With a hacking incident at KT following the one at SK Telecom, the government is expected to impose heavier penalty surcharges on corporations where personal data leaks recur for the same reason. By contrast, it will offer incentives to corporations that take preemptive steps to protect personal information, such as increasing related investments.
The Personal Information Protection Commission on the 11th announced a "plan to strengthen the personal information safety management system" to prevent large-scale personal data leaks like the SKT case. The plan was drawn up after SKT's USIM hacking incident to preemptively prevent large-scale data leaks that have a major impact on people's daily lives.
First, the Personal Information Protection Commission will increase penalty surcharges on corporations that suffer repeated personal data leaks, such as being hacked in the same way repeatedly, and in the mid to long term will also review imposing punitive penalty surcharges.
It decided to give incentives to corporations that have taken proactive measures in advance to protect personal information. For corporations that encrypt and store personal information such as phone numbers or detailed addresses that are not legally required to be encrypted, or that have introduced a system (FDS) to detect and block abnormal signs, the government will pursue a plan to reduce penalty surcharges when a data leak occurs.
The Personal Information and Information Security Management System (ISMS-P) certification will be advanced with a focus on on-site audits, and phased mandatory adoption will be reviewed for key sectors such as mobile telecommunications.
In addition, to strengthen internal controls at corporations, it will present standards for investing in personal information protection personnel and budgets, and grant benefits to corporations that meet them.
The chief executive officer (CEO) will bear ultimate responsibility for corporations' personal information protection, and the chief privacy officer (CPO) system will be revised so the CPO can exercise real authority through measures such as introducing a designation-and-report system, regular board reports, and job security.
If damage is anticipated, the scope of notification will be expanded to include not only those whose data was actually leaked but also those at risk of a leak, and the commission will also push to use penalty surcharges to help compensate victims. This follows criticism that, because penalty surcharges are fully turned over to the national treasury, they do not help with actual victim relief.
The Personal Information Protection Commission said it will hold briefings for businesses and gather opinions to establish reasonable standards so that these measures can take root in the field, followed by steps such as revising laws and securing budgets.
Koh Hak-soo, chair of the Personal Information Protection Commission, said, "Businesses should not simply view investments in personal information protection as 'unnecessary expense,' but recognize them as 'a basic duty' and 'a strategic investment' to secure customer trust."