

[Contribution] National certification has become a corporate impunity; a law is needed for ‘real responsibility’
2025-06-16
![[기고] 기업 면죄부가 된 국가 인증, ‘진짜 책임’을 위한 법이 필요하다](/_next/image?url=https%3A%2F%2Fd1tgonli21s4df.cloudfront.net%2Fupload%2Fboard%2Fbroadcast%2F20250616072600032.webp&w=3840&q=100)
Following SK Telecom, suspicions of personal information leakage were also raised at YES24. YES24 stated immediately after becoming aware of the ransomware attack on the 9th that "there was no personal information leaked," but the seriousness of the matter was revealed when the Personal Information Protection Committee detected abnormal member information inquiry circumstances and began an investigation.
This incident is not just a simple hacking incident. Repeated personal information leaks raise fundamental questions about the actual responsibility of major domestic companies for personal information protection and whether the institutional response system is functioning properly. In particular, both SK Telecom and YES24 had received government-run ISMS (Information Security Management System) or ISMS-P (Integrated Personal Information Protection Certification) certification.
ISMS-P is a system that examines and certifies that a company has certain managerial and technical protection measures in place. However, this system does not evaluate whether a hacking incident occurred or whether the company fulfilled its actual responsibilities after the incident. The damage relief system and practical measures to prevent recurrence are unrelated to the validity of certification. As a result, the certification remains as long as the requirements are met.
The problem is that after the accident, this certification is easily abused by the company's logic of immunity by saying, “We were operating a system that received government certification.” Certification for prevention and strengthening responsibility is actually used as a tool for ‘fulfilling formal responsibility’ when an accident occurs. The certification system is functioning differently than originally intended.
In a situation like this where we rely on a system that neither prevents accidents nor strengthens responsibility, citizens have no choice but to think, “National certification does not protect me.” The system exists, but its effectiveness is weak, and the problem is even more serious in that it is a structure that allows companies to avoid responsibility even after an accident occurs.
It's different overseas. A U.S. federal court ordered Israel's NSO Group to pay approximately $167 million in punitive damages in a case involving unauthorized infringement of WhatsApp users' devices. US telecommunications company T-Mobile also paid a multi-million dollar class action settlement after a large-scale personal information leak. The law and system are structured to actually hold companies accountable.
On the other hand, Korea is still limited to mild punishment. This is because administrative fines, corrective orders, and formal supervision are all that are involved. In civil lawsuits, the burden of proof is excessively placed on the victim, and the level of compensation is far from reality. A more serious problem is that some media outlets and large law firms are spreading the logic that "claiming compensation for personal information leaks is of no benefit," creating an atmosphere that causes citizens to give up exercising their rights.
In order to crack this structure, Daeryun Law Firm is pursuing a class action lawsuit against large corporations for personal information leakage. This decision is by no means a favorable choice if viewed solely from the profit logic of the legal market. However, since its establishment, Daeryun has placed the reason for the existence of legal services not on ‘profit’ but on ‘practical realization of citizens’ rights.’ This class action lawsuit is also an extension of that.
Daeryun dispersed the legal market centered on the metropolitan area to a regional basis and established branch offices nationwide to ensure that all citizens can receive high-quality legal services. We partnered with large law firms in the U.S. and Japan to incorporate advanced legal systems in Korea, and introduced a customer service system (AS system) that allows for customer satisfaction surveys, replacement of lawyers, and even refunds. This SK Telecom class action lawsuit is also an exercise to prove that such a structural experiment is feasible in reality.
There is absolutely no reason why the personal information of citizens of the Republic of Korea should be less important than that of citizens of the United States or Europe. What is needed now is the introduction of a punitive damages system, strengthening the effectiveness of the class action system, and establishing a legal foundation that can lead to actual corporate responsibility. The court must also present clear standards and a strong message so that companies accept personal information protection as the ‘essence of management’ rather than an ‘optional’.
This lawsuit is not just about holding one company legally responsible. This should be the starting point for laws and systems to officially declare that personal information is a fundamental right under the Constitution, not subject to technical management. Personal information is a valuable asset. The rights of the people should never be given away at a cheap price.
[View full article]
Lawleader - [Contribution] National certification has become corporate impunity, a law is needed for ‘true responsibility’ (link)
Korea Law Daily - [Contribution] National certification that has become corporate immunity, a law for ‘true responsibility’ is needed (link)Do you have more questions?
In-Person Consultation Booking
If you have legal concerns, consult with a specialist attorney at the nearest office.
