Following a massive data leak in January, S. Korean financial regulators will impose strict rules on the sharing of personal information between credit card companies and their partners. The rules are due to come into effect in April, after three major credit card firms were found guilty of the theft of personal information of 20 million customers. The three firms (KB Kookmin, NH Nonghyup & Lotte) have also been suspended from operating for 3 months each as punishment for the breach.
The Financial Supervisory Service (FSS), the regulatory body in S. Korea, is behind the change in the law and the punishment of the three firms. The FSS acted after the S. Korean public showed huge anger towards the credit card companies, with offices and call centres of the firms heavily bombarded with complaints. These complaints came after the FSS had tried to reassure customers that data had not actually been circulated by those responsible.
The theft of data was actually committed by former temporary consultants for the companies, one of whom had stolen the data by copying it onto a mobile device, which could then be taken off site from the firms. This particular theft is alleged to have gone on between 2012 and 2013.
The regulator’s proposals include giving customers a choice over whether their information can be shared with third parties and mandatory deletion of customers’ data after they cancel a particular credit card.
The punishment of suspending business for 3 months is the first of its kind in 10 years, showing the severity of the breach. The FSS also promised that bans of 6 months and punishments for top executives of firms would be enforced in the event of future breaches of this level and nature. Fines of up to 1% of revenue would also be issued if data was stolen, or if stolen data was used to sell products.
In another measure to stop malicious intent going unchecked in future, the financial regulator is pushing to strengthen monitoring of staff at financial companies and their contractors involved in customer data management, and to bar financial firms from sharing client data with their affiliates beyond a set limit.