Repeated Data Breaches by Home Shopping Company

In the wake of a data leak by Eastern Home Shopping & Leisure (EHS) involving 8,000 pieces of consumer data, the National Communications Commission (NCC) and the Government Information Office (GIO) are suspected of having engaged in buck-passing. Questions remain as to whether the responsible agencies have abided by the Personal Information Act (previously known as the Computer-Processed Personal Data Protection Act, effective since August 1995), and whether they have dutifully monitored the gathering, processing and usage of personal data by nongovernment agencies. The Control Yuan Member on duty authorized an investigation to delve into the matter. (Case no. 0990800380)

When the Personal Information Act first became effective in 1995, the Ministry of Justice (MOJ) was the designated authority. Before the founding of the NCC in February 2006, the GIO was in charge of supervising EHS, a home shopping company launched in 1999. However, the existing Guidelines for Personal Information Management by Broadcasting Industry, introduced by the GIO, fail to specify how home shopping companies should protect personal data. In the absence of an administrative law, the Criminal Code and the Civil Code are the only references available in the event of data breaches. The GIO’s failure to discipline the companies in protecting consumer data is a neglect of duty.

The investigation has identified the NCC, the MOJ and the Banciao District Prosecutors Office as responsible for the leakages. The NCC has not only failed to honor its responsibility as “the central industry competent authority”, objecting to its role as a supervisory body, but has also failed to put a stop to EHS’s repeated data breaches. The MOJ has also been blamed for delaying the designation of the NCC as the central industry competent authority to supervise the private sector before reporting the decision to the Executive Yuan, its superior agency. EHS was reported to have been involved in three incidents of data breaches during that period (from January 24, 2008 through June 2, 2009), yet there was no supervisory body to handle the matter. Although the MOJ and the NCC made a joint announcement on June 11, 2010 to designate the companies as “nongovernment agencies”, subjecting them to the Personal Information Act, the announcement does not cover leakages prior to June 30 of the same year. Also to blame is the Banciao District Prosecutors Office, for failing to identify specific suspects.

In response to the Control Yuan’s recommendation, the agencies at fault have made the following changes. The MOJ has amended the Personal Information Act. The NCC has amended the Satellite Broadcasting Act, effective in December 2003, to ensure that home shopping companies are subject to the Act. The Banciao District Prosecutors Office has divided the case into more manageable parts to allow a thorough investigation.