'ISMS-P Certification' Can Be Grounds for Fine Reduction
263 Certified Companies... 10% Have Experienced Data Breaches
Government Launches Review of Coupang's Certification Compliance
The government’s decision on whether to revoke Coupang’s ISMS-P certification (a personal information protection management system certification) after a data breach affecting 33.7 million customers is drawing significant attention. To date, among the 263 companies that have obtained ISMS-P certification, not a single case of revocation has occurred.
However, given the unprecedented scale of the personal information leak, there is speculation that Coupang could become the first company to have its certification revoked, as the government has decided to closely examine whether the management system submitted by Coupang at the time of certification last year, as well as its actual operations, meet the required standards.
According to the Personal Information Protection Commission and the Korea Internet & Security Agency on December 8, the number of ISMS-P certifications issued has been on the rise, starting with 69 in 2019, 161 in 2021, 278 in 2023, 230 last year, and 248 this year.
Currently, the cumulative number of certified companies stands at 263, and among them, 27 companies (about 10%) have experienced data breaches of varying scale. Nevertheless, there has not been a single case of certification revocation so far, leading to criticism that the certification system is being operated merely as a formality. According to the Personal Information Protection Act, the Personal Information Protection Commission may revoke certification if a certified company falls short of the certification criteria or violates the law, and if the violation is deemed significant.
An official from the Personal Information Protection Commission stated, "Certification can be revoked if a significant defect is confirmed through deliberation and resolution by the Certification Committee," adding, "However, since the ISMS-P certification is currently operated on a voluntary basis, there is no clear alternative, such as requiring a re-certification process, if the certification is revoked."
The issue is that if a company that has violated the Personal Information Protection Act retains its ISMS-P certification, it can be considered a mitigating factor when fines and penalties are later imposed. Efforts made for personal information protection can result in a reduction of up to 50% of the initial adjustment amount for fines, and up to 40% of the standard amount for penalties.
SK Telecom, which violated the Personal Information Protection Act, was not eligible for mitigation because its certification was limited to customer service areas such as T World and T Membership. In contrast, Coupang’s certification, valid for three years from March last year, covers the entire scope of "Coupang services," making it more likely that the company could receive mitigation if the certification is maintained. The Korea Internet & Security Agency, as the certifying body, has begun reviewing Coupang’s compliance with certification standards.
An official from the Personal Information Protection Commission said, "Certification can be revoked in cases of serious legal violations or when the management system for personal information falls significantly short of certification standards," adding, "If a major defect is found during the post-certification review process, we intend to actively consider revoking the certification."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.