Getting The Deal Through

Privacy & Cybersecurity in Taiwan

An interview with Ken-Ying Tseng

Lee and Li, Attorneys at Law

Ken-Ying Tseng established and currently heads Lee and Li’s personal data protection practice group. Before 2018, she was the head of Lee and Li’s M&A practice group for 12 years. She received an LLM from Harvard Law School.

Ken-Ying advises on various forms of mergers and acquisitions, and is experienced in resolving both legal and commercial issues. She assisted and represented several multinational corporations in their M&A activities, including BASF, Henkel, Yahoo!, Arrow, Bureau Veritas, Aleees, DIC, Sony, Micrel, NTT DoCoMo, Energy Absolute, Qualcomm and McDonald’s, among others.

In addition to M&A, Ken-Ying regularly advises various tech companies that are in the businesses of social networks, instant messengers, search engines, portal sites, sharing economy, e-commerce, over-the-top content, online games, peer-to-peer lending, e-payments, cloud computing and so on. Ken-Ying also frequently advises clients, including multinational companies, on privacy and data protection, e-marketing, big data, e-signature, domain name, telecommunications, satellite, fintech, cybersecurity, internet governance and other legal issues.

Ken-Ying is admitted to practise law in both Taiwan and New York.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

On 6 June 2018, the very first cybersecurity legislation of Taiwan, the Cybersecurity Management Act (the Cybersecurity Act), became an official statute of Taiwan after being publicly announced by the Office of the President. The executive branch of the government has been proposing the relevant enforcement rules and regulations since then and promulgated a series of rules and regulations on 21 November 2018, including the Enforcement Rules of the Cybersecurity Act (the Enforcement Rules), Regulations for Classification of Cybersecurity Responsibility, Regulations for Reporting and Responding Cybersecurity Incidents, Regulations for Inspecting Implementation Status of Specific Non-Governmental Agencies’ Cybersecurity Maintenance Programs, Cybersecurity Information Sharing Regulations and Award and Punishment Regulations on Cybersecurity Affairs for the Public Servants. The Cybersecurity Act, the Enforcement Rules and the other regulations have all been effective since 1 January 2019.

The Taiwan government now deems ‘cybersecurity’ as ‘national security’ and it has been anticipated that the Cybersecurity Act will reshape the protection of cybersecurity in Taiwan. The government also expects to promote the growth and development of the cybersecurity industry in Taiwan by imposing the various regulatory obligations under the Cybersecurity Act.

Pursuant to the Cybersecurity Act and the above regulations, such as the Regulations for Classification of Cybersecurity Responsibility, cybersecurity responsibility is further classified into five levels (from Level A to Level E). Each government agency must stipulate its own cybersecurity maintenance plan and also set forth guidelines on cybersecurity matters for the ‘specific non-governmental agencies’ that it regulates. Many government agencies have promulgated such guidelines to regulate the non-governmental agencies subject to their jurisdiction. For example, the regulator of the telecommunications and broadcasting industries, the National Communications Commission (the NCC), promulgated the Regulations of Specific Non-governmental Agencies’ Cybersecurity Management by the National Communications Commission on 1 April 2019.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

Pursuant to the Cybersecurity Act, the agencies subject to the Cybersecurity Act shall report to their supervisory agency, or to the competent authority of the industry that the private agency is engaged in, as applicable, when the agency becomes aware of a cybersecurity incident. A cybersecurity incident refers to any incident under which the system or information may have been accessed, used, controlled, disclosed, damaged, altered, deleted or otherwise infringed without authorisation, affecting the function of the information communication system, and thereby threatening the cybersecurity policy. Hence, as long as there is a security breach incident, even if no personal data is involved, the incident may be subject to the reporting requirements.

The Regulations for Reporting and Responding Cybersecurity Incidents set forth further details about the reporting of cybersecurity incidents as required under the Cybersecurity Act. A ‘specific non-governmental agency’ shall report to its regulator at the central government within one hour of becoming aware of the cybersecurity incident, and the regulator shall respond within two to eight hours depending on the classification of the cybersecurity incident. In the meantime, the specific non-governmental agency shall complete damage control or recovery of the system within 36 to 72 hours depending on the classification of the cybersecurity incident.

Meanwhile, if personal data is involved in a data breach incident, pursuant to the Personal Data Protection Act (the PDPA), either a public agency or a non-public agency shall inform the affected data subjects of the data breach incident as soon as it inspects the relevant incident. In the notice to the data subjects, the relevant facts concerning the incident, such as what data was stolen, when the incident happened, the potential suspect that breached the data, as well as the remedial actions that have been taken, shall be described. The PDPA does not set forth any threshold for the notification to the affected data subjects.

As for notification to the regulator, the PDPA does not specify any obligation to report a data breach incident to the regulator. As long as there is one data subject affected, the data subject must be notified of the data breach incident. However, in the personal data security maintenance plans stipulated by the competent authorities of certain industries, the private sector is required to report a data breach incident to the competent authority in charge of the industry. In most cases, the reporting will only become mandatory when the data breach incident is deemed ‘material’. Some of the competent authorities have adopted their own definitions of ‘material’, such as ‘affecting the daily operation’ of the private business. The industries that must report to their regulators include online retailers and financial institutions, among others.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

I believe that the most important issue for a company facing a data security incident is how to prevent further damage or harm that may be caused by such an incident. If possible, a company shall notify the affected data subjects as soon as possible so that they are alerted and have the chance to take precautionary measures (for example, resetting their passwords) in time. A company shall also take immediate action to detect and fix the loophole in its system, if any, to prevent any further breach or damage.

In many of the data security incidents that are locally reported, the cause of the incident is not system failure or hackers’ activity but the misconduct of the relevant employees, contractors or the employees of the contractors. Hence, it is very important for a company to adopt proper security measures and internal control rules, awareness training and standards for employee and contractor selection. Meanwhile, though data breach incidents are often caused by a mistake made by the staff of small service vendors, the large companies retaining their services will be forced to deal with the customers who may suffer damage. In the end, cases will be settled because the small service vendors may not be financially capable of bearing the relevant liabilities but the large companies need to protect their brand names. Hence, a company needs to carefully select its service vendors, and clauses addressing personal data protection and indemnification liabilities should be included in the service agreements.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

In Taiwan, most businesses are cost-sensitive small- or medium-sized enterprises and they tend to believe that adopting a certain ‘one-stop’ solution, such as installing a certain ‘package software’, can handle cybersecurity issues as well as compliance with the applicable privacy laws, including the EU General Data Protection Regulation. This is, of course, not the case. Even purely from the IT perspective, installing certain package software may not be sufficient to protect the businesses from cyberattacks.

Large corporations are more cautious and normally will hire IT specialists or consultants and lawyers to implement security measures, for example, to conduct internal training and design standard operating procedures (SOPs). They will also seek internationally recognised certifications, such as ISO 27001. Some industries, such as the telecommunications industry, are required to pass ISO 27001 certification.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

Pursuant to the PDPA, a cloud service provider will most likely be deemed a data processor, while the business using the cloud service will be deemed the data controller. Pursuant to the PDPA, the data controller shall be held liable to its customers if the cloud service provider or data processor does not comply with the PDPA or the instructions of the data controller. The data controller may also be subject to administrative fines for any breach of the PDPA by the data processor. Hence, it is important to select a trustworthy cloud service provider when a business decides to move its data to the cloud.

The business shall also check whether it is subject to any special sector regulations for outsourcing data processing or even storing data outside of Taiwan. For example, financial institutions are subject to the prior approval of the competent authorities for outsourcing activities, even locally. The thresholds (one of which is customers’ consent for the outsourcing activities) to obtain the regulatory approval for moving data to a public cloud are difficult to reach. The regulator of the financial institutions, the Financial Supervisory Commission, is contemplating relaxing the restrictions so as to allow banks in Taiwan to adopt the public cloud services provided by third-party service providers, such as Google, Amazon Web Services and Microsoft, but the relevant rules have not been finalised. Furthermore, for some industries, such as telecommunications operators, TV channels and cable TV system operators, customers’ data is prohibited from being stored in China.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The websites and systems of the Taiwan government, as well as large corporations, have been frequently hacked or attacked by attackers outside Taiwan, such as from China. The ‘cyber-army’ of China was blamed for most of the attacks and incidents. Meanwhile, recent incidents involving ‘fake news’ or ‘misinformation’ that have been alleged to be posted by Chinese on Taiwanese websites also caught the attention of the Taiwan government. To protect the cybersecurity of Taiwan, the executive branch initiated a series of actions, including the implementation of the Cybersecurity Act. By imposing the relevant requirements under the Cybersecurity Act, such as strengthening the regulated agencies’ internal procedures and SOPs, the government has sought to raise cybersecurity standards in Taiwan and the ability to fight against cyberattacks. The government also hopes to foster the growth of the local cybersecurity industry through the implementation of the Cybersecurity Act, as there will be more audit tasks to be conducted by the regulated agencies.

Given that cybersecurity is now national security, the legislative branch enacted certain amendments to the National Security Act on 19 June 2019, which explicitly state that the protection of national security shall include the security of cyberspace as well as physical space in the territory of the Republic of China. This means that the application of the National Security Act to activities conducted on the internet is now officially confirmed without the need for further interpretation.

With regard to the prevention of criminal activities, the Taiwanese government long ago established a special taskforce, the 9th Investigation Corp of the Criminal Investigation Bureau, to combat criminal activities conducted via high tech or information technology, such as computer crime, cybercrime and so on. All reports of cyber-related criminal activity will be forwarded to the 9th Investigation Corp for further investigation. The 9th Investigation Corp is staffed with police officers with technology backgrounds and equipped with high-tech hardware and software. It has established channels with police authorities in offshore countries to investigate cross-border crimes. To combat phone fraud activities, the National Police Agency further established a special phone line, ‘165’, to assist the general public in fighting fraudsters.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

An acquirer or surviving entity in an M&A deal needs to evaluate the potential risks in the following perspectives.

  • First, the track records of the target. The past records of data breach incidents and notable non-compliance of privacy laws can be used to calculate the existing or contingent liabilities of the target, as well as the pattern for future liabilities in the event that the target continues its operation in the same manner after the M&A.
  • Second, data ethics. If the target constantly ignores cybersecurity threats or disrespects privacy or data ethics, there may be unpredictable contingent liabilities already.
  • Third, costs for future reform. In addition to the liabilities evaluation stated above, the acquirer or surviving entity shall also estimate the costs to fix the existing issues and to reform the operation. This will include the costs for IT, obtaining proper consents from the data subjects and performing notification obligations to the data subjects.
  • Fourth, the losses to be incurred due to the reduction of the customer database. Customer data without proper consents would need to be eliminated, and the loss of business opportunities shall also be considered and calculated.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

The lawyer must have sufficient knowledge and training to think and act fast. Lengthy legal searches will not help. Also, a cybersecurity incident must not be handled from a merely legal perspective and must be dealt with by combining multiple perspectives, such as public relations. Hence, the lawyer needs to be able to take all of the relevant factors into consideration when rendering advice.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Cybersecurity and privacy are fascinating because of the cutting-edge legal and commercial issues that need responding to simultaneously, while addressing all of the potential legal liabilities and consequences to the clients. Whenever a cybersecurity incident or personal data leakage is spotted or reported, the client faces immediate security threats, complaints from the consumers, as well as pressures and questions from the regulatory authorities.

How is the privacy landscape changing in your jurisdiction?

Taiwan adopted a legal framework of personal data protection that is similar to the data protection laws of the EU, though the regulatory position and enforcement are quite different. Notably, we do not have one single regulator in charge of data protection matters. Taiwan submitted its application for a GDPR adequacy decision in 2018, and it can be anticipated that the Taiwan government may reform the privacy law to be ‘more’ GDPR-compliant and take the same position as the EU authorities on similar issues.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

In 2018, there was a major security incident caused by virus infection, and this incident caused considerable damage to a major industrial player in Taiwan. Hence, it is very important for a company to follow its standard procedure to scan for viruses before adding any new equipment to the existing system.

Ken-Ying Tseng

Lee and Li, Attorneys at Law, Taipei
