beta
(영문) 서울고등법원 2018. 2. 2. 선고 2016나2090012, 2016나2090029(병합), 2016나2090036(병합) 판결

[손해배상(기)][미간행]

Plaintiff, Appellant

Attached 1-1, 2-1, 3, 3-1-1 list is as shown in Attached 1-1, 2-1, 3-1. (Attorneys Lee E-Support et al., Counsel for

Plaintiff, Appellant and Appellant

Plaintiff 1 and one other (Attorney Kim Jae-sung, Counsel for the plaintiff-appellant)

Plaintiff and appellant

Plaintiff 3 and one other (Attorney Kim Jae-sung, Counsel for the plaintiff-appellant)

Defendant, appellant and appellee

Lawing Card Co., Ltd. (Attorney Kim Sung-sung, Counsel for the defendant-appellant)

Conclusion of Pleadings

August 16, 2017

The first instance judgment

Seoul Central District Court Decision 2014Gahap51956, 2014Gahap526255 (merged), 2015Gahap9788 (Consolidated) Decided October 13, 2016

Text

1. Of the judgment of the first instance court, the part of the plaintiffs' claims against the defendant is modified as follows.

A. The Defendant shall pay to the Plaintiffs listed in the separate sheet No. 1-1, 2-1, 3, and 3-1 each of KRW 70,00 per annum to the Plaintiffs listed in the separate sheet No. 1-1, from March 19, 2014, to the Plaintiffs listed in the separate sheet No. 2-1, from August 29, 2014, to the Plaintiffs listed in the separate sheet No. 2-1, from January 31, 2011, to the Plaintiffs listed in the separate sheet No. 3-1, from January 31, 201, from December 31, 2013 to the Plaintiff, from February 2, 2018; and 15% per annum from the following day to the date of full payment.

B. The defendant shall pay to the plaintiffs 1, 2, and 4 70,000 won each and 5% per annum from January 31, 2011 to February 2, 2018, and 15% per annum from the next day to the day of complete payment.

C. All of the plaintiffs except the plaintiff 3's claims and the plaintiff 3's remaining claims are dismissed.

2. Of the total litigation costs, the part arising between the plaintiff 3 and the defendant shall be borne by the plaintiff 3, and the remaining part arising between the plaintiffs except the plaintiff 3 and the defendant shall be borne by the above plaintiffs, and 30% by the defendant, respectively.

3. The provisional execution may be effected in accordance with the first A, and the second B.

Purport of claim and appeal

1. Purport of claim

A. The defendant shall pay to the plaintiffs listed in the separate sheet No. 1-1, 2-1 the amount of KRW 200,000 per annum from the day following the delivery of a copy of the complaint of this case to the day of the judgment of the court of first instance, and 20% per annum from the next day to the day of complete payment.

B. The Defendant shall pay to each of the Plaintiffs listed in the separate sheet No. 300,000 won and the amount equivalent to 300,000 won per annum from January 31, 2011 to the Plaintiff listed in the separate sheet No. 3-1, and 5% per annum from December 31, 2013 to the date the judgment of the first instance court is rendered, and 15% per annum from the following day to the date of full payment.

C. The Defendant shall pay to Plaintiffs 1 and 2 30,000 won each of them from January 31, 2011, 30,000 won to Plaintiff 3, and 30,000 won to Plaintiff 4 from December 31, 2013, 30,000 won per annum from January 31, 201 to the date the judgment of each party is rendered, and 5% per annum from January 31, 201 to the date of full payment, and 15% per annum from the next day to the date of full payment.

2. Purport of appeal

A. Of the judgment of the court of first instance, the part against the above plaintiffs falling under the order to pay is revoked. The defendant shall pay to plaintiffs 1 and 2 2 5% per annum from January 31, 201 to the date of the final judgment of the court of first instance, and 15% per annum from the next day to the date of full payment.

B. The judgment of the court of first instance is revoked. The defendant shall pay to the plaintiff 3 KRW 300,00 and the amount equivalent to 300,000 and the amount equivalent to 5% per annum from January 31, 201 to the date of the final judgment of each party, and 15% per annum from the next day to the date of full payment.

C. Defendant: The part against the Defendant in the judgment of the first instance is revoked, and the Plaintiffs’ claims corresponding to the revoked part are all dismissed.

Reasons

1. Basic facts, 2. The allegations and issues of the Parties

This Court's reasoning is the same as the corresponding part of the judgment of the first instance except for partial revision as follows. Thus, this Court's reasoning is acceptable in accordance with the main sentence of Article 420 of the Civil Procedure Act.

o Article 14 of the first instance court Decision No. 2 of the 14th instance court's decision, "(the representative of Plaintiff 4 submitted the screen of the personal information leakage inquiry of the said Plaintiff at the time of the trial, and thus, it can be recognized that the said Plaintiff received the power of attorney in connection with the instant lawsuit from the said Plaintiff)."

3. Whether liability for damages is established;

This Court's reasoning is the same as the corresponding part of the reasoning of the judgment of the first instance except for partial revision as follows. Thus, this Court's reasoning is acceptable in accordance with the main sentence of Article 420 of the Civil Procedure Act.

o Parts 6 to 28, 26, 6, 28, 12 of the first instance court judgment shall be added to the following:

1) Whether the Information and Communications Network Act applies

The Defendant asserts that the Information and Communications Network Act cannot be applied to information leakage accidents around April 2010, since most of the plaintiffs of this case are members who received cards as off-line card and cannot be "user" under the Information and Communications Network Act.

Article 2(1)3 of the Information and Communications Network Act provides that “The provider of information and communications services” refers to a telecommunications business operator defined in subparagraph 8 of Article 2 of the Telecommunications Business Act and a person who provides or arranges the provision of information through telecommunications services provided by a telecommunications business operator for profit.” Article 2(1)4 of the same Act refers to a person who uses information and communications services provided by a provider of information and communications services. “Personal Information” refers to information about an individual, which can be identified by his/her name, resident registration number, etc., and includes information such as codes, letters, voice, sound, video, etc. (if the information alone cannot identify a specific individual but can be identified by easily combining it with other information). However, in each of the above provisions, it does not have a premise on the first collection of personal information processed by the provider of information and communications services from the provider of information and communications services under the Information and Communications Network Act. The defendant does not provide or intermediate credit loans issued by the plaintiffs to a user or a user of information and communications services under the Information and Communications Network Act, regardless of whether the plaintiffs are entitled to pay or user information and communications services.

2) Whether the former Personal Information Protection Act applies

Around April 2010, the Defendant asserts that the aforementioned statutes are not applicable since the Defendant’s personal information leakage accident does not correspond to “public agencies” under the former Personal Information Protection Act. According to Articles 1 and 2 subparag. 1 of the former Personal Information Protection Act, and Article 2 of the Enforcement Decree of the same Act, etc., the above statutes are specified as public agencies. Article 22 of the same Act provides that individuals or organizations, other than public agencies, may present their opinions or recommend their recommendations to individuals or organizations. However, even according to the language and text thereof, individuals or organizations, other than public agencies, can not be deemed as being included in the above statutes. Accordingly, since the above statutes cannot be applied to the Defendant, the Plaintiffs’ assertion in this case premised on the Defendant’s violation of the above statutes is without merit.

3) Whether Article 9 of the Enforcement Rule of the Electronic Financial Supervision Regulations has been violated

Article 21(2) of the former Electronic Financial Transactions Act provides that “a financial institution, etc. shall comply with the standards set by the Financial Services Commission with respect to human resources, facilities, the information technology sector, such as electronic devices, and electronic financial transactions for each type of electronic financial transactions so as to ensure the safety and reliability of electronic financial transactions.” Article 9(1) of the former Enforcement Rule of the Electronic Financial Supervision Regulations (wholly amended on May 24, 2012; hereinafter the same shall apply) stating that “a financial institution or electronic financial business entity shall establish and operate measures to protect electronic data including the following, in order to prevent the leakage, destruction, etc. of electronic data.” Article 21(2) of the former Electronic Financial Transactions Act provides that “any financial institution, etc. shall regularly check the current status of possession and management of auxiliary memory media

The Defendant asserts that Article 9 of the Enforcement Rule of the Electronic Financial Supervision Regulations regulates “a auxiliary memory medium directly owned and managed by a financial institution, etc.” As such, the foregoing provision is irrelevant to a leakage accident on April 2010. However, unlike the Defendant’s assertion, the language and text of Article 9(1)7 does not necessarily impose a restriction on the financial institution that it should keep and manage the relevant auxiliary memory medium. Furthermore, even if the above language and text require the confirmation of the person in charge of inspection and management conducted periodically and continuously for a certain period of time according to the financial institution’s business needs, it is also managed in the area of the control of the financial institution. Accordingly, it is necessary to regularly check and confirm the person in charge of management by taking care of the same manner as the auxiliary memory medium directly owned by the financial institution. According to the above findings, the Defendant’s assertion that the employees at issue carried in and supervised the FDS development work for the FD and carried in the area of the Defendant’s office is not acceptable.

4) Whether provisions relating to the provision of encrypted information by customers are violated

Article 9(1) of the Enforcement Rule of the Electronic Financial Supervisory Regulations, which embodys Article 21(2) of the former Electronic Financial Transactions Act and Article 21(1) of the former Electronic Financial Transactions Act, provides that “The purpose of Article 9(1)10 is to convert and use major user information at the time of inquiry, output control and test of user information.” Meanwhile, Article 15(4) of the Enforcement Decree of the Information and Communications Network Act provides that “the provider of information and communications services or similar shall take the following security measures so that personal information can be safely stored and transmitted.” Article 2(2) provides that “the encryption storage of financial information, such as resident registration numbers and account information,” and Article 9(1)10 of the former Enforcement Rule provides “other security measures using encryption technology” respectively.

In light of the above provisions, the Defendant’s act of providing information on card users that was not converted to the Defendant and neglecting without managing and supervising the use thereof by reason of business necessity constitutes a violation of the Enforcement Rule of the Electronic Financial Supervision Act and Article 15(4)2 and 4 of the Enforcement Decree of the Information and Communications Network Act.

o Defendant’s customer card information leaked in December 2013 to Nonparty 18 of the first instance trial No. 29, stating that “In the case of leakage of customer information by Nonparty 3, even if the above information was distributed only among offenders and not exposed to a general third party, it should be deemed that the damage to the Plaintiff was inflicted on the Plaintiff. However, as seen earlier, Nonparty 1’s personal card information leaked in December 2013 was stored in Defendant 2,6890, which was leaked in December 2013, but was not leaked to Nonparty 2 by an investigative agency, but was not leaked to others. In light of this, it was difficult to accept Plaintiff 3’s aforementioned assertion.

4. Scope of liability for damages

A. As seen earlier, the Defendant’s management status of customer information, details of the leaked personal information, scope of dissemination and dissemination thereof, and details of ex post facto measures taken by the Defendant to prevent damage and spread of personal information leaked in this case include resident registration numbers with a permanent and continuous nature, and it is difficult to eliminate the possibility of secondary damage occurrence and expansion thereof. However, in light of the details of customer information leaked in this case or the purpose of acquiring customer information on the cards by the acquisitors, it is not so difficult to find out the possibility of property damage caused by the leakage of the leaked card or its fraudulent use, and it is difficult to view that the Defendant’s efforts to prevent the leakage of the leaked personal information was considerably limited to the Plaintiff’s 10th day prior to the occurrence of the leaked personal information, and it appears that the Defendant’s efforts to prevent the leakage of the leaked personal information by using the leaked card’s card’s 10th day on account of the fact that it appears that it would have been necessary for each customer’s personal information leaked to an unspecified number of people.

B. Therefore, the defendant is obligated to pay 70,00 won each to the plaintiffs listed in the separate sheet No. 1-1, 2-1, 3, 3-1, 3-2, and 4 as well as to the plaintiffs listed in the separate sheet No. 1-1 from March 19, 2014, the following day after the copy of the complaint is served to the defendant, and the plaintiffs listed in the separate sheet No. 2-1 from August 29, 2014, the following day after the copy of the complaint is served to the defendant; from January 31, 2011 to December 31, 2013 to the plaintiff; and from December 31, 2013 to December 25, 2015, the amount of delay damages for each of the plaintiffs listed in the separate sheet No. 2-1 shall be paid to the plaintiff at the annual rate from the next day after the judgment No. 2015% per annum No. 25, 2015.

5. Conclusion

Therefore, the remaining plaintiffs' claims except the plaintiff 3 are justified within the scope of the above recognition, and the remaining claims shall be dismissed as it is without merit, and the plaintiff 3's claims of this case shall be dismissed as it is without merit. Therefore, the judgment of the court of first instance is unfair by accepting some appeals from the plaintiff 4 and the defendant and changing the judgment of the court of first instance as above. It is so decided as per Disposition.

Judges Yang Sung-ju (Presiding Judge)

본문참조조문