Ken-Ying Tseng heads Lee and Li’s M&A practice group (non-financial sector) and the data protection practice group. She received an LLM from Harvard Law School. Ken-Ying advises on various forms of mergers and acquisitions, and is experienced in resolving both legal and commercial issues. She assisted and represented several multinational corporations in their M&A activities, including, among others, BASF, Henkel, Yahoo!, Arrow, Bureau Veritas, Aleees, DIC, Sony, Micrel, NTT DoCoMo, Energy Absolute, Qualcomm, McDonald’s.
In addition to M&As, Ken-Ying advises various tech companies that operate the businesses of social networks, instant messengers, search engines, portal sites, sharing economy, e-commerce, OTT, on-line game, P2P lending, e-payments, cloud computing, and so on. Ken-Ying also advises clients, including multinational companies, on privacy and data protection (GDPR), e-marketing, big data, e-signature, domain name, telecommunications, satellite, fintech, cybersecurity, internet governance and other legal issues.
Ken-Ying is admitted to practise law in both Taiwan and New York.
GTDT: What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Ken-Ying Tseng: On 6 June 2018, the first piece of cybersecurity legislation of Taiwan, the Cybersecurity Management Act (the Cybersecurity Act), became a statute after being publicly announced by the Office of the President, Taiwan. The Cybersecurity Act was enacted by the Legislative Yuan of Taiwan on 11 May 2018, with the actual effective date to be further determined by the Executive Yuan. The local news originally reported that the Executive Yuan planned to set an effective date for each of the three categories of agencies, organisations and entities that are subject to the Cybersecurity Act (ie, the government agencies, critical infrastructure providers and other specific non-government agencies) starting from the end of June 2018. Recently, given the complexity and difficulty in setting up three different effective dates for one statute, the Executive Yuan has changed the plan and it will set only ‘one’ effective date for the Cybersecurity Act. It is anticipated that the effective date will be announced soon and the Cybersecurity Act will become effective early next year. The government expects to protect cybersecurity and promote the growth and development of the local cybersecurity industry by imposing the various regulatory obligations under the Cybersecurity Act.
The Cybersecurity Act applies to the public sector and a few private industries that are operating ‘critical infrastructure’. The exact scope of ‘critical infrastructure’ will be subject to further public announcement of the Executive Yuan. According to the Department of Cyber Security, Executive Yuan, after the Cybersecurity Act is enacted, further rules and regulations on enforcing the Cybersecurity Act will be promulgated, including the Enforcement Rules of Cybersecurity Act, Guidelines on Cybersecurity Obligation Levels and Classifications, Cybersecurity Intelligence Sharing Measures, Guidelines on Cybersecurity Incident Reports and Responsive Measures, Cybersecurity Plans for Certain Non-government Agencies, and Guidelines on Rewards and Punishments for Public Agency Personnel Regarding Cybersecurity Matters.
According to the draft Guidelines on Cybersecurity Obligation Levels and Classifications, there will be four levels of cybersecurity obligations: Levels A, B, C and D. Each level has different security requirements. Levels A, B and C shall adopt the security standards pursuant to CNS27001 and ISO27001 and shall be certified by an independent third party for such compliance within three years. The attachments to these guidelines also set forth various security measures and standards that the regulated agencies should follow.
Meanwhile, a couple of Taiwan regulators have adopted ISO27001 and its equivalent, CNS27001, as the cybersecurity standards for the industries that they regulate. For example, Type I telecommunications operators are required to adopt ISO27001/CNS27001 and ISO27011 as their security standards and to obtain the relevant certifications. Certain financial institutions are also required by the financial regulator to adopt ISO27001.
GTDT: When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
K-Y T: Pursuant to the Cybersecurity Act, a government agency and a non-government agency that is subject to the Cybersecurity Act must report to its supervisory agency, or to the regulator of the industry to which the certain non-government agency belongs, as applicable, when the agency becomes aware of a cybersecurity incident. A cybersecurity incident refers to any incident where the cybersecurity policy or protection of a system may have been compromised, thereby the function of the system is affected and the cybersecurity policy is threatened. Hence, as long as there is a cybersecurity incident, even if no personal data is involved, a regulated agency under the Cybersecurity Act should submit a report pursuant to the Cybersecurity Act. The Cybersecurity Act itself does not stipulate the reporting requirements in detail, such as the deadline or content of the report, nor does it require the affected individuals be notified. Further details may be provided under the ‘Guidelines on Cybersecurity Incident Reports and Responsive Measures’ to be established by the Executive Yuan in the near future.
If personal data is involved in a data breach incident, pursuant to the Personal Data Protection Act (the PDPA), either a public agency or a non-public agency shall inform the affected data subjects of the data breach incident as soon as it inspects the relevant incident. In the notice to the data subjects, the relevant facts concerning the incident must be stated; for example, what data was stolen, when the incident happened, the suspect(s), as well as the remedial actions that have been taken. The PDPA does not set forth any threshold (such as number of affected data subjects) that triggers the requirement to notify the affected data subjects. Technically speaking, even if there is only one data subject affected by the data breach incident, the data subject must be notified of the data breach incident.
The PDPA does not stipulate any obligation to report a data breach incident to the regulator. However, among the personal data security maintenance plans set by the various industry regulators, some of the regulators require the private sector to report a data breach incident to the regulator in charge of the industry. In most of the cases, the reporting will only become mandatory when the data breach incident is deemed material. For example, the regulator of the financial industry requires financial institutions to report a material personal data breach incident to the regulator if the daily operation of a financial institution is affected by such an incident. Online retailers are also required to report data breach incidents to the regulator.
When deciding whether to report to the regulator or notify the data subjects, a business should check and verify the relevant facts of the data breach incident, identify the causes of the security breach and the potential suspect(s), evaluate the magnitude of the incident, such as the number of data subjects affected, the amount of personal data leaked, and the sensitiveness of the leaked data (whether the data lost or leaked includes any credit card numbers, bank account information, and so on).
GTDT: What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
K-Y T: The most important issue for a company facing a data security incident should be how to prevent further damage or harm from such an incident. If possible, a company should notify the affected data subjects as soon as possible so that they are alerted and given the chances to take precautionary measures (for example, resetting their passwords) in time. A company should also take immediate actions to detect and fix the loophole in its system, if any, to prevent any further breach or damage or take other technical remedial measures.
In many of the local data security incidents that are reported, the cause of the incident was not a technical issue but the misconduct of current or previous employees or contractors or their employees. Hence, it is very important for a company to adopt proper security measures and internal control rules, conduct awareness training, and implement standards for employee or contractor selection. In the service agreements that a company enters into with its contractors, clauses addressing personal data protection and indemnification liabilities, among others, should definitely be included.
GTDT: What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
K-Y T: In Taiwan, most businesses are cost-sensitive small or medium-sized enterprises that tend to adopt a ‘one-stop’ solution (ie, installing a package software) as the solution to cybersecurity issues, as well as compliance with applicable privacy laws (including the GDPR). This is, of course, inadequate. Even purely from the IT perspective, installing certain software packages may not be sufficient to protect the business from cyberattacks.
For large corporations, they are usually more cautious and normally hire IT specialists/consultants to implement security measures, to conduct internal training, to design standard operating procedures (SOPs), and so on. They also seek internationally recognised certifications, such as ISO27001. Certain industries are required to obtain ISO27001/CNS27001 certifications, such as telecommunications operators and certain financial institutions.
GTDT: Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
K-Y T: Pursuant to the PDPA, a cloud service provider will most likely be deemed a data processor, while a business using the cloud service will be deemed the data controller. Pursuant to the PDPA, a data controller will be held liable to its customers if the cloud service provider (the data processor) does not comply with the PDPA. Hence, it is important to select a trustworthy cloud service provider when a business decides to move its data to the cloud.
A business should also check whether it is subject to any special sectorial regulations for outsourcing data processing or storage activities. For example, financial institutions are subject to the prior approval of the relevant regulators for outsourcing activities (even locally). The conditions (one of which is having obtained the customers’ consent for the outsourcing activities) for obtaining the regulatory approval for moving the data to a foreign cloud are difficult to meet. For certain industries, customer data is prohibited from being stored in China, such as telecommunications operators, TV channels and cable TV system operators.
GTDT: How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
K-Y T: In recent years, the websites and systems of the Taiwan government, as well as large corporations, have been frequently hacked or attacked. Rumour has it that the ‘cyber-army’ of China is responsible for over half of the attacks. To protect cybersecurity in Taiwan, the Executive Yuan took a series of actions, including the enactment of the Cybersecurity Act. By imposing the relevant requirements under the Cybersecurity Act, such as strengthening the regulated agencies’ internal procedures and SOPs, the government hopes to raise cybersecurity standards in Taiwan as well as the ability to fight cyberattacks. The government also hopes to foster the growth of the local cybersecurity industry through the implementation of the Cybersecurity Act as there will be more audits of regulated agencies in the future.
A while ago the Taiwan government established a special taskforce, the Ninth Investigation Corp of the Criminal Investigation Bureau, to combat criminal activities conducted via high-tech or information technology, such as computer crimes, cybercrimes, and so on. All reports on cyber-related criminal activities are forwarded to the Ninth Investigation Corp for further investigation. The Ninth Investigation Corp is equipped with personnel with a technology background as well as advanced hardware and software. It has established channels with police authorities in other jurisdictions to investigate cross-border crimes. With regard to phone scams, the National Police Agency has set up a special phone line, 165, for the general public to report such scams.
GTDT: When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
K-Y T: In an M&A deal, the acquirer needs to evaluate the potential privacy or security risks from the following perspectives.
First, the track records of the target. The records of data breach incidents or notable non-compliances with privacy laws can serve as the basis for calculating existing or contingent liabilities of the target, as well as the pattern and frequency in terms of future liabilities if the target will continue with its operation in the same manner after the M&A transaction.
Second, data ethics. If the target constantly ignores security threats or disrespects privacy or data ethics, there may be unpredictable or unidentified contingent liabilities already.
Third, costs of future reform. In addition to the liabilities evaluation stated above, the acquirer or surviving entity should also estimate the costs of resolving existing issues and implementing reforms. This will include the costs of securing IT, obtaining the required consents from the data subjects, and notifying the data subjects, and so on.
Fourth, losses attributable to deletion of customer data. Customer data that was collected without the required consents will need to be deleted, and the resulting losses of business opportunities should be considered and calculated.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
First, the lawyer must be familiar with the relevant laws and regulations concerning data security and privacy. In handling cases like this, the client would need to take responsive measures immediately so there will be no time for the lawyer to conduct lengthy legal searches before any advice can be rendered. Meanwhile, a cybersecurity incident may not be handled merely from the legal perspective; at times, the client would need to deal with the government and manage public image and reputation. Hence, the lawyer needs to be able to take all of the relevant factors into consideration when rendering legal advice. In sum, the client should look for an experienced lawyer who can act fast and offer practical solutions.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
I found cybersecurity and privacy practice fascinating because I encounter unprecedented legal and commercial issues and the need to respond fast, while addressing all of the potential legal liabilities and consequences to the clients. Whenever a cybersecurity incident or personal data leakage is spotted or reported, the client would face immediate security threats, complaints from its customers, as well as pressure and questions from the regulatory authorities. In Taiwan, although the PDPA does not stipulate a specific deadline for notifying the affected data subjects or reporting to the regulator, there is limited time for the clients to respond (ie, resolving security problems, fulfilling legal obligations, communicating with the press/customers, and so on). In addition, since the PDPA is relatively rigid in terms of marketing activities and cross-border data sharing, creative solutions are at times required for the clients to obtain the necessary consents from data subjects, etc.
How is the privacy landscape changing in your jurisdiction?
While Taiwan’s data protection laws and regulations are similar to, if not even stricter than, the EU’s, the regulator’s mindset and the enforcement levels are quite different. Taiwan is one of the very few countries without a centralised data protection authority. The regulators of different industries have their own positions and adopt different enforcement levels. Certain regulators take more aggressive initiatives to protect personal data while others are reluctant to render their opinions on important issues. As Taiwan is preparing for obtaining the GDPR adequacy decision from the EU, the government is expected to amend the PDPA to be more ‘GDPR compliant’ and take the same position as the EU with similar issues.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
In recent years, business email compromise (BEC), malware, and ransomware also became the major causes of cybersecurity incidents in Taiwan. According to local news, the CIB indicated that the total losses caused by BEC reached NT$187,360,000 in Taiwan in 2017 and that BEC has become the No. 1 method of attack in Taiwan. Meanwhile, online fraud is also a major issue for the law enforcement agency. Such cases are often caused by a leak of personal data associated with online shopping websites. It was reported that the CIB stated that of all the fraud cases in 2017, 50 per cent were ‘communications’ or ‘internet’ fraud in connection with online shopping activities.
Lee and Li, Attorneys-At-Law