[Exclusive] "Hacking Insurance" Rendered Useless: Insurers Collected 77 Billion Won, Paid Out Less Than 200 Million Over 5 Years

While corporate personal information leaks are becoming increasingly serious, the mandatory "Personal Information Protection Liability Insurance" has been found to be failing to fulfill its intended role. Over the past five years, companies and public institutions have paid insurance premiums totaling 77 billion won, but have received less than 200 million won in insurance payouts.

According to data on the status of enrollment in Personal Information Protection Liability Insurance obtained from the Personal Information Protection Commission by the office of Kim Hyunjung, a member of the National Assembly's Political Affairs Committee, the number of companies and public institutions enrolled in this insurance decreased by 18.4%, from 9,275 in 2020 to 7,573 last year.

Although the number of policyholders decreased, the insurance companies' premium revenue actually increased. The premium income from Personal Information Protection Liability Insurance collected by 16 non-life insurance companies (Samsung, DB, Hyundai, Meritz, KB, Hanwha, Heungkuk, Lotte, NH Nonghyup, MG, Hana, Seoul Guarantee, AIG, Shinhan EZ, Carrot, Lina) rose by 12.5%, from 15.2 billion won in 2020 to 17.1 billion won last year. During this period, the cumulative premium income of these non-life insurers reached 77 billion won, but the amount paid out to companies and public institutions was only 199.68 million won, or 0.26%. The number of insurance payouts was just 10 cases.

Personal Information Protection Liability Insurance is designed to cover litigation costs, compensation for damages, and administrative fines in the event that a company is held liable for damages due to a personal information leak. Since 2019, businesses with annual sales of 1 billion won or more and that manage personal information of an average of 10,000 or more individuals per day have been required to enroll in this insurance. The mandatory enrollment policy, which was introduced to strengthen corporate liability for personal information leaks, has instead ended up benefiting insurance companies.

The reason Personal Information Protection Liability Insurance is not functioning properly is that the conditions for receiving insurance payouts are extremely strict. The mere occurrence of a personal information leak does not trigger liability for damages. There must be actual economic loss to the consumer, such as unauthorized transactions using the leaked information. Furthermore, the consumer must legally prove the damage, typically through litigation, for the insurance to be processed.

This year, large-scale personal information leaks occurred due to hacking incidents at companies such as SK Telecom, KT, and Lotte Card. Although these companies are also enrolled in Personal Information Protection Liability Insurance, many in the insurance industry believe that compensation through insurance will be difficult. This is because it is hard to prove direct financial loss resulting from the information leak. Even if there is no immediate damage, illegally distributed personal information could later lead to losses such as voice phishing, but it is not easy for consumers to prove this. Due to these structural issues, Personal Information Protection Liability Insurance is effectively rendered useless.

Meanwhile, the number of personal information leak incidents continues to rise. The number of personal information leak reports filed by companies and public institutions required to enroll in Personal Information Protection Liability Insurance increased by 88.3%, from 163 cases in 2021 to 307 cases last year. During this period, reports from companies rose by 44%, from 141 to 203 cases, while reports from public institutions surged by 373%, from 22 to 104 cases. As of August this year, there have already been 169 reports from companies and 82 from public institutions.

Despite this situation, the Personal Information Protection Commission is exhibiting a "throwing out the baby with the bathwater" approach by not enhancing, but rather reducing, the practical utility of Personal Information Protection Liability Insurance. A prime example is the amendment to the enforcement ordinance of the insurance, announced by the commission in March. The amendment significantly raised the mandatory enrollment criteria to "annual sales of 150 billion won and 1 million data subjects." Under this standard, only about 200 large corporations would be required to enroll. If the amendment is implemented, it will become even more difficult for consumers to receive compensation for personal information leaks at small and medium-sized enterprises.

Experts unanimously agree that Personal Information Protection Liability Insurance must now be improved to focus on victims. Choi Kyungjin, a professor of law at Gachon University, stated, "In the case of automobile insurance, claims are processed smoothly even without litigation," and added, "For Personal Information Protection Liability Insurance, it is necessary to enhance effectiveness by allowing the government or relevant agencies to acknowledge liability or by establishing standard insurance terms so that claims can be processed more efficiently."

Assemblywoman Kim pointed out, "The fact that insurance payouts accounted for only 0.26% of premium income over the past five years shows that the current mandatory insurance is failing to fulfill its original purpose of 'protecting the public from harm,'" and added, "There needs to be a discussion to strengthen the system so that mandatory insurance can properly serve its intended function."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.