An Overview of Cybersecurity Law in Taiwan - Lexology

1. GOVERNING TEXTS

In Taiwan, there are two main branches of legislation pertaining to information security: legislation on cybersecurity and legislation protecting personal data. While the information security aspects of personal data protection legislation (mainly the PDPA) only apply to collection, storage and processing of personal data, the requirements of the cybersecurity legislation (mainly the CSMA) apply depending on the status of the juristic person controlling the data. Certain sector-specific regulations apply more broadly, such as those governing the financial sector.

1.1. LEGISLATION

General Legislation

The Cyber Security Management Act (CSMA), announced in June 2018, is the core piece of legislation regarding cybersecurity in Taiwan. It is further specified by the following rules and regulations, which are effective as of January 1, 2019:

Enforcement Rules of the Cybersecurity Management Act (CSMA Enforcement Rules)
Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency (Audit Regulations)
Regulations on the Notification and Response of Cyber Security Incident (Incident Regulations)
Cyber Security Information Sharing Regulations
Regulations on Classification of Cyber Security Responsibility Levels (Classification Regulations)

The Personal Data Protection Act (PDPA), last amended in December 2015, includes regulations on information security with regard to personal data. Namely, such data may only be collected, processed or used provided that “proper security measures” have been adopted to ensure the security of the data. The Enforcement Rules of the PDPA, promulgated in March 2016, provide valuable guidance for interpretation.

The following general legislation also contains provisions relevant to cybersecurity:

Criminal Code;
The Communication Security and Surveillance Act;
National Security Act;
Money Laundering Control Act;
Counter-Terrorism Financing Act.

Sectoral Legislation

The Banking Act of The Republic of China
Act Governing Issuance of Electronic Stored Value Cards
Rules Governing the Administration of Electronic Payment Business
Regulations Governing the Clearinghouse’s Plan of Security Measures for Personal Information Files
Regulations Governing Approval and Administration of Financial Information Service Enterprises Engaging in Interbank Funds Transfer and Settlement
Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation
Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries
Regulations Governing Online Insurance Business and Online Insurance Services of Insurance Agent Companies and Insurance Broker Companies
Regulations for Administration of Mobile Broadband Businesses
Regulation Governing Export and Import of Strategic High-Tech Commodities
Regulations on Tourist Hotel Enterprise Plans for Maintaining the Security of Personal Information Files
Regulations Governing Personal Information File Security Maintenance Plan and Processing Method for the Human Resources Recruitment Industry
Regulations Governing Security Protection Plans for and Processing of Personal Information Files by Travel Agencies

1.2. SUPERVISORY AUTHORITIES

The Financial Supervisory Commission (“FSC”)
The National Communications Commission (“NCC”)
National Security Bureau
Ministry of Interior
Ministry of Foreign Affairs
Ministry of National Defense
Ministry of Economic Affairs
Central Bank
Other regulatory agencies in charge of specific industry sectors
1.3. REGULATORY AUTHORITY GUIDANCE

General guidelines under the CSMA include the Regulations for Classification of Cybersecurity Responsibility, Regulations for Reporting and Responding Cybersecurity Incidents, Regulations for Inspecting Implementation Status of Specific Non-Governmental Agencies' Cybersecurity Maintenance Programs, and Cybersecurity Information Sharing Regulations.

In accordance with the CSMA, many regulators of specific industry sectors have also issued their own cybersecurity management guidelines.

2. SCOPE OF APPLICATION

A. Cyber Security Management Act

The CSMA governs the cybersecurity requirements for government agencies, excluding military and intelligence agencies, and so-called “specific non-governmental agencies”. These non-governmental agencies are critical infrastructure providers, state-owned enterprises and government-endowed foundations. Additionally, the CSMA sets out requirements for outsourcing. As such, the CSMA does not apply to military or intelligence contractors (or subcontractors) unless these contractors are themselves classed as specific non-governmental agencies.

The duties imposed by the CSMA follow a three-pronged approach:

Implementation of a Cybersecurity Maintenance Plan, including annual reporting thereof
Annual audits on the implementation of the Cybersecurity Maintenance Plan, including improvement requirements in case of insufficient implementation
Handling and reporting of cybersecurity incidents

With regard to private actors, the CSMA only applies to critical infrastructure providers (and to parties to which the set-up or maintenance of cybersecurity systems has been outsourced, or which provide cybersecurity services to agencies subject to the CSMA). Critical infrastructure providers are actors who “maintain or provide critical infrastructure either in whole or in part, as designated by the central authority in charge of relevant industry”. Critical infrastructure is defined in Article 3.7 of the CSMA as an “asset, system or network, either physical or virtual, once discontinued from operation or becoming less effective, would lead to significant negative impact upon the national security, public interests, living standard of citizen and economic activities.”

Thus far, the following infrastructure areas were deemed critical when drafting the CSMA:

Energy
Water resources
Communication
Transportation
Finance
Emergency medical care
Central and local government agencies
Science parks

2.1. NETWORK AND INFORMATION SYSTEMS

Cyber Security Management Act

The CSMA in Article 3.1 defines information and communication systems and services as systems or services “to be used to collect, control, transmit, store, circulate, delete information or to make other processing, use and sharing of such information.”

2.2. CRITICAL INFORMATION INFRASTRUCTURE OPERATORS

Cyber Security Management Act

Communication infrastructure has been deemed critical. Therefore, the CSMA applies to these operators insofar as they have been designated as critical infrastructure providers by the competent authorities.

Additionally, the CSMA and related regulations may indirectly apply to critical information infrastructure operators if they provide outsourced services to government agencies or specific non-government agencies.

2.3. OPERATOR OF ESSENTIAL SERVICES

Cyber Security Management Act

Energy, water, transportation and emergency medical care infrastructure has been deemed critical. Therefore, the CSMA applies to these operators insofar as they have been designated as critical infrastructure providers by the competent authorities.

2.4. CLOUD COMPUTING SERVICES

Cyber Security Management Act

Communication infrastructure has been deemed critical. Therefore, the CSMA applies to these service providers insofar as they have been designated as critical infrastructure providers by the competent authorities.

Additionally, the CSMA and related regulations may indirectly apply to cloud computing service providers if they provide outsourced services to government agencies or specific non-government agencies.

Use of cloud services and cross-border data transfers are also specifically regulated in the context of financial institutions. Financial institution customer data must have backup copies stored locally in Taiwan.

2.5. DIGITAL SERVICE PROVIDERS

A. Cyber Security Management Act

Communication infrastructure has been deemed critical. Therefore, the CSMA applies to these operators insofar as they have been designated as critical infrastructure providers by the competent authorities.

Additionally, the CSMA and related regulations may indirectly apply to digital service providers if they provide outsourced services to government agencies or specific non-government agencies.

2.6. OTHER

Outsourcing under CSMA

Pursuant to Article 9 of the CSMA, an agency subject to the CSMA may outsource the setup or maintenance of its information or communication systems, or the provision of information or communication services. When outsourcing, the agency remains responsible for overseeing the cybersecurity maintenance services provided, and therefore also remains responsible for compliance with the obligations set out in the CSMA and related regulations. Namely, Article 4 of the CSMA Enforcement Rules specifies selection criteria and outsourcing requirements: service providers must show that they have implemented cybersecurity management measures and that they employ qualified cybersecurity personnel. Furthermore, security background checks must be conducted in cases concerning national security information, customized developments must be security tested, and the service provider is obliged to notify the outsourcing agency of any cybersecurity incident it becomes aware of. The outsourcing agency must also be able to audit the service provider on the implementation status of its cybersecurity measures.

3. REQUIREMENTS

3.1. SECURITY MEASURES

A. Cyber Security Management Act

Article 16 of the CSMA charges critical infrastructure providers with satisfying the requirements of the cybersecurity responsibility level, as set forth in the Regulations on Classification of Cyber Security Responsibility Levels and its 10 Schedules. These regulations provide five levels of cybersecurity responsibility, A to E, with increasing levels of security measures that must be implemented in order to satisfy the responsibilities. A critical infrastructure provider’s cybersecurity responsibility level is determined based on its size, area and substitutability of its operations, and the potential impact caused in case of disruptions (Articles 4 - 10 of the Classification Regulations).

Based on the responsibility level, providers must implement varying degrees of control through management, technology, and awareness and training. Control measures may include implementation of internationally recognized standards, such as CNS 27001 or ISO 27001, employing dedicated cybersecurity personnel, conducting bi-annual internal cybersecurity audits, restricting the use of certain third-party products, regular testing of core systems, installing cybersecurity defense software and mechanisms, and ensuring awareness of cybersecurity in all information personnel (Schedules 1 - 8 Classification Regulations).

Irrespective of its cybersecurity responsibility level, the provider’s cyber system defense level (high, medium or common) must be commensurate with the highest requirement relating to at least one of confidentiality, integrity, availability or regulatory compliance for the provider (Schedule 9 Classification Regulations). Based on this defense level, a provider may determine the minimum requirements for its cyber system with regard to access control, business continuity, user identification and authentication, and system and information integrity, among others (Schedule 10 Classification Regulations). Depending on the industry, the central authority in charge of that industry may have issued additional or different defense standards for cyber systems.

B. Personal Data Protection Act

The PDPA does not prescribe a specific security standard for preserving the confidentiality of personal information and protecting personal privacy. However, the Enforcement Rules of the PDPA offer more clarification about the kinds of mechanisms that entities which handle personal data may adopt. In addition, industry-specific guidelines have been issued for several sectors (such as the financial industry, travel and tourism, telecommunications, and human resources agencies) that provide more rigorous standards, depending on the nature of the business.

Article 12 of the Enforcement Rules of the PDPA lists 11 factors for evaluating whether the security measures adopted by a collector or processor of personal data are adequate. These are:

Allocating management personnel and reasonable resources;
Defining the scope of personal data;
Establishing a mechanism of risk assessment and management of personal data;
Establishing a mechanism of preventing, giving notice of, and responding to a data breach;
Establishing an internal control procedure for the collection, processing, and use of personal data;
Managing data security and personnel;
Promoting awareness, education and training;
Managing facility security;
Establishing an audit mechanism of data security;
Keeping records, log files and relevant evidence; and
Implementing integrated and persistent improvements on the security and maintenance of personal data.

3.2. NOTIFICATION OF CYBERSECURITY INCIDENTS

A. Cyber Security Management Act

Article 18 of the CSMA imposes a duty upon critical infrastructure providers in the event of a cybersecurity incident to notify regulators within one hour of becoming aware of the incident (as further specified in Article 11 Incident Regulations). Such an incident is broadly understood to be an event where the state of the system, service or network likely indicates a violation of the cybersecurity policy, or a failure of security measures, which adversely affects the information and communication system, thus constituting a threat to cybersecurity. The notification must include details such as the time of occurrence, a description of the situation, response measures to the incident, as well as an assessment of the level of the incident. According to the Regulations on the Notification and Response of Cyber Security Incident, there are four levels of incidents which result in varying responsibilities in case of an event. These levels are determined based on the business affected by the incident, the severity of the incident, and its potential impact, especially on critical infrastructure (Article 2 Incident Regulations).

Upon awareness of the incident, the provider must complete damage control or recovery within 36 or 72 hours, depending on the incident level. Once complete, the provider must further investigate and manage the incident and submit a report accordingly to the central authority in charge of the relevant industry, which includes improvement measures taken in response to the incident (Article 13 Incident Regulations). This investigation, management and improvement report must be submitted within one month and must include details such as the time frame of the event, a damage assessment, cause analysis of the incident, and details on measures taken to prevent recurrences of similar incidents (Article 8 of the CSMA Enforcement Rules).

B. Personal Data Protection Act

Under the PDPA, there is no obligation to notify regulating authorities in the event of personal data breaches, which are defined in Article 12 as any time “any personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA”. However, a holder of personal data must notify the affected data subjects “after the relevant facts have been clarified”. A sufficient notice must include “the facts pertaining to the data breach and the response measures already adopted to address such breach” (Article 22 of the Enforcement Rules of the PDPA).

3.3. REGISTRATION WITH REGULATORY AUTHORITY

Private actors directly subject to the CSMA, i.e. critical infrastructure providers, are designated by the central authority in charge of the relevant industry. As such, they are not required to register with the regulatory authority. They do, however, have a right to be heard on the matter before the designation is formalized (Article 9 of the CSMA Enforcement Rules).

3.4. APPOINTMENT OF A 'SECURITY' OFFICER

A. Cyber Security Management Act

Only government agencies are required to designate a Cybersecurity Officer; there is no obligation for companies to do so under the CSMA. However, depending on the Cybersecurity Responsibility Level, a critical infrastructure provider may be legally required to employ dedicated cybersecurity personnel with relevant professional certifications or business experience.

B. Personal Data Protection Act

Similarly, under the PDPA, only government agencies are expressly required to appoint personal information security officers (Article 18). However, according to the Enforcement Rules of the PDPA, appointment of management personnel is one of the recommended factors in an adequate privacy protection scheme. Furthermore, industry-specific regulations may require the employment of specialist personnel to conform with registration or reporting requirements.

3.5. Other

Cybersecurity Maintenance Plan

Under Article 16 of the CSMA, critical infrastructure providers are required to implement a Cybersecurity Maintenance Plan, which must include items such as the provider’s cybersecurity-related policies and mechanisms, identification of core businesses, an inventory of information and systems, broad-scale risk assessments, and the management measures in place for outsourced systems and services (Article 6 of the CSMA Enforcement Rules). This Cybersecurity Maintenance Plan builds the foundation for the provider’s fulfilment of its cybersecurity obligations, and also acts as a basis for the authorities’ control through the auditing process. Additionally, critical infrastructure providers must report annually on the implementation status of their Cybersecurity Maintenance Plan.

Critical infrastructure providers are required to cooperate with annual audits on the implementation of their Cybersecurity Maintenance Plans. These audits are scheduled and may only be deferred once by written notice within five days of receiving the audit program notice, except for cases of force majeure (Article 4 of the Audit Regulations). During such an audit, the competent authority reviews the implementation status of the Cybersecurity Maintenance Plan, and may require the subject of the audit to cooperate with the pre-audit interview and the on-site physical audit, as well as provide explanations, relevant documents and supporting information (Article 5 of the Audit Regulations).

If the audit results show insufficiencies or flaws in the implementation of the Cybersecurity Maintenance Plan, the critical infrastructure provider will be required to submit an improvement report within one month of receiving the results of the audit (Article 8 of the Audit Regulations). This improvement report must contain the flaws or items that are to be improved, the causes of occurrence, specific improvement measures that will be taken, the estimated timeline for these measures, as well as mechanisms for tracking the implementation progress (Article 3 of the CSMA Enforcement Rules).

Cybersecurity Exercises

Similar to audits, critical infrastructure providers are also required to conduct cybersecurity exercises, such as cyber offense and defense exercises or scenario exercises (Article 19 of the Incident Regulations). This is related to the biennial penetration testing of systems that must be conducted by specific non-government agencies with a cybersecurity responsibility level of A, B or C (Classification Regulations, Schedules 2, 4 and 6). However, the cybersecurity exercises are required of all critical infrastructure providers, regardless of their cybersecurity responsibility level.

Mobile broadband operators are required under the Regulations for Administration of Mobile Broadband Businesses (Article 83-1) to regularly conduct penetration tests to probe for system weaknesses.

4. SECTOR-SPECIFIC REQUIREMENTS

Cybersecurity in the health sector

The central authority in charge of the health industry is the Ministry of Health and Welfare. According to the administrative regulation issued by the Ministry of Health and Welfare on April 24, 2019, every critical infrastructure provider designated by the Ministry of Health and Welfare must submit a cybersecurity maintenance plan before January 31 of each year and report on the implementation of the cybersecurity maintenance plan before December 31 of each year. The Ministry of Health and Welfare will also audit the critical infrastructure provider pursuant to the CSMA.

Cybersecurity in the financial sector

Financial institutions, issuers of electronic stored-value cards, and enterprises which facilitate electronic payments must coordinate with the Central Bank and Joint Credit Information Center (JCIC) to standardize their information-security measures, and must additionally report or register with the Central Deposit Insurance Corp and the Financial Supervisory Commission (FSC), in the case of regular audits or breach incidents.

Insurance providers who conduct business online must be ISO 27001 certified and must establish a traffic cleaning mechanism against distributed denial-of-service (DDoS) attacks in order to receive licenses to conduct business.

Cybersecurity practices for employees

There are no specific cybersecurity regulations that apply regarding the employer/employee relationship. Taiwan’s Labor Standards Act requires employers to maintain employee records for a duration of five years after the termination of the employment relationship. Employers are required to secure the confidentiality of these records, subject to the general requirements of the PDPA.

Cybersecurity in the educational sector

The central authority in charge of the education industry is the Ministry of Education. In 2016, the Ministry of Education issued an administrative rule governing the protection of cybersecurity and personal data, the “Personal Data and Cyber Security Management Guidelines for Education”. Under this administrative rule, all schools are classified into grades A (e.g. medical universities), B (e.g. universities) or C (e.g. primary/high schools), and they must set up a “Personal Information Management System” or “Information Security Management System” to manage cybersecurity and personal data, and allocate proper resources and staff to periodically maintain and improve the system.

5. PENALTIES

A. Cyber Security Management Act

Article 20 of the CSMA provides for administrative fines of between TWD 100,000 and 1 million for companies that fail to complete corrective actions within the time period specified by the central authority in charge of their industry. If a company has failed to report a cybersecurity incident, then under Article 21 of the CSMA the relevant central authority can impose administrative fines ranging from TWD 300,000 to 5 million and order the company to make improvements which, if not completed on time, can lead to additional fines.

6. OTHER AREAS OF INTEREST

The NCC released 5G licenses to telecommunication operators in 2019 and is currently requiring them to submit a cybersecurity maintenance plan and to adhere to the strict cybersecurity rules under the Regulations for Administration of Mobile Broadband Businesses.

During the COVID-19 pandemic, the central government prohibited all government agencies from using a popular video conferencing service based on cybersecurity concerns. Due to the novelty of general cybersecurity legislation in Taiwan, this was likely the first time such a blanket prohibition was issued.