Coway operates a privacy protection body in charge of protecting private information. The Information Protection Committee carries out discussions and makes decisions on major issues related to privacy protection.As an executive-level body, the Information Protection Committee is chaired by the chief information protection staffer and comprises the heads of relevant departments as members. The Committee is chaired by the Chief Information Security Officer (CISO), who has "at least 10 years of experience in the field of information protection or information technology", which is the requirement specified for the CISO under the Act on Promotion of Information and Communications Network Utilization and Information Protection.
The Committee helped build an integrated management system to protect and manage private information more efficiently. All bodies related to privacy and information protection are led by the Information Security Team, and work closely with relevant departments for thorough information protection.
Externally, there has been an increase in the threat of cyberattacks and the transition to a digital society due to the COVID 19 pandemic;internally, there is a need to establish security policies adapted to the expansion of online services and the evolving cloud environment. In 2022, the Information Protection Committee completely revised the Privacy Protection Policy and guidelines to reflect the evolving internal and external information protection environment and processes, and established new security guidelines for cloud services, which lay the foundation for more practical and systematic operation of the Information Protection Management System.
We operate an information security system based on the information security policy and guidelines we drew up for protection of customers’ information in all business areas. We divided our privacy protection regulations into policy on basic principles regarding protection of private information and detailed areas for the practice of privacy protection, so that they can be readily applied in the workplace. The information security policy and guidelines are enacted and revised on a regular basis in order to reflect them in the realm of privacy protection that is growing wider in line with changes in the business environment.
In 2022, we subdivided the policy and three guidelines into one policy and 17 guidelines by incorporating the latest issues concerning privacy protection, such as the active use of in-firm cloud system and increase of the location-based services. We are determined to protect private information by applying the related guidelines and measures to all our business areas and fiduciaries and suppliers, as well as marketing bodies.
Coway responds promptly to requests for deletion of personal information from information subjects or matters received through the e-Privacy Clean Service to ensure the rights of the information subject.
In 2023, we completed the implementation of privacy labeling on Coway.com and cosmetics sites to make it easier for information subjects to understand the key points of our privacy policy.
(Effective date: Coway.com_ May 12, 2023/ Cosmetics_ April 25, 2023)
System for Management of Private Information Protection and Information Protection Measures
We operate a privacy protection lifecycle management system in order to manage our customers’ information as safely as possible throughout the entire process from data collection to storage, utilization, and disposal. In order to maintain the upgraded privacy protection system, we have divided the privacy protection lifecycle management system into management, physical, and technology areas. In terms of the management area, we categorize data and provide training on information protection. The physical area includes access control, CCTV surveillance, and Clean Desk Policy, and the technology area includes system control, management of privacy infringement, IT system-based diagnosis and disaster recovery.
In 2022, Coway conducted activities such as security campaigns, distribution of security posters, and information protection slogan contests to award outstanding employees. We conduct Clean Desk checks and malicious email simulation drills regularly to check the information security status of employees and educate them on behavioral tips to prevent security incidents.
Category
When
Whom
What
Implement Clean Desktops
May, September, December (3 times)
Headquarters, labs, and factories (Distribute self-inspection checklists on-site)
Prevent security incidents at the workplace through Clean Desk activities
Malicious email simulation drills
April, July, October (3 times)
Employees of the entire company
wareness-raising activities to prevent malware infections and information leaks due to malicious emails
Information protection slogan contest
September (Once)
Employees of the entire company
Createa slogan that is creative and appropriate for building Coway's information protection culture
Coway has acquired capabilities to fulfill domestic and international standards for personal information security and privacy protection by obtaining information protection certifications from reputable third-party organizations, and strengthens its information protection level every year through post-examination (1 year) and renewal examination (3 years).
Certifications Coway holds
ISMS-P
ISO/IEC 27001:2013
Standard
Domestic
International
International
2022.06.15 ~ 2025.06.14
2020.12.20 ~ 2023.12.20
Certification organization
Korea Internet & Security Agency (KISA)
DNV
Scope of certification
Coway’s internet shopping mall service (Coway.com, Cosmetics)
ISMS on IT Activities
Certification effect
Contribution and effect on business
Systematic prevention and improvement by holding certifications in order to protect personal information from hacking and eliminate threats to internal infringement. Furthermore, contribution to business stability through protection from violation of related laws and prevention of risks related to financial aspects (fines, etc.) and reputation.
Conduct "security checks" to check and improve information protection laws and vulnerabilities proactively when a new system is established or major changes are made to internal and external services.
Prevent legal risks and security vulnerabilities proactively by conducting security checks in accordance with the Personal Information Protection Act and ISMS-P certification standards
Monitor whether there are files containing personal information on employees' PCs, encrypt files in use, recommend deletion of files when their purpose of use has ended, and secure the safety of the PC environment through My PC Guardian.
In 2022, we identified risk issues, such as mass inquiries and export of personal data and activities after office hours. As a result, we identified some cases involving suspicion of privacy violation and managed the risk factors. We also reinforced our activities to raise awareness on information privacy in order to prevent potential risks to information protection in the process of employees’ working from home due to COVID 19,and ran malicious email simulation training for employees, suppliers, and partners. In addition, we checked the continuity of our information protection system by diagnosing infrastructure weaknesses, reviewing security, and validating disaster recovery procedures.
We operate a privacy incident response system to take initial action promptly, minimize damage and prevent secondary damage in cases where a data leak or breach occurs. We classify privacy incidents into data breach and data leak (leaks of private data and inside information), respectively, and take appropriate measures for each type of incident. Above all, we alert the information protection staff immediately after we detect an incident through security control and periodic monitoring and form a response team. Next, we conduct a detailed analysis of how the information leak occurred through fact-checking and evidence-collection and preservation after taking initial action. This is followed by measures to prevent recurrence and ensure we get back on track. Equipped with this response system, we inform relevant departments of the incident and our responses, and provide training in order to prevent similar incidents.
Coway monitors information security activities on a monthly basis, identifies areas needing improvements, and reports and manages ongoing information security activities. In 2022, a total of 34 information security activities were conducted, exceeding the target of 90% and achieving 100%.
100%
100%
100%
100%
100%
100%
100%
100%
Category
Key Activities and Achievements
Evaluation Indicators
Measurement Results
Compliance
Percentage of mandatory compliance activities performed
100%
Operation of management system
Rate of coverage for internalization of security standards
100%
Operation of security system
Execution rate for the improvement plan
100%
Prevention of information security breaches
Risk detection response rate
100%
Raising awareness
Execution rate for the awareness plan
100%
Enhancement of trainings
Rate of completion compared to the number of training participants
100%
Risk management
Rate of security vulnerability measures/removal
100%
Internal audit
Rate of management-level diagnosis
100%