Can amending the Personal Data Protection Act solve the frequent personal data breach incidents?

Agenda

14:00-14:05  Event introduction
14:05-15:45  Panel discussion

  • Moderator: Huang Yanfen, Chief Writer of Information Security (iThome Weekly)
  • Panelists:
    • Lin Junhong, Leading Lawyer (Cogito Law Office, 義謙法律事務所)
    • Tu Yuyin, President (Taiwan Association for Human Rights, 台灣人權促進會)
    • Simon Yeh, Managing Partner (DaVinci Personal Data and High-Tech Law Firm, 達文西個資暨高科技法律事務所)
    • Howard Jyan, Executive Vice President (Deloitte Taiwan, 勤業眾信聯合會計師事務所)
      (listed by stroke order of surnames)

15:45-16:00  Q&A

**Presentation download <provided with the speakers' consent>**

Meeting minutes

Over the past six months Taiwan has seen a series of major personal data breaches, such as the household registration data of the entire population being openly offered for sale online, and the airline membership data of political and business figures being posted on a foreign forum. In both the public and private sectors, the leakage of citizens' personal data seems to have become routine. On April 13 the Executive Yuan council passed the draft amendment to the Personal Data Protection Act, which would establish an independent agency, the Personal Data Protection Commission, and raise the fines for personal data breaches by non-government agencies to a range of NT$20,000 to NT$2,000,000, with serious cases subject to fines of NT$150,000 to NT$15,000,000.

This session was moderated by Huang Yanfen, Chief Writer of Information Security at iThome Weekly, and brought together Lin Junhong, Leading Lawyer at Cogito Law Office; Tu Yuyin, President of the Taiwan Association for Human Rights; Simon Yeh, Managing Partner of DaVinci Personal Data and High-Tech Law Firm; and Howard Jyan, Executive Vice President at Deloitte Taiwan, to discuss how to respond to the recent string of personal data breaches at both government agencies and private companies.

Lawyer Lin Junhong argued that the core of the data breach problem is that businesses lack incentives to build a sound information security environment. He explained that the key point of the amendment just passed is "heavier penalties": Article 48 of the Act changes the way and the amounts by which enterprises that violate their security maintenance obligations are fined, from ordering correction first to imposing a fine immediately while also ordering correction, and raises the fine ceiling to a range of NT$20,000 to NT$2,000,000; the penalty for failure to correct is also raised to NT$150,000 to NT$15,000,000 per instance. The government's approach is to raise penalties so that businesses pay more attention to personal data breaches, but from the businesses' perspective the bigger problem is that the government gives them neither the incentives nor the resources to build a sound security environment.

Lin also pointed out several issues the current amendment has not yet addressed. For example, Article 27 of the Personal Data Protection Act requires non-government agencies to adopt "appropriate security measures" to prevent personal data from being leaked, but what must a business do for its measures to count as appropriate? Incident notification mechanisms, the link between damage compensation and data breaches, and strengthening corporate responsibility also remain to be resolved.

President Tu Yuyin first raised the idea that "information security is not the same as privacy": privacy is more about the individual's right of self-determination and control, and information security is only a necessary condition for protecting privacy, not a sufficient one. He also noted that the Act currently has no dedicated competent authority. In its early days the Ministry of Justice was the competent authority; today it is the National Development Council, but both the Ministry of Justice and the National Development Council have positioned themselves as agencies that "interpret the law". Personal data practices in different industries are instead overseen by the respective industry regulators, for example the Ministry of Finance for tax-related entities and the Ministry of Economic Affairs for ordinary companies. This creates a problem of fragmented authority, with no one able to think holistically about what the framework for personal data protection should look like.

Tu argued that the future dedicated personal data agency should have a higher degree of independence. Independent agencies today come in two kinds. One is equivalent to a second-level independent agency of the central government, whose full-time commissioners are appointed with the consent of the Legislative Yuan, such as the Central Election Commission, the Fair Trade Commission and the National Communications Commission. The other is a third-level independent agency, such as the Taiwan Transportation Safety Board. In a future in which the body standing on the opposite side of citizens' personal data and privacy is the Ministry of Digital Affairs, a second-level agency, how can a dedicated personal data agency that is only equivalent to a third-level agency genuinely exercise its independence when facing a second-level one? Whether the dedicated agency will have the authority to make binding general decisions, and how its independence will be assured, are issues worth watching.

Finally, Tu said that the scenarios in which citizens' personal data is used beyond its original purpose, and the rights infringed in doing so, need to be spelled out more clearly, including in Articles 6, 16 and 20, for example the definition of "public interest" and what counts as "beneficial to the rights and interests of the data subject". Tu also cautioned that the exemptions from the right to opt out should be further clarified and narrowed.

Simon Yeh said that what the public feels most keenly about data breaches is what follows them: after a breach, people frequently receive scam calls, fall into the trap and lose money. Yeh first described three patterns of online fraud. The first involves "real-time personal data": a few weeks or months after completing a purchase on an online shopping platform, the buyer receives a fake customer service call. Because the scammer already holds the buyer's purchase details, the victim is easily persuaded, and this is the pattern people encounter most often today. The second pattern is one Yeh already observed in his days as a prosecutor: many hackers who obtain personal data trade it with one another on the dark web and consolidate it into complete personal data databases, then use data accumulated over years to commit fraud, typically targeting the elderly. The third pattern is investment fraud that needs no personal data at all: the perpetrators impersonate celebrities by setting up fan pages or websites on social media platforms, then use persuasive scripts to lure victims into messaging-app groups where the fraud takes place. When it comes to fraud, the Personal Data Protection Act is certainly not the only answer.

Yeh also agreed that businesses lack incentives to protect personal data, and that higher penalties will encourage them to invest more in security, reducing the likelihood of breaches. The recent car-sharing data breach case, which drew a penalty of only NT$200,000, is precisely why the penalties were raised in this amendment. Yeh commended the competent authority for amending the law quickly, and he believes the many remaining issues can be taken up and resolved one by one once the dedicated personal data agency is established. He also agreed that this independent dedicated agency should be a second-level agency.

Executive Vice President Howard Jyan began by saying that neither the current nor any future amendment to the Personal Data Protection Act will make data breaches stop. Some have proposed amending the Cyber Security Management Act (資安法) instead, bringing every organization that holds large volumes of personal data within its scope, but he disagrees: this would give the competent authority a blank check, and the number of records held is no objective measure of importance. In his view, even the leak of a single record should count as a Level 3 incident, because that record matters to the person it concerns, and a small number does not make it unimportant.

Jyan said that to solve the data breach problem one first has to know where the problems are: insufficient understanding and awareness of the law, systems that exist on paper but are hard to implement, a lack of suitable expertise, inadequate management of outsourcing, and insufficient test data, among others. Citing World Economic Forum figures, he noted that a very high proportion of cybersecurity incidents is attributed to human error, which is also something the law has difficulty addressing. In his experience the usual cause of security incidents is "management": poor permission management, shared accounts, unpatched vulnerabilities, failed internal oversight, job handovers that are not carried out properly, and deletion procedures with no supervision. He agreed that the law must be revised as circumstances change, but whether the revised law is actually implemented and enforced has to be verified through audits.

On whether the current direction of the amendment is sufficient, Lin said the government could perhaps offer further guidance to give businesses more incentive to act. Tu said the amendment still falls somewhat short: the National Development Council has not adequately stated its position publicly and has been stingy about releasing the draft it has already planned, which would give civil society room for discussion, and has merely rushed out a proposal to set up a personal data commission and raise penalties. Yeh felt the amendment still has a long way to go, and that many issues will inevitably have to be argued out and resolved as consensus forms. Jyan said that the higher penalties in this amendment will make businesses take data breaches seriously and thereby prevent them, which in turn buys the time and room needed to redesign a more complete Act, so this is also a good opportunity.

In closing, moderator Huang Yanfen concluded that as we promote the data economy we must also protect data properly; whether through anonymization or database encryption tools, this should be done on the premise of ensuring the reasonable use of personal data.

Presentation download
  • Lin Junhong, Leading Lawyer (Cogito Law Office): presentation download
  • Tu Yuyin, President (Taiwan Association for Human Rights): presentation download
  • Simon Yeh, Managing Partner (DaVinci Personal Data and High-Tech Law Firm): presentation download

Will amending the Personal Data Protection Act solve the frequent incidents of data leaks?

Agenda

14:00-14:05  Introduction
14:05-15:45  Panel Discussion

  • Moderator:
    Huang, Yanfen, Chief Writer of Information Security, iThome Weekly
  • Panelists:

    • Lin, Junhong, Leading Lawyer, Cogito Law Office
    • Tu, Yuyin, President of the Taiwan Association for Human Rights
    • Yeh, Simon, Managing Partner of DaVinci Personal Data and High-Tech Law Firm
    • Howard Jyan, Executive Vice President, Deloitte Touche Tohmatsu Limited
15:45-16:00  Q&A

**Presentation Download <Provided with the consent of the speaker>**

Meeting Minutes

There have been several large-scale personal data leaks in the country over the past few months, such as the national household registration data being sold on the dark market, the illegal leakage of health insurance data by staff for over a decade, the airline membership data of several celebrities being disclosed on an overseas forum, and more than 90,000 customer records being stolen by hackers from a local department store, just to name a few. The leakage of personal data seems to have become the norm in Taiwan, possibly because organizations lack awareness of information security or personal data protection.

The panel invited experts from various fields to discuss whether the current direction of the Personal Data Protection Act amendments is sufficient in response to recent major incidents. The discussion was moderated by Yanfen Huang (Information Security Chief Writer of iThome Weekly), and the panelists were Junhong Lin (Leading Lawyer of Cogito Law Office), Dr. Yuyin Tu (President of the Taiwan Association for Human Rights), Simon Yeh (Managing Partner of DaVinci Personal Data and High-Tech Law Firm), and Howard Jyan (Executive Vice President of Deloitte Taiwan).

Junhong Lin believes that the core of the data breach issue lies in the lack of incentives for businesses to establish a robust cybersecurity environment. He explained that the focus of the amended Personal Data Protection Act is on "penalties for violations." For example, Article 48 of the Act has been revised regarding the penalties and limits for enterprises that violate their security maintenance obligations. The amendment now imposes an immediate penalty while also requiring corrective measures, with an increased upper limit for fines, which now range from a minimum of NT$20,000 to a maximum of NT$2,000,000. The penalties for failing to correct the violation have also been raised, with fines ranging from a minimum of NT$150,000 to a maximum of NT$15,000,000 per instance. The government's approach is to increase penalties in order to make operators pay more attention to the issue of data breaches. However, for operators, the lack of incentives or resources provided by the government to establish a robust cybersecurity environment is the more significant problem.

Lin also pointed out several unresolved issues at the current stage of the amendment, including the definition of "appropriate security measures" that operators must take to protect personal data from being leaked. Additionally, issues such as incident reporting mechanisms, the correlation between damage compensation and data breaches, and strengthening corporate responsibility all require further resolution.

Dr. Yuyin Tu introduced the concept that "information security is not equal to privacy." He considers privacy to emphasize individuals' right to control their own data, while information security is merely a necessary condition for safeguarding privacy, not a sufficient one. He also mentioned that there is currently no dedicated agency in the country responsible for personal data protection. In the early years, the Ministry of Justice was the competent authority for the Personal Data Protection Act; now it is the National Development Council. However, both agencies position themselves as "interpreting the law." Different industries' practices regarding personal data are still managed by different regulatory authorities. For example, the regulatory authority for tax and financial matters is the Ministry of Finance, and general companies fall under the jurisdiction of the Ministry of Economic Affairs. This fragmentation creates a problem of multiple agencies handling personal data matters, making it difficult to consider comprehensively how to establish the necessary framework for personal data protection.

Tu advocates greater independence for the future dedicated agency responsible for the Personal Data Protection Act. The independent privacy agency, as currently designed, is a third-level government body. In a scenario where the Ministry of Digital Affairs, a second-level body, may be in conflict with the handling of people's personal data privacy, it may not be easy for the independent privacy agency to exercise its independence when facing a higher-level agency. Other issues, such as its decision-making power and how its independence is assured, will be key areas of concern for the future.

Simon Yeh mentioned that the most frightening aspect of a data breach for the public is the aftermath, as individuals often receive scam calls and subsequently fall into fraud traps, resulting in financial losses. He further agreed that there is a lack of incentives for businesses to implement personal data protection, and that increasing penalties will encourage businesses to invest more in cybersecurity, thereby reducing the likelihood of data breaches. The recent data breach at a car-sharing company resulted in a penalty of only NT$200,000, which is precisely the reason for the increased penalties in the current amendment. Yeh also acknowledged the swift action taken by the current competent authority in amending the law, and he believes that the remaining unresolved issues can be discussed and addressed one by one once a dedicated agency for personal data is established. Furthermore, he shares the view that the independent dedicated agency should be a second-level government body.

Howard Jyan explained that neither the current nor any future amendment to the Personal Data Protection Act can eliminate data breach incidents. Some have suggested amending the cybersecurity law to cover entities that possess a certain amount of personal data. However, he disagrees with this viewpoint, because it would grant the competent authority excessive discretion, and the quantity of personal data cannot be used as an objective measure of importance. He believes that even a single leaked record should be considered a severe incident, because that personal data is crucial to the individual involved, and its importance should not be discounted based on quantity.

Jyan further indicated that in order to solve the data breach problem, it is necessary to identify the underlying causes, such as a lack of understanding and awareness of the law, difficulty in implementing existing systems, a lack of appropriate professional knowledge, inadequate outsourcing management, and insufficient test data. He cited data from the World Economic Forum showing that a significant proportion of cybersecurity incidents is attributed to human error, which is a difficult problem for the law to address. Based on his experience, the common causes of cybersecurity incidents are usually "management" issues, such as improper permission management, shared accounts, unpatched vulnerabilities, ineffective internal supervision mechanisms, inadequate job handover procedures, and a lack of oversight of deletion processes. He agrees that the law needs to be adjusted to the objective environment, but the implementation and enforcement of the amended law must be confirmed through audits.

In response to the question of whether the current amendment of the Personal Data Protection Act is sufficient, Lin believed that the government could provide further guidance to incentivize businesses to take more action. Tu stated that the current amendment is still somewhat insufficient, as the National Development Council has not adequately expressed its position and has been reluctant to publicly disclose the drafted proposals, which would allow for public discussion. The focus has only been on increasing penalties for personal data breaches.

Yeh believed that there is still a long way to go in amending the Personal Data Protection Act, and that many issues are to be debated and resolved during the process of consensus-building. Jyan believed that the increased penalties in the current amendment will encourage businesses to take personal data breaches more seriously and prevent them. In conclusion, the moderator stated that as we promote the data economy, we must also prioritize data protection. Whether through anonymization or the use of database encryption tools, it should be done while ensuring the reasonable use of personal data.

Presentation Download