
Legal framework

Legislation

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

In Korea, there are various laws, regulations and guidelines that promote cybersecurity: two general laws (the Act on the Promotion of IT Network Use and Information Protection (the Network Act) and the Personal Information Protection Act (PIPA)) and other laws targeting specific areas, as discussed below.

The Network Act plays an important part in promoting cybersecurity in terms of protecting personal information and enhancing data security in the context of IT networks. The Network Act also prohibits any unauthorised access to a network system by means of a transfer or distribution of a program that may damage, destroy, alter or corrupt the network system, or its data or programs.

Furthermore, the PIPA acts as a general law on personal data protection that is applied in combination with the Network Act to all incidents of data privacy infringement, including cyberattacks and data leaks.

There are additional targeted statutes, such as the Electronic Financial Transactions Act (EFTA), which includes provisions prohibiting electronic intrusion into the network systems of financial companies, and data protection is mandated for financial companies in the Regulation on Supervision of Electronic Financial Transactions (the RSEFT), which is an administrative regulation subordinate to the EFTA.

The Credit Information Use and Protection Act (the Credit Information Act) regulates entities that collect, use, investigate, manage or provide credit information (called ‘credit information companies’), and requires that such entities employ technological, physical and administrative security measures in order to protect credit information computer systems.

The Act on the Protection and Use of Location Information (the Location Information Act) specifically targets the protection of ‘location information’ and ‘personal location information’, which allows a certain individual to be located on its own or in combination with other information.

In contrast with the laws mentioned above, which are more focused on the protection of data, the Protection of Information and Communications Infrastructure Act (PICIA) is more engaged with the protection of information and communications infrastructure against ‘electronic intrusion’, which is defined as an act of attacking information and communications infrastructure by hacking, computer viruses, logic bombs, email bombs, denial of service, high-power electromagnetic waves and other means.

Though not entirely dedicated to cybersecurity or the protection of personal information, the Act on Consumer Protection in Electronic Commerce mandates the protection of relevant information in the context of electronic commerce, and the Digital Signature Act sets out various protective measures to guarantee the safe maintenance of the ‘certified digital signature’ system, which is not only used when verifying an individual but also to access a variety of forms of personal information, including accessing personal bank accounts.

Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

Following a massive data leak incident involving major credit card companies in Korea in 2014, the financial sector has made further efforts to promote cybersecurity to prevent any similar event from taking place, which has resulted in reinforcement of the statutory penalties for data leak incidents. The financial sector is required to abide by stricter standards when it comes to data protection, pursuant to a variety of cybersecurity statutes and regulations, which include the EFTA, the RSEFT, the Credit Information Act, the Network Act and PIPA. Financial institutions are regularly monitored by the Financial Services Commission (FSC) and Financial Supervisory Service (FSS) for their cybersecurity compliance.

Furthermore, online service providers (eg, e-commerce, SNS, portals and search engines) that operate their businesses through the internet have been significantly affected by the Network Act; security requirements have been continuously raised in recent years as a result of increased awareness of network vulnerability, along with the rapid growth of online businesses and increased attempts to perform cyberattacks. To check whether online service providers are operating in accordance with the Network Act and other cybersecurity laws, the Korean Communications Commission (KCC) and Korea Internet and Security Agency (KISA) monitor websites and instruct website operators to rectify any non-compliance with the law.

Has your jurisdiction adopted any international standards related to cybersecurity?

Korea has not officially adopted any international standards, such as ISO 27001. However, certain certifications with evaluation standards similar to those of ISO 27001 do exist, as explained in detail below.

The Information Security Management System (ISMS) certification granted by the Ministry of Science and ICT (MSIT) is awarded to entities that have established and are operating a ‘comprehensive management system’ that includes administrative, technical and physical protective measures for ensuring the safety and reliability of their network system. According to the Network Act, any company whose sales revenue arising from their information and communications business for the preceding year amounts to 10 billion won, or whose average daily users amount to 1 million, or whose annual sales amount to 150 billion won, is obligated to acquire the ISMS certification. A company that has earned the ISMS certification receives additional credit when evaluated for certain other government-issued certifications, and also may receive a discount when purchasing certain data protection-related insurance.

Previously, the Personal Information Management System (PIMS) certification was separately granted by the KCC to entities that have implemented necessary technical, administrative and physical measures to ensure the systematic and continued protection of personal information.

Recently, as of 7 November 2018, the ISMS and PIMS were integrated into ISMS-P, which certifies that entities are operating a ‘comprehensive management system’ that includes administrative, technical and physical protective measures for ensuring the safety and reliability of their network system, as well as personal information protection measures, in accordance with the relevant legal standards. However, despite the launch of ISMS-P, entities that do not collect or process any personal information can still apply for ISMS. An online service provider that has earned ISMS-P certification may benefit from a deduction of up to 50 per cent of the total amount of the fine in the event of any breach of the Network Act.

What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

According to PIPA, an entity that manages personal information is required to appoint a chief privacy officer (CPO), who is responsible for regularly investigating the entity’s personal information management status and reporting to the head of the organisation upon discovering any violations of data security laws.

The Network Act also prescribes that ‘online service providers’ that meet certain criteria must appoint: (i) a CPO who is responsible for protecting users’ personal information and dealing with customers’ privacy-related complaints; and (ii) a chief information security officer (CISO), who is responsible for analysing the provider’s data security system for weaknesses and ensuring security of the information network and the data.

Under the EFTA, financial companies or entities engaged in electronic financial business must also appoint a CISO, who is responsible for:

  • establishing strategies and plans to ensure the safety of electronic financial transactions and protection of users;
  • protecting IT systems;
  • managing the personnel and budget necessary to protect IT systems;
  • preventing accidents in electronic financial transactions;
  • conducting self-assessments regarding the safety of the company’s electronic financial business and IT systems; and
  • training the officers and employees in IT security.

The CISO of any financial company that employs at least 1,000 full-time employees and has total assets of at least 10 trillion won is prohibited from assuming any roles related to information technology other than those prescribed in the EFTA, as described above, for the purpose of ensuring that the CISO focuses solely on cybersecurity-related matters.

The Credit Information Act mandates the appointment of a ‘chief credit information officer’ (CCO) for credit information companies. The CCO should investigate how credit information is managed and check whether the regulations related to credit information are properly adhered to by the officers and employees of the credit information company.

The above laws impose various penalties, depending on the nature and degree of violation, on both the entity (company) and the individuals responsible for cybersecurity.

How does your jurisdiction define cybersecurity and cybercrime?

Under the National Cybersecurity Maintenance Regulation, ‘cybersecurity’ and ‘cyberattack’ are defined as follows:

  • cybersecurity: ‘maintaining the security, integrity and availability of the national information and communications network and data, through the protection of the national information and communications network from cyberattacks’; and
  • cyberattack: ‘all forms of attack through electronic means, including hacking, computer viruses, logic bombs, email bombs and denial of service, that unlawfully infringe, disturb, paralyse or destroy the national information and communications network, or steal or harm data’.

Furthermore, ‘intrusion’ under the Network Act is defined as: ‘an event resulting from an attack on an information and communications network or an information system related to such network by means of hacking, computer viruses, logic bombs, email bombs, denial of service, high-power electromagnetic waves, etc’.

Lastly, ‘electronic intrusion’ under the EFTA is defined as: ‘any attack on electronic financial infrastructure by means of hacking, computer viruses, logic bombs, email bombs, denial of service, high-powered electromagnetic waves, etc’.

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

Under PIPA and the Network Act, the following technical, administrative and physical measures must be implemented to protect data from loss, theft, leakage, alteration or damage:

  • establishing and implementing an ‘internal management plan’ that sets out the details relating to the CPO, data encryption, restrictions on access to data, response plans in case of data leak incidents, etc;
  • imposing restrictions on access to personal information;
  • adopting measures for the safe keeping and secure transfer of personal information (eg, data encryption);
  • adopting measures to prevent the forging and falsification of access logs, which are utilised upon the occurrence of data breach incidents;
  • installing and updating security programs designed to protect personal information; and
  • establishing a secure storage space for personal information.

Under the Credit Information Act, credit information companies must establish technical, physical and administrative measures, which include:

  • establishing and implementing access control systems that prevent illegal access by third parties to credit information;
  • preventing the alteration of, tampering with and destruction of the information entered into the credit information computer system; and
  • establishing a structure in which access rights to credit information are granted differentially according to each person’s position and tasks, and carrying out periodic inspections of credit information access logs.

Under the EFTA, financial companies are obligated to abide by the security standards set by the FSC with respect to the personnel, facilities, electronic devices and expenses required to secure the safety of electronic financial transactions. Furthermore, financial companies must also report to the FSC the results of their analysis of any weaknesses embedded in their systems used for electronic financial transactions and their network systems.

The Location Information Act prescribes that entities engaged in the business of location information must implement administrative and technical measures necessary to prevent any loss, alteration and damage of location information. Administrative measures must include:

  • designating a location-information management officer;
  • implementing access control for each stage of data flow, such as collection, use, transfer and destruction;
  • establishing guidelines on the obligations and responsibilities of the persons handling location information;
  • managing records of the provision of location information; and
  • conducting regular self-audits of the entity’s protection of location information.

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

There are no laws or regulations in Korea that specifically address cyberthreats to intellectual property.

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

The PICIA was established for the protection of information and communications infrastructure against ‘electronic intrusion’, which is defined as an act of attacking information and communications infrastructure by hacking, computer viruses, logic bombs, email bombs, denial of service or high-power electromagnetic waves, etc. The heads of the central administrative agencies may designate ‘critical information and communications infrastructure’ according to its national and social importance. Critical information and communications infrastructure is subject to periodic analysis and evaluation for weaknesses, and any intrusions should be reported to the relevant authorities.

The EFTA also has provisions addressing electronic infringement of the network systems of financial companies, which are utilised for electronic financial transactions.

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

There are no cybersecurity laws or regulations that specifically restrict the sharing of cyberthreat information in Korea.

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

The cyberactivities that are criminalised by the PIPA, the Network Act, the Credit Information Act and the EFTA include the following.

PIPA

Imprisonment for up to 10 years or a fine of up to 100 million won may be imposed for causing severe disruption to the business of a public institution by changing or deleting the personal information handled by such public institution; or acquiring personal information handled by a third party through illegal means and providing such information to a third party for profit or illegal purposes.

Imprisonment for up to two years or a fine of up to 20 million won may be imposed for causing loss, theft, leakage, falsification of or damage to personal information resulting from insufficient security measures.

The Network Act

Imprisonment for up to five years or a fine of up to 50 million won may be imposed for intruding into an information and communications system or causing disruption to an information and communications system.

Imprisonment for up to three years or a fine of up to 30 million won may be imposed for collecting personal information through deception in an information and communications system.

Imprisonment for up to two years or a fine of up to 20 million won may be imposed for loss, theft, leakage, falsification of or damage to personal information resulting from insufficient security measures.

The Credit Information Act

Imprisonment for up to five years or a fine of up to 50 million won may be imposed for altering or deleting information in the credit information system without proper authority; or searching or copying credit information without proper authority.

The EFTA

Imprisonment for up to 10 years or a fine of up to 100 million won may be imposed for accessing electronic financial infrastructure or altering, destroying, concealing or leaking the data stored in such infrastructure; destroying data or deploying a computer virus, logic bomb or email bomb; or causing errors in electronic financial infrastructure by sending out a large amount of data, signals or a high-powered electromagnetic wave at a single time.

Imprisonment for up to seven years or a fine of up to 50 million won may be imposed for improper use of access media (eg, falsification or alteration of access media, and the sale or use of falsified, altered, lost or stolen access media).

How has your jurisdiction addressed information security challenges associated with cloud computing?

The Cloud Computing Development and User Protection Act (the Cloud Act) was introduced as a means to more specifically address the security and data privacy issues that may arise along with the expanded utilisation of cloud computing. Although the Cloud Act aims to promote the development of cloud computing, it also provides regulations regarding the protection of data in the context of cloud computing. By stating that PIPA and the Network Act will both apply to the protection of personal data, the Cloud Act indicates that strict data protection standards will not be relinquished even within the arena of cloud computing. Recently, the Financial Security Institute published a guideline on the utilisation of cloud computing for financial companies, and the Ministry of Interior and Safety (MIS) has also published a guideline for public institutions on the utilisation of cloud computing provided by the private sector. The KISA also published a guideline on the protection of data in cloud computing in December 2017.

For financial institutions, the use of cloud computing was until now not permitted if the information system included customers’ personal information. However, the RSEFT was recently amended to allow financial institutions to use cloud computing to store and process personal information, subject to compliance with the security measures applicable to financial companies and the server being physically located in Korea. The new rule came into effect on 1 January 2019.

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

Though there is no clear indication in Korean law as to whether foreign organisations are subject to Korean cybersecurity laws, there are cases in which Korean law enforcement agencies and courts have applied Korean cybersecurity laws to multinational corporations. The rationale is that there is no significant differentiation between domestic and foreign entities. Also, under the Act on Private International Law, a consumer cannot be deprived of the protection of the mandatory provisions of the law of the country of his or her habitual residence, even if the parties agree on an alternative governing law; foreign organisations are therefore obliged to adhere to the mandatory provisions of Korean cybersecurity laws in a commercial relationship with a Korean consumer.

Generally, with respect to foreign organisations that do not have any legal presence in Korea, if they are targeting Korean consumers (for example, running a Korean language website), governmental agencies tend to demand that the foreign organisations abide by Korean cybersecurity laws and rectify any breaches thereof.

Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Government authorities such as the KCC, the MSIT and the MIS periodically publish guidelines for each cybersecurity law, which elaborate on their respective provisions. These guidelines lay out a more detailed explanation of the meaning of each cybersecurity law provision. The government has recently even gone as far as publishing guidelines on the creation of mobile applications; although such guidelines are not necessarily strictly enforceable, they provide an important reference.

How does the government incentivise organisations to improve their cybersecurity?

In 2014, the MSIT announced that the government will provide tax credits for amounts invested in data privacy-related infrastructure and offer tax relief for amounts invested in research on data privacy. In July 2016, the government also announced that it will focus on the promotion of the data privacy industry through a variety of incentives for relevant players in the industry.

See question 3 regarding the benefits accompanying ISMS and PIMS certificates.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

There are cases in which industry-specific guidelines are created. For example, the Guideline on Comprehensive Countermeasures to Prevent Personal Information Leak Accidents by Banks was published by the Korea Federation of Banks. Another example would be the Guideline for the Protection of Personal Information in the Financial Sector, which was jointly published by the MIS, the FSC and the FSS. ISMS and ISMS-P (see question 3) are also good examples.

Are there generally recommended best practices and procedures for responding to breaches?

According to the Network Act, online service providers must immediately report any incidents of intrusion into the network system (intrusion incidents) to the MSIT or the KISA, analyse the underlying cause of such intrusions and take measures to prevent additional damage. Also, if personal information has been breached in connection with such intrusions, the online service provider must immediately notify the affected individuals. In the case of financial companies, the Financial Security Institute, a governmental institution, is responsible for analysing the cause of intrusions and taking measures to respond to such intrusions.

It is advisable to seek professional advice, since an inadequate response to a breach or intrusion may subject an online service provider, or any person or entity that has breached cybersecurity laws, to criminal penalties. It is therefore common for professional firms (such as law firms, consulting firms and forensic firms) to become involved in the event of a breach.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Companies that are members of the Financial Security Institute may share information on cyberthreats, since the Financial Security Institute provides forecasts and alerts upon the occurrence of any intrusion. Online service providers often share their cyberthreat experiences with the KISA to seek its expertise. However, there is otherwise no special statutory system through which private entities may share information on cyberthreats.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

When introducing new regulations or amending regulations, the National Assembly or the relevant government organisation provides an opportunity for the citizens or various interest groups to submit their opinions or comments on the newly introduced or amended regulations. The relevant agencies, including the KISA and the Financial Security Institute, often have a meeting with various industry players to listen to current cybersecurity issues in the market.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Although insurance for cybersecurity breaches is available in Korea, such insurance is not common for various reasons, including the difficulty of accurately assessing the amount of damage in cybersecurity-related incidents. However, as recognition of the importance of cybersecurity continues to grow, it is expected that the market for such insurance will also grow.

Enforcement

Regulation

Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

The regulatory authorities that are primarily responsible for enforcing the respective cybersecurity rules are as follows:

  • PIPA - the MIS;
  • the Network Act - the KCC, the MSIT and the KISA;
  • the Credit Information Act and the EFTA - the FSS and FSC;
  • the Location Information Act - the KCC;
  • the Act on Consumer Protection in Electronic Commerce - (mainly) Korea Fair Trade Commission; and
  • PICIA - the MSIT.

There are amendment bills pending at the National Assembly that aim to consolidate the supervisory powers to one government agency.

The police and the prosecutor’s office are responsible for the investigation and the prosecution of cybercrimes that result from any breach of the aforementioned cybersecurity rules.

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

Under PIPA, the MIS can investigate companies to assess their level of data protection. Also, the Personal Information Protection Committee, which is an organisation under the jurisdiction of the President of Korea, may request companies to submit materials showing their level of compliance with the law and their personal-information management status. The MIS may make recommendations for improvement to the relevant companies if it deems it necessary for the protection of personal information.

Under the Network Act, the MSIT and the KISA may take appropriate measures to respond to cyberattacks on information networks or related information systems. The MSIT and the KCC may also request submission of relevant materials by online service providers when it has come to their attention that there has been a breach of the Network Act or the occurrence of incidents that damage the safety and reliability of data protection. The KCC regularly visits online service providers’ business places to evaluate their cybersecurity compliance.

Under the Credit Information Act and the EFTA, the FSS and the FSC are authorised to monitor financial companies’ level of compliance with the EFTA.

What are the most common enforcement issues and how have regulators and the private sector addressed them?

The most common issues are as follows:

  • a lack of organisational security measures, including obtaining proper consent from data subjects for collecting their data and sharing it with third parties, proper management of outsourced service providers and internal administrative organisation devoted to cybersecurity;
  • a lack of technical security measures, including password encryption, log-in data management, system and account access control, cybersecurity software and hardware maintenance, and proper data destruction; and
  • a lack of physical security measures, including secure entrances to computer server rooms, and CCTV systems.

When the KCC, the MOI and the FSC discover instances of the issues above, depending on the nature and consequences thereof, the agencies initiate a process for imposing penalties (and sometimes refer the case to the police and prosecutor’s office). Generally, the major private sector players hire a professional firm to voluntarily monitor their own cybersecurity compliance in advance, and respond to agencies and the police or prosecution once they initiate the sanctioning process.

Penalties

What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

In case of loss, theft, leakage, forgery or falsification of personal information as a result of one’s failure to take measures required by PIPA and the Network Act, the person in breach will be subject to imprisonment of up to two years and a fine of up to 20 million won. In particular, under the Network Act, failure to take security measures may result in an administrative fine of up to 3 per cent of the total relevant sales.

Furthermore, an administrative fine of up to 50 million won will be imposed on credit information companies that have not established the technical, physical and administrative measures prescribed by the Credit Information Act.

Under the EFTA, non-compliance with the mandated maintenance of security measures can result in an administrative fine of up to 50 million won. If financial companies leak or exploit electronic financial transaction information in violation of the standards set out by the FSC for the purpose of securing the safety of electronic financial transaction information, such financial companies will be subject to a fine of up to 5 billion won. Furthermore, the officers of financial companies may be subject to various penalties including suspension of duties, and financial companies may even be subject to suspension of their business for a period of six months.

Notably, the KCC may cancel the authorisation for a location-information business, and may even demand the discontinuance or suspension of operations by entities engaged in the business of location information that have not taken administrative and technical measures for the protection of location information. Responsible persons at such entities are also subject to up to a year’s imprisonment and a fine of up to 20 million won.

What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

PIPA prescribes that an entity handling personal information must make a report to the MIS or the KISA upon recognising an information leak involving 1,000 people or more, and failure to make such a report will result in an administrative fine of up to 30 million won.

Under the Network Act, an online service provider that has been affected by an ‘intrusion incident’ should make a report to the MSIT or the KISA, and any violation of this obligation will result in an administrative fine of up to 10 million won. Online service providers are also obliged to report the occurrence of leakage incidents without regard to the number of affected people. A breach of the above reporting obligation is subject to an administrative fine of up to 30 million won.

Credit information companies must notify the affected data subjects upon recognising that credit information has been leaked other than for valid business purposes, according to the Credit Information Act. Failure to abide by such obligation will subject the relevant credit information company to an administrative fine of up to 30 million won.

Financial companies are also subject to reporting requirements under the EFTA. Upon the occurrence of any electronic intrusion incident, financial companies should report such fact to the FSC without delay. Failure to meet such obligation will result in an administrative fine of up to 10 million won.

How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

If a party has suffered damage resulting from unauthorised cyberactivity or a failure to adequately protect systems and data, it can seek damages in civil court under the Civil Act. Furthermore, PIPA and the Network Act explicitly state that a victim who suffers a breach or loss of personal data through an intentional or grossly negligent breach of PIPA or the Network Act is entitled to seek punitive damages not exceeding three times the total amount of actual damage. The victim of a data breach or loss may alternatively seek statutory damages of up to 3 million won irrespective of the actual degree of harm, and the party that has failed to protect the data bears the burden of proving the absence of wilful misconduct or negligence.

Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

See question 6.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Under the Network Act, the MSIT may request a company to keep access records and relevant materials if it decides that such records are necessary for analysing an intrusion incident. Although not directly obliged to keep records of cyberthreats or attacks, online service providers and financial companies are required to keep records of relevant transactions for the period prescribed under the Network Act and EFTA, as well as other regulations, respectively.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

See questions 16, 21 and 24.

Timeframes

What is the timeline for reporting to the authorities?

Under PIPA, in the event of any data leak, the relevant entity must notify the information subjects ‘without delay’ and take actions to minimise the damage. If the leaked data concerns more than 1,000 persons, the relevant entity must ‘without delay’ report the incident, and the steps it has taken, to the MIS or the KISA.

Under the Network Act, when an online service provider detects a loss or leak of personal information, it must notify the affected user of such fact and report it to the KCC or the KISA ‘without delay’. The report should be made within 24 hours unless there are justifiable reasons.

Under the EFTA, financial companies should report intrusion incidents to the FSC ‘without delay’.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Under PIPA, the Network Act and the Credit Information Act, when personal information or credit information has been leaked, the responsible party is required to notify the affected party ‘without delay’. When making such notification, the responsible party must include the following information in its notification:

  • the specific personal information that has been leaked;
  • the time and details of the leak;
  • measures that may be taken by the affected party;
  • contact information of the department that may provide relevant assistance; and
  • the measures the responsible party is taking to minimise damage.

The responsible party shall notify the aggrieved data subjects of such divulgence in writing, etc., and post the matters, including the above, on its website for at least seven days so that the data subjects may easily recognise them. If the responsible party has no website, it shall notify the data subjects of the divulgence of personal information in writing, etc., and post the matters, including the above, at easily noticeable places in its workplace, etc., for at least seven days.

The authors would like to give special thanks to Seung Ah Seo, May Huiyeon Kim, Jung Min Lee, Jun Il Park, Chris Mandel and Jae Hyeong Cho for their valuable contributions to this article.

Update and trends

What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?

No updates at this time.