Government to Introduce Fines of Up to 10% of Sales for Repeated, Serious Data Breaches; to Respond Firmly
- Input
- 2026-05-12 15:22:40
- Updated
- 2026-05-12 15:22:40

[The Financial News] A new "punitive fine" system that imposes penalties of up to 10% of total sales for repeated or serious violations of the Personal Information Protection Act will take effect in September. At the same time, incentives will be offered for companies that make voluntary investments in protection, and a risk-based oversight system will be established to closely manage institutions handling high-risk personal data.
■ From post-incident sanctions to preventive measures
The Personal Information Protection Commission (PIPC) reported the plan, titled the "Transition Plan for a Prevention-Centered Personal Information Management System," at a State Council meeting presided over by the president on the 12th. The move comes as major data breaches at Coupang, KT, and Duo Matchmaking have occurred one after another, while concerns are also growing over AI-based automated attacks. The government aims to overhaul the existing response system, which has focused mainly on post-incident sanctions.
PIPC said it will first strengthen the effectiveness of economic penalties by imposing fines of up to 10% of sales on repeated or serious violations of the Personal Information Protection Act. However, the rule will not apply uniformly to all incidents. It will be applied only in cases such as repeated breaches within three years or serious incidents at businesses with more than 10 million users.
The commission will also calculate fines based on the higher of the previous year's sales or the average sales over the past three years. Until now, it had used the three-year average sales figure. It also plans to introduce enforcement fines and a reporting reward system to improve compliance. Small businesses that commit minor violations will be given a chance to correct them, but repeated breaches will be met with a firm response.
On the other hand, companies that make proactive security investments will receive incentives. If they have protection measures that exceed legal standards, active security spending, and a sound safety management system, fine reductions will be applied. The idea is to shift toward a "regulation that encourages investment." In addition, the government plans to institutionalize "privacy by design (PbD)," which reflects privacy protection from the service design stage, and incorporate it into Personal Information Impact Assessments and ISMS-P certification standards.
■ "Coupang and KT investigations in the final stage"
The victim relief system will also be strengthened. In the event of a personal data breach, companies and institutions will be held liable for damages as a rule, and the burden of proof will be placed on companies to improve the effectiveness of compensation. Practices that make it difficult for users to change personal information, withdraw consent, or leave a service, such as dark patterns, will be closely monitored. The Personal Information Infringement Report Center will also expand its functions, including specialized counseling, consulting, and support for damage mitigation. In particular, when sensitive information is leaked, the government will monitor illegal distribution on social network services and other platforms, detect and delete it, and work with law enforcement to track down and punish those who illegally spread or use personal data.
Starting in the second half of this year, the government will directly conduct regular inspections of about 1,700 high-risk systems, including major public systems and systems that handle large volumes of personal data. PIPC will establish a "risk-based management system" that differentiates inspection intensity according to risk level. The commission plans to directly manage 387 major public systems and sectors that concentrate personal data, including telecommunications, finance, healthcare, and welfare. The scope of inspections will also be expanded across the supply chain, including cloud providers, specialized contractors, and system vendors.
At the same time, investigations into Coupang and KT, both of which were recently embroiled in large-scale breach controversies, are entering the final stage. In a briefing at the Government Complex Seoul on the day, Song Kyung-hee said, "For both Coupang and KT, we completed the investigation and issued prior notice, and we are currently reviewing the companies' responses." She added, "We will ensure that appropriate measures are taken in line with their level of responsibility."
Song also addressed AI-based hacking threats, including Anthropic's recent "Claude Mythos" case, saying, "In the future, not only attacks but also defenses will move at the speed of AI." She added, "We need to quickly shift from a human-centered management system to an AI agent-based detection and response system." She went on to emphasize, "If we properly build a preventive system, we can detect attacks early and block the spread of damage."
"Once personal information is leaked, it is difficult to fully reverse the damage, and recovery takes a long time," Song said. "We will build a system in which preventive measures work effectively alongside post-incident accountability, creating a personal data environment that the public can trust."
yjjoe@fnnews.com Jo Yoon-joo Reporter