[Personal Information] Fine imposed for violation of personal information protection measures? Verify the importance of technical and administrative protection measures!
Article posted in 2022-04-19 18:16:46 | VEAT

Do you overlook mandatory security measures due to complex personal information processing procedures, lack of specialized personnel in personal information processing, and insufficient personal information protection?
According to the 2021 Personal Information Protection Status Survey, both public institutions and private companies consider personal information protection important, but they feel “difficulties related to personal information protection” due to a lack of specialized personnel and complex personal information processing procedures.
Does our company overlook mandatory personal information protection measures for these reasons? Please verify the importance of technical and administrative protection measures in accordance with the “Personal Information Protection Act” as follows.
As stipulated in Article 29 of the “Personal Information Protection Act,” negligence in fulfilling mandatory security measures can lead to penalties. This type of situation frequently occurs, and it is essential to note that mandatory security measures are aligned with the purpose of the “Personal Information Protection Act,” which is to protect the rights of individuals, and failure to comply can result in serious damage to the information controller. According to Article 39 of the “Personal Information Protection Act,” if personal information is lost, stolen, leaked, falsified, modified, or damaged due to the intentional or gross negligence of a personal information controller, the controller is liable for compensation. The criteria for determining this intentional or negligent conduct primarily consists of the extent to which the protective measures stipulated in the “Personal Information Protection Act” and its enforcement regulations have been implemented.
When personal information is leaked,
Can you avoid liability for damages?
If personal information is leaked, under what circumstances can you avoid liability for damages? In cases of information leakage due to hacking, if the company has not taken the protective measures stipulated in the “Personal Information Protection Act” or if a security incident occurred due to a failure to take such measures, liability can be avoided. Additionally, if an executive other than the company’s representative commits a violation of the “Personal Information Protection Act” by leaking personal information and assumes liability for damages, the personal information controller may be liable to compensate the executive for damages arising from the administration and supervision, but if significant attention was paid or was given to the management and oversight, or if such attention was given, liability can be avoided if damage resulted from the leak. Therefore, personal information controllers need to carefully verify and supplement protective measures stipulated in “Personal Information Protection Act” to reduce the burden of liability for damages.
In particular, with regard to the security measures for personal information of communication service providers, etc., due to the reach and spread of the communication network and the fact that services are primarily provided online, special provisions have been established. The Supreme Court has stated that when determining whether a communication service provider has violated a legal or contractual obligation to take necessary protective measures for the security of personal information, it must comprehensively consider various factors and “whether the provider has fulfilled the reasonably expected protective measures at the time of the security incident.” (Reference: Supreme Court Ruling on 2015d24904, 24911, 24928, 24935).
① The level of cybersecurity commonly known at the time of the security incident
② The industry and business scale of the communication service provider and the overall content of security measures taken by the provider
③ The economic cost and degree of efficacy related to cybersecurity
④ The potential for avoiding damage based on the level of hacking technology and the development of cybersecurity technology
⑤ The content of personal information collected by the communication service provider and the extent of damage to users resulting from the leakage of personal information
When personal information is leaked,
Can you avoid liability for damages?
Moreover, it is important to note that the “Personal Information Security Measures Standards” stipulated for personal information controllers and the “Technical and Administrative Protection Measures Standards” stipulated for communication service providers must be carefully reviewed. The Supreme Court has ruled that even if protective measures stipulated in the regulations have been “duly implemented,” liability can be assessed if the provider has not fulfilled the reasonably expected protective measures.
Additionally, the Court has stated that failure to comply with the “duty of care” to refrain from facilitating illegal actions, and if a “substantial relationship” exists between the damage caused by such an act and the damage suffered by a victim of the illegal act, the action may be considered a joint illegal action and the parties may be held jointly liable.
If personal information is lost, stolen, leaked, falsified, modified, or damaged, the personal information controller will be liable for damages, as stipulated in Article 73(1) of the “Personal Information Protection Act,” and may be subject to imprisonment for up to 2 years or a fine of up to 200 million won. Therefore, it is essential for personal information controllers or communication service providers to carefully examine detailed standards for security measures for personal information.
Specifically, Law Firm Veat provides comprehensive consulting services to companies that handle personal information, ensuring compliance with the “Personal Information Protection Act,” its enforcement regulations, “Personal Information Security Measures Standards,” and “Technical and Administrative Protection Measures Standards.”
Contact Law Firm Veat for legal review of whether personal information protection is being carried out in accordance with mandatory security measures.
Thank you.
Law Firm Veat Team.