Computers, Privacy & the Constitution

Legal Countermeasures against Massive Personal Information Leakage in South Korea

-- By SunghyeOh - 21 Mar 2017

Introduction

When we talk about the protection of personal information, the right of privacy covers individuals’ ability to control the collection and use of their personal information.[1] In South Korea, the right to “self-determination of personal information” has been recognized as a constitutional right, and several related laws, such as the Personal Information Protection Act (“PIPA”), have been enacted. Still, people have experienced repeated massive personal data leaks. Among these incidents, the devastating one known as the “three credit card companies’ personal information leak” revealed limitations of the country’s legal system. This stimulated discussion about how to overcome the systemic shortcomings and thereby enhance the constitutional value of privacy.

The largest-ever personal information leak

In January 2014, Koreans were furious at the news that the personal data on 104 million credit cards issued by three major credit card corporations—Kook-min, Nong-hyup and Lotte Card—had been stolen, affecting 20 million people, or 40% of the population. The stolen data included sensitive personal information—names, social security numbers, phone numbers, residential addresses and even credit and financial information such as card numbers, expiration dates, and bank accounts. The thief, Park, a technician at the credit rating company Korea Credit Bureau, which had contracted with the credit card companies, secretly copied the data onto a USB drive. A significant amount of the stolen data was then sold and resold, passing to phone marketing and capital loan companies.[2][3]

Following the incident, 188,400 people filed 281 lawsuits against the credit card corporations, seeking compensation of 75.3 billion Korean won (USD $67.42 million at the exchange rate of 03/20/2017, hereinafter the same) in total; generally, each plaintiff requested 0.5 million won ($448). Most trial court decisions, which are still pending before appellate courts, ruled partially in favor of the plaintiffs, awarding each victim 100 thousand won ($90) in damages for pain and suffering; the claims of plaintiffs whose data had been seized by investigators shortly after the theft were not recognized. The credit card companies were also convicted of violating the PIPA and fined 10 million won ($8,955) or 15 million won ($13,432), which all defendants appealed. In addition, administrative sanctions were ordered: each company was subject to a 3-month ban on issuing new credit cards, combined with a regulatory fine of 6 million won ($5,374).[4] Furthermore, regulatory penalties were imposed on all companies, totaling 34 million won ($30,452).

Implications

This scandal indicates the level of awareness of privacy. As for the companies, the incident clearly showed how much they had neglected their responsibility to protect customers’ privacy. In particular, it was revealed that they had given Park unencrypted data. The lack of security manuals covering encryption or outsiders’ access suggested that they had regarded cybersecurity programs merely as expenses. As for the customers, it can be inferred that they were somewhat indifferent to the subject, or had simply relinquished their right of privacy. Although many victims expressed their anger by asking the companies to cancel their cards, the vast majority took no further action; the number of people who actually sued the companies was only 188,400, less than 1% of those affected.

This phenomenon can be explained by the country’s legal system. First, a civil procedure that lacks a mechanism like class actions keeps people from seeking legal remedies. Specifically, a system that requires people to participate personally in a lawsuit discourages them from pursuing compensation. Second, the low level of punishment accounts for the indolence of corporations. In this case, the courts and enforcement authorities seem to have punished as harshly as the applicable laws allowed: the damages ordered by most courts were typical of related cases, and the criminal and regulatory fines imposed were the highest amounts available under the applicable law at that time.

The problem, however, is that these recoveries and sanctions were neither effective nor meaningful considering the vastness of the leak and the scale of the companies’ business. This points to limitations in the law itself.

Reactions, Remaining Problems, and Solutions

The discussion then raises a question: what legal framework could raise the standard of protection and thereby realize the constitutional value of privacy? Increasing the level of punishment by revising the applicable statutes is one plausible step. Introducing punitive damages and class actions would help force corporations to upgrade their cybersecurity protocols and help individual victims recover their damages.

Fortunately, in the wake of this scandal, the country amended the related statutes. Statutory and punitive damages provisions were adopted: consumers may now claim statutory damages of up to 3 million won ($2,687), and courts may award punitive damages of up to three times the actual damage. The available regulatory penalties were also increased to up to 3% of a company's revenue, and the available criminal fine was raised from 10 million won ($8,957) to 20 million won ($17,913).[5][6]

This revision is expected to work well in inducing corporations to establish security programs. Nonetheless, a problem remains. Under the country’s current civil procedure, it is inevitable that only the few people who actually participate in the lawsuits are entitled to recover damages. So that most victims are not left uncompensated, introducing a class action system from which all victims can benefit is strongly recommended.

Conclusion

Some people might not care about their privacy, or might think it impossible to overcome the tragedy of privacy erosion; however, we need to remain hopeful and make every effort to protect our right of privacy.[7] In this regard, overcoming the systemic limitations of the legal system is one effective way to realize the constitutional right of privacy.

It's hard for me to correlate the facts with the conclusions. It is obvious that penalty increases are useless. Indeed, following the usual absurd position of Korean corporate management that all activities can be strictly divided into "makers" and "takers," security for customers' data will always be seen as "an expense." Raising penalties in this foolish way merely increases an offset expense, in the hope that the present value of respecting customers' privacy, which is still negative to the business, will be smaller than the present value of likely penalties. That will not happen, as you see, without a system of class actions and one of shareholder activism (which you don't mention, as it is even more unthinkable under Korean conditions) that would actually impose significant costs. That security should be seen as a common good in which it benefits all to participate, the actual improvement in social trust, is evident to non-Korean societies in which more social trust exists and the people who run the society know that social trust is worth more than the value of successful corruption.

Meantime, no actual security standards of any value are in place. Active X controls that can never be made secure are still an unbelievably foolish welded-in-place part of Korean banking and commerce, thus ensuring that every user can be plundered all the time. The technical environment of the Korean Net is about as professionally careful of customer safety as the ferry transportation business, and for the same reasons.

So I can't understand, editorially, why you would be celebrating business as usual as the remedy for the widespread and essentially ineradicable difficulty with business as usual.

References

For the facts regarding the case in Korean:

http://m.news.naver.com/read.nhn?mode=LSD&sid1=001&oid=029&aid=0002388408

http://www.fnnews.com/news/201702071616245220

http://view.asiae.co.kr/news/view.htm?idxno=2015010611215544648

http://www.newsis.com/ar_detail/view.html/?ar_id=NISX20161208_0014569224&cID=10401&pID=10400

http://www.etoday.co.kr/news/section/newsview.php?idxno=868722



r2 - 30 Apr 2017 - 15:27:13 - EbenMoglen