Discussion on the data communication security management law: the responsibility for data security management that an enterprise cannot avoid
Under constantly changing data security threats, numerous data security incidents occur every day. Whether data security protection inside an enterprise has been improved, and whether its data security management policies are sound, have become important topics that enterprises currently pay attention to. The Taiwan Data Security Response Annual Conference, to be held at the beginning of October, lets participants learn how to solve the data security problems enterprises currently face through talks with well-known domestic and foreign data security experts.
In May this year, the data communication security management law was passed by the Legislative Yuan. The government and enterprises attach more and more importance to the need for data protection. To deploy protective measures properly and avoid data security vulnerabilities caused by unauthorized use and destructive behavior, an enterprise must take the corresponding data security protection measures to minimize the impact.
The law is intended to protect national security and safeguard the interests of citizens. It covers two kinds of entities: central and local government agencies, and specific non-government agencies, namely providers of critical infrastructure, public utilities and government-endowed foundations (juridical persons). The act was passed by the Legislative Yuan in May of this year; in July, six implementing sub-regulations were finalized and announced in advance, and the law is scheduled to take effect officially on January 1, 2019.
What are the differences in the data security risk in the
These are explained through the following three aspects.
- The age of the Internet of Things
Every device that is connected to the Internet, from the PCs and mobile phones of the past to today's wearables, connected AI smart speakers, IP cameras and smart-home equipment, becomes a target for hackers or is hijacked as a zombie device used to attack others. If its data security is not properly protected, every one of them is a risk.
- Data digitalization and online service delivery keep advancing
Both the public and private sectors keep digitalizing. Much data is gradually moving from paper records to the cloud, and personal data in particular has great value on the black market.
- Emerging attack techniques change quickly and are hard to keep up with
Digital technology changes rapidly. For example, a vendor can apply AI to develop various defensive tools, but AI can equally become an attack tool in the hands of malicious individuals.
AI is a hot topic in emerging technology. Meanwhile, attack tools and personal data are sold on the dark web, which is a hotbed of crime.
Given the development of digital technology described above, the competent authorities must establish legislation for data security. Other countries formulated regulations and rules for data communication security management many years before we did. As we are about to become a smart country, the foundations for data security should be properly laid; otherwise the smart country will probably face a great challenge.
For example, several months ago Singapore temporarily suspended its smart nation program because personal data, including that of Prime Minister Lee, had been leaked. The program was paused while the cause of the problem was investigated, and was then resumed. Data security is therefore a very important topic for every country on its way to becoming a digital country.
Levels of impact of data security threats on the country, enterprises and individuals
Countries, enterprises and individuals all face data security risks, but the risks look different from each perspective.
- If personal data security is not properly ensured, personal privacy is harmed when the data leaks.
- If enterprise data security is not properly ensured, property losses can occur. In the data security incident at a well-known semiconductor company, the media reported the losses it suffered. An enterprise faces property loss, reputational damage, loss of competitiveness and legal liability.
- Countries face data security risks at the national level. Terrorists, online spies and state-level hackers attack a country's critical infrastructure because that is where the impact on citizens is greatest.
There have been many cases in recent years in which critical infrastructure was attacked. Several years ago, an attack on a power plant in Ukraine caused a partial power outage. Several months ago, the control system of a port in a certain country was hacked. An airport display system was hacked and shut down, so it could no longer show information normally. In each of these cases, once the infrastructure was attacked, the lives and property of citizens were affected.
Therefore, the country's data security personnel and capabilities must be improved continuously so that future attack techniques can be handled, and defense and protection must keep advancing and strengthening.
The explanations above also justify the need to legislate a data communication security law.
Responding to and reporting data security incidents
When a material data security incident occurs, citizens and enterprises must report it. They can report through the telephone number, email address or official website of TWCERT/CC, providing contact details of the persons involved in the incident, information on the affected host and a description of the incident. Providing more detailed system log information as well makes incident handling easier.
Data security tips for individuals and enterprises: three don'ts and four pithy formulas
Three don'ts
- Do not click suspicious webpage or email links
- Do not open any email attachment
- Do not install software from unidentified sources
Four pithy formulas
- Patch system vulnerabilities.
- Run virus scans.
- Conduct data security training.
- Pay attention to data security news.
Good work requires effective tools.
When an enterprise faces the new attack techniques of the digital age described above, its IT staff should combine integrated proactive protection methods with professional data security systems, so that they can fulfil their management responsibilities under the law and, by being able to produce evidence, stay on firm ground when handling data security incidents. For example, enterprises should be protected through endpoint protection, data leakage prevention, information security, computer asset management and file encryption. Preventing enterprise data security vulnerabilities improves enterprise risk management.