IT·SECURITY
The Amendment to the Personal Information Protection Act that Security Officers Must Know
The Personal Information Protection Act was enacted to protect data subjects and to make personal information controllers take responsibility for personal information protection. Since its establishment in 2011, the Act has protected data subjects from the damage caused by personal data breaches.

The Personal Information Protection Commission (PIPC) submitted a government bill to the National Assembly in September 2021 and reconciled differing opinions through communication with domestic and overseas stakeholders, including relevant ministries, academic and industrial circles, and civic groups. After two years of in-depth discussion, the bill was finally passed by the National Assembly. The amended Act was announced on March 14, 2023 and takes effect six months later, on September 15, 2023.

Background to the Amended Personal Information Protection Act

The amendments to the three data acts (Personal Information Protection Act, Act on Promotion of Information and Communications Network Utilization and Information Protection, and Credit Information Use and Protection Act), which took effect in August 2020, mainly focused on establishing a control tower for personal information protection and revitalizing the data economy. However, some hold the opinion that the rights of the people need to be strengthened in the changing data environment.

The second amendment to the Personal Information Protection Act is the first government bill since the establishment of the Act that reflects the opinions of the relevant ministries, academic and industrial circles, civic groups, etc. It is meaningful in that the amendment is a full-scale revision of the Act to strengthen and protect data subjects' rights and to secure compatibility with international standards.

What is New in the 2023 Amendment to the Personal Information Protection Act

Expansion of data subjects' rights

In the amendment, the right to demand personal information transmission was newly inserted as part of the expansion of data subjects' rights. With this newly established right, a data subject can demand that their information be transmitted to themselves or to third parties (other personal information controllers or personal information management institutions). As a result, MyData services, which had been limited, can now be expanded.

Article 35-2 of the Personal Information Protection Act (Request for Personal Information Transmission)
(1) A data subject may demand that their personal information items satisfying all of the following requirements be transmitted to themselves from a personal information controller meeting the criteria prescribed by Presidential Decree, taking personal information processing competences, etc. into account. [This Article Newly Inserted, Mar. 14, 2023]

In addition, a new article on the right to demand an explanation of an automated decision and the right to refuse such a decision has been inserted. Under this article, a data subject can demand an explanation of an automated decision, or refuse it, where a decision made by processing personal information with an automated system has a crucial impact on their rights or obligations.

Article 37-2 of the Personal Information Protection Act (Data Subjects' Rights, etc. to Automated Decisions)
(1) A data subject can request that the personal information controller suspend the processing of his/her personal information, or withdraw his/her consent to personal information processing. In such cases, the data subject can request that the public institution suspend the processing of his/her personal information items subject to registration under Article 32, or withdraw his/her consent to personal information processing. <Amended on Mar. 14, 2023>
(2) Where a personal information controller receives a request for the suspension of information processing referred to in paragraph (1), it shall suspend the whole or part of the processing of the personal information as requested: Provided, That the personal information controller may deny the data subject's request if it falls under any of the following subparagraphs. <Amended on Mar. 14, 2023>

Improvement of unreasonable consent systems

In the past, a personal information controller could collect personal information without a data subject's consent where it was inevitably necessary to execute and perform a contract with the data subject. The amended Act instead stipulates that a personal information controller can collect or use a data subject's personal information where it is necessary to take proper measures at the request of the data subject in the process of executing or performing a contract with the data subject.

Article 15 of the Personal Information Protection Act (Collection and Use of Personal Information) <Amended on Mar. 14, 2023>
(1) A personal information controller may collect personal information in any of the following circumstances, and use it within the scope of the purpose of collection:
4. Where it is necessary to take proper measures at the request of the data subject in the process of executing or performing a contract with the data subject;

Deletion of the special provisions concerning providers of information and communications services

In the past, where a person collected personal information without the consent of a data subject, an offline enterprise was subject to a fine not exceeding 50 million won, whereas an online enterprise was subject to a fine equivalent to less than three-hundredths of its total sales. The amended Act stipulates that the same penalties apply to all personal information controllers regardless of the type of business, online or offline.

In addition, the amended Act unifies "personal information controllers" and "providers of information and communications services", which used to be distinguished from each other. Special provisions that were similar to or overlapped with the general provisions, such as consent to the collection and use of personal information, the collection of personal information of children under 14, and data breach notification, are integrated into the general provisions and extended to all fields.

Establishment of operation standards for portable visual data processing devices

As the use of portable visual data processing devices such as CCTVs, drones, and self-driving cars grows, relevant provisions were newly inserted. A person who intends to operate a portable visual data processing device as part of his/her activities is allowed to film persons, or images of things related to persons, in open spaces only when certain requirements are satisfied.

Article 25-2 of the Personal Information Protection Act (Limitation on Operation of Portable Visual Data Processing Devices)
(1) A person who intends to operate any portable visual data processing device for part of his/her activities shall not take pictures of or film persons or images of things related to the persons with the device at open places, except in any of the following circumstances:

From penalty-centered restrictions to economy-centered restrictions

The amended Act has shifted from penalty-centered restrictions to economy-centered restrictions: excessive penalty provisions were revised, the upper limit of administrative fines was raised, and the range of penalty targets was expanded. To impose administrative surcharges proportional to the severity of a violation, the amended Act changed the surcharge calculation standard from total sales to sales excluding the sales not related to the violation. In the past, a fine was equivalent to less than three-hundredths of the sales related to the violation. The amended Act stipulates that a fine shall be equivalent to three-hundredths of total annual sales, which is stricter.

Article 64-2 of the Personal Information Protection Act (Imposition of Penalty Surcharges)
(1) The Commission may impose a fine equivalent to less than three-hundredths of total sales on a personal information controller in any of the following circumstances: Provided, That up to 2 billion won may be imposed as administrative surcharges on a personal information controller having no sales or sales difficult to calculate as prescribed by Presidential Decree.
(2) Where the Commission imposes a fine pursuant to paragraph (1), the fine shall be calculated on the basis of the sales excluding the sales not related to the violation. [This Article Newly Inserted, Mar. 14, 2023]

Overseas transfer of personal information and the order to suspend overseas transfer

In the past, personal information could be transferred abroad only where additional consent was obtained from the data subject. The amended Act stipulates that personal information may be transferred without the data subject's additional consent to a nation whose personal information protection system has a standard similar to that of the Republic of Korea. It also allows an order to suspend overseas transfer to be issued where there is concern that the overseas transfer of personal information may cause additional damage to the data subject.

SECTION 4 Overseas Transfer of Personal Information of the Personal Information Protection Act <Newly Inserted, Mar. 14, 2023>
Article 28-8 (Overseas Transfer of Personal Information)
(1) A personal information controller shall not provide or keep personal information abroad or outsource the processing of such information abroad: Provided, That the personal information may be transferred abroad in any of the following circumstances;
Article 28-9 (Order to Suspend Overseas Transfer of Personal Information)
(1) The Commission may order personal information controllers to suspend the overseas transfer of personal information where personal information is continuously transferred abroad or additional overseas transfer is expected, in any of the following circumstances;

The PIPC said that the amendment to the Personal Information Protection Act could become a foothold for the growth of the data industry and enterprises by effectively guaranteeing the rights of the public and resolving legal uncertainties through reasonable regulatory maintenance in the process of accelerating digital transformation.
23.08.24
SINSI STORY
The First Half of 2023 of SINSIWAY
It is almost halfway through 2023, the year of the black rabbit. The first half of 2023 has passed, and we are now preparing for the second half of the year in the midst of a hot summer. What were some of the important events that took place at SINSIWAY in the first half of 2023? In this post, we briefly introduce the key events of the first half of the year.

Employees from the third open recruitment have joined SINSIWAY

In January 2023, nine new employees joined SINSIWAY through the third open recruitment. The SINSIWAY HR Training Team provides three months of training so that new employees understand our products and their duties. The new employees recruited through the third open recruitment were assigned to the Technical Support Headquarters and the R&D Headquarters after three months of training. We hope that our new employees adapt to the workplace and grow with a passionate mindset!

2023 Kick Off

In the first half of the year, we could return to our daily lives as COVID-19 became endemic. In January 2023, the kick off event, which had been suspended for a while, was held with all employees. It consisted of an awards ceremony for long-serving employees, a draw for handing over the company cars, a survival quiz program, and more. It was a meaningful event in which all employees could gather in one place after three years, and we could start the new year more cheerfully.

SINSIWAY applied for a patent on the method and system for SaaS-based database access control gateway services

After applying for a domestic patent in September 2022, we also applied for a PCT patent on "The Method and System for SaaS-based Database Access Control Gateway Services" in February 2023. The PCT, the Patent Cooperation Treaty, provides a unified procedure for filing patent applications with all PCT members at one go. By applying for a PCT patent, we have established a foothold for overseas business expansion based on our advanced technology.

SINSIWAY received a citation as an outstanding enterprise participating in SaaS transformation and utilization training

On February 8, SINSIWAY received a citation as an outstanding enterprise participating in the SaaS transformation and utilization training provided by the Korea Software Technology Association (KOSTA). SINSIWAY technical staff members participated in the KOSTA SaaS transformation and utilization training program for six months, from June to December 2022. SINSIWAY is investing aggressively in HR training and the R&D projects required for SaaS transformation, with the goal of developing cloud data security software. In addition, we have newly organized the Cloud Development Group and the Cloud Business Team, and we will expand our cloud business more aggressively in line with the growth of the cloud security market.

The employee birthday party has resumed

The employee birthday party, which had been suspended due to the COVID-19 pandemic, resumed in April. A birthday party is held every month at the head office lounge, and employees celebrating a birthday receive a gift certificate. During the party, all employees gather and talk while enjoying party food such as chicken, pizza, and cake, which gives them a chance to network with coworkers they do not know well.

The unstructured data encryption solution Petra File Cipher V3.2 has obtained GS Certification Grade 1

On May 4, SINSIWAY's unstructured data encryption solution Petra File Cipher V3.2 obtained GS Certification Grade 1, the highest grade, from the Telecommunications Technology Association (TTA). As GS (Good Software) certification attests to software quality, obtaining Grade 1 for Petra File Cipher is recognition of SINSIWAY's advanced technology and outstanding security.
23.08.24
IT·SECURITY
How Will ChatGPT Change the World?
What is ChatGPT?

ChatGPT, which is receiving the greatest attention these days, is an AI chatbot developed by the American AI startup OpenAI. ChatGPT is a search tool that shows the results requested by users. That may sound similar to other chatbots, so why is ChatGPT in the limelight now? One of the biggest differences between ChatGPT and portal sites such as Google and NAVER is that it learns from large language model-based data, answers questions and talks like a human, and provides information on a wide range of topics.

Source: OpenAI, ChatGPT screen

Having learned from over 300 cases of data from the Internet, ChatGPT can hold daily conversations, write theses, write code, and take tests. It is capable of creating unique products with a variety of content such as text, audio, and images. In addition, it can prepare reports and theses and do programming like a smart assistant. As of February 2023, you can use ChatGPT for free once you sign up. If you want faster service even during peak times, you can use ChatGPT Plus with a monthly subscription available for USD 20 (KRW 25,000). ChatGPT Plus provides higher quality answers and information than the general version.

Why is ChatGPT So Powerful?

ChatGPT is built upon GPT-3.5, a super AI that learns data with 175 billion parameters. GPT-4, which OpenAI plans to launch in 2023, is expected to become even more precise than GPT-3.5 since it is predicted to use over 1 trillion parameters. Unlike preexisting chatbots, ChatGPT learns by itself through trial and error with reinforcement learning from human feedback (RLHF). Since ChatGPT reflects human feedback, it can carry on a conversation. The foreign press evaluated ChatGPT as the best chatbot to talk with.

How Big is the Market Power of ChatGPT?

The number of ChatGPT users reached 1 million in four days. Considering that it took Netflix, Facebook, and YouTube 3.5 years, 10 months, and 8 months, respectively, to secure 1 million users, this shows that the market power of ChatGPT is tremendous. According to a report published by the global financial company UBS, the number of daily users reached 13 million and the number of monthly active users (MAU) is estimated to be over 100 million. Considering that it took Instagram and TikTok six and nine months, respectively, to reach 100 million users, ChatGPT is the application that has secured 100 million users in the shortest period.

Microsoft has been investing continuously in OpenAI, the developer of ChatGPT, and has recently started initial testing of its new ChatGPT-based Bing Mobile. In addition, Google announced a plan to launch the conversational AI chatbot Bard, based on its language model LaMDA. Some predict that Bard will become more powerful than ChatGPT since it can learn from the tremendous amount of data in Google's daily search results, which surpass 3.5 billion views.

What Would be the Limitations of ChatGPT?

Of course, ChatGPT has limitations. ChatGPT does not provide information generated after 2021, since it is based on data generated in 2021 or earlier. Therefore, it may not be able to create accurate responses to questions about information after 2021. If ChatGPT's training data contains biased information, its responses may be biased as well, and ethical issues may arise. Since numerous people around the globe are using ChatGPT, unethical or political answers are sometimes induced. OpenAI has set an AI code of ethics which prohibits ChatGPT from answering political, discriminatory, or hateful questions. However, it is difficult to block false information completely since so many users are using ChatGPT all over the world. It is obvious that ChatGPT will change our daily lives, but we need to think about the ethical aspect as well, given its limitations.
23.08.24
IT·SECURITY
2023 Prospect of Cyber Security Threats
What kinds of technologies and attacks will threaten cyber security in 2023? The Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) jointly published the 2022 Cyber Security Threat Analysis and 2023 Cyber Security Threat Prospect.

2022 Cyber Security Threats

Cyber attacks causing national and social chaos

In 2022, global enterprises, government agencies, etc. were damaged worldwide by continuous cyber attacks from global hacking groups such as LAPSUS$. In Korea, cyber attacks exploited accidents and incidents on which national attention was focused, such as the data center fire at Pangyo and the Seoul Halloween crowd crush. In addition, attackers hijacked the official YouTube accounts of government agencies and broadcasting companies, posted virtual asset videos, and distributed hacking e-mails impersonating government agencies.

Attacks using changes in the IT environment such as telecommuting and cloud transformation

Since the COVID-19 outbreak, working environments have changed to non-face-to-face environments, in which important data was leaked through infiltration into enterprises. As more enterprises use the cloud and major systems are migrated to the cloud, cloud security incidents are increasing. Representative incidents include the hacking of Alibaba Cloud, leading to the leak of 1 billion users' personal information, and the airport data leak resulting from an Amazon cloud configuration error.

Ransomware and DDoS attacks paralyzing the digital society

Security incidents reported to KISA in 2022 increased by around 1.6 times year on year, and 29% of the reports received were ransomware incidents. Small and medium enterprises and manufacturing businesses account for 88.5% and 40.3% of total ransomware damage, respectively, so it is necessary to expand security support for and investment in small and medium enterprises. DDoS attacks are also continuously increasing, and it was confirmed that most of the devices used for such attacks were video storage media, set-top boxes, etc. infected with IoT malware.

2023 Prospect of Cyber Security Threats

An increase in global hacking groups' attacks threatening national industry and security

It is forecast that global hacking groups will become more active and that cyber attacks targeting global enterprises will continue with the prolonged Russo-Ukrainian War. In particular, attacks targeting virtual assets and the activities of cyber criminal organizations, including posting their attacks on social media, are predicted to grow.

Continued cyber attacks using sensitive social issues such as disasters and disabilities

Phishing, smishing, and advanced persistent threats exploiting social issues are expected to grow, and activities affecting the entire society through fake news created with cutting-edge technology are expected to increase as well. In addition, attacks using personal channels such as e-mail and social media are predicted to grow.

Evolution of ransomware armed with advanced persistent threats and multiple extortion

Ransomware attacks are evolving into advanced persistent threats (APT), a hacking technique that attacks a specific target persistently with advanced methods. Attacks are evolving into multiple extortion: intrusion through hacking e-mails, web server vulnerabilities, remote access, etc., damage to back-up storage devices, and threats against corporate customers that combine the restoration of encrypted files, the disclosure of leaked data, and DDoS attacks. It is therefore necessary to take proper action against evolving ransomware attacks.

Increasing threats with cloud transformation in the digital era

The merits of the cloud are that there are no physical limitations and it is easy to expand a business, so many enterprises are currently replacing their on-premise environments with the cloud. Security threats such as security vulnerabilities and data leaks are revealed in the process of cloud transformation. Enterprises should formulate systematic cloud security management strategies and establish cloud security measures, taking into account their business characteristics and cloud operation types such as hybrid cloud and multicloud.

Growing threats to increasingly complicated corporate SW supply chains

Malware injection and source code theft are predicted to increase since more SW developers are using shared development sites such as GitHub. With the increasing use of open source software, attackers may exploit vulnerabilities in popular open source components such as Log4j or inject malware into libraries. They are also predicted to attack supply chains by directly infiltrating SW development companies, forging update servers and source code, and stealing certificates.
23.08.24
SINSI STORY
SINSIWAY Accelerates the Expansion of Its Cloud Business
With the increase in non-face-to-face and smart work environments resulting from the COVID-19 pandemic, demand for cloud services has risen and cloud transformation by companies has accelerated. According to the "Korea Cloud Opportunity Forecast by Industry, 2021–2025" published by IDC Korea, the annual growth rate of the domestic public cloud market will reach 14.8% by 2025 and the market size is expected to reach KRW 3.8952 trillion.

SINSIWAY provides DB access control and DB encryption services through around 10 cloud marketplaces. We are the only enterprise providing DB access control and encryption services in the Korean cloud marketplaces. Since we first launched our cloud service in 2017, we have set a new sales record every year through 2023. By strengthening the Cloud Research & Development Team in 2022 and establishing the Cloud Business Team in 2023, we are preemptively responding to changes in the cloud environment and enhancing our market competitiveness.

The newly organized Cloud Business Team consists of staff members responsible for technical support, sales, and marketing. Team leader Park Byeong-min directs cloud sales, technical support, and marketing. Sales representative Kim Han-byeol will strengthen systematic partnerships with CSPs and MSPs and cloud sales in the public and financial sectors. Senior managers Gang Ah-hyeon and Bae Yun, responsible for technical support, will focus on developing cloud competences for SaaS transformation, including technical support for cloud clients and partners. The 2023 goals of senior manager Yi So-yeong are to establish marketing strategies for expanding the cloud market and to conduct joint marketing more aggressively with domestic cloud service providers (CSPs).

More and more Korean enterprises are providing cloud-based services instead of physical servers, and the government is focusing on developing cloud technology. As cloud transformation accelerates, we expect to expand our cloud business even further through our Cloud Business Team.
23.08.24
IT·SECURITY
Anyone Can Become the Target of Cyber Crimes
Global Cyber Crimes After the COVID-19 Pandemic

Cyber crimes refer to all types of crimes taking place in cyberspace, including computer crimes and cyber terrorism. Cyber crimes are increasing day by day with the expansion of ICT such as cloud, AI, and big data and the growing use of cyberspace during the COVID-19 pandemic.

Source: Cybersecurity Ventures

The market research service provider Statista predicted that the global cyber security market would grow with rising awareness of cyber threats. In 2021, the global cyber security market size was estimated at approximately USD 217.9 billion. With an average annual growth rate of 9.65%, the market is expected to grow to USD 345.4 billion by 2026. The American cyber security research company Cybersecurity Ventures estimates that global cyber crime damage will triple from USD 3 trillion in 2015 to USD 10.5 trillion in 2025.

Cyber Attack Damage Cases

Zoom, used for video conferences, classes, etc., recorded more than 200 million daily users and grew fast during the COVID-19 pandemic. However, a phenomenon called "Zoombombing" has happened all over the world. Zoombombing refers to uninvited participants joining a meeting to cause disruption. An uninvited user joined a remote learning class of the University of Texas at Austin and made racist remarks. In Singapore, a hacker uploaded pornographic pictures during an online class of a middle school. Since users can access Zoom meetings only via a specific Internet address or a numeric conference ID, hackers are assumed to have gained access via other routes.

Data and personal information leaks have been continuously happening through cyber attacks. According to the Cost of a Data Breach Report 2022 published by IBM Security, which studied 550 organizations impacted by data breaches over one year, the total cost of a data breach was found to be USD 4.35 million, the highest in 17 years. From Facebook, which has 2.2 billion users all over the world, the personal information of 533 million users was leaked. The cause was found to be information leakage resulting from web scraping. Web scraping is the technique of automatically extracting and collecting desired data from the database of a system or a website, and it may be the start of hacking and infringement.

Types of Global Cyber Crimes

Ransomware

Ransomware is a compound word of "ransom" and "software." It is a type of malware that blocks access to a computer system or data and demands a ransom. In 2021, the number of ransomware attacks increased by 141.7% year on year. In February 2022, the Ministry of Science and ICT and the Korea Internet & Security Agency issued a ransomware attack warning. As ransomware attacks occur frequently all over the world and the damage is gradually expanding, they are considered severe crimes.

Phishing

It was reported that phishing attacks increased by over 62% after the COVID-19 outbreak. Many attackers steal information by making people click on a malicious URL about COVID-19 or by distributing malware. Starting from demanding money while impersonating a family member or an acquaintance, phishing techniques are evolving day by day, including making victims install a remote control application on their smartphones. It was found that over 85% of the victims are in their 40s or older. Middle-aged and older people should be especially careful not to become phishing victims.

Distributed Denial of Service (DDoS) Attacks

A distributed denial of service attack, commonly abbreviated to a DDoS attack, is a cyber attack in which the perpetrator seeks to make a server unavailable by flooding it with traffic. It is the representative denial-of-service attack, causing failures in a specific server or network by generating a large amount of data. Recently, DDoS attacks have expanded to IoT devices such as AI speakers, routers, and home appliances. According to the American market research service provider Market Research, the DDoS security market is expected to grow by 14% every year and its size is forecast to reach USD billion by 2028, taking into consideration the continuous growth in DDoS attacks since 2017.

Source & Reference
IBM Security, Cost of a Data Breach Report 2022
Cybersecurity Ventures, Global Cyber Crime Report
23.08.24
IT·SECURITY
Encryption and Encryption Algorithms
What is Encryption? Encryption is the process of converting the plain text into an alternative through specific algorithms or methods. This technology blocks unauthorized persons’ access to important information by converting such information into illegible values. Encryption is a generic technology that directly protects significant information in terms of security.Original data to be protected through encryption is called plain text and the encrypted text is called cipher text. This process is called encryption. The conversion of encrypted data into the plain text again is called decryption.One-Way and Two-Way EncryptionEncryption can be largely divided into one-way and two-way encryption algorithms. In a one-way algorithm, only the encryption is possible and decryption is not possible, whereas a two-way algorithm can decrypt cipher text. Two-way encryption can be divided into symmetric-key encryption and asymmetric-key encryption.Symmetric-Key EncryptionSymmetric-key encryption is also called secret key encryption, in which the same encryption key is used for both encryption and decryption. In symmetric-key encryption, data is encrypted and decrypted with the secret key. Although the symmetric-key encryption boasts fast computing speeds thanks to its simple internal structure, it is difficult to manage numerous keys when exchanging information between multiple people since the sender and receiver should share the identical key. Representative symmetric-key encryption algorithms include DES, 3DES, and AES.Types of Symmetric-Key Encryption AlgorithmsThe Data Encryption Standard (DES) is a symmetric-key algorithm that was developed at IBM in 1975 and designated as a national standard encryption algorithm by the NIST in 1979. It divides plain text into 64 bits and creates cipher text of 64 bits again by using a 56-bit key. 3DES algorithm is the Triple Data Encryption Algorithm, which applies the DES cipher algorithm three times. 
However, the DES is vulnerable to brute force since it uses 56-bit key size. To replace it, the AES appeared as its alternative algorithm.The Advanced Encryption Standard (AES) was adopted since it complies with the selection standards of the U.S. NIST: safety, costs, and implementation efficiency. The AES is being widely used all over the world because of its outstanding safety and speed.Asymmetric-Key EncryptionAsymmetric-key encryption is also called public-key encryption. Unlike symmetric-key encryption, different keys are used for encryption and decryption, respectively. In public-key encryption, complicated math operations are used for encryption and decryption. Therefore, its efficiency may be lower than symmetric-key encryption. However it is easier to manage the keys even when there is a large number of users, since multiple senders perform encryption with one public key. Representative algorithms include RSA, EIGamal, and ECC.One-Way EncryptionOne-way encryption literally means encrypting plain text in one direction. It is possible to encrypt plain text into cipher text, but not possible to decrypt the cipher text into plain text. Hash functions are generally used for one-way encryption.A hash is a function that produces fixed-sized hash values from an input text of any size. Even though the input sizes are different, the outputs are converted into a fixed size. Since encryption keys are not used, an identical output is guaranteed from an identical input. Representative hash functions include MD5, SHA-1, SHA-2, and SHA.MD5 (Message-Digest algorithm5) produces a 128-bit hash value with no limit in the length of input messages. MD5 can be used for data integrity verification which identifies whether a program or a file is original as it is.SHA (Secure Hash Algorithm) was designed to improve the vulnerabilities of MD5. A SHA was first designed by the National Security Agency (NSA) in 1993 and was designated as an American national standard. 
SHA-256, one of the SHA-2 family of Secure Hash Algorithms, is a standard hash algorithm published by the National Institute of Standards and Technology (NIST). It is widely used for blockchains and is evaluated to be safe.

Why Should Personal Information Be Encrypted?

The term "personal information controller" means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate personal information files as part of its activities.

Personal information controllers should take security measures so that personal information is stored safely and not divulged, exposed, or forged whenever the information of other persons is used. The Personal Information Protection Act and the Credit Information Use and Protection Act stipulate personal information controllers' obligations regarding personal information encryption as follows.

Article 24 of the Personal Information Protection Act
(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.

Article 28-4 of the Personal Information Protection Act
(1) When processing the pseudonymized information, a personal information controller shall take such technical, organizational and physical measures as separately storing and managing additional information needed for restoration to the original state, as may be necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.

Article 7 of the Standards for Measures to Secure Safety of Personal Data
(1) A personal data controller shall encrypt and save personally identifiable information, passwords, and biometric information when transmitting and receiving via a telecommunications network or sending via external memory.

Article 17 of the Credit Information Use and Protection Act
(4) In providing any personal credit information to an agent in order to outsource the processing of credit information under paragraph (2), a credit information company, etc. shall take measures to protect information by which a particular owner of credit information can be identified, such as encryption, as prescribed by Presidential Decree.

The Personal Information Protection Act and the Credit Information Use and Protection Act define the targets of personal information encryption differently, and the targets are further divided according to whether the personal information is being stored or transmitted.

Nowadays, personal information is used as significant data in all industries, including big data, IoT, and AI technologies. Individuals and enterprises should pay attention to security when using the personal information of others. In particular, enterprises handling a huge amount of personal information need to encrypt such information.

Source & Reference
KISA Encryption Promotion Website
PIPC and KISA, Personal Information Encryption Guide
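The three categories explained above (two-way symmetric, two-way asymmetric, and one-way hashing) applied to the kind of personally identifiable value that Article 7 requires to be encrypted, as an added Go example that is not from the original article or the cited guides. The resident number is a constructed sample, and AES-256-GCM, RSA-OAEP and SHA-256 are assumed as the concrete algorithms; a real deployment keeps the key in a key manager, not in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt is two-way, symmetric: the same key encrypts and decrypts.
// Output is nonce || cipher text || auth tag, so a modified stored value is rejected on decryption.
func SymmetricEncrypt(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt; it fails on a wrong key or a tampered value.
func SymmetricDecrypt(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("cipher text too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// AsymmetricEncrypt is two-way, asymmetric (RSA-OAEP): many senders share one
// public key, and only the holder of the matching private key can decrypt.
func AsymmetricEncrypt(pub *rsa.PublicKey, plain []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

func AsymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// OneWayHash is SHA-256 as hex: 64 characters for any input size, identical
// output for identical input (no key), and no way back to the input.
func OneWayHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func main() {
	rrn := []byte("900101-1234567") // constructed sample value, not a real number
	key := make([]byte, 32)          // AES-256 key; in practice held in a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, _ := SymmetricEncrypt(key, rrn)
	pt, _ := SymmetricDecrypt(key, ct)
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	act, _ := AsymmetricEncrypt(&priv.PublicKey, rrn)
	apt, _ := AsymmetricDecrypt(priv, act)
	fmt.Println("AES-GCM round trip:", string(pt) == string(rrn), "RSA-OAEP round trip:", string(apt) == string(rrn))
	fmt.Println("SHA-256 hex length for 14 B and 1 MiB inputs:", len(OneWayHash(rrn)), len(OneWayHash(make([]byte, 1<<20))))
}
```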
- 23.08.24
IT·SECURITY
CBPR Certification, the Rules on Personal Information Transfer Between the APEC Member Economies
The Cross-Border Privacy Rules, commonly abbreviated as the CBPR, is a certification system that evaluates enterprises' personal information protection systems to enable smooth personal information transfer between the Asia-Pacific Economic Cooperation (APEC) member economies.

In 2011, the APEC established the CBPR in order to protect personal information and guarantee free cross-border data transfers. The difference from the GDPR of the EU is that the CBPR establishes a personal information transfer system instead of changing the personal information protection laws or systems of other states.

Currently, nine economies participate in the system: the Republic of Korea, the U.S., Mexico, Japan, Canada, Australia, Singapore, Taiwan, and the Philippines. Korea's joining of the CBPR was approved in 2017. In May 2022, the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA) jointly introduced the CBPR system for Korean enterprises. As a result, Korean enterprises are now able to obtain CBPR certification without going through an overseas institution.

Utility of the CBPR System

The CBPR system (a) does not change the legal system of each country, but (b) can be adapted to each country's legal environment. In addition, the CBPR is (c) based on the voluntary participation of states or enterprises, and (d) its purpose is to encourage the utilization of personal information.

CBPR-certified enterprises can improve their corporate image in terms of personal information protection by promoting their outstanding personal information protection systems. When they select overseas affiliates or subcontractors or expand their business abroad, they can save the time and costs required to comply with the personal information regulations of the target countries. Through this certification system, Korean companies will be able to secure international trust and strengthen their global competitiveness.
In particular, Japan and Singapore allow overseas data transfer to CBPR-certified enterprises without a separate contract. Therefore, Korean enterprises running businesses in the two countries can transfer the personal information of local customers to Korea more conveniently.

Data subjects can judge whether an enterprise has a proper level of personal information protection through CBPR certification. In addition, they can more easily exercise their rights as data subjects and request damage remedies.

Being CBPR-certified does not mean that the obligation to obtain consent to data collection, required by local laws, is reduced or exempted. Relevant details are stipulated in Article 28-8 (Cross-Border Transfer of Personal Information) of the Personal Information Protection Act.

Article 28-8 (Cross-Border Transfer of Personal Information)
(2) The personal information controller may transfer personal information abroad, if falling under any of the following subparagraphs:
1. Where consent to overseas information transfer is obtained from a data subject;
2. Where special provisions about overseas information transfer exist in other laws, treaties, or other international agreements signed by the Republic of Korea;
5. Where personal information is transferred to a state or an international organization whose personal information protection system is considered by the Personal Information Protection Commission to be on par with the personal information protection level stipulated in the Act.

CBPR Application Targets
- Enterprises subject to the Personal Information Protection Act of the Republic of Korea
- Enterprises transferring personal information to other countries, including the Asia-Pacific region, or receiving personal information from abroad for processing
- Enterprises that need an enterprise-wide personal information protection system that can apply to their subsidiaries, affiliates, etc. located in the Asia-Pacific region
- Enterprises that want to achieve recognition by establishing a personal information protection system complying with the global standards of the APEC privacy protection principles

Requirements for CBPR Certification

The APEC has developed the APEC Privacy Framework (APF) and established personal information transfer principles and a system for reliable trade between its member economies. The APF contains nine principles, including Notice and Collection Limitation. Each APF principle below is paired with the corresponding requirements for CBPR certification (50 clauses in total).

Notice
APF description: Notice should be provided "either before or at the time" of collection of personal information or may be provided "as soon after as" is practicable.
CBPR requirements: Personal information protection policy notice items, notice methods, etc.

Collection Limitation
APF description: Personal information should be relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the individual concerned.
CBPR requirements: Personal information collection methods, collection minimization, lawful collection, etc.

Uses of Personal Information
APF description: Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes.
CBPR requirements: Use of personal information only for the intended purposes, provision of information to third parties, etc.

Choice
APF description: Where appropriate, data subjects should be provided with the right of choice in relation to the collection, use, and disclosure of their personal information.
CBPR requirements: How to provide data subjects with the right of choice in relation to the collection, use, and disclosure of their personal information

Integrity of Personal Information
APF description: Personal information should be accurate, complete, and kept up-to-date.
CBPR requirements: Correction to maintain the accuracy and completeness of records and keep them up to date, notification to outsourcees, etc.

Security Safeguards
APF description: Safeguards taken should be proportional to the likelihood and severity of the harm threatened and the sensitivity of the information. (No specific safeguard standards are given.)
CBPR requirements: Safeguards proportional to the sensitivity of the personal information and the likelihood and severity of the harm threatened, safeguard assessment, etc.

Access and Correction
APF description: Personal information can be accessed or corrected upon the request of data subjects. The request may be denied where the burden or expense of doing so would be unreasonable or the information should not be disclosed to protect confidential commercial information.
CBPR requirements: Procedures, etc. for data subjects' requests for access, correction, and deletion

Accountability
APF description: When personal information is to be transferred, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to examine the information protection level of the organization (individual) receiving such information.
CBPR requirements: Designation of responsible personnel, procedures for handling complaints and damage remedies, management and supervision of outsourcees and third parties, etc.

Preventing Harm
APF description: Remedial measures should be proportionate to the likelihood and severity of the harm threatened.
CBPR requirements: (The content about "Preventing Harm" is contained in other principles, including Accountability.)

CBPR Application Cases

As of July 2022, among the APEC member economies subject to the CBPR, 39 American enterprises, six Singaporean enterprises, and three Japanese enterprises were CBPR-certified. The U.S. has the greatest number of CBPR-certified enterprises, including digital technology-based enterprises and global enterprises such as Apple, HP, and IBM.
Source & Reference
Personal Information Protection International Cooperation Center
Press Release of the PIPC, PIPC Launches the APEC CBPR System
KIEP Preliminary Data 21-12, The Trend and Implications of APEC CBPR Operation
- 23.08.24
SOLUTION
Access Control, A Way to Protect Important Data
Continuous Personal Information Divulgence and Exposure Incidents

- Seoul National University Hospital has more personal information divulgence cases (Asia Today, Jul. 13, 2022)
- The online shopping mall 'Brandi', responsible for 6,390,000 cases of personal information breach, subject to an administrative fine of KRW 380 M (The Korea Economic Daily, Jul. 13, 2022)
- Hana Tour, responsible for the personal data divulgence of 460,000 customers, faces a fine of KRW 10 M (Seoul Economic Daily, Jul. 21, 2022)

The titles above are news articles about personal information divulgence incidents that occurred over the past month. Personal information divulgence and exposure incidents seem to be reported on a regular basis. Would you give your information to an enterprise that has experienced a data breach?

The minimum measures to be taken by personal information controllers are stipulated as follows in the Standards for Technical and Managerial Measures for Personal Information Protection and the Standards for Securing the Safety of Personal Information.

Standards for Technical and Managerial Measures for Personal Information Protection, Article 4
(1) The information and communication service provider shall only grant access permission to personal data handling systems to the privacy officer or personal data controller for providing services.

Standards for Securing the Safety of Personal Information, Article 6
(1) A personal data controller shall take measures including the following functions to prevent unlawful access and infringement through a telecommunication network:
1. Restriction of unauthorized access by limiting access permission to personal data handling systems via internet protocol (IP) address; and
2. Detection of and response against attempts for unlawful exposure of personal data by analyzing IP addresses accessing a personal data handling system

Personal information and data security are of growing importance in line with the amendments to the three data acts in 2020, the adoption of the EU GDPR adequacy decision on the Republic of Korea in 2021, and the implementation of MyData in 2022. Since the information technology general control (ITGC) audit of the internal accounting management system, which is a corporate IT audit, has been expanded so that the security and control activities of IT operation systems are also subject to audit, companies should formulate an IT security plan.

What is Access Control?

How can enterprises protect their data from a variety of threats such as hacking and security incidents? One of the most representative ways is data access control. Access control allows or refuses access by persons or processes to systems or files for reading, writing, execution, etc. As the need for access control over corporate data grows, the corporate DB security market for database access control solutions is expanding.

According to the "2021 Survey on Domestic Information Protection Industry" published by the Korea Internet & Security Agency (KISA), the sales of the domestic information protection industry in 2020 grew by 6.4% year on year due to the expanded non-face-to-face environment, telecommuting, etc. during the COVID-19 pandemic, and the demand for access control solutions increased accordingly.

SINSIWAY's Access Control Solution, PETRA

SINSIWAY's database access control solution PETRA allows only authorized persons, such as personal information handlers, to access data, in order to prevent data divulgence and damage. It supports Gateway, Sniffing, Agent, and Hybrid modes for optimized configuration in a diversity of environments. Its self-developed DBMS facilitates swift rule processing.
In addition to access control functions by segmented user type, including ID-, IP-, and access tool-based access control, role-based access control, and SQL-based control, it provides a variety of data protection functions such as a convenient UI, real-time monitoring, report publication, auditing, and SQL masking.

PETRA takes care of the DB security of numerous enterprises and institutions, including public organizations and financial institutions. Its performance and stability have been proven through CC certification, GS certification, and nine patents. You can protect your company's DB safely with our access control solution PETRA, which is optimized for DB security and management. Visit our website (https://www.sinsiway.com) for further details or inquiries.
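A minimal check of a database access log against the Article 6 (1) items quoted above (an IP allowlist for the handling system, access limited to registered handlers, and large reads flagged as possible exposure attempts), added here as a Go example; it is not PETRA's or SINSIWAY's code, and the log line format, addresses, user names and the 10,000-row threshold are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// AccessEvent is one access to a personal data handling system, parsed from a
// constructed log line of the form "time|user|src_ip|action|rows".
type AccessEvent struct {
	Time, User, SrcIP, Action string
	Rows                      int
}

// Policy mirrors Article 6 (1): an IP allowlist for the handling system (item 1),
// the registered handlers (Article 4), and a row threshold above which a read
// is flagged as a possible bulk exposure attempt (item 2).
type Policy struct {
	AllowedCIDRs []string
	Handlers     map[string]bool
	BulkRows     int
}

// ParseEvent splits one log line; a malformed line is an error, never silently skipped.
func ParseEvent(line string) (AccessEvent, error) {
	f := strings.Split(line, "|")
	if len(f) != 5 {
		return AccessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	rows, err := strconv.Atoi(f[4])
	if err != nil {
		return AccessEvent{}, fmt.Errorf("bad row count in %q", line)
	}
	return AccessEvent{Time: f[0], User: f[1], SrcIP: f[2], Action: f[3], Rows: rows}, nil
}

// Evaluate returns one finding per violated rule; nil means the event is within policy.
func (p Policy) Evaluate(e AccessEvent) []string {
	var findings []string
	ip := net.ParseIP(e.SrcIP)
	allowed := false
	for _, c := range p.AllowedCIDRs {
		_, n, err := net.ParseCIDR(c)
		allowed = allowed || (err == nil && ip != nil && n.Contains(ip))
	}
	if !allowed {
		findings = append(findings, "source IP outside allowlist")
	}
	if !p.Handlers[e.User] {
		findings = append(findings, "user is not a registered handler")
	}
	if e.Action == "SELECT" && e.Rows >= p.BulkRows {
		findings = append(findings, "bulk read of personal data")
	}
	return findings
}

func main() {
	// Constructed sample lines; users, addresses and row counts are made up.
	logs := []string{
		"2023-08-24T09:00:01|handler01|10.10.1.15|SELECT|3",
		"2023-08-24T09:05:42|handler01|203.0.113.9|SELECT|1",
		"2023-08-24T09:07:10|devtemp|10.10.1.22|SELECT|120000",
	}
	p := Policy{AllowedCIDRs: []string{"10.10.1.0/24"}, Handlers: map[string]bool{"handler01": true}, BulkRows: 10000}
	for _, l := range logs {
		e, err := ParseEvent(l)
		if err != nil {
			fmt.Println("ALERT", err)
			continue
		}
		if f := p.Evaluate(e); len(f) > 0 {
			fmt.Printf("ALERT %s user=%s ip=%s: %s\n", e.Time, e.User, e.SrcIP, strings.Join(f, "; "))
		}
	}
}
```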
- 23.08.24
IT·SECURITY
What is the Difference Between Personal Information Divulgence and Exposure?
"Personal information divulgence" and "personal information exposure" are easily seen in newspaper headlines. The words divulgence and exposure seem similar, but they are two different concepts.

What is Personal Information Divulgence?

Personal information divulgence refers to a situation in which a legal person, organization, individual, etc. that handles personal information under the relevant statutes loses control over the personal information, or in which unauthorized parties are allowed access to it. Personal information divulgence, as defined in the Personal Information Protection Act, is subject to criminal penalties.

In accordance with the Personal Information Protection Act, it is considered personal information divulgence if any of the following circumstances applies.
1. Where any written documents, portable storage devices, portable computers, etc. containing personal information are lost or stolen;
2. Where a person with no normal authority for access to personal information processing systems such as databases accesses such a system;
3. Where any files, paper documents, or other storage media containing personal information are wrongly delivered to an unauthorized person due to the wrongful intent or negligence of a personal information controller;
4. Where personal information is delivered to any unauthorized person.

One of the recent personal information divulgence incidents is the BALAAN case that happened on March 16, 2022. An unauthorized person accessed the personal information of the members of the luxury brand online shopping mall BALAAN in an abnormal way, and customers' personal information such as e-mail addresses, telephone numbers, and dates of birth was divulged. BALAAN said that it introduced an additional intrusion prevention system and conducted 24-hour monitoring to minimize secondary damage. However, additional hacking damage occurred in April, one month after the initial incident, which revealed remaining security vulnerabilities.
In addition, there were other customer information divulgence incidents, including the Jeju Air passengers' payment information (Mar. 2021), the personal information of Seoul National University Hospital's patients and employees (Jul. 2021), and the personal information of Millie's members (Jun. 2022).

What is Personal Information Exposure?

Personal information exposure refers to a situation in which personal information leaks out and is disclosed, whether by hackers or otherwise. Sometimes personal information is exposed due to a data subject's own mistake rather than the wrongful intent of a third party. Unlike personal information divulgence, personal information exposure is not legally defined and is not subject to criminal penalties.

As an example of a personal information exposure case, the personal information of around 310,000 Coupang members was exposed in October 2021. In the Coupang app, other members' names and addresses were shown at the product order confirmation step for one hour. Coupang said that the incident occurred during app improvement work and that all necessary security measures were taken.

Personal Information Divulgence and Exposure Increased During the COVID-19 Pandemic

As online activities increased after 2022, when the COVID-19 pandemic began, data and personal information divulgence and exposure incidents have continuously occurred both at home and abroad. According to the "2021 Survey on Personal Information Protection" jointly published by the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA), 44.3% of Koreans had experienced a personal data breach within one year. According to the Cost of a Data Breach Report 2021, published by IBM Security based on an analysis of data breaches at 500 enterprises and organizations all over the world, the average loss from a data breach incident was approximately KRW 4.9 billion.
In particular, the damage from ransomware attacks was around KRW 5.3 billion, greater than for other types of hacking. It was also found that cyber incidents were not properly handled because security for telecommuting and cloud migration, both of which increased during the COVID-19 pandemic, was not yet mature.

What is the Solution for Enterprises?

Personal information divulgence and exposure incidents occur regardless of the size of the enterprise, whether large or mid-sized. To protect significant data and information, enterprises need proper measures such as information encryption and access control that allows only authorized users to access data. SINSIWAY's access control solution PETRA allows you to establish an effective corporate security system through its outstanding functions, including integrated audit log management, central security policy management, audit logging, and separation of authority by security manager. In addition, the encryption solution PETRA CIPHER protects important information by encrypting data and files based on its certified encryption module and duplicate-encryption prevention technology. Through these access control and encryption solutions, enterprises will be able to prevent data divulgence and exposure incidents and protect corporate data and customers' personal information. Taking prior action to protect significant data is important, but follow-up action such as notification and proper remedies should be conducted proactively as well.

Source & Reference
Personal Information Protection Act
Personal Information Protection Commission
- 23.08.24