06/01/2026
South Korea Introduces Stricter Standards to Revoke Security and Privacy Certifications
South Korea introduces stricter standards to revoke security and privacy certifications, strengthening compliance, accountability, and data protection enforcement.
South Korea has announced tougher measures to revoke Information Security Management System (ISMS) and ISMS-P (Personal Information & Information Security Management System) certifications, signalling a decisive shift in its approach to corporate accountability following a series of high-profile data breaches. The new standards, which were made public in December 2025 by the Ministry of Science and ICT and the Personal Information Protection Commission (PIPC), will allow regulators to immediately strip certifications from companies found responsible for major security incidents such as hacking or large-scale personal data leaks.
Previously, ISMS and ISMS-P certifications were considered a mark of compliance and reliability, often required for telecom operators, online platforms, and public institutions. However, recent breaches at certified firms, including SK Telecom and e-commerce giant Coupang, exposed vulnerabilities in the certification system. Critics argued that certifications were being treated as static achievements rather than ongoing obligations, allowing companies to retain them despite serious lapses.
Under the revised framework, regulators will conduct post-certification audits to identify flaws and enforce compliance. Certifications will be revoked if companies fail to meet updated standards or are implicated in significant violations. The reforms also make ISMS-P certification mandatory for high-risk operators, including telecom providers and large online platforms. This requirement will ensure that organisations handling large amounts of personal data are subject to stricter oversight.
The government emphasised that the changes are intended to restore public trust in digital services and strengthen South Korea’s cybersecurity posture. The Financial Security Institute and the Korea Internet & Security Agency (KISA) will play key roles in implementing the new regime, alongside private experts and industry stakeholders.
📰 Mini Headlines
Dutch Privacy Watchdog Warns of Rising AI Chatbot Data Leaks
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has issued a warning about increasing risks of personal data leaks through AI chatbots. Regulators noted that users often share sensitive information with conversational AI systems, which may be stored or misused without adequate safeguards. The watchdog emphasised that companies deploying chatbots must comply with the EU General Data Protection Regulation (GDPR) to ensure transparency, lawful processing, and strong security measures. The authority urged consumers to exercise caution when interacting with AI tools and highlighted that improper handling of chatbot data could lead to identity theft, profiling, and privacy violations.
Read More → https://nltimes.nl/2025/12/30/dutch-privacy-watchdog-warns-rising-ai-chatbot-data-leaks
Florida Governor DeSantis Proposes Citizen Bill of Rights for AI
On December 29, 2025, Florida Governor Ron DeSantis introduced a proposal for a Citizen Bill of Rights for AI, aimed at challenging federal authority over artificial intelligence regulation. The initiative seeks to guarantee Floridians' rights, such as transparency in AI decision-making, opt-out options for data use, and protections against algorithmic bias. DeSantis argued that states should retain control over AI governance rather than ceding authority to Washington. The proposal reflects growing political debate in the U.S. over AI oversight, with critics warning of potential conflicts between state and federal frameworks. Legislative review in Florida is expected in 2026.
French Software Company Fined $2 Million for Cybersecurity Failings
France’s data protection regulator, the CNIL, has fined software company Nexpublica €1.7 million (about $2 million) after a major data breach exposed sensitive customer information. Investigators found that the company failed to implement adequate encryption, access controls, and monitoring systems, leaving sensitive data vulnerable to unauthorised access. The breach affected thousands of users, prompting CNIL to impose one of its largest penalties in recent years. Regulators stressed that companies must treat cybersecurity as a continuous obligation under the GDPR.