Data breach notification

Until the new Personal Information Protection Act (개인정보보호법/個人情報保護法) came into force on September 30, 2011, personal information processors were not obliged to notify the affected data subjects of a data breach.

Under the new Act, however, data breach notification (개인정보 침해사고의 통지/侵害事故通知) is mandatory in case of any probable data breach incident, and failure to notify exposes the personal information processor to punishment.

Key words
Personal Information Protection Act, data breach, data breach incident

Relevant provisions of the new DP Act
Article 34 (Data Breach Notification, etc.)
 * (1) The personal information processor shall notify the aggrieved data subjects without delay of the facts in the following Subparagraphs when it becomes aware that personal information has been leaked:
   1. What kind of personal information was leaked;
   2. When and how the personal information was leaked;
   3. Any information on what the data subject can do to minimize probable damage suffered from the personal information leakage;
   4. Countermeasures of the personal information processor and the remedial procedure; and
   5. Help desk of the personal information processor and contact points for data subjects to report sufferings.
 * (2) The personal information processor shall prepare countermeasures to minimize the damage in case of personal information leakage, and take necessary measures.
 * (3) In case a large-scale data breach above the level specified by the Presidential Decree takes place, the personal information processor shall, without delay, report the notification stated in Paragraph (1) and the result of the measures stated in Paragraph (2) to the Minister of Public Administration and Security and such specific institution as stated in the Presidential Decree. In this case, the Minister of Public Administration and Security and such specific institution as stated in the Presidential Decree may provide technical assistance for the prevention of and recovery from further damage, etc.
 * (4) Necessary matters in relation to the time, method and procedure of the data breach notification pursuant to Paragraph (1) shall be provided by the Presidential Decree.

Article 75 (Fine for Negligence)
 * (2) A person referred to in any of the following Subparagraphs shall be subject to a fine for negligence not exceeding 30 million won:
 * 8. A person who has failed to notify data subjects of the fact in the Subparagraphs of Article 34(1) in violation of the same Paragraph;
 * 9. A person who has failed to report the result of notification in violation of Article 34(3);
 * 10-13. Omitted.

Matter of Choice
For fear of the harsh punishment mentioned above, some personal information processors in the public or private sector could be inclined to cover up data breach incidents.

However, a massive data leakage cannot be swept under the carpet. Rather, it would be wise to make the incident public and to encourage the victims to change their IDs or passwords so as to block any chance of misuse of the stolen personal data.

Effective countermeasures can also be worked out according to the type of data breach. For further information, refer to Data breach incidents:

- Whether personal information was leaked negligently or stolen intentionally by employees (referring to the cases of Kookmin Bank, SK Broadband and GS Caltex) or leaked by outsiders (referring to the Auction case); or

- Whether both kinds of incident are combined, through inefficient technical safeguards and a lack of caution in dealing with customers' data (referring to the Lineage case).

Voluntary or mandatory data breach notification
As a matter of fact, voluntary notification of a data breach is the only way to prevent further attacks on privacy and property. Given the low probability of arresting the hackers, data breach notification can prompt the victims to be aware of probable abuse and misuse of their personal data. Eventually, it can render the leaked personal data useless.

In this context, civic groups as well as consumer activists demanded that data breach notification be established and that, if they fail to give such notification, ISPs be subject to a considerable amount of damages and/or harsh penal punishment. A contingency plan to deal with such a data breach would also be in great need. The same situation may apply to public agencies processing personal information in the public sector.

Finally, at present in Korea, the US-type class action applies only to securities fraud cases, so data protection victims have had to file lawsuits individually. The attorneys as well as the court need to confirm the plaintiffs one by one, which has taken a huge amount of paperwork and time. Accordingly, to ensure full-fledged data protection and compensation of the victims, it will be necessary to introduce a real class action, in which several representatives may file suit to compensate a class of victims of the same incident.