Korean Business Law

Credit Card Data Breach Incident in Early 2014*

Park, Whon-il**

Ⅰ. Snowballing consequences
Ⅱ. The legislation and previous cases
Ⅲ. Countermeasures by the government
Ⅳ. Prospects

An unprecedented credit card data breach was reported in January 2014. Its consequences, in terms of both the scale of the breach and the remedies, turned out to be more like an avalanche than anyone expected.1)

The beginning was a brief report from a local prosecutors' office that an employee of KCB, an independent Korean credit bureau, who had been dispatched to upgrade the security systems of client card companies, had illegally stolen 104 million pieces of cardholders' personal and financial information and sold part of them to people marketing bank loans. The seller and the buyers of the personal credit information were indicted by the public prosecutor on January 8, 2014.

However, what looked like an ordinary data breach case became much worse than initially thought. As the inspection by the financial watchdog, the Financial Supervisory Service (FSS), went on, the scope of personal data leaked from the three credit card companies (KB Kookmin Card, Lotte Card and NH Card) snowballed to an unexpected scale, as many of the country's major financial institutions were also found to be affected by the leaks.2)

* This article (카드정보 대량유출 사건) has been posted on the KoreanLII website, which is operated by Prof. Whon-Il Park for the Korean Law via the Internet campaign.
** Professor, Ph.D. at Kyung Hee University Law School.
1) See the full story written by Whon-Il Park for the Privacy Laws & Business International Report No. 127, February 2014.

152 KHU 글로벌 기업법무 리뷰 제7권 제1호

Ⅰ. Snowballing consequences

The FSS tried to calm the situation by saying that no fraud had been detected as a result of the data leaks. But in the following days, wary customers stormed into banks and card companies to make complaints and terminate accounts. The FSS hastily warned the public to be suspicious of any calls, because phishing and financial fraud swindlers might take advantage of people's uneasiness.

When the three credit card companies started offering a service through which customers could check what kind of personal data had been leaked, most of them found out that more information had been leaked than previously believed, including names, resident registration numbers, home addresses, credit card numbers and even expiry dates. This means that any scammer could use their cards unnoticed to buy goods online or overseas. It was also disclosed that information had been leaked not only on current cardholders but also on previous users who had canceled their cards.

This massive data breach incident was tackled seriously in terms of information networks, and finally resulted in the amendment to the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc.3) (ICN Act), which was promulgated as Act No. 12681 on May 28, 2014. The newly revised ICN Act will take effect on November 29, 2014.

Ⅱ. The legislation and previous cases

Of course, all the information about cardholders is classified as personal data. In Korea, personal credit information is governed by the Act on the Use and Protection of Credit Information (the "Credit Information Act"), separately from the Personal Information Protection Act. Accordingly, its supervisory authority is the FSS, not the Personal Information Protection Commission (PIPC). Since the Act demands that personal credit information be treated with care, the collectors and processors of such credit information usually handle it more seriously than any other personal data.

By law, card companies can hold information about previous customers for up to five years. But it was disclosed that the card companies used to share customers' information with other affiliates such as insurance companies, based on comprehensive consent given by the customers. An affiliate credit card company in the same banking group is also allowed to have access to the bank's customer information.

Even though no significant damage was reported aside from small phishing activities, more and more angry customers gathered at lawyers' Internet cafes4) to take legal action against the financial companies. In past cases, the courts have hesitated to find fault with the managerial and technical security measures adopted by banks and financial companies to prevent incidents and protect customers' personal data, and were not convinced that it was the data leaked from the defendant that had caused damage and losses to the plaintiffs, considering that such data were already being traded online. Since few cases of substantial losses from data leaks were reported, the courts had only to rule that a small amount of damages should be paid to compensate hundreds of thousands of victims for their mental distress.

2) Korea JoongAng Daily, "Personal data leaks snowball to 104 million", January 20, 2014.
3) The English translation of the Act (정보통신망 이용촉진 및 정보보호 등에 관한 법률) is available as attached to this article.
4) They are a form of joint blog run for potential clients in a collective lawsuit.

Ⅲ. Countermeasures by the government

In spite of a series of countermeasures by the government, the angry public outcry continued unabated. On 20 January, the top management of the credit card companies as well as the affiliated banks announced their intention to resign once the incidents were resolved. At the same time, the government measures were escalated to draconian ones:

- Punitive surcharges5) of up to five billion won (US$4.6 million) will be levied on a financial company which caused customers' personal data to be leaked, or which took advantage of such unlawfully obtained personal data for its business operations. Criminal fines are not applicable in such corporate cases. Also, there will be a one percent surcharge levied on the related sales made using such unlawful personal data.
- Harsh disciplinary action will be imposed on the management and employees responsible for such incidents.
- Information sharing between affiliates shall be prohibited without the prior consent of customers, as well as the approval of the board of directors of the relevant financial company. Until last year, the financial authorities allowed the sharing of customers' big data so that financial subsidiaries under the common control of a bank holding company could develop innovative services.
- Telemarketing via telephone shall be suspended until March 2014. This is because the personal data leaked from the card companies might be used for soliciting loan applications, insurance products, etc. Also, unregistered loan marketers who sell bank loans on behalf of local or foreign banks with small branch networks will be punished by up to five years' imprisonment. In this regard, tens of thousands of telemarketers will be laid off.6)
- Additional authentication processes, by means of a short message (SMS) notice or a telephone call, are required for online transfers of funds of more than one million won (US$930) a day.

The first response has come from American insurers, arguing that the suspension of telemarketing was legally groundless and possibly in breach of the Korea-US Free Trade Agreement.

5) That is, punitive surcharges (징벌적 과징금).
6) Owing to mounting criticism from telemarketers, the FSS lifted the suspension of telemarketing via telephone earlier than scheduled, as from February 14, 2014.

Ⅳ. Prospects

Against this backdrop, no one can be sure that massive data breaches won't take place again in this highly digitized society. As stated by President Park Geun-hye, who was reportedly infuriated at the news of the massive data breach while staying in Davos, Switzerland in January 2014, the government will now consider whether the resident registration number should be replaced by other methods such as the i-PIN. This is because this universal identifier, still in very wide use across the private sector, allows other sources of information to be turned into personal data that can identify the data subject.

With the 2014 regional elections around the corner, the political parties (conscious of public opinion) were prepared to use the data breach incident to their liking. At the end of January 2014, the legislators agreed to conduct a National Assembly inspection of the financial authorities and, at the same time, to hold parliamentary hearings on how to improve personal information protection. Data protection specialists seemed concerned that too much politics might play havoc with the technological nature of Korea's data use and data protection laws.

This is a cautionary tale potentially relevant to businesses in any country: the attractions of big data and other hidden uses of personal data carry with them the risk of very big and punitive countermeasures when something goes wrong.7)

7) This is a valuable comment by Prof. Graham Greenleaf. See supra note 1.
Seminar on Paper

Policy Forum for Supporting Multicultural Single-Parent Families

The Kyung Hee Institute of Legal Studies, jointly with the Seoul Single-Parent Family Support Center (Director: Lee Young-ho, 이영호) and the Korea Healthy Family Practice Movement Headquarters (President: So Jae-seon, 소재선), held a policy forum on June 27, 2014 under the theme "The Legal and Social Status of Single-Parent Families, Focusing on Multicultural Single-Parent Families".

The forum attracted great interest, with some 100 participants including Assemblywoman Jasmine Lee (이자스민), Dongdaemun-gu Mayor Yoo Deok-yeol (유덕렬), other dignitaries, and multicultural support organizations. Following case presentations, the forum proceeded with presentations and discussion on three sub-topics: the legal system and services for supporting multicultural single-parent families; legal issues in securing child support and assistance for multicultural single-parent families in Korea; and the development and legal analysis of single-parent family support law in Germany.

President So Jae-seon of the Korea Healthy Family Practice Movement Headquarters (Professor at Kyung Hee University Law School and 16th Director of the Kyung Hee Institute of Legal Studies) stated that with the arrival of the age of globalization, multicultural families have rapidly increased in Korean society; among them, multicultural families broken by divorce and other causes face the crisis of children being raised and educated by a single parent, so that establishing policies and institutions to protect and support the children of such families is urgently needed.

The forum analyzed the shortcomings of the existing support legislation and policies and held lively discussion of ways to improve them. Participants agreed that, alongside greater social attention to this doubly vulnerable group facing the difficulties of both multicultural and single-parent families, more research is needed to prepare effective and stable legal and policy support measures based on an accurate grasp of the current situation.