Financial Supervisory Service Decides to Exempt Companies from Liability in Case of Personal Data Breach
Interest Grows Over Whether This Will Expand to Financial Sector Previously Reluctant to Remote Work
[Asia Economy Reporter Oh Hyung-gil] Samsung Life Insurance is the first insurance company to promote remote work for job positions that access customers' personal information. This move follows a non-action decision from financial authorities stating that the company will not be held administratively responsible if personal information is leaked during remote work by call center counselors.
Until now, other financial companies, which were identified as hotspots for COVID-19 cluster infections, have found remote work practically impossible due to concerns over information leaks. There is growing interest in whether this will expand to other financial firms.
According to financial authorities and the insurance industry on the 8th, the Financial Supervisory Service (FSS) recently issued a non-action opinion letter regarding Samsung Life Insurance's request to implement remote work for some call center counselors to prevent the spread of COVID-19. The FSS stated in the letter that administrative measures will be exempted for institutions, including subsidiaries entrusted with call center operations, in cases of personal information leaks caused by illegal acts of individuals beyond the company's control.
A non-action opinion means that although current regulations generally do not allow it, an exception is temporarily permitted under special circumstances. Previously, Samsung Life Insurance inquired with financial authorities about exemption from sanctions if remote work is implemented for call center counselors to prevent COVID-19 spread, considering that even with enhanced security measures by the company, individuals might still leak personal information.
Following the financial authorities' opinion, Samsung Life Insurance plans to temporarily relax network separation rules to allow general employees to access the internal communication network externally during remote work.
To this end, they will use work devices with applied security policies and establish physical security systems such as network security equivalent to dedicated lines, control of external device connections like USBs and external hard drives, prohibition of printing and output, prevention of screen capture, file encryption (DRM), and blocking unauthorized software installations.
Additionally, they have prepared remote work guidelines that include separating workspaces, prohibiting entry of outsiders, forbidding unauthorized departure from the work location, conducting compliance checks on remote workers when necessary, and requiring submission of daily security checklists.
A financial authority official explained, "Samsung Life Insurance will be exempted from responsibility only if they implement physical security and security awareness enhancement measures," but added, "However, this measure will not apply to other financial companies."
Following cluster infections at financial company call centers in Daegu and Guro-gu, Seoul last month, urgent demands for countermeasures surged inside and outside the financial sector. The poor working environment of call centers, where dozens of counselors work in cramped spaces, was identified as the cause of cluster infections.
Financial authorities recommended maximizing the use of remote, flexible, and distributed work for call centers, but actual cases of remote work implementation were rare. This was due to concerns that security levels would inevitably drop if counselors with access to customer information worked remotely, increasing the risk of personal information leaks.
Financial companies have implemented flexible and distributed work for call center counselors, citing that while the company is responsible for preventing personal information leaks, control becomes impossible with remote work. Even if security pledges or checklists are used for remote workers, they argued it is difficult to prevent rapid spread of information leaks.
An insurance industry official said, "The company can protect personal information through internal systems, but has concluded that the same level of security cannot be established during remote work, so remote work is not conducted," adding, "There is practically no way to prevent family members or third parties from accessing work PCs, illegal copying, or filming with mobile phones."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
