Companies Need Stronger Security, Government Must Ensure Institutional Effectiveness and Redesign Personal Information Protecti
Writer: KIM SANG-YEOP
Public anxiety is growing as large-scale personal data breaches continue to occur in the telecommunications sector. Companies must strengthen their security measures, and the government must reassess the effectiveness of existing institutions. Repeated incidents cannot be explained by the responsibility of either side alone; they demonstrate the need for simultaneous improvements in corporate management and institutional responses.
The Personal Information Protection Commission (PIPC) imposed a record-high fine of 134.8 billion won on SK Telecom. Even considering the seriousness of the incident, criticism is unavoidable regarding the lack of transparency in how the fine was calculated. While the calculation was based on total revenue, it remains unclear whether only revenue directly related to the violation was considered, and there are concerns that unrelated revenue may have been included. Similarly, the reduction process was explained only in general terms—such as taking remediation and corrective actions into account—without disclosing concrete criteria, undermining trust in the system.
Another concern lies in how companies respond to such sanctions. As seen in cases involving KT and Lotte Card, delays in reporting or understatement of damage have occurred repeatedly. According to the 2024 Information Security Survey, only 20 percent of companies that experienced security breaches actually reported them. If firms have strong incentives to avoid punishment, strengthening fines alone is unlikely to ensure effective enforcement.
Repeated cases in the financial and telecommunications sectors show that tougher fines do not automatically lead to better security. Policy should encourage firms to invest resources in fundamental security improvements rather than merely responding to regulatory penalties. What is needed is a multi-layered framework that combines administrative sanctions with victim compensation and meaningful corporate remediation.
Corporate responsibility is fundamental. This incident should prompt IT companies to strengthen their security systems. At the same time, government institutions must be reasonable and predictable. The criteria for calculating fines and granting reductions should be clearly defined, and procedures should be disclosed transparently.
Civil remedies such as class-action lawsuits and damage compensation may be more appropriate than punitive administrative fines. In the United States, for example, T-Mobile agreed to compensation totaling roughly 4 trillion won following a major hacking incident and undertook additional investments in cybersecurity. Such approaches allow both victim relief and corporate improvement to be achieved simultaneously.
Repeated personal data breaches demand change from both companies and the government. Firms must sustain responsible investment in security, institutions must ensure predictability, and clear pathways for victim compensation must be established. Only when these three pillars are balanced can punishment evolve beyond mere sanction into a tool for prevention and trust restoration.
Sang-yeob Kim
Research Fellow, The Center for Free Enterprise
Korean version: https://www.cfe.org/bbs/bbsDetail.php?cid=press&pn=2&idx=28138
