• Review of KIISC
• /
• v.14 no.1
• /
• pp.107-122
• /
• 2004

세계 각 국은 산업 및 정보의 의존성에 의해 모든 정보를 한눈에 볼 수 있는 시대로 변모하였으며, 사이버 공간 그 자체가 정치, 경제사회, 문화 등의 기본적인 생활 공간으로 자리 매김하고 있다. 따라서 사이버 공간을 보호하지 않을 경우 안정된 정보사회 구축은 불가능하다. 특히, 정보보호의 대상이 특정 국가적인 정보 보안에 국한되지 않고 기업 및 사회의 정보 등으로 확대되고 있어, 국가적으로 국가 안보뿐만 아니라 개인의 정보보호를 위한 새로운 제도와 조치가 절실히 요구되는 시점이다. 따라서 본 고에서는 복합 기능을 갖는 정보보호 제품의 보호 프로파일 개발을 위한 기반 연구로 요구되는 대체 평가 방법론에 대해 고찰해 보고자한다. 특히 북미를 중심으로 표준화가 진행 중에 있는 CEM을 기준으로, 영국을 중심으로 유럽의 적합성 표준으로 추진 중에 있는 SCT와 ISO/IEC에서 제시되고 있는 적합성 테스트 방법론인 ISO/IEC 9496 및 보증 프레임워크인 ISO/IEC 15443에 대한 자체 취약성 분석을 수행하고 자각의 평가 방법론간의 상호 연관성과 비교 분석을 통해 복합 기능을 갖는 정보보호 제품의 보호 프로파일 개발의 가이드라인을 제시하고자 한다.

• Review of KIISC
• /
• v.12 no.6
• /
• pp.68-80
• /
• 2002

세계 각국에서는 산업 및 정보의 의존성에 의해 전세계의 모든 정보를 한눈에 볼 수 있는 시대가 도래하였으며, 사이버 공간 그 자체가 정치, 경제사회, 문화 등의 기본적인 생활 공간으로 자리매김 하고 있다. 따라서 이를 보호하지 않을 경우 안정된 정보사회 구축은 불가능하다. 특히, 정보보호의 대상이 특정 국가적인 정보 보안에 국한되지 않고 기업 및 사회의 정보등으로 확대되고 있어, 국가적으로 국가 안보 뿐만 아니라 개인의 정보보호를 위한 새로운 제도와 조치가 절실히 요구되는 시점이다. 본 고에서는 정보보호 제품을 평가하기 위해 단일화된 국가 평가 기준을 기반으로한 국외 평가 스킴 중에서 미국의 평가 스킴을 예로 들어 그에 대한 분석하고자 한다. 분석된 내용은 국내 정보보호 관리체계를 위한 국내 평가 스킴 개발을 위한 바람직한 추진 방향과 향후 발전방향에 대하여 살펴보고자한다

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.4
• /
• pp.719-734
• /
• 2020

This paper proposes a new measurement scheme for estimating the processing level according to risk when performing de-identification in the use of personal information by practitioners in the organization in line with the recently revised Data 3 Act. Our proposed methods considered the surrounding circumstances surrounding the data, not just the data, for risk measurement, and divided the data situation into three categories more systematically so that it can be applied in all areas in a general-purpose environment, the data utilization environment, and the data (self) so that it can be calculated quantitatively based on each context risk according to the presented classification. The proposed method is designed to calculate the risk of existing de-identifiable information in a quantitative manner so that personal information controller in general organizations can use it in practice, not just in the qualitative judgment of experts.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.2
• /
• pp.243-252
• /
• 2020

Recently, the proportion of housing lease has been increasing to an overwhelming level in line with the increase of single-person households and the change in the form of housing. In the normal case, the use of rental-type housing is subject to a housing lease agreement through a licensed real estate agent. In the event of a transaction conclusion, licensed real estate agent shall issue a contract containing the personal information of the lessee, the renter, and the licensed real estate agent to the transaction party. In this case, it is necessary for the lessee to provide the contract to a third party. This paper analyzes relevant laws and regulations and the status of housing transactions, focusing on personal information processed between offline housing lease agreements. And when issuing a contract through IRTS, we propose a way to protect personal information by providing a third party in three forms: information Data Subject-based, Purpose of usage-based De-identification, and Certificate of Contract.

• The Korean Society of Law and Medicine
• /
• v.24 no.4
• /
• pp.67-101
• /
• 2023

The utilization of generative AI in the medical field is also being rapidly researched. Access to vast data sets reduces the time and energy spent in selecting information. However, as the effort put into content creation decreases, there is a greater likelihood of associated issues arising. For example, with generative AI, users must discern the accuracy of results themselves, as these AIs learn from data within a set period and generate outcomes. While the answers may appear plausible, their sources are often unclear, making it challenging to determine their veracity. Additionally, the possibility of presenting results from a biased or distorted perspective cannot be discounted at present on ethical grounds. Despite these concerns, the field of generative AI is continually advancing, with an increasing number of users leveraging it in various sectors, including biomedical and life sciences. This raises important legal considerations regarding who bears responsibility and to what extent for any damages caused by these high-performance AI algorithms. A general overview of issues with generative AI includes those discussed above, but another perspective arises from its fundamental nature as a large-scale language model ('LLM') AI. There is a civil law concern regarding "the memorization of training data within artificial neural networks and its subsequent reproduction". Medical data, by nature, often reflects personal characteristics of patients, potentially leading to issues such as the regeneration of personal information. The extensive application of generative AI in scenarios beyond traditional AI brings forth the possibility of legal challenges that cannot be ignored. Upon examining the technical characteristics of generative AI and focusing on legal issues, especially concerning the protection of personal information, it's evident that current laws regarding personal information protection, particularly in the context of health and medical data utilization, are inadequate. These laws provide processes for anonymizing and de-identification, specific personal information but fall short when generative AI is applied as software in medical devices. To address the functionalities of generative AI in clinical software, a reevaluation and adjustment of existing laws for the protection of personal information are imperative.

• The Korean Society of Law and Medicine
• /
• v.22 no.4
• /
• pp.117-157
• /
• 2021

This research reviewed the HIPAA/HITECH, 21st Century Cures Act, Common Law, and private Guidances from the perspectives in protecting and utilitizing the medical data, while implications were followed. First, the standards for protection and utilization are relatively clearly regulated through single law on personal medical information in the United States. The HIPAA has been introduced in 1996 as fundamental act on protection of medical data. Medical data was divided into personally identifiable information, non-identifying information, and limited dataset under HIPAA. Regulations on de-identification measures for medical information, objects for deletion of limited data sets, and agreement on prohibition of data re-identification were stipulated. Moreover, in the 21st Century Cures Act regulated mutual compatibility for data sharing, prohibition of data blocking, and strengthening of accessibility of data subjects. Common Law introduced comprehensive consent system and clearly stipulates procedures. Second, the regulatory system is relatively simplified and clearly stipulated in the United States. To be specific, the expert consensus and the safe harbor system were introduced as an anonymity measure for identifiable medical information, which clearly defines the process while increasing trust. Third, the protection of the rights of the data subject is specified, the duty of explanation is specified in detail, while the information right of the consumer (opt-out procedure) for identification information is specified. For instance, the HHS rule and FDA regulations recognize the comprehensive consent system for human research, but the consent procedure, method, and requirements are stipulated through the common rule. Fourth, in the case of the United States, a trust-based system is being used throughout the health and medical data legislation. To be specific, Limited Data Sets are allowed to use in condition to the researcher's agreement to prohibit re-identification, and de-identification or consent process is simplified under the system.

• KIPS Transactions on Computer and Communication Systems
• /
• v.11 no.11
• /
• pp.395-402
• /
• 2022

In case of violation of the Personal Information Protection Act, administrative dispositions will be taken according to the legal standards, and the results will be announced. However, the current method has limitations in its effectiveness as repeated administrative dispositions are increasing despite the announcement by the disclosure system of the Personal Information Protection Act. In this paper, we deploy the introduction of the 'public announcement commandment' against violators by analyzing the administrative disposition results according to the violation of the Personal Information Protection Act. It is able to strengthen the existing disclosure system for self-disclose violations by providing easy recognition to the people about the fact of violation itself against the Personal Information Protection Act. Furthermore, we analyze major industries through the industry groups and violations of laws that were subject to publication, and data published on the results of administrative dispositions for violation of the Personal Information Protection Act. Finally, we propose the legal basis for the 'public announcement commandment' which allows the violator to publish by oneself for the announcement of the fact that the corrective action has been taken.

• The Journal of the Korea Contents Association
• /
• v.14 no.6
• /
• pp.1-10
• /
• 2014

Through the development of internet mobile devices and online business activation, sensitive data of unspecified user is being easily exposed. In such an open business environment, the outflow of sensitive personal information has often been remarked on recently for which adoption of encryption solution for database became top priority in terms of importance. In 2011, government also legislated for the protection of personal information as an information network law, and is now applying the law to a variety of industries. Firms began to comply with these regulations by establishing various measures for protection of personal information and are now quickly introducing encryption solution to reinforce security of personal information they are managing. In this paper, I present architecture and technological parts that should be considered when introducing security solution.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.129-145
• /
• 2017

This study proposes a methodology to estimate the financial damages by personal information breach of a company and to analyse risk systematically through a case study of a company which experiences private information breach. Using FAIR(Factor Analysis of Information Risk) model, estimate the loss amount and to analyse risk objectively of a company by personal information breach. This study estimates adequacy and importance of corresponding factors applying AHP(Analytic Hierarchy Process) on each factors for assessing loss amount. By adopting proposed methodology in this study, the person in charge of actual work can assess and prove the loss amount though the latest risk estimation methodology. In addition, the person in charge can select the proper parameters for the corresponding company and can obtain the objective quantitative estimation. Hence it can be reported to the management by accurately assessing loss amount caused by personal information breach.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.97-106
• /
• 2014

CCTV(Closed Circuit television) is one of the widely used physical security technologies and video acquisition device installed at specific point with various purposes. Recently, as the CCTV capabilities improve, facial recognition from the information collected from CCTV video is under development. However, in case these technologies are exploited, concerns on major privacy infringement are high. Especially, a computer connected to a particular space images taken by the camera in real time over the Internet has emerged to show information services. In the privacy law, safety measures which is related with biometric template are notified. Accordingly, in this paper, for the protection of privacy video information in the video surveillance system, the technical and managerial requirements for video information security are suggested.