The truth about company’s information security (7)

On March 20, 2015, the judgment delivered at the 2nd ruling of the Western District Court in Seoul in favor of SK Communications brought to a halt the notorious case that shook the nation: the leak of the personal information of 35 million people, which nearly decided the fate of the company responsible. Had SK Communications lost the case, the compensation was expected to reach up to 7 trillion won (USD 7 billion), so the case rightly drew tremendous attention. So on what basis was SK Communications able to prevail? In some ways, companies can now look to two elements of the case as lessons to be learned.

First, satisfy the conditions that the law requires. SK Communications consistently claimed that it observed all the laws related to personal information protection, and provided evidence to prove its committed efforts. Unlike the information security laws of other countries, Korean regulatory requirements for companies and government agencies are very specific. In other words, if the applicable standards are satisfied, one can be cleared of legal liability should an accident occur. Satisfying the conditions that the law requires therefore becomes the de facto minimum standard for companies.

Second, be watchful of your own industry. The judges responsible for the judgment must rely on a variety of resources for the ruling because they are not IT and security professionals. They gather expert opinions, or refer to the current state of industry standards on information security. Even where the law does not state it specifically, if a company is found not to meet conditions that most similarly situated companies in the same industry satisfy, its security or information protection activities could be adjudged insufficient. That may act as a detrimental factor in the judgment. A company must therefore stay alert and up to date on security trends in its industry, and must not fall behind.

If a company faithfully practices these two elements, then even in the worst case of an IT intrusion resulting in an information security breach, it can be assured that they will serve as a lifeline to escape the crisis.

This is not limited to criminal proceedings; it can also affect civil suits. However, companies complain in unison that there are too many restrictive laws about security, and as soon as the economy slows a bit, they do not hesitate to cut the security budget and its personnel.

It is clear that such companies do not regard security as an essential requirement of corporate management, but as an expendable function. But when one sees that the very law they complain of actually serves as the lifeline that saves the company, I cannot but feel that the cries from the companies are exaggerated. Or is it that the companies are simply confident that no security breach will happen to them?

An IT security breach may or may not happen to a company. However, one thing should not be forgotten: if an accident occurs, the result will not be the same for all businesses.

Im Hong Cheol Cyber Team (AhnLab Senior Consultant) (sunwoodowoo@gmail.com)
Translating Reporter Chang Kyong (globalwinner77@gmail.com)

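Copyright © Safe Times (세이프타임즈), the press that makes a world where anyone can live with peace of mind. Unauthorized reproduction and redistribution prohibited.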