One of the strictest data protection regimes in the world, South Korea’s Personal Information Protection Act is supported by sector-specific legislation related to:
Thales can help your organization comply with these rules through:
1http://go.thalesesecurity.com/rs/480-LWA-970/images/Act-on-Promotion-of-Information-and-Communication-Network-Utilization-and-Information-Protection.pdf
2https://elaw.klri.re.kr/eng_service/lawView.do?hseq=27972&lang=ENG
Breach Notification: PIPA places many obligations on organizations in both the public and private sectors, including mandatory data breach notification to data subjects and other authorities including the Korean Communications Commission (KCC).
Data Security: PIPA imposes a duty on information managers (i.e., data controllers) to take the "technical, administrative and physical measures necessary for security safety … to prevent personal information from loss, theft, leakage, alteration or damage."
Official Policy Statement: Organizations are required to establish an official statement of those security measures.
Internal Privacy Officer: An internal privacy officer must be appointed (regardless of the size or nature of the organization) to oversee data processing activities. The internal privacy officer will be held accountable and be subject to any criminal investigations following a breach.
Article 24(3) of PIPA places express restrictions on the management of unique identifying information, and requires information managers to take "necessary measures, … including encryption," in order to prevent loss, theft, leakage, alteration, or damage. Similarly, Articles 25(6) and 29 require "necessary measures" to be implemented to ensure that personal information may not be lost, stolen, altered, or damaged.
South Korea also has a track record of enforcing data protection laws. Chapter 9 of PIPA contains severe sanctions for data security breaches including substantial fines and imprisonment – up to 50 million won in fines and imprisonment of up to five years are potential consequences.
The following Thales solutions can help you comply with South Korea’s PIPA.
Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organizations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.
Support for smart single sign on and step-up authentication allows organizations to optimize convenience for end users, ensuring they only have to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, ensuring they can prove compliance with a broad range of regulations.
The following Thales solutions can help you comply with South Korea’s PIPA.
The first step in protecting sensitive data is finding the data wherever it is in the organization, classifying it as sensitive, and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data isn’t overlooked and your organization does not fall out of compliance.
Thales’ CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud. Supporting both agentless and agent-based deployment models, the solution provides built-in templates that enable rapid identification of regulated data, highlight security risks, and help you uncover compliance gaps. A streamlined workflow exposes security blind spots and reduces remediation time. Detailed reporting supports compliance programs and facilitates executive communication.
With the CipherTrust Data Security Platform, administrators can create strong separation of duties between privileged administrators and data owners. CipherTrust Transparent Encryption encrypts files, while leaving their metadata in the clear. In this way, IT administrators -- including hypervisor, cloud, storage, and server administrators -- can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.
Strong separation of duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys, or administration. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.
The CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and APT attacks. Granular privileged-user-access management policies can be applied by user, process, file type, time of day, and other parameters. Enforcement options can control not only permission to access clear-text data, but what file-system commands are available to a user.
Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception—all at an affordable cost and without performance compromise.