Taishin FHC Corporate Social Responsibility Report 2019

Superior Service

[Figure: Information Security Measures for e-Commerce Services. Labels: User Identification and Authentication Management; Security Information Event Management; Personal Information and Sensitive Data Masking; Network Encryption; Intrusion Prevention System Management; Access Control and Monitoring Management; Secure Software Development Life Cycle.]

Taishin places great emphasis on the protection of personal information. To enhance security management practices, Taishin Bank engaged certified public accountants to perform a special audit on personal information protection in 2019, for which the CPAs issued a statement claiming that the Bank's internal control system has been effectively designed and executed to ensure protection of personal information and fair presentation in all material aspects.

Taishin Bank's Grievance Mechanism of Personal Information Protection

[Figure: Grievance Mechanism of Personal Information Protection. The Handling of Each Level of Incident and the Reporting Level. Labels: Level 1 Incident; Level 2 Incident; The Level at which the Incident is Handled; The Level at which the Incident is Reported; Said department's supervisor; Personal Information Protection Implementation Department; Emergency Response Team; President. Response requirements shown in the figure: "Must be handled within 48 hours."; "Must be reported within 4 hours; the Emergency Response Team must be convened within 24 hours; the response plan must be established within 48 hours."]

Level 1 incident is characterized by any of the following conditions:
- the incident involves fewer than 100 records of personal information that have been disclosed, or used without the Party's authorization, or improperly processed, used, or disclosed; or the collection of personal information without going through legal and proper channels;
- the incident was notified by law enforcement agencies or the central competent authorities, and has been determined as a Level 1 incident.

Level 2 incident is characterized by any of the following conditions:
- the incident involves more than 100 records of personal information that have been disclosed, or used without the Party's authorization, or improperly processed, used, or disclosed; or the collection of personal information without going through legal and proper channels;
- the incident appears to have been caused by the Bank's improper control of its information technology system and operating procedures;
- the incident was notified by law enforcement agencies or the central competent authorities, and has been determined as a major incident;
- the incident involves highly sensitive information (e.g., public figures);
- the incident was reported by the media.

For cases of improper handling of private information that occurred in 2019, Taishin Bank identified the cause of the negligence and required the relevant units to undertake improvement actions, such as stepping up communication on laws and regulations regarding personal information; all staff of the unit were required to take and pass an examination. System management was strengthened, and cross-computer checks on information retention were introduced. Moving forward, we will continue to monitor our personal information protection and we will adjust or add improvement mechanisms as needed to protect our customers' rights and interests.

[Table. Column header: Year (2016, 2017, 2018, 2019). Row labels: Accountable case count; Source of customer complaint: Competent Authority, Customer feedback; Type of customer complaint: Leakage of personal information, Theft of personal information, Loss of personal information, Inappropriate use of personal information, Other. Cell values in extracted order: 3 1 3 1 0 1 0 4 0 1 2 1 0 0 0 0 0 0 0 0 1 1 1 4 2 0 0 0 2 2 3 5]

Accountable case count refers to complaints in which customers believe they have suffered losses due to misuse of their personal information. The Bank would clarify the customer's point of dispute and issue apologies to customers through the Head Office.

If an internal investigation finds violations of personal data protection regulations, our staff will be punished (such as: assessment and demotion, cuts in bonuses, internal warnings, etc.). The management unit concerned must also propose concrete improvements to the system and processes that are the root cause of the complaint in order to avoid recurrence of similar situations. After conclusion, the case was reported to the Board of Directors, and the head office management center also implemented continuous monitoring and improvement to ensure effective improvement and prevent reoccurrence.
