At the Risk of Losing Data: Data Privacy and Protection

April 20, 2014
Entrance Gate of Sejong University, Seoul, Korea

This article was originally published by Bryan E. Hopkins in the Korea Risk Intelligence Report (KRIR) on March 31, 2014. Link: http://www.eruditerisk.com/index.php/tools/korea-risk-intelligence-report. The full report is available to KRIR subscribers.

Korea’s largest ever data loss may lead to changes to a privacy-related legal and regulatory environment that is already both comprehensive and confusing.
Data privacy and protection have become increasingly important over the last few years. As more and more companies compete in the new knowledge economy through the use of the internet, computers and large batches of data, data privacy and data protection have become serious risk concerns. Countries, including South Korea, have enacted strict data privacy laws which levy fines for violations and have enacted tough regulations on the use of personal data.
Besides personal data, companies must also deal with the numerous risks associated with unauthorized access, and use or dissemination of other data, such as financial data, IP related data, medical data and marketing strategy data. Data misuse or theft can lead to financial risks, IP related risks and of course brand risks or loss of reputation.
A number of countries have enacted strict policies when it comes to the protection of personal and private data. Such policies, though onerous, are supposed to provide a level of protection to society in general as well as instill confidence in a country’s financial marketplace and commercial sector. South Korea has enacted far-reaching data privacy rules (more stringent than the US, similar to the EU), which should have prevented the recent data leakage of 104 million credit card records, had companies been in compliance with them. The fact that these comprehensive and strict regulations did not, in this case, protect the personal data of some 20 million Korean persons held by some of the largest financial institutions in the country underlines the difficulty of managing the risk companies face when collecting and retaining personal data. Firstly, the regulations must be properly focused to deal with the actual threats as they are likely to be confronted. Secondly, the regulations must be understandable and not so burdensome that most companies are simply not able to comply. Also, companies must be able to understand exactly what the regulations mandate and what is expected of them. Companies must then correctly apply the internal technological and policy measures to implement the regulations. There are enough moving parts to ensure that no one really knows (1) whether the organization is in compliance and (2) whether, even if in compliance, the data is safe.
A basic timeline of the Korean credit card crisis is as follows:
1. On January 20, it was reported that credit card data of 15 million credit card users involving KB Financial, NongHyup and Lotte credit cards had been stolen or leaked to loan marketing companies.
2. On January 21, the top executives at KB Financial and NongHyup resigned amid reports that the data leakage had occurred months before the announcement.
3. On January 22, the top 40 executives at KB Financial, NongHyup and Lotte Card resigned and it was announced that 82 million cardholders were exposed to the data leak. KB Kookmin had the largest data leak of 43 million accounts and Lotte announced 17 million cardholders were also exposed.
4. On January 23, the Korean Financial Services Commission (FSC) announced KB Kookmin, NongHyup and Lotte Card would be suspended for 3 months with a potential suspension of 6 months depending on responsibility for the breach. The FSC also announced it might levy a fine of $4.7 million on the companies responsible for the breach instead of the normal fine of $6,000. The FSC did caution, however, that cardholders’ private data such as credit card PIN numbers or card validation codes had not been leaked.
5. On January 24, the FSC announced that financial institutions would only be allowed to hold personal credit information for a five (5) year period after the completion of the transaction requiring such personal information. The FSC also announced that customer information will no longer be allowed to be used by the subsidiaries of a financial holding group, noting that though the information can be shared by and between the subsidiaries, such use would be strictly limited to internal business management purposes such as credit risk management.
6. On February 4, the Ministry of Security and Public Administration announced it was considering a major overhaul of the country’s 13 digit resident registration system.
7. On March 10, the FSC announced its planned measures for upgrading the consumer data protection framework as a result of this incident.
8. On March 14, the FSS admitted that some of the personal information leaked from the credit cards had been sold or transferred to personal data dealers, in direct contradiction to earlier claims by regulators that the personal data leak had been contained.
It is important to look at the current laws and regulations as they pertain to data privacy, data protection, trade secrets and information related processes. South Korea has a number of laws relating to the protection of information and data, most notably the Communications Network Act (CNA), the Credit Information Act (CIA), the Location Information Act (LIA) as well as the Personal Information and Protection Act (PIPA).
The problem with PIPA and other related laws, however, is the current confusion over which data is governed by PIPA and which by the CNA or CIA. Basically, PIPA applies to personal information processed by an entity deemed to be a handler of personal information, whether the information is electronic or manually recorded. However, PIPA does not apply to private information controlled or regulated under CNA or CIA. As there exists little by way of administrative regulations on interpreting and enforcing the CNA, CIA or PIPA, there is little guidance on interpretation of the data privacy provisions of the statutes.
As the Korean credit card companies involved in the data leakage debacle in South Korea have now discovered, there is great risk when it comes to the collection, use and management of personal data even when South Korea has implemented rigorous laws pertaining to the collection and use of personal data. This is especially true when the data leakage or misuse is attributed to people within the organization that is collecting or managing the data. The leakage of 20 million credit card customers’ data in South Korea is a wake-up call to all companies doing or intending to do business in South Korea: if they are involved in the collection, use or management of personal data, they must actively manage the risk of data piracy or face the consequences.
Obviously, companies have to implement rigorous and realistic processes and procedures to prevent unauthorized access and misuse of data. They must also enact policies and procedures to comply with South Korea’s regulations dealing with personal data. It is therefore incumbent upon management of any organization doing business in South Korea to implement appropriate strategies to deal with the unauthorized access or dissemination of data, including: use of the latest technology to prevent and detect potential data leaks; establishment of training programs to train all employees on processes and procedures to safeguard data and prevent unauthorized disclosure of data; and proactive managerial oversight in the implementation of operational requirements to prevent data leakage and comply with regulatory policies.
Though the recent credit card fiasco may in the long run strengthen South Korea’s regulations when it comes to the protection of personal data, there will be short term consequences that companies doing business in South Korea will face. The FSC in Korea will undoubtedly act based on continued pressure from outraged consumers who are upset with how the credit card scandal has been handled to date. All financial institutions are on notice to aggressively protect and manage personal data and to ensure compliance with data protection laws. In fact, the FSS has announced that new penalties and restrictions on a company’s use of personal information shall go into force as of June of this year.
There will be a period where the companies will be at the whim of the regulators in charge of data privacy and therefore there will be a period of uncertainty regarding obligations and duties to prevent unauthorized access and misuse of data. Though the FSS announced on March 4 that efforts will be made to remove regulatory barriers for foreign financial firms operating in Korea, agencies are beginning to implement stricter rules and regulations regarding data privacy which can be seen as creating additional barriers and compliance issues.
Such consequences will most likely include:
1.     A more active and litigious consumer population. Expect more class actions and other forms of litigation over personal data issues. To date at least one class action has been filed on behalf of 514 people who were affected by the information leak.
2.     More governmental approvals will be required for service providers requesting or requiring personal information.
3.     Foreign owned banks and credit card providers will be subject to more governmental scrutiny and potential investigations.
4.     Personal data security costs will increase as more regulations are promulgated to enforce and strengthen the various personal data protection laws.
5.     Lawsuits and/or investigations against Korea’s 6 largest banks including Citibank and Standard Chartered.
6.   Institutions mishandling the collection, management or publication of personal information can expect heavier sanctions from the government.
7.    Curbs on marketing financial products via SMS.  Financial institutions will be requested to cease marketing loans and financial products via SMS until the FSC has concluded its investigations of the personal information leaks.
8.   Potential revamping of the national ID system requiring the use of an RRN issuance number that contains arbitrary numbers unrelated to birth and gender instead of the current system that relies on an RRN (resident registration number) that contains a number relating to birth records, etc.
9.   As of June, stricter rules shall go into force to toughen data protection laws, such as stricter regulations concerning a financial institution’s use of personal data as well as the time period it may keep personal data records after collecting such data.
10. As of June, a penalty of up to $4.7 million USD may be levied against a financial institution that leaks (whether intentionally or not) its customers’ personal information. It is currently a mystery as to what criteria exist for levying the maximum fine. Companies therefore must proceed very cautiously with the understanding that even foreign financial firms are subject to the maximum penalties that are currently being decided inter-agency.
Context, Explanation, Analysis (Commentary/Analysis Material)
As the politics of outrage threaten to drive data privacy policy, the FSS and FSC now find themselves required to respond strongly to a situation that is not yet entirely clear. As a result, changes to the data protection legal environment could become a victim of an overreactive, knee-jerk response rather than the beneficiary of measured and careful policy making. It is clear that some of the new restrictions have not been thought through given the confusing nature of the personal data protection laws in Korea.
Communications Network Act
The CNA contains comprehensive regulations concerning the collection, use and disclosure of personal information by any company that provides information electronically. Specific personal information such as DOB and name is covered under the CNA. One of the key components of the CNA is that companies subject to the CNA must implement technological and managerial safeguards to secure and protect information and prevent such personal information from being stolen, lost, altered or leaked. Also, the statute prohibits the use of any personal information beyond the disclosed purpose of the electronic disclosure. As the consent of the user is required for the collection and use of personal information, the user has the right to control his own personal information and the provider must obtain his consent prior to disclosing the information.
Credit Information Act
The CIA covers credit related information obtained or produced by a user for purposes of commercial transactions such as financial transactions. This covers third parties who are provided with credit information from users in relation to their businesses.
Location Information Act
The LIA was enacted over data privacy concerns raised due to the increased popularity of smart phones or PDAs. The purpose of the LIA is to prevent unauthorized use of location information of a person without the consent of the person or principal. Not only are companies, entities and people prohibited from collecting or using location information of people without their consent, but organizations or individuals may not receive personal location information of an individual by deceiving the location information provider. The location information provider is required by statute to take affirmative measures to prevent leakage, alteration or impairment of location information through the establishment of processes to manage location information, including the use of encryption software and other technical measures.
Personal Information Protection Act
PIPA, the latest Korean law on the protection of private data, governs a company’s use and protection of personal information if such information is not expressly regulated by the CNA or CIA. PIPA covers any organization, company, institution or individual that manages personal information directly or via another who administers such information as part of their duties or responsibilities. PIPA requires the organization managing personal information to organize and manage it properly, which includes restricting access to the information entrusted to the company’s care and constantly checking the information for security purposes. The duty to adequately secure the information is very well defined under PIPA. The company or organization managing the user’s personal information must take technical, administrative and physical measures for securing the information and restricting access to the information. Not only is the company required to install and update its security program on a regular basis, it must also use encryption technology when saving and transferring the personal information and ensure there is a personal information management policy in place.