Cybersecurity in Taiwan

    By Jackson Huang Shuai-Sheng, Formosa Transnational

    Data protection and cybersecurity are evolving areas of regulation in Asia. Here, experts shed light on emerging jurisprudence in the region’s top jurisdictions


    Cybersecurity laws in Taiwan consist of various laws and regulations set out in different regimes. Although the Cyber Security Management Act (CSMA) was promulgated in 2018, it mainly establishes cybersecurity control mechanisms for governmental agencies and specific non-governmental agencies. Other related laws and regulations are of importance and may include, among others, the Criminal Code, Personal Data Protection Act (PDPA), and the new Anti-Infiltration Act.

    The Criminal Code

    The provisions regarding cybersecurity are set out in chapter 36 of the Criminal Code, “computer offences”. The conduct listed below is subject to criminal punishment, including, but not limited to, imprisonment and fines.

    Jackson Huang Shuai-Sheng
    Senior Partner at Formosa Transnational in Taipei
    Tel: +886 2 2755 7366

    (1) Hacking into another’s computer (article 358 of the Criminal Code). If a person, without a justified reason, accesses another’s computer or related equipment by: (i) entering another’s account ID and password; (ii) breaking computer protection measures; or (iii) taking advantage of a system loophole, that conduct constitutes an offence under article 358 of the Criminal Code. A justified reason may include the authorization of the relevant other party, or a legal requirement.

    (2) Illegal disposal of the electronic or magnetic record. If a person illegally obtains, deletes or alters the electronic or magnetic record of another’s computer or related equipment, that conduct may violate article 359 of the Criminal Code. The term “electronic or magnetic record” refers to “records for computer processing made through the use of electronic, magnetic, optical or other similar means”.

    (3) Interference with the use of a computer or related equipment. If a person interferes with the use of a computer or related equipment of another person, and causes injury to the public or said other, that conduct may be in violation of article 362 of the Criminal Code.

    (4) Making computer programs to commit the offences specified in chapter 36 of the Criminal Code. If a person makes computer programs specifically for himself/herself or another, for the purpose of committing the offences of the above articles 358, 359 and 362, that conduct may be in violation of article 363 of the Criminal Code.

    The Civil Code

    There are no specific laws or regulations regarding the civil liability for cybersecurity violations in the Civil Code. However, if anyone, through hacking a computer of others, or by other means affecting cybersecurity, causes others to suffer loss or injury, the injured person/entity may claim compensation pursuant to article 184 of the Civil Code (torts) and other provisions, including, but not limited to, articles 18 (infringement of personal rights) and 195 (infringement of fame) in principle, and other related provisions as may be relevant to the particular circumstances.

    Personal Data Protection Act

    For the protection of personal data, the PDPA stipulates that governmental/non-governmental agencies must implement proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed. These provisions are not directly related to cybersecurity. However, personal data are currently collected, processed and transferred by utilizing the internet, and, as such, security measures may also be of assistance to enhance the overall effectiveness of cybersecurity measures.

    The PDPA also stipulates that the central competent authority in charge of certain industries may designate and order certain non-governmental agencies (private entities) to establish so-called security and maintenance plans for the protection of personal data files, and to formulate and implement guidelines for the disposal of personal data following a business termination.

    For example, Taiwan’s Financial Supervisory Commission has enacted the “security and maintenance plan for the protection of personal data files for non-governmental agencies as designated by the Financial Supervisory Commission”. Under these regulations, the non-governmental agencies that provide electronic commerce services must adopt the following information security measures:

    (1) verify identity;

    (2) conceal personal data;

    (3) secure encryption for transmission via the internet;

    (4) verify and confirm the processes for developing, going online and maintaining certain application systems;

    (5) establish and implement protection and supervision measures for personal data files and the databases;

    (6) formulate solutions to prevent external unauthorized access; and

    (7) formulate solutions for, and supervision of, illegal or abnormal access and use.

    The CSMA

    The CSMA was promulgated in Taiwan on 6 June 2018. Aside from the Criminal Code and the PDPA, the CSMA primarily regulates the management of cybersecurity programmes by governmental and specific non-governmental agencies, for the construction of an environment to safeguard national cybersecurity. The competent authority of the CSMA is the Executive Yuan, which is the highest administrative central government authority in Taiwan. The Ministry of Economic Affairs has also published guidelines for companies in Taiwan to establish relevant cybersecurity mechanisms per the CSMA.

    The application scope of the CSMA includes governmental agencies and specific non-governmental agencies. The specific non-governmental agencies include state-owned enterprises, government-endowed foundations, and “infrastructure providers”.

    This is important, as infrastructure providers are expected to establish cybersecurity protection mechanisms to the extent required by the CSMA, to ensure that the relevant sensitive information will be secure, and will not be leaked to others with malicious intentions, so as to safeguard national security.

    Infrastructure providers refer to those entities that maintain or provide critical infrastructure, either in whole or in part, as designated by the central authority in charge of the relevant industry, the designations of which are submitted to the competent authority for ratification.

    Critical infrastructures include the suppliers for facilities in the fields of energy, water, telecommunications, finance, transportation, emergency medication, governmental agencies and high-tech parks.

    Once suppliers are designated as being an infrastructure provider, they also bear the same obligations as government agencies to establish cybersecurity protection mechanisms to prevent any unexpected disclosure of sensitive information via the internet that could adversely affect national security.

    The responsibilities of governmental agencies and specific non-governmental agencies under the CSMA are categorized in three stages:

    (1) Advance Planning. The CSMA requires governmental agencies or specific non-governmental agencies to establish “security and maintenance plans” and “reporting and responding mechanisms” in advance for personnel to implement accordingly. Agencies are also required to state their cybersecurity responsibility levels by considering the importance, confidentiality and sensitivity of the business; the hierarchy of the agency; the category, quantity and attributes of the information reserved or processed; and the scale and attributes of the agency’s information and communication systems.

    (2) Maintenance. The agencies are required to provide reports periodically to the central government authority, and the authorities may conduct on-site due diligence checks per the CSMA. If any event affecting cybersecurity occurs, the agencies must report to the central government authority and take measures to control the loss, and to recover the operations per the mechanisms enacted by the central government authority.

    (3) Post-event occurrence correction. After a cybersecurity event occurs, or at the time that the central government authorities find deficiencies in the cybersecurity control mechanism of the agencies, the organizations must make corrections to such deficiencies, and submit a report indicating the measures being taken to remedy the deficiencies. The agencies are required to track the implementation and efficacy of the remedial and correction measures to ensure that the deficiencies are comprehensively corrected.

    The CSMA also requires the government to establish information sharing mechanisms as the threats to cybersecurity may come from various locales worldwide. The sharing of information between governmental and non-governmental agencies is encouraged in order to strengthen the cybersecurity network.

    The information-sharing mechanisms established include the National Information Sharing and Analysis Centre (N-ISAC), the National Computer Emergency Response Team (N-CERT), and the National Security Operation Centre (N-SOC).

    The Anti-Infiltration Act

    The Anti-Infiltration Act became effective in early January 2020, and prohibits people acting on the instruction of, or with the funding of, “infiltration sources” from engaging in illegal campaigning or lobbying, or from receiving illegal political donations as well as from disrupting the social order.

    The background to the drafting and passage of the Anti-Infiltration Act is the recent presidential election in Taiwan, during which people on the island or abroad were generating so-called “fake news” on the internet in attempts to affect the results of the election.

    13/F, 136 Jen Ai Road, Sec. 3, Taipei
    Tel: +886 2 2755 7366
    Fax: +886 2 2755 6486
