As the world grapples with rampant cyberattacks, policymakers in the region have toughened their data security measures and business compliance is crucial
Websites of major Taiwanese government agencies and large companies frequently face cyberattacks and, in response, the Executive Yuan (cabinet) has just established a brand new agency overseeing and regulating cybersecurity, the Ministry of Digital Affairs (MoDA).
Commencing operations on 27 August, the MoDA also oversees overall digital developments including e-commerce, electronic signatures, e-government and data governance, among others.
Cybersecurity Laws
The Cybersecurity Management Act is the primary legislation governing cybersecurity in Taiwan. But the act only applies to government agencies and specific non-government agencies including critical infrastructure providers, state-owned businesses and government-sponsored foundations.
Other than specific cybersecurity requirements applicable to specific industry sectors such as financial institutions or telecommunications operators, there are no cybersecurity requirements generally applicable to all non-government entities.
All agencies subject to the act must establish and implement their own cybersecurity maintenance plans according to their cybersecurity responsibility levels, and set up a reporting and response mechanism for cybersecurity incidents.
Cybersecurity incidents must be reported within one hour of discovery, and all measures for damage control or recovery must be completed within 36 to 72 hours of discovery, depending on the severity level.
The act further authorises the central competent authorities in charge of the relevant industries to promulgate regulatory guidelines on cybersecurity matters for the specific non-government agencies under their supervision; these guidelines refer to and recommend the relevant requirements of the ISO/IEC 27001 international standard on information security management.
To strengthen cybersecurity safeguards, the Executive Yuan also stipulated guidelines restricting government agencies, public schools, state-owned businesses and administrative legal persons from using information and communications technology products that may endanger national cybersecurity. Government agencies are also required to urge critical infrastructure providers and government-sponsored foundations under their supervision to comply with the guidelines.
Under points 3 and 4 of the guidelines, the Executive Yuan may announce a list of banned brands of information and communications technology products and services that relevant entities shall not procure or use.
Following a recent hacking incident involving electronic signage, the Ministry of Economic Affairs promulgated guidelines on the cybersecurity management of on-premises electronic signage that prohibit electronic signage from using any Chinese-developed software and require that business operators avoid using Chinese-made electronic signage.
Cybercrime
Different types of cybercrime violate different Taiwanese laws, including but not limited to the following:
Any activity that adversely affects or threatens cybersecurity may be deemed to constitute one or more of the criminal offences listed above, depending on the actual facts of the activity.
These criminal offences apply where the conduct, the offender or the place of the cybercrime is within the territory of Taiwan, and Taiwan courts have jurisdiction in such cases.
Personal Data Protection
The Personal Data Protection Act (PDPA) is the general statute regulating the collection, processing and use of personal data in Taiwan.
On data breach notification, article 12 of the act stipulates that if there is an incident in which personal data is stolen, disclosed, altered or otherwise infringed, the data controller is required to notify the affected data subjects in an appropriate manner after investigating the incident.
As for data security obligations, paragraph 1, article 27 of the act requires data controllers to have appropriate measures in place to prevent personal data from being stolen, altered, damaged, destroyed, lost or disclosed.
Paragraph 2, article 12 of the enforcement rules of the act further provides certain technical and organisational measures that data controllers may consider adopting based on the principle of proportionality, i.e., based on the quality and quantity of the personal data involved.
Strictly speaking, neither the PDPA nor its enforcement rules mandate any particular security measure. Whether to adopt a specific security measure is left to the data controller's discretion.
Nonetheless, according to paragraph 2, article 27 of the act, the central competent authorities may designate one or more industry sectors under their supervision, and require them to set up a security maintenance plan for personal data files.
To urge ministries and commissions to implement supervision of non-government agencies under their watch, the Executive Yuan has convened and hosted regular collaborative meetings since 2020.
To ensure consistent reporting and timelines for data breaches, a meeting resolution dated 3 February 2021 explicitly required ministries and commissions to amend their existing data protection regulations for the specific industry sectors under their supervision, thereby requiring non-government agencies to report data breaches to the central competent authorities within 72 hours, using the reporting forms provided.
In August 2021, the Executive Yuan further stipulated collaborative practice guidelines on the implementation of personal data protection that required ministries and commissions to amend their existing data protection regulations for specific industry sectors under their supervision, thereby requiring non-government agencies using IT systems to collect, process or use personal data to adopt additional measures to ensure information security.
The guidelines also required ministries and commissions to review the necessity of stipulating new data protection regulations for specific industry sectors under their supervision regularly, taking into consideration the scale of non-government agencies, the quantity or nature of personal data they retain, the potential impact on data subjects as a result of data breach, the frequency of cross-border data transfer, and other factors.
Corporate Governance
In Taiwan, directors bear a fiduciary duty to the company and will be held liable if they breach this duty. But a company's failure to prevent, mitigate, manage or respond to a cybersecurity incident does not necessarily mean that its directors have breached their fiduciary duty.
Rather, it would depend on whether the incident should have been reported to the board of directors, and whether the board would be required to take any action.
On the other hand, Taiwan law does not require a company to appoint a chief information security officer (CISO), except in specific industry sectors such as financial institutions.
However, the Financial Supervisory Commission now requires the following companies listed on the Taiwan Stock Exchange (TWSE) or the Taipei Exchange (TPEx) to designate a CISO responsible for implementing information security policy, and to establish a department with at least one officer and two staff members dedicated to information security, before 31 December 2022: (1) companies with paid-in capital of NTD10 billion (USD325.2 million) or more; (2) companies constituting the TWSE Taiwan 50 Index at the end of the previous year; and (3) companies mainly conducting e-commerce.
Other TWSE or TPEx listed companies are given more leeway: they are required to have a CISO with at least one staff member dedicated to information security before 31 December 2023, unless they have sustained losses in the past three years or their net value per share is lower than the par value per share.
Source: Asia Business Law Journal