As a massive personal information leak occurred at Coupang, debate over "punitive damages" is flaring up again. Some say the discussion could spread to KT and LG Uplus, which are under government investigation over recent hacking incidents.

On the 2nd, Bae Kyung-hoon, Deputy Prime Minister and Minister of Science and ICT, said regarding a series of hacking incidents, "Incidents that directly harm the public and cause financial instability must not be repeated, through punitive damages." The industry sees the remark as a "signal" that could apply not only to Coupang but also to telecom hacking cases.

The current Personal Information Protection Act has a punitive damages system that requires personal information controllers to pay up to five times the amount of damages if personal information is leaked through intent or gross negligence and causes harm. However, since the system was introduced in 2015, there has not been a single case in which a court recognized punitive damages. Because the law contains a proviso that it "does not apply if the personal information controller proves the absence of intent or gross negligence," the scope of liability shrinks significantly if corporations prove a certain level of management and protection measures. Kakao Pay, which faced allegations that the personal information of 40 million people was subject to transfer to China's Alipay, also ended up receiving only a penalty surcharge of 5.9 billion won.

Regarding the KT hacking incident, some say the requirements for punitive damages could be met, with this kind of proviso no longer able to serve as a "shield." KT used the same vendor authentication key across about 190,000 femtocells (small base stations) and failed even to properly manage whether the equipment was lost, fueling controversy. On top of that, suspicions have been raised that the company may have intentionally destroyed a server related to the hacking, and many assess that this "goes beyond simple negligence and amounts to grave management neglect." Some in the legal community also say, "At this level, it is hard to rule out the possibility that intent or gross negligence could be recognized."

There is also speculation that LG Uplus could be put on the chopping block for punitive damages depending on future investigation results. For now, a government investigation is underway into how the hacking occurred and the response after the incident, but if subsequent probes uncover security laxity close to intent or signs of evidence destruction or concealment, the fallout is expected to be as great as KT's.

Because telecom companies handle foundational infrastructure directly connected to financial and public services, there is a strong possibility that public criticism could grow as fierce as in the Coupang case. There is also growing momentum for arguments that the "punitive" nature of the penalty surcharge should be further strengthened, not just punitive damages.

Previously, SK Telecom was slapped with a penalty surcharge of 134.7 billion won, about 1% of revenue, over a hacking incident. But critics say that if similar-sized sanctions are repeated despite consecutive major incidents, the preventive effect will be limited. Meanwhile, KT and LG Uplus have not yet been subjected to penalty surcharges, and there is rapidly growing sentiment inside and outside the industry that the maximum allowed by law should be considered for the remaining two of the three telecom companies.

Some say that because both higher penalty surcharges and punitive damages are being discussed, telecom and platform corporations will have no choice but to fundamentally change their security investments and risk management methods. If the perception spreads that a penalty surcharge is not a simple expense to be paid when a personal information leak occurs but could grow to a level that threatens a company's existence, long-delayed replacements of outdated systems and staffing increases could be moved up. However, the industry also worries that excessive punishment could dampen corporate activity.

An IT industry official said, "Even if the same hacking method caused damage, we need detailed criteria for how to distinguish corporations that have diligently invested in information security from those that have not," adding, "If there is excessive punishment without clear standards, the side effects will be significant."
