Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 1 January 2025

Yes

☒  general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒  obligation to take specific security measures e.g., encryption

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 1 January 2025

Yes

☒  network information security requirements (broader than telecommunications)

Chapter VI of the Network Act imposes obligations on all network service providers to ensure network stability, conduct information protection pre-checks, designate a Chief Information Security Officer (CISO), and more.

☒  health regulatory requirements

Article 23 of the Medical Service Act and related provisions require medical personnel or medical institution founders to have the necessary facilities and equipment to safely manage and preserve electronic medical records.

☒  financial services requirements

Chapter III of the Electronic Financial Transactions Act requires financial companies or electronic financial businesses to ensure the safety of electronic financial transactions, designate a CISO, analyze and evaluate vulnerabilities in electronic financial infrastructure (information processing systems and networks used for electronic financial transactions), and more.

☒  telecommunication requirements

As telecommunications are included in the definition of network service providers under the Network Act, the network information security requirements mentioned earlier also apply to telecommunications (Network Act, Article 2(1)(iii)). Additionally, Article 32-10 of the Telecommunications Business Act imposes additional obligations on telecommunications operators meeting certain criteria, such as conducting vulnerability analysis and evaluation, managing and monitoring core facilities, and implementing traffic dispersion measures.

☒  providers of critical infrastructure

The Infrastructure Act requires critical infrastructure management agencies (across public and private sectors) to establish and implement protection measures for critical infrastructure (electronic control and management systems and information and communication networks relating to national security, administration, national defense, public security, finance, communications, transportation, energy, etc.), periodically analyze and evaluate vulnerabilities, and take prompt recovery measures in case of incidents.

☒  digital or connected (IoT) products

Article 45 of the Network Act imposes an obligation on manufacturers or importers of digital or connected (IoT) products to protect such products from cyberattacks by complying with an information protection directive issued by the MSIT, which sets out various technical, physical and administrative protection measures.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 1 January 2025

☒  Data privacy

☒  Securities or public company

☒  network information security

☒  health

☒  financial services

☒  telecommunications

☒  critical infrastructure

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 1 January 2025

Yes

Under Korean law, a personal data breach refers to the loss, theft, or leakage of personal information that occurs other than through the personal information controller's own will or a legal requirement, such that the personal information leaves the management and control of the personal information controller and becomes known to a third party (Standard Personal Information Protection Guidelines, Article 25). In such cases, the following information must be notified to the authorities or to the affected individuals:

  • Categories of personal information that have been leaked, etc.
  • Time of the leakage, etc. and its circumstances
  • Information on measures that data subjects can take to minimize the damage that may occur due to the leakage, etc.
  • Countermeasures taken by the personal information controller and remedial procedures
  • Department and contact information for reporting damage to data subjects (PIPA, Article 34).
Controllers/Owners have to notify:

Last review date: 1 January 2025

☒  data protection authorities

In case of a personal data breach, personal information controllers must, in principle, notify the PIPC within 72 hours of becoming aware of the breach in any of the following cases:

  • When personal information of 1,000 or more data subjects has been leaked, etc.
  • When sensitive information or personally identifiable information has been leaked, etc.
  • When personal information has been leaked, etc. due to illegal access from outside to the personal information processing system (PIPA Enforcement Decree, Article 40).

If the leaked personal information is personal credit information, credit information companies, etc. are obligated to notify the FSC only if personal credit information of 10,000 or more credit information subjects has been leaked. General credit information providers and users not supervised by the FSC must notify the PIPC (Credit Information Act, Articles 39-4(3) and (4)).

☒  affected individuals

In case of a personal data breach, personal information controllers must, in principle, notify the affected data subjects within 72 hours of becoming aware of the breach (PIPA Enforcement Decree, Article 39). If the leaked personal information is personal credit information, such credit information companies, etc. are obligated to notify the affected credit information subjects (Credit Information Act, Article 39-4). In either case, unlike the notification to the PIPC or the FSC mentioned earlier, notification to affected individuals is required even if personal information of only one data subject has been leaked.

Processors/Agents have to notify:

Last review date: 1 January 2025

☒  data protection authorities

☐  affected individuals

As mentioned earlier, PIPA divides the processor concept into person entrusted and personal information handler. PIPA stipulates that the personal data breach notification obligations apply to the person entrusted in the same manner as they apply to personal information controllers (i.e., being applied mutatis mutandis) (PIPA, Articles 26(8) and 34). For personal information handlers, such notification obligations are not explicitly specified.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 1 January 2025

Yes

Non-personal data security breach notification requirements

Under Korean law, electronic intrusion generally refers to an act of attacking a network or related information system by any of the following methods:

  • Methods such as hacking, computer viruses, logic bombs, mail bombs, denial of service, or high-power electromagnetic waves
  • Installing programs or technical devices in a network or related information system that allow access to the network by bypassing normal protection and authentication procedures (e.g., Network Act, Article 2(1)(vii)).

Network service providers must, in principle, report the following matters to the MSIT within 24 hours of an incident caused by an electronic intrusion, regardless of whether the data affected is personal information (Network Act Enforcement Decree, Article 58-2):

  • Date and time of the intrusion incident, cause, and details of damage
  • Response status including measures taken for the intrusion incident
  • Department and contact information in charge of responding to the intrusion incident

Sector-specific data breach notification requirements

☒  health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

Medical personnel or medical institution founders must immediately notify the MOHW when medical information is leaked, or medical institution operations are disrupted or paralyzed, due to an electronic intrusion into electronic medical records (Medical Service Act, Article 23-3).

☒  telecommunication requirements

The Telecommunications Business Act, regulated by the KCC, contains no separate security breach notification requirement for telecommunications. However, as mentioned earlier, telecommunications are included in the definition of network service providers under the Network Act, so telecommunications operators follow the general notification requirements to the MSIT described above.

☒  providers of critical infrastructure

Critical infrastructure management agencies (across public and private sectors) must notify the relevant administrative agencies (determined individually for each management agency at the time of designation as a management agency), investigative agencies, etc. when they become aware that their critical infrastructure has been disrupted, paralyzed, or destroyed due to electronic intrusion (Infrastructure Act, Article 13).

☒  other

Financial companies or electronic financial businesses must notify the FSC without delay when electronic financial infrastructure is disrupted or paralyzed due to electronic intrusion (Electronic Financial Transactions Act, Article 21-5).