Firms stick to bare-minimum data breach insurance despite major leaks

Delivery trucks are parked at a Coupang logistics center in Seoul, Sunday. Yonhap

A series of recent hacking incidents at major companies such as Coupang and SK Telecom has renewed scrutiny of Korea’s legally mandated minimum data breach liability insurance, which falls far short of covering the actual scale of harm, industry officials said Monday.

The gap has intensified calls to amend the Personal Information Protection Act and raise the required coverage level.

Coupang is insured under Meritz Fire & Marine Insurance’s data breach liability policy, but the coverage limit is only 1 billion won ($680,000). In effect, even if the company is ordered to compensate victims, the insurance would pay out no more than 1 billion won, an amount far too small given the magnitude of the breach.

The U.S.-listed e-commerce giant revealed late last month that around 33.7 million customer accounts were deliberately leaked by an internal employee, exposing the personal information of nearly three out of every four adults in Korea.

If a court holds the company liable, its compensation burden could reach at least 3.37 trillion won, based on precedents awarding about 100,000 won per person in large-scale data leak cases.

SK Telecom, which experienced a hacking attack in April that compromised the data of 23 million users, carries a data breach liability policy with Hyundai Marine & Fire, but with the same coverage limit of 1 billion won.

To supplement its limited coverage, the nation’s top mobile carrier purchased a separate cyber insurance policy offering up to 100 billion won in protection at the end of October. However, because the policy was obtained after the April breach, it cannot be applied to that incident, according to industry officials.

SK Group Chairman Chey Tae-won bows in apology over a data hack at SK Telecom during a press briefing at the mobile carrier’s headquarters in central Seoul, May 7. Joint Press Corps

The Personal Information Protection Act requires companies to compensate victims when personal data is leaked and obligates eligible firms to carry data breach liability insurance.

The mandate applies to businesses with annual revenue of at least 1 billion won and more than 10,000 data subjects, with minimum coverage amounts set according to company size.

Coupang falls into the highest tier — companies with annual sales above 80 billion won and more than 1 million data subjects — which sets its minimum required coverage at just 1 billion won.

While already insufficient for large firms, the minimum drops even lower for the smallest tier, where the required coverage is only 50 million won.

Industry insiders argue that the current thresholds are far too low for companies to realistically compensate victims.

“Considering how serious data leak incidents have become, a 1 billion won cap is grossly inadequate to cover victims’ losses,” an official at a non-life insurer said. “Such low limits can even lead firms to delay or avoid compensation when breaches occur.”

In response, the General Insurance Association of Korea plans to urge the Personal Information Protection Commission (PIPC) to raise the minimum requirement for large data-holding companies.

One proposal would set the minimum coverage at about 100 billion won for firms with more than 10 million data subjects or annual revenue exceeding 10 trillion won.

The association also stressed the need for stronger enforcement, including imposing fines on businesses that fail to subscribe to the mandatory insurance.

Although the law requires authorities to issue a corrective order to noncompliant firms and allows fines of up to 30 million won for ignoring the order, PIPC has never imposed such penalties.

As of June, only about 7,000 policies had been sold by the 15 insurers offering data breach liability coverage. PIPC estimates that up to 380,000 companies fall under the mandate, suggesting that as of late May, the subscription rate stood at just 8 percent.