How South Korea Is Dealing With Data Privacy Concerns

A number of countries have enacted strict policies when it comes to the protection of personal data as well as private data. Such policies, though onerous, are supposed to provide a level of protection to society in general as well as instill confidence in a country’s marketplace and commercial sector. South Korea enacted what was supposed to be far reaching data privacy ( more stringent than the US) similar to the EU which should have , if properly followed, prevented the data leakage of 15 million credit card users’ personal data last year. The fact it did not, emphasizes the risks an organization faces in collecting, managing or using personal data.

Recently, in response to the credit card scandal of 2014 in which 3 major credit card companies faced a massive data breach, Korean data privacy laws as well as its regulations and guidelines have all been tightened in an attempt to prevent a reoccurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement and continuously update risk management processes in dealing with the protection of personal data. Whether Korea's new laws and regulations will be sucessful in stemming the tide of cyber security issues and data privacy breaches remains to be seen.

There is no doubt about it-cyber security is a major issue around the world. Cyber security concerns have insurance companies scrambling to create and offer cyber security products for multinationals and companies doing business internationally. In the public space, some countries are taking action through a comprehensive set of laws designed to protect data privacy and some are not.

Besides amending the Act on Promotion of Information and Communication Network Utilization And Information Protection ( “ICNA”) , the Korean Government has amended a number of laws and regulations including the standards governing the regulatory standards that control service providers that process personal information as well as creating guidelines for processing big data that contains personal information. A few of the more important changes are listed and/or summarized below.

STANDARDS OF PERSONAL INFORMATION SECURITY MEASURES

To prevent data breach incidents such as the massive data breach of the three major credit card companies that occurred in January 2014 , the Korean Ministry of Government Administration and Home Affairs (the “MGAHA”) announced the amended version of the “Standards of Personal Information Security Measures” (the “Standards”), which took effect on December 30, 2014. The Standards apply to all data handlers such as public institutions, companies, and organizations who process personal information and cover the management of personal information as well as the establishment of personal information protection policies.. The recent amendments by the MGAHA were implemented to address certain loopholes in and inadequacies of the previous Standards in light of the developments in the IT industry. The key points of the amended Standards include:

Major provisions that were amended

Due to the Credit Card Company Data Breach, the MGAHA added a number of safeguards to the Standards and also stipulated new security measures for mobile devices.

More specifically, the Standards contain a new provision that requires data handlers to specify information on the management/supervision of Outsourced Providers in their internal administrative plans if the processing of personal information is outsourced to the Outsourced Provider. Although this principle was emphasized in the Personal Information Protection Act, it was not explicitly stated in the previous version of the Standards. However, due to the significance of the matter, the MGAHA is presumed to have included it in the Standards amended this time around.

This section on access control has seen the most change, with some of the major provisions summarized below:

Stricter user authentication process: data handlers are now required to implement additional authentication measures when verifying a user’s identity online through use of the user’s name or resident registration number (“RRN”).
Security measures required for mobile devices as well: in addition to personal information processing systems (“PIPSs”) and work computers, mobile devices must also be equipped with the appropriate security measures to prevent personal information from being leaked to outside third parties.
Vulnerability assessment for particular identification data (“PID”): data handlers who process PID are required to conduct a vulnerability assessment at least once a year to prevent PID from being leaked, falsified, or damaged through their internet websites.

Implications of the Amended Standards

Stricter obligation for data handlers in managing/supervising Outsourced Providers

As evidenced by the Credit Card Company Data Breach and other recent data breaches, the risk of misuse/abuse and leakage of personal information has increased greatly as more and more data handlers outsource the processing of personal information but fail to oversee the Outsourced Providers’ compliance with data protection laws and regulations. There is now a stricter obligation for data handlers to manage Outsourced Providers.

Stricter security requirements for mobile devices

In light of the fact that it is now becoming more and more common for people to conduct business on their mobile devices, the Standards were amended to include “mobile devices” and therefore data handlers who intend to process personal information with a mobile device will need to confirm that the mobile devices of their employees and officers satisfy the security requirements for mobile devices set forth in the Standards.

There are other major changes in Korean data privacy laws, regulations and financial control laws as well that help tighten up the use and protection of data. Those will be a topic for another day.