The Personal Information Protection Commission has completed its probe into allegations of a Coupang personal data leak and begun sanction procedures. Industry watchers say the final level of sanctions on Coupang could be decided as early as June.
According to the security industry and others on the 11th, the Personal Information Protection Commission finished its investigation into the Coupang data leak and sent a prior notice of disposition to Coupang in early April. The notice is said to include matters deemed to violate the Personal Information Protection Act and the planned disposition.
Under the rules on investigations and dispositions by the Personal Information Protection Commission, the investigator must inform the party in advance of the planned disposition based on the investigation report and provide at least 14 days to submit opinions. The prior notice includes the facts constituting grounds for disposition, the planned disposition, the applicable statutes, and the deadline for submitting opinions. However, the specific size of any penalty surcharge is generally not specified in the prior notice.
After receiving the prior notice, Coupang requested an extension of the deadline to submit opinions, and the Personal Information Protection Commission accepted. Coupang then submitted a statement indicating it could not agree with the commission's overall direction of disposition. The only step left now is for the Personal Information Protection Commission to review Coupang's statement and place the item on the agenda of the full commission meeting.
Full commission meetings of the Personal Information Protection Commission are scheduled for the 13th and 27th of this month, but it has been confirmed that the Coupang item will not be introduced on the 13th. Still, with the commission said to have set an internal policy to wrap up the case within the first half, industry insiders and others see a strong chance the level of sanctions could be finalized as early as June.
Given the scale of the damage, some expect Coupang could face a record-high penalty surcharge. According to the announcement by the Ministry of Science and ICT's public-private joint investigation team, 33,673,817 items of personal information, including user names and emails, were leaked from Coupang's "edit my information page."
Under the current Personal Information Protection Act, when a personal data breach occurs, a penalty surcharge of up to 3% of the average revenue over the preceding three years can be imposed. A revision to the Personal Information Protection Act that passed the National Assembly includes a "punitive penalty surcharge special case" allowing fines of up to 10% of total revenue when a large-scale leak occurs due to intent or gross negligence, but because it takes effect in September, it does not apply to this Coupang case.
Coupang Inc., Coupang's parent company, posted revenue of about 49 trillion won last year. A simple application of 3% would put the statutory maximum penalty surcharge at about 1.5 trillion won.
However, the industry does not believe the actual penalty surcharge is likely to reach that level. Revenue not directly related to the violation must be excluded from the calculation, and mitigating factors under the notice would also be reflected.
To date, the largest penalty surcharge imposed by the Personal Information Protection Commission was about 134.8 billion won, levied last year over SK Telecom's USIM information leak.