In January 2014, a massive data leak of some 104 million credit card accounts shocked South Korea. The number of affected accounts was twice the population of South Korea. The incident arose when a temporary employee of a personal credit rating agency that manages personal financial data of customers of three major credit card companies allegedly copied personal credit details of millions of people onto a portable disk drive and subsequently sold the information to loan marketers and brokers.
On March 10, 2014, the Korean Government announced plans to prevent a recurrence of a large-scale security breach in the financial sector (the “Plan”) (available in Korean here). The Plan contains a number of elements that may be modeled on the EU’s proposed General Data Protection Regulation, such as turnover-based sanctions, limitations on data transfers and data retention and a reinforcement of individuals’ rights. Some of the proposed measures are supposed to be implemented by amending existing relevant laws. Members of the National Assembly have already tabled legislative proposals for a number of amendments that reflect the Plan at a parliamentary committee meeting on February 24, 2014; however, it is at present unclear when they will be discussed and adopted by the Parliament. By contrast, other measures that do not require legislative changes are likely to be implemented as quickly as possible.
If adopted, the legislative proposals will have a significant impact in particular on financial institutions that handle a large amount of Korean customers’ personal information — such as banks, credit card companies and personal credit rating agencies. However, companies in other sectors are not off the hook, as the Government has indicated the possibility of a comprehensive inquiry to improve general personal information protection beyond the financial sector in the near future.
Key points of the Plan include:
Sanctions Against Financial Institutions
- A fine of a “certain percentage (for instance, 3%) of the relevant turnover” will be imposed on a financial institution for the unlawful use of customers’ personal information.
Note: While the Plan itself does not specify important details such as the scope of the “relevant” turnover (e.g., worldwide or national) or the ceiling of the amount, some legislative proposals are more specific. One proposal suggests a maximum fine of up to “1% of the firm’s turnover” for leaking or illegally using customers’ personal information; another proposal suggests the maximum fine as “10% of the company’s business profit.”
- The Plan increases the overall level of sanctions for a security breach. The proposed sanction is imprisonment of up to 10 years and/or a fine of up to KRW 0.5 billion (approximately USD 470,000); particularly for credit rating agencies, the Plan proposes a suspension of the business or a revocation of a business permit as possible sanctions.
Liability of Financial Institutions and Internal Governance
- The Plan reinforces a financial institution’s liability for the illegal acquisition and use of personal information by its affiliates or intermediaries. When hiring an intermediary for the marketing of loan products, a financial institution must check the lawfulness of personal information that has been acquired and is used by the intermediary. The financial institution may also be subject to sanctions in case of a violation by the intermediary. For the related legislative proposal see here.
- The Chief Information Security Officer, whom financial institutions are required to appoint, may no longer take up other IT-related leadership roles within the institution. This is to avoid a conflict of interest. The threshold for the company size to which this applies has not yet been specified. For the related legislative proposal see here.
- Financial institutions are required to annually report about the status of personal information protection and policy to their CEO, boards of directors and the regulatory authorities.
Transmission of Customers’ Personal Information to Third Parties Subject to Consent
- According to the Plan, a financial institution’s affiliated companies and third parties will not be able to use customers’ personal information without the customers’ consent; and such use must be limited to the minimum necessary period.
- When transmitting customer’s personal information to a third party, financial institutions cannot rely on the customer’s broad consent. Rather, specific consent is needed for each transmission to a third party. A consent request must clearly distinguish whether the transmission is essential or optional. Also, the request must specify the purpose of use, the identity of the third party, the period of use and destruction plans.
Note: The related legislative proposal is available here; it mainly concerns transmission of an individual’s credit information to a third party.
Limited Retention and Destruction of Customers’ Personal Information
- Financial institutions must in general destroy customers’ personal information within three months of the termination of a transaction, except for certain identification or transaction information. Such information may be kept for up to five years or, in limited circumstances governed by other laws, for a longer period. The related legislative proposal is available here.
Collection of Customers’ Personal Information (Including Mandatory Encryption of RRNs)
- The types of customers’ personal information that a financial institution is entitled to collect under the Plan are: (i) universally essential items such as name, resident registration number (RRN), address, profession and nationality; and (ii) items essential to specific financial products, e.g., annual income for long-term savings.
- Financial institutions may ask for a customer’s RRN only at the first transaction, and only by means of an encrypted keypad. For identification in subsequent transactions, other information must be used. RRNs that have already been collected must be encrypted.
Note: Every Korean national, as well as every foreigner living in Korea, has a unique national identification number (RRN) assigned by the Government. RRNs encode individuals’ personal data such as date of birth, age and address. RRNs are also extensively used for identification in banking and online services, but such use has come under criticism after several massive security breaches of banks and online service providers. On February 27, 2014, the National Assembly passed an amendment to the Personal Information Protection Act (PIPA) to make encryption of RRNs mandatory. For more information on RRNs, see InsidePrivacy, Korea Strengthens Protection for ‘Resident Registration Numbers’ (RRNs): Leaks May Face a Fine of up to 0.5 Billion Korean Won, August 7, 2013.
Customers’ Rights to Personal Information
- A financial institution must establish a system to allow customers to check the use status of their personal information by the institution itself or by third parties.
- A financial institution must assure that customers can revoke their previous consent if they so desire.
- Non-face-to-face marketing activities (via SMS, phones or emails) must be strictly limited. Financial institutions must set up a system to handle customers’ requests to opt out of any marketing communications.
- Upon the request of a customer whose transaction has been terminated, a financial institution must destroy the customer’s personal information or subject it to safety measures.
- If an identity theft is suspected, individuals can instruct a personal credit rating agency to briefly hold off responding to a third party’s request to perform credit checks for new loans or credit cards (e.g., for 24 hours).
Separate Networks for Internal and Customer Use to Prevent Cyber-Attacks
For an effective defense against cyber-attacks, the Plan requires financial institutions to establish separate network systems for internal use and for customer use.