Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

See question 6.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Under the Network Act, the MSIT may request a company to keep access records and relevant materials if it decides that such records are necessary for analysing an intrusion incident. Although not directly obliged to keep records of cyberthreats or attacks, online service providers and financial companies are required to keep records of relevant transactions for the period prescribed under the Network Act and EFTA, as well as other regulations, respectively.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

See questions 16, 21 and 24.

Timeframes

What is the timeline for reporting to the authorities?

Under PIPA, in the event of any data leak, the relevant entity must notify the information subjects ‘without delay’ and take actions to minimise the damage. If the data leak involves more than 1,000 persons’ information being breached, the relevant entity must ‘without delay’ report the incident and the steps taken by the entity, to the MIS or the KISA.

Under the Network Act, when an online service provider detects a loss or leak of personal information, it must notify the affected user of such fact and report it to the KCC or the KISA ‘without delay’. The report should be made within 24 hours unless there are justifiable reasons.

Under the EFTA, financial companies should report intrusion incidents to the FSC ‘without delay’.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Under PIPA, the Network Act and the Credit Information Act, when personal information or credit information has been leaked, the responsible party is required to notify the affected party ‘without delay’. When making such notification, the responsible party must include the following information in its notification:

  • the specific personal information that has been leaked;
  • the time and details of the leak;
  • measures that may be taken by the affected party;
  • contact information of the department that may provide relevant assistance; and
  • the measures the responsible party is taking to minimise damage.

The responsible party shall notify the aggrieved data subjects of such divulgence in writing, etc, and post the matters, including the above, on its website for at least seven days so that the data subjects may easily recognise them. If the responsible party has no website, the responsible party shall notify the divulgence of personal information in writing, etc. and post the matters, including the above, at easily noticeable places of its workplace, etc, for at least seven days.

The authors would like to give special thanks to Seung Ah Seo, May Huiyeon Kim, Jung Min Lee, Jun Il Park, Chris Mandel and Jae Hyeong Cho for their valuable contributions to this article.