해킹 및 개인정보 유출 관련 최근 정보보호 이슈와 관련 법제도의 개선 방안

The recent hacking incidents and personal information leaks at SK Telecom and other major telecommunications companies have brought home the looming threat of cyberattacks. This paper examines the current state of affairs and examines the shortcomings of our current legal system related to information protection, proposing several solutions to address them. Recent cyberattacks are no longer simply about stealing information from a single sector, company, or individual within a country and then demanding a ransom. They are escalating into a serious problem directly affecting the security of the entire nation. To effectively address this, we must clearly establish governance that effectively integrates the civilian, public, and military sectors, with the President at the helm. We must establish an integrated organization directly under the President to develop and implement national strategies for information protection and cybersecurity. Furthermore, we must advance the information protection legal framework, centered around a single control tower, such as the National Intelligence Service, with specialized security functions. To support this, regulations currently scattered across various jurisdictions, such as the Information and Communications Network Act and the National Cybersecurity Management Regulations, must be consolidated into a single, unified or basic law to establish a clear legal basis. Furthermore, rather than focusing solely on regulations that continue to increase astronomical fines in the event of a security breach, as in the past, there is a need to institutionalize a soft approach that allows the private sector and the government to seamlessly share information related to security breaches, while also smoothly encouraging private sector investment in security. Furthermore, in the short term, it is necessary to more specifically define the criteria for calculating fines to ensure that the discretionary imposition of fines complies with the principle of proportionality and is a reasonable exercise of discretion. Rather than basing the calculation on total sales, it would be desirable to return the calculation to sales related to the violation, as was done under the previous Information and Communications Network Act. Furthermore, more precise criteria should be established to define the scope of sales indirectly related to the violation. Furthermore, rather than listing the severity of violations on a spectrum of abstract categories such as “slight,” “moderate,” “serious,” and “very serious,” the calculation system in the disposition standards should be revised to clearly list violations by type and apply clear amounts or percentages to each. This will enable the imposition of reasonable fines in a clear and concise manner, regardless of the responsible official.