
Strengthen Corporate Security, Review Government Policy Effectiveness, and Redesign the Personal Data Protection System

Writer
Sang-yeop Kim

Large-scale personal data breaches in the telecommunications sector continue to occur, deepening public anxiety. Companies must strengthen security, and the government must examine the effectiveness of existing systems. Repeated incidents are difficult to explain as the responsibility of only one side, and they show that both corporate management and institutional responses need to improve together.


The Personal Information Protection Commission imposed a record-high administrative fine of 134.8 billion won on SK Telecom. Even considering the seriousness of the incident, it is hard to avoid criticism that the process for calculating the fine lacked transparency. Although it was calculated based on total sales, it is unclear whether only sales actually related to the violation were reflected, and there are also claims that some unrelated sales were included. The reduction process likewise undermines the credibility of the system, as only a general explanation has been offered—that damage recovery and corrective measures were taken into account—without revealing any concrete standards.


The problem lies in how companies respond to such sanctions. As seen in the cases of KT and Lotte Card, delays in reporting or announcements downplaying the scale of the damage have been repeated. In fact, according to the “2024 Information Security Survey,” only 20% of companies that experienced security breaches reported them. If companies have an incentive to avoid punishment, simply strengthening administrative fines is unlikely to ensure effectiveness.


Repeated cases in the financial and telecommunications sectors show that stronger fines do not automatically lead to better security. Companies should be encouraged to pursue fundamental security improvements rather than expend resources merely responding to regulation. What is needed is not just administrative fines, but a multilayered system that combines victim relief with corporate improvement.


Corporate responsibility is fundamental. This incident should serve as a wake-up call for IT companies to strengthen their security systems. At the same time, government policy must also be rational and predictable. The standards for calculating fines and the grounds for reductions should be clearly defined, and procedures should be disclosed transparently.


Civil remedies such as class actions and damages may be more appropriate than punitive administrative fines. In the United States, T-Mobile reached a compensation settlement worth around 4 trillion won following a massive hacking incident and separately carried out additional security investments. Through such measures, it should be possible to achieve both victim relief and corporate improvement at the same time.


Repeated personal data breaches demand change from both companies and the government. Companies must continue making responsible security investments, and the system must be predictable. In addition, victims must be given a direct path to relief. Only when these three pillars are balanced can punishment go beyond mere sanctions and become a means of prevention and restoring trust.


Sang-yeop Kim

Researcher, Center for Free Enterprise (CFE)


Original title: 기업-보안 강화, 정부-제도 실효성 점검, 개인정보보호 제도 재설계해야

Author: Sang-yeop Kim

Date: 2025-09-29

Source: https://www.cfe.org/bbs/bbsDetail.php?cid=press&idx=28138