Computers, Privacy & the Constitution

SunghyeOhFirstPaper 3 - 05 May 2017 - Main.SunghyeOh
Changed:
<
<

Legal Countermeasures against Massive Personal Information Leakage in South Korea

>
>

Review of Massive Personal Information Leakage Case and Underlying Problems in South Korea

 -- By SunghyeOh - 21 Mar 2017

Introduction

Changed:
<
<
When we talk about the protection of personal information, the right of privacy covers the individuals’ ability to control the collection and use of personal information.[1] In South Korea, the right of “self-determination of personal information” has been recognized as a constitutional right, and several related laws such as “Personal Information Protection Act” ("PIPA") have been established. Still, people have experienced repetitive massive personal data leaks. Among the incidents, the devastating one so-called “3-credit card company’s personal information leak” revealed some limitations in relation to the country’s legal system. This stimulated the discussion about how to overcome the systemic shortcomings, therefore, enhance the constitutional value of privacy.
>
>
When we talk about the protection of personal information, the right of privacy covers an individual’s ability to control the collection and use of his or her personal information.[1] In South Korea, the right of “self-determination of personal information” has been recognized as a constitutional right, and several related laws, such as the Personal Information Protection Act (“PIPA”), have been enacted. Still, the country has experienced repeated large-scale personal data leaks. Among them, the so-called “three credit card companies’ personal information leak” in particular stimulated the discussion: what are the underlying problems, and how should the country proceed to realize the constitutional value of privacy?
 

The largest-ever personal information leak

Changed:
<
<
In January 2014, Koreans were furious about the news that the personal data on 104 million credit cards issued by three major credit card corporations—Kook-min, Nong-hyup and Lotte Card—were stolen, which affected 20 million people or 40% of the population. The swiped data included sensitive personal information—names, social security numbers, phone numbers, residential addresses and even credit/financial information like card numbers, expiration dates, and bank accounts. The thief, Park, who was a technician at the credit rating company called Korea Credit Bureau which had contracted with the credit card companies, secretly copied the data onto an USB. Then, a significant amount of stolen data was sold and resold, conveyed to the phone marketing and the capital loan companies.[2][3]
>
>
In January 2014, Koreans were furious at the news that personal data on 104 million credit cards issued by three major credit card companies, Kook-min, Nong-hyup and Lotte Card, had been stolen, affecting 20 million people, about 40% of the country’s population. The stolen data included sensitive personal information (names, social security numbers, residential addresses) and even credit and financial information such as card numbers, expiration dates and bank account numbers. The thief, Park, was a technician at the credit rating company Korea Credit Bureau, a contractor of the credit card companies; he secretly copied the data onto a USB drive. A significant amount of the stolen data was then sold and resold, ending up with phone marketing and loan companies.[2][3]
 
Changed:
<
<
Following the incident, 188,400 people filed 281 lawsuits against the credit card corporations, seeking for the compensation of 75.3 billion Korean won (USD $67.42 million, the currency rate by 03/20/2017, hereinafter the same) in total—generally, each plaintiff requested 0.5 million won ($448). Most trial courts’ decisions, which are still pending before appellate courts, ruled partially in favor of the plaintiffs, awarding each victim 100 thousand won ($90) for the damages for pain and suffering—the damages of the plaintiffs whose data was seized by investigators shortly after the theft were not recognized. Also, the credit card companies were convicted of the violation of the “PIPA,” and fined 10 million won ($8,955) or 15 million won ($13,432), which all defendants appealed. In addition, the administrative sanctions were ordered; each company was subject to the 3-month ban on issuance of new credit cards in combination with the regulatory fine of 6 million won ($5,374).[4] Furthermore, the regulatory penalties were imposed on all companies, the sum of which reached 34 million won ($30,452).
>
>
Following the incident, 188,400 people filed 281 lawsuits against the credit card companies, seeking compensation of 75.3 billion Korean won ($67.42 million at the exchange rate of 03/20/2017, hereinafter the same) in total; typically, each plaintiff claimed 0.5 million won ($448). Most trial court decisions, which are still pending before the appellate courts, ruled partly in favor of the plaintiffs, awarding each victim 100 thousand won ($90) in damages for pain and suffering. The credit card companies were also convicted of violating PIPA and fined 10 million won ($8,955) or 15 million won ($13,432), verdicts that all defendants appealed. Administrative sanctions were imposed as well: each company was subject to a three-month ban on issuing new credit cards together with a regulatory fine of 6 million won ($5,374).[4] Further regulatory penalties were imposed on all the companies, totaling 34 million won ($30,452).
 

Implications

Changed:
<
<
This scandal indicates the level of awareness of privacy. As for the companies, this incident clearly showed how much they had neglected their responsibilities to protect the customers’ privacy. In particular, it was revealed that they gave Park unencrypted data. The lack of security manuals regarding the encryption or the outsider’s access suggested that they had regarded the cybersecurity programs as expenses. For the customers, it can be inferred that they were somewhat indifferent about the subject, or they just relinquished their right of privacy. Although many victims expressed their anger by requesting the companies to cancel the cards, however, the vast majority of them did not take any further actions—the number of people who actually sued the companies was only 188,400 or less than 1% of the affected.

This phenomenon can be explained by the country’s legal system. First, the civil procedure that lacks the procedure like class-actions prevents people from seeking legal resolutions. To be specific, the system that requires people to literally participate in a lawsuit bothers people for pursuing compensation. Second, the low level of punishment accounts for the indolence of corporations. In this case, it seems that the courts and the executors did their best to punish as harsh as possible within the boundaries of applicable law authorities; the damages ordered by most courts was very common among the related cases; the imposed criminal and the regulatory fines were the highest amounts under the applicable law at that time.

However, the problem is that these recoveries and sanctions were neither effective nor meaningful considering the vastness of the leak and the scale of the companies’ business. This indicates the existence of legal limitations.

Reactions, Remaining Problems, and Solutions

The discussion then raises a question—what legal framework can be done to enhance the standard of protection, therefore, realize the constitutional value of privacy? Increasing the level of punishment by revising the applicable statutes would be plausible. Implementing punitive damages and class-actions would be helpful in forcing corporations to upgrade their cybersecurity protocol and in recovering individual victims from damages.
>
>
This scandal exposed problems with Korea’s personal data protection system on every side. With respect to the companies, the incident showed how much they had neglected their responsibility to protect their customers’ privacy. It was reported that the companies gave Park unencrypted data, and the absence of any security procedure governing encryption or access by outside contractors suggests that the companies regarded cybersecurity programs as an expense. Note that encrypting the stored data would not by itself have stopped a technician who was handed the data as part of his contracted work; the missing controls were limits on what data an outside contractor needed to see at all and on whether it could be copied onto removable media. The absence of any actual, workable cybersecurity standard also contributed to the problem. As for the customers, the incident suggests that they were somewhat indifferent to the privacy issue, or had simply relinquished their right of privacy. Although many victims expressed their anger by asking the companies to cancel their cards, the vast majority took no further action: the number of people who actually sued was only 188,400, less than 1% of those affected.
 
Changed:
<
<
Fortunately, in the wake of this scandal, the country amended the related statutes. Statutory damages and punitive damages provisions were adopted—consumers became enabled to claim statutory damages of up to 3 million won ($2,687), and courts became entitled to award punitive damages of up to three times the actual damage. Also, the available regulatory penalties increased to up to 3% of a company's revenue, and the available criminal fine also increased from 10 million won ($8,957) to 20 million won ($17,913).[5][6]
>
>

Responses

After the scandal, what the government did was to amend the related statutes so as to increase the level of punishment, on the view that the penalties imposed had been too weak compared with the companies’ scale of business (even though most of the criminal and regulatory sanctions were the strongest available under the applicable laws at the time). Statutory damages and punitive damages were adopted: consumers may now claim statutory damages of up to 3 million won ($2,687) without proving actual damage, and courts may award punitive damages of up to three times the actual damages. The available regulatory penalty was raised to up to 3% of a company’s revenue, and the maximum criminal fine was raised from 10 million won ($8,957) to 20 million won ($17,913).[5][6]
 
Changed:
<
<
This revision is expected to function well in inducing corporations to establish security programs. Nonetheless, still, there is a remaining problem. Under the current civil procedure in the country, the situation that few people who actually participated in the lawsuits are entitled to recover damages would be inevitable. In order not to leave most of the victims to remain uncompensated, introducing class-actions system from which all victims can benefit is strongly recommended.
>
>
These revisions were made in the hope that they would induce companies to upgrade their cybersecurity; however, penalty increases cannot be effective or meaningful as long as corporations see the protection of customers’ personal information as an expense. A company would rather bear the risk of likely penalties than build a quality security system if it expects the former to be cheaper. Unless there is a real possibility of meaningful and significant penalties, it is hard to believe that Korean companies would change their business strategies. In this sense, one plausible remedy is the introduction of a class-action system, through which meaningful costs can be imposed on companies that neglect to protect their customers’ data.
 
Changed:
<
<

Conclusion

Some people might not care about their privacy, or they might think that it is impossible to overcome the tragedy of privacy erosion; however, we need to remain hopeful and make every effort to protect our right of privacy.[7] In this regard, to get over the legal systemic limitations can be one of the efficient ways to materialize the constitutional right of privacy.
>
>
A lack of workable security standards is another issue. In theory, security standards have existed in Korea, but, as this case shows, they were so thoroughly disregarded that the thief was able to access and walk off with unencrypted data. Worse, some entrenched practices are themselves harmful to security: for example, Korean banks’ pervasive use of “archaic financial security software,”[7] namely ActiveX controls, which run native code inside the browser with the user’s full privileges and are therefore very exposed to attack. Establishing and improving security standards, in combination with technical measures, is strongly recommended.
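The paragraphs above on the unencrypted data given to the contractor’s technician and on the absence of workable standards both point at the same missing control: deciding what an outside party needs to receive at all, and checking the outgoing file before it leaves. The following is an added example, written for this page and not code from the paper, the credit card companies or Korea Credit Bureau. It assumes a made-up internal record layout, a made-up allow-list of fields a credit-scoring contractor needs, constructed sample records (not real people or cards), and a demonstration key; in practice the key would be held in the issuer’s key management system, not in source.

```python
"""Added example: minimising what an outside contractor receives.

Before a record set leaves the card issuer, direct identifiers are replaced
with keyed pseudonyms, card numbers are masked, fields the contractor does
not need are dropped, and the outgoing file is checked so that no raw
identifier slips through. Field names, records and the key are assumptions
made up for illustration.
"""
import hashlib
import hmac
import re

# Fields a credit-scoring contractor plausibly needs (assumption); everything
# else is dropped rather than handed over "just in case".
ALLOWED_FIELDS = {"customer_token", "card_masked", "card_expiry", "credit_limit"}

# Patterns for raw identifiers that must never appear in an export:
# a 13-digit resident registration number (YYMMDD-GNNNNNN) and a
# 16-digit card number, with or without separators.
RRN_RE = re.compile(r"\b\d{6}-?[1-8]\d{6}\b")
PAN_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way token: stable for joins across files, but not reversible
    without the issuer's key (and not at all once that key is destroyed)."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def minimise_record(rec: dict, key: bytes) -> dict:
    """Turn an internal customer record into what the contractor gets."""
    out = {
        "customer_token": pseudonymise(rec["rrn"], key),
        "card_masked": mask_pan(rec["card_number"]),
        "card_expiry": rec["card_expiry"],
        "credit_limit": rec["credit_limit"],
    }
    # Defensive: nothing outside the allow-list ever leaves, even if the
    # mapping above is later extended carelessly.
    return {k: v for k, v in out.items() if k in ALLOWED_FIELDS}


def contains_raw_identifier(rec: dict) -> bool:
    """Export-time check: true if any value still looks like an RRN or a
    full card number."""
    for v in rec.values():
        s = str(v)
        if RRN_RE.search(s) or PAN_RE.search(s):
            return True
    return False


def build_export(records: list, key: bytes) -> list:
    """Minimise every record and refuse the whole export if any raw
    identifier survived."""
    export = [minimise_record(r, key) for r in records]
    bad = [r for r in export if contains_raw_identifier(r)]
    if bad:
        raise ValueError(f"export blocked: {len(bad)} record(s) still carry raw identifiers")
    return export


# Constructed sample data: fictitious people, test-style card numbers.
SAMPLE_RECORDS = [
    {"name": "Hong Gil-dong", "rrn": "900101-1234567", "phone": "010-0000-0001",
     "address": "Seoul", "card_number": "4111-1111-1111-1111",
     "card_expiry": "12/19", "credit_limit": 5_000_000, "bank_account": "110-000-000001"},
    {"name": "Kim Young-hee", "rrn": "850505-2345678", "phone": "010-0000-0002",
     "address": "Busan", "card_number": "5500000000000004",
     "card_expiry": "06/18", "credit_limit": 3_000_000, "bank_account": "110-000-000002"},
]
EXPORT_KEY = b"demo-key-held-only-by-the-issuer"  # illustrative only

if __name__ == "__main__":
    for row in build_export(SAMPLE_RECORDS, EXPORT_KEY):
        print(row)
```

The point of the allow-list plus the export-time check is that each catches a different mistake: the allow-list stops a developer from adding a field the contractor was never supposed to see, and the regex check catches an identifier that arrives inside a field that was allowed (a card number pasted into a free-text column, for instance). Neither replaces controls on removable media at the contractor, but together they mean that what can be copied onto a USB drive is no longer the raw customer file.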
 
Added:
>
>
Lastly, we should not forget the importance of education, which can raise people’s awareness. In this case, had awareness of privacy been higher at the time, victims would not have reacted so passively. Education can show individuals the realities and seriousness of privacy invasion, and it can help build a society that values companies that handle their customers’ data carefully. Under that condition, corporations would in turn change their conception of customers’ privacy and of the costs associated with protecting it.
 

SunghyeOhFirstPaper 2 - 30 Apr 2017 - Main.EbenMoglen
Deleted:
<
<
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.
 

Legal Countermeasures against Massive Personal Information Leakage in South Korea

 

Conclusion

Some people might not care about their privacy, or they might think that it is impossible to overcome the tragedy of privacy erosion; however, we need to remain hopeful and make every effort to protect our right of privacy.[7] In this regard, to get over the legal systemic limitations can be one of the efficient ways to materialize the constitutional right of privacy.
Added:
>
>

It's hard for me to correlate the facts with the conclusions. It is obvious that penalty increases are useless. Indeed, following the usual absurd position of Korean corporate management that all activities can be strictly divided into "makers" and "takers," security for customers' data will always be seen as "an expense." Raising penalties in this foolish way merely increases an offset expense, in the hope that the present value of respecting customers' privacy, which is still negative to the business, will be smaller than the present value of likely penalties. That will not happen, as you see, without a system of class actions and one of shareholder activism (which you don't mention, as it is even more unthinkable under Korean conditions) that would actually impose significant costs. That security should be seen as a common good in which it benefits all to participate, the actual improvement in social trust, is evident to non-Korean societies in which more social trust exists and the people who run the society know that social trust is worth more than the value of successful corruption.

Meantime, no actual security standards of any value are in place. Active X controls that can never be made secure are still an unbelievably foolish welded-in-place part of Korean banking and commerce, thus ensuring that every user can be plundered all the time. The technical environment of the Korean Net is about as professionally careful of customer safety as the ferry transportation business, and for the same reasons.

So I can't understand, editorially, why you would be celebrating business as usual as the remedy for the widespread and essentially ineradicable difficulty with business as usual.

 


SunghyeOhFirstPaper 1 - 21 Mar 2017 - Main.SunghyeOh
References

For the facts regarding the case in Korean:

http://m.news.naver.com/read.nhn?mode=LSD&sid1=001&oid=029&aid=0002388408

http://www.fnnews.com/news/201702071616245220

http://view.asiae.co.kr/news/view.htm?idxno=2015010611215544648

http://www.newsis.com/ar_detail/view.html/?ar_id=NISX20161208_0014569224&cID=10401&pID=10400

http://www.etoday.co.kr/news/section/newsview.php?idxno=868722




Revision 3r3 - 05 May 2017 - 19:49:16 - SunghyeOh
Revision 2r2 - 30 Apr 2017 - 15:27:13 - EbenMoglen
Revision 1r1 - 21 Mar 2017 - 21:54:25 - SunghyeOh
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.