🚨 Hacking Prevention Act
Today Korean Social News for Beginners | 2025.11.27
0️⃣ Fines for Repeated Telecom Hacking, Strengthened Information Security Obligations
📌 Telecom Companies Face Fines for Repeated Hacking… 'Hacking Prevention Act' Close to Passing Parliament
💬 After major telecom companies like SK Telecom, KT, and LG Uplus experienced repeated hacking incidents, the National Assembly's Science, ICT, Broadcasting and Communications Committee passed the 'Hacking Prevention Act.' This bill strengthens telecom companies' information security obligations and imposes fines of up to 3% of revenue if hacking occurs two or more times within 5 years. Additionally, companies that conceal hacking incidents or delay reporting will face penalties of 50 million won. The amendment, created through bipartisan agreement, is likely to pass the plenary session and will serve as an opportunity to reform telecom companies' hacking response systems. The committee established an 'Infringement Incident Investigation Committee' to prevent concealment of hacking incidents and enabled investigations even without company reports. However, critics point out that the fine reduction clause weakens effectiveness, and the level of sanctions for repeated incidents is too low.
💡 Summary
- The Hacking Prevention Act imposes fines on telecom companies for repeated hacking and strengthens information security obligations.
- Fines of up to 3% of revenue are imposed if hacking occurs two or more times within 5 years.
- User protection is strengthened through 50 million won penalties for concealing hacks and establishing an Infringement Incident Investigation Committee.
1️⃣ Definition
The Hacking Prevention Act is an amendment that strengthens information security obligations and imposes fines for repeated incidents, in order to prevent hacking of telecom and information communication service providers and to enhance user protection when incidents occur. It is being pursued as amendments to the Information and Communications Network Act and the Telecommunications Business Act. Telecom companies must establish information security committees, secure security personnel, and notify users when incidents occur.
As major telecom companies experienced repeated hacking incidents and personal information leakage damage spread, there was a consensus that institutional measures were needed to strengthen telecom companies' security responsibilities and protect users. The core purpose of this law is to encourage telecom companies to invest in security by imposing fines or penalties when hacking is repeated or concealed.
💡 Why is this important?
- Personal information leakage can lead to secondary damage like financial fraud and voice phishing.
- Telecom companies hold most citizens' information, so the scale of damage from security incidents is enormous.
- Effective sanctions are needed for repeated hacking incidents.
- Strengthening information security obligations can increase trust in telecommunication services.
2️⃣ Main Contents and Issues of the Hacking Prevention Act
📕 Core Contents of the Bill
Fines are imposed for repeated hacking. Main contents are as follows:
- If hacking incidents occur two or more times within 5 years, fines of up to 3% of revenue are imposed.
- Fines are economic sanctions to encourage telecom companies' security investment and prevent recurrence.
- However, the fine is subject to reduction when the Personal Information Protection Commission has already imposed a fine, to avoid duplicate sanctions.
- Some experts point out that the reduction clause may weaken actual sanctions effectiveness.
Penalties are imposed for concealing hacking. Main contents are as follows:
- If telecom companies conceal hacking incidents or delay reporting, a penalty of 50 million won is imposed.
- This is a measure to prevent companies from hiding hacking incidents due to concerns about reputation loss.
- The purpose is to enable users to respond quickly through prompt reporting.
- However, there is criticism that 50 million won is not a significant burden for large companies and the sanction level is low.
An Infringement Incident Investigation Committee is established. Main features are as follows:
- An Infringement Incident Investigation Committee is established under the Ministry of Science and ICT.
- It can independently decide whether to investigate hacking incidents even without company reports.
- User protection is strengthened as the government can initiate investigations even if companies conceal incidents.
- The committee will be composed of experts and related agencies to conduct objective investigations.
📕 Strengthening Telecom Companies' Information Security Obligations
Establishing information security committees becomes mandatory. Main contents are as follows:
- Telecom companies must establish information security committees as dedicated security organizations.
- Committees are responsible for establishing security policies, responding to infringement incidents, and conducting security inspections.
- CEOs and other executives must participate directly to manage security at the management level.
- This is a mechanism to recognize security as corporate responsibility, not just a technical issue.
Securing security personnel is required. Main contents are as follows:
- Telecom companies must secure sufficient information security professionals.
- Regular security education and training must be conducted to strengthen response capabilities.
- Continuous investment in security systems and equipment is necessary.
- Cooperation systems with external security expert organizations must be established.
User notification obligations are strengthened. Main contents are as follows:
- Users who suffered damage must be immediately notified when infringement incidents occur.
- Notification content must include the types of leaked information, time of occurrence, and response measures.
- Specific response methods must be provided so users can prevent secondary damage.
- Penalties may be imposed for delaying or omitting notification.
📕 Limitations and Criticisms of the Bill
The fine reduction clause weakens effectiveness. Main problems are as follows:
- Sanctions are weakened because the fine is reduced if the company has already been fined by the Personal Information Protection Commission.
- 3% of revenue is not a significant burden for large companies, limiting deterrent effects.
- There are criticisms that the sanction level is low compared to the scale of social damage from hacking.
- Some argue that the fine cap should be raised or the reduction clause deleted.
Criteria for repeated incidents are ambiguous. Main problems are as follows:
- The standard of two or more times within 5 years is clear, but the scale or severity of hacking is not considered.
- There is controversy over whether it is reasonable to count minor incidents and large-scale leakage incidents equally.
- There is also the reality that even if telecom companies actively invest in security, it is difficult to completely prevent external attacks.
- There are opinions that criteria for evaluating incident prevention efforts and response levels should be prepared together.
The penalty level is insufficient. Main problems are as follows:
- A 50 million won penalty for concealing hacking is not a significant burden for large companies.
- If penalties are lower than reputation loss or lawsuit costs, the incentive to conceal still exists.
- Some argue that penalties should be set as a percentage of revenue or significantly increased.
- There are also criticisms that criminal punishment provisions should be strengthened for effectiveness.
💡 Main Issues of the Hacking Prevention Act
- Fine effectiveness: Sanction effects weakened by reduction clauses and low caps
- Penalty level: 50 million won is not burdensome for large companies, concealment incentive remains
- Repeated incident criteria: Only counting frequency without considering incident scale or severity
- Prevention investment inducement: Need for prevention investment promotion policies rather than sanctions-centered approach
- User damage relief: Lack of practical compensation system for security incident victims
3️⃣ Hacking Prevention and User Protection Enhancement Measures
✅ Expanding Telecom Companies' Security Investment
Security systems must be continuously improved. Main directions are as follows:
- Hacking attempts should be blocked in advance through investment in the latest security technology and equipment.
- Artificial intelligence and big data technology should be used to detect abnormal signs early.
- Security vulnerabilities should be regularly inspected and immediately improved.
- Regular simulated hacking tests by external security expert organizations should be conducted.
Security personnel must be sufficiently secured and trained. Main tasks are as follows:
- Information security experts should be actively recruited and provided with competitive treatment.
- Regular security awareness education should be conducted for all employees.
- Response capabilities should be developed through infringement incident response training.
- Educational programs should be operated to continuously improve security personnel's expertise.
✅ Strengthening Government Supervision and Support
Infringement incident investigation and supervision must be strengthened. Main directions are as follows:
- The Infringement Incident Investigation Committee should conduct independent and professional investigations.
- Telecom companies' security levels should be regularly evaluated and improvements required.
- Causes of hacking incidents should be thoroughly analyzed and recurrence prevention measures established.
- Overseas cyber attacks should be addressed through international cooperation.
Support for small and medium businesses is needed. Main tasks are as follows:
- Small telecom operators with less security investment capacity than large companies should be supported.
- The government should support security technology and consulting to raise the overall telecom network security level.
- A cooperation system for sharing security information among small and medium businesses should be established.
- Tax benefits or financial support for security investment should be expanded.
✅ Strengthening User Rights Protection
Damage relief procedures must be clarified. Main directions are as follows:
- A system should be established for users damaged by hacking to receive prompt compensation.
- Telecom companies should provide appropriate compensation according to the scale of damage.
- User rights should be protected by activating class action lawsuits or dispute mediation systems.
- Services like credit information monitoring should be provided to prevent secondary damage.
Users' information security awareness must be raised. Main tasks are as follows:
- Public campaigns should be conducted to inform about the importance of personal information protection.
- Users should be given guidance on how to strengthen their own security.
- Basic security rules such as password management and two-factor authentication should be taught.
- Methods to prevent secondary damage like voice phishing should be actively promoted.
4️⃣ Related Terms Explanation
🔎 Information and Communications Network Act
- The Information and Communications Network Act is a law that ensures safe use of information communication services.
- The Information and Communications Network Act's official name is 'Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.' It was enacted to create a safe usage environment for information communication services and prevent infringement acts like personal information leakage and hacking. It regulates the obligations of information communication service providers and the rights of users.
- Main contents of this law include: First, information communication service providers must safely manage users' personal information. Second, they must immediately report to the Korea Internet & Security Agency when infringement incidents occur. Third, they must notify users of infringement incident facts and response methods. Fourth, they must establish information security management systems and deploy professional personnel.
- In this Hacking Prevention Act amendment, telecom companies' information security obligations were further strengthened, and immediate reporting and user notification were mandated when infringement incidents occur. Additionally, the government can now regularly evaluate telecom network stability and reliability, and legal grounds for imposing fines for repeated hacking incidents have been established.
🔎 Telecommunications Business Act
- The Telecommunications Business Act is a law regulating fair operation of telecommunication services.
- The Telecommunications Business Act was enacted to promote proper operation of the telecommunications business and efficient management of telecommunications. It comprehensively covers telecom company business permits, rate regulation, and user protection. It emphasizes the public nature of telecommunication services and has user rights protection as an important purpose.
- Main contents include: First, telecom companies cannot refuse to provide services without justifiable reasons. Second, rates and service conditions must be clearly disclosed. Third, user complaint handling and dispute resolution procedures must be established. Fourth, telecom network stability and reliability must be maintained.
- This amendment includes strengthening management and supervision of telecom company branches, mandating user protection manuals, and obligating guidance on optimal rate plans. The Hacking Prevention Act, together with this law, establishes an institutional foundation for telecom companies' security responsibilities and builds a comprehensive system to increase trust in telecommunication services and protect users.
🔎 Fines
- Fines are economic sanction measures for law violations.
- Fines are monetary sanctions imposed by the state to recover economic benefits or deter violations when companies or individuals violate laws. Unlike criminal fines or penalties, they can be imposed as administrative sanctions separately from criminal punishment and are calculated based on profits gained from violations or revenue.
- Characteristics of fines include: First, they directly impact companies' economic benefits to induce legal compliance. Second, amounts vary according to the severity and repetition of violations. Third, they can be imposed separately from criminal punishment, allowing double sanctions. Fourth, they may be reduced if overlapping with fines from other agencies.
- In the Hacking Prevention Act, fines of up to 3% of revenue are imposed if hacking incidents occur two or more times within 5 years. However, the fine is subject to reduction when the Personal Information Protection Commission has already imposed a fine, and there are criticisms that this decreases the actual sanction effect. Some experts argue that the fine cap should be raised or the reduction clause deleted to strengthen effectiveness.
🔎 Infringement Incident Investigation Committee
- The Infringement Incident Investigation Committee is a government agency responsible for investigating hacking incidents.
- The Infringement Incident Investigation Committee is a committee established under the Ministry of Science and ICT that decides whether to investigate hacking incidents of telecom companies and other information communication service providers and conducts actual investigations. This is an institutional mechanism to enable the government to independently initiate investigations even if companies conceal incidents.
- Main functions of the committee include: First, it independently decides whether to investigate hacking incidents even without telecom company reports. Second, it thoroughly investigates causes and circumstances of infringement incidents. Third, it can recommend improvements for preventing recurrence. Fourth, it can suggest administrative measures like imposing fines based on investigation results.
- The committee will be composed of information security experts, legal experts, consumer organization representatives, and government officials from related agencies to conduct objective and professional investigations. This prevents telecom companies from concealing or downplaying incidents and enables prompt measures to prevent user damage from spreading. Ensuring the committee's independence and expertise is an important task for successful operation of the system.
5️⃣ Frequently Asked Questions (FAQ)
Q: Will telecommunication rates increase if the Hacking Prevention Act passes?
A: While increased security investment costs by telecom companies may have some impact on rates, it is not a direct reason for rate increases.
- With the Hacking Prevention Act, telecom companies must invest additional costs in establishing information security committees, expanding security personnel, and improving security systems. From the corporate perspective, operating costs increase, so there may be incentives to reflect this in rates. However, telecommunication rates are regulated by the government and do not automatically increase just due to cost increases. Telecom companies must report to or receive approval from the Ministry of Science and ICT when raising rates and present reasonable grounds.
- Additionally, since security investment is a basic obligation of telecom companies, it is difficult to justify passing this on to users. Rather, considering compensation costs from hacking incidents, reputation losses, and lawsuit costs, preventive investment is more economically rational. The government needs to review tax benefits or support policies for security investment together to ease rate increase pressure. As users, we should monitor telecom companies' rate policies and exercise consumer rights against unjust increases.
Q: How should I respond if I am damaged by hacking?
A: Immediately change passwords, check financial transactions, and take additional damage prevention measures.
- If you receive a hacking damage notification from a telecom company or suspect personal information leakage, you should respond immediately. First, immediately change all passwords related to leaked accounts. If you used the same password on multiple sites, change all of them. Second, check financial account and credit card transaction details to see if there are suspicious transactions. Third, contact financial institutions to temporarily suspend account and card use or apply for monitoring services.
- Fourth, be careful of suspicious contacts as there may be secondary damage attempts like voice phishing or smishing texts. Fifth, report damage to the telecom company and inquire about compensation procedures. Sixth, report to the Korea Internet & Security Agency (118 counseling center) for expert consultation. Seventh, if the damage scale is large or financial loss occurred, report to police and receive legal consultation. Preventive measures like setting up two-factor authentication and regularly changing passwords in advance are also important.
Q: Do other countries have similar laws?
A: Major jurisdictions such as Europe and the United States enforce stronger personal information protection regulations.
- Information protection and hacking response are treated very importantly overseas. First, the European Union's General Data Protection Regulation (GDPR) mandates reporting within 72 hours of personal information leakage and imposes fines of up to 4% of global revenue or 20 million euros, whichever is higher, for violations. This is higher than Korea's 3%. Second, the United States applies different laws by state, and California's Consumer Privacy Act (CCPA) imposes fines of up to $7,500 per case for violations and allows consumer class actions.
- Third, Japan mandates immediate reporting of leakage incidents under its Personal Information Protection Act and enables criminal punishment for violations. Fourth, Singapore can impose fines of up to 1 million Singapore dollars under its Personal Data Protection Act (PDPA). All these countries impose aggravated punishment for concealing incidents and clearly regulate companies' security investment obligations. Korea's Hacking Prevention Act is moving in a direction that meets international standards, but there are evaluations that the fine reduction clause and penalty levels have room for improvement.