"Immediate Notification to All Subscribers Required Even If Victims Cannot Be Identified"
"Potential for Financial Incidents... Legal Amendments Needed for Penalty Waivers"
On the 28th of last month, customers waiting to replace their SIM cards visited an authorized SK Telecom dealer in Jung-gu, Seoul.
The National Assembly Research Service has stated that, in light of the recent SK Telecom hacking incident, there is a need to amend the law so that, even if victims of a telecommunications security breach cannot be clearly identified, all subscribers are immediately notified, and compensation rules such as penalty waivers are applied more flexibly.
On May 7, the Research Service made this recommendation in its report titled "Problems and Legislative Tasks in the Aftermath of Telecommunications Company Hacking Incidents." According to the report, a hack of the core systems of a mobile communications network can have a massive impact on society as a whole and pose a serious threat to national security, which makes establishing structural countermeasures urgent.
The report pointed out that the SK Telecom hacking incident exposed the limitations of both corporate self-response and the government's response system. In the early stages of the hacking, SK Telecom only notified users of the data breach through its website, and only after a considerable delay did it begin sending text messages to all subscribers about subscribing to the SIM protection service. This was highlighted as a problem.
The report emphasized, "If the victims of a data breach cannot be identified quickly after a hacking incident, this means the scope and details of the breach are unclear, and the response should be based on the worst-case scenario." Accordingly, it called for an amendment to the Personal Information Protection Act to mandate that, even if the individuals affected by a data breach cannot be identified, all subscribers must be individually notified of the specific situation and how to respond.
In addition, the report raised the need to amend the Information and Communications Network Act or the Framework Act on Broadcasting and Communications Development so that the disaster alert system can be used if a hacking incident is deemed likely to spread widely or pose a significant risk. It was noted that, during the Kakao service disruption caused by the SK C&C data center fire in 2022, the government sent disaster text alerts, but no such action was taken in the recent SK Telecom hacking case.
The report also recommended amending the Information and Communications Network Act to strengthen the government's authority to investigate hacking incidents. Currently, a joint public-private investigation team led by the Ministry of Science and ICT is conducting the investigation, but it lacks sufficient authority to compel the submission of materials and other cooperation. The Research Service proposed measures to ensure at least a minimum level of investigative authority, such as increasing fines or imposing enforcement penalties, to prevent passive corporate responses or cover-ups and to ensure effective action.
Furthermore, the report added that amendments to the Telecommunications Business Act, the Information and Communications Network Act, and the Personal Information Protection Act are needed to ensure that companies provide victims with practical remedies and that victims can easily receive compensation. In particular, it emphasized the need to consider establishing provisions in the Personal Information Protection Act that would allow for the presumption of causality, given the difficulty victims face in proving the causal link between the data breach and actual damages.
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.

