
Korean Government Seeks to Improve CISO Designation System and Introduces Obligation to Purchase Privacy-Related Compensation Liability Insurance

2019.08.06

Recently, the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (the “Network Act”) and the Enforcement Decree to the Network Act (the “Enforcement Decree”) have been amended to improve the Chief Information Security Officer (“CISO”) designation system, the privacy-related compensation system, and the methods for confirming the consent of legal guardians to the processing of children’s personal information.

The related amendments took effect on June 13, 2019 and June 25, 2019, and service providers are now required to strengthen user protection. They follow the introduction of the domestic agent designation system, which took effect on March 19, 2019.

Key Details of the Recently Amended Network Act and the Enforcement Decree:

1.   Improvement of CISO designation system

First, in the past, except for certain service providers subject to a mandatory obligation, service providers in principle designated and reported a CISO voluntarily.  The amendment now imposes the CISO designation/reporting obligation on all telecommunications service providers, with only a limited set of service providers exempt from it.  Value-added service providers, small businesses and small enterprises with KRW 100 million or less in capital are excluded from the mandatory CISO designation/reporting obligation.

Second, CISO qualifications were strengthened so that a CISO must have a certain academic background or work experience in information security in addition to the existing “officer status” qualification.  The Enforcement Decree specifies the general qualifications, including “at least a master’s degree in information security or information technology” and “work experience of ten years or longer.”

Third, among telecommunications service providers with total assets of KRW 5 trillion or those required to obtain Information Security Management System (“ISMS”) certification, the CISO of an enterprise with total assets of KRW 500 billion or greater is prohibited from holding any position within the company other than the CISO position.  In this case, such CISO must meet the general qualifications above and also the following qualification as a full-time officer:

  • At least four years of work experience in information security or work experience in information security and information technology, totaling at least five years of work experience

Accordingly, service providers that must newly designate a CISO should report the designation within 90 days of the effective date of the Enforcement Decree (June 13, 2019); for service providers that had already designated a CISO, the above qualifications apply from the next designation/reporting.  Any service provider that violates the obligation to designate/report a CISO with such qualifications may be subject to an administrative fine of up to KRW 30 million.


2.   Building of privacy-related compensation system

Telecommunications service providers with KRW 50 million of sales for the previous fiscal year that stored and managed the personal information of at least 1,000 users per day on average during the three months immediately preceding the end of the previous year must take the necessary measures to ensure compensation for leakage of personal information, by purchasing insurance, joining a deduction plan, or accumulating reserves.

The minimum insurance amount (or minimum accumulated reserve) required of a service provider ranges from KRW 50 million to KRW 1 billion, depending on the number of users and the amount of sales, and any violation may lead to an administrative fine of up to KRW 20 million.


3.   Preparation of methods to confirm consent from legal guardians to process children’s personal information

To process the personal information of children under the age of 14, telecommunications service providers must establish procedures to confirm the consent of the child’s legal guardian, either through mobile text message, verification of card information or mobile identification, or by directly obtaining the necessary consent in writing, by phone, or by e-mail.

Any service provider that fails to confirm the consent of the legal guardian may be subject to imprisonment of up to five years or a fine of up to KRW 50 million, or a surcharge of up to 3/100 of the sales relating to such violation.


Implications:

Through the recent amendments, the Network Act obliges service providers to take a range of user protection measures.

The Korea Communications Commission (“KCC”) has announced a plan to implement a grace period, particularly for the domestic agent and CISO designation obligations, to encourage service providers to remedy any non-compliance voluntarily.  However, the KCC may take strict enforcement action against service providers that fail to fulfil their obligations after the grace period.  It would therefore be prudent to conduct a comprehensive review of compliance with the user protection measures under the Network Act and to consider how to ensure compliance going forward.
