Cathay FHC attaches great importance to the privacy of customers and the security of personal data. In order to ensure the effectiveness of customer privacy protection and personal data security, Cathay FHC has formulated a "personal data file security maintenance plan and personal data processing methods after business termination". It is an important guideline for the protection and management of personal data.
Cathay FHC and its subsidiaries have also established the most appropriate risk management mechanism for personal data protection, provided the resources required for privacy protection risk management, and set up a dedicated personal data protection unit responsible for evaluating and planning the personal data protection management structure and supervising relevant operating procedures, in order to continuously improve the operation of the privacy protection management mechanism and fully protect the privacy and personal data security of customers.
Customer Privacy Policy
To thoroughly enforce personal information management, Cathay FHC has established the "Personal Information Management Committee." The president serves as the chairperson, while the Risk Management Division serves as the personal information management unit responsible for planning, overseeing, and enforcing committee decisions and reviewing and improving the group's personal information management. To actively safeguard customer rights in the face of rapidly evolving technologies and attacks, Cathay FHC's main subsidiaries - Cathay Life, CUB, and Cathay Century - have obtained accreditation under the international standard "BSI10012:2017 Personal Information Management." In addition to obtaining international accreditation to observe international privacy rights and protection trends, Cathay FHC also conducts third-party audits annually and utilizes the P-D-C-A method to strengthen personal information management and ensure effective protection thereof.
Cathay FHC and subsidiaries also publish "privacy policies" on official websites to explain how the companies collect, apply, and protect the personal information provided by customers. Personal information is only provided to third-party products and service partners to provide related services with customer consent. To protect users' personal information and maintain online privacy, privacy policies are subject to changes to comply with regulatory changes and new technologies to ensure customer rights. Customers with questions about the company's privacy policies or how their personal information is being used can contact customer service through channels provided on the company's official websites.
Customer Personal Information Management Process
Cathay FHC and its subsidiaries comply with the "Personal Data Protection Act" and related regulations when collecting, processing, or using personal information. Before collecting personal information, Cathay FHC and its subsidiaries will expressly inform customers of the purpose of collection and with whom the information will be shared. The personal information will not be used in any way exceeding the necessary scope of specific purposes. The company requires third parties to comply with internal policies on personal information protection and has also defined the user's rights to make an inquiry of and review; request a copy of; supplement or correct; demand the cessation of the collection, processing, or use of; and erase his/her personal data. In response to the EU's "General Data Protection Regulation" (GDPR), Cathay FHC has aligned personal information management processes with international standards. The company seeks to continue optimizing and enforcing management, control, and protection and introducing multiple layers of protection such as emergency response processes and drills to safeguard customer information and customer rights. In terms of retention periods for personal information, unless otherwise required by law or contractual obligations, Cathay FHC will erase or cease processing or using any retained personal information when the specific purpose of data collection no longer exists, or upon expiration of the relevant time period, and will retain related trails or evidence for at least five years.
To reduce risks of data leaks from employees storing material personal information on their personal computers, CUB deployed a Personal Information Protection and Administration System (PIPAS) and, in 2020, Cathay Life created a "Personal File Administration Classified Section" by restricting authorized personnel and access time to strengthen protection against data leaks.
In the event of violations against personal information protection, Cathay FHC complies with punishments outlined in the "Personal Data Protection Act" and has also defined disciplinary action in the "Personal Information Processing & Security Management Regulations." Cathay FHC employees in violation of personal information protection regulations impacting the rights and interests of the company and its customers will be handed over to human resource organizations for disciplinary action.
Cathay FHC and its subsidiaries conduct joint marketing activities, and customer data is used for secondary purposes. In accordance with regulations governing joint marketing and the Personal Data Protection Act, a total of 2.46 million customers (as of the end of 2022) have signed their consent allowing Cathay FHC and its subsidiaries to share data for mutual use. This accounts for 16% of all Cathay FHC customers, and each case is reviewed and approved independently when shared for mutual use. Please refer to the following link for a joint statement by Cathay FHC and its subsidiaries on privacy measures for the mutual use of customer data.
Complete Personal Information Protection Education and Training
Cathay FHC organizes annual campaigns, education, and training for raising all employees’ awareness towards personal information protection, so that they understand the regulatory requirements, the scope of their responsibilities, and the various mechanisms, procedures, and measures related to the protection of personal information. The completion rate of personal information training of Cathay FHC and its subsidiaries was 100% in 2020.
Note: The completion rate above excludes employees exempted due to the characteristics of their duties or leave plans (temporary dispatch, parental leave, maternity leave, etc.).
Violations & Response to Customer Privacy
Cathay FHC and its subsidiaries have established "Emergency Response Procedures for Personal Data Breaches," processes for regular drills, interdepartmental "Emergency Response Teams," and reporting and handling processes. Regular simulated training can strengthen the ability of employees to respond to personal data breaches, prevent impacts to the company, and reduce, as much as possible, damages to the affected individual. Cathay FHC also verifies the effectiveness of internal processes to identify deficiencies and perfect personal information protection measures.
In 2022, the Financial Supervisory Commission (FSC) announced two sanctions uncovered from customer complaints to the FSC. In 2022, Cathay FHC experienced eight data breaches, 100% of which were related to personal information. A total of 120 customers were affected by the aforementioned violations and breaches. Upon further investigation, Cathay FHC identified the source as sales agents neglecting to inform customers of a third person and one case in which the logistics company lost but later recovered an insurance receipt (containing only the subject's name and insurance premium). None of the cases were material data breaches or infringed on customer privacy. Cathay FHC has been able to settle the cases with customers and has handled the situation accordingly. The company will continue to organize employee training and strengthen awareness programs to ensure related employees fully recognize the importance of personal information protection. In addition, the group will continue to strengthen and monitor the use of customers' personal information and improve related protection measures to reduce future data breaches.
Personal Information Security Implementation Results
| | 2020 | 2021 | 2022 |
|---|---|---|---|
| Personal information protection training completion rate (%) | 100 | 100 | 100 |
| No. of information breaches (cases) (Note 1) | - | 11 | 10 |
| Personal information breaches as a percentage of total information breaches (%) (Note 1) | - | 100 | 100 |
| No. of customers affected by personal information breaches (customers) (Note 1) | - | 6,520 | 120 |
Note 1: Cathay started to disclose relevant data in 2021. Data in "No. of information breaches," "Personal information breaches as a percentage of total information breaches" and "No. of customers affected by personal information breaches" include data for Cathay Life, CUB, Cathay Century, Cathay Securities and Cathay SITE.
Distribution of Personal Information Cases in 2022
| Subsidiaries | Cases Reported by the Central Competent Authority | Investigation Initiated by Cathay |
|---|---|---|
| Cathay FHC | 0 | 0 |
| Cathay Life | 0 | 8 |
| CUB | 2 | 0 |
| Cathay Century | 0 | 0 |
| Cathay Securities | 0 | 0 |
| Cathay SITE | 0 | 0 |
| Total | 2 | 8 |