TAIWAN Law and Practice Contributed by: Che-Hung Chen, Doris Lu, Jakob Huang and Meng-Ying Lee, Chen & Lin Attorneys-at-Law
(a) Failure to record personal data usage – the bank’s personal data security maintenance guidelines require recording the use of personal data, retaining trace data, or relevant evidence. However, the report system did not retain personal data usage traces in accordance with internal regulations, which hinders the ability to track the usage of personal data in the event of a data breach and affects the auditing timeline.

(b) Failure to confirm the implementation of system security updates – the bank’s information equipment authorisation and protection management rules, as well as the personal computer usage management regulations, stipulate that operational environment changes should undergo proper testing, and security updates delivered to workstations should be confirmed. However, prior to and during system updates, the bank failed to identify vulnerabilities in the security monitoring software and confirm its execution on workstations. As a result, the software failed to start normally, preventing proper control and recording of portable device data access, which affected audit effectiveness and made it impossible to assess actual damage, hindering subsequent investigation procedures.

Vehicle-Sharing Platform Risks Exposure of Personal Data of More Than 400,000 of its Users

In January 2023, a security researcher discovered a database containing iRent (a large vehicle-sharing platform in Taiwan) customers’ personal data (including full names, cell phone numbers, email addresses, home addresses, photos of their drivers’ licences, and partially redacted payment card details) on a cloud server that was inadvertently accessible to the public. Because the database was not password-protected or encrypted, anyone on the internet could access this iRent customer data. The database, which contained about 4.2 terabytes of data, was exposed on the open web for at least nine months before the researcher discovered it.

This incident instantly captured widespread public attention as iRent is the largest vehicle-sharing platform in Taiwan. iRent explained that its temporary database did not properly block external connections, resulting in the database potentially being accessed by external parties using specific tools and techniques to access information of members, with 400,000 members potentially being affected. The Directorate General of Highways and the Taipei Municipal Transportation Bureau separately imposed a fine of TWD200,000 and TWD90,000 for the data leakage. iRent was also ordered to improve its data security.

After this incident, a councillor of Taipei City Council considered that because the amount of fines under Taipei City’s autonomous ordinance for data breach was too low, enterprises often overlooked the severity of such incidents and did not give earnest attention to data security measures. With fines set at a level that does not proportionately reflect the potential impact and damages resulting from breaches, there is a diminished incentive for enterprises to proactively invest in robust security measures. Therefore, the councillor proposed a draft amendment to the “Taipei City Autonomous Ordinance Governing Ridesharing Services Management”. This amendment was passed in December 2023. Under the new ordinance, if a data breach results from the enterprise’s intentional act or
CHAMBERS.COM