
Practical Takeaways Related to the Comprehensive Solution Package for Enhanced Data Protection

In response to the massive data breaches of three major Korean credit card companies that occurred last January, the Korean government launched a pan-government task force (the “PTF”) consisting of members from 18 government agencies dedicated to establishing stronger measures for the prevention of security breaches and protection of personal information. On July 31, 2014, the PTF announced a comprehensive solution package (the “CSP”) with 98 subcategories designed to cover and tighten a broad range of data security safeguards. Given the importance of the CSP and the magnitude of its potential implications on those subject to the CSP’s provisions, we have summarized below certain key points of the CSP, including its legislative background and practical takeaways.
1. Background
- In light of the recent massive data breach incidents, public sentiment has decisively swung towards increased regulation and scrutiny of the processing of personal information and an overhaul of Korea’s privacy-related laws and regulations.
- The CSP is meant to serve as a base plan for a fundamental paradigm shift in the field of data protection and data security.
- The spirit and major provisions of the Comprehensive Solution for the Prevention of Security Breaches in the Financial Sector (“Comprehensive Solution for Financial Sector”; announced on March 10, 2014) and the amended version of the Act on Promotion of Information and Communications Network Utilization and Information Protection (“ICNA”; promulgated on May 28, 2014, scheduled to take effect on November 29, 2014) (please see our previous newsletter for more details) will be applied more extensively to the Personal Information Protection Act (“PIPA”). The government also stated its plans to further amend previously amended laws, regulations and rules to reflect the new requirements included in the CSP.
- The PIPA is expected to undergo its biggest overhaul since it took effect on September 30, 2011, while the Use and Protection of Credit Information Act (“UPCIA”) and the Resident Registration Act (“RRA”) are also scheduled for amendment.
- As such, now more than ever, there are major implications for companies and businesses handling personal information, including on- and off-line service providers, financial firms, medical institutions and educational institutions.
2. Key Points of the CSP
(1) Punitive damages and statutory damages available
- Punitive damages: Individuals who suffer damages due to a data breach caused by the data handler’s willful misconduct or gross negligence may be entitled to punitive damages of up to three times the actual damages. The punitive damages cover both property and non-pecuniary loss, while the plaintiff bears the burden of proof with respect to the amount of actual damages.
- Statutory damages: Individuals whose personal information has been lost, stolen, or leaked due to a data breach may request damages up to a certain amount prescribed by statute (e.g., KRW 3 million under the ICNA), based on the existence of a data breach and the negligence or willful misconduct of the company. Unlike the punitive damages provision, plaintiffs are not even required to prove the amount of damages they suffered. (The ICNA has already been amended to include a statutory damages provision. Pursuant to the CSP, the UPCIA and PIPA will also be amended to include such a provision.)
- Damage claims available against both data handlers and outsourced data processors: Individuals may, at their election, claim damages against either the data handler or the data processor to which the handling of the individual’s personal information was outsourced. This translates into stricter responsibilities for the third-party service provider (PIPA to be amended accordingly).
- Up until now, whenever the liability of a data handler in connection with an information security incident was at issue, victims of a data breach were typically awarded KRW 100,000-200,000 (appx. USD 100 – 200) per individual as compensation for damages they suffered from a data leak or a statutory violation by the data handler.
- Particularly noteworthy among the key points of the CSP is that victims of data breaches may recover either up to three times their actual damages as punitive damages, if they succeed in proving actual damages, or statutory damages within an increased cap (e.g., KRW 3 million, appx. USD 3,000) without having to prove the specific amount of their actual damages.
- With the burden of proof shifted to the companies, companies are now responsible for proving that they exercised due care in protecting the personal information of employees, users, etc., and thus were not at fault for the ensuing data breach incident. To minimize the legal risks associated with statutory violations and data breaches, companies should (i) establish and implement reasonable security measures and (ii) accumulate the evidence necessary to show their compliance with laws, regulations, etc.
- The above clauses providing for increased compensation of damages to victims of data breaches carry the risk of opening the floodgates to litigation. Furthermore, these changes to the laws may result in material contingent liabilities for companies in their business management and corporate governance.
(2) Increased responsibility of CEO and CPO
- The chief privacy officer (“CPO”) must be designated as an executive of the company and is required to report any information security issues to the chief executive officer (“CEO”). (A parallel provision was included in the Comprehensive Solution for Financial Sector. The PIPA is to be amended accordingly.)
- If a corporation violates any of the data protection or privacy-related laws, the ministry having jurisdiction over the corporation’s industry or business may recommend disciplinary action (including dismissal) against the responsible executive, including the CEO.
- The first requirement above (regarding the CPO) extends the Comprehensive Solution for Financial Sector and the ICNA to the PIPA. Once it becomes applicable to every data handler, it will be extremely difficult for the CEO and other executives of enterprises to be free from liability for violations of data protection laws.
- On the other hand, the second requirement above extends an existing PIPA requirement to the ICNA. The CSP expands the scope of business entities subject to the regulator’s recommendation for disciplinary action (including dismissal) against the CEO, etc., in the case of violations of data protection or privacy-related laws. This means the regulator may recommend dismissal of the CEO or another executive of an online company for violation of the ICNA. It may also raise the issue of directors’ liability for breach of fiduciary duty under corporate law.
- Thus, companies need to cope with the increasing risks for executives, who now take on more liability than ever with regard to data protection issues.
(3) Greater flexibility for technical and managerial safeguards
- Instead of prescribing detailed criteria for the technical and managerial safeguards to be implemented, only basic principles and minimum requirements will be provided to companies. Companies will be responsible for designing their own individual security measures based on those basic provisions. (The Standards for the Technical and Managerial Safeguards of Personal Information and the Regulations on Supervision of Electronic Financial Activities are to be amended accordingly.)
- Until now, companies could, to some extent, prove that they were not negligent simply by showing compliance with the specific technical and managerial safeguards prescribed by data protection laws. Under the CSP, however, they must on their own identify or develop, and then implement, the applicable safeguards as adequately as possible. Companies will likely have difficulty setting standards for adequate and applicable safeguards, which in turn will make it harder for them to prove the absence of negligence.
- Companies will need to evaluate whether higher standards must be applied than the measures currently implemented, taking into account the volume of personal information they handle, the sensitivity of that information, their company size and the like.
- To this end, they should actively take advantage of the existing self-regulatory systems through the various certifications available (e.g., PIPL, PIMS, ISMS, etc.).
- By allowing companies to define their own safeguards based on security targets and objectives stipulated by the Ministry of Security and Public Administration, the Korean government is reviewing the possibility of transitioning from a government-centered data protection regime to one that is more company-focused.
(4) Changes of resident registration number (“RRN”) administration system
- New RRNs may be issued in exceptional cases: A person who suffers significant physical harm or property damage, or who faces a significant risk of such harm, due to the leakage of his/her RRN may apply for a new RRN (RRA to be amended accordingly).
- Minimization of the collection/use of RRNs and stronger encryption of RRNs: Starting on August 7, 2014, the collection/use of RRNs will be generally prohibited, but a six-month temporary guidance period lasting until February 6, 2015 will also be provided.
- Korea’s RRN-centered identification system has been strongly criticized as the fundamental cause of many of the data leak cases, along with the highly prevalent IT infrastructure deployed in Korea.
- Since 2012, the government has already endeavored to change the RRN-centered identification system. Companies still relying on RRN-centered identification need to promptly establish an alternative identification system, considering that the restrictions on the collection/use of RRNs apply from August 7, 2014.
- Companies that inevitably have to collect RRNs will be held more heavily liable for any violation of the requirement to implement safeguards (e.g., encryption) with respect to those RRNs. Further, such companies will also need to be prepared to build systems that can cope with a change of RRN, if an individual is allowed to change his/her RRN pursuant to the law.
(5) Improved consistency among data protection laws
- The CSP limits the scope of persons subject to the ICNA and the UPCIA and clarifies the standard for exclusive application of the PIPA:
> ICNA (currently, anyone who utilizes an information and communications network for commercial purposes is subject to the ICNA, but pursuant to the CSP the ICNA will only be applicable to telecommunications service providers and mail-order distributors, etc.)
> UPCIA (currently, anyone who uses or provides credit information is subject to the UPCIA, but pursuant to the CSP the UPCIA will only be applicable to financial firms, credit information companies, etc.)
- Enhancement of the authority and roles of the Personal Information Protection Commission.
- Once the applicable laws are amended in line with the CSP, this is expected to substantially reduce the practical difficulties arising from inconsistencies between the laws, questions of jurisdiction and applicability, and the like.
- However, the flip side of the sharp reduction in the number of entities subject to the ICNA and the UPCIA is that the Korea Communications Commission and the Financial Services Commission/Financial Supervisory Service are expected to strengthen enforcement of the applicable laws, as they will be able to concentrate their regulatory powers on fewer entities.
3. Conclusion
- Multiple steps to be taken
To implement the CSP, additional steps remain to be taken – e.g., enactment/amendment of the pertinent laws by the National Assembly, followed by enactment/amendment of implementing regulations, rules, guidelines, etc. – and such laws, regulations, etc. will take full force and effect gradually, step by step.
- Due care and supervision of data protection strongly recommended
If data handlers perform their legal obligations, take due care and exercise close supervision over their employees and vendors pursuant to the laws, their liability may be reduced or exempted. Taking this into account, data handlers need to establish and implement appropriate standards of fiduciary duty for the protection of personal information, and also keep accumulating evidence of such efforts in order to minimize the legal risks arising from a possible data breach or violation of data protection laws.
- From 2015, when the CSP is likely to be implemented in full, companies need to raise their standard of data protection to the level applied to the protection of their trade secrets. Further, enterprises need to keep an eye on the amendment of applicable laws, regulations, etc., and hurry to prepare their own appropriate and adequate data protection measures, well-tuned to the new paradigm to the extent reasonably feasible.
─ CONTACT ─
Attorney Kwang Bae Park
T: 82.2.772.4343
E: kbp@leeko.com
Attorney Hwan Kyoung Ko
T: 82.2.2191.3057
E: khk@leeko.com
For more information pertaining to this newsletter, please contact Kwang Bae Park or Hwan Kyoung Ko, listed above.
The Lee&Ko Legal Newsletter is provided for general information purposes only and should not be considered as the rendering of legal advice for any specific matter. If you no longer wish to receive our newsletter service, please reply to this email stating UNSUBSCRIBE in the subject line. The contents and opinions expressed in the Lee&Ko Legal Newsletter are protected by law against any unauthorized use.