
Amendments to the Network Act and Enforcement Decree for Reporting Cybersecurity Incidents

2024.09.26

Key Amendments to the Network Act and its Enforcement Decree Effective August 14, 2024

The recently amended Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (the “Network Act”), along with its Enforcement Decree (the “Enforcement Decree”), aims to make the response to cyber breach incidents such as hacking more effective and to implement necessary measures to prevent recurrence. These amendments took effect on August 14, 2024.

The following is a summary of the key amendments:
 

1. Amendments to Reporting Cybersecurity Incidents (Article 48-3 (4) of the Network Act and Article 58-2 of the Enforcement Decree)

(1) Timing of Report: Online service providers (“OSPs”) are required to report a cybersecurity incident within 24 hours of becoming aware of it. The initial report should include the date, cause, details of damage and response status. Any subsequent, additional fact needs to be reported within 24 hours of becoming aware of such fact.

(2) Details of Report:

(i) The date, cause and details of damage caused by the incident

(ii) The status of the response provided by the OSP, including measures taken

(iii) Contact information for the department within the OSP in charge of the response

(3) Method of Reporting: Reports can be made in writing, by e-mail, by phone or by submitting the information through the designated website.

2. Orders to Prevent Recurrence and Inspection of Implementation (Articles 48-4 (2), 48-4 (3), 76 (1) 6-7 of the Network Act and Article 58-3 of the Enforcement Decree)

(1) The Minister of Science and ICT (“MSIT”) now has the authority to “order” OSPs to take necessary preventive measures, a shift from the previous “recommendation.”

(2) The MSIT can inspect whether the required measures have been implemented, issue corrective orders where necessary and impose administrative fines of up to KRW 30 million for non-compliance.

(3) Inspections will be notified to relevant OSPs at least seven days in advance, detailing the inspection plan (including the purpose, date/time, method and other details regarding the inspection). However, in urgent cases, such as where there is an imminent threat of an additional breach, prior notification may not be given.

3. Revised Standards for Imposing Administrative Fines for Non-Compliance (Item 2 of Annex Table 9 of the Enforcement Decree)

(1) For Failure to Report Cybersecurity Incidents:

(i) First-time violation: Administrative fine increased from KRW 3 million to KRW 7.5 million

(ii) Second-time violation: Administrative fine increased from KRW 6 million to KRW 15 million

(iii) Third and subsequent violations: Administrative fine increased from KRW 10 million to KRW 30 million

(2) For Non-Compliance with Corrective Orders:

(i) First-time violation: KRW 7.5 million

(ii) Second-time violation: KRW 15 million

(iii) Third and subsequent violations: KRW 30 million

These amendments set a stringent timeline for reporting cybersecurity incidents (within 24 hours) and significantly increase administrative fines for non-compliance. They also establish substantial grounds for ordering preventive measures and issuing corrective orders. As such, OSPs are advised to diligently monitor these amendments and anticipate rigorous enforcement.

 
