly advises various tech companies that are in the businesses of social networks, instant messengers, search engines, portal sites, sharing economy, e-commerce, OTT, online games, P2P lending, e-payments and cloud computing. Ken-Ying also frequently advises clients, including multinational companies, on privacy and data protection (GDPR), e-marketing, big data, e-signature, domain name, telecommunications, satellite, fintech, artificial intelligence, cybersecurity, internet governance and other legal issues.
Ken-Ying is admitted to practise law in both Taiwan and New York.
She has been honoured in Taiwan’s Top 100 Lawyer, 2022, Asia Business Law Journal, Asialaw Distinguished Practitioner 2022 in Corporate and M&A, IFLR 1000, Leading Lawyer, Highly Regarded, 31st Edition and Most Influential Woman in Personal Data Protection Law 2019 – Taiwan, Acquisition INTL.
Ken-Ying holds other positions, namely managing director of the Taiwan Internet Governance Forum (TWIGF), member of the International Affairs Committee of TWNIC, supervisor of the Taiwan Internet and E-commerce Association, supervisor of the National Information Infrastructure Enterprise Promotion Association and director of the Secure On-line Shopping Association of Taipei City.
1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
The Cybersecurity Management Act (the Cybersecurity Act), the Enforcement Rules of the Cybersecurity Act (the Enforcement Rules), as well as many other regulations promulgated under the Cybersecurity Act, became effective on 1 January 2019. Pursuant to the Cybersecurity Act and the relevant regulations, such as the Regulations for Classification of Cybersecurity Responsibility, cybersecurity responsibility is classified into five levels (from Level A to Level E). Each government agency must stipulate its own cybersecurity maintenance plan and also set forth guidelines on cybersecurity matters for the ‘specific non-governmental agencies’ that it regulates. Many government agencies have promulgated such guidelines to regulate the ‘specific non-governmental agencies’ subject to their jurisdiction.
At the end of March 2021, the Executive Yuan passed a series of bills to establish a new ministry, the Digital Development Ministry, which will be in charge of cybersecurity matters as well as other digital development-related matters in the future. The new ministry was expected to be established in June 2022 and will commence operation soon.
Meanwhile, with regard to the financial industry, in August 2020 the regulator of the financial industry, the Financial Supervisory Commission (the FSC), announced a new agenda to improve the cybersecurity of the financial industry. Pursuant to the new agenda, the FSC plans to amend the existing internal rules and self-regulations of the various financial institutions so as to incorporate new cybersecurity standards into the existing rules. Following the FSC’s initiatives, in April 2021 the Taiwan Stock Exchange announced a new requirement under which listed companies are mandatorily required to make a public announcement or hold a press conference in the event of a material cybersecurity incident that may cause material harm to the listed company or impair its operations. In December 2021, the FSC further amended the Regulations Governing Establishment of Internal Control Systems by Public Companies, requiring a listed company with paid-in capital of NT$10 billion or more, or ranked among the top 50 in the Taiwan stock market by market value, to hire a chief information security officer.
2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
Pursuant to the Cybersecurity Act, an agency subject to the Cybersecurity Act shall report to its supervisory agency or, in the case of a private agency, to the competent authority of the industry in which it is engaged, when the agency becomes aware of a cybersecurity incident. A cybersecurity incident refers to any incident in which a system or information may have been accessed without authorisation, used, controlled, disclosed, damaged, altered, deleted or otherwise infringed, affecting the function of the information communication system and thereby threatening the cybersecurity policy. Hence, as long as there is a security breach incident, even if no ‘personal data’ is involved, the incident may be subject to reporting requirements.
The Regulations for Reporting and Responding Cybersecurity Incidents set forth further details about the reporting of cybersecurity incidents as required under the Cybersecurity Act. A ‘specific non-government agency’ shall report to its regulator at the central government within ‘one hour’ after it becomes aware of the cybersecurity incident, and the regulator shall respond within two to eight hours depending on the classification of the cybersecurity incident. In the meantime, the specific non-government agency shall complete damage control or recovery of the system within 36 to 72 hours depending on the classification of the cybersecurity incident.
Meanwhile, if personal data is involved in a data breach incident, pursuant to the Personal Data Protection Act (the PDPA), either a public agency or a non-public agency shall inform the affected data subjects of the data breach incident as soon as it inspects the relevant incident. The notice to the data subjects shall describe the relevant facts concerning the incident, such as what data was stolen, when the incident happened, the potential suspect that breached the data and the remedial actions that have been taken. The PDPA does not set forth any threshold for the notification to the affected data subjects.
On notification to the regulator, the PDPA does not specify any obligation to report a data breach incident to the regulator. However, in the personal data security maintenance plans stipulated by the competent authorities of each industry, the regulator may require the private sector to report a data breach incident to it within a 72-hour period. As of the end of 2021, the competent authorities of many industries have included the data breach incident reporting requirement in the personal data security maintenance plans that they stipulated. As a result, many industries in Taiwan are now subject to a 72-hour reporting requirement under which they shall report a data breach incident to their competent authority within 72 hours of becoming aware of its occurrence. In most cases, the reporting only becomes mandatory when the data breach incident is deemed ‘material’. Some competent authorities have adopted their own definition of ‘material’, such as ‘affecting the daily operation’ of the private business.
Furthermore, financial institutions shall assess whether the incident materially impacts their operations. If so, they will need to report to their respective primary regulators and take responsive actions as required by the relevant regulations.
3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
The most important issue for a company facing a data security incident is how to prevent further damage or harm that may be caused by the incident. If possible, a company shall notify the affected data subjects as soon as possible so that they are alerted and have the chance to take precautionary measures (for example, resetting their passwords) in time. A company shall also take immediate action to detect and fix the loophole in its system, if any, to prevent any further breach or damage.
In many of the data security incidents that are locally reported, the cause of the incident is not system failure or hackers’ activity but the misconduct of the relevant employees, contractors or the employees of the contractors. Hence, it is very important for a company to adopt proper security measures and internal control rules, awareness training and standards for employee and contractor selection. Often, a data breach incident is caused by a mistake made by the staff of a small service vendor, but the large company retaining its services is the one forced to deal with the customers who may suffer damages. In the end, such cases tend to be settled because the small service vendors may not be financially capable of bearing the relevant liabilities while the large companies need to protect their brand names. Hence, a company needs to carefully select its service vendors, and its service agreements shall include clauses addressing personal data protection and indemnification liabilities.
4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
In Taiwan, most businesses are cost-sensitive small or medium-sized enterprises, and they tend to believe that adopting a certain ‘one-stop’ solution (ie, installing a certain ‘package software’) can handle the cybersecurity issues as well as compliance with the applicable privacy laws, including the GDPR. This is, of course, not the case. Even purely from an IT perspective, installing package software may not be sufficient to protect a business from cyberattacks.
Large corporations are more cautious and normally will hire IT specialists or consultants and lawyers to implement security measures, to conduct internal training and to design standard operating procedures (SOPs), etc. They will also seek internationally recognised certifications, such as ISO 27001. Some industries, such as the telecommunications industry, are required to obtain ISO 27001 certification.
Companies may also consider joining certain alliances, such as TWCERT, to obtain or share intelligence in relation to recent cybersecurity threats and relevant resources.
5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
Pursuant to the PDPA, a cloud service provider will most likely be deemed as a data processor while the business using the cloud service will be deemed as the data controller. Pursuant to the PDPA, the data controller shall be held liable to its customers if the cloud service provider/data processor does not comply with the PDPA or the instruction of the data controller. The data controller may also have administrative fines imposed for any breach of the PDPA by the data processor. Hence, it is important to select a trustworthy cloud service provider when a business decides to move its data to the cloud.
The business shall also check whether it is subject to any special sector regulations for outsourcing data processing or storage, or even for storing data outside of Taiwan. For example, financial institutions are subject to the prior approval of the competent authorities for outsourcing activities, even local ones. The regulatory approval in this regard is rather burdensome. Furthermore, for some industries, such as telecommunications operators, TV channels, cable TV system operators and social worker firms, customers’ data are prohibited from being stored in China.
6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
The websites and systems of the Taiwan government, as well as of large corporations, have been frequently hacked or attacked by attackers outside of Taiwan, such as from China. The cyber army of China was blamed for most of the attacks and incidents. Meanwhile, recent incidents involving ‘fake news’ or misinformation alleged to have been posted by Chinese actors on Taiwanese websites have also drawn the attention of the Taiwan government. To protect the cybersecurity of Taiwan, the Executive Yuan initiated a series of actions, including the implementation of the Cybersecurity Act. By imposing the relevant requirements under the Cybersecurity Act, such as strengthening the regulated agencies’ internal procedures and SOPs, the government hoped to raise the cybersecurity standards in Taiwan as well as its ability to defend against cyberattacks. The government also hopes to foster the growth of the local cybersecurity industry through the implementation of the Cybersecurity Act, as there will be more audit tasks to be conducted by the regulated agencies.
Given that cybersecurity is now national security, the National Security Act was amended in 2019 and explicitly states that the protection of national security shall include the protection of the security of cyberspace, as well as physical space, in the territory of Taiwan. This means that the application of the National Security Act to activities conducted on the internet is now officially confirmed, without the need for further interpretation.
With regard to the prevention of criminal activities, the Taiwan government long ago established a special task force, the 9th Investigation Corps of the Criminal Investigation Bureau (CIB), to combat criminal activities conducted via high technology or information technology, such as computer crime and cybercrime. All reports of cyber-related criminal activity are forwarded to the 9th Investigation Corps for further investigation. The 9th Investigation Corps is staffed with police officers with technology backgrounds and equipped with high-tech hardware and software. It has established channels with police authorities in other countries to investigate cross-border crimes. To combat ‘phone fraud’ activities, the National Police Agency further established a special phone line, ‘165’, to assist the general public in fighting against fraudsters.
7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
An acquirer or surviving entity in an M&A deal needs to evaluate the potential risks from the following perspectives.
The first perspective is the track record of the target. The past record of data breach incidents and notable non-compliance with privacy laws can be used to calculate the existing or contingent liabilities of the target, as well as the pattern of future liabilities in the event that the target continues to operate in the same manner after the M&A.
The second is data ethics. If the target constantly ignores cybersecurity threats or disrespects privacy or data ethics, there may already be unpredictable contingent liabilities.
The third is the cost of future reform. In addition to the liabilities evaluation stated above, the acquirer or surviving entity shall also estimate the costs to fix the existing issues and to reform the operation. This will include the costs of: (i) IT technology, (ii) obtaining proper consents from the data subjects, and (iii) performing notification obligations to the data subjects.
The fourth is the losses to be incurred due to the reduction of the customer database. Customer data without proper consents would need to be eliminated, and the resulting loss of business opportunities shall also be considered and calculated.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
The lawyer must have sufficient experience, knowledge and training to think and act fast. Meanwhile, a cybersecurity incident may not be handled merely from a legal perspective; sometimes the client would also need to deal with government relations as well as public reputation or relations. The lawyer needs to be able to take all of the relevant factors into consideration when rendering legal advice.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
I found cybersecurity and privacy practice fascinating because I would encounter cutting-edge legal and commercial issues and need to respond simultaneously, while addressing all of the potential legal liabilities and consequences to the clients. I need to be creative in order for the client to obtain the required consents from the data subjects.
How is the privacy landscape changing in your jurisdiction?
Taiwan adopted a legal framework of personal data protection that is similar to the EU data protection laws. Some of the provisions are even stricter, and Taiwan is one of the very few countries without a centralised data protection authority. Taiwan submitted its application for a GDPR adequacy decision in 2018 and is in the process of negotiating with the EU. The Taiwan government may reform the privacy law to be more GDPR compliant and take the same position as the EU on similar issues.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
In April 2021, international news media revealed that Quanta Computer, a key supplier of Apple, was hacked by the ransomware group REvil, also known as Sodinokibi. It was reported that REvil requested a ransom of around US$50 million. Taiwan is the leading country in semiconductor manufacturing, and many other Taiwanese tech companies play important roles in the global supply chain, so it is very important to make the extra effort to prevent cybersecurity incidents.