The National Assembly Research Service noted that legislation needs to be revised to allow for the "flexible application of damage compensation provisions" following the SK Telecom hacking incident.
On the 7th, the National Assembly Research Service published a report titled "Issues and Legislative Tasks Following Telecom Hacking Incidents," stating that even if victims cannot be identified quickly in telecom security incidents, notice should be given to all subscribers. The reasoning is that "if the core of the mobile network is hacked, it can have a significant impact on society as a whole and pose a serious threat to national security, necessitating a structural response."
The National Assembly Research Service viewed the recent SK Telecom hacking incident as a case where the limitations of corporate self-regulation and government response systems were revealed. It pointed out that SK Telecom inadequately responded to the initial hacking by initially informing only through its homepage and only began sending out comprehensive text messages regarding the subscription to the SIM protection service on the 23rd of last month.
In the report, the National Assembly Research Service stated, "If the victims of the leak cannot be identified shortly after a hacking incident, this means that the scope and content of the leak are not accurately known, and therefore the worst-case scenario must be assumed." It urged the revision of the Personal Information Protection Act to ensure that even if the individuals affected by data leaks are not identified, specific situations and response methods should be individually notified to all subscribers. It also suggested that if hacking incidents are deemed to have widespread or severe risks, the disaster alert system should be utilized, and the Information and Communications Network Act or the Basic Act on Broadcasting and Telecommunications Development should be amended.
A joint investigation team led by the Ministry of Science and ICT is requiring the submission of data related to the incident and is currently investigating, but there are analyses suggesting that it lacks enforcement power. The National Assembly Research Service also argued that the government’s investigative authority regarding hacking incidents should be strengthened by amending the Information and Communications Network Act.
The National Assembly Research Service also stated that to prevent corporations from being passive in their responses or hiding incidents, it is necessary to amend the law to strengthen minimal investigative enforcement power by increasing fines under the Information and Communications Network Act or imposing compliance surcharges. It also noted that corporations should implement substantial relief measures for victims and facilitate easy compensation for victims by amending the Telecommunications Business Act, the Information and Communications Network Act, and the Personal Information Protection Act. Since victims may find it difficult to prove the causal relationship between the data leak and the damage, it urged the review of provisions in the Personal Information Protection Act that allow for the presumption of causality.