These are the Top 10 Worst Foreign Countries in which to Suffer a Data Breach

As if the direct costs and reputational damage of suffering a cyberattack weren’t enough, governments in various countries also mete out punishment for breaches of customer privacy.

Of course, it’s the hackers who are ultimately responsible for cybercrimes. But governments often hold companies up to high compliance standards that can put their executives in hot water should customer data be stolen.

And some countries enforce much stricter regimes than others, challenging CEOs of multinational companies to adapt internal protocols to cover all their bases.

South Korea has the harshest settings, according to Bloomberg Law, which has just listed the top 10 countries with the highest data breach notification compliance risk.

“While news coverage has made privacy a topic of intense interest in the U.S., understanding the international regulatory environment is no less important to U.S. companies doing business abroad,” the report’s authors said.

Businesses operating in South Korea face a very high compliance burden and intense level of law enforcement. They can face potential criminal fines of $700,000, civil fines of $26,500 and even criminal imprisonment. All together, the country was given an index score of 83 out of a 100 by Bloomberg Law, a very high negative score.

In 2014, dozens of top executives at Korean financial firms including KB Financial Group resigned after hackers stole millions of customer credit card details. A local karaoke chain, K Box, was even fined around $50,000 last year for failing to protect financial data.

“The privacy law regime of South Korea is very complicated and detailed and has been subject to frequent change in recent years. Privacy laws overall have been strictly enforced by regulatory authorities, particularly law enforcement authorities,” the report said.

Tied for second on the list were Columbia and Mexico, while France took out fourth and Japan fifth.

French authorities are especially active in pursuing companies that experience breaches and can impose civil fines of just over $3 million, though the highest fine imposed there last year was €100,000 against Google. Individuals found not following rules in Japan, meanwhile, can face six months imprisonment.

Rounding out the top 10 in descending order were Spain, the Philippines, Belgium, Germany and Hungary.

The regulatory burdens in Germany and Hungary are lighter than the other eight countries in the top 10; though, at up to $11.6 million, Germany had the biggest potential criminal fines.