January 8, 2013, the Korea Communications Commission (“KCC”) amended its two previous guidance notices – one concerning the certification of an information security management system (“ISMS”), and the other concerning measures for data protection – and issued a new guidance notice concerning pre-deployment information security evaluation, all pursuant to the Promotion of Information and Communications Network Utilization and Protection of Information Act of Korea, as amended.
The above guidance notices took effect from February 18, 2013, repealing a previous safety diagnosis system that was not practically effective, and instead certain measures for data protection (such as a uniform process through an ISMS certification system) are prescribed for enterprises to take to improve their data protection levels.
Especially, the guidance notice concerning an ISMS certification system requires certain major information and communications service providers (“ICSPs”) to pass an ISMS certification process, and they include:
- Internet service providers (e.g., ISP);
- Internet data centers (e.g., IDC); and
- the ICSP, of which annual turnover from information and communications sector is 10 billion Korean won (“KRW”) or more, or which operates a website with 1 million or more daily users in average for the last 3 months of the immediately preceding calendar year.
A violation of the foregoing obligation regarding certification may entail an administrative fine of up to KRW 10 million. Thus, companies satisfying the above requirements must be aware of and perform the new obligation.