South Korea Data Breach Penalty Rules Revised to Encourage Voluntary Reporting

The Korean Communications Commission (KCC) recently revised its data breach penalty rules to allow reductions in fines of up to 30% if companies voluntarily report a data breach to the regulator. The stated objective is to incentivize businesses to come forward of their own accord in relation to data breaches.

Following the amendment to the Act on the Promotion of Information Communication Network Utilization and Protection of Information which became effective in November 2014, businesses are required to notify customers immediately and report to the KCC within 24 hours in the event of a data breach. That amendment introduced statutory base fines of up to 3% of a company’s annual revenue and court-sanctioned compensation of up to 3 million Korean won ($2,640) to consumer victims of a data breach, with further compulsory fines of up to 50% of the statutory base fine based on the scale and duration of the breach, and also discretionary adjustments (up or down) of these additional compulsory fines to take account of the seriousness of the breach and the attitude and responsiveness of the company.  

The latest notice allows the KCC to increase or reduce the discretionary fines under the penalty regime. The implication is that timely and voluntary reporting, together with active and effective cooperation with the regulator, is encouraged and rewarded, while obstructive behavior or failure to cooperate will result in even higher penalties.

Tip: South Korea continues to add to and clarify its legislation on data breaches, in particular the significant penalties that may apply. Companies doing business in South Korea are reminded to ensure that they have adequate protections in place to try to prevent data loss, as well as a mechanism and protocol for reporting and handling data breach incidents without delay.