(English) Supreme Court Decision 2014Da206785 Decided January 25, 2018

Compensation for Damages (Other)

Cases

2014Da206785 Compensation for Damages (Other)

Plaintiff, Appellant

1. The FU;

2. GW;

3. LN;

Defendant, Appellee

1. SK Communications Co., Ltd.;

2. Pstrupt Co., Ltd.;

Judgment of the lower court

Seoul High Court Decision 2013Na2001042 Decided February 13, 2014

Imposition of Judgment

January 25, 2018

Text

All appeals are dismissed.

The costs of appeal are assessed against the plaintiffs.

Reasons

The grounds of appeal are examined.

1. A. Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 11322, Feb. 17, 2012; hereinafter “former Information and Communications Network Act”) provides that a provider of information and communications services shall take the technical and administrative protective measures listed in its subparagraphs, in accordance with the standards prescribed by Presidential Decree, in order to prevent the loss, theft, leakage, alteration or damage of personal information. Those measures include the installation and operation of access control devices to block unlawful access to personal information, measures to prevent the forgery and alteration of access records, and other protective measures necessary to ensure the safety of personal information. The specific standards are set out in Article 15 of the former Enforcement Decree of the Information and Communications Network Act (amended by Presidential Decree No. 2518, Jun. 1, 2008, and Presidential Decree No. 20320, Jan. 28, 2012; hereinafter “former Enforcement Decree”).

Furthermore, where a provider of information and communications services collected personal information from a user who intended to use its services by requiring, through its terms and conditions of use, that the user provide such information, the provider is obligated under the service use contract to take the protective measures necessary to prevent the loss, theft, leakage, alteration or damage of the collected personal information.

B. However, the networks, systems and operating systems established by information and communications service providers inevitably contain inherent vulnerabilities, so it is not easy to expect complete security against unlawful intrusions such as so-called hacking, particularly when the pace of technological development and the overall transaction costs to society are considered. Furthermore, hackers intrude upon a provider’s information and communications network and related information systems through a variety of attack methods that bypass or neutralize the security measures the provider has taken, and the security technology for preventing such intrusions is, by its nature, developed ex post in response to new attack methods. These special circumstances must be taken into account when considering the protective measures a provider is required to take to ensure the safety of personal information.

Therefore, in determining whether a provider of information and communications services breached its statutory duty under Article 28(1) of the former Information and Communications Network Act, or its contractual duty under the service use contract, to take the protective measures necessary to ensure the safety of personal information, the question is whether the provider took the protective measures that could reasonably be expected under social norms at the time, considering comprehensively: (a) the level of information security technology generally known at the time of the hacking or other intrusion; (b) the type and scale of the provider’s business; (c) the overall security measures taken by the provider; (d) the economic costs and utility of the information security measures; and (e) the likelihood of avoiding the damage in light of the development of hacking technology and information security technology, etc.

C. In particular, Article 15(6) of the former Enforcement Decree provides that “the Korea Communications Commission shall establish and publicly notify the matters stipulated in paragraphs (1) through (5) and the other measures necessary to ensure the safety of personal information pursuant to Article 28(1)6 of the Act.” Accordingly, the Standards for Technical and Administrative Protective Measures for Personal Information (Korea Communications Commission Notice No. 2011-1; hereinafter the “instant notice”), established by the Korea Communications Commission, sets out the specific technical and administrative measures that providers of information and communications services must take pursuant to Article 28(1) of the former Information and Communications Network Act, taking into account the level of technology at the time of hacking or other intrusions. Therefore, if a provider of information and communications services took the technical and administrative measures stipulated in the instant notice, barring special circumstances, it is difficult to deem that the provider breached its statutory or contractual obligation to take the measures necessary to ensure the safety of personal information (see, e.g., Supreme Court Decision 2013Da43904, Feb. 12, 2015).

D. However, it is reasonable to view the instant notice as setting the minimum standard to be observed by providers of information and communications services. Therefore, even if a provider took the technical and administrative protective measures stipulated in the instant notice, its conduct may still be assessed as unlawful if the provider could easily have foreseen the need for further measures and failed to take the reasonable protective measures that could be expected of it.

2. The reasoning of the lower judgment and the evidence duly admitted by the lower court reveal the following facts and circumstances.

A. According to Article 5(1) of the Service Use Terms and Conditions, the service contract between Defendant SK Communications Co., Ltd. (hereinafter “Defendant SK Communications”) and the customer is formed upon the customer’s consent to the terms and conditions and the Privacy Policy and Defendant SK Communications’s approval of the application for use.

B. Article 23(2) of the Service Use Terms and Conditions provides that “the Company shall establish and operate a security system to protect members’ information, and shall publicly notify and comply with its Privacy Policy.” In addition, the Privacy Policy provides that the Company “shall establish and operate the technical and administrative measures necessary to ensure safety in the handling of member information.”

C. Article 28(1)2 of the former Information and Communications Network Act and Article 15(2)2 of the former Enforcement Decree provide that a provider of information and communications services shall install and operate an intrusion blocking system and an intrusion detection system to block unlawful access to the personal information processing system.

D. In addition, Article 4(5)1 and 2 of the instant notice provide that, in order to prevent unlawful access and intrusion through the information and communications network, a provider of information and communications services shall install and operate a system with functions that restrict unauthorized access to the personal information processing system by limiting access by IP address, etc., and that detect unlawful attempts to leak personal information by analyzing the IP addresses, etc. connected to the personal information processing system.

E. Accordingly, at the time of the instant hacking incident, Defendant SK Communications installed and operated an intrusion blocking system, namely firewalls that restricted unauthorized access by limiting access to the personal information processing system by IP address, etc., and an intrusion detection system that detected unlawful attempts to leak personal information by analyzing the IP addresses, etc. connected to the personal information processing system.

F. In addition, Defendant SK Communications installed and operated a DLP (Data Loss Prevention) solution (hardware or software that blocks and prevents the leakage of confidential or important information; hereinafter “DLP solution”). It is a data leakage prevention system that detects, blocks or logs attempts to send electronic documents and data stored on users’ PCs outside the organization, thereby preventing data leakage, and that provides monitoring and tracking functions.

G. The DLP solution could identify files containing information of specific patterns, such as names, addresses, telephone numbers, e-mail addresses, resident registration numbers and account numbers, and had functions such as sending a warning to the administrator or blocking the transfer when such information was leaked more than a certain number of times.

H. At the time of the instant hacking incident, the hacker intruded into Defendant SK Communications’s database server, extracted the personal information into a dump file, compressed it, and then transmitted the personal information file to China via a relay site using the File Transfer Protocol (FTP).

I. The dump file contained unencrypted names, addresses, telephone numbers, e-mail addresses, etc. However, the DLP solution had a program error (bug) that prevented it from detecting the leakage of personal information such as names, addresses, telephone numbers and e-mail addresses when a file was sent by executing an FTP command at the command prompt (the so-called DOS window), which was the method the hacker used at the time of the instant hacking incident.

J. Meanwhile, at the time of the instant hacking incident, installing a DLP solution was not a technical measure commonly used among business operators in the same industry as Defendant SK Communications.
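The detection logic described in paragraphs F through I, as an added example that is not part of the judgment and not the code of any vendor’s product: a pattern-based scan for Korean resident registration numbers (with check-digit validation), mobile numbers and e-mail addresses, with alert and block thresholds, applied to the content of a dump regardless of whether it is compressed and regardless of the channel that carries it. The regular expressions, the thresholds, the channel names, the `inspect_transfer` hook and the sample records are all assumptions made for this illustration.

```python
"""Pattern-based personal-information scan of the kind the judgment attributes to
the DLP solution (paragraphs F to I). Added example for illustration; not code
from the judgment or from any vendor's product. Patterns, thresholds, channel
names and sample records are assumptions."""
import gzip
import re
from dataclasses import dataclass

# Korean resident registration number: YYMMDD-GNNNNNN, hyphen optional.
RRN_RE = re.compile(r"(?<!\d)\d{6}-?[1-8]\d{6}(?!\d)")
# Korean mobile number (01x-xxx(x)-xxxx), hyphens optional.
PHONE_RE = re.compile(r"(?<!\d)01[016789]-?\d{3,4}-?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

RRN_WEIGHTS = (2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5)

# Assumed thresholds: warn the administrator at ALERT_AT records of one kind,
# block the transfer at BLOCK_AT.
ALERT_AT = 3
BLOCK_AT = 10

AUDIT_LOG = []  # (channel, action, counts): the monitoring/tracking record


def rrn_checksum_ok(rrn: str) -> bool:
    """Validate the RRN check digit (weighted sum mod 11) so that arbitrary
    13-digit strings are not counted as leaked identifiers."""
    digits = [int(c) for c in rrn if c.isdigit()]
    if len(digits) != 13:
        return False
    total = sum(d * w for d, w in zip(digits[:12], RRN_WEIGHTS))
    return (11 - total % 11) % 10 == digits[12]


@dataclass
class ScanResult:
    counts: dict
    action: str  # "allow", "alert" or "block"


def scan_payload(data: bytes) -> ScanResult:
    """Inspect the content that is leaving, not the transport that carries it.
    A gzip-compressed dump (paragraph H) is expanded before matching."""
    if data[:2] == b"\x1f\x8b":  # gzip magic
        data = gzip.decompress(data)
    text = data.decode("utf-8", errors="replace")
    counts = {
        "rrn": sum(1 for m in RRN_RE.finditer(text) if rrn_checksum_ok(m.group(0))),
        "phone": len(PHONE_RE.findall(text)),
        "email": len(EMAIL_RE.findall(text)),
    }
    worst = max(counts.values())
    if worst >= BLOCK_AT:
        action = "block"
    elif worst >= ALERT_AT:
        action = "alert"
    else:
        action = "allow"
    return ScanResult(counts, action)


def inspect_transfer(data: bytes, channel: str) -> str:
    """Egress hook. Every outbound path (GUI FTP client, command-line ftp, HTTP
    upload, ...) must call the same scanner; paragraph I describes, in effect,
    a path on which detection did not run. The channel is only recorded."""
    result = scan_payload(data)
    AUDIT_LOG.append((channel, result.action, result.counts))
    return result.action


# Constructed sample dump (fictitious records; the third RRN has a bad check digit).
SAMPLE_DUMP = b"""id,name,rrn,phone,email,address
1,Hong Gildong,900101-1234568,010-1234-5678,hong@example.com,Seoul
2,Kim Cheolsu,850315-2000007,010-9876-5432,kim@example.org,Busan
3,Lee Younghee,900101-1234567,011-222-3333,lee@example.net,Daegu
"""
SAMPLE_DUMP_GZ = gzip.compress(SAMPLE_DUMP)  # the compressed form described in paragraph H

if __name__ == "__main__":
    for channel, payload in (("ftp-gui", SAMPLE_DUMP), ("ftp-cli", SAMPLE_DUMP_GZ)):
        print(channel, inspect_transfer(payload, channel), AUDIT_LOG[-1][2])
```

The two calls at the bottom reach the same decision for the raw and the compressed dump and for both channel names, which is the property the bug in paragraph I lacked: detection was tied to how the file was sent rather than to what the file contained.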

3. We examine these facts or circumstances in light of the legal principles as seen earlier.

A. First, the allegation in the grounds of appeal that there was no program error (bug) in the DLP solution installed and operated by Defendant SK Communications at the time of the instant hacking incident merely disputes the selection of evidence and the fact-finding, which fall within the exclusive authority of the lower court, and therefore cannot be a legitimate ground of appeal.

B. Next, we examine the remaining grounds of appeal.

At the time of the instant hacking incident, Defendant SK Communications, a provider of information and communications services, had installed and operated an intrusion blocking system and an intrusion detection system pursuant to the relevant laws and regulations, including the instant notice, in order to prevent unlawful access and intrusion through the information and communications network, and those systems included the functions prescribed in Article 4(5)1 and 2 of the instant notice. In addition, Defendant SK Communications had installed and operated a DLP solution, a data leakage prevention system. In light of the contents of the service terms and conditions, the level of information security technology, the level of hacking technology, and the likelihood of avoiding the damage given the state of development of information security technology, etc., the fact that Defendant SK Communications failed to detect the leakage of personal information does not mean that it failed to take the protective measures reasonably expected under social norms at the time of the instant hacking incident. Therefore, it is difficult to deem that Defendant SK Communications breached its contractual or statutory duty to take the protective measures necessary to ensure the safety of personal information.

Although the reasoning of the lower judgment is somewhat inappropriate, the lower court did not, contrary to what is alleged in the grounds of appeal, err by misapprehending the legal doctrine on the duty to protect personal information under the service terms and conditions, or by exceeding the bounds of the principle of free evaluation of evidence in violation of logical and empirical rules, in a way that affected the conclusion of the judgment.

4. Therefore, all appeals are dismissed, and the costs of appeal are assessed against the losing party. It is so decided as per Disposition by the assent of all participating Justices on the bench.

Justice Park Jae-young

Justice Kim Shin

Justice Park Sang-ok

Presiding Justice Lee Ki-taik

Justice Park Il-san