Sustainability

Privacy Protection

 

Cybersecurity and Personal Information Protection

Chunghwa Telecom values its customers' privacy rights by carrying out the relevant protective measures on the following 4 dimensions in order to enhance protection of consumer confidentiality and to prevent CHT’s customer service staff (including permanent employees and contractors) from unlawfully accessing customer information from the corporate information system:

Information Security Strategy

The main points of the Company’s information security strategy include:

1. Standard compliance

2. Establish an overall protection mechanism that includes multi-layer protection, threat hunting and monitoring, and rapid incident response

3. Establish and cultivate excellent information security talent

4. Establish the corporate culture of Security Designed-In

The implementation of CHT's information security strategy is risk-management oriented: it measures the implementation results of security management, ensures the implementation’s compliance and effectiveness, identifies risks, reviews and improves the implementation, and integrates them into operating procedures.

Each year, the Company reviews its strategies and information security regulations based on the external environment (such as government policies and regulations, information security threats, international standards, technical development trends) and internal risk assessments (including internal and external audit results, CHT SOC security monitoring and incident handling review improvement, etc.). They are constantly updated in response to external threats and hacker technology, and internal anomaly detection and prevention techniques (such as enhancing intelligence, strengthening endpoint defense, machine learning technology, etc.) are continuously refined to reduce the risk to the company's overall security.

The above information security strategy, after analyzing the operational environment risks every year and according to the evaluation results of the frequency of risk factor occurrences and impact levels, is used to formulate important action plan performance indicators for the year. After securing approval from the President, it is then included as a company and employee performance assessment item. In addition, the dedicated information security department shall be responsible for the related implementation issues including regulating, advocating, promoting and auditing.

A monthly review is also conducted, and execution conditions and additional risk information are submitted to the Risk Management Committee for monitoring and control. Furthermore, the strategy is reviewed and adjusted through regular information security meetings held by the CISO (Chief Information Security Officer). In case of major security threats, crisis response handling is implemented.

Laws and Regulations

● Protecting customer basic information by keeping it "confidential."

● Employees should sign the "business confidentiality agreement", and their senior executives should take full responsibility.

● In the event where a contractor is involved in confidential business matters, both the contractor and his/her employer shall sign the relevant confidentiality agreements.

Protection of Customer Information

● Pre-event control measures: Some of the customers' personal information is not accessible to first-line operators.

● Post-event audit and random inspection: A complete record of information usage and inquiry is always well documented and maintained.

System Management

● First-line operators are prohibited from using portable storage devices on their computers and from sending emails. They also have limited access to the Internet.

● A customer information management system is established, and supervisors shall check the inquiry records on a daily basis.

● Management of information authority is one of the key items of periodic and special audits of information security.

Internal Control

● All branches and offices shall report the implementation status of the measures to protect consumer confidentiality on an annual basis.

● Customers' application forms are stored and locked away in designated cabinets.

● The corporate headquarters and branches shall conduct special audits on the various service centers.

● Promote the importance of ensuring the confidentiality of consumer information and the associated legal liabilities on a regular basis.

Information security/cybersecurity awareness training

CHT revises the information security standards and conducts awareness training annually to familiarize all employees with the content of the regulations. In addition, 9 professional security courses have been planned for newly recruited employees, general employees (including outsourcing personnel), supervisors, and technical personnel (including security experts). Each year's training program objectives are planned to accurately train and subsidize employees to obtain professional security licenses and improve their cognitive ability. The summary is as follows:

  1. Newly recruited personnel: All newly recruited personnel need to complete the information security courses and pass the test. In 2017, approximately 656 people completed the training and passed the tests.

  2. Employees (including outsourcing personnel):

     - All employees (including our CEO) are required to take the “Information Security Promotion Course” and must score 100 to pass the post-course test. In 2017, a total of 21,953 employees and 8,703 outsourced personnel completed the course.

     - E-mail social engineering drills are conducted twice a year to enhance APT attack awareness and protection capabilities.

  3. Supervisors: They need to complete the information security training and pass the test when they are assessed for promotion. In 2017, about 308 people completed the assessment.

  4. Technical staff (including security experts):

     - Relevant information security courses are established according to system management, network management, program development, security management, security equipment transportation, and capital protection, etc. Employees with security expertise need to attend the training and must pass the test. 8 classes were held and 13,179 trainings were completed (84,945 hours in total).

     - All program developers need to pass the test of security code review, which totaled 1,946 persons in 2017.

     - A total of 826 external security certificates (such as CISSP, CEH, CHFI, ECSA, etc.) have been obtained over the years.

     - An internal personal information protection and management personnel verification system has been established. In 2017, a total of 3,461 personnel and 1,447 inspectors were involved.

Customer Privacy Service and Measures

In response to the upcoming implementation of the “Personal Data Protection Act,” an additional “Personal Data Protection Team” will be established under the “IT Strategy Committee”. We have set up a personal data safety training and awareness plan, a personal data process analysis and inventory plan, and a risk assessment plan, all of which are categorized as KPI indicators.

In order to strengthen customer data protection, Chunghwa Telecom has categorized basic customer information as “top secret” documents, which are stored in a locked counter. Employees are asked to sign the “Trade Secret Protection Contract” and their supervisors are jointly liable. Any outsourcing company involved in trade secrets must also sign the related confidentiality agreements. Subsidiaries report protection status annually; headquarters performs random audits at customer service centers to enforce the implementation.

We treat the rights and interests of our customers as a priority; we strictly follow the Personal Information Protection Act and have never exceeded its scope. We only collect data for legitimate and legal reasons.

For the customer service line, built to rapidly resolve privacy and confidentiality complaints, we established ISO9001 Suspected Leakage Handling Procedures to report and handle all privacy complaints, thereby protecting personal information and improving the company's image and service quality.

Customer Personal Information Collection, Processing and Use

According to the “Terms of Customer Personal Information Collection of Chunghwa Telecom”, which has been provided to all customers (including MOD, broadband, landline & international and mobile service), and in order to promote the diversification of products/services, the Company shall use customers’ personal information to market for affiliated companies and to sell products/services on a commission basis with cooperative partners. However, the Company shall not provide personal information to a third party except with customers’ consent or in accordance with the law.

Take "promoting speed upgrades to existing customers" as an example. Marketing personnel can use the CRM marketing platform to understand customers' current Internet behaviors and the status of available equipment, filter appropriate target customers for telemarketing, text messages, and EDM, and then offer the promotion message. The CRM marketing platform is Chunghwa Telecom's special security system. Personnel who want to use it must formally file an application and obtain authorization through their supervisor's approval, and operations on the platform are monitored and recorded by the system. In addition, Chunghwa Telecom adheres to the principle of “highly confidential” and does not display detailed information such as attributes of individual customer behavior on the platform. It also prohibits personnel from acquiring or downloading data, to comprehensively protect customer privacy and avoid leakage risks.

In order to assist government agencies in safeguarding public safety and fighting crime, if the government sends official documents to access or inquire about customer information, the Company should follow the competent authority’s “Regulations Governing Implementation of Telecommunications Industry Dealing with Relevant Agencies (Institution) Inquiring about Information of Telecommunications Users”, “Regulations Governing Implementation of Telecommunication Industry Inquiring about Telecommunications Communication Records” and other relevant regulations. After a strict audit of the application process, the Company should provide the information as required; requests that do not comply with the statutory regulations should be denied to ensure customer privacy and information security. In 2017, according to the inquiry of governmental agencies, Chunghwa Telecom provided approximately 99.55% of the total or partial customer information.

Customers who want the Company to stop processing and using their personal information can, at any time, fill in the application and reply form at the service centers to stop the processing and use of, and to delete, their personal information. Customers can freely select agree or disagree, and 16.8% of customers selected disagree in 2017.

Breaches of Customer Privacy: Complaints

In 2017, complaints filed by clients regarding suspected information leakage, suspected loss, or suspected personal information theft totaled 20 (9 of which were notified by the competent authority). Compared to 2016, there was a decrease of 15 cases, accounting for 0.0001% of the total accepted cases via the customer service lines. However, after investigation, no facts of leakage, loss, or theft of personal information were found in 2017. We publicly disclose related information to our stakeholders on our website and in our annual corporate social responsibility report. We will also disclose it in the annual report if a critical case happens.

Please refer to our privacy policy: http://www.cht.com.tw/en/csr/upload/content/CHT_Privacy_Policy.pdf

Please refer to our Information Security Policy: Information_Security Policy of Chunghwa Telecom.pdf

 

In 2015, 32 suspected complaints of information leakage were reported, a 27% decrease compared to the 2014 statistics, making up 0.0001% of total complaints.

 
