1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?
In Taiwan, there are specific statutes covering ‘cybersecurity’ and ‘data protection’ respectively. With regard to cybercrime, while the Criminal Code sets out certain crimes and offences with regard to the use of computer equipment, the term ‘cybercrime’ is not explicitly spelled out in the Criminal Code.
Matters concerning cybersecurity are governed by the Cyber Security Management Act (CSMA) in Taiwan. The CSMA defines ‘cybersecurity’ as "such effort to prevent information and communication system or information from being unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and system".
Personal data protection matters are governed by the Personal Data Protection Act (PDPA) in Taiwan. Under the PDPA, the term ‘personal data’ refers to a natural person's name, date of birth, ID card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, sex life data, records of physical examination, criminal records, contact information, financial conditions, social activity data and any other information that may be used to directly or indirectly identify that person. The PDPA imposes general obligations on all data controllers to protect the personal data that they hold. In order to obtain an adequacy decision from the European Union, the Taiwan government is contemplating revising the PDPA to incorporate the principles and mechanisms of the EU General Data Protection Regulation (GDPR) in the near future.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
Currently, there is no statute specifically drafted for the regulation of cyberspace in Taiwan. As stated in question 1.1:
- cybersecurity is regulated under the CSMA and the relevant enforcement rules, regulations and rulings;
- personal data protection matters are regulated under the PDPA and the relevant enforcement rules, regulations and rulings; and
- cybercrime is mostly subject to the Criminal Code.
On the other hand, the term ‘Internet’ appears in many statutes, regulations, rules and guidelines, given that this is now the world's most important communication tool. This term is included in many statutes as one of the mechanisms for notification, publication and communication.
The new Telecommunications Management Act will become effective on 1 July 2020 and will replace the current Telecommunications Act. Both acts have expanded their jurisdiction from traditional telecommunications businesses to internet-related matters by assuming the role of supervising the assignment and allocation of domain names and IP addresses. It is anticipated that the primary regulator of the Telecommunications Management Act, the National Communications Commission, will play an increasingly important role in regulating the Internet in the future.
Meanwhile, the Taiwan government is contemplating setting up a new ministry to regulate all digital-related matters in order to consolidate cross-ministry efforts to regulate the Internet and digital-related matters. The government may propose a new statute in relation to the regulation of cyberspace once the new ministry has been established.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Cybersecurity: The CSMA regulates matters with regard to cybersecurity, including government agencies and providers of critical infrastructure. Financial institutions and healthcare providers such as hospitals are likely to be designated as critical infrastructure providers and subject to the CSMA.
National security: The National Security Act regulates general matters with regard to the protection of Taiwan's national security. There is no reference in this act to cybersecurity, personal data or cybercrime; but in general, it will apply to any national security matters in relation to cyberspace.
Financial services: The financial industry is subject to strict scrutiny by its primary regulator. There are many rules and guidelines on the information security measures that financial institutions must implement. Meanwhile, certain financial institutions are likely to be designated as critical infrastructure providers, in which case they will be subject to the security and reporting requirements under the CSMA.
Healthcare: The healthcare industry is also subject to strict scrutiny by its primary regulator. Hospitals are likely to be designated as critical infrastructure providers and be subject to the CSMA.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data: The protection of personal data is governed by the PDPA, including the protection of health-related personal information and financial-related personal information.
Health information: Certain medical records and health check information are classified as sensitive personal data, and the collection and use of such data are subject to strict restrictions under the PDPA. Meanwhile, pursuant to the relevant statutes governing healthcare professionals, patient information must be kept strictly confidential.
Financial information: Banking laws and other statutes governing the operation of financial institutions require such institutions to keep clients' data strictly confidential.
Classified information: Under the Criminal Code of Taiwan, breach of confidentiality obligations with regard to certain business secrets as stipulated under the law or a contract may incur criminal liability. Disclosing or compromising secret information with regard to national defence may also be subject to criminal sanctions.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
The relevant statutes do not include specific provisions on extraterritorial application; rather, whether they will have extraterritorial application shall be subject to the general provisions of the Criminal Code. If the relevant actions cause any consequences in Taiwan, or if one element of the actions is conducted in Taiwan, the Taiwan court will have jurisdiction over such offences and the Criminal Code will apply. The PDPA will have extraterritorial effect in the same circumstances.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
No. However, the GDPR has a significant impact on the implementation and interpretation of the PDPA. The Taiwan government is contemplating revising the PDPA in order to be compatible with the GDPR.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
Chapter 36 of the Criminal Code includes a list of ‘offences against computer security’, which covers various cybercrimes such as hacking, denial of service attacks, phishing and infection of IT systems with computer viruses such as malware, ransomware, spyware, worms and Trojans. These offences may incur penalties of imprisonment for up to three years or five years, depending on the offence, as well as criminal fines of up to NT$300,000 or NT$600,000.
The theft of trade secrets is subject to the Trade Secret Act and may incur criminal liability. Penalties include imprisonment for up to five years and criminal fines of up to NT$10 million or twice the profits generated from the theft. If the purpose of stealing the trade secret is to exercise that trade secret outside Taiwan, the term of imprisonment may be increased to up to 10 years and the criminal fines to up to NT$50 million or up to 10 times the profits generated from the theft.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
Cybersecurity: The primary regulator of the Cyber Security Management Act (CSMA) is the Executive Yuan. The Executive Yuan established an internal Department of Cybersecurity with responsibility for these matters. If a private critical infrastructure provider breaches the CSMA, the private entity itself may be subject to administrative fines.
Personal data: The National Development Council (NDC) is in charge of interpreting and enforcing the Personal Data Protection Act (PDPA). The NDC also acts as a coordinator between different government authorities with regard to the interpretation and implementation of personal data protection matters. The NDC established a Personal Data Protection Office in July 2018 in order to perform these tasks. Another important mission of the Personal Data Protection Office is to obtain an adequacy decision from the European Union concerning the General Data Protection Regulation. The negotiations commenced in Spring 2018.
Meanwhile, central competent authorities and local (city and county) government authorities are granted the power to enforce certain matters stipulated under the PDPA, such as:
- stipulating rules with regard to the security maintenance of personal data;
- carrying out audits and inspections; and
- imposing rectification orders and administrative penalties on the non-government agencies that they regulate.
Breach of the PDPA may incur civil liability, criminal liability and administrative fines. In most instances the entity that breached the relevant provisions will be held liable. If this is a corporation, the penalty will normally be imposed on that corporation; however, the regulator also has the power to impose a fine of the same amount on the ‘responsible person’ of the corporation, such as the chairman, if he or she failed to perform his or her duty. Criminal sanctions are usually applicable to the individuals who conduct the relevant actions. There is no extraterritorial reach thus far.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
A private party's claim must be based on either general tort or contractual claims under the Civil Code, or torts under the PDPA or the Trade Secret Act. There is no specific statute allowing the claimant to claim against directors, officers or employees of a company that breaches CSMA or PDPA. In order to do so, a further tort claim must be established.
2.3 What defences are available to companies in response to governmental or private enforcement?
There is no specific defence available under the CSMA, the PDPA or the Criminal Code. This will depend on the actual factual situation.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Copyright infringement in cyberspace has been a serious legal issue for many years in Asia and Taiwan is no exception. Many offshore websites offer movies, TV shows and original content produced by local and foreign over-the-top (OTT) platforms to users for free or on subscription without obtaining proper licences from the copyright owners. Copyright owners such as movie production houses, TV stations and OTT platforms have been trying to find an effective mechanism to locate and take down such websites for many years. On 8 April 2020 the Telecommunications Investigation Group of the Criminal Investigation Bureau raided a website, 8maple, which is famous for providing infringing content, and seized its domain names and tools and equipment used to operate the website, including cloud servers and cell phones. 8maple was established and operated by two Taiwan individuals, who were transferred to the Prosecutor's Office for further investigation. This was the first-ever action taken by the Taiwanese enforcement authorities against internet content and is considered a milestone case.
According to the local news, the Motion Picture Association of the USA, certain copyright organisations in Japan and certain TV stations in Taiwan were the plaintiffs in the action. The local news also reported that after the raid, the revenues of the OTT operators in the Taiwan market increased notably. It is anticipated that more such legal actions will be taken under this approach in the future.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Cyber-related legislative activity: Several statutes specifically require internet platforms and content providers to proactively take action against so-called ‘illegal’ content, such as fake news and illegal advertisements.
For example, amendments to the Contagious Animal Diseases Prevention and Control Act took effect on 15 December 2019. Article 38-3 of the amended act authorises the entry-exit inspection and quarantine authorities to demand advertisers, platform providers, application service providers and/or telecommunications carriers to:
- add warnings necessary to raise awareness about epidemic prevention and quarantine;
- retain the personal data of advertisers, sellers or purchasers or periodically provide such data to the authorities; and/or
- restrict access to or remove any relevant web pages, in accordance with the rules promulgated by the Council of Agriculture of the Executive Yuan, whose content involves the import of commodities that are subject to mandatory inspection and quarantine (ie, any objects that can spread animal disease pathogens, including animal corpses, bones, flesh, internal organs, fat, blood, fur, feathers and so on), or any other quarantine-related matters.
Pursuant to Paragraph 18, Article 45 of the amended act, if an advertiser, platform provider, application service provider or telecommunications carrier fails to comply with the above-mentioned requirements, the authorities may impose an administrative fine of between NT$30,000 and NT$150,000, and designate a timeframe within which to rectify the non-compliance. If the advertiser, platform provider, application service provider or telecommunications carrier fails to rectify the non-compliance within the designated timeframe, the administrative fine may be imposed consecutively until the non-compliance is rectified.
A draft bill regulating the distribution of images of private sexual activities was proposed to the Legislative Yuan around two years ago and is still pending at the Legislative Yuan. Under the draft bill, an internet platform or an application service provider must take down content regarding private sexual activities that is posted on its platform or web pages once it becomes aware of such posting or upon receiving notice from the victim or the relevant authorities.
It is anticipated that more such statutes will be introduced in Taiwan in the future.
Cybersecurity incidents: The number of cybersecurity incidents being reported by local news is increasing. For example, state-owned enterprise CPC Corporation, which controls the gas supply and operates most gas stations in Taiwan, came under attack in early May 2020. During the attack, customers were unable to make payments using CPC Pay or other similar payment tools. CPC was forced to shut down the infected computers and customers' payment options were limited to cash or credit card. Following the CPC cybersecurity incident, the country's second-largest player, Formosa Petrochemical Corporation, was also reportedly attacked. The company announced that its mainframe was hacked and some employees were unable to operate their computers. It is still unclear whether the attacks are related; but given that gas stations are deemed critical infrastructure, experts have urged the government to take proper action to investigate the incidents and prevent further attacks.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
The Taiwan government has promoted the protection of personal data as well as cybersecurity for many years. Many government agencies, public organisations and private businesses have stipulated their own personal data protection guidelines or cybersecurity guidelines. The Industrial Bureau of the Ministry of Economic Affairs has issued several personal data protection guidelines for all industries in general, as well as specifically for the information service industry, the manufacturing industry and the technology service industry.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
Pursuant to the Personal Data Protection Act (PDPA), the primary regulator of each industry is empowered to require the businesses that it regulates to disclose their personal data security maintenance plans. Quite a few regulators have promulgated guidelines for disclosing such plans. The enterprises that are subject to such requirements include financial institutions, online shopping companies, airlines, recruitment consultants, private schools, parking lots management companies, travel agencies, hotels and shipping companies.
With regard to cybersecurity, the Bureau of Standards, Metrology and Inspection at the Ministry of Economic Affairs has promulgated several standards with regard to cybersecurity for the industry to follow. The most important standard in this regard is CNS27001 (information security management system).
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
There is no such trend in local practice. Theoretically, any corporation in Taiwan must protect the personal data that it holds pursuant to the PDPA; if it fails to do so, its responsible person – in most cases, the chairman – will be subject to a fine in the same amount as that imposed on the corporation.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
There are no specific rules, regulations or guidance requiring public companies to proactively comply with the cyber requirements. However, public companies in Taiwan must establish proper internal control mechanisms and cybersecurity is specified as one of the aspects that public companies must periodically check and audit. Meanwhile, as the scale of public companies is usually larger than that of private companies, the security standards that they are expected to adopt are usually higher.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
There is no mandatory requirement to share cyber-intelligence information with industry. Private companies that are designated as critical infrastructure providers are obliged to report security incidents to the relevant authorities, so that the government can establish an information sharing system to prevent, detect, control or remedy any cybersecurity incidents. The government will then determine whether and how to alert the other private industries about cybersecurity threats or attacks.
Private businesses that are not subject to the Cyber Security Management Act are encouraged to join other cybersecurity taskforces for information sharing, as long as this does not constitute a breach of their confidentiality obligations. For example, they can participate in the reporting system and network maintained by the Taiwan Computer Emergency Response Team/Coordination Centre.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Pursuant to either the Cyber Security Management Act (CSMA) or the Personal Data Protection Act (PDPA), if an entity is required to notify a cyber incident, it must report all such incidents. Under the CSMA, a ‘cybersecurity incident’ is any incident where a system or the information it contains may, without authorisation, have been accessed, used, controlled, disclosed, damaged, altered, deleted or otherwise infringed, affecting the functionality of that system and thereby threatening its cybersecurity policy.
There is no specific definition of a ‘cyber incident’ under the PDPA. According to Article 12 of the PDPA, as long as any personal data is stolen, disclosed, altered or otherwise infringed due to a violation of the PDPA by a data controller, the data subject must be notified by appropriate means, regardless of the type of incident.
Financial institutions are further required to report significant incidents, including cybersecurity incidents, to their regulators. For example, a bank must immediately report to the Banking Bureau and the other relevant law enforcement authorities if it encounters any cybersecurity incident that may have an adverse impact on the rights and benefits of its customers or on its operations. Other types of financial institutions are subject to similar reporting requirements.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Pursuant to the CSMA, government agencies and private entities that are subject to the CSMA must report to their supervisory agency or to the competent authority in the relevant industry, as applicable, where they become aware of a cybersecurity incident. As long as there is a security breach, even if no ‘personal data’ is involved, the incident may be subject to the reporting requirements.
The Regulations for Reporting and Responding Cybersecurity Incidents set forth further details on the reporting of cybersecurity incidents, as required under the CSMA. A ‘specific non-government agency' must report to its regulator at the central government within one hour of becoming aware of the cybersecurity incident; the regulator will respond within two to eight hours, depending on the classification of the incident. Meanwhile, the agency must complete damage control measures or systems recovery within 36 to 72 hours.
Financial institutions must immediately notify their primary regulator by telephone or through an online reporting system, as well as the other relevant regulatory authorities by telephone or fax, of a cybersecurity incident. They must also submit a written report to the primary regulator within seven business days of such notification.
Meanwhile, if personal data is involved in a data breach, then pursuant to the PDPA, both public agencies and non-public agencies must inform the affected data subjects of the data breach as soon as they have investigated the relevant incident. The information provided to the data subjects must include the relevant facts of the incident, such as:
- what data was stolen;
- when the incident happened;
- the potential suspect; and
- the remedial actions that have been taken.
The PDPA does not specify any threshold for the notification of affected data subjects.
The PDPA specifies no obligations to report a data breach incident to the regulator. If even one data subject is affected, he or she must be notified of the data breach. However, in the personal data security maintenance plans stipulated by the competent authorities of certain industries, private sector players must report a data breach incident to the competent authority of the industry. In most cases, reporting is mandatory only where the data breach incident is deemed ‘material’. Some competent authorities have adopted their own definitions of a ‘material’ breach, such as a breach that "affects the daily operations" of the private business. The industries that must report to their regulators include online retailers, financial institutions and so on.
No exceptions or safe harbour is available. There are also no voluntary cyber-incident notification requirements.
5.3 What steps are companies legally required to take in response to cyber incidents?
Pursuant to the CSMA, if a company is a critical infrastructure provider, it must report the cyber incident and the proposed damage control measures to the relevant regulator within the timeframe set forth under question 5.2. Meanwhile, pursuant to the PDPA, where the cyber incident concerns personal data, the company must investigate the incident, take remedial measures and notify the affected data subjects.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
Taiwan law does not specifically prescribe such a duty for corporate officers and directors. In general, corporate officers and directors bear a ‘fiduciary duty’ to the company and will be held liable in case of breach of this duty. A company's failure to prevent, mitigate, manage or respond to an incident may not necessarily lead to the conclusion that the directors have breached their fiduciary duty. Under Taiwan law, the directors are responsible for making business decisions for the company by joint decision of the board; but they are not responsible for implementing those decisions or for the daily operations of the company. Whether cybersecurity incidents must be reported to the board will depend on the company's internal rules. If the management reports an incident to the board pursuant to those internal rules and the board fails to take proper action to address or resolve the incident, or even tries to conceal or cover up the incident, the board may be held liable.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Cyber-incident insurance policies are offered to private businesses in the Taiwan market by various insurance brokers. Companies have recently started to consider purchasing such insurance policies, especially those that have suffered from cybersecurity incidents.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
As the number of cybersecurity incidents is on the rise and government agencies and private critical infrastructure providers – such as banks, hospitals, gas stations, power companies and shipping companies – are increasingly coming under attack, it is anticipated that both the government and the private sector will spend more time and resources on implementing cybersecurity measures such as employee awareness training, consultation with security experts, procurement of security tools and purchase of insurance policies.
Meanwhile, the Taiwan government agencies and law enforcement authorities are increasingly requiring internet-related businesses to actively take down illegal/improper content, such as fake news, pornography, illegal hotel listings, advertisement of contraband products and illegal advertisements. Given that monitoring the Internet would violate people's freedom of speech, such practices have been highly controversial in Taiwan. Recently, both the administrative and legislative branches of the Taiwan government have proposed draft statutes spelling out the authority of the government, and even of individuals and companies, to request internet-related businesses to take down certain improper content without any need for a court warrant, ruling or judgment. Internet-related businesses will shoulder more responsibilities (or be granted more power) to monitor content posted on the Internet.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
Virus attacks: Cyber-incidents caused by computer viruses – such as malware, ransomware and WannaCry – are on the increase in Taiwan. Faced with the Chinese cyber-military, the Taiwan government and critical infrastructure providers are under great pressure to protect the security of their networks. It is very important that both the government and the private sector take proper steps to protect their IT systems from virus attacks initiated from the other side of the strait or around the world. Although it sounds clichéd, the implementation of simple security standard operating procedures (SOPs) is vital in helping to prevent major security incidents. For example, one major Taiwan company suffered a security incident that caused significant losses merely because one employee failed to follow the SOP to run anti-virus software before installing new equipment on its network. Businesses should regularly remind employees to remember and implement SOPs.
Threat from outside vendors: With regard to the unauthorised disclosure of personal data, many incidents are caused by third-party vendors. For example, the illegal disclosure of personal data of customers of online shopping companies is often due to the carelessness or intentional conduct of their logistics vendors. Hence, it is very important that businesses carefully select their vendors and supervise or monitor the data protection measures that they have implemented.
Unexpected major losses: In a serious cybersecurity incident, the losses or damages that a company or its customers suffer can amount to a major and unexpected financial burden, especially in the case of malicious attacks. In order to protect themselves from unexpected cyber risk, companies might want to consider purchasing cyber insurance policies to cover potential losses or damages.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.