On Coping with Ransomware from the Perspective of Legal Compliance in Taiwan

November 2022

Frank Sun and Sally Yang

With frequent international incidents of hacking in which the systems or databases of government and corporate organizations are compromised, not only is the financial sector vulnerable to attacks; industries such as manufacturing, food and beverage, and online retailing are also likely targets because of the massive amounts of customers' personal data they hold.  Cybersecurity and risk control have therefore become challenging issues that businesses are confronted with today.

In addition, ransomware operations are growing in scale and becoming more organized, with increasingly creative means of intrusion.  In recent years, it has become common for hackers to break into corporate intranets or servers, encrypt important corporate data by planting malware, and threaten the victims that their confidential corporate information will be disclosed if they do not pay the ransom.  It is also common for hackers to demand payment in a cryptocurrency (e.g. Bitcoin) to specific wallets in order to avoid tracing.

The dilemma of whether to pay the ransom

In practice, businesses often choose to find a way out by paying the ransom.  However, if the ransomware requires the ransom to be paid in a cryptocurrency, the payment raises the question of whether it constitutes the offense of aiding the hacker ring's "money laundering," since the flow of the money is not easy to trace.

If a business pays the ransom simply as a victim, there is little risk of its constituting an accessory offense under the Money Laundering Control Act, since the money laundering defined under that Act requires "the sources of the proceeds of specific crimes to be covered up or concealed" [1] and a victim's payment does not alter the appearance of the transaction.  However, a business should still be prudent in its decision, since paying the ransom does not guarantee that the encrypted files will be decrypted or that the stolen data will not be leaked, not to mention that such a money flow funds the subsequent crimes of the hacker ring and provides a de facto incentive for further ransomware attacks on businesses.

It should also be noted that under Article 7 of the Counter-Terrorism Financing Act, no person may "make withdrawals, remittance, transfers, payment, deliveries or assignments related to financial accounts, currency or other payment instruments" of the individuals, legal persons and entities on the sanction list announced and designated by the Ministry of Justice.[2]  This prohibition applies regardless of the payer's status as a victim, so the recipient of any intended ransom payment should be checked against the designated list before any payment is made.

Ex post notification and reporting obligation of businesses

Under Article 12 of the Personal Data Protection Act (hereinafter, the "Act"), if a non-public agency violates the provisions of the Act and causes personal data to be stolen, leaked, tampered with, or otherwise infringed upon, it shall investigate and clarify the relevant facts and then notify the persons concerned in an appropriate manner.  In addition, Article 27 of the Act authorizes each competent authority to designate non-public agencies that must formulate a security maintenance plan for personal data files, or methods for handling personal data after the termination of business.

Therefore, when a business suffers an incident of "theft" such as the hacking and encryption of personal data, it is obligated to notify the parties whose personal data are affected, and, for specified businesses, to notify the competent authority within a prescribed period.  The personal data file security maintenance plan formulated in accordance with the requirements of each industry may also require the business to "take appropriate contingency measures to control and reduce the damage to the parties involved in the incident" and to "review the deficiencies and develop a prevention mechanism."[3]  In addition, a "critical infrastructure provider" designated by the competent authority must establish a separate notification and response mechanism in accordance with the Cyber Security Management Act.

Summary

Cybersecurity breaches and extortion are risks that businesses can hardly avoid completely.  In practice, a business that has been hacked may be questioned by its customers and may even face compensation claims, yet it is often difficult for the business to prove that its "systems are flawless" or that "appropriate security measures have been implemented."

The most appropriate response is still to implement security management and compliance in advance as far as possible, and to carry out the cybersecurity policy in full.  The relevant ISO cybersecurity certification schemes (such as ISO/IEC 27001) may be consulted to prevent and minimize damage, and records of security measures and inspections should be retained so that the effectiveness of implementation can be demonstrated and tracked.


[1] Article 2 of the Money Laundering Control Act: The “crime of money laundering” referred to in this Act is committed by anyone who:

1. knowingly disguises or conceals the origin of the proceeds of specified unlawful activity, or transfers or converts the proceeds of specified unlawful activity to help others avoid criminal prosecution;
2. disguises or conceals the true nature, source, the movement, the location, the ownership, and the disposition or other rights of the proceeds of specified unlawful activity; or
3. accepts, obtains, possesses or uses the proceeds of specified unlawful activity committed by others.

[2] For the designated sanction list announced by the Ministry of Justice, please visit: https://www.aml-cft.moj.gov.tw/624184/624196/624197/

[3] Please refer to the Firm's introductory articles titled "Major Personal Data Incidents of Online Retail Businesses and Platforms in Taiwan Shall Be Reported to the Competent Authority in 72 Hours" and "The Ministry of the Interior Prescribed Regulations Governing the Security Maintenance of Personal Data by Nine Designated Categories (such as Construction) of Non-government Agencies. The Obligation to Report Major Incidents Within 72 Hours and Enhanced Information Security Measures Are Specifically Prescribed."


The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners.  All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners. 