In a previous blog post, I have discussed certain updates to Korea's data privacy laws. The updates are in response to the credit card scandal of 2014 in which 3 major credit card companies faced a massive data breach. Korean data privacy laws as well as its regulations and guidelines have all been tightened in an attempt to prevent a reoccurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement and continuously update risk management processes in dealing with the protection of personal data. Whether Korea's new laws and regulations will be successful in stemming the tide of cyber security issues and data privacy breaches remains to be seen.

One of the principal revisions of Korea's data privacy regulations is the recent amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection ("ICNA"). The revisions have potential major implications on those it regulates such as information service providers ("ICSPs") or communication service providers. ICSPs include numerous online service providers including e-commerce companies, website operators, online content providers as well as the traditional telecommunications service providers and communication companies.

There are many changes to ICNA but the major changes are as follows:

1. Collection of information on privacy- ICSPs are limited from collecting more than the absolute minimum level of privacy related information from users, regardless of whether they obtain the user's consent or not.

2. Report of Data Breach- there is a 24 hour deadline in reporting a data breach to the Korea Communications Commission ("KCC").

3. Penalties- the penalties for failure to destroy personal information have increased. ICSPs must implement necessary measures to destroy personal information of users so it may not be restored. Failure to do so may result in criminal prosecution.

4. Statutory Damages- statutory damages for ICSPs' failure to adequately protect personal information from being stolen, hacked, lost or leaked have increased to $2,900 USD in case of willful or negligent misconduct.

5. Increased Administrative Penalties- Administrative penalties have increased in the case of ICSPs who collect or process personal information without the users' consent. The penalty has now increased to 3% of annual turnover. There was a cap of USD 95,000 on the administrative penalty in case a data security breach occurred due to the ICSP's failure to implement adequate safeguards to protect users' personal information. The cap has been lifted which may now expose ICSPs to increased litigation.

6. Chief Privacy Officer- ICSPs who meet certain criteria are required to designate a Chief Privacy Officer (CPO) and report such designation to the Minister of the Ministry of Science, ICT & Future Planning. The criteria to determine whether an ICSP must designate a CPO are based on a minimum number of users and employees.

7. Direct Marketing- No one, whether an ICSP or not, can engage in the direct marketing of personal information by electronic means without having an opt-in consent in place from the potential recipient.

Major Concerns

- The legal risks associated with violations of ICNA and other personal privacy related statutes have significantly increased as stricter regulations now impose heavier fines including criminal prosecution.

- The ICNA provides for lighter sanctions or even exemption from sanctions if the ICSPs have carried out or performed their duties in "Good Faith". For companies to take advantage of this they need to immediately implement reasonable internal procedures and standards to show compliance with the new regulations.

- Management is presumed to have a greater awareness of data privacy breaches as well as the stricter duties regarding the collection, usage and processing of personal information. Therefore, the ICSPs now have the burden of proof to prove lack of negligence or willful misconduct related to data breaches.

As with the other changes in Korea's personal information and data privacy laws, we will see if the recent revisions and amendments have the intended impact. What is apparent is that the new amendments place a heavy burden on ICSPs which will likely result in more litigation and greater penalties and fines.

Credit Insurance- Protect Your A/R

These days, many companies are faced with numerous risks such as cyber security threats, government investigations, scandals, onerous litigation, etc. These threats and others of course pose a great risk to the long term viability of a company. Manufacturing companies as well as distributors face the added burden of dealers and retailers declaring insolvency or refusing to pay their debts as they become due for a number of reasons. Fortunately, commercial credit risk insurance, sometimes called “trade” credit risk insurance, can help a company protect its accounts receivable (A/R) from unexpected losses due to nonpayment or slow payment by the company’s buyers or debtors. It usually covers nonpayment because of a buyer’s insolvency but may also cover nonpayment due to political events that hinder payment or distributors on credit. A/R is the money owed to a company by its customer for products and services sold on credit. Normally, a sale is only treated as an account receivable after the customer has been invoiced for the product or service.

Depending on the industry and size of the company, it may or may not sell many or all of its products via credit. The risk, therefore, of nonpayment or slow payment (90 or 180 days after invoice, etc.) can be quite serious and expose the company to a potential crisis if the A/R is not paid. This is a major concern for any company selling product on credit.

In fact, on a number of occasions, I had to deal with bankruptcy issues because dealers and retailers of the company I worked for declared bankruptcy. Because we had a sound risk management program in place, one that also had credit insurance, we were not exposed to the extent of other creditors that had failed to obtain credit insurance. So even though the company I worked for was one of the major unsecured creditors, its exposure was primarily the deductible it had to pay as part of the insurance coverage.

Types of Credit Risks

Credit risk insurance normally covers two kinds of risk: commercial risk and political risk.

Commercial risk

Note:  Credit risk insurance will not usually cover nonpayment due to contractual or legal disputes between the company and customer.

Benefits of Credit Insurance

There are numerous benefits for using credit insurance, if applicable. The most obvious benefits are:

Transfer or mitigation of risk. Credit insurance assures a company that its A/R will be paid if one of its customers declares bankruptcy or is unable to pay. This is subject to the terms and conditions of the insurance policy.

When a company initially sets up its risk management processes it should pay attention to credit insurance or trade insurance if that insurance is available in its industry and for the products it sells. It is another way of transferring risk when debtors are unable to pay outstanding A/R. Remember, insurance is a way of transferring risk. Use it.

When managing risk consider insurance

Though most people don’t consider how risky everyday life can be, most companies and organizations understand that risk exists around every corner. The trouble is that some companies still do not take adequate steps to properly manage risk. Consider the recent incident of the executive who died via a treadmill accident when he hit his head. Though the accident was a freak accident- nonetheless it happened. If you drill down a little closer, you will find out that fatalities related to exercise and sports are not that uncommon. Perhaps they are more common than we would like to believe. Everyday life, whether business related or not, carries a certain amount of risk. Though companies may use insurance to manage risk, the problem arises when the insurance program in place doesn’t really address the potential risks the company faces. That is the problem many companies don’t realize until it is too late- say after that catastrophe that wiped out the stock or assets of the company.

It should be noted that companies use insurance as a risk mitigation or transfer tool and that they manage insurance programs differently than the average consumer. However, when developing a risk assessment of insurance considerations, data is extremely important when considering a probability or a risk-related event. The collection of relevant data will determine what kind of insurance policies can be obtained, the price, and even the availability of certain insurance programs. How far back a company can go historically to obtain data determines the potential risks a company faces and, therefore, what insurance program and insurance provider is available as well as the costs involved.

When looking at risk insurance programs, the first question that should be asked by the company is whether it has accurate data. Does it have a good risk management information system in place? If not, does its insurance broker or provider have one? Or maybe the insurance broker or provider can help develop one.

Accurate data leads to the right risk management strategy and the right insurance program. Lack of data makes it harder to have an accurate picture as to the risks involved and, therefore, harder to develop the appropriate insurance strategy and program. It is necessary to obtain accurate historical data if at all possible.

The main reason that companies make extensive use of insurance coverage is to diversify and shift risk through use of business-related insurance. Insurance, if properly used and maintained, can be a major risk management tool.

A major issue facing companies when trying to insure legal risk is the insurability of the risk. In essence, the cost of insuring the risk may be too great to justify the particular form of risk insurance. So when a risk assessment identifies a business risk, not only does the company need to determine if insurance coverage exists to cover the risk, but whether the cost of such insurance justifies its acquisition. Many manufacturing companies will not purchase product recall insurance or similar insurance because of its expense. Some manufacturing companies or organizations will not even purchase credit insurance because of its expense. Therefore, a company or corporation must pay attention to costs and consider methods to reduce the cost of insurance.

Questions you should ask yourself when considering insurance:

  1. Is the risk analysis accurate?
  2. Can the current insurance coverage adequately minimize risk?
  3. Are the insurance policies in effect priced correctly?
  4. Does the cost of the insurance policy justify its acquisition?
  5. How to best use insurance as a risk management tool to transfer risk?
  6. Is the broker giving sound advice?

As with anything, asking the right questions is half of the battle.

A number of countries have enacted strict policies when it comes to the protection of personal data as well as private data. Such policies, though onerous, are supposed to provide a level of protection to society in general as well as instill confidence in a country’s marketplace and commercial sector. South Korea enacted what was supposed to be far reaching data privacy (more stringent than the US) similar to the EU which should have, if properly followed, prevented the data leakage of 15 million credit card users’ personal data last year. The fact that it did not emphasizes the risks an organization faces in collecting, managing or using personal data.

Recently, in response to the credit card scandal of 2014 in which 3 major credit card companies faced a massive data breach, Korean data privacy laws as well as its regulations and guidelines have all been tightened in an attempt to prevent a reoccurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement and continuously update risk management processes in dealing with the protection of personal data. Whether Korea's new laws and regulations will be successful in stemming the tide of cyber security issues and data privacy breaches remains to be seen.

There is no doubt about it- cyber security is a major issue around the world. Cyber security concerns have insurance companies scrambling to create and offer cyber security products for multinationals and companies doing business internationally. In the public space, some countries are taking action through a comprehensive set of laws designed to protect data privacy and some are not.

Besides amending the Act on Promotion of Information and Communication Network Utilization And Information Protection (“ICNA”), the Korean Government has amended a number of laws and regulations, including the regulatory standards that govern service providers that process personal information, as well as creating guidelines for processing big data that contains personal information. A few of the more important changes are listed and/or summarized below.

STANDARDS OF PERSONAL INFORMATION SECURITY MEASURES

To prevent data breach incidents such as the massive data breach of the three major credit card companies that occurred in January 2014, the Korean Ministry of Government Administration and Home Affairs (the “MGAHA”) announced the amended version of the “Standards of Personal Information Security Measures” (the “Standards”), which took effect on December 30, 2014. The Standards apply to all data handlers such as public institutions, companies, and organizations who process personal information and cover the management of personal information as well as the establishment of personal information protection policies. The recent amendments by the MGAHA were implemented to address certain loopholes in and inadequacies of the previous Standards in light of the developments in the IT industry. The key points of the amended Standards include:

  1. Major provisions that were amended

Due to the Credit Card Company Data Breach, the MGAHA added a number of safeguards to the Standards and also stipulated new security measures for mobile devices.

More specifically, the Standards contain a new provision that requires data handlers to specify information on the management/supervision of Outsourced Providers in their internal administrative plans if the processing of personal information is outsourced to the Outsourced Provider.  Although this principle was emphasized in the Personal Information Protection Act, it was not explicitly stated in the previous version of the Standards.  However, due to the significance of the matter, the MGAHA is presumed to have included it in the Standards amended this time around.

This section on access control has seen the most change, with some of the major provisions summarized below:

  2. Implications of the Amended Standards
    1. Stricter obligation for data handlers in managing/supervising Outsourced Providers

As evidenced by the Credit Card Company Data Breach and other recent data breaches, the risk of misuse/abuse and leakage of personal information has increased greatly as more and more data handlers outsource the processing of personal information but fail to oversee the Outsourced Providers’ compliance with data protection laws and regulations. There is now a stricter obligation for data handlers to manage Outsourced Providers.

    2. Stricter security requirements for mobile devices

In light of the fact that it is now becoming more and more common for people to conduct business on their mobile devices, the Standards were amended to include “mobile devices” and therefore data handlers who intend to process personal information with a mobile device will need to confirm that the mobile devices of their employees and officers satisfy the security requirements for mobile devices set forth in the Standards.

There are other major changes in Korean data privacy laws, regulations and financial control laws as well that help tighten up the use and protection of data. Those will be a topic for another day.

Recently, Korea’s government has been racked by a corruption scandal that has resulted in the resignation of Prime Minister Lee Wan-Koo. The scandal threatens to engulf Park Geun Hye’s administration and may result in an early application of Korea’s new anti-graft law resulting in prison sentences for some government officials. No one wants to be implicated in scandals involving graft or corruption of government officials including corporations.

One mistake many companies make with regard to crisis management is the failure to adequately implement existing risk management protocols and processes. Many crises are in fact preventable or foreseeable and could be avoided had adequate risk management procedures been implemented and followed.
