Politics & Law
Overview of cybersecurity law in Taiwan
By John Eastwood, Wendy Chu, Nathan Snyder, and David Rosenthal
Cybersecurity has been an important topic in Taiwan recently, one that touches several areas of the technology business. A recent example arose during the Covid-19 pandemic, when the central government prohibited all government agencies from using a popular video conferencing service on cybersecurity grounds. Given the novelty of general cybersecurity legislation in Taiwan, this was likely the first time such a blanket prohibition had been issued.
Telecom operators have already started advertising campaigns for 5G, which promises higher data speeds and reliability. While the ad campaigns are relatively new, Taiwan’s National Communications Commission (NCC) released 5G licenses to telecommunication operators in 2019. The NCC currently requires telecommunications companies to provide cybersecurity maintenance plans and to comply with the strict cybersecurity rules set out in the Regulations for Administration of Mobile Broadband Businesses.
In Taiwan, there are two main branches of legislation pertaining to information security: legislation on cybersecurity and legislation protecting personal data. While the information security aspects of personal data protection legislation (mainly the PDPA) only apply to collection, storage and processing of personal data, the requirements of the cybersecurity legislation (mainly the CSMA) apply depending on the status of the juristic person controlling the data. Certain sector-specific regulations apply more broadly, such as those governing the financial sector.
The Cybersecurity Management Act (CSMA), announced in June 2018, is the core piece of legislation regarding cybersecurity in Taiwan. It is further specified by the following rules and regulations which are effective as of 1 January 2019:
- Enforcement Rules of the Cybersecurity Management Act (CSMA Enforcement Rules)
- Regulations on Audit of Implementation of Cybersecurity Maintenance Plan of Specific Non-Government Agency (Audit Regulations)
- Regulations on the Notification and Response of Cybersecurity Incident (Incident Regulations)
- Cybersecurity Information Sharing Regulations
- Regulations on Classification of Cybersecurity Responsibility Levels (Classification Regulations)
The Personal Data Protection Act (PDPA), last amended in December 2015, includes regulations on information security with regard to personal data. Namely, such data may only be collected, processed or used provided that “proper security measures” have been adopted to ensure the security of the data. The Enforcement Rules of the PDPA, promulgated in March 2016, provide valuable guidance for interpretation.
Supervisory authorities for cybersecurity in Taiwan include the Financial Supervisory Commission (“FSC”), the National Communications Commission (“NCC”), the National Security Bureau, Ministry of the Interior, Ministry of Foreign Affairs, Ministry of National Defense, Ministry of Economic Affairs, and the Central Bank. Other authorities include regulatory agencies in charge of specific industry sectors.
The government has also issued several guidelines under the CSMA, including the Regulations for Classification of Cybersecurity Responsibility, Regulations for Reporting and Responding to Cybersecurity Incidents, Regulations for Inspecting Implementation Status of Specific Non-Governmental Agencies' Cybersecurity Maintenance Programs, and Cybersecurity Information Sharing Regulations. Many specific industry-sector regulators have also issued their own cybersecurity management guidelines.
The CSMA governs the cybersecurity requirements for government agencies (excluding military and intelligence agencies) and for so-called “specific non-governmental agencies”. These non-governmental agencies are critical infrastructure providers, state-owned enterprises and government-endowed foundations. Additionally, the CSMA sets out requirements for outsourcing. As such, the CSMA does not apply to military or intelligence contractors (or subcontractors) unless these contractors are themselves classed as specific non-governmental agencies.
The duties imposed by the CSMA follow a three-pronged approach:
- Implementation of a Cybersecurity Maintenance Plan, including annual reporting thereof
- Annual audits on the implementation of the Cybersecurity Maintenance Plan, including improvement requirements in case of insufficient implementation
- Handling and reporting of cybersecurity incidents
With regard to private actors, the CSMA only applies to critical infrastructure providers (and to parties to which the set-up or maintenance of cybersecurity systems has been outsourced, or who provide cybersecurity services to agencies subject to the CSMA). Critical infrastructure providers are actors who “maintain or provide critical infrastructure either in whole or in part, as designated by the central authority in charge of relevant industry”. Critical infrastructure is defined in Article 3.7 of the CSMA as an “asset, system or network, either physical or virtual, once discontinued from operation or becoming less effective, would lead to significant negative impact upon the national security, public interests, living standard of citizen and economic activities.” Only companies which have been designated as critical infrastructure providers by the central authority in charge of the relevant industry are subject to the CSMA. These companies are not required to register with the central authority; however, they have a right to be heard during the designation process (Article 9 CSMA Enforcement Rules).
Thus far, the following infrastructure areas were deemed critical when drafting the CSMA:
- Water resources
- Emergency medical care
- Central and local government agencies
- Science parks
Article 3.1 of the CSMA defines information and communication systems and services as systems or services “to be used to collect, control, transmit, store, circulate, delete information or to make other processing, use and sharing of such information.”
Communication infrastructure has been deemed critical. Therefore, the CSMA applies to these operators insofar as they have been designated as critical infrastructure providers by the competent authorities. Additionally, the CSMA and related regulations may indirectly apply to critical information infrastructure operators if they provide outsourced services to government agencies or specific non-government agencies.
Additionally, the CSMA and related regulations may indirectly apply to cloud computing service providers if they provide outsourced services to government agencies or specific non-government agencies. Use of cloud services and cross-border data transfers are also specifically regulated in the context of financial institutions. Financial institution customer data must have backup copies stored locally in Taiwan.
The CSMA applies to digital service providers insofar as they have been designated as critical infrastructure providers by the competent authorities. Additionally, the CSMA and related regulations may indirectly apply to digital service providers if they provide outsourced services to government agencies or specific non-government agencies.
Energy, water, transportation and emergency medical care infrastructure has been deemed critical. Therefore, the CSMA applies to these operators insofar as they have been designated as critical infrastructure providers by the competent authorities.
Outsourcing under CSMA
Pursuant to Article 9 of the CSMA, an agency subject to the act may outsource the set-up or maintenance of information or communication systems, or the provision of information or communication services. When outsourcing, the agency remains responsible for overseeing the cybersecurity maintenance services provided, and therefore also remains responsible for compliance with the obligations imposed by the CSMA and related regulations. Specifically, Article 4 of the CSMA Enforcement Rules sets out selection criteria and outsourcing requirements.
Service providers must show that they have implemented cybersecurity management measures and that they employ qualified cybersecurity personnel. Furthermore, security background checks must be conducted in cases concerning national security information, customized developments must be security tested, and the service provider is obliged to notify the outsourcing agency of any cybersecurity incident it becomes aware of. The outsourcing agency must also be able to audit the service provider on the implementation status of its cybersecurity measures.
Article 16 of the CSMA charges critical infrastructure providers with satisfying the requirements of their cybersecurity responsibility level, as set forth in the Regulations on Classification of Cybersecurity Responsibility Levels and its 10 Schedules. These regulations provide five levels of cybersecurity responsibility, A to E, with progressively more extensive security measures that must be implemented in order to satisfy the responsibilities. A critical infrastructure provider’s cybersecurity responsibility level is determined based on its size, the area and substitutability of its operations, and the potential impact caused in case of disruptions (Articles 4 to 10 of the Classification Regulations).
Based on the responsibility level, providers must implement varying degrees of control through management, technology, and awareness and training. Control measures may include implementation of internationally recognized standards, such as CNS 27001 or ISO 27001, employing dedicated cybersecurity personnel, conducting bi-annual internal cybersecurity audits, restricting the use of certain third-party products, regular testing of core systems, installing cybersecurity defense software and mechanisms, and ensuring awareness of cybersecurity among all information personnel (Schedules 1 to 8 Classification Regulations).
Irrespective of its cybersecurity responsibility level, the provider’s cyber system defense level (high, medium or common) must be commensurate with the highest requirement relating to at least one of confidentiality, integrity, availability or regulatory compliance of the provider (Schedule 9 Classification Regulations). Based on this defense level, a provider may determine the minimum requirements for its cyber system with regard to access control, business continuity, user identification and authentication, and system and information integrity, among others (Schedule 10 Classification Regulations). Depending on the industry, there may be additional or alternative defense standards for cyber systems issued by the central authority in charge of that industry.
Personal Data Protection Act
The PDPA does not prescribe a particular security standard for preserving the confidentiality of personal information and protecting personal privacy. However, the Enforcement Rules of the PDPA offer more clarification about the kinds of mechanisms that entities which handle personal data may adopt. In addition, industry-specific guidelines that provide more rigorous standards have been issued for several sectors, depending on the nature of the business (such as the financial industry, travel and tourism, telecommunications, and human resources agencies).
Article 12 of the Enforcement Rules of the PDPA lists 11 factors for evaluating whether the security measures adopted by a collector or processor of personal data are adequate. These are:
1. Allocating management personnel and reasonable resources;
2. Defining the scope of personal data;
3. Establishing a mechanism of risk assessment and management of personal data;
4. Establishing a mechanism of preventing, giving notice of, and responding to a data breach;
5. Establishing an internal control procedure for the collection, processing, and use of personal data;
6. Managing data security and personnel;
7. Promoting awareness, education and training;
8. Managing facility security;
9. Establishing an audit mechanism of data security;
10. Keeping records, log files and relevant evidence; and
11. Implementing integrated and persistent improvements on the security and maintenance of personal data.
Notification of cybersecurity incidents
Article 18 of the Cybersecurity Management Act requires critical infrastructure providers to notify regulators within one hour of becoming aware of a cybersecurity incident (as further specified in Article 11 Incident Regulations). Such an incident is broadly understood to be an event where the state of the system, service or network likely indicates a violation of the cybersecurity policy, or a failure of security measures, which adversely affects the information and communication system and thus constitutes a threat to cybersecurity. The notification must include details such as the time of occurrence, a description of the situation, the response measures taken, and an assessment of the level of the incident. According to the Regulations on the Notification and Response of Cybersecurity Incident, there are four levels of incidents, which result in varying responsibilities in case of an event. These levels are determined based on the business affected by the incident, the severity of the incident, and its potential impact, especially on critical infrastructure (Article 2 Incident Regulations).
Upon becoming aware of the incident, the provider must complete damage control or recovery within 36 or 72 hours, depending on the incident level. Once complete, the provider must further investigate and manage the incident and submit a corresponding report to the central authority in charge of the relevant industry, including the improvement measures taken in response to the incident (Article 13 Incident Regulations). This investigation, management and improvement report must be submitted within one month and must include details such as the time frame of the event, a damage assessment, a cause analysis of the incident, and details of measures taken to prevent recurrences of similar incidents (Article 8 of the CSMA Enforcement Rules).
Under the PDPA, there is no obligation to notify regulating authorities in the event of personal data breaches, which are defined in Article 12 as any time “any personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA”. However, a holder of personal data must notify the affected data subjects “after the relevant facts have been clarified”. A sufficient notice must include “the facts pertaining to the data breach and the response measures already adopted to address such breach” (Article 22 of the Enforcement Rules of the PDPA).
Information Security Officer
Only government agencies are required to designate a Cybersecurity Officer. There is no obligation for companies to do so under the CSMA. However, depending on the Cybersecurity Responsibility Level, a critical infrastructure provider may be legally required to employ dedicated cybersecurity personnel with relevant professional certifications or business experience.
Similarly, under the PDPA, only government agencies are expressly required to appoint personal information security officers (Article 18). However, according to the Enforcement Rules of the PDPA, appointment of management personnel is one of the recommended factors in an adequate privacy protection scheme. Furthermore, industry-specific regulations may require the employment of specialist personnel to conform to registration or reporting requirements.
Cybersecurity Maintenance Plans
Under Article 16 of the CSMA, critical infrastructure providers are required to implement a Cybersecurity Maintenance Plan, which must include items such as the provider’s cybersecurity-related policies and mechanisms, identifying core businesses, taking inventory of information and systems, broad-scale risk assessments and management measures in place regarding outsourced systems and services (Article 6 of the CSMA Enforcement Rules). This Cybersecurity Maintenance Plan builds the foundation for the provider’s fulfilment of its cybersecurity obligations, and also acts as a basis for the authorities’ control through the auditing process. Additionally, critical infrastructure providers must report annually on the implementation status of their Cybersecurity Maintenance Plan.
Critical infrastructure providers are required to cooperate with annual audits on the implementation of their Cybersecurity Maintenance Plans. These audits are scheduled and may only be deferred once by written notice within five days of receiving the audit program notice, except for cases of force majeure (Article 4 of the Audit Regulations). During such an audit, the competent authority reviews the implementation status of the Cybersecurity Maintenance Plan, and may require the subject of the audit to cooperate with the pre-audit interview and the on-site physical audit, as well as provide explanations, relevant documents and supporting information (Article 5 of the Audit Regulations).
If the audit results show insufficiencies or flaws in the implementation of the Cybersecurity Maintenance Plan, the critical infrastructure provider will be required to submit an improvement report within one month of receiving the results of the audit (Article 8 of the Audit Regulations). This improvement report must contain the flaws or items that are to be improved, the causes of occurrence, specific improvement measures that will be taken, the estimated timeline for these measures, as well as mechanisms for tracking the implementation progress (Article 3 of the CSMA Enforcement Rules).
Similar to audits, critical infrastructure providers are also required to conduct cybersecurity exercises, such as cyber offense and defense exercises or scenario exercises (Article 19 of the Incident Regulations). This is related to the biennial penetration testing of systems that must be conducted by specific non-government agencies with a cybersecurity responsibility level of A, B or C (Classification Regulations, Schedules 2, 4 and 6). However, the cybersecurity exercises are required of all critical infrastructure providers, regardless of their cybersecurity responsibility level. Additional sector-specific requirements may also apply, as in the case of mobile broadband operators, who are required under the Regulations for Administration of Mobile Broadband Businesses (Article 83-1) to conduct regular penetration tests to probe for system weaknesses.
Sector specific requirements
According to an administrative regulation issued by the Ministry of Health and Welfare on 24 April 2019, every critical infrastructure provider charged by the Ministry of Health and Welfare must provide a cybersecurity maintenance plan before 31 January of each year and report the implementation of the cybersecurity maintenance plan before 31 December of each year. The Ministry of Health and Welfare will also audit the critical infrastructure provider pursuant to the CSMA.
Financial institutions, issuers of electronic stored-value cards, and enterprises which facilitate electronic payments must coordinate with the Central Bank and Joint Credit Information Center (JCIC) to standardize their information-security measures, and must additionally report or register with the Central Deposit Insurance Corp and the Financial Supervisory Commission (FSC), in the case of regular audits or breach incidents.
Insurance providers who conduct business online must be ISO 27001 certified and establish a traffic cleaning mechanism against distributed denial-of-service attack (DDoS) in order to receive licenses to conduct business.
On the HR side, there are no specific cybersecurity regulations that apply regarding the employer/employee relationship. Taiwan’s Labor Standards Act requires employers to maintain employee records for a duration of five years after the termination of the employment relationship. Employers are required to secure the confidentiality of these records, subject to the general requirements of the PDPA.
In 2016, the Ministry of Education issued an administrative rule governing the protection of cybersecurity and personal data, the “Personal Data and Cybersecurity Management Guidelines for Education”. In these guidelines, all schools are classified into grades A (e.g. medical universities), B (e.g. universities), or C (e.g. primary/high schools), and they shall set up a “Personal Information Management System” or “Information Security Management System” to manage cybersecurity and personal data, and allocate proper resources and staff to periodically maintain and improve the system.
Article 20 of the CSMA provides for administrative fines of between NT$100,000 and NT$1 million for companies that fail to complete corrective actions within the time period specified by the central authority in charge of their industry. If a company has failed to report a cybersecurity incident, then under CSMA Article 21 the relevant central authority can impose administrative fines ranging from NT$300,000 to NT$5 million and order the company to make improvements that, if not completed on time, can lead to additional fines.
John Eastwood is the managing partner of award-winning firm Eiger and regularly works with SMEs through to multinationals on data-protection compliance matters.
Wendy Chu is a senior associate at Eiger, handling compliance matters for several international clients.
Nathan Snyder is an associate at Eiger.
David Rosenthal is a trainee at Eiger, assisting with legal research and translations.