
2026 Security and Privacy Regulation Impacts: From NTT's 9 Million Leaked Records

【News Observation】

In April and May 2026, a series of major data-related incidents erupted across Asia and the United States, highlighting the inevitable shift in information security governance from "technical protection" to "end-to-end compliance."

First, a subsidiary of NTT West in Japan was found to have had dispatched engineers misuse their maintenance-system access privileges between 2013 and 2023, downloading and selling approximately 9 million records, including bank and insurance customer data. The Japanese Personal Information Protection Commission (PPC) issued "guidance" and "admonition" under Articles 147 and 148 of the Act on the Protection of Personal Information, requiring the company to clarify the root cause of the failure. The Ministry of Internal Affairs and Communications (MIC) issued administrative guidance under the Telecommunications Business Act, ordering a complete overhaul of the outsourcing supervision mechanism. The Financial Services Agency (FSA) issued "orders for reporting" and "improvement orders" to the affected financial institutions, forcing them to include information security incidents in the calculation of Risk-Weighted Assets (RWA) under the Basel III framework. If the capital adequacy ratio falls below regulatory thresholds, this could directly impact EPS or even force banks to reduce capital or scale back high-margin businesses.

In Taiwan, the Financial Supervisory Commission (FSC) rolled out the "Financial Information Security Resilience Development Blueprint" for 2026–2029, mandating that Chief Information Security Officers (CISOs) report directly to the Board of Directors and requiring financial institutions to implement a Software Bill of Materials (SBOM) and Zero Trust architecture. This coincided with the maximum fine for violations of the Personal Data Protection Act increasing from NT$200,000 to NT$15,000,000, together with a "per-incident" penalty mechanism. Between December 2025 and May 2026, over 162 financial institutions and 800 participants attended the FORCE 2026 InfoSec Exchange, demonstrating the industry's growing awareness of the new regulatory requirements.

The 2025 IBM and Ponemon Institute Global Cost of a Data Breach Report noted that the average cost of a data breach in the US has risen to $10.22 million, with 32% of companies paying regulatory fines and 48% of those paying fines exceeding $100,000; the average cost for the financial services sector specifically is $5.56 million per breach.

In the US, the University System of Georgia (USG) discovered on May 31, 2023, that the MOVEit vulnerability was being exploited by the Cl0p ransomware group, resulting in the leak of sensitive data, including Social Security numbers and bank information, for approximately 800,000 individuals. USG did not publicly disclose the breach until April 15, 2024, a delay of nearly a year, drawing criticism for the lack of clear reporting timelines across US states. USG provided 12 months of credit monitoring to victims but still faces potential lawsuits and reputation damage.

Domestically, the EVERY8D SMS platform was breached. According to the Ministry of Digital Affairs on June 3, 2026, the platform served 68 government agencies; 36 have since been decommissioned, and 32 have completed password updates and security hardening. Legislator inquiries focused on the fact that the Ministry only issued a statement on May 26, five days after the incident, highlighting a significant gap in the government's information security emergency response.

Simultaneously, the Hsinchu City Health Bureau held a meeting on May 27, 2026, regarding the management of video-recording equipment in medical institutions. The bureau declared a "zero tolerance" policy for voyeurism in medical clinics, requiring all video-recording areas to be clearly labeled and all private spaces to be free of recording equipment, citing the Medical Act, the Personal Data Protection Act, and the Criminal Code as the legal basis. This move underscores that medical information protection has expanded into the management of physical devices, becoming a new priority in information security governance.

Finally, the EU's GDPR and the forthcoming ePrivacy Regulation are creating dual compliance pressure regarding the use of cookies and the collection of advertising data. GDPR places "personal data" at its core and allows six legal bases for processing, with "legitimate interests" and "consent" being the most frequently cited by advertisers. The ePrivacy Regulation, however, requires "explicit consent" for any use of cookies or similar technologies, with the technical requirement that browsers act as the gateway for consent. Violations can lead to fines of up to 4% of global annual turnover or €20 million, posing a severe challenge to multinational companies operating in the EU.

【Jisui Insights】

At Jisui, we observe that the 2026 information security and privacy regulations have a quantifiable impact on Taiwanese companies' Privacy Information Management Systems (PIMS) across three dimensions:

1️⃣ **Penalties and Financial Impact**: Under the new cap of NT$15,000,000 per violation of the Personal Data Protection Act, a medium-sized financial institution could face fines totaling NT$150,000,000 for 10 violations. When combined with the Basel III RWA add-on for information security incidents, a bank with a 12% capital adequacy ratio could see its RWA increase by 5%, raising capital requirements by NT$120 billion. Failure to raise capital could force the reduction of high-margin, capital-intensive businesses, potentially impacting EPS by over 5%. In the NTT West case, where fines were based on 9 million records with a cap of 1,000 yen per record, the company faced fines of 9 billion yen (approx. NT$1.9 billion), not including reputation damage.

2️⃣ **Compliance Gaps and Common Blind Spots**:
- **Incomplete Outsourcing Oversight**: Many companies only sign Service Level Agreements (SLAs) with cloud providers, SMS platforms, or medical equipment vendors, lacking specific information security governance clauses and regular audit rights. The NTT West and EVERY8D cases both stem from a lack of effective access audit trails and privilege oversight.
- **Data-Flow Mapping Deficiencies**: Companies often focus on core systems while overlooking the flow of data through video-recording equipment, mobile messaging, and third-party APIs. The Hsinchu medical voyeurism incident demonstrates that any video-recording device not integrated into the information security framework is a major privacy leak point.
- **Missing DPIA (Data Protection Impact Assessments)**: When deploying AI-generated content or deepfake-related tools, many companies fail to perform a DPIA as required by GDPR Article 35. This lack of preparation makes them reactive rather than proactive when faced with incidents like the US MOVEit breach or EU ePrivacy enforcement.

3️⃣ **Case Alerts: This Could Happen to You**
- **Financial Institutions**: If your bank still manages third-party cloud services using traditional Active Directory or LDAP without a Zero Trust architecture or least-privilege principles, you are exposed to RWA-related capital adequacy penalties.
- **Medical Institutions**: If your clinic uses unlabelled video-recording equipment or fails to obtain patient consent, you are in violation of the Medical Act and the Personal Data Protection Act, facing fines and potential blacklisting by local health authorities.
- **Public Sector & Enterprise SMS Users**: If you use SMS platforms like EVERY8D without verified information security hardening, a single breach could expose over 100,000 customers' data, triggering fines and mandatory credit monitoring costs.

【Actionable Recommendations】

1️⃣ **Audit Outsourcing Security Immediately**: Establish a cross-departmental InfoSec Committee to review all third-party vendor contracts (cloud, SMS platforms, medical equipment) for information security governance clauses, including SBOM requirements, Zero Trust standards, regular audits, and breach indemnification. This is the highest priority to prevent regulatory fines.

2️⃣ **Implement ISO 27701 PIMS and DPIA Processes**: Use ISO 27701 as the framework for managing the entire data lifecycle and data subject rights. Perform a DPIA for any new system deployment (AI, cloud, IoT) to ensure compliance with GDPR Article 35 and the revised Taiwan Personal Data Protection Act. This will be a key selling point for ESG reporting and investor confidence.

3️⃣ **Deploy Zero Trust and Least-Privilege Access**: Implement micro-segmentation and dynamic access control across internal networks and cloud environments. All third-party access must be authenticated via multi-factor authentication (MFA) and regularly audited. This prevents the type of privilege misuse seen in the NTT West case.

4️⃣ **Establish InfoSec Incident Reporting and Crisis Response SOPs**: Create a procedure for reporting incidents within 24 hours and notifying affected subjects within 7 days, as required by the Personal Data Protection Act and the Financial InfoSec Blueprint. Pre-sign agreements with credit-monitoring services to avoid the reputation-damaging delays seen in the USG case.

5️⃣ **Enhance Privacy Consent and Cookie Management**: For websites and mobile apps, implement a dual-layer consent mechanism compliant with both the EU ePrivacy Regulation and the Taiwan Personal Data Protection Act. Utilize a Consent Management Platform (CMP) to track and manage user choices, avoiding fines of up to 4% of global turnover.

6️⃣ **Conduct Regular InfoSec Drills and Employee Training**: Schedule semi-annual company-wide drills covering social engineering, deepfakes, and AI-driven phishing. Report the results of these drills directly to the Board of Directors to ensure the highest level of governance.

7️⃣ **Continuous Monitoring and Independent Audits**: Engage independent auditors with expertise in ISO 27001, SOC 2, or CIS Controls to perform annual information security maturity assessments. Use these insights to prioritize investments and resource allocation.

FAQ

What penalties does an enterprise face if it fails to report a data breach within the required time?
Under the Personal Data Protection Act, an organization that fails to report within a reasonable period faces, in addition to a fine of up to NT$15,000,000, possible inclusion on an information security blacklist and an impact on its operating licenses.
How does ISO 27701 differ from GDPR compliance, and does an enterprise need to obtain both certifications?
ISO 27701 is a framework for a privacy information management system and complements GDPR's regulatory requirements; obtaining ISO 27701 certification demonstrates compliance with GDPR's organizational governance requirements, so dual certification is not needed.
How can a Zero Trust architecture be implemented in an existing IT environment?
Start with micro-segmentation and multi-factor authentication, then progressively minimize all internal and third-party access privileges, and apply dynamic access control with continuous monitoring.
When must a DPIA be performed?
When a new system involves large volumes of personal data, uses AI, or transfers data across borders, a DPIA must be completed first, in accordance with GDPR Article 35 and Taiwan's draft amendment to the Personal Data Protection Act.
Why choose Jisui (積穗科研) to assist with PIMS implementation?
Jisui has cross-domain expertise in information security, regulation, and finance, and has helped many financial and medical clients complete ISO 27701 certification and DPIAs, rapidly reducing fine and capital risk.
