The ruling party and the government are taking steps to reinforce corporate liability in data breach cases, regardless of whether negligence can be proven.

During a two-way meeting Wednesday following a recent series of data breach incidents, the ruling Democratic Party and the Personal Information Protection Commission agreed to revise existing regulations and delete the requirement to prove ill intent or negligence on the part of the company before it can be held liable for damages.

An official from the state agency said businesses will be exempt from liability only under very limited circumstances if they can prove they took all possible precautions to protect users’ data and bear no blame at all for a breach. 

Companies will face penalties if they fail to cooperate in data breach investigations or comply with corrective orders from the government, and orders to preserve evidence will be issued.

To prevent leaked data from being used in cybercrime, a new provision will also be included in the Personal Information Protection Act to enable penalties against those who buy, provide or disseminate personal information despite being aware it is leaked data.