Measures aim to minimize leaks

The government unveiled detailed measures to improve information security policies at financial companies by imposing hefty fines on those found to have lax management in regard to customers’ personal information and limiting the collection of resident registration numbers.

Hyun Oh-seok, the nation’s deputy prime minister and finance minister; Shin Je-yoon, chairman of the Financial Services Commission; Choi Mun-kee, minister of science, ICT and future planning; and the heads of relevant ministry agencies announced the measures, which come nearly two months after Korea suffered its worst personal data leak earlier this year across three major credit card companies.

The need for such a plan was only underscored by last week’s data leak at KT, the nation’s second-largest mobile carrier.

“The latest data leak incident happened because the government and financial companies didn’t perform their basic duties,” Hyun said at a press conference yesterday in Gwanghwamun, central Seoul. “Now the government will make sure consumers can check how their information is being used at financial companies at any time and require the removal of that information, strengthening citizens’ rights to their own information.”

The primary goal of the latest measures is to ensure consumers’ rights to protect their personal information. Clients will also be able to demand that financial companies reveal how their information is being used and can choose to have those businesses remove it. They can also demand companies suspend checking their credit information.

Additionally, all financial companies must establish “do-not-call” systems from June that allow customers to opt to refuse calls from telemarketers. Currently, the system is only used at a few insurance companies.

Even if they have previously agreed to share information, companies must discard a client’s information if he or she has demanded it be withdrawn. A punitive system will also be introduced, which has stricter regulations than anticipated.

Financial companies will be required to pay 3 percent of their sales raised by activities using illegally shared customer information as a penalty, up from the expected 1 percent.

“Stringent penalties will be ordered,” Hyun said, “including the dismissals of chief executive officers if they didn’t carry out their duties to protect customer information.”

The collection of resident registration numbers will also be limited; its use will be required only once in the first financial transaction with a new company.

“Excessive exposure of citizens’ resident registration numbers will be corrected by limiting its use to the first financial transactions,” Chairman Shin said.

“After the first collection, consumers need not provide their numbers anymore, which will minimize the exposure of that information. The collected numbers will also be encrypted and safely stored,” he added.

The numbers can only be processed and collected using the keyboard or keypad of a computer, or the dial pad of a telephone.

“Consumers are exposed to the risks of data leaks not only in the financial sector, but also others, as seen in the recent incident with mobile carrier KT,” Hyun said. “The government will come up with additional measures that can be applied to all industries soon.”

The government previously postponed the announcement of the measures twice, with the initial announcement scheduled for two weeks ago. Hyun said it took longer than expected to make the new measures more effective for all customers.

However, experts remain skeptical about what they see as delayed government action.

“Most of the measures announced yesterday were discussed immediately after the credit card leak incident broke out,” said Lee Dong-hoon, a professor at Korea University.

“An important policy will be fostering talent in the information security field, but it is [going] nowhere. Without professional experts, increased control and regulations are not going to be very effective.”

BY SONG SU-HYUN [ssh@joongang.co.kr]