IT·SECURITY
Personal Information Protection Laws around the World
Personal information has now become a means of identifying individuals and has developed into a key resource in our society. When companies with personal information interact with foreign countries, there may be cases in which they have to transfer their citizens' personal information abroad or process other people's personal information.

Then, how is personal information protection handled around the world, which is now becoming a single living area? Countries around the world are overhauling laws related to personal information protection. In this post, we will learn about personal information protection laws around the world.

United States

In the United States, privacy laws are enacted by states, including the California Consumer Privacy Act (CCPA) and the Consumer Data Protection Act (CDPA) in Virginia.

Let's take a look at the California Privacy Rights Act (CPRA), which is considered the most powerful privacy law in the United States. The California Privacy Rights Act strengthens the content of data subjects' rights in the Consumer Privacy Act and the obligation of business operators to comply. It was passed on November 3, 2020, and went into effect on January 1, 2023. It is significant in that it stipulates California consumers' privacy rights and business obligations, and laid the groundwork for the establishment of the first regulatory agency in the United States in charge of privacy.

If you process the personal information of California residents in the course of doing business in California, regardless of whether you have a business in the state, you will be covered in any of the following cases.

① If annual sales are equal to or greater than $25 million
② Having more than 100,000 personal information about consumers, etc.
③ Where sales from the sale and sharing of personal information account for more than 50% of the total sales of the enterprise

In addition, according to the CPRA, data subjects may require operators to exclude the use of automated decision-making technology. In certain circumstances, operators have a strong right to process sensitive information, such as restricting the provision of sensitive information to third parties. Sensitive information in CPRA includes social security numbers, driver's license numbers, state ID numbers, and passport numbers.

In addition, the American Privacy Rights Act (APRA) was proposed on April 7 this year to protect personal information at the federal level. If APRA is implemented, APRA will likely take precedence over laws in each U.S. state.

China

China's Personal Information Protection Act was drafted in October 2020 and took effect in November 2021. China's Personal Information Protection Act is similar to the EU's GDPR, and it is more stringent because it includes the range of sensitive personal information, the duration of information retention, and provisions for the use of personal information for public safety.

The Personal Information Protection Act applies to providing products or services to individuals in China, and it applies to all companies doing business with China. In principle, it is a rule to store data collected by the personal information controller in Korea, and it stipulates that personal information can be transmitted overseas in special cases. In addition, the Personal Information Protection Act is required to be applied if an activity that processes personal information of Chinese citizens outside of China falls under any of the following.

(1) If the purpose is to provide products or services to the people of China
(2) To analyze and evaluate the behavior of the Chinese people
(3) Other circumstances prescribed by law, administrative regulations

China stipulated the establishment of an internal management system, the classification management of personal information, and the implementation of safety technical measures such as encryption as obligations that the personal information controller must implement. Additionally, when a foreign company processes personal information to provide a product or service to an individual in China, a special organization or representative should be designated to handle personal information protection-related affairs, and matters related to the special organization or representative should be reported to the department in charge of the government.

Japan

Japan's Personal Information Protection Act was first enacted in May 2003 and came into force in April 2005. Since then, due to the development of IT, personal information issues have become important and the number of cases of transferring personal information overseas has increased. The revised Personal Information Protection Act came into force on May 30, 2017, after improving the provisions on the transfer of personal information to foreign countries and tightening the provision of personal information to third parties.

Since then, the partially revised "Act to Revise Part of the Act on the Protection of Personal Information" has been implemented in consideration of domestic and foreign situations.

Article 28 of Japan's Personal Information Protection Act stipulates cases where personal information is provided to third parties in foreign countries. Article 28 (Restrictions on Provision of Personal Information to Third Parties in Foreign States) requires a business operator handling personal information to obtain prior consent from the subject of personal information in providing personal data to third parties in foreign countries. In obtaining consent, the business operator is required to provide information on the name of the foreign country to which the personal data is transferred, the foreign personal information protection system, and the measures taken by the third party.

Therefore, companies should check whether personal information is transferred outside Japan, and if personal information is transferred outside Japan, they should review whether it is necessary to write the information in the personal information processing policy.

Vietnam

The Enforcement Decree on Personal Data Protection (PDPD) in Vietnam was enacted on April 17, 2023, and came into force on July 1, 2023. It presents the first comprehensive legal system for personal information protection in Vietnam, and it is significant in that it is the first single law in Vietnam. The PDPD targets domestic and foreign corporations that collect or process personal data of Vietnamese citizens, both online and offline.

According to Article 2, Paragraph 14 of the Enforcement Decree of Personal Information Protection, the transfer of personal information abroad refers to the transmission of personal information of Vietnamese citizens outside the territory of Vietnam or the processing of personal information of Vietnamese citizens outside the territory of Vietnam. The transfer of personal information abroad includes the following.

1) Transmission by an organization, enterprise, or individual to an overseas organization, enterprise, or management department to process the personal information of Vietnamese nationals in accordance with the purpose agreed by the data subject
2) The automatic system of personal information controllers, personal information controllers, and personal information controllers outside the territory of Vietnam processes personal information of Vietnamese citizens according to the purpose agreed by the data subject

Additionally, the data transmitter must prepare a cross-border information transmission impact assessment document and submit it to the DCHCP of the Ministry of Public Security at the beginning of the processing of personal information in order to transmit personal information across borders. In addition, it includes notification of the data subject before processing sensitive personal information and obtaining consent from the data subject when collecting and processing personal information.

Vietnam's privacy enforcement decree should be considered because its rules apply not only to Vietnam but also to offshore businesses.

European Union (EU)

The European General Personal Information Protection Act (GDPR) is a data protection law that requires companies and organizations to protect EU citizens' data and personal information in relation to transactions conducted within EU member states. Both the collection and processing of personal information for personal information controllers and EU citizens within the EU are subject to GDPR compliance obligations. Companies that violate GDPR regulations will be subject to legal sanctions, such as paying 20 million euros or 4% of their annual sales as a penalty.

On December 17, 2021, the EU's decision on the adequacy of the GDPR for Korea was adopted. As the EU has recognized that Korea's privacy policy is on par with the GDPR, Korean companies will be given the status equivalent to that of EU member states. Due to the decision on the adequacy of the GDPR, Korea can freely transfer the personal information of EU citizens to the EU member states without additional certification or procedures.
24.05.17

Cyber security trends selected by Gartner in 2024
Gartner, a global research firm that is in charge of research and consultation in the field of IT, publishes important technologies for business in the field of IT every year. This year, it announced six cybersecurity trends in 2024. The materials presented by Gartner also serve as references for many companies and governments, and we will take a look at the 2024 cybersecurity trends presented by Gartner.

Generative AI is skeptical in the short term and hopeful in the long term

Security leaders need to prepare for the rapid evolution of Generative AI. This is because LLM (Large Language Model) applications such as ChatGPT and Gemini are just the beginning of a generative AI transformation. Security leaders also have high hopes for various benefits of generative AI, such as increased productivity, reduced technology gaps, and other new benefits related to cybersecurity. Accordingly, security leaders should actively collaborate with business stakeholders to lay the foundation for ethical and safe use of innovative technologies when utilizing generative AI.

"The long-term outlook for Generative AI is bright, but in the short term, you're more likely to experience immediate fatigue than double-digit productivity gains," said Gartner senior director analyst Richard Addiscott. "But this will improve gradually, so we need to encourage experimentation and manage expectations, especially outside of the security team."

Closing communication gap with board through performance-oriented indicators

As the negative impact and frequency of cybersecurity incidents on businesses continue to increase, the trust among the board and management in cybersecurity strategies is decreasing. Outcome-Driven Metrics (ODM) are increasingly being adopted to help stakeholders intuitively understand cybersecurity investments and their level of defense.

ODM plays a key role in developing a defensible cybersecurity investment strategy, because it reflects the level of protection agreed upon based on its strong properties and provides an easy language for non-IT executives to understand. It supports direct investment in adjusting the level of defense by providing a reliable and defensible representation of risk propensity.

Increasing importance of security behavior and cultural programs

Security managers within the enterprise recognize that facilitating employee behavioral changes rather than raising employee awareness helps reduce cybersecurity risks. By 2027, 50% of CISOs at large corporations are expected to adopt people-focused security design approaches to minimize friction from cybersecurity and maximize control application. Security behavior and culture programs (SBCP) are a recap of a company-wide approach to minimizing cybersecurity incidents associated with employee behavior.

"Companies using SBCP have improved security controls, reduced unsafe behavior, and increased speed and agility," Addiscott said. "Our employees have the ability to make independent decisions in the area of cybersecurity, allowing them to leverage their cybersecurity resources more effectively."

Resilience-focused third-party risk management

As third-party cybersecurity incidents become inevitable, security leaders are under pressure to focus more on resilience-driven investments and move away from preemptive due diligence. In this situation, third-party risk management must be strengthened and mutually beneficial relationships with critical external partners must continue to protect the most critical assets.

"We need to start by strengthening contingency plans for contracts with third-party riskiest cybersecurity," Addiscott said. "We need to define clear offboarding strategies such as creating incident playbooks by third-party, conducting tabletop exercises, revoking access in a timely manner, and destroying data."

Gain momentum from ongoing threat exposure management programs

Continuous Threat Exposure Management (CTEM) is a practical and systematic approach that organizations can use to continuously assess the accessibility, exposure, and exploitation of digital and physical assets. By aligning the assessment and modification to threats or business projects rather than infrastructure components, vulnerabilities and non-patchable threats can be highlighted.

Gartner predicts that by 2026, companies that prioritize security investments based on the CTEM program will be able to reduce two-thirds of breaches. Security leaders should continually monitor their hybrid digital environments to identify vulnerabilities early and prioritize them best to help strengthen the surface on which they can be attacked.

Expanding IAM roles to improve cybersecurity performance

As more businesses move to an ID-first approach to security, the focus shifts from network security and other traditional controls to identity and access management (IAM), which plays an important role in cybersecurity and business performance. IAM's role in security programs is expected to be more emphasized, but at the same time, we need to focus on fundamental security and system enhancements to improve resilience.

As a result, security leaders must focus on strengthening and leveraging identity fabric, and ID threat detection and response, to ensure that IAM capabilities are best placed to support the entire security program.
24.03.06

Regulation of Artificial Intelligence
In 2023, interest in AI was hotter than ever. In particular, starting with ChatGPT, research and development on Generative AI were conducted at various big tech companies. AI makes our lives convenient, but it also creates unexpected variables. Examples include security issues such as generating false information through AI, discriminatory speech, personal information leakage, and deepfake phishing. Because of these problems, countries around the world are implementing regulations to prevent problems caused by AI and to use AI properly.

The biggest problem with Generative AI is Hallucination. Hallucination refers to the Generative AI generating information that is not related to facts, and it is a typical error that occurs when AI processes information. Specifically, when ChatGPT is asked about a historical event that has never happened, it generates plausible but incorrect answers based on data learned about a similar event. This Hallucination can lead to the spread of misinformation and ethical and moral problems.

In response, Nature, a world-renowned international academic journal, banned the publication of photos, videos, illustrations, and graph images using generative AI in June. Nature banned the use of data or images obtained using Generative AI because legal copyright issues and the spread of false information could accelerate.

There is also the risk of spreading false information through false news produced through generative AI. In practice, certain groups manipulated President Biden's voice through Generative AI. In the original video, the statement was "Let's support tanks to help Ukraine," but it was transformed into a statement criticizing transgender people through voice-generating AI technology.

Europe's AI Act

In 2021, the European Commission (EC) first proposed a regulatory and legal framework for AI. Then, on December 8, 2023, the European Commission, the European Parliament, and representatives of the 27 EU member states agreed on the AI bill, becoming the first in the world to pass the AI Act for regulating artificial intelligence.

The AI Act, which will take effect in 2026, is the first law to target AI, and also includes regulations on biometric authentication tools such as facial recognition and fingerprint scanning, including Generative AI such as ChatGPT.

The AI Act classifies risks of AI, enhances transparency, and imposes fines on companies that fail to comply with regulations. In addition, companies must comply with comprehensive regulations on AI, including writing technical documents, complying with EU copyright laws, and providing specific summaries of content used in training.

Companies that violate the rules will be fined between 7.5 million euros (about 10.7 billion won) and up to 35 million euros (about 49.7 billion won) or 7% of global sales. If this is applied to companies such as Google and Microsoft, the fine alone amounts to billions of dollars (trillion won).

Regulatory Trends Related to Artificial Intelligence in Korea

The Personal Information Protection Committee announced the Policy Direction of Safe Use of Personal Information in the Age of Artificial Intelligence in 2023. This policy focuses on using data necessary for the development of AI safely while minimizing the risk of privacy infringement through AI. In addition, the following bills have been proposed in response to the need to strengthen personal information on artificial intelligence data and regulate high-risk AI.

In addition, the U.S. announced the introduction of federal measures to reduce the social and economic toll of AI. It is expected to investigate human jobs to be replaced by AI and write guidelines to prevent AI-led hiring systems from creating various discriminations. It will also include the federal government's use of AI to disclose how AI technology is used to collect citizens' information regarding the protection of personal information. Seven AI companies, including Google, Meta, and MS, have announced that they will develop a "digital watermarking" system that helps users distinguish voice and video contents created and altered by AI.

Digital watermarking refers to a technology that inserts information such as copyright into data such as photos and manages them. In particular, false photos or videos using AI can affect the upcoming U.S. presidential election. Google will require AI technology to be disclosed if it is used in U.S. presidential election content.
24.01.23

Chat GPT Appears in a Year, Change brought about by Generative AI
Creative activities such as writing, drawing, and coding were previously considered to be activities that only humans can do. However, with the development of artificial intelligence (AI), it is now the time for Generative AI to look beyond the human realm. Now, Generative AI is leading the transition to a new technological paradigm, starting with ChatGPT.

What is Generative AI?

Generative AI, which means generative artificial intelligence, generates original and realistic content such as images or texts without humans entering large amounts of data. OpenAI's ChatGPT played a big role in Generative AI becoming a hot topic. ChatGPT reached 100 million monthly users within two months of its launch last year, and is now used by 100 million people a week.

Change brought about by Generative AI?

Work productivity improvement

More and more businesses use ChatGPT to increase productivity. Some 92 percent of Fortune 500 companies use ChatGPT. Microsoft also recently released Generative AI Copilot in the form of ChatGPT. Not only does Copilot write code on behalf of MS programs, but it also works on Word, Excel, and PowerPoint in conjunction with MS programs. Some predict that the gap in work productivity between workers who use these generative AI technologies and those who do not will widen in the future.

A chatbot who doesn't know how to code

Anyone, even someone who is not a developer, can now create AI chatbots. OpenAI released a service called GPT Builder on Nov. 9, which allows users to create customized AI chatbots. By setting the desired purpose and entering materials for AI to learn about the topic, they can create their own custom chatbots without coding.

GPT-4 Turbo

On Nov. 6, OpenAI announced its latest AI model, GPT-4 Turbo, at a conference. The GPT series is a large-scale language model on which ChatGPT is based, and the GPT-4 Turbo offers significant performance improvements over the previous model. Key improvements to the GPT-4 Turbo are as follows.

1. Up to 16x the amount of information you can enter at a time
2. Can analyze the content of uploaded images and generate image responses
3. Allows text to be made natural audio
4. Fine-tuning and introducing a copyright protection system for businesses

In addition, it is trained with data up to April 2023, allowing more up-to-date answers than the existing model GPT-4, which was trained with data up to September 2021. In addition, OpenAI has also unveiled GPTs, a service that allows ordinary users to create their own ChatGPTs themselves. GPTs can be programmed in everyday language without coding, and OpenAI has announced that it will upload the service to the GPT Store for transaction.

Google's Generative AI-Based Search Service

Google also announced that it will expand its Generative AI based Search Generative Experience (SGE) to 120 countries, including Korea. Following Google's interactive chatbot "Bard", which supported Korean from its first launch, Generative AI's search service is now available in Korean. Generative AI search is a new feature that allows users to check information directly by displaying a link from the source along with the search results.

Matter of Generative AI

Due to the popularization of Generative AI, not only companies but also the general public have more access to AI. However, Generative AI is creating various social problems such as privacy issues and criminal use.

In particular, there is a growing risk of hacking and personal information leakage using AI. OpenAI leaked personal information such as names, e-mail addresses, and credit card numbers of some users around the world who accessed ChatGPT in March, and the leaked information included information on 687 Korean users. In response, the Personal Information Commission fined OpenAI for violating its reporting obligations, as it did not report within 24 hours of recognizing the leak, pointing out that it was insufficient to comply with its obligations under the domestic protection law.

AI phishing scams using AI are also popular. AI phishing is a method that uses AI technology such as deep voice and deepfake to falsify faces and voices into victims' acquaintances and then trick the other person into stealing money. The threshold for crime using Generative AI is lowered because it is not difficult to create human voices and videos.

In this situation where AI has penetrated into life, the U.N. has adopted a resolution titled "Human Rights Standards in the Age of AI" to consider the human rights implications of AI technology and prevent side effects caused by reckless use. Responsible evaluation of the impact of AI on human rights is needed, and AI technology should have transparency and accountability.

In the EU, companies that want to build generative AI systems such as ChatGPT by passing the AI Act must disclose the source and copyright of the data they put into machine learning, and if they want to sell AI services, they must first submit them to the EU before launch to be investigated for risk. Once the legislation is signed, regulations will be applied to EU countries from 2026.

Prospects for generative AI market

IDC, a market research firm, predicts that the global AI market, including super-giant AI, will reach USD 554.3 billion (W700 trillion) by 2024. The domestic AI market is also expected to grow by an annual average KRW 3.66 trillion in 2023, reaching an annual growth of KRW 4.4636 trillion by 2027. In addition, the demand for generative AI is expected to continue to grow as AI adoption is accelerated in various industries. Generative AI is already having a great impact on our lives and playing an important role in greatly improving work efficiency and information accessibility. However, it seems that there are still issues to be solved, such as ethical issues, criminal abuse issues, and information security issues.
23.11.28

The Amendment to the Personal Information Protection Act that Security Officers Must Know
The Personal Information Protection Act was enacted to protect data subjects and to make personal information controllers take responsibility for personal information protection. Since the establishment of the Personal Information Protection Act in 2011, it has been protecting data subjects from personal data breach damage.

The Personal Information Protection Commission (PIPC) submitted a government bill to the National Assembly in September 2021 and mediated differences of opinions through communication with domestic and overseas stakeholders such as relevant ministries, the academic and industrial circles, and civic groups. After two years of in-depth discussion, the bill was finally passed at the National Assembly. The amended Act was announced on March 14, 2023 and will take effect six months later, on September 15, 2023.

Backgrounds to the Amended Personal Information Protection Act

The amendments to the three data acts (Personal Information Protection Act, Act on Promotion of Information and Communications Network Utilization and Information Protection, and Credit Information Use and Protection Act), which took effect in August 2020, mainly focused on establishing a control tower for personal information protection and revitalizing the data economy. However, there is an opinion that the rights of the people need to be strengthened in the changing data environment.

The second amendment to the Personal Information Protection Act is the first government bill that has reflected opinions of the relevant ministries, the academic and industrial circles, civic groups, etc. after the establishment of the Act. It is meaningful in that the amendment is the full-scale revision of the Act to strengthen and protect data subjects' rights and secure compatibility with the international standards.

What is New in the 2023 Amendment to the Personal Information Protection Act

Expansion of data subjects’ rights

In the amendment to the Personal Information Protection Act, the right to demand personal information transmission was newly inserted as part of the expansion of data subjects' rights. With the newly established right to demand personal information transmission, a data subject is now able to demand the transmission of their information to themselves or third parties (other personal information controllers or personal information management institutions). As a result, limited MyData services now can be expanded with the newly established right to demand personal information transmission.

Article 35-2 of the Personal Information Protection Act (Request for Personal Information Transmission)
(1) A data subject may demand to transmit their personal information items that satisfy all of the following requirements to themselves from a personal information controller meeting the criteria prescribed by Presidential Decree, taking personal information processing competences, etc., into account. [This Article Newly Inserted, Mar. 14, 2023]

In addition, a new article about the right to demand an explanation about an automated decision and the right to deny such a decision has been inserted. Based on the newly established article, a data subject can demand an explanation about an automated decision or deny such a decision where a decision made from personal information processing by an automated system has a crucial impact on their rights or obligations.

Article 37-2 of the Personal Information Protection Act (Data Subjects’ Right, etc. to Automated Decision)
(1) A data subject can request the suspension of the processing of his/her personal information from the personal information controller or withdraw his/her consent to personal information processing. In such cases, the data subject can request the suspension of the processing of his/her personal information items subject to registration from the public institution or withdraw his/her consent to personal information processing under Article 32. <Amended on Mar. 14, 2023>
(2) Where a personal information controller receives a request for the suspension of information processing, referred to in paragraph (1), the personal information controller shall suspend the whole or part of the processing of the personal information as requested: Provided, That the personal information controller may deny the data subject’s request, if falling under any of the following subparagraphs. <Amended on Mar. 14, 2023>

Improvement in unreasonable consent systems

In the past, a personal information controller could collect personal information without a data subject's consent where it is inevitably necessary to execute and perform a contract with the data subject. However, the amended Act stipulates that a personal information controller can collect or use personal information of a data subject where it is necessary to take proper measures at the request of the data subject in the process of executing or performing a contract with the data subject.

Article 15 of the Personal Information Protection Act (Collection and Use of Personal Information) <Amended on Mar. 14, 2023>
(1) A personal information controller may collect personal information in any of the following circumstances, and use it within the scope of the purpose of collection:
4. Where it is necessary to take proper measures at the request of the data subject in the process of executing or performing a contract with the data subject;

Deletion of the special provisions concerning providers of information and communications services

In the past, where a person collected personal information without the consent of a data subject, an offline enterprise was subject to a fine not exceeding 50 million won and an online enterprise was subject to a fine equivalent to less than three-hundredths of total sales.

However, the amended Act stipulates that the same penalties apply to all personal information controllers regardless of the types of their businesses, online or offline.

In addition, the amended Act unifies “personal information controllers” and “providers of information and communications services”, which used to be distinguished from each other. Special provisions similar to or overlapping general provisions, such as consent to the collection and use of personal information, the collection of personal information of children aged under 14, and data breach notification, are integrated into general provisions and are expanded to all fields.

Establishment of portable visual data processing device operation standards

As the use of portable visual data processing devices such as CCTVs, drones, and self-driving cars is growing, relevant provisions were newly inserted. A person who intends to operate any portable visual data processing device for part of his/her activities is allowed to film persons or images of things related to the persons at open spaces only when satisfying certain requirements.

Article 25-2 of the Personal Information Protection Act (Limitation to Operation of Portable Visual Data Processing Devices)
(1) A person who intends to operate any portable visual data processing device for part of his/her activities shall not take pictures of or film persons or images of things related to the persons with the device at open places, except in any of the following circumstances:

From penalty-centered restrictions to economy-centered restrictions

The amended Act has changed the penalty-centered restrictions to the economy-centered restrictions. In the amended Act, the excessive penalty provisions were revised, the upper limit of administrative fines was increased, and lastly penalty targets were expanded.

To impose administrative surcharges proportional to the severity of the violation, the amended Act has changed the administrative surcharges calculation standard from total sales to sales except the sales not related to the violation.

In the past, a fine was equivalent to less than three-hundredths of the sales related to the violation. However, the amended Act stipulates that a fine shall be equivalent to three-hundredths of the total annual sales, which is more strict.

Article 64-2 of the Personal Information Protection Act (Imposition of Penalty Surcharges)
(1) The Commission may impose a fine equivalent to less than three-hundredths of total sales on the personal information controller in any of the following circumstances: Provided, That up to 2 billion won may be imposed as administrative surcharges on the personal information controller having no sales or sales difficult to calculate as prescribed by Presidential Decree.
(2) Where the Commission imposes a fine pursuant to paragraph (1), the fine shall be calculated on the basis of the sales except the sales not related to the violation.
[This Article Newly Inserted, Mar. 14, 2023]

Overseas transfer of personal information and the order to suspend overseas transfer

In the past, personal information could be transferred abroad only where additional consent was obtained from the data subject. However, the amended Act stipulates that personal information may be transferred without additional consent of the data subject to a nation having a similar standard of a personal information protection system to that of the Republic of Korea. In the amended Act, the order to suspend overseas transfer of personal information may be issued where there is a concern that overseas transfer of personal information may cause additional damage to the data subject.

SECTION 4 Overseas Transfer of Personal Information of the Personal Information Protection Act <Newly Inserted, Mar. 14, 2023>
Article 28-8 (Overseas Transfer of Personal Information)
(1) A personal information controller shall not provide or keep personal information abroad or outsource the processing of such information abroad: Provided, That the personal information may be transferred abroad, in any of the following circumstances;
Article 28-9 (Order to Suspend Overseas Transfer of Personal Information)
(1) The Commission may order personal information controllers to suspend overseas transfer of personal information where personal information is continuously transferred abroad or additional overseas transfer is expected, in any of the following circumstances;

The Personal Information Protection Commission (PIPC) said that the amendment to the Personal Information Protection Act could become a foothold for the growth of the data industry and enterprises by effectively guaranteeing the rights of the public and resolving legal uncertainties with reasonable regulatory maintenance in the process of accelerating digital transformation.
-
- 23.08.24
-
SINSI STORY
The First Half of 2023 of SINSIWAY
It’s almost halfway through 2023, the year of the black rabbit. The first half of 2023 has passed and now we are preparing for the second half of the year in the midst of a hot summer.

What were some of the important events that took place at SINSIWAY in the first half of 2023? In this post, we will briefly introduce key events of the first half of the year.

The third open recruitment employees have joined SINSIWAY

In January 2023, nine new employees joined SINSIWAY through the third open recruitment. The SINSIWAY HR Training Team provides new employees with three months of training so that they understand our products and their duties. New employees recruited through the third open recruitment were assigned to Technical Support Headquarters and R&D Headquarters after three months' training. We hope that our new employees adapt to the workplace and grow with a passionate mindset!

2023 Kick Off

In the first half of the year, we could go back to our daily lives as COVID-19 became endemic. In January 2023, the kick off event, which had been suspended for a while, was held with all employees. The kick off event consisted of the awards ceremony for workers in long-term service, the draw for handing over the company cars, the survival quiz program, etc. It was a meaningful event in which all employees could gather in one place after three years. We could start the new year more cheerfully through the kick off event.

SINSIWAY applied for a patent on the method and system for SaaS-based database access control gateway services

After applying for a domestic patent in September 2022, we also applied for a PCT patent on “The Method and System for a SaaS-based Database Access Control Gateway Services” in February 2023. The PCT, standing for the Patent Cooperation Treaty, provides a unified procedure for filing patent applications with the PCT members in one go. By applying for a PCT patent, we could establish a foothold for overseas business expansion based on our advanced technology.

SINSIWAY received a citation as an outstanding enterprise participating in SaaS transformation and utilization training

On February 8, SINSIWAY received a citation as an outstanding enterprise participating in SaaS transformation and utilization training provided by the Korea Software Technology Association (KOSTA).

SINSIWAY technical staff members participated in the SaaS transformation and utilization training program provided by the KOSTA for six months, from June to December 2022. SINSIWAY is making aggressive investment in HR training and R&D projects required for SaaS transformation, with the goal of developing data security software programs for cloud. In addition, we have newly organized the Cloud Development Group and the Cloud Business Team. We will expand our cloud business more aggressively in line with the expansion of the cloud security market.

The employee birthday party has resumed

The employee birthday party, which had been suspended due to the COVID-19 pandemic, resumed in April. A birthday party is held every month at the head office lounge, and birthday employees receive a gift certificate. During a party, all employees gather together and have a conversation, enjoying party food such as chicken, pizza, and cake. Employees have a chance to talk and network with unfamiliar coworkers.

The unstructured encryption solution Petra File Cipher V3.2 has obtained GS Certification Grade 1

On May 4, SINSIWAY's unstructured encryption solution Petra File Cipher V3.2 obtained GS Certification Grade 1, the highest grade, from the Telecommunications Technology Association (TTA). As GS (Good Software) certifies good quality software, SINSIWAY's advanced technology and outstanding security have achieved recognition by obtaining GS Certification Grade 1 for Petra File Cipher.
-
- 23.08.24
-
IT·SECURITY
How Will ChatGPT Change the World?
What is ChatGPT?

ChatGPT, receiving the greatest attention these days, is an AI chatbot developed by the American AI startup OpenAI. ChatGPT is a search tool that shows search results requested by users. You may think that it sounds similar to other chatbots. But why is ChatGPT in the limelight now? One of the biggest differences between ChatGPT and other portal sites such as Google and NAVER is that it learns large language model-based data, answers questions and talks like humans, and provides information about a wide range of topics.

Source: OpenAI, ChatGPT screen

Learning over 300 cases of data from the Internet, ChatGPT can make daily conversation, write theses, write code, and conduct a test. It is capable of creating unique products with a variety of content such as text, audio, and images. In addition, it can prepare reports and theses and conduct programming like a smart assistant. As of February 2023, you can use ChatGPT for free once you sign up. If you want faster service even during peak times, you can use ChatGPT Plus with a monthly subscription plan available for USD 20 (KRW 25,000). ChatGPT Plus provides higher quality answers and information than the general version.

Why is ChatGPT So Powerful?

ChatGPT is built upon GPT-3.5, a super AI that learns data with 175 billion parameters. GPT-4, planned to be launched by OpenAI in 2023, is expected to become even more precise than GPT-3.5 since it is predicted to use over 1 trillion parameters.

Unlike preexisting chatbots, ChatGPT learns by itself through trial and error using reinforcement learning from human feedback (RLHF). Since ChatGPT reflects human feedback, it can sustain a conversation. Foreign press evaluated ChatGPT as the best chatbot to talk with.

How Big is the Market Power of ChatGPT?

The number of ChatGPT users reached 1 million in four days. Taking into account that it took 3.5 years, 10 months, and 8 months for Netflix, Facebook, and YouTube, respectively, to secure 1 million users, it shows that the market power of ChatGPT is tremendous.

According to a report published by the global financial company UBS, the number of daily users reached 13 million and the number of monthly active users (MAU) is estimated to be over 100 million. Taking into consideration that it took six and nine months for Instagram and TikTok, respectively, to reach 100 million users, ChatGPT is the application that has secured 100 million users in the shortest period.

Microsoft has been making continuous investments in OpenAI, the developer of ChatGPT, and has recently started the initial test of its new ChatGPT-based Bing Mobile. In addition, Google announced a plan to launch the conversational AI chatbot Bard based on its language model LaMDA. Some predict that Bard will become more powerful than ChatGPT since it can learn a tremendously huge amount of data from Google's daily search results surpassing 3.5 billion views.

What Would be the Limitations of ChatGPT?

Of course, ChatGPT has limitations. ChatGPT does not provide information generated after 2021 since it is based on data generated in 2021 or earlier. Therefore, it may not be able to create accurate responses to questions about information after 2021.

If ChatGPT's training data contains biased information, its responses may be biased as well and ethical issues may arise.

Since numerous people are using ChatGPT around the globe, unethical answers and political answers are sometimes induced. OpenAI has set the AI Code of Ethics, which prohibits ChatGPT from answering any political, discriminative, or hateful questions. However, it is difficult to block false information completely since numerous users are using ChatGPT all over the world. It is obvious that ChatGPT will change our daily lives, but we need to think about the ethical aspect as well based on its limitations.
-
- 23.08.24
-
IT·SECURITY
2023 Prospect of Cyber Security Threats
What kinds of technologies and attacks will threaten cyber security in 2023? The Ministry of Science and ICT and the Korea Internet & Security Agency jointly published 2022 Cyber Security Threat Analysis and 2023 Cyber Security Threat Prospect.

2022 Cyber Security Threats

Cyber attacks causing national and social chaos

In 2022, global enterprises, government agencies, etc. were damaged worldwide by continuous cyber attacks by global hacking groups such as LAPSUS$. In Korea, cyber attacks exploited accidents and incidents on which national attention was focused, such as the data center fire at Pangyo and the Seoul Halloween crowd crush.

In addition, attackers seized the official YouTube accounts of government agencies and broadcasting companies, posted virtual asset videos, and distributed hacking e-mails impersonating government agencies.

Attacks using the changes in the IT environment such as telecommuting and cloud transformation

Since the COVID-19 outbreak, working environments have changed to non-face-to-face environments, in which important data was leaked through infiltration into enterprises. As more and more enterprises use cloud and major systems are replaced by cloud, cloud security incidents are increasing. Representative security incidents include hacking into Alibaba Cloud leading to the leak of 1 billion users' personal information and the airport data leak incident resulting from errors in Amazon Cloud settings.

Ransomware and DDoS attacks paralyzing the digital society

Security incidents reported to the KISA in 2022 increased by around 1.6 times year on year. 29% of the reports received were ransomware incidents. Small and medium enterprises and manufacturing businesses account for 88.5% and 40.3% of the total ransomware damage, respectively. It is necessary to expand security support for and investment in small and medium enterprises.

DDoS attacks are also continuously increasing. It was confirmed that most of the devices used for such attacks were video storage media, set-top boxes, etc. infected with IoT malware.

2023 Prospect of Cyber Security Threats

An increase in global hacking groups' attacks threatening national industry and security

It is forecasted that global hacking groups will become more active and cyber attacks targeting global enterprises will continue with the prolonged Russo-Ukrainian War. In particular, it is predicted that attacks targeting virtual assets and cyber criminal organizations' activities will grow, including posting their attacks on social media.

Continued cyber attacks using sensitive cyber issues such as disasters and disabilities

Phishing, smishing, and advanced persistent threats using social issues are expected to grow, and activities affecting the entire society with fake news using cutting-edge technology are expected to increase as well. In addition, it is predicted that attacks using personal channels such as e-mail and social media will grow.

Evolution of ransomware armed with advanced persistent threats and multiple extortion

Ransomware attacks are evolving into advanced persistent threats (APT), a type of hacking technique that attacks a specific target persistently with an advanced method.

Attacks are evolving into multiple extortion: attackers use hacking e-mails, web server vulnerabilities, remote access, etc., damage back-up storage devices, and threaten corporate customers over the restoration of encrypted files, the disclosure of leaked data, and DDoS attacks. It is therefore necessary to take proper action against evolving ransomware attacks.

Increasing threats with cloud transformation in the digital era

The merits of cloud are that there is no physical limitation and it is easy to expand business. Therefore, the current trend is that many enterprises are replacing their on-premise environments with cloud. Security threats such as security vulnerabilities and data leaks are revealed in the process of cloud transformation. Enterprises should formulate systematic cloud security management strategies and establish cloud security measures, taking into account their business characteristics and cloud operation types such as hybrid cloud and multicloud.

Growing threats and corporate SW supply chains getting more and more complicated

It is predicted that malware injection and source code theft will increase since more and more SW developers are using development sharing websites such as GitHub.

With the increasing use of open source software, attackers may use the vulnerabilities of popular open source components such as Log4j or inject malware into libraries. They are also predicted to attack supply chains by directly infiltrating SW development companies, forging update servers and source code, and stealing certificates.
-
- 23.08.24
-
SINSI STORY
SINSIWAY Accelerates the Expansion of Its Cloud Business
With an increase in non-face-to-face environments and smart work environments resulting from the COVID-19 pandemic, the demand for cloud services has risen and cloud transformation by companies has accelerated. According to the “Korea Cloud Opportunity Forecast by Industry, 2021–2025” published by IDC Korea, the annual growth rate of the domestic public cloud market will reach 14.8% by 2025 and the market size is expected to reach KRW 3.8952 trillion.

SINSIWAY is providing DB access control and DB encryption services through around 10 cloud marketplaces. We are the only enterprise providing DB access control and encryption services in the Korean cloud marketplaces. Since we first launched cloud service in 2017, we have set a new sales record every year through 2023.

By strengthening the Cloud Research & Development Team in 2022 and establishing the Cloud Business Team in 2023, we are preemptively responding to changes in the cloud environment and enhancing our market competitiveness.

The newly organized Cloud Business Team consists of staff members responsible for technical support, sales, and marketing. Team leader Park Byeong-min directs cloud sales, technical support, and marketing. Sales representative Kim Han-byeol will strengthen systematic partnerships with CSPs and MSPs and cloud sales in the public and financial sectors. Senior managers Gang Ah-hyeon and Bae Yun, responsible for technical support, will focus on developing cloud competences for SaaS transformation, including technical support for cloud clients and partners. The 2023 goals of senior manager Yi So-yeong are to establish marketing strategies for expanding the cloud market and to conduct joint marketing more aggressively with domestic cloud service providers (CSPs).

More and more Korean enterprises are providing cloud-based services, instead of physical servers, and the government is focusing on developing cloud technology. As cloud transformation is accelerating, it is expected that we can expand our cloud business even more through our Cloud Business Team.
-
- 23.08.24
-
IT·SECURITY
Anyone Can Become the Target of Cyber Crimes
Global Cyber Crimes After the COVID-19 Pandemic

Cyber crimes refer to all types of crimes taking place in cyberspace, including computer crimes and cyber terror. Cyber crimes are increasing day by day with the expansion of ICT such as cloud, AI, and big data and the growing utilization of cyberspace during the COVID-19 pandemic.

Source: Cybersecurity Ventures

The market research service provider Statista predicted that the global cyber security market would grow with the rising awareness of cyber threats. In 2021, the global cyber security market size is estimated to be approximately USD 217.9 billion. With an annual average growth rate of 9.65%, the market size is expected to grow to USD 345.4 billion by 2026. The American cyber security research company Cybersecurity Ventures estimates that the size of global cyber crime damages will triple from USD 3 trillion in 2015 to USD 10.5 trillion in 2025.

Cyber Attack Damage Cases

Zoom meetings for video conferences, classes, etc., recorded more than 200 million daily users, thereby growing fast during the COVID-19 pandemic. However, a phenomenon called “Zoombombing” has happened all over the world. Zoombombing refers to a phenomenon where uninvited participants join a meeting to cause disruption. An uninvited user joined a remote learning class of the University of Texas at Austin and made racist remarks. In Singapore, a hacker uploaded pornographic pictures during an online class of a middle school. Since users can access Zoom meetings only via a specific Internet address or a conference ID consisting of numbers, hackers are assumed to have gained access via other routes.

Data and personal information leak incidents have been continuously happening through cyber attacks. According to the Cost of a Data Breach Report 2022 published by IBM Security, as a result of studying 550 organizations impacted by data breaches for one year, the total damage of data breaches was found to be USD 4.35 million, which was the highest in 17 years. From Facebook, which has 2.2 billion users all over the world, the personal information of 533 million users was leaked. The cause of the incident was found to be an information leak resulting from web scraping. Web scraping is the technology of automatically extracting and collecting desired data from the database of a system or a website, which may be the start of hacking and infringement.

Types of Global Cyber Crimes

Ransomware

Ransomware is a compound word consisting of “ransom” and “software.” It is a type of malware that blocks access to a computer system or data and demands a ransom. In 2021, the number of ransomware attacks increased by 141.7% year on year. In February 2022, the Ministry of Science and ICT and the Korea Internet & Security Agency issued a ransomware attack warning. As ransomware attacks are occurring often all over the world and the damages are gradually expanding as well, they are considered severe crimes.

Phishing

It was reported that phishing attacks increased by over 62% after the COVID-19 outbreak. Many attackers steal information by making people click on a malicious URL about COVID-19 or by distributing malware. Starting from demanding money by impersonating a family member or an acquaintance, phishing techniques are evolving day by day, including making victims install a remote control application on their smartphones. It was found that over 85% of the victims are in their 40s or older. Middle-aged or older people should be more careful not to become phishing victims.

Distributed Denial of Service (DDoS) Attacks

A distributed denial of service attack, commonly abbreviated to a DDoS attack, is a cyber attack in which the perpetrator seeks to make a server unavailable by flooding it with traffic. It is a representative denial-of-service attack that causes failures in a specific server or a network by generating a large amount of data. Recently, DDoS attacks have expanded to IoT devices such as AI speakers, routers, and home appliances. According to the American market research service provider Market Research, the DDoS security market is expected to grow by 14% every year and its size is forecasted to reach USD billion by 2028, taking into consideration the current continuous growth in DDoS attacks since 2017.

Source & Reference

IBM Security, Cost of a Data Breach Report 2022

Cybersecurity Ventures, Global Cyber Crime Report
-
- 23.08.24