Hacked Off – Too Much Customer Data?

Article by a lawyer in the excellent Game Meca on security-related legislation of customer data. It ties together with some of my posts on governmental regulation on the games industry and is worth a read (Korean).

As I mentioned in my previous post, there have recently been two large-scale hacks on the customer databases of Korean-telecom SKT and game-publisher Nexon.

As with SKT 2 months ago, the press have been busy speculating on the extent of the breach and customers are anxious. Some are speaking of group lawsuits. But will people gradually forget the incident? Will anything change to prevent future incidents? 

This is the juncture at which lawyer Byung-chan Lee, the author of said article, provides a concise and engaging overview of the regulatory background and possible changes. First, Lee points out that government regulations to gather detailed customer information have been in place since the early 2000s.

Sign-up: Real name & citizen registration number, please

I was surprised when I first came to Korea at the level of information required to sign up for even basic services – why do I need to enter my citizen registration   add “heh, heh, heh (ㅋㅋㅋ)” at the end of an amusing post by a friend. The info usually required is real name, citizen registration number (which also reveals age and gender), address, and telephone number.

As Mr. Lee points out, companies have been able to use this valuable source of information to set and refine their product and marketing strategies. Enter the latter half of 2011, however, and two massive security breaches potentially expose the personal information of over half the population. Have companies had it too easy? Implicit in this privileged access to customer data over the years (even if it is government mandated) is the responsibility to protect it as well. And this is what has people up in arms.

Ironically, the game companies themselves can’t do a lot about it. They can’t reduce the amount of customer data people must enter to sign up for a service. Anyone who’s been reading my previous blogs will know well about the Korean Game Rating Board and shutdown system – both require at least the age of the customer, which can only be verified with the user’s name and citizen registration number.

The article asks the question: how can further customer-data incidents be prevented? The conclusion is that the government should try to make it possible for companies to change the way they acquire and store customer information. Instead of having to verify everything in-house and store all user data, the verification could be handled by an external party. Once a user is registered, that data would no longer be stored or available to the company. In such a regulatory environment, any companies that refused to process customer data in such a way would be an easier target for group lawsuits than in the current climate, where culpability is difficult to prove.

Certainly more constructive than abolishing the age-rating and shutdown system. But I wonder if anything will change, and if not, who’s next?

About Bravo Korea

I have worked in the Korean games industry for a number of years, both online and mobile (but especially mobile). I'm originally from the UK, but currently live in Seoul. hangeulman@gmail.com