The Korean National Assembly has passed new rules that will require stricter data control measures among “information and communications service providers” (or “IT service providers”), including telecoms, web portals and website operators. At the same session earlier this month, the legislature also passed new rules to restrict data sharing among financial holding company affiliates.
Under amendments to the Act on Promotion of Information and Communications Networks Utilization and Information Protection, Etc. (or “IT Networks Act”), in case of a breach of personal data maintained or handled by an IT service provider, the IT service provider will have to report the data breach within 24 hours after learning of it, and may be liable to each affected user for statutory damages of up to KRW 3 million (approx. USD 3,000).
Separately, under changes to the Financial Holding Companies Act, data sharing among financial holding company affiliates will be subject to customer consent and notification requirements. This has a retroactive aspect: Information that was previously shared without such consent/notification will not be exempt, but will have to be destroyed.
Pushed through in the wake of a large-scale data breach involving credit card issuers earlier this year, the new rules will likely be promulgated later this month or in June 2014, and for the most part they will take effect 6 months later, i.e. probably in November or December 2014. However, the customer notification requirement for data sharing among financial holding company affiliates will take effect one year after promulgation, i.e. probably in May or June 2015.
Main aspects of the new rules are summarized below.
Amendments to IT Networks Act
The rules under the amended IT Networks Act will apply to IT service providers, which is a broadly defined group. In addition to phone carriers, web portals and e-commerce firms, the group can include virtually any entity that operates a website for commercial purposes, and the rules become relevant for any such entity that collects or handles personal data from users.
- Duty to report a data breach within 24 hours: Upon discovering a leak or theft of personal information, the IT service provider must, absent “proper” reason to do otherwise, report the same within 24 hours to the affected users, and to the Korea Communications Commission or the Korea Internet & Security Agency. Under the existing rules, in contrast, the requirement is to report “without delay”, a looser timetable.
- Liability for statutory damages in case of data breach: In case of leakage or theft of user personal information, the user will be entitled to claim from the IT service provider up to KRW 3 million (approx. USD 3,000) in statutory damages, without needing to show actual loss resulting from the data breach. The law does not specify the criteria for determining the amount of damages in a given case. In contrast, existing rules already allow a claim for damages but require a showing of actual loss.
- Criminal penalty for lax disposal of information: Under both current and new rules, an IT service provider must, when destroying personal information, take measures to preclude copying or restoring of the information. However, under the new rules, a violation may incur criminal penalties, including a criminal fine or imprisonment, whereas existing law only calls for an administrative fine.
- Duty to appoint data security officer: Larger-scale IT service providers, based on workforce and user count thresholds, will be newly required to appoint a “chief information security officer” and report the appointment to a government ministry. The size thresholds have yet to be prescribed—normally this would follow within a few months, in any case ahead of the effective date of the new rules.
- New limits on phone and text ads: While existing law already restricts email spam, the amended law will additionally prohibit various kinds of for-profit phone and text advertising techniques, such as automatic phone number registration.
Amendments to Financial Holding Companies Act (FHCA)
The new rules under the FHCA will apply to financial holding company affiliates.
- Customer consent generally required for information sharing: Under the current FHCA, a financial holding company affiliate could, without customers’ consent, furnish their personal credit information to another affiliate for broad purposes of “use in business”. Under the amended rules, however, a financial holding company subsidiary cannot, without prior customer consent, pass a customer’s information to another subsidiary, except for “internal management control” purposes, such as management of the customer’s credit risk. Violations will be subject to an administrative fine, of up to KRW 50 million (approx. USD 50,000).
- Added protective measures: Financial holding companies will also be subject to requirements for added protective measures, such as customer data encryption and data deletion. Specifics of these measures are to be further decided and prescribed by the Financial Services Commission, presumably within the next few months.
- Notification of information shared: When a financial holding company affiliate passes customer information among its group, the affiliate must give notice of this to the customer. This particular rule will take effect 12 months after promulgation, i.e. probably in May or June 2015, while the other FHCA rules noted above will take effect in 6 months, i.e. probably in November or December 2014. In other words, starting towards the end of 2014 a financial company will need prior customer consent before passing information at all; and from probably May or June 2015 it will, in addition, have to notify the customer whenever it actually passes the information.
- Retroactive effect—need to delete prior shared information: Information that has been shared in a way contrary to these rules (including sharing before the new rules were announced) must be destroyed within 3 months after the rules take effect. This would include destruction of information that one affiliate has, without customer consent, obtained from another affiliate for a purpose other than “internal management control”. So, for example, if the requirement of customer consent takes effect in November 2014, and the notification requirement takes effect in May 2015, then apparently the new rules could require destruction of information by February 2015 (3 months from November 2014), or by August 2015, depending on the circumstances of the information.
These new FHCA rules raise a number of questions of interpretation and implementation, and they will no doubt pose operational challenges. The financial sector may well soon see a broad collective effort to work out the appropriate compliance measures.