Cyber Security in South Korea

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority? Under the Personal Information Protection Act (the “PIPA”), a personal information manager who collects personal information of a person without having obtained the consent of the subject person may be subject to an administrative fine of up to KRW 50 million. If a personal information manager damages, destroys, alters, fabricates or leaks personal information of others, the personal information manager may be subject to imprisonment for up to two years or a fine of up to KRW 10 million. For the purposes of the PIPA, the personal information manager means an entity or individual that manages the processing of personal information for itself/himself/herself or through another entity or person to operate personal information files for business purposes. The personal information manager under the PIPA is more like a data controller rather than a data processor under the EU’s legislative system. In addition, if the relevant personal information is secret information, the personal information manager may be subject to imprisonment or imprisonment without forced labor for up to three years or a fine of up to KRW five million for violation of secrecy under the Criminal Code. Under the Act on Promotion of Information and Communications Network Utilization and Information Protection (the “Information and Communications Network Act”), no one shall damage another person’s information processed, stored or transmitted through an information and communications network, nor shall infringe, misappropriate or leak another person’s secret. A violation of the above provision may result in imprisonment for up to five years or a fine of up to KRW 50 million. Under the Information and Communications Network Act, no one shall collect another person’s information or induce another person to furnish information through an information and communications network by fraud. A violation of the above provision may result in imprisonment for up to three years or a fine of up to KRW 30 million. The PIPA, the Information and Communications Network Act, the Act on Use and Protection of Credit Information (the “Credit Information Act”), the Act on Use and Protection of Location Information, etc. contain provisions of liability for damage compensation in connection with personal information protection. Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you find out information about who may have accessed your data without authority and/or how it was used? If a person reports a data breach to a data breach complaint centre established based on the PIPA or the Information and Communications Network Act (the “Complaint Centre”), the Complaint Centre may demand that the relevant personal information manager or information and communications service provider submit documents and other materials related to the data breach in question. The Complaint Centre is required to conduct a fact-finding investigation for such a data breach and upon the completion of the fact-finding investigation, notify the person who made the report of the results of the fact-finding investigation and of the measures taken with respect to the data breach. If a victim of a data breach files a civil claim for damage compensation with a court, the person may petition the court to grant an order for production of documents, whereby materials related to the data breach in question may be obtained. Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process? Under the Civil Procedure Act, a party may petition the court to limit the persons who are eligible to make a request for access to litigation documents which contain secrets to the parties to the litigation. Other than that, there are no particular restrictions. Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information? Under the Civil Procedure Act, when a person or an entity submits certain documents pursuant to a court order for production of documents, such a person or an entity may request an in private examination of the submitted documents. If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle? If the lawsuit is withdrawn before the court renders a final decision, you can subsequently commence proceedings on the same issue. If the lawsuit is withdrawn after the court has rendered a final decision, you are prevented from commencing proceedings on the same issue based on the principle of res judicata. You are prevented from commencing proceedings on the same issue when proceedings on the same issue are pending and not withdrawn (based on the principle of prohibition against double jeopardy). Is there an obligation in your jurisdiction to hold personal information securely? The PIPA imposes personal information protection obligations on the personal information managers, and the Information and Communications Network Act imposes personal information protection obligations on the information and communications service providers. Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions? Under the Information and Communications Network Act, an information and communications service provider should not enter into an international contract containing any term or condition that violates the Information and Communications Network Act with respect to users’ personal information, and for an overseas transfer of users’ personal information, should notify the subject users of certain matters and obtain the consent of each such user. In addition, when an information and communications service provider intends to transfer users’ personal information overseas after having obtained the consent of the users, the information and communications service provider is required to take certain protective measures as prescribed by the Information and Communications Network Act and the Enforcement Decree thereto. Under the PIPA, a transfer of personal information to an overseas third party requires the notification of certain matters to the data subjects and the consent of the data subjects, as in the case of a provision of personal information to a third party in Korea. Entering into an agreement for overseas transfer of personal information that would violate the above provision is prohibited. Is there a generally applicable obligation to notify data subjects of a data breach in your Jurisdiction? Under the PIPA, in the event of a data breach, the personal information manager is required to promptly notify the data subjects of the details of such a data breach. Under the Information and Communications Network Act, if an information and communications service provider becomes aware of a loss, theft or leak of personal information, the information and communications service provider is required to notify the relevant users of certain matters concerning such event (as prescribed by the Information and Communications Network Act), and to report to the Korea Communication Commission or the Korea Internet & Security Agency, which notification and report, without any justifiable reason, must not be made after the lapse of 24 hours from the time when the communications service provider becomes aware of such event. This reporting obligation is absolute. The notification and report may be made after the lapse of 24 hours if there is a justifiable reason, but even in such a case, the obligation itself is not exempted. Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction? Under the PIPA, in the event of a data breach of a certain scale (i.e. a scale not smaller than the scale prescribed by the Presidential Decree), the personal information manager is required to report the fact of data breach and the results of the measures taken for such data breach to the Ministry of Government Administration and Home Affairs or a special agency designated by the Presidential Decree. Under the Information and Communications Network Act, if an information and communications service provider becomes aware of a loss, theft or leak of personal information, the information and communications service provider is required to notify the relevant users of certain matters concerning such event (as prescribed by the Information and Communications Network Act), and to report to the Korea Communication Commission or the Korea Internet and Security Agency. The notification and report, without any justifiable reason, must not be made after the lapse of 24 hours from the time when the communications service provider becomes aware of such event. Are there sector specific mandatory data breach notification obligations in your jurisdiction? Under the Credit Information Act, if a credit information company becomes aware of a leak of credit information for a purpose other than the intended business purposes, the credit information company must promptly notify the subject of the credit information of such leakage.