By Oh Mi-Jeong, Lee International
An amendment to the Act on the Promotion of Information and Communications Network Utilisation and Information Protection, Etc was passed by the National Assembly of the Republic of Korea on May 28, 2018. The Act regulates matters related to information and communications networks (ICNs) and information and communications services (ICS) which use telecommunications. It applies to providers of ICS, such as telecommunications companies and internet portal companies.
The amendment focuses on improving the safety of ICNs and protecting personal information used in ICNs. One noteworthy new requirement under the amendment is a provision that contains new standards for reporting and designating a Chief Information Security Officer (CISO). A CISO is a person who is in charge of the security of an information and communications system and safe management of the information in it. He/she is responsible for the establishment/management/operation of the information protection and management system, prevention of or response to any intrusions into the ICNs, development of pre-emptive information protection measures, design and implementation of security action plans, etc.
While the previous version of the Act required ICS providers to designate a CISO based on the number of employees, users, etc. and then report the designation to the Minister of Science, Information and Communications Technology, the amended Act contains different standards for designating and reporting information about CISOs. It requires ICS providers to designate a CISO based on the amount of total assets, revenue, etc. and then report it to the Minister of Science, Information and Communications Technology (Article 45-3(1) of the Act). The details regarding such standards for ICS providers, including the total amount of assets, revenue, etc. that will trigger the requirements, are expected to be determined in the future under a Presidential Decree related to the Act.
In addition, the amended Act prohibits CISOs from holding other positions and doing work other than work related to information protection (Article 45-3(3) of the Act). Traditionally, many CISOs working for ICS providers have done additional work unrelated to information protection. For example, Chief Information Officers (CIOs) have commonly performed the work of a CISO along with their other duties. Although the work scope of a CIO, who is generally in charge of matters related to an ICN, often includes the work of a CISO, this practice has been criticised on the ground that holding such dual positions can lead to inadequate information protection, because a CIO may have insufficient time to devote to that job given the CIO's many other responsibilities. Therefore, the amendment of the Act is expected to enhance the professionalism of CISOs in their work on information security by prohibiting the holding of more than one position in any ICS provider over a certain size. In the financial sector, hacking and cyber terrorism events that occurred in 2013 had already led to a prohibition on CISOs holding more than one position in 2014 under the Electronic Financial Transactions Act.
Other than the provisions on CISOs, major changes made in the amendment of the Act include:
- In connection with personal information protection in the information and communications sector, where the Act and the Personal Information Protection Act overlap in their application, the Act shall take precedence (Article 5 of the Act).
- When ICS providers need to access information stored in, or functions installed on, users' mobile devices in order to provide their relevant services, ICS providers shall inform users of the items that will be accessed, the reason for access, and the fact that users may withhold consent for the ICS providers to access their mobile device, and the ICS providers must obtain the consent of users before gaining access authority. The Korea Communications Commission will be given authority under the amended Act to conduct a survey on whether providers of ICS have complied with applicable laws and regulations related to obtaining access authority from users (Article 22-2(4) of the Act).
- In order to guarantee payment of damages by ICS providers found liable for breaches of their obligations on protection of personal information, any ICS provider over a certain size shall be required to take necessary measures, such as obtaining appropriate insurance coverage or creating a reserve fund to pay for damages (Article 32-3 of the Act).
- If mobile device users wish to question or challenge the charges they receive for goods or services purchased using their mobile devices, they will now be given authority to request information from the sellers of those goods or services for which the users were charged, including the identity of, and other information about, the persons who purchased such goods or services. The sellers will be required to provide the requested information within 3 days following the date of the request, absent a reasonable cause for delay. The user shall use the information supplied by the sellers only to check the accuracy of the charges received and to submit the information to investigative agencies when the user's personal information has been illegally used (Article 58-2 of the Act).