Taiwan’s Cybersecurity Regulatory System

The Cybersecurity Management Act (“CSMA”) governs the management of information and communications security by government agencies and certain non-government agencies (ie, critical infrastructure providers, public utilities, and government-sponsored foundations). The Enforcement Rules of the CSMA further define and set forth the rules, guidelines, and key terms of the CSMA.

Reporting System for a Cybersecurity Incident

Pursuant to the CSMA, the agencies subject to the Act shall report to their supervisory agency or to the competent authority of the industry as applicable when the agency becomes aware of a cybersecurity incident (Articles 14 and 18 of the CSMA). A cybersecurity incident refers to any incident in which the system or information may have been accessed without authorisation and used, controlled, disclosed, damaged, altered, deleted, or otherwise infringed, affecting the functioning of the information communication system and thereby threatening the cybersecurity policy.

The Regulations for Reporting and Responding to Cybersecurity Incidents further detail the reporting of a cybersecurity incident as required under the CSMA. A “specified non-government agency” shall report to the central regulator within one hour of becoming aware of the cybersecurity incident and shall complete damage control or recovery of the system within 36 to 72 hours depending on the type of the cybersecurity incident.

When making such a report to the authority, information such as when the incident occurred and when the agency became aware of the incident, what had actually transpired, an assessment of the risk level, the response measures that have been taken, an evaluation of any assistance from outside resources, and other relevant matters shall be included.

There are no specific provisions with regard to exemption from the reporting requirements, and it is not necessary for the authority to make such reports publicly available.

Penalties

Specified non-government agencies may be ordered to take corrective measures by a certain deadline or be subject to an administrative fine ranging from TWD100,000 to 1 million for failure to comply with the obligations to:

• stipulate, revise or implement the cybersecurity management plan;
• submit a report on implementation of the cybersecurity maintenance plan;
• submit the improvement reports,
• stipulate the reporting and response mechanisms for cybersecurity incidents; and
• submit the cybersecurity investigation, handling and improvement reports regarding cybersecurity incidents.

They may be fined consecutively until corrective measures are taken (Article 20 of the CSMA).

Specific non-government agencies are subject to an administrative fine ranging from TWD300,000 to 5 million for failure to comply with the obligations to report a cybersecurity incident (Article 21 of the CSMA).

Taiwan’s Data Breach Regulatory System

The Personal Data Protection Act (“PDPA”) governs the management and the protection of personal data by government agencies and private organisations which hold such data.

Under the PDPA, if there is any data breach incident where personal data is stolen, altered, damaged, or lost, a data controller shall notify the affected data subjects after it has the opportunity to inspect the relevant incident. In the notification to the data subjects, the data controller shall briefly describe the data breach incident and the corrective measures that it has taken to protect the data subjects.

With regard to a personal data breach incident, if a private organisation fails to take proper security measures to protect the personal data that it retains, or breaches its obligation to notify the data subjects affected by the personal data breach incident, the competent authority has the power to order the private organisation to take corrective measures, and if no corrective measure is taken before the designated deadline, the authority has the power to impose an administrative fine ranging from TWD20,000 to 200,000 consecutively until corrective measures are made.

Key Regulators of Personal Data Security Incidents

There is no specific authority dedicated to the enforcement of the PDPA, which governs personal data security incidents. The regulators of the PDPA are the local governments (ie, the municipal/city/county governments) and the central authority overseeing the industry. In the case of a personal data security incident, both local governments and the central authority can impose administrative dispositions (eg, fines or corrective measures) on a non-governmental agency. The Ministry of Justice was originally the authority in charge of interpreting the PDPA, but was replaced by the National Development Council (“NDC”) in July 2018. The NDC has also set up a Personal Data Protection Office for the harmonisation of Taiwan’s data protection law with the GDPR.

Key Regulators of Cybersecurity Events

As the Executive Yuan (the executive branch of the Taiwan government) is responsible for carrying out national cybersecurity policies, the CSMA makes clear that the competent authority for the Act is the Executive Yuan. For government agencies, the regulator would be the competent agency at a higher level or the supervisory agency, which oversees the lower agency’s stipulation, revision and implementation of its cybersecurity maintenance plan.

As to the specified non-governmental agencies, the regulator will be the central authority of the industry. For example, the regulator for insurance companies, securities firms and futures commission merchants is the Financial Supervisory Commission. The central authority is authorised by the CSMA to set out rules for the companies in the industry to stipulate, revise, and implement their cybersecurity maintenance plans.

It should be noted that the Taiwan government is forming a new ministry, the Ministry of Digital Development, which will become the central authority in charge of cybersecurity matters. It is anticipated that this new ministry will be formed and start operating by end of June 2022.

Under the CSMA, the central authority is required to first order the non-government agency that violated the regulations to complete corrective actions within a specified time before imposing fines. However, the central authority need not observe such requirement when a non-government agency has failed to report a cybersecurity incident (Articles 20 and 21 of the CSMA).

Under the PDPA, the central government or the municipal governments have the power to conduct a business inspection (Articles 22 and 23 of the PDPA) of the non-government agency, order the violating non-government agency to complete corrective actions and/or impose penalties on the violating non-government agency (Articles 47–50 of the PDPA).

Regardless of which administrative dispositions the agency imposes under the CSMA or the PDPA, the agency must follow the principles stipulated in the Administrative Procedure Act. The disposition should be specific, non-discriminatory, made in good faith and not against the rule of proportionality.

The respondent has the right to counsel, and unless otherwise stipulated, the right to express its opinion before the disposition is rendered.

The administrative dispositions imposed by the administrative agency can be appealed to its supervisory agency. If the supervisory agency does not rule in favour of the respondent, the respondent can file for administrative litigation with the Administrative High Court to revoke such a decision. The judgment rendered by the Administrative High Court can be appealed to the Supreme Administrative Court, whose judgment would be final and binding on the respondent if it does not revoke the Administrative High Court’s judgment.

While the legislative intent of the CSMA indicates that the legislators consulted foreign laws when drafting the CSMA, such as the guidelines of the US National Institute of Standards and Technology, the US Federal Information Security Modernisation Act of 2014, the EU Directive on security of network and information systems, and Japan’s Basic Cybersecurity Act, the CSMA and its enforcement rules are implemented at the national level.

Few local governments have enacted cybersecurity management directions or cybersecurity management committee directions as internal guidelines.

Information Sharing Organisations

Alliances such as the Taiwan Computer Emergency Response Team (TWCERT) provide opportunities for private companies to obtain and share intelligence and resources on recent cybersecurity threats.

Government Assistance

Article 8 of the CSMA dictates that the Executive Yuan should set up a cybersecurity information sharing mechanism. The Cyber Security Information Sharing Regulations further provide that the competent authorities of the relevant industries should timely share cybersecurity information with the “specific non-government agencies” under their charge. The “specific non-government agencies” may also voluntarily share information with the competent authorities or the Executive Yuan (Article 3 of the Regulations).

For individuals, entities or organisations that are not subject to the CSMA, the competent authorities or the Executive Yuan may also share cybersecurity information with them, provided that they have agreed in writing to comply with the requirements under the Regulations (Article 10 of the Regulations).

In implementing the Regulations, some authorities, such as the National Communication Commission (NCC), periodically hold training sessions and seminars to encourage companies to strengthen their information security.

In addition to information sharing, the government also provides assistance to help agencies cope with cybersecurity incidents. According to the Regulations for Reporting and Responding to Cybersecurity Incidents, the competent authority in charge of the relevant industry is required to provide necessary support or assistance to help a “specific non-government agency” report or respond to a cybersecurity incident. The Executive Yuan may also provide such assistance and support if circumstances so require.

Personal Data Protection

The regulatory landscape of Taiwanese personal data protection is centralised under the PDPA. The PDPA imposes general obligations on all data controllers to protect the personal data that they hold, and there is one over-arching agency, the National Development Council, which is in charge of interpreting the PDPA. In this sense, Taiwan’s approach is more similar to the EU model. However, enforcement of the PDPA is more sector-specific, thus being the responsibility of local governments and the central authority overseeing the industry.

In order to obtain an adequacy decision from the European Union, the Taiwan government is contemplating revising the PDPA to incorporate the principles and mechanisms of the EU General Data Protection Regulation (GDPR) in the near future.

Cybersecurity

Similar to the data protection regulatory landscape, Taiwan has a comprehensive law in cybersecurity; ie, the CSMA. However, the CSMA only provides a baseline for cybersecurity of the government agencies and specific non-government agencies, and numerous sector-specific laws and regulations are promulgated as supplements. The CSMA and the relevant regulations prescribe the security requirements and special treatment of each A, B, C, D and E level of the agencies subject to the CSMA in the aspects of management, critical infrastructure, technical measures and control systems for software vulnerabilities, awareness and training. In terms of the enforcement of cybersecurity, Taiwan also adopts a sectoral model. For public agencies, the regulator for cybersecurity of a lower agency would be the competent agency at a higher level; ie, the supervisory agency. As to specified non-governmental agencies, the regulator will be the central authority with responsibility for that industry.

The Enforcement Rules of the CSMA and its sub-laws were amended and promulgated on 23 August 2021.

The key impact of this amendment is as follows.

• The Enforcement Rules of the CSMA: the amendment gives government agencies and the central authority in charge of the industry more power as to the stipulation, revision and implementation of their cybersecurity maintenance plans as well as the implementation report in order for government agencies and non-government agencies to supervise the planning and execution of such plans.
• Regulations on Classification of Cyber Security Responsibility Levels: the most significant impact of this amendment on the practical side is the relevant amendments to Schedule X.
• Regulations on the Notification and Response of Cyber Security Incident: this amendment enhances the supervision mechanism of the supervising authority or the competent authority of the government agency and the central authority in charge of the subject industry of the specific non-government agency regarding cybersecurity incidents, and also meets the requirements of ISO27001, Appendix A16 on the management of cybersecurity incident.
• Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency: this amendment gives government agencies the flexibility regarding the auditing schedule of specific non-government agencies and the composition of the audit team.
• Cyber Security Information Sharing Regulations: this amendment encourages specific non-government agencies to share effective and tangible information to enhance the effectiveness of cybersecurity.
• Award and Punishment Regulations on Cyber Security Affairs for the Public Servants: the amendment includes the chief officer of the personnel in charge of cybersecurity operations or the supervising personnel of the supervising authority to be subject to penalty for the ineffective supervision of cybersecurity operations, in order to properly enforce the cybersecurity laws and regulations.

Significant Pending Changes

The Legislative Yuan passed the Organic Law of Cybersecurity Agency, Ministry of Digital Development on 28 December 2021 and it was promulgated on 19 January 2022. Currently, the Executive Yuan is working on staffing and the transition of business to the newly founded Cybersecurity Agency. It is expected that the Cybersecurity Agency will commence work in June or July 2022. The Cybersecurity Agency is responsible for the planning and execution of (i) national cybersecurity policy and regulations, (ii) significant national cybersecurity projects, (iii) management and protection mechanisms for critical infrastructure, and (iv) the training and evaluation of cybersecurity personnel in the government and government-owned enterprises.

Hot Topics and Issues

In January 2022, Delta Electronics, Inc. (“Delta”), a supplier for Apple, Tesla, Ford and BMW, published material information indicating that part of its system had been hacked through overseas subsidiaries but that the incident had no material impact on the company’s operations. Though foreign media reported that Delta was attacked by Conti ransomware, Delta denied it.

Acer Inc., a leading Taiwanese PC brand, was reportedly attacked by ransomware REvil and asked to pay a ransom of USD50 million. According to the news, Acer’s financial spreadsheets, bank balances, and bank communications had been pilfered. Acer did not confirm whether it had been hacked by ransomware, and maintained that it was under “constant attack,” and had “reported the recent irregularities to the law enforcement and data protection authorities in multiple countries.”

Later in October 2021, Acer’s server in India (post-sale service system) was reportedly breached by the hacker group Desorden, and over 60 GB of files and data were stolen. A few days later, Desorden also breached Acer’s Taiwan server and claimed to have acquired company employees’ information. In response, Acer published material information confirming the attack on the Taiwan and India servers and declaring that its clients’ data was safe.

In April 2021, Quanta Computer Inc., a major supplier of Apple, was reportedly hacked by ransomware REvil and asked to pay a ransom of USD 50 million or USD 100 million after the given deadline. The perpetrator threatened to leak Apple’s product blueprints online if Quanta chose not to pay. Quanta confirmed the attack, but stated its operations had been unimpeded by the attack. After Quanta refused to negotiate, REvil tried to have Apple buy back its stolen data.

In November 2021, three local securities companies that offer online trading were targeted by credential stuffing attacks in which clients’ trading accounts were used to buy Hong Kong stocks, even though the clients did not place such orders. In response, the Financial Supervisory Commission (for further details of which, see 2.5 Financial or Other Sectoral Regulators) tightened cybersecurity rules and fined some securities companies for failing to improve cybersecurity loopholes, etc.

Regulations Based on Different Kinds of Data

Personal data

The protection of personal data is governed by the PDPA, including the protection of health-related personal information and personal financial information.

Classified information

Under the Trade Secret Act, one who intentionally or negligently misappropriates another’s trade secret shall be liable for damages and one who intentionally misappropriates another’s trade secret shall be subject to criminal liability as well. Under the Criminal Code of Taiwan, breach of confidentiality obligations with regard to certain business secrets as stipulated under the law or a contract may incur criminal liability. Disclosing or compromising secret information with regard to national defence may also be subject to criminal sanctions.

Regulations Based on Infrastructure

The CSMA governs the cybersecurity of “critical infrastructure providers.” According to the Executive Yuan, there are eight critical infrastructure sectors, including energy, water resources, telecommunications, transportation, banking and finance, hospitals, central and local government, and high technology parks.

The laws that governs the above critical infrastructure sectors are provided as follows.

Telecommunications industry

The Telecommunications Management Act requires that telecommunications enterprises which have established a public switched telephone network (PSTN) using telecommunications resources, or other telecommunications enterprises announced by the competent authority, shall draw up an info-communications security maintenance plan and implement it accordingly (see Article 15 of the Act). The details are further stipulated in the Administration Regulations of Cyber Security on Telecommunications Business.

The Technical Specifications for Security Testing of Information and Communication Equipment for Critical Telecommunications Infrastructure governs technical specifications for info-communications security evaluation.

Bank and finance

The Regulations of Special Non-official Agencies’ Cyber Security Management by the Financial Supervisory Commission govern the cybersecurity of the banking and finance industry.

For public agencies, the regulator for cybersecurity of a lower agency would be the competent agency at a higher level; ie, the supervisory agency.

As to the specified non-governmental agencies, the regulator will be the central authority of the industry. A few examples are as follows.

• Energy (electricity, petroleum and gas) – the Ministry of Economic Affairs.
• Financial industry:
1. banking – the Financial Supervisory Commission and Ministry of Transportation and Communications;
2. securities – the Financial Supervisory Commission; and
3. the banking payments system – the Taiwanese Central Bank.
• Telecommunications – the National Communications Committee.
• Medical care and disease control – the Ministry of Health and Welfare.
• Technology industrial parks and biomedical parks – the Ministry of Science and Technology.
• Software parks and industrial areas – the Ministry of Economic Affairs.

As stated in 1.2 Regulators, the Executive Yuan is responsible for carrying out national cybersecurity policies, and the competent authority of the CSMA is thus the Executive Yuan. Under the Executive Yuan, the Department of Cyber Security was founded in 2016, and is responsible for cybersecurity affairs.

The Executive Yuan has also founded the National Information and Community Task Force, which is responsible for stipulating and implementing national cybersecurity policy, including:

• acting as the advisory committee on (i) the national security policy, (ii) the reporting, responding and rehearsal mechanisms relating to cybersecurity incidents, and (iii) other significant national cybersecurity projects; and
• the supervision and co-ordination of inter-agency cybersecurity matters.

The National Development Council (NDC) is in charge of interpreting and enforcing the PDPA. The NDC also acts as a co-ordinator between different government authorities with regard to the interpretation and implementation of personal data protection matters. The NDC established a Personal Data Protection Office in July 2018 in order to perform these tasks. Another important mission of the Personal Data Protection Office is to obtain an adequacy decision from the European Union concerning the GDPR. The negotiations commenced in the Spring of 2018.

Meanwhile, central competent authorities and local (city and county) government authorities are granted the power to enforce certain matters stipulated under the PDPA, such as:

• stipulating rules with regard to the security maintenance of personal data;
• carrying out audits and inspections; and
• imposing rectification orders and administrative penalties on the non-government agencies that they regulate.

Breach of the PDPA may incur civil liability, criminal liability and administrative fines. In most instances, the entity that breached the relevant provisions will be held liable. If this is a corporation, the penalty will normally be imposed on that corporation; however, the regulator also has the power to impose a fine of the same amount on the “responsible person” of the corporation, such as the chairman, if they have failed to perform their duty. Criminal sanctions are usually applicable to the individuals who conduct the relevant actions.

There are two main financial regulators in Taiwan, the Financial Supervisory Commission (FSC) and the Central Bank.

The FSC is the regulator of financial services enterprises, including financial holding companies, the Financial Restructuring Fund, the Central Deposit Insurance Corporation, banking enterprises, securities enterprises, futures enterprises, insurance enterprises, and electronic financial transaction enterprises. The FSC also promulgates the cybersecurity regulations for the specific non-government agencies under its supervision.

The Central Bank is the regulator of the three entities managing the banking payments system: the Taiwan Clearing House, the Central Engraving and Printing Plant, and the Central Mint.

Other sectoral regulators are identified in 2.2 Regulators.

There are no relevant regulators or agencies other than those already discussed in this chapter.

There are no de jure or de factor standards commonly adopted by Taiwanese agencies and companies. Different sectors adopt different standards.

For government agencies and “specific non-government agencies,” each of the competent authorities for those agencies has issued guidelines in which ISO27001 is referred to and recommended. However, there is no reference to specific cybersecurity obligations that shall be imposed on the government agencies or the specific non-government agencies.

The specific cybersecurity obligations vary among industries. For instance, operators in the telecommunications industry are required to obtain ISO/IEC 27001 and ISO/IEC 27011 certifications, while financial institutions are required to meet the security standards stipulated by the relevant competent authorities.

There is no consensus or commonly applied framework for “reasonable security.” Other than the specific non-government agencies under the CSMA, a company is not legally required to adopt specific standards or measures for cybersecurity.

In general, large corporations are more cautious and would normally hire IT specialists or consultants/lawyers to implement security measures, and would conduct internal training. They are also more inclined to seek internationally recognised certification, such as ISO/IEC 27001.

As for government agencies and specific non-government agencies that are subject to the CSMA, the Regulations on Classification of Cyber Security Responsibility Levels classify their responsibilities into five levels – A, B, C, D and E – and prescribe the security requirements for each level in terms of management, technical measures, and awareness and training.

Security Measures

Other than the specific non-government agencies under the CSMA, a company is not legally required to have written information security plans or incident response plans, appoint a chief information security officer (CISO), conduct risk assessment or internal training, or implement other security measures. A company is also not required to disclose software vulnerabilities unless they are material to the operation of a listed company.

For government agencies and the specific non-government agencies, the CSMA requires adoption of cybersecurity maintenance plans and reporting of cybersecurity incidents to the related government authorities. Each of the competent authorities has issued guidelines in which ISO27001 is referred to. In particular, implementing anti-virus measures and adopting periodic checks on security procedures are encouraged. In addition, some statutes for the telecommunications industry prescribe critical infrastructure and the related security level.

Response to Incidents

In terms of the requirements for incident response plans, in addition to the reporting obligations, the agencies subject to the CSMA are required to complete damage control or recovery of the system within 36 or 72 hours (depending on the severity of the cybersecurity incident).

Use of Cloud

The business using a cloud service will most likely be deemed a data controller under the PDPA. According to the PDPA, a data controller will be held liable if the data processor it engages (in this case, the cloud service provider) fails to comply with the PDPA. Therefore, businesses using cloud services to store personal data of a third party should be cautious about how the cloud service provider protects and processes the data.

Article 3 of the Cyber Security Information Sharing Regulations dictate that the Executive Yuan should engage in international co-operation to exchange cybersecurity information with foreign countries.

In addition to the government, the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) serves as a platform for international cybersecurity resources. TWCERT/CC is government-sponsored, promoting cybersecurity advancements and providing assistance to this end to Taiwanese companies. It interacts with computer emergency response teams (CERTs)/computer security incident response teams (CSIRTs) worldwide for information exchange and collaboration. By actively participating in international cybersecurity communities and attending activities held by foreign CERTs, the TWCERT/CC tracks the latest international cybersecurity trends, and endeavours to enhance collective cybersecurity defence domestically.

Pursuant to the PDPA, a data controller shall adopt any or all of the following technical and organisational measures which are reasonable and sufficient to protect the personal data held by the data controller, pursuant to the Enforcement Rules of the PDPA:

• allocate personnel to enforce data security measures with sufficient resources;
• identify the scope of personal data that the data controller holds;
• evaluate the relevant risk to the personal data’s risk valuation and management mechanism;
• establish the mechanisms for prevention, notification and handling of accidents;
• establish internal management procedures for collection, processing and use of personal data;
• establish security management and personnel management;
• conduct awareness and education training;
• establish the IT infrastructure’s security management;

• adopt data security auditing mechanisms;
• adopt maintenance of access records, track log files and relevant evidence; and
• continuously improve security and maintenance measures.

In 2022, many sectoral regulators adopted the Personal Data Files Security and Maintenance Plans governing the relevant industries under which more detailed security measures were introduced.

Other than those regulated under the CSMA, or in highly regulated business such as financial institutions or telecommunications businesses, there are no general affirmative security requirements.

Under the CSMA, there are different requirements on the regulated entities or agencies depending on the different security levels with which they can be classified.

The CSMA provides different requirements on critical infrastructure, networks and systems, which are classified into different security levels. For example, for critical infrastructure, networks and systems classified into Level-A, they are required to do at least the following:

• implement the ISO27001 standard within two years of being classified into Level-A and be certified by a neutral third party within three years;
• implement vulnerability alert and notification system within one year of being classified into Level-A and maintain and submit information asset information; and
• within one year of being classified into Level-A, the dedicated cybersecurity personnel shall hold a total of not less than four licences, and shall continually maintain the validity of those licences.

Exhibit 10 of Regulations on Classification of Cyber Security Responsibility Levels provides some requirements for entities subject to the CSMA to ensure the integrity and the availability of the information system. For example, entities with a defence standard classified as high are required to conduct at least the following control measures:

• the cybersystem should adopt automatic tools to monitor the access of communication flows and, if unusual or unauthorised activities are found, conduct an analysis of such activities;
• conducting an inspection of the integrity of software and information;
• using integrity verification tools to detect any unauthorised change of specific software and information;
• examination of the legitimacy of input data of users should be placed on the server terminal of the application system; and
• if any violation to the integrity is found, the cybersystem should implement the security protection measures designated by the agencies.

The security requirements involved for such data systems are the same as those discussed in 4.4 Denial of Service Attacks.

Under the CSMA, a cybersecurity incident refers to any incident under which the system or information may have been subject to unauthorised access, used, controlled, disclosed, damaged, altered, deleted, or otherwise infringed, effecting the function of the information communication system, and thereby threatening the cybersecurity policy.

There is no specific definition of a cyber-incident under the PDPA. According to Article 12 of the PDPA, as long as any personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA by a data controller, the data subject shall be notified via appropriate means, regardless of the type of incident.

Under the CSMA, there are no specific requirements. Under the PDPA, the requirements only cover personal data.

There are no specific requirements in this regard.

The Ministry of Health and Welfare (MOHW) published two guidelines concerning the security requirements for medical devices.

The Guideline on Medical Device Inventory Management and Risk Assessment

This guideline is merely advisory for hospitals, and aims at helping information security staff and medical device managers in hospitals identify and assess the risks of medical devices so as to take appropriate protective measures and lower security risks at hospitals.

The Guideline on Cybersecurity of Medical Devices Applicable to the Medical Device Manufacturer

This guideline provides cybersecurity issues that manufacturers of medical devices should consider during phases of product design, product development, and application for market approval and after the product is launched on the market. The guideline is also purely advisory, and is published for manufacturers to ensure the cybersecurity of the medical devices they make. This guideline, however, also notes that the MOHW examiner might ask a manufacturer to provide other documents that are not required in this guideline.

Both guidelines will be updated from time to time to adapt to technological advances.

The National Information & Communication Security Taskforce (NICST) published the Guidance for Critical Information Infrastructure Protection in 2018, in which NIST SP800-82[3], IEC 62443-3-3[5] and other international security standards are referred to and recommended. The competent authority for each industry also promulgated regulations for security requirements for industrial control systems (and supervisory control and data acquisition) for businesses in that industry. For instance, the Ministry of Economic Affairs promulgated Guidelines Concerning Security Requirements for ICS in Energy and Water Resource Industries.

Promotion of the security for the IoT has been the focus of Taiwan’s government in recent years. The Department of Cyber Security of the Executive Yuan has been co-operating with the competent authorities of IoT companies in different industries to promulgate the security standards for IoT products/services, including those for internet protocol cameras (IP cams), network video recorders, digital video recorders, smart bus systems, and intelligent street lamps. Among them, the security standard for IP cams has become a national standard (CNS 16120).

The government is also establishing the standards and system for examination of IoT security and has published seven standards as well as set up nine information security testing laboratories for web cams, one information security testing laboratory for smart bus systems, and two testing laboratories for intelligent street lamps.

Exhibit 10 of Regulations on Classification of Cyber Security Responsibility Levels provides some requirements regarding the security software life cycle of entities subject to the CSMA. For example, for the requirement phase of the software life cycle, entities should use a checklist to confirm system security requirements (including confidentiality, availability and integrity). For the design phase, depending on the system functions and requirements, the entities should identify the threats that might impact the system, to conduct risk analysis and assessment, feed the risk assessment results back to the screening items of the requirement phase and submit the revision of security requirements. For the development phase, entities should execute “source code scanning” security testing and have notification mechanisms for serious errors in the system. For the testing phase, entities should execute “penetration testing”. For the deployment and maintenance operation phase, attention should be paid to the version control and change management.

Pursuant to the CSMA, government agencies or private entities subject to the CSMA shall report to their supervisory agencies, or to the competent authority of the industry that a given private entity is engaging in, as applicable, when the agency or private entity becomes aware of a cybersecurity incident. As long as there is a security breach incident, even if no “personal data” is involved, the incident may be subject to the reporting requirements.

The “Regulations for Reporting and Responding Cybersecurity Incidents” set forth further details about the reporting of cybersecurity incident as required under the CSMA. A specific non-government agency shall report to its regulator at the central government within one hour after it becomes aware of the cybersecurity incident and the regulator shall respond within two to eight hours depending on the classification of the cybersecurity incident. Meanwhile, the specific non-government agency shall complete damage control or recovery of the system within 36 to 72 hours.

If personal data is involved in a data breach incident, pursuant to the PDPA, either a public agency or a non-public agency shall inform the affected data subjects of the data breach incident as soon as it inspects the relevant incident. In the notice to the data subjects, the relevant facts concerning the incidents, such as what data was stolen, when the incident happened, the potential suspects with regard to the breach, as well as the remedial actions that have been taken, shall be described. The PDPA does not set forth any threshold for the notification to the affected data subjects.

On the notification to the regulator, the PDPA does not specify any obligations to report a data breach incident to the regulator. As long as one data subject is affected, the data subject must be notified of the data breach incident. However, in the personal data security maintenance plans stipulated by the competent authorities of certain industries, a private sector entity is required to report a data breach incident to the competent authority in charge of the industry (normally within 72 hours).

Personal Data

In most of the cases for personal data breach incidents, the obligation to report to the authority will only become mandatory when the data breach incident is deemed “material”, such as when the incident would affect the daily operation of the private business.

Pursuant to the CSMA, government agencies or private entities subject to the CSMA shall report to their supervisory agencies or to the competent authority when they become aware of a cybersecurity incident. A cybersecurity incident refers to any incident in which the system or information may have been accessed without authorisation and used, controlled, disclosed, damaged, altered, deleted, or otherwise infringed, affecting the functioning of the information communication system and thereby threatening the cybersecurity policy. Moreover, pursuant to the Regulations on Classification of Cyber Security Responsibility Levels, the non-government agencies classified with cybersecurity responsibility levels A, B and C have to complete the development of threat detection mechanisms and vulnerability alert and notification systems (VANS).

Generally, there is no specifically permitted or restricted practice or tool for network monitoring or other cybersecurity defensive measures. As long as a measure does not constitute cybercrime under the Criminal Code, violate an individual’s privacy (see 6.2 Intersection of Cybersecurity and Privacy or Data Protection), or intrude upon or abuse another’s trade secret, an organisation should be permitted to implement it.

That said, if personal data is concerned, compliance with the PDPA is required. Therefore, when implementing cybersecurity defensive measures, companies should be aware if the measures touch on the personal data of a third party.

As explained in 6.1 Cybersecurity Defensive Measures, when implementing cybersecurity defensive measures, such as monitoring or intercepting email communications or internet use of an employee, businesses should always be prudent with personal data.

In addition, privacy rights of the person(s) being monitored should also be taken into account. In principle, employee monitoring practices will not be considered a violation of privacy if the employees have no reasonable expectation of privacy. Employees are deemed to no longer have a reasonable expectation of privacy if they are informed of the monitoring policy or have consented to the monitoring. Employees are deemed to have given implied consent if they continue to use the computer (or other equipment) provided by the employer after being informed of the monitoring policy.

Reporting Requirement under the CSMA

An agency subject to the CSMA is required to report to the competent authority when it becomes aware of a cybersecurity incident. A cybersecurity incident refers to any incident where the agency’s system or information may have been accessed and used, controlled, disclosed, altered or otherwise misappropriated without authorisation, thereby threatening cybersecurity.

The Regulations for Reporting and Responding to Cybersecurity Incidents set forth further details about the reporting obligation under the CSMA. A specific non-government agency shall report in the manner designated by the central authority within one hour after it becomes aware of the cybersecurity incident. The report to the authority should include detailed descriptions of the incident, such as the time when the incident occurred, how the agency became aware, responsive measures that have been taken, risk assessment, etc. If there is a change in the severity of the incident, the agency should continue to report the incident in the same manner. If the agency is unable to report in the designated manner, it should report in another proper manner within the same time frame, and notify the authority of the cause for its inability to report in the prescribed manner. After the elimination of the aforementioned cause, the agency should report in the original manner.

Other Reporting Requirement

Whether or not an agency is subject to the CSMA, in the event that personal data is involved in a data breach, besides prompt notification to the data subjects, a report to the competent authorities is required in certain industries if the breach is considered material. Industries that require such reporting include finance and online retail, among others.

According to the Cyber Security Information Sharing Regulations, a specific non-government agency may voluntarily share information (excluding the information regarding the cybersecurity incident, which is required to report to the central authority under the CSMA) with the competent authorities (Article 3 of the Regulations). In addition, if an individual, entity or organisation that is not subject to the CSMA obtains consent from the authority and undertakes in writing to comply with the Regulations, they or it may also exchange information with the government (Article 10 of the Regulations).

Furthermore, companies, agencies, organisations and CSIRTs may join alliances like TWCERT to obtain and share cybersecurity intelligence and resources.

Far Eastern International Bank Fined TWD8 million for Data Breach

In October 2017, Far Eastern International Bank’s SWIFT system was breached by a computer virus. The hacker fabricated sham transactions and stole around USD60 million. Far Eastern managed to recover most of the amount, and the final loss the bank suffered was around USD160,000.

The FSC stated in its disposition that Far Eastern did not establish a strong cybersecurity defence system, mismanaged user admin rights, botched the crisis response, and did not strengthen its SWIFT system as required. Far Eastern was thus fined TWD8 million by the FSC based on the Banking Act.

CTBC Bank Fined TWD4 million for Data Breach

In April 2013, CTBC Bank accidentally leaked its consumers’ personal data online, giving the public access to data intended only for the bank’s staff. Over 30,000 customers were affected and the bank was fined TWD4 million by the FSC based on the Banking Act.

Two examples of administrative penalties imposed for cybersecurity breach and data leaks are provided in 8.1 Regulatory Enforcement or Litigation.

Investigation of First Commercial Bank Security Breach

In July 2016, the ATM network of First Commercial Bank in Taiwan was hacked, which made selected ATMs spew cash out to 12 waiting “bagmen”. More than USD2.63 million was stolen through the 41 ATMs. While the police department worked on finding the bagmen, the Investigation Bureau under the Ministry of Justice, which is responsible for investigating computer crimes, handled the digital forensics of the breached ATMs and located the installed malware. After the investigation wrapped up, about USD2.44 million was recovered by the police. Though there were 22 suspects from nine countries involved, only three were apprehended and indicted for fraud, in September 2016.

The FSC pointed out that First Bank did not provide sufficient cybersecurity protection to its ATMs and network, and thus imposed a TWD10 million fine on the bank, and suspended its cardless withdrawal services before it improved its system.

Investigation of Attacks on Major Oil Companies in Taiwan

State-owned enterprise CPC Corporation, which controls the gas supply and operates most gas stations in Taiwan, came under attack in early May 2020. During the attack, customers were unable to make payments using CPC Pay or similar payment tools. CPC was forced to shut down the infected computers, and customers’ payment options were limited to cash or credit cards. Following the CPC cybersecurity incident, the country’s second largest oil company, Formosa Petrochemical Corporation, was also reportedly attacked. The company announced that its mainframe was hacked and some employees were unable to operate their computers. Given that gas stations are deemed critical infrastructure, the Investigation Bureau formed an ad hoc group to investigate the attack. The Investigation Bureau also worked with international authorities to find the culprit, and Winnti Group was identified as the hackers that conducted the attack.

The Ministry of Economic Affairs (MOEA), which has authority over CPC’s cybersecurity measures, requested CPC to provide a review report concerning the breach within one month of the attack. After reviewing CPC’s report, the MOEA determined it was not CPC’s fault that it was hacked and did not impose any administrative dispositions on CPC, even though CPC did not report the incident to the MOEA within the hour, as required.

In April 2021, the Investigation Bureau signed the National Cybersecurity Information Exchange and Co-operation Memorandum with CPC. Both will share cybersecurity information with each other and make sure the supply of energy will not be disrupted in a cybersecurity incident.

Regulatory Enforcement

A person can be liable for administrative liabilities for violation of the PDPA and CSMA. A person may also face criminal convictions for violation of the PDPA. For the government to impose administrative dispositions, it has to meet the preponderance of evidence standard. As to validating a criminal conviction, the legal burden of proof required is “beyond a reasonable doubt.”

Civil Litigation

Where the computer system of a private organisation has been hacked or breached and the organisation has sustained losses or damage, the organisation, as the victim, may file a civil lawsuit against the hacker or the other perpetrators either based on a tort claim or an unjust enrichment claim. The private organisation, as the plaintiff, needs to establish the facts with regard to how the system had been attacked, breached or manipulated, and how such activities can be linked to the hacker or the other perpetrators.

The organisation will also be required to substantiate the amount of the actual damage and the causation between the occurrence of the actual damage and the hack.

The organisation should also be able to file a civil action against the vendor that provided the IT/cybersecurity services to it if the vendor had failed to perform the required services or had failed to meet the required security standard. In this regard, the private organisation is required to establish that the vendor is obliged to provide it with security services meeting a certain level or standard based on the contract as well as substantiate the actual amount of the damage.

The evidentiary standard applied in civil litigation is also “preponderance of evidence.”

Since 2016, there have been quite a few “business email compromise” (“BEC”) incidents and many civil lawsuits have been filed with the Taiwan court. Many of the cases involve a cross-border BEC scheme, under which a foreign company sought civil relief from the Taiwan courts against individuals in Taiwan. Such individuals offered their bank accounts as the nominee accounts for receiving the improper funds for hackers and their identities were discovered through the records in the banking system.

The Taiwan law enforcement authority then worked with the foreign law enforcement authority to seize the nominee accounts and track down the individuals offering the nominee accounts.

The nominee account holder would be held criminally liable under Taiwan law, either for being the accomplice of the hacker or breaching the Money Laundering Control Act. The victim would then bring a civil lawsuit against the nominee account holder. There are also court cases under which the nominee account holders were not found or criminally indicted but still the court ruled in favour of the victims against the nominee account holders and declared that the nominee account holders should return the improper gain to the victims.

Although class actions are permitted in Taiwan, the mechanism is rarely used.

There are no class action-specific regulations in cybersecurity regulations. As to personal data breaches, the PDPA allows an incorporated foundation or an incorporated charity to file a class action when the rights of multiple data subjects have been infringed owing to the same incident, after obtaining a written delegation of litigation rights of at least 20 data subjects.

Article 22 of the PDPA further stipulates the following criteria under which an incorporated foundation or an incorporated charity can bring a class action to the court:

• the total registered assets of an incorporated foundation shall be TWD10 million or more, or the total number of members of an incorporated charity shall be 100 or more;
• the protection of personal data shall be set forth as one of its purposes in its charter; and
• it shall have been established for more than three years following its receipt of the approval thereof.

The Consumers’ Foundation Class Action

As of today, there has only been one data breach class action lawsuit, brought by the Consumers’ Foundation (“Foundation”) against a travel agency to Taipei Shihlin District Court in March 2018. The travel agency was hacked by a third party and its customers’ personal data was leaked as a result.

In this case, the defendant, the travel agency, first argued that the Foundation did not fulfil the requirement of a qualified incorporated charity under the PDPA, because the protection of personal data was not set forth as one of its purposes in its charter. The court dismissed the contention, stating that the purpose of the Foundation is to “protect consumer interests,” which can cover protection of consumer personal data. Furthermore, the court pointed out that the act of endowment of the Foundation also enables the Foundation to file class actions claiming damages regarding personal data. The court, therefore, recognised the Foundation as a qualified incorporated charity to file class actions under the PDPA.

Nonetheless, the Foundation still lost its claim for damages due to data breach under the PDPA. The Foundation argued that the travel agency did not adopt proper security measures to ensure the security of the personal data. Based on the Taiwan Code of Civil Procedure, a party bears the burden of proof with regard to the facts which it alleges are in its favour. The Foundation, therefore, should have proved that the travel agency did not adopt proper security measures. As there is no discovery-equivalent mechanism in Taiwan civil litigation, it was difficult for the Foundation to provide evidence to substantiate its argument. The travel agency, however, provided ample evidence that it complied with relevant regulations, including submitting a personal data security maintenance plan as required by law. In the end, the court deemed that the data breach was not caused by mismanagement of the agency, and thus the agency was not liable for damages under the PDPA.

Even though this case was appealed to the Taiwan High Court, both parties settled the dispute in July 2010. The settlement terms were not made available to the general public.

As this is the only class action as of today, the courts’ attitude toward personal data class action remains to be seen.

Generally, it is advisable for companies conducting corporate transactions to assess and “red-flag” potential risks through inspection of the following items.

• Data protection or cybersecurity policy/certification – if the counterparty has an adopted policy or obtains a certification for data protection or cybersecurity (eg, ISO/IEC 27001), it reduces the risk of data leak or breach.
• Records of cybersecurity incidents – past records of data breach indicate the potential additional cost to rectify the defect(s) in the system or to meet the requirements for data protection (see Cost to fix the problem below).
• Data ethics and patterns – if the counterparty has a history of disrespecting others’ privacy or ignoring cybersecurity threats, it denotes a risk of related liabilities that might be incurred or have been incurred.

If a red flag is detected, in determining whether to continue the deal, the company should consider, among others, the following.

• Cost to fix the problem – if the cost to rectify the potential cybersecurity defect(s) in the system or to comply with the requirements for data protection is too high, the company should consider ceasing the transaction; such a cost includes, for instance, the cost of retaining additional IT personnel, or of obtaining proper consent from the data subjects.
• Loss of value due to the reduction of customer data – customer data lacking proper consent would have to be eliminated; whether or not the deal on the table is still valuable as originally proposed should be further assessed and contemplated.

If a cybersecurity incident, or any administrative disposition of a listed company rendered by the authority pursuant to the CSMA has a material impact on the listing company’s shareholders’ rights and interests or securities prices, the listing company shall disclose such information according to the Taiwan Securities and Exchange Act. The guidelines enacted by the Taiwan Stock Exchange specify when a listing company should make such disclosure: (i) if a cybersecurity incident causes substantial losses to the listing company, or (ii) the combined fines on the listing company exceed TWD1 million for such incident.

Under the draft Regulations Governing Information to Be Published in Public Offering and Issuance Prospectuses, a company should disclose in its prospectus (i) an assessment of cybersecurity risks (ie, impact on the company’s finances and corresponding measures); and (ii) the losses, possible impact and response measures of significant cybersecurity incidents.

The draft Regulations Governing the Preparation of Financial Reports by Securities Firms and Regulations Governing the Preparation of Financial Reports by Futures Commission Merchants also compel securities firms and futures commission merchants to disclose in their financial reports (i) structure of cybersecurity risk management, cybersecurity policy, and investment in cybersecurity management; and (ii) the losses owing to, possible impact of and response measures to significant cybersecurity incidents in recent years.

Taiwan faces national-level organised cyberthreats due to its special political and economic status. As such, cybersecurity is a key policy focus. In May 2021, the Executive Yuan listed cybersecurity as one of the six core strategic industries meriting special promotion. It can thus be expected that the Taiwan government will continue to invest in the further development of the cybersecurity industry in Taiwan.

Cybersecurity insurance is available in Taiwan. Only 424 policies were sold in the first three quarters of 2021 because it is not mandatory for companies to purchase it. But as more companies come under cybersecurity threat, there has been a marked increase in interest. In fact, the number of policies sold in 2021 actually represents a 35% growth rate.