Product Liability of Living Lab Products

Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards” 2022/06/24 I. Introduction 　　The Electronic Identification and Trust Services Regulation (eIDAS)[1] of the European Union was passed in 2014 and came into effect in July 2016. The eIDAS consists of six chapters and its core elements are covered in two parts: Chapter 2 Electronic Identification and Chapter 3 Trust Services. Chapter 3 provides the legal framework for trust services (TS) in relation to electronic transactions and encompasses electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. Each trust service can be provided by trust service providers (TSP) or qualified trust service providers (QTSP). Qualification from the supervisory authority of each member state is required to become a QTSP and provide qualified trust services (QTS). 　　In March 2021, the European Union Agency for Cybersecurity (ENISA) published “Recommendations For QTSPs Based On Standards[2]” for those interested in becoming QTSPs. II. Highlights 　　The eIDAS is technology neutral regarding trust service security requirements, without specifying any technology. In other words, TSP can achieve the level of security required by the eIDAS with different technologies. In fact, the European Union hopes to drive standardization with common grounds gradually formed with industry self-regulation in the legal framework and the trust framework under the eIDAS[3]. 　　Since 2009, the European Union has been formulating the standardisation framework related to electronic signatures with the assistance from standardization bodies such as European Committee for Standardization (CEN) and European Telecommunications Standards Institute (ETSI). The vision is to establish a comprehensive standardization framework to resolve the problems of using electronic signatures across borders within the European Union. A series of standards on electronic signatures and relevant trust services have been put in place, to meet the international requirements and the eIDAS[4]. The ETSI/CEN standards of digital signatures related to QTSP are as follows[5]: 1. Provision of qualified certificates for electronic signatures (Article 28 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-2 and EN 319 412-5). 2. Provision of qualified certificates for electronic seals (Article 38 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-3 and EN 319 412-5). 3. Provision of qualified certificates for website authentication (Article 45 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-4 and EN 319 412-5). 4. Qualified electronic time stamping service (Article 42 of the eIDAS) 　 ETSI EN 319 421 (and in adherence to EN 319 401), EN 319 422. 5. Qualified validation service for qualified electronic signatures (Article 33 of the eIDAS) 　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 6. Qualified validation service for qualified electronic seals (Article 40 of the eIDAS) 　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 7. Qualified preservation service for qualified electronic signatures (Article 34 of the eIDAS) 　 ETSI EN 319 401, TS 119 511 and TS 119 512. 8. Qualified preservation service for qualified electronic seals; (Article 40 of the eIDAS) 　 ETSI EN 319 401, TS 119 511 and TS 119 512. 9. Qualified electronic registered delivery service (Article 44 of the eIDAS) 　 ETSI EN 319 401, EN 319 521, EN 319 522, EN 319 531 and EN 319 532. III. Comment and Analysis 　　The ENISA recommendations demonstrate the European Union’s intention to encourage ICT service providers to become QTSPs by introducing relevant standards in electronic signatures formulated by the European Union standardization bodies. The purpose is to provide companies and users in the European Union with more secure and trustworthy services in relation to electronic signatures. This enhances the confidence of users and promotes the vibrant development of electronic transactions throughout the European Union. 　　Over recent years, Taiwanese companies have been proactively involved in digital transformation. The process toward digitalization often requires assistance from external ICT service providers. However, the unfamiliarity in ICT makes it difficult for companies to judge the professional expertise of providers. Perhaps companies can refer to the introduction above to understand whether a provider meets the requirements of the European Union standards. This serves as a basis for the selection of ICT service providers to ensure a certain level of competences. This will be beneficial to the digital transformation and entrance in the European Union market for companies. [1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG (last visited Jun. 24, 2022). [2] European Union Agency for Cybersecurity [ENISA], Recommendations for Qualified Trust Service Providers based on Standards (2021), https://www.enisa.europa.eu/publications/reccomendations-for-qtsps-based-on-standards (last visited Jun. 24, 2022). [3] id. at 8 [4] id. at 8-9. [5] id. at 11-12

An Introduction to Taiwan’s Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries 2023/11/29 I. Preface The Personal Data Protection Act (below, the “Act”), Article 27, paragraph 3 authorizes all central government authorities in charge of specific industries to formulate regulations regarding security standards and maintenance plans for their concerned industries. Beginning August 27, 2022, Taiwan transferred authority over information services, software publishers, businesses that do retail sales of goods purely via the Internet, third-party payment providers, and other businesses in digital economy industries from the Ministry of Economic Affairs to the newly-established Ministry of Digital Affairs (MODA). Businesses in the digital economy industries collect, process, and use large amounts of important personal data, and therefore bear a relatively heavy responsibility for maintaining the security of personal data. In light of this, and in accordance with the Act, Article 27, paragraph 3, the MODA therefore promulgated the Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries (below, the “Regulations”) on October 12, 2023. These Regulations specify the standards for digital economy industries’ personal data file security maintenance plans and rules governing the handling of personal data following a business termination (below, “security and maintenance plans”, or “SMPs”). These regulations apply to all businesses in the digital economy industries. In order to reinforce responsibility for personal data security maintenance in the digital economy industries, tiered management is applied to businesses at different scales. The key points of these Regulations are introduced below. II. Where the Regulations apply As stipulated in the Regulations, Article 2, the “digital economy industries” that these Regulations apply to refer to any natural person, private juridical person, or other group, that engages in any of the following business operations: 4871 Retail Sale via Internet (industries that engage in retail sales to others via the Internet, but not including television, radio, phone, or other electronic means, nor postal sales); 582 Software Publishing; 620 Computer Programming, Consultancy and Related Activities; 6312 Data Processing, Hosting and Related Activities (industries that engage in processing customers’ data, server & website hosting, and other related services, but not including online audio/video streaming services); 639 Other Information Service Activities; or 6699 Other Activities Auxiliary to Financial Service Activities Not Elsewhere Classified (third-party payment industries, but not including other fund management activities). For the specific industries covered, see Attachment 1 of the Regulations. III. Security maintenance and management measures The relevant measures are stipulated in Articles 3 to 17 of the Regulations. In consideration that the businesses so regulated may collect, process, or use large amounts of personal data as part of their business activities, they bear a larger responsibility for maintaining the security of personal data than does the average enterprise. In compliance with the Regulations, every such enterprise is required to formulate an SMP, the content of which shall comply with the specifications in Articles 5 to 17. This includes putting in place management personnel and relevant resources; defining and inventorying the scope of personal data; risk assessment; putting internal management procedures in place; and other such matters. These Regulations also adopt tiered management for businesses based on their capital levels, in order to reinforcement the frequency at which security maintenance measures are performed. The specific regulations for security maintenance measures are introduced below. 1. Formulating an SMP In accordance with the Regulations, Article 3, and in order to maintain the security of personal data, each enterprise shall, within three months of the date the Regulations take effect, plan and formulate their SMP. Every enterprise shall also cause all staff members to understand and fully implement the SMP. In order to monitor implementation, the MODA may require that each enterprise submit its implementation of SMP; the enterprise shall then submit their implementation status information in written form within the specified time limit. 2. Making the protection policy known internally In accordance with the Regulations, Article 4, and to make sure that everyone in the enterprise comprehends and implements personal data protection, each enterprise shall make its personal data protection policies known to all personnel within the enterprise. Matters that must be explained include Taiwan’s legal regulations and orders on personal data protection; how personal data may only be collected, processed, and used for specific purposes and in a reasonable, secure way; that protective technology must be at a level of security that could be reasonably expected; points of contact for rights relating to personal data; personal data contingency plans; and proper monitoring of outsourced service providers to whom personal data is outsourced. All of this must be done to make sure that every enterprise carries out their duty for comprehensive, continuous SMP implementation. 3. SMP content (1) Putting in place management personnel with relevant resources In accordance with the Regulations, Article 5; in accordance with both the Regulations as a whole and other laws and orders regarding the protection of personal data; and in order to implement personal data protection, each enterprise shall do the following things: Weigh the size and characteristics of their business to reasonably allocate operating resources; take responsibility for the personal data protection and management policy; and formulate, revise, and implement their SMP. Also, the enterprise’s representative or the representative’s authorized personnel shall carry out formulation and revision, in order to make sure that the SMP’s content is fully carried out. (2) Establishing the scope of personal data In accordance with the Regulations, Article 6, in order to define the scope of personal data to be included in the SMP, each enterprise shall periodically check the status of personal data that is collected, processed, or used. (3) Risk assessment and management mechanisms for personal data In accordance with the Regulations, Article 7, in a timely manner, and in accordance with their already-established personal data scopes and the processes in which their business involves the collection, processing, or use of personal data, each enterprise shall evaluate risks that may arise within their scope and processes. Based on the risk evaluation results, each enterprise shall then adopt appropriate security management and response measures. (4) Incident prevention, reporting, and response mechanisms In accordance with the Regulations, Article 8, and in order to reduce/control damages to data subjects resulting from personal data theft, tampering, damage, destruction, leakage, or other such security incidents, each enterprise shall formulate response, reporting, and prevention mechanisms: 1. Response mechanism: Methods to be followed after a security incident has occurred, to reduce/control damages to data subjects, and appropriate ways to notify data subjects after an incident investigation, as well as what such notifications shall contain. 2. Notification mechanism: Post-incident notifications to data subjects, in a form (such as email, text message, phone call, etc.) that makes it convenient for such subjects to learn what has occurred and what the incident handling status is; also, providing data subjects with a hotline or other way of seeking information later on. 3. Prevention mechanism: A post-incident mechanism for discussing and adjusting the prevention measures. Within 72 hours after an enterprise learns that a personal data security incident has occurred, the enterprise shall use Attachment 2, the Enterprise Personal Data Leak Reporting Form, to notify the MODA of matters such as: A description of what caused the incident; an incident summary; the damage status; possible results from the personal data leakage; proposed response measures; proposed method and time for notifying data subjects; etc. Alternately, the enterprise may notify the special municipality or county/city government to then notify the MODA. If the enterprise is unable to report the incident within the time limit or is unable to supply complete reporting information all at once, the enterprise shall attach explanation of the reasons for the delay, or provide the information in stages. After the MODA or the special municipality or county/city government receives a report, they may implement reasonable handling in accordance with Articles 22 to 25 of the Act. (5) Internal management procedures for personal data collection, processing, and usage In accordance with the Regulations, Article 9, in order to ensure that their collection, processing, and use of personal data complies with the laws and orders regarding the protection of personal data, each enterprise shall do the following: Formulate internal management procedures; assess whether the use, processing, or collection of special categories of personal data are involved; assess data subjects’ consent has been obtained; assess whether the legal circumstances create an exemption from the obligation to inform; etc. The internal management measures shall also include providing data subjects with information on their rights in accordance with the Act, Article 3; putting in place mechanisms for ensuring the accuracy of and inquiring regarding personal data; and periodically reviewing whether the specific purposes for collecting personal data still exist or have expired. (6) Limits, notifications, and monitoring for international transfers In accordance with Article 10 of the Regulations and Article 21 of the Act, when an enterprise’s transfer of personal data across a national border affects data subjects to the extent that there is a major national interests concern, the enterprise shall assess whether MODA restrictions apply to the transfer. The enterprise shall also notify the data subjects of the region(s) that the data is transferred to; perform appropriate monitoring of the data recipient; and provide the data subjects with information on their rights in accordance with the Act, Article 3. (7) Data, personnel, and equipment security management measures 1. Data security management measures: In accordance with the Regulations, Article 11, and when personal data is backup, kept confidential, or transferred by various means based on the risk assessment results, each enterprise shall put in place protective measures against abnormal access behaviors. When an enterprise provides information/communication technology services, the enterprise shall also put in place and regularly monitor intrusion countermeasures, abnormal access monitoring and contingencies, anti-malware mechanisms, account password verification, system testing, and other such data security management measures. 2. Personnel security management measures: In accordance with the Regulations, Article 12, each enterprise shall contractually specify the obligation to maintain confidentiality with all staff members; identify personnel who job duties involve collecting, processing, or using personal data; and periodically assess the appropriateness and necessity of personnel’s permissions to access personal data. 3. Equipment security management measures: In accordance with the Regulations, Article 14, and to prevent personal data being stolen, tampered with, damaged, destroyed, or leaked, each enterprise shall put in place appropriate media protection for personal data storage devices. The protection requirements include management measures such as technology, equipment and secured environments that meet a specific level of security. (8) Education and training In accordance with the Regulations, Article 13, each enterprise shall periodically use education and training to ensure that all staff members understand the following things: The laws and regulations pertaining to personal data protection; their personal duties and roles within their scopes of responsibility; and the requirements for all SMP management procedures, mechanisms, and measures. For any enterprise that engages in retail sales via the Internet, their SMP shall include user training and education regarding personal data protection and management; and the enterprise shall also formulate personal data protection rules for compliance. (9) Continuous audit, recording, and improvement mechanisms 1. Data security auditing mechanisms: In accordance with the Regulations, Article 15, each enterprise shall periodically do internal audits of personal data, then put the audit results into an evaluation report that reviews improvements to the enterprise’s protection policy, SMP, etc. If there are any deficiencies, the enterprise shall make corrections. 2. Use of records, tracking data, and retention of evidence: In accordance with the Regulations, Article 16, and as part of carrying out its SMP, each enterprise shall retain a minimum of five years of records on the collection, processing, and use of personal data; tracking data for automated machinery; and evidence of having implemented the SMP. After an enterprise’s operations cease, it shall retain records of the destruction, transfer, or other deletion of personal data for a minimum of five years. 3. Comprehensive, continuous improvement for personal data security maintenance: In accordance with the Regulations, Article 17, any time an enterprise’s SMP is not implemented, the enterprise shall adopt corrective and preventive measures. Also, based on the SMP’s implementation status, its handling methods/implementation status, developments in data technology, adjustments to the enterprise’s business, and changes in the law and regulations, each enterprise shall periodically review and amend its SMP. 4. Tiered management In accordance with the Regulations, Article 18, and to prevent relatively small businesses having to take on excessive personal data management costs, tiered management is applied. For an enterprise with a specific business scale (having capital of NT$10 million or more, or holding 5,000 or more personal data records), stronger security measure implementation is required, namely, the personal data security measures shall be implemented, reviewed, and improved at least once every twelve months. If an enterprise reaches NT$10 million or more in capital after the Regulations take effect, or if an enterprise’s number of personal data records held reaches 5,000 or more as a result of direct or indirect data collection, then within six months of meeting those conditions, the enterprise shall implement and review the improvement measures at least once every twelve months. 5. Outsourced personal data Commercial outsourcing in the digital economy comes in many forms. In light of this, and in order to make clear each enterprise’s security management obligations with regard to the collection, processing, and use of personal data, Article 19 of the Regulations clearly spells out what duties shall be carried out with regard to any outsourcing that touches on personal data. When an enterprise outsources the collection, processing, or use of personal data, it is considered equivalent to the enterprise’s own activity. Thus, the enterprise shall understand and follow the legal orders and regulations on personal data set by the central government authorities in charge of the outsourcing party’s industries. Any oversight responsibilities arising from outsourcing the collection, processing, or use of others’ personal data shall be clearly stipulated in the outsourcing contract or other such documents. IV. Conclusion The Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries are designed to balance development for Taiwan’s digital economy industries with comprehensive, continuous improvement of personal data security maintenance. In pursuit of those goals, the Regulations clarify what each enterprise must do: Plan, formulate, and carry out security maintenance plans for personal data that falls within the bounds of the enterprise’s business; ensure that all staff members receive training on personal data protection; provide personal data subjects with channels to file complaints and seek consultation on their rights; and inform the government authorities in charge of the digital economy about the enterprise’s SMP, including the status of any personal data security incidents. All this is done in hopes that the security measures will continuously improve the security of personal data in Taiwan’s digital economy industries.

How Does Taiwan Respond to Tax Challenges Arising from Digitalization Yuan-Qing, Liao Attorney and Legal Researcher 2022/3/24 I. The Tax Challenges arising from Digitalization 　　According to the Ability-to-pay principle, companies need to pay income tax for their income or profit. Nevertheless, in order to avoid their tax obligations, Multinational Corporations (MNCs) have been continuously developing sophisticated and refined tax planning practices to disconnect or mismatch between “where value is created” and “where taxes are paid”, and such practices erode the tax base.[1] 　　A well-known example of trade model under digitalization of MNCs is that “MNCs do not necessarily have to open domestic physical stores or set up servers, those domestic consumers can purchase goods and services from MNCs directly through the Internet”. This trade model not only breaks the international tax rules “With Permanent Establishment (PE), With taxing power”, but also disconnects or mismatches between “where value is created” and “where taxes are paid” more perfectly. As a result, the taxing power of “where value is created” is eroded. This is a classical type of challenges faced by tax regulators in the age of digitalization of the economy. 　　In response, The European Commission (EC) and The Organization for Economic Cooperation and Development (OECD) had respectively proposed new plans to ensure that digital business activities are taxed in a fair and friendly way. (I) The Digital Service Tax proposed by EC[2] 　　In 2018, EC proposed a temporary tax - Digital Services Tax (DST), which a basic rate of 3% to be imposed on revenues of a digital platform when such platform meets all of the following criteria, including (1) online placement or advertising services, (2) sales of collected user data, (3) facilitate interactions between users, (4) annual worldwide revenues exceeding 750 million euros and (5) taxable revenues within the European Union (EU) exceeding 50 million euros.[3] 　　Concerning that the DST apparently targeting US MNCs - Google, Amazon, Facebook and Apple (GAFA), the US government once threatened to impose retaliatory tariffs. Insofar, it seems that only a part of MNCs will be immediately affected by DST, but the entire trading systems in the rest of the world will be impacted if the retaliatory tariffs conducted by the US take effect. (II) The Two-Pillar plan released by OECD[4] 　　In October 2020, OECD had released Reports on the Pillar One and Pillar Two Blueprints (The Two-Pillar plan), which aimed to terminate the international dispute resulting from DST of EC and provide solutions for tax challenges arising from the digitalization of the economy in the long term.[5] 　　Pillar One is “Unified Approach”, to ensure the exercise of taxing powers of governments and a fairer distribution of profits among countries where largest MNCs, including digital companies are located at. It would “re-allocate” the taxing powers over MNCs among governments of different jurisdictions. The governments located at the place where MNCs have business activities and earn profits will have the tax powers over those MNCs, even MNCs do not have a physical presence there. Pillar Two is “Global Anti-Base Erosion rules (GloBE)”, tried to protect tax bases of countries through the introduction of “Global Minimum Tax (GMT)” which sets up a minimum corporate income tax rate on MNCs to prevent tax competitions among countries. 　　Compared with DST proposed by EC, which focuses on the taxing powers of the government that is located at the place where value is created. The Two-Pillar plan focuses more on both re-allocation of international taxing powers and protects the tax base of each country. (II) The Consensus on The Two-Pillar plan[6] 　　The Group of Seven (G7[7]), G20[8] and 137 countries and jurisdictions OECD stated not only agreed to remove the DST or the similar measures, but also had a consensus on Two-Pillar plan to reform international taxation rules[9]. In order to ensure that MNCs pay a fair share of tax wherever they operate, as well as to set a GMT rate to protect tax base of each country. Moreover, the new international tax system that the GMT rate is 15%[10] is expected to take effect in 2023 and an estimated 154 domestic MNCs will be thus affected accordingly. II. The Response of Taiwan to Tax Challenges 　　A foreign enterprise has to pay Taiwan taxing regulators enterprise income tax for income generated in Taiwan in the premise that this foreign enterprise has a PE in Taiwan. In other words, a PE in Taiwan, which is recognized as the fixed place of business through which the business of an enterprise is wholly or partly carried on[11], is the determinant that affects the power of Taiwan to tax the profits of a foreign enterprise. In brief, “No PE, No taxing power”. 　　In the era of digitalization, the foreign enterprises can create value through the digital means without establishing a PE in Taiwan. The situation of disconnection or mismatch between where value is created and where taxes are paid not only erodes the taxing power of Taiwan, but also breaks the principle of equality in substantive taxation[12] as mentioned above. As a result, the Ministry of Finance (MOF) adjusted and implemented several new taxation policies or measures, including, inter alia, “Income Taxation on Cross Border Electronic Services[13]” and “Income Basic Tax Act”. These two measures were once considered similarly to DST or GMT individually. (I) Income Taxation on Cross Border Electronic Services 　　Responding to tax challenges posed by foreign enterprises under digitalization, the MOF promulgated a new income tax regulation “Income Taxation on Cross Border Electronic Services[14]”, and asked those foreign enterprises who provide cross-border electronic services to purchasers in Taiwan, shall register for business value-added tax (VAT), including register a tax identification number and file taxes. The causation between the electronic services and national economy shall be the determinant to identify income generated in Taiwan: The payment made by a purchaser located in Taiwan to a foreign enterprise in order to procure following products or services provided by such foreign enterprise shall be deemed as income generated in Taiwan. (1) The product that is produced, manufactured, transmitted, downloaded and saved in a digital device and can only be provided with assistance by individuals or enterprises in Taiwan. (2) The real-time, interactive, handy, and continuing electronic services that are provided through digital means A foreign enterprise provides a digital platform to conduct transactions, once one of the transaction parties is in Taiwan, the sales amounts shall be recognized as income generated in Taiwan (II) Income Basic Tax Act (IBT) 　　To promote domestic economic development and industrial innovation, Taiwan has enacted many laws on tax incentives, mainly tax deductions and credits. However, these laws have been overdeveloped, the implement period has also been excessively extended, which contributes to severely unreasonable tax burden inequality. 　　Therefore, Taiwan officially introduced Alternative Minimum Tax System (AMT) and promulgated Income Basic Tax Act (IBT)[15] since 2006. As a separate taxation system, AMT is imposed by government that places a floor on the percentage of taxes a certain filer must pay, regardless of how many tax incentives the filer may claim[16]. Hence, in accordance with Article 1 of IBT “[T]he purposes of this Act are to uphold tax equity, to ensure tax revenue for the country, and to establish the basic requirements of profit-seeking enterprises and individuals in regard to their obligation to fulfill their income tax burden as a contribution to public finance.” 　　AMT uses a different set of rules to determining taxable income compared with the normal tax calculations. Once the regular income-tax amount is higher than the AMT, the taxpayer pays the regular income tax. Thus, if AMT is higher, then the taxpayer pays the AMT. And according to Article 8 (1) of IBT, the enterprise IBT rate is prescribed of 12% since 2013.[17] 　　However, according to Article 3 (1) (5) of IBT[18], a foreign enterprise without domestic fixed place of business or domestic business agent is not regulated by IBT. (III) Conclusion “Income Taxation on Cross Border Electronic Services (Hereinafter referred to as “the measure”)” asked the foreign enterprises to file income tax. But the elements of “the measure” are different from DST. The reasons may be (1) “This measure” has been designed and promulgated earlier than DST and (2) The DST is essentially more like alternative minimum tax. IBT may effect by the concept of “with PE, with taxing power”. Therefore, a foreign enterprise without PE in Taiwan is not regulated by IBT, this means “No PE, No obligation of IBT”. Also, the IBT rate of profit-seeking enterprise is 12%. III. The Remaining Problems of Tax System in Taiwan 　　It is foreseeable that with the international consensus on launching the Two-Pillar Plan in 2023, those countries and jurisdictions will start to adjust their tax policies, inclusive of increasing the income tax rate as well as basic tax rate. As long as the issue of "Taiwan companies abusing tax planning to hide wealth aboard and avoid domestic tax obligations" is not solved, this issue will lead to the continuous erosion of Taiwan taxing power. 　　Concretely, in order to reduce domestic tax burden, several Taiwan companies abusing tax planning to detain profits in foreign affiliated companies or disguise as foreign companies. Though Income Taxation on Cross Border Electronic Services has taking effect, those companies pay income tax only on income generated in Taiwan instead of global income. Therefore, the Controlled Foreign Company Rules and the Place of Effective Management Rules have been proposed. (I) The Controlled Foreign Company Rules 　　A controlled foreign corporation (CFC) is a corporate entity that is registered and conducts business in foreign countries or jurisdictions, and is either directly or indirectly controlled by a resident taxpayer. 　　According to Article 43-3 of the Income Tax Act, if a parent company holds 50% or more of the shares of a foreign subsidiary, or has significant influence on such foreign subsidiary, the subsidiary may be seen as a conduit of the parent company and subject to domestic enterprise income, whether there is dividend distribution to the parent company or not, unless the subsidiary can pass the substantial activity test or its revenue is below a certain threshold.[19] 　　Yet, the “Paragraph 3”, compared with “Paragraph 4”, is not ruled the “a CFC can deduct the domestic income tax from foreign income tax it paid[20]”, which may result in double taxation. 　　The Taiwan CFC rules have not come into effect yet. However, according to the ancillary resolution passed by Legislative Yuan[21], our CFC Rules will come into effect within one year after the tax amnesty legislation, "The Management, Utilization, and Taxation of Repatriated Offshore Funds Act", expires. Namely, the Taiwan CFC Rules will finally come into effect in 2022 at the latest. (II) The Place of Effective Management Rules 　　The place of effective management (PEM) is defined as a place where key managements and commercial decisions a business entity substantially made.[22] This means, once a foreign company sets and operates a branch in Taiwan, and this branch substantially made key managements and commercial decisions for the foreign company, then it will be deemed as a PEM, the foreign company will also be deemed as a domestic company, and will be subject to tax assessment in accordance with the Taiwan Income Tax Act and other tax regulations.[23] 　　Following the PEM rules, which is incorporated into Article 43-4 of the Income Tax Act, the elements of PEM including (1) decision making location, (2) record keeping and maintenance location, and (3) actual operating location are all in Taiwan. 　　However, take foreign experience for example, German practice believes that the PEM rules only need to list "decision making location" as a necessary condition. The rest elements "record keeping and maintenance location" and "actual operating location" are more like reference factors than necessary conditions[24]. 　　The Taiwan PEM rules list all three elements as necessary conditions, which may probably cause excessive restrictions on future applications. And the PEM Rules were announced by the MOF in July 2016, which have yet to take effect neither. (III) Attachment: The Sophisticated and Conflicting Tax System 　　The enterprise income tax rate in Taiwan is 20% to 24% in accordance with Article 5 (5) and Article 66-9 (1) of Income Tax Act. Still, to achieve specific policy goals by promoting or suppressing certain behaviors, a policy that oriented tax deductions and credits is called tax incentives, and the disadvantage of which is apparently turn the tax burden into inequality. In the end, to solve the inequality of tax burden resulting from tax incentives and to ensure tax revenue, the minimum tax will be levied by AMT. The AMT rate in Taiwan is 12% as aforementioned. 　　The implementation of tax incentives and AMT has made the domestic tax system over-complicated. Since the overused tax incentives have abnormally increase the amount of uncompetitive enterprises, who heavily rely on them. While the AMT may strangle the enterprises, who are compliance with economic policies. Then, the interaction and conflicts between tax incentives and AMT not just complicate the domestic tax system, also substantively result in unpredictability and inconsistency of domestic tax environment, which may cause a double-loss situation between tax revenue for the country and economic development policies. IV. Conclusions and Prospects (I) Conclusion Amend the Income Basic Tax Act and Increase Enterprise Rate to at Least 15% 　　First, those foreign enterprises without PE but create value in Taiwan are not ruled by IBT. Second, the enterprise IBT rate in Taiwan is now 12%, apparently lower than GMT of 15%. If IBT rate maintains 12% through 2023, the difference between GMT and IBT may be deemed as a harmful tax-based competition. Hence, it is imperative to amend the IBT to rule the foreign enterprises without PE but create value in Taiwan and increase the enterprise IBT rate to at least 15%. 　　Once consider that GMT is aimed at large MNCs, the IBT may adopt a categorized approach and set different rates based on the size of the enterprise. For instance, increase the IBT rate of MNCs that meet all GMT criteria to 15%, and the rest maintains 12%. Amend and Take CFC rules and PEM rules into effects 　　A domestic company pays income tax on global income, while a foreign company with PE in Taiwan pays income tax on income generated in Taiwan. Responding to digitalization, the implement of Income Taxation on Cross Border Electronic Services regulates foreign companies without PE in Taiwan to pay income tax generated in Taiwan fairly. 　　It is necessary to implement both CFC rules and PEM rules, to prevent domestic companies from abusing tax planning to detain the profit in foreign affiliated companies or to disguise as foreign companies for reducing domestic tax burden, which may continuously eroding taxing power of Taiwan. However, CFC rules and PEM rules still leave some problems to be improved and solved as aforementioned, which is undoubtedly the obligation of Taiwan government. (II) Prospects Substantive Review the Tax Incentives and Reconstruction of Taiwan Tax System 　　The Reasoning of Interpretation No.565 mentioned that “[W]hile taxpayers should, under the principle of equality in taxation, pay taxes which they are supposed to pay according to their actual taxpaying ability, it is not forbidden by Article 7 of the Constitution to specify, with reasonable cause, differential treatments by way of exceptions or special provisions within the scope of discretion authorized by law to grant taxpayers of a particular class tax benefits in the form of tax reduction or exemption in order to promote the public interest.”. 　　The principle of ability-to-pay means that those who have greater ability to pay taxes, usually measured by income, wealth and financial capability, should pay more in taxes compared with those who have minor capability. Since taxation is the pecuniary obligation with non-counter performance under public law, the only foundation of legitimacy is the principle of ability-to-pay. Therefore, this is the core principle of the tax law. 　　To achieve specific policy goals, a policy that oriented tax deductions and credits to promote or suppress certain behaviors is called tax incentives, which can be permitted only in case of justifiable reasons presented. Nevertheless, the weak connection between the policy goals and the tax incentives made the acts, especially the tax incentives, unreasonable. 　　Additionally, the tax-form expenditure is generally a formal review of fiscal balance, no substantive review of the impact on principle of ability-to-pay taxation and the compensation for it. Under these premises, the excessively extended implementation period of tax incentives has resulting in severely unreasonable tax burden inequality and excessive reliance of uncompetitive enterprises on tax incentives. 　　To sum up, instead of implement the tax incentives to limit the principle of ability-to-pay, then solve it with AMT. The enactment, amendment and implement of tax laws must strictly abide by above principle. The restriction of above principle must be strictly review and limited as a whole. Namely, it is better to comply with the principle of ability-to-pay strictly. Therefore, it is important to substantively review the domestic tax incentives and reconstruct the domestic tax system. Ministry of Digital Development and The Tax Reform 　　Taiwan government is intending to form Ministry of Digital Development (MODD),[25] which is considered as a step toward the right direction to coordinate and expedite the development of Taiwan’s digital economy. 　　According to Article 1 of the Organizational Act of MODD, "[T]o promote the development of digital industries such as national communications, information, cyber security, network and communication, to undertake digital governance and digital infrastructure, and to assist the digital transformation of public and private sectors, the Executive Yuan has specially established the Ministry of Digital Development."[26] 　　However, in name of the above-mentioned policies and ideals, which may possibly related to tax policies. Thus, this article considered that, once the MODD is staffed with public servants and experts both proficient in tax law as well as forward-thinking, and given a clear mandate, the MODD may not only contribute significantly to both domestic digital transformation and the tax reform, but also improve the efficiency of tax administration and maximize the overall economic and social benefits. [1] OECD, 〈BEPS – Base Erosion and Profit Shifting〉, https://cleartax.in/s/beps-oecd (last visited Aug 20, 2021). [2] 拙著，〈柳暗花明的數位服務稅〉，工商時報名家評論，2021年5月17日，網址：https://view.ctee.com.tw/tax/29375.html，最後瀏覽日：2021年11月24日。 [3] 陳衍任，〈歐洲數位服務稅發展簡析〉，台灣經濟論衡，2020年3月，第18卷第1期，頁58，網址：https://www.ndc.gov.tw/Content_List.aspx?n=1BD4A3B93EF55A5F，最後瀏覽日：2021年4月21日。 [4] 拙著，〈勢在必行的全球企業最低稅負制〉，工商時報名家評論，2021年4月20日，網址：https://view.ctee.com.tw/tax/28814.html，最後瀏覽日：2021年11月24日。 [5] 拙著，〈勢在必行的全球企業最低稅負制〉，工商時報名家評論，2021年4月20日，網址：https://view.ctee.com.tw/tax/28814.html，最後瀏覽日：2021年11月24日。 [6] 拙著，〈取消數位服務稅已為國際趨勢〉，工商時報名家評論，2021年11月23日，網址：https://view.ctee.com.tw/economic/34152.html，最後瀏覽日：2021年11月24日。 [7] Mayer Brown LLP, 〈The G7 Agrees on a Broad Framework for Pillar One and Two〉, June 23, 2021, https://www.mayerbrown.com/en/perspectives-events/publications/2021/06/one-small-step-but-perhaps-one-giant-leap-for-global-tax-reform-the-g7-agrees-on-a-broad-framework-for-pillar-one-and-two (last visited Nov 11, 2021). [8] G20, 〈G20 ROME LEADERS’ DECLARATION〉, at 11 of 20, https://www.g20.org/wp-content/uploads/2021/10/G20-ROME-LEADERS-DECLARATION.pdf (last visited Nov 11, 2021). [9] OECD, 〈Mauritania joins the Inclusive Framework on BEPS and participates in the agreement to address the tax challenges arising from the digitalization of the economy〉, https://www.oecd.org/tax/mauritania-joins-the-inclusive-framework-on-beps-and-participates-in-the-agreement-to-address-the-tax-challenges-arising-from-the-digitalisation-of-the-economy.htm (last visited Nov 11, 2021). [10] Statement on a Two-Pillar Solution to Address the Tax Challenges Arising From the Digitalization of the Economy, at 4 (Aug 2021), available at https://www.oecd.org/tax/beps/statement-on-a-two-pillar-solution-to-address-the-tax-challenges-arising-from-the-digitalisation-of-the-economy-july-2021.pdf (last visited Aug 20, 2021). [11] Model Tax Convention on Income and on Capital 2010 (Full Version), at c(5)-1 (2010), available at https://read.oecd-ilibrary.org/taxation/model-tax-convention-on-income-and-on-capital-2010_9789264175181-en#page208 (last visited Aug 20, 2021) [12] 稅捐稽徵法第12條之1第1項：「涉及租稅事項之法律，其解釋應本於租稅法律主義之精神，依各該法律之立法目的，衡酌經濟上之意義及實質課稅之公平原則為之。」亦有釋字第420、460、496、519、597、625及第700號供參。 [13] 資誠，〈法國徵數位服務稅，我不跟進〉，2019年7月24日報導，網址：https://www.pwc.tw/zh/news/media/media-20190724-1.html，最後瀏覽日：2021年4月15日。 [14] 財政部賦稅署，〈外國營利事業跨境銷售電子勞務課徵所得稅制度簡介〉，2018年4月27日，頁1以下，網址：https://www.dot.gov.tw/download/dot_201804270002_1_doc_476，最後瀏覽日：2021年4月21日。 [15] 中華民國94年12月28日總統華總一義字第09400212601號令制定公布全文18條；本條例施行日期除另有規定外，自95年1月1日施行。 [16] 所得基本稅額條例第1條：為維護租稅公平，確保國家稅收，建立營利事業及個人所得稅負擔對國家財政之基本貢獻，特制定本條例。 [17] 財政部台財稅字第10100670710號函：自102年度起營利事業基本稅額之徵收率為12％。 [18] 所得基本稅額條例第3條第1項第5款：營利事業或個人除符合下列各款規定之一者外，應依本條例規定繳納所得稅：五、所得稅法第七十三條第一項規定之非中華民國境內居住之個人或在中華民國境內無固定營業場所及營業代理人之營利事業。 [19] 所得稅法第43條之3第1項：營利事業及其關係人直接或間接持有在中華民國境外低稅負國家或地區之關係企業股份或資本額合計達百分之五十以上或對該關係企業具有重大影響力者，除符合下列各款規定之一者外，營利事業應將該關係企業當年度之盈餘，按其持有該關係企業股份或資本額之比率及持有期間計算，認列投資收益，計入當年度所得額課稅：一、關係企業於所在國家或地區有實質營運活動。二、關係企業當年度盈餘在一定基準以下。但各關係企業當年度盈餘合計數逾一定基準者，仍應計入當年度所得額課稅。 [20] 參考「所得稅法增訂第43條之3建立我國受控外國公司(CFC)課稅依據，係以受控外國公司當年度盈餘，依控制公司對其持有之資本比率按「權益法」認列之國外投資收益。惟查此依權益法認列之投資收益，似漏未規定該關係企業在國外已納所得稅額可予扣抵，恐形成公司階段稅負重複課稅；對照本條第4項規範營利事業於實際獲配股利或盈餘時，國外已納所得稅額得予扣抵之規定，其疏漏自明。」立法院，〈受控外國公司課稅新制相關問題評析〉，110年8月，網址：https://www.ly.gov.tw/Pages/Detail.aspx?nodeid=6590&pid=210513，最後瀏覽日：2021年10月25日。 [21] 境外資金匯回管理運用及課稅條例自2019年8月15日起施行，施行期間2年，已於今（2021）年8月14日失效，故我國CFC制度至遲於明（2022）年8月14日前報請行政院核定施行日期。參考「另附帶決議針對105年增訂之「所得稅法」第43條之3條文（營利事業CFC制度），與106年增訂之「所得基本稅額條例」第12條之1條文（個人CFC制度），要求財政部於本案施行期滿後1年內報請行政院核定施行日期，有助落實反避稅條款。」立法院，〈制定境外資金匯回管理運用及課稅條例〉， 網址：https://www.ly.gov.tw/Pages/Detail.aspx?nodeid=33324&pid=184215，最後瀏覽日：2021年8月20日。 [22] OECD, 〈THE IMPACT OF THE COMMUNICATIONS REVOLUTION ON THE APPLICATION OF “PLACE OF EFFECTIVE MANAGEMENT”AS A TIE BREAKER RULE〉, at 4 (Feb 2001), https://www.oecd.org/ctp/treaties/1923328.pdf (last visited Aug 20, 2021). [23] 所得稅法第43條之4第1項：依外國法律設立，實際管理處所在中華民國境內之營利事業，應視為總機構在中華民國境內之營利事業，依本法及其他相關法律規定課徵營利事業所得稅；有違反時，並適用本法及其他相關法律規定。 [24] 參考「從德國的經驗回頭看台灣可以發現：台灣雖然立意良善地將「決策者或決策地」、「帳簿及會議紀錄的製作或儲存地」，以及「實際執行主要經營活動地」，「同時」列為PEM的認定標準。然而，其中只有「決策者或決策地」確實屬於PEM認定上的必要條件；至於將「財務報表、會計帳簿紀錄、董事會議事錄或股東會議事錄的製作或儲存處所」及「實際執行主要經營活動地」也列為PEM的認定標準，恐怕就值得商榷。因為上述兩項標準，固然可以作為認定企業的PEM是否在台灣境內的「參考因素」，但卻不適合作為認定企業的PEM在台灣境內的『必要條件』」。陳衍任，〈實際管理處所在適用上的爭議問題〉，月旦會計實務研究，2018年3月，頁29以下。 [25] 2021 Taiwan White Paper Overview, 〈Facing New and Existing Challenges Head On〉, at WP7 (2021), https://amcham.com.tw/wp-content/uploads/2021/06/June-2021-Taiwan-Business-TOPICS.pdf (last visited Aug 20, 2021). [26] 作者自譯。

1.Introduction Cyber insurance is one of the effective tools to transfer cyber and IT security risk and minimize potential financial losses. Take the example of Sony’s personal information security breach, Sony made a cyber insurance claim to mitigate the losses. In Taiwan, the cyber insurance market demand was driven by Taiwan’s Personal Information Protection Act (PIPA) which was passed in April 2010 and implemented in Oct 2012. According to PIPA, a non-government agency including the natural persons, juridical persons, or group shall be liable for the damages caused by their illegal collection, processing or using of personal information or other ways of infringement on the rights of the individual whose personal information was collected, processed or used. The non-government agency may thus pay each individual NT$500 to NT$20,000 and the total compensation amount in each case may be up to NT $200 million if there is no evidence for actual damage amount. However, the cyber insurance market does not prosper as expected one hand because of the absence of incentives of insurance companies to develop and promote the cyber-insurance products and on the other hand because of the unaffordable price that deters many companies from buying the insurance. Some countries have tried to identify the incentives and barriers for the cyber insurance market and have taken some measurements to kick start its development. In this paper, the barriers for the cyber insurance market were addressed and how American government promoted this market was mentioned. Finally, suggestions on how to stimulate the cyber insurance market growth were proposed for reference. 2.What is cyber insurance? Insurance means the parties concerned agree that one party pays a premium to the other party, and the other party is liable for pecuniary indemnification for damage caused by unforeseeable events or force majeure1. Thus, the cyber insurance means the parties concerned agree that one party pays a premium to the other party, and the other party is liable pecuniary indemnification for damage caused by cyber security breach. The cyber insurance usually covers the insured's losses (or costs) and his liabilities to the third party. For example, the insured was to be liable for the damages caused by the unlawful disclosure of identifiable personal information belonging to the third party resulted from the insured's negligence. 2Typically, cyber insurance covers penalties or regulatory fines for data breaches, litigation costs and compensation arising from civil suits filed by those whose rights are infringed, direct costs to notify those whose personal data was illegal collected, processed or used and so on. 3 3.What are the barriers for cyber insurance market? Per the report made by European Network and Information Security Agency in2012, the following issues have significant influence on incentives of insurers to design and provide cyber –insurance products, including uncertainty about the extent of risk and lack of robust actuarial data, uncertainty about what risk is being insured, fast-paced nature of the use of technology, little visibility on what constitutes effective measures, absence of insurer of last resort to re-insure catastrophic risks, and perception that existing insurance already covers cyber-risks 4. In Taiwan, insurance companies face the same issues as mentioned above when they tried to develop and promote the cyber-insurance products. However, what discourages the insurance and re-insurance companies from investing in the cyber-insurance market most is the lack of accurate information to figure out the costs associated with different information security risk and thus to price the cyber insurance contract precisely. Several cases involving personal data breach did happened after Taiwan’s PIPA became effective on Oct 1th 2012, but few verdicts have been made. It is not easy to master the direct costs or losses resulting from violation of PIPA, including penalties or fines from regulator,, compensation to the parties of the civil suit who claim their personal data were unlawfully collected, processed or used, litigation costs and so on. Otherwise, indirect costs or losses such as media costs, costs to regain reputation or trust of consumers, costs of deployment of proper technical measures to prevent the data breach from happening again etc. are difficult to calculate. Therefore, it is not easy to identify the costs of information security risk and thus to calculate the premium the insured has to pay precisely. The rapid development of technology also has a negative impact on the ability of the insurers to master the types of the information security risk which shall be insured and its costs. Accompanied with the convenience and efficiency of applying new technologies into the working environment, security issues arise, too. For example, the loss or theft of mobile or portable devices may result in data breaches. In 2012, an unencrypted laptop computer with personal information and other sensitive information of one of NASA's employees was stolen from his locked vehicle and this led to thousands of NASA's workers and contractors at risk. 5And, per the report made by a NASA inspector, similar data breaches had been resulted from the lost or theft of 48 NASA laptops and mobile computing devices between April 2009 and April 2011. 6 There is no singe formula which could guarantee 100% security, but some international organizations have promulgated best practices for information security management, such as ISO 2700x standards. 7In Taiwan, Bureau of Standards, Metrology and Inspection (BSMI) which belongs to the Ministry of Economic also consulted ISO standards and announced Chinese National Standards on information security. For example, BSMI consulted ISO 27001 “Information technology – Security techniques – Information security management systems – Requirements” and then promulgated CNS27001. Theoretically, if the company who tries to buy cyber insurance policy that covers data breaches and damages to customers' data privacy can show that it has adopted and do implement the suite of security management standards well, the premium could properly be reduced because such company shall face less security risk. 8 However, it is still not easy to price the cyber insurance contract rightly because of no enough data or evidence which could approve what constitutes effective information security measures as well as no impartial, controversial or standard formula to value intangible assets like personal or sensitive information. 9 Finally, the availability of re-insurance programs plays an important role in the cyber insurance market because insurers would appeal to such program as a strategy of risk management. The lack of solid and actual data as mentioned above would discourage re-insurers from providing insurance policies that covers the insured’s losses and liabilities. Therefore, insurers may not be keen to develop and offer cyber insurance products. 4.The USA experience on developing cyber insurance market 4.1Current market status Due to the increase of the number of data breaches, cyber attacks, and civil suits filed by those whose data were illegal disclosed to third parties, more and more enterprises recognize the importance of cyber and privacy risks and turning to cyber insurance to minimize the potential finical losses. 10 However, the increased government focus on cyber security also contributed to the rapidly growth of the cyber insurance market. 11 For example, US Department of Homeland Security has been aware of the benefits of the cyber insurance, including encouraging better information security management, reducing the finical losses that a company has to face due to the data breach and so on. 12 Compared to other lines of insurance, cyber insurance market is not mature yet and is small in USA. For example, the gross premiums for medical malpractice insurance are more than 10% of that for cyber insurance market. However, the cyber insurance market certainly appears to grow rapidly. Per the survey made by Corporate Board Member & FTI Consulting, 48% of corporate directors and 55% of general counsel take highly of the issue of data security. 13And, per the report made by Marsh, there are more and more companies buying cyber insurance to cover financial losses due to the data breach or cyber attack, and the number of Marsh’s US clients purchasing cyber insurance increased 33% in 2012 over 2011. 14 4.2What contributed to the growth of the cyber insurance market in USA? Some measurements taken by the government or regulatory intervention had impacts on the incentives of companies to carry cyber insurance. CF Disclosure Guidance published by U.S. Securities and Exchange Commission in Oct 2011 mentioned that except the operation and financial risks, public companies shall disclose the cyber security risks and cyber incidents for such risks and incidents may result in severe finical losses and thus have a board impact on their financial statements. 15 And, according to the guidance, appropriate disclosures may includes risk factors and this potential costs and consequences, cyber incidents experienced or expected and theirs costs and consequences, undetected risks related to cyber incidents, and the relevant insurance coverage. 16 Such disclosure requirements triggered the demands for the cyber insurance products because cyber insurance as an effective tool to transfer financial losses or damages could be an evidence that firms are managing cyber security risks well and properly. 17 The demand for cyber-insurance products may be created by government by means of requiring government contractors and subcontractors to purchase cyber insurance under Federal Acquisition Regulations (FAR) which mentions that contractors are required by law and FAR to provide insurance for certain types of perils 18. Also, in order to sustain the covered critical infrastructure (CCI) designation, the owner of such infrastructure may need to carry cyber insurance, too. 19 On the other hand, referring to Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 which requires those who provides Federal and non-Federal Government customers with a qualified/certificated anti-terrorism technologies shall obtain liability insurance of such types but the amount of such insurance shall be reasonable and will not distort the sales price of such technologies 20, the federal government tried to draw and enact legislation that provides limitations on cyber security liability 21. If it works, this could raise the incentive of insurers because amounts of potential financial losses which may be transferred to insurers are predictable. Besides, referring to Terrorism Risk Insurance Act of 2002 which established the terrorism insurance program to provide compensations to insurers who suffered the insured losses due to terrorist attacks 22, the federal government may increase the supply of cyber insurance products by means of providing compensations to insurers who suffered the insured losses due to cyber security breach or cyber attacks. 23 Otherwise, some experts and stakeholders did suggest the federal government implement reinsurance programs to develop cyber insurance programs. 24 Finally, to solve the problem of information asymmetry, the government tried to develop the legislation that could build a mechanism for information-sharing among private entities. 25 Also, it was recommended that the federal government may consider to allow insurance firms to establish an information-sharing database together so that insurers could accordingly develop better models to figure out cyber risks and price the cyber insurance contract accurately. 26 5.Suggestions and conclusion Compared to USA where 30-40 insurers offer cyber-insurance products and thus suggested that a more mature market exists 27, the cyber insurance market in Taiwan is still at the first stage of the product life cycle. Few insurers have introduced their cyber-insurance products covering the issues related to the personal information breach. Per the experience how US government developed the cyber insurance market, the following suggestion are made for reference. First, the government may consider requiring his contractors and subcontractors to carry cyber insurances. This could stimulate the demand for cyber insurance products as well as make cyber insurance prevail among private sector as an effective risk management tool. Second, the government may consider establishing re-insurance program to offer compensation to those who suffer the insured’s large losses and damages or impose limitations of the amount insured by law. However, it is undeniable that providing re-insurance program is not feasible as the government’s budget is not abundance. Finally, an information-sharing mechanism, including information on cyber attacks an cyber risks, may be helpful to solve the problem of information asymmetry. 1.Insurance Act §1 (R.O.C, 2012). 2.European Network and Information Security Agency, Incentives and barriers of the cyber insurance market in Europe , June 2012, at 8, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/incentives-and-barriers-of-the-cyber-insurance-market-in-europe. 3.Ben Berkowitz, United States: insurance-cyber insurance, C.T.L.R. 2012, 18(7), N183. 4.Supra note2, at 19-25. 5.Mathew J. Schwartz, Stolen NASA laptop had unencrypted employee data , InformationWeek, November 15, 2012 11:17 AM, http://www.informationweek.com/security/attacks/stolen-nasa-laptop-had-unencrypted-emplo/240142160；Ben Weitzenkorn, Stolen NASA laptop prompts new security rules, TechNewsDaily , November 15 2012 11:35 AM, http://www.technewsdaily.com/15482-stolen-nasa-laptop.html. 6. Irene Klotz, Laptop with NASA workers' personal data is stolen, CAPE CANAVERAL, Nov 14, 2012 8:47pm, http://www.reuters.com/article/2012/11/15/us-space-nasa-security-idUSBRE8AE05F20121115. 7.The Government of the Hong Kong Special Administrative Region , An overview of information security standards, Feb 2008, at 2, http://www.infosec.gov.hk/english/technical/files/overview.pdf；Supra note2, at 21. 8.Supra note2, at 21-22. 9.Id. 10.Id. 11.Id. 12.U.S. Department of Homeland Security, Cyber security insurance workshop readout report, Nov 2012, at 1, http://www.dhs.gov/sites/default/files/publications/cybersecurity-insurance-read-out-report.pdf. 13.John E. Black Jr., Privacy liability and insurance developments in 2012, 16 No. 9 J. Internet L. 3, 12 (2013). 14.Marsh, Number of companies buying cyber insurance up by one-third in 2012, March 14, 2013, http://usa.marsh.com/NewsInsights/MarshPressReleases/ID/29878/Number-of-Companies-Buying-Cyber-Insurance-Up-by-One-Third-in-2012-Marsh.aspx. 15.U.S. Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2 Cybersecurity, October 13, 2011, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 16.Id. 17.Supra note2, at 6.(last visited Dec. 31, 2012) 18.Federal Acquisition Regulations §28.301. 19.E. Paul Kanefsky, Insuring against cyber risks: congress and president Obama weigh in, March 2012, http://www.edwardswildman.com/newsstand/detail.aspx?news=2812. 20.Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 §864. 21.Supra note19. 22.Terrorism Risk Insurance Act of 2002 §103. 23.Supra note19. 24.Id. 25.Id. 26.Id. 27.Supra note2.