NTU Theses and Dissertations Repository: College of Law, Department of Law
Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/97328
Title: Taiwan's Cybersecurity Laws and Certification Body Regulations: Focusing on Prevention of Conflict of Interests (論我國資訊安全法制與驗證機構監理—以利益衝突防免為中心)
Author: Che-Lun Pai (白哲綸)
Advisor: Yueh-Ping Yang (楊岳平)
Keywords: Cybersecurity, Certification body, Gatekeeper theory, Conflict of interests, EU Cybersecurity Act, EU Cyber Resilience Act
Year of publication: 2025
Degree: Master's
Abstract: Since the COVID-19 outbreak in 2020, remote work and digital transformation have surged, and cybersecurity has become an issue that can no longer be ignored. Security incidents have been frequent in recent years; if the many security risks and system vulnerabilities are not adequately controlled, consumer trust in network security will be eroded. From a supervisory perspective, competent authorities must spend substantial regulatory resources to respond to the large number of vulnerabilities and threats, so how to allocate those resources effectively has become a pressing question. Having cybersecurity certification bodies supervise the regulated entities, so that the government can concentrate its own supervision on the certification bodies, is one way to reduce the overall regulatory burden. If this supervisory model is adopted, how to supervise the certification bodies effectively becomes the key question for future cybersecurity regulation.
An examination of Taiwan's regulations on cybersecurity certification reveals several problems. Apart from some scattered provisions, Taiwan lacks rules governing assessors and certification bodies, and the certification-body rules in certain industries are either insufficient or absent. Legislators or the competent cybersecurity authorities should legislate proactively to address these risks; the choice of certification regulatory model is itself a question of allocating regulatory resources effectively.
Economic analysis of law shows that the cybersecurity market suffers from information asymmetry, which justifies introducing a certification regime. Direct government intervention, however, is unlikely to use resources most efficiently, so a private certification system is the more appropriate design. Private standards have also matured in industry over many years; regulators should evaluate how those standards operate and incorporate them where suitable to strengthen supervisory effectiveness. Under gatekeeper theory, certification bodies are gatekeepers, and gatekeeper failure is therefore a possibility. Market structure is one type of gatekeeper failure: both oligopoly and excessive competition create regulatory difficulties. The choice of fee model is another. This thesis argues for an "evaluated party pays" (regulated entity pays) model rather than an "information user pays" model, supplemented by measures to prevent conflicts of interest; specific rules on conflict-of-interest prevention should be enacted to secure the impartiality and independence of certification bodies.
In its comparative legal research, the thesis focuses on the EU Cybersecurity Act and the EU Cyber Resilience Act. Although the EU's cybersecurity certification regulations have only recently taken effect, their specific provisions on conflict-of-interest prevention are a worthwhile reference for building Taiwan's accreditation and certification framework, and comparing international regulatory models also helps to reflect on which model Taiwan should adopt.
Finally, the thesis proposes solutions for the choice of accreditation and certification regulatory model in Taiwan and for the gatekeeper-failure problems of market competition, fee structure and conflict-of-interest prevention. It reviews the current regulations governing certification bodies and proposes amendments; for industries that have not yet enacted such regulations, it suggests legislative directions for legislators and competent authorities to consider.
URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/97328
DOI: 10.6342/NTU202500777
Full text authorization: Not authorized
Electronic full text release date: N/A
Appears in collection: Department of Law

Files in this item:
ntu-113-2.pdf, 2.56 MB, Adobe PDF (public access not authorized)
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.