Legal Issues and Challenges Related to Hacking and Data Breach Incidents
Writer: Lee Seong-yeop
Recent hacking and data breaches have evolved beyond simple server intrusions, diversifying and becoming more sophisticated through attacks on communication networks, authentication procedures, and account takeovers. In 2025, the breaches of the Journal Article Management System, the hacking of SK Telecom’s voice-call authentication and identification server (HSS), and the credential-stuffing attacks on GS Retail and GS25 each involved different attack vectors. These incidents exposed a structural limitation: it takes a prolonged period to determine the exact causes and scale of damage.
Looking at the key characteristics shared by these recent, successive data breaches, they can be summarized into five points: (1) concerns over disruptions to national budget execution, (2) questions about the effectiveness of ISMS certification, (3) difficulties in identifying the cause and scope of hacking incidents, (4) increasingly sophisticated hacking techniques, and (5) the dual position of companies as both data handlers and victims in personal data breaches. This reality highlights that the current personal data protection framework is overly focused on post-incident sanctions and remediation, calling for a comprehensive re-examination of regulatory design.
Although the legislative intent of maintaining a “balance between protection and utilization” should be preserved, stronger punishment alone is insufficient to respond to increasingly advanced cyber threats. An accumulation of outcome-oriented sanctions can discourage early reporting and transparent disclosure by companies, while weakening incentives for the technical and organizational investments needed to prevent recurrence. There is a need to realign the objectives and instruments of sanctions in accordance with the principle of proportionality, and to shift policy emphasis toward prevention-centered measures that effectively reduce repeat incidents.
The penalty surcharge system should clearly reaffirm its fundamental purpose as a means of disgorging unjust enrichment. Applying revenue-linked penalties uniformly—even to cases of simple data leakage caused by external hacking where no unjust gains were obtained—risks undermining proportionality and predictability. In such cases, it would be more reasonable to switch to fixed (or tiered) surcharges, while reserving revenue-linked penalties exclusively for violations accompanied by actual gains. A systematic separation of these categories is warranted.
Traditional consent-based regulation is losing effectiveness in an era of large-scale, real-time data processing and the rapid spread of artificial intelligence. What is required instead is a preventive approach that achieves both protection and utilization through Privacy by Design—embedding data minimization, purpose limitation, and security from the design stage—and through privacy-enhancing technologies (PETs) such as homomorphic encryption, differential privacy, and federated learning. This represents an institutionalization of ex-ante prevention rather than ex-post remediation, and can be gradually disseminated through relevant certifications and guidelines.
Governance should move toward integration by overcoming fragmentation. Control-tower models such as the United Kingdom’s National Cyber Security Centre (NCSC) centrally oversee public- and private-sector security policy, incident response, and information sharing. Korea likewise needs an integrated cybersecurity governance framework, consolidating experienced personnel and organizational capabilities, to respond to hyper-connected environments and national-security-level threats, while strengthening international cooperation. While the state should retain ultimate responsibility for assessing the legality and appropriateness of personal data processing and conducting oversight, a hybrid model that links practical operations to private self-regulation through industry associations is a realistic alternative.
Ultimately, the focus of responses to hacking and data breaches should shift from “harsher punishment” to “proportionate sanctions and effective prevention of recurrence.” By separating penalties by purpose and adopting fixed surcharges where unjust enrichment is absent; by transitioning toward ex-ante prevention (including a national responsibility framework for data protection, mandatory Privacy by Design, and the promotion of PETs) alongside recalibrated ex-post regulation (such as delegating certain operational tasks to industry associations under self-regulatory models); and by reorganizing integrated governance (including stronger efforts to apprehend hackers and institutional reforms such as establishing a dedicated cybersecurity authority), early reporting and rapid recovery can be encouraged, while user trust and data-driven innovation are strengthened together. Only with such a transformation can the balance between personal data protection and data utilization be restored, enhancing both society’s overall security level and economic efficiency simultaneously.
I. Introduction
1. Recent Trends in Personal Data Breaches
2. Key Characteristics of Recent Data Breaches
3. Business and Legal Risks Faced by Companies in Security Incidents
II. Current Legal and Regulatory Framework for Hacking and Data Breaches
1. Data Breach Notification Obligations under the Personal Information Protection Act
2. Liability for Damages Arising from Data Breaches
3. Administrative Fines
III. Legal Issues and Policy Challenges Arising from Hacking and Data Breaches
1. The Nature of Administrative Fines
2. Balance of Sanctions
3. Ex Ante Prevention and Ex Post Regulation
4. Governance Reform
IV. Conclusion
References
Korean version: https://www.cfe.org/20251030_28241