Hello. This is Attorney Shin Jun-seon from Cheongchul Law Firm.
Recently, an incident occurred at Samsung Biologics in which the personal information of more than 5,000 employees was unlawfully exposed through a shared folder on the company's intranet. It was confirmed that sensitive information such as names, resident registration numbers and performance evaluations was accessible to employees who had no authority to view it, and the labor union claims that documents relating to union activities were also included, which has escalated the controversy. After becoming aware of the situation, the company released an official statement from the CEO saying that there had been no external leak and apologizing for the controversy.
Under the Personal Information Protection Act and the Standard Personal Information Protection Guidelines, "personal information leakage" refers to a state in which personal information is disclosed to a third party against the will of the personal information handler, that is, in which the information has passed outside the handler's management and control. Some commentaries also describe the related concept of "personal information exposure" as a state in which personal information is publicly disclosed or left unattended so that anyone can easily view or obtain it over a public telecommunications network without special means such as hacking.
Exposure, however, still falls within the scope of "personal information infringement." In a situation like the Samsung Biologics case, where employees with no access rights to other employees' personal information could view the information in question, the incident is therefore likely to be judged a leak in the broader sense.
Once a personal information handler becomes aware that personal information has been leaked, it must notify the data subjects within 72 hours of becoming aware, stating the fact of the leak, the items affected, the circumstances in which it occurred, the measures data subjects can take to minimize damage, the handler's own response measures, and a contact point for damage reports, as stipulated in Article 34 of the Personal Information Protection Act and Article 39 of its Enforcement Decree.
In addition, where the personal information of 1,000 or more data subjects has been leaked, where sensitive information or unique identification information has been leaked, or where the leak resulted from an unlawful intrusion from outside (such as hacking) into a system used to process personal information, the handler must also report the leak to the Personal Information Protection Commission or the Korea Internet & Security Agency. Failure to notify or report may result in an administrative fine of up to 30 million won or other administrative sanctions.
Such recurring leakage incidents are not merely the result of one company's mistake but the combined result of structural vulnerabilities and a lack of awareness of personal information protection. Accordingly, the Personal Information Protection Commission is strengthening its legislative and policy response to hold companies more accountable, and companies need to put effective countermeasures in place.

<Commission's Position – A System Centered on Strong Punishment and Prevention>
The Personal Information Protection Commission has taken a firm stance on leakage incidents. At a recent press conference, Commissioner Song Kyung-hee stated, "In the AI era, personal information protection should shift from a focus on post-incident sanctions to preventive measures." She added, "Companies that invest proactively in personal information protection will be given certain incentives, while strong penalties will be imposed for repeated and significant leaks." She also indicated plans to expand the Commission's investigative staff, which suggests that the intensity of the Commission's response to incidents will only increase over time.
In August the Commission decided to impose a fine of more than 130 billion won on SKT over its personal information leak, and the written decision was served on SKT around November 10. SKT is expected to pay the fine and then contest it through an administrative lawsuit.
Personal information leaks at companies that handle large volumes of personal data continue to occur, and even with internal protection systems in place it is nearly impossible to completely prevent damage from external hacking. Moreover, as AI technology advances, attack techniques grow more sophisticated, and the frequency and scope of damage keep increasing. Note, however, that the Samsung Biologics case described above was not an external intrusion: the company itself states that nothing left the company, and the exposure came from a shared folder whose permissions let employees read records they had no business reading, which is exactly the kind of failure that access-control and permission reviews can prevent. Given this situation, the level of protection demanded by the Personal Information Protection Commission is expected to be enforced even more stringently in the future, and companies should focus on building preventive systems and rapid response mechanisms for when incidents do occur.
<Five Response Tasks Companies Should Address>
Amid this trend, companies that want to comply effectively with the Personal Information Protection Act and manage the real risks should concentrate on the following five tasks.
Enhancing Access Control and Permission Settings: A large share of leakage cases stem from poor management of access rights. Sensitive information such as personnel documents and customer information should be accessible only to the minimum set of people who need it for their duties, and every change to permissions should go through a recorded approval procedure. In practice this means a written rule for which groups may read which folders, a periodic comparison of the actual permissions against that rule, and special attention to grants to broad groups such as "all employees", which can turn a single shared folder into a company-wide exposure.
Establishing Internal Control and Personnel Management Systems: With insider leaks on the rise, access to information unrelated to an employee's job should be blocked, access records should be monitored, and an automatic alert system for abnormal signs (for example, an account reading other employees' personnel records in bulk, or reading from a folder that belongs to another department) should be put in place. In particular, related guidelines such as the personal information processing policy should be organized and followed, with a designated person responsible in each department (HR, sales, IT, etc.) and the scope of granted access rights kept to a minimum.
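The following is an added example, not code from the article or from any company it mentions, showing in Python what the two tasks above amount to in practice for a shared folder: a policy naming the only groups allowed to read each sensitive folder, an audit of the actual permission entries against that policy, a drift check against the last approved baseline (the "recorded and approved changes" requirement), and an alert pass over access logs that flags reads by accounts outside the allowed groups and bulk reads of many employees' files. Every folder name, group, account, ACL entry and log line is constructed, and the key=value log format and the policy table are hypothetical; a real deployment would read the ACLs from the file server and the log from its audit trail.

```python
# Added example (not from the article): least-privilege checks for a shared
# folder. All folder names, groups, accounts, ACL entries and log lines are
# constructed; the policy table and the log format are hypothetical.
import re
from collections import defaultdict

# Policy: the only groups that may read each sensitive folder (hypothetical).
POLICY = {
    "/shared/HR/evaluations": {"HR-Evaluators"},
    "/shared/HR/personnel-files": {"HR-Admins", "HR-Evaluators"},
    "/shared/Sales/customers": {"Sales"},
}

# Principals that effectively grant access to every intranet account.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Last approved ACL baseline, and the ACL as currently observed (constructed).
APPROVED_ACL = {
    ("/shared/HR/evaluations", "HR-Evaluators", "read"),
    ("/shared/HR/personnel-files", "HR-Admins", "modify"),
    ("/shared/Sales/customers", "Sales", "modify"),
}
CURRENT_ACL = APPROVED_ACL | {
    ("/shared/HR/evaluations", "Authenticated Users", "read"),  # exposes everything
    ("/shared/HR/personnel-files", "Sales", "read"),           # wrong department
}

# Group membership per account (constructed).
USER_GROUPS = {
    "hpark": {"HR-Evaluators"},
    "slee": {"HR-Admins"},
    "jkim": {"Sales"},
}

# Constructed file-server access log in a simple key=value format.
ACCESS_LOG = """\
2025-11-03T09:12:44 user=hpark action=read path=/shared/HR/evaluations/emp_1042.pdf
2025-11-03T09:13:01 user=jkim action=read path=/shared/HR/evaluations/emp_1042.pdf
2025-11-03T09:13:05 user=jkim action=read path=/shared/HR/evaluations/emp_1043.pdf
2025-11-03T09:13:09 user=jkim action=read path=/shared/HR/evaluations/emp_1044.pdf
2025-11-03T09:20:30 user=slee action=read path=/shared/HR/personnel-files/emp_2001.pdf
2025-11-03T09:21:00 user=jkim action=read path=/shared/Sales/customers/acme.xlsx
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")


def audit_acl(acl, policy=POLICY):
    """Flag ACL entries on policy-covered folders that grant access beyond the policy."""
    findings = []
    for folder, principal, rights in sorted(acl):
        allowed = policy.get(folder)
        if allowed is None:
            continue  # folder not classified as sensitive; out of scope here
        if principal in BROAD_PRINCIPALS:
            findings.append(("broad-principal", folder, principal, rights))
        elif principal not in allowed:
            findings.append(("not-in-policy", folder, principal, rights))
    return findings


def unapproved_grants(approved, current):
    """Permission drift: grants present now that were never in the approved baseline."""
    return sorted(current - approved)


def folder_for(path, policy=POLICY):
    """Map a file path to the policy folder that contains it, if any."""
    for folder in policy:
        if path.startswith(folder + "/"):
            return folder
    return None


def detect_anomalies(log_text, user_groups=USER_GROUPS, policy=POLICY, bulk_threshold=3):
    """Alert on reads by accounts outside a folder's allowed groups, and on any
    account that reads bulk_threshold or more distinct files in one folder."""
    alerts = []
    files_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("unparsed", line))  # never silently drop a log line
            continue
        user, path = m["user"], m["path"]
        folder = folder_for(path, policy)
        if folder is None:
            continue
        if not (user_groups.get(user, set()) & policy[folder]):
            alerts.append(("unauthorized-read", user, path))
        files_seen[(user, folder)].add(path)
    for (user, folder), files in files_seen.items():
        if len(files) >= bulk_threshold:
            alerts.append(("bulk-access", user, folder, len(files)))
    return alerts


if __name__ == "__main__":
    for f in audit_acl(CURRENT_ACL):
        print("ACL finding:", f)
    for g in unapproved_grants(APPROVED_ACL, CURRENT_ACL):
        print("Unapproved grant:", g)
    for a in detect_anomalies(ACCESS_LOG):
        print("Alert:", a)
```

On the constructed data the ACL audit reports the "Authenticated Users" grant on the evaluations folder and the Sales grant on personnel files, the drift check reports the same two entries as never approved, and the log pass raises three unauthorized-read alerts plus one bulk-access alert for the Sales account that read three evaluation files. The two checks are deliberately independent: the ACL audit catches the misconfiguration before anyone uses it, while the log pass catches use of it even when the ACL snapshot is stale or the grant was made through a path the audit does not see.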
Regular Employee Training and Strengthening Ethics: Incidents often result from employee mistakes or a lack of security awareness. It is essential to establish in-house personal information protection principles, mandate compliance with them, sanction violations, and regularly train staff using cases of leaks at other organizations. Personal information protection needs to be promoted as part of corporate ethics.
Establishing Incident Response Systems and Streamlining Reporting Processes: Since notification and reporting within 72 hours of becoming aware of a leak are mandatory, a sequential procedure of incident detection → containment → report to the supervisory authority → notification of data subjects → recovery and follow-up should be documented and rehearsed through simulation exercises. The 72-hour clock cannot be met unless detection itself is fast, so access logging and alerting are a precondition for this task rather than a separate one.
Strengthening Management of Outsourcing, SaaS and Cloud Services: As reliance on external systems grows, it is essential to put proper entrustment contracts in place with the outsourcing contractors that process personal information, to conduct security assessments of cloud service providers, and to carry out regular internal inspections and remediation of vulnerabilities.
<Conclusion>
Since the enactment of the Personal Information Protection Act in 2011, the relevant laws and various guidelines have been continuously amended and have become established as practical norms, and sanctions (penalties) for violations have become a reality. Repeated leak incidents and hefty fines are no longer a risk only for particular companies. Personal information is the cornerstone of trust for businesses in the digital age, and efforts to protect it are an investment in corporate sustainability rather than merely a cost. It is therefore imperative that all companies, regardless of size, treat personal information protection not as a formality of legal compliance but as part of their corporate strategy, with a clear understanding of the Personal Information Protection Commission's policy direction and of societal expectations, and that they put countermeasures in place proactively.
Cheongchul Law Firm has been providing comprehensive legal advice on improving corporate personal information processing policies, building personal information protection systems, organizing internal regulations, and responding to leakage incidents and investigations. Please feel free to contact us if you wish to review your response systems or need legal strategies for response when incidents occur.