South Korea Introduces Punitive Damages Resulting from Data Breach

South Korea amended its Personal Information Protection Act last month by adding punitive and statutory damages to the statute. The amendment will become effective in July 2016 and will allow Korean courts to award punitive damages of up to three times the actual damage from the “loss, theft, leakage, forgery, alteration, or impairment of personal information due to a deliberate act or a serious error.” In other words, damages resulting from a data breach. Another new provision enables consumers to claim statutory damages of up to 3 million Korean won ($2,640) unless the defendant proves that it is not at fault in relation to an alleged breach.

This new amendment is the latest in a series of more stringent requirements and penalties in relation to data privacy issued by the South Korean government following a number of major data breach incidents, including those involving South Korea's three largest credit card companies. These new damages provisions follow and mirror those of the amended Use and Protection of Credit Information Act in February 2015 applicable to credit information companies. An amendment to the Act on the Promotion of Information Communication Network Utilization and the Protection of Information in May 2014 already allows for fines of up to 3% of a company's revenue in connection with data protection violations.

TIP: The latest amendment is consistent with other recent developments in South Korea and makes punitive and statutory damages broadly applicable. It is expected that the number of lawsuits relating to personal data breaches will increase significantly. Accordingly, companies operating in South Korea should act swiftly to ensure that they are aware of all the new requirements and compliant with data protection laws in general.