Responding quickly to personal information breaches in South Korea

By Chan Sik Ahn and Chae Eun Shin of HMP Law

Chan Sik Ahn

You will remember that Facebook was recently fined USD5 billion for privacy breaches that affected 50 million users. The U.S. Federal Trade Commission recently announced the settlement it had reached with the company because of its loss of control over personal data belonging to its users. The New York Times interpreted this development as “signal[ing] a newly aggressive stance by regulators toward the country’s most powerful technology companies.” As lawyers at a Korean law firm, we see this trend occurring in Korea as well. In this article, we would like to point out what in-house lawyers should know in case of a personal information leak in Korea.

Chae Eun Shin

Korea has some of the strictest personal information laws in the world. The Personal Information Protection Act of Korea also applies to any and all foreign companies that collect personal information of Koreans. Therefore, companies that process specific data belonging to Korean citizens should prepare countermeasures in case of a personal information breach. These countermeasures must aim to respond quickly and systematically to potential breaches in accordance with the Personal Information Protection Act (hereinafter “PIPA”) and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (hereinafter “Network Act”).

Korea has some of the strictest personal information laws in the world.

The Personal Information Protection Act of Korea also applies to foreign companies that collect personal information of Koreans.

According to Article 25 of the Standard Personal Information Protection Guideline, a personal information breach means that the personal information processor has lost control of the personal information of the information subject, or has allowed access by an unauthorized person, not in accordance with the statutes, nor with the personal information processor’s free will.

This can be caused by one of the following cases:

1. Loss or theft of written records, a portable storage device, or a portable computer containing personal information
2. A person without proper authority obtains access to the personal information processing system, such as a database where personal information is stored;
3. Files or paper documents containing personal information or other storage media containing same are mistakenly delivered to unauthorized person(s) due to the personal information processor’s misdeed or negligence; or
4. Personal information is directly conveyed to someone who does not have authority.

In other words, South Korea’s laws regarding the protection of personal information define leaks of such information very broadly, but in all circumstances, it includes a situation where the person who is supposed to be managing the personal information has lost control of it. It should be noted that the transfer of personal information to an “unauthorized” third party, even if it was not leaked on a big scale but to a specific person, is regarded as an unlawful outflow of personal information.

Personal information breach cases where companies frequently make mistakes

External attacks were cited as the top cause of personal information leaks. According to a KISA survey, these account for about 60 percent of data breaches, followed by leads caused by internal staff (whether deliberate or accidental), carelessness of the manager, and system errors.

In case of a hack, it will be most important to properly maintain the programs that manage personal information, keeping them secure and up-to-date. But the security of the program is not the only thing that matters. It is worth noting that, surprisingly, administrators, when sending emails or other electronic communication to customers, often accidentally include personal information pertaining to other customers as well.

In Korea there have been instances where some customers’ e-mail addresses were exposed to other customers in the process of sending out a large number of apologies for personal information leaks to multiple recipients, by using the Copy (CC) function instead of Blind copy (BCC). Recently, Naver, Korea’s largest internet portal, sent e-mails to some of its members to issue official Receipts for Income Tax Withholding, mistakenly including the personal information of other members in attached files. Naver said this was caused by an internal system error, but it could have been prevented if the manager had paid enough attention. In addition, it can be seen that personal information is frequently leaked in the process of sending e-mails. The company should be aware that such a route could also lead to personal information breaches in advance.

Essential measures in the event of a personal information breach

First of all, if you find out that personal information has been leaked, you must provide the affected data subjects in writing, by email, fax, telephone, or mobile phone text messaging, etc. within five days, the following details: (1) The particulars of the personal information divulged; (2) When and how the personal information was divulged; (3) Any information about what the data subjects can do to minimize the risk of damage from the leak; (4) Countermeasures taken by the personal information controller and subsequent remedial procedures; (5) Help desk and contact points for data subjects to report damage.

In addition, in case of a breach of personal information of at least one thousand individuals, update the above five items on the website for seven or more days. It is recommended that a separate page be prepared for information subjects to check for details about personal information breaches.

Lastly, in case of a breach of personal information of at least one thousand individuals, within five days the company should report (i) the result of the notification of the breach to the relevant personal information subjects and (ii) the result of remedial steps to minimize damage to the Minister of the Interior and Safety (“MOIS”) or Korea Internet & Security Agency (“KISA”). Regardless of the amount of personal information leaked, the Network Act stipulates that the personal information controller shall report the several items above to the Korea Communications Commission (“KCC”) or the Korea Internet & Security Agency (“KISA”) within twenty-four (24) hours of knowledge of the personal information breach. Overall, it is recommended to report any personal information breach to KISA without delay.

Preventing personal information breaches in advance is of course the most effective way, but if personal information has been divulged, it is imperative to quickly take action as described under point 3 above. Failure to comply may result in a separate administrative action. In addition, after taking the above steps, it’s a good idea to consult a Korean legal expert.

It should be born in mind that personal information leaks can have a very serious impact on a company’s reputation and financial bottom line, as seen in the recent Facebook case. To be forewarned is to be forearmed.