Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

The Cybersecurity Management Act (the Cybersecurity Act), the Enforcement Rules of the Cybersecurity Act (the Enforcement Rules), as well as many other regulations promulgated under the Cybersecurity Act, became effective on 1 January 2019. The Taiwan government now treats cybersecurity as ‘national security’ and it has been anticipated that the Cybersecurity Act will reshape the protection of cybersecurity in Taiwan. The government also expects to promote the growth and development of the cybersecurity industry in Taiwan by imposing the various regulatory obligations under the Cybersecurity Act.

Pursuant to the Cybersecurity Act and the relevant regulations, such as the Regulations for Classification of Cybersecurity Responsibility, cybersecurity responsibility is further classified into five levels (from level A to level E). Each government agency must stipulate its own cybersecurity maintenance plan and also set out guidelines on cybersecurity matters for the ‘specific non-governmental agencies’ that it regulates. Many government agencies have promulgated such guidelines to regulate the ‘specific non-governmental agencies’ subject to their jurisdiction. For example, the regulator of the telecommunications and broadcasting industries, the National Communications Commission, promulgated the Regulations of Specific Non-governmental Agencies’ Cybersecurity Management by the National Communications Commission on 1 April 2019.

There have been no other major developments with regard to cybersecurity standards.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

Pursuant to the Cybersecurity Act, the agencies subject to the Cybersecurity Act shall report to their supervisory agency or to the competent authority of the industry that the private agency is engaging in, as applicable, when the agency becomes aware of a cybersecurity incident. A cybersecurity incident refers to any incident under which the system or information may have been accessed without authorisation, used, controlled, disclosed, damaged, altered, deleted or otherwise infringed, affecting the function of the information communication system, and thereby threatening the cybersecurity policy. Hence, as long as there is a security breach incident, even if no personal data is involved, the incident may be subject to the reporting requirements.

The Regulations for Reporting and Responding to Cybersecurity Incidents set forth further details about the reporting of a cybersecurity incident as required under the Cybersecurity Act. A specific non-government agency shall report to its regulator at the central government within one hour of becoming aware of the cybersecurity incident and the regulator shall respond within two to eight hours, depending on the classification of the cybersecurity incident. In the meantime, the specific non-government agency shall complete damage control or recovery of the system within 36 to 72 hours, depending on the classification of the cybersecurity incident.

Meanwhile, if personal data is involved in a data breach incident, pursuant to the Personal Data Protection Act (the PDPA), either a public agency or a non-public agency shall inform the affected data subjects of the data breach incident as soon as it inspects the relevant incident. In the notice to the data subjects, the relevant facts concerning the incident, such as what data was stolen, when the incident happened, the potential suspect that breached the data, as well as the remedial actions that have been taken, shall be described. The PDPA does not set forth any threshold for notification to the affected data subjects.

On the notification to the regulator, the PDPA does not specify any obligation to report a data breach incident to the regulator. As long as there is one data subject affected, the data subject must be notified of the data breach incident. However, in the personal data security maintenance plans stipulated by the competent authorities of certain industries, the private sector is required to report a data breach incident to the competent authority in charge of the industry. In most cases, the reporting will only become mandatory when the data breach incident is deemed ‘material’. Some of the competent authorities have adopted their own definition of ‘material’, such as ‘affecting the daily operation’ of the private business. The industries that shall report to their regulators include online retailers, financial institutions and so on.

Lastly, financial institutions shall assess whether the incident materially impacts their operations. If so, they will need to report to their respective primary regulators and take responsive actions as required by the relevant regulations.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

I believe that the most important issue for a company facing a data security incident shall be how to prevent further damage or harm that may be caused by such an incident. If possible, a company shall notify the affected data subjects as soon as possible so that they are alerted and have the chance to take precautionary measures (for example, resetting their passwords) in time. A company shall also take immediate actions to detect and fix the loophole in its system, if any, to prevent any further breach or damages.

In many of the data security incidents reported locally, the cause of the incident is not system failure or hacker activity but misconduct by employees, contractors, or the employees of the contractors. Hence, it is very important for a company to adopt proper security measures and internal control rules, awareness training and standards for employee or contractor selection. Meanwhile, often the data breach incident can be caused by a mistake made by the staff of small service vendors, but the large companies retaining their services would be the ones forced to deal with the customers who may suffer damage. In the end, cases would be settled because the small service vendors may not be financially capable of bearing the relevant liabilities but the large companies need to protect their brand names. Hence, a company needs to carefully select its service vendors, and clauses addressing personal data protection and indemnification liabilities should be included in the service agreements.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

In Taiwan, most businesses are cost-sensitive small or medium-sized enterprises and they tend to believe that adopting a certain one-stop solution (ie, installing a certain software package) can handle the cybersecurity issues as well as compliance with the applicable privacy laws, including the General Data Protection Regulation (GDPR). This is, of course, not the case. Even purely from the IT perspective, installing certain software packages may not be sufficient to protect businesses from cyberattacks.

Large corporations are more cautious and normally will hire IT specialists, consultants or lawyers to implement security measures, to conduct internal training or to design standard operating procedures (SOPs). They will also seek internationally recognised certifications, such as ISO 27001. Some industries, such as telecommunications, are required to pass ISO 27001 certification.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

Pursuant to the PDPA, a cloud service provider will most likely be deemed as a data processor, while the business using the cloud service will be deemed as the data controller. Pursuant to the PDPA, the data controller shall be held liable to its customers if the cloud service provider or data processor does not comply with the PDPA or the instruction of the data controller. The data controller may also have administrative fines imposed for any breach of the PDPA by the data processor. Hence, it is important to select a trustworthy cloud service provider when a business decides to move its data to the cloud.

The business must also check whether it is subject to any special sector regulations for outsourcing data processing or storage, or even for storing data outside of Taiwan. For example, financial institutions are subject to the prior approval of the competent authorities for outsourcing activities, even locally. The thresholds (one of which is customer consent for outsourcing activities) to obtain the regulatory approval for moving the data to a public cloud are difficult to reach. The regulator of the financial institutions, the Financial Supervisory Commission, is contemplating relaxing the restrictions so as to allow banks in Taiwan to adopt the public cloud services provided by third-party service providers, such as Google, AWS, Microsoft, etc, but the relevant rules have not been finalised. Furthermore, for some industries, such as telecommunications operators, TV channels and cable TV system operators, customers’ data are prohibited from being stored in China.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The websites and systems of the Taiwan government, as well as large corporations, have been frequently hacked or attacked by attackers outside Taiwan, such as from China. The ‘cyber-army’ of China was blamed for most of the attacks and incidents. Meanwhile, recent incidents involving fake news or misinformation that have been alleged to be posted by the Chinese on Taiwanese websites also triggered the attention of the Taiwan government. To protect the country’s cybersecurity, the Executive Yuan initiated a series of actions, including the implementation of the Cybersecurity Act. By imposing the relevant requirements under the Cybersecurity Act, such as strengthening the regulated agencies’ internal procedures and SOPs, the government was hoping to raise cybersecurity standards in Taiwan, as well as the ability to fight against a cyberattack. The government also hopes to foster the growth of the local cybersecurity industry through the implementation of the Cybersecurity Act, as there will be more audit tasks to be conducted by the regulated agencies.

Given that cybersecurity is now a national security issue, the National Security Act was amended in 2019, which claims and explicitly states that the protection of national security shall include the protection of the security of cyberspace, as well as physical space, in the territory of the Republic of China. This means that the application of the National Security Act to the activities conducted on the internet is now officially confirmed, without the need for further interpretation.

With regard to the prevention of criminal activities, the Taiwan government has long established a special task force, the Ninth Investigation Corps of the Criminal Investigation Bureau (CIB), to combat criminal activities conducted via high-tech or information technology, such as computer crime, cybercrime, and so on. All reports of cyber-related criminal activities will be forwarded to the Ninth Investigation Corps for further investigation. The Ninth Investigation Corps is equipped with police officers with technology backgrounds, as well as high-tech hardware and software. It has established channels with police authorities in offshore countries to investigate cross-border crimes. To combat phone fraud activities, the National Police Agency further established a special phone line, 165, to assist the general public in fighting against the fraud gangsters.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

An acquirer or surviving entity in an M&A deal needs to evaluate the potential risks from the following perspectives:

  • The track record of the target. Past records of data breach incidents or notable non-compliance with privacy laws can be used to calculate the existing or contingent liabilities of the target, as well as the pattern for future liabilities in the event that the target continues its operation in the same manner after the M&A.
  • Data ethics. If the target constantly ignores cybersecurity threats or disrespects privacy or data ethics, there may already be unpredictable contingent liabilities.
  • Costs for future reform. In addition to the liabilities evaluation stated above, the acquirer or surviving entity shall also estimate the costs to fix the existing issues and to reform the operation. This will include the costs for (i) IT, (ii) obtaining proper consents from the data subjects and (iii) performing notification obligations to the data subjects.
  • The losses to be incurred due to reduction of the customer database. Customer data without proper consent would need to be eliminated, and the losses of business opportunities should also be considered and calculated.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

The client definitely must hire an experienced lawyer because it will have no time to train the lawyer while dealing with a cybersecurity incident. Sometimes, the client would need to deal with government relations as well as public reputation or public relations. Hence, the lawyer needs to take all the relevant factors into consideration.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

I would encounter cutting-edge legal and commercial issues and need to respond simultaneously, while addressing all of the potential legal liabilities and consequences to the clients. In Taiwan, although the PDPA does not specify a specific timeline for the notice to the affected data subjects and the report to the authority, the client can waste no time in finding a solution to fix its security problems. In addition, since the PDPA is relatively rigid in regulating marketing activities and cross-border data sharing, sometimes lawyers need to be creative.

How is the privacy landscape changing in your jurisdiction?

Taiwan adopted a legal framework of personal data protection that is similar to the data protection laws of the EU. Some of the provisions are even stricter than the GDPR. However, the position and enforcement are quite different. Taiwan is one of the very few countries that do not have a centralised data protection authority. Taiwan submitted its application for a GDPR adequacy decision in 2018 and is in the process of negotiating with the EU.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

In early 2020, quite a few cybersecurity incidents were reported. One noteworthy trend is the series of attacks that hackers launched against certain ‘critical infrastructures’: for example, CPC Corporation, the largest petroleum company in Taiwan, was attacked by ransomware, while the Formosa Petrochemical Station was attacked by malware.