Mandatory Breach Reporting under the Amended APPI
The April 2022 amendment to the Act on the Protection of Personal Information (APPI) made breach reporting a legal obligation rather than merely a guideline-based voluntary practice (Article 26).
Four Categories Triggering Reporting
| Category | Description |
|---|---|
| Sensitive personal information | Medical records, criminal history, disability information |
| Financial harm risk | Credit card numbers, bank account details |
| Malicious purpose risk | Data obtained through unauthorized access |
| 1,000+ records | Large-scale data breach |
Any single category triggers the reporting obligation.
Reporting Deadlines
To the PPC (Personal Information Protection Commission):
- Initial report: "Promptly" — approximately 3–5 days after discovery
- Full report: Within 30 days (60 days for cyberattacks) of discovery
To affected individuals: "Promptly" after the breach is confirmed. Where individual notification is infeasible, public announcement is an accepted alternative.
Incident Response Steps
- Contain and assess (immediately): Stop additional leakage; preserve logs as evidence
- Internal escalation (within hours): Notify security officer, legal, PR, and senior management
- Initial PPC report (within ~3–5 days): Submit via PPC's electronic filing system
- Individual notification (promptly): Email, postal mail, or website notice
- Full PPC report (within 30/60 days): Include investigation results and preventive measures
Summary
Breach reporting is now a legal obligation with short deadlines. Prepare internal incident response procedures in advance, designate a response team, and maintain contact information for regulators. Concealment leads to compounding reputational damage — timely disclosure is the better approach.