beta
(영문) 대법원 2018. 1. 25. 선고 2015다24904, 24911, 24928, 24935 판결

[손해배상(기)·손해배상(기)·손해배상(기)·손해배상(기)]〈네이트·싸이월드 회원들의 개인정보 유출로 인한 손해배상 청구사건〉[공2018상,491]

Main Issues

[1] Standard for determining whether a provider of information and communications services breached his/her legal or contractual duty to take necessary protective measures under Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. or information and communications services contract

[2] Where a provider of information and communications services took technical and administrative protective measures as stipulated in the “Standards for Technical and Administrative Protective Measures for Personal Information” (Korea Communications Commission Notice No. 2011-1), whether such provider may be deemed to have breached his/her legal or contractual duty to take necessary protective measures to ensure the safety of personal information (negative in principle), and where the provider of information and communications services, even if the provider took technical and administrative protective measures as stipulated in the said notice, is deemed to have committed an unlawful act or is liable under Article

[3] In a case where Gap corporation, which provides portal service on the Internet, disclosed the personal information of its members who joined the online service provided by Gap corporation, and Eul et al. claimed damages against Gap corporation, the case holding that Gap corporation's liability for damages is not acknowledged since there is no proximate causal relation between the non-performance of the above protective measures and the occurrence of hacking accident since the information and communications service provider's act of allowing the personal information handler who connected the information processing system to log out after the completion of work

Summary of Judgment

[1] Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 11322, Feb. 17, 2012; hereinafter “former Information and Communications Network Act”) provides that a provider of information and communications services shall take technical and administrative measures to prevent the loss, theft, leakage, alteration, or damage of personal information when he/she handles personal information in accordance with the standards prescribed by Presidential Decree. Furthermore, the aforementioned provision provides that “1. Establishment and implementation of an internal management plan to safely handle personal information; 2. Establishment and implementation of an internal management plan to prevent illegal access to personal information; 3. Installation and operation of an access control device; 4. Measures to prevent fabrication and alteration of access records; 5.00 new software for safe storage and transmission of personal information; 6. Other necessary protective measures to ensure safety of personal information; and, in accordance with Article 28(1) of the former Information and Communications Network Act, a provider of information and communications services delegated with the duty to take technical and administrative measures to ensure safety of personal information.

Furthermore, if a provider of information and communications services collected personal information, such as personal information, from a user who intends to use information and communications services upon request through the terms and conditions of use, etc., the provider of information and communications services is obligated under the information and communications services contract to take necessary protective measures to prevent loss, theft, leakage, alteration, or damage to the user’s personal information collected as above.

However, networks, systems, and operating systems, etc., which are performed through the Internet with the characteristic of “openness” by information and communications services, are inevitably exposed to unlawful intrusion, such as so-called “hacker,” etc., and it is not easy to expect perfect security, considering the speed of technological development or overall transaction cost, etc. of society. Furthermore, hackers, etc. intrudes on the information and communications service provider’s information and communications network and its related information system by means of bypassing or nullifying security measures taken by the information and communications service provider through various means of attacking the information and communications service provider’s information and communications network and its related information system, and security technology to prevent hackers’ intrusion is generally implemented by means of ex post response to new attack methods. As such, special circumstances need to be considered regarding necessary protective measures to be taken by the information

Therefore, in determining whether a provider of information and communications services breached a legal or contractual duty to take necessary protective measures to ensure the safety of personal information under Article 28(1) of the former Information and Communications Network Act or a contract for the use of information and communications services, the determination shall be based on whether the provider of information and communications services took protective measures to the extent reasonably expected by social norms at the time of hacking, etc., by comprehensively taking into account the following: (a) level of information security technology generally known at the time of hacking and other intrusion; (b) type of business and scale of business of the provider of information and communications services; and (c) overall security measures taken by the provider of information and communications services; (d) the degree of economic costs and utility necessary for information security; (e)

[2] Article 15(6) of the former Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Presidential Decree No. 23104, Aug. 29, 201) provides that “The Korea Communications Commission shall determine and publicly notify the matters provided for in paragraphs (1) through (5) and other specific criteria for measures necessary to ensure the safety of personal information pursuant to Article 28(1)6 of the Act.” Accordingly, “Standards for Technical and Administrative Measures for Personal Information (Notice of the Korea Communications Commission; hereinafter “Public Notice”) formulated by the Korea Communications Commission” (see Article 2011-1; hereinafter “Public Notice”) is difficult to deem that a provider of information and communications services has breached the contractual obligation to take technical and administrative protective measures, etc., under Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Act No. 11322, Feb. 17, 2012). Therefore, if a provider of information and communications services provided technical and administrative measures.

However, it is reasonable to view that an information and communications service provider has set the minimum standard to be observed. Therefore, even if a provider of information and communications services took technical and administrative protective measures as stipulated in the notice, it may be assessed as an illegal act if the provider of information and communications services could have easily anticipated that the provider of information and communications services should comply with such measures, and failed to take reasonable and anticipated protective measures in light of social norms. Furthermore, even if a provider of information and communications services took technical and administrative protective measures as stipulated in the notice, it may not be exempt from liability under Article 760(3) of the Civil Act, if the provider of information and communications services was aware of a tort committed by another person in breach

[3] In a case where Gap corporation engaged in portal service online disclosed personal information of its members who joined the online service provided by Gap corporation as a hacking accident, and Eul et al. claimed damages against Gap corporation, the case holding that Gap corporation's liability for damages can not be exempted as joint tortfeasor because it violated the duty of care not to assist the illegal act, and if proximate causal relation between the aiding and abetting act and the illegal act of the service user and Eul et al. were acknowledged, since it does not fall under the technical and administrative protective measures provided by the "Standards for Technical and Administrative Protective Measures of Personal Information" (Korea Communications Commission Notice No. 2011-1) but it can be easily expected that the information and communications service provider should comply with such protective measures, and since the information and communications service provider's failure to take such protective measures and allowing a third party who did not have access authority to the information processing system to engage in the theft of personal information, and thus, it cannot be acknowledged that there was reasonable causal relation between the above aiding and abetting act and the unlawful act of the service provider at the time of hacking accident.

[Reference Provisions]

[1] Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Presidential Decree No. 11322, Feb. 17, 2012); Article 15 of the former Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Presidential Decree No. 23104, Aug. 29, 201); Article 390 of the Civil Act / [2] Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Act No. 1132, Feb. 17, 2012); Article 15 of the former Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Presidential Decree No. 23104, Aug. 29, 201); Article 390, 750, and 760(3) of the Civil Act / [3] Article 2013 of the former Enforcement Decree of the Act on Promotion of Information and Information Protection, Etc.

Reference Cases

[1] [2] Supreme Court Decision 2013Da4394, 44003 decided Feb. 12, 2015 (Gong2015Sang, 453) / [2] Supreme Court Decision 2005Da32999 decided Jun. 14, 2007 (Gong2007Ha, 1045)

Plaintiff (Appointed Party) and appellant

Plaintiff (Appointed Party) 1 and 3 others (Law Firm Min-young, Attorneys Choi Jong-soo et al., Counsel for the plaintiff-appellant)

Defendant-Appellee

KS Communications Co., Ltd. (Attorneys Kang Jong-tae et al., Counsel for the defendant-appellant)

Judgment of the lower court

Seoul High Court Decision 2013Na20047, 20054, 20061, 20078 decided March 20, 2015

Text

All appeals are dismissed. The costs of appeal are assessed against the plaintiffs (appointed parties) and the appointed parties.

Reasons

The grounds of appeal are examined (to the extent of supplement in case of supplemental appellate briefs not timely filed).

1. As to the assertion that the application for resumption of pleading was illegally rejected

A. In principle, the issue of whether to accept an application for resumption of oral proceedings when the parties filed an application for resumption of oral proceedings to submit arguments and evidence after the closing of oral arguments belongs to the court’s discretion. However, as the parties who filed the application for resumption of oral proceedings failed to properly obtain an opportunity to submit arguments and evidence due to the reasons that it is difficult to impose their responsibility before the closing of oral arguments, and the subject matter of such assertion and certification constitutes an open fact-finding fact that can determine the outcome of the judgment, the court is obliged to resume oral proceedings and continue deliberation in a case where it goes against the procedural justice pursued by the Civil Procedure Act (see Supreme Court Decision 2010Da20532, Oct. 28, 2010, etc.).

B. The record reveals the following circumstances.

(1) The Plaintiff (Appointed Party; hereinafter “Plaintiff”) filed a lawsuit against the chief prosecutor of the Seoul Central District Prosecutor’s Office seeking revocation of a disposition rejecting information disclosure of the investigation records related to the instant hacking incident, which became final and conclusive after the closing of argument in the lower court.

(2) Accordingly, the Plaintiffs filed an application for resumption of pleadings to submit part of the investigation records which became possible to peruse and copy only as evidence.

(3) In addition, the Plaintiffs submitted as reference materials the daily security control report prepared by the employees of the Kanby Co., Ltd. Co., Ltd. in the first instance trial (hereinafter “Yanby”), traffic-related materials submitted by the Defendant to the police, and Nonparty 1’s statement of the police, who is an employee of the Defendant’s database technology team, etc. In that regard, the Plaintiffs sought to assert and prove that, at the time of the instant hacking incident, the leakage of large volume files that far exceeded the ordinary level of view at the time of the instant hacking incident, and that rap reported it to the Defendant immediately, and that Nonparty 1 did not have access to the Lanbybya server.

(4) However, the lower court declared the lower judgment without resumption of pleading.

C. We examine these circumstances in light of the legal principles as seen earlier.

Since the plaintiffs can peruse and copy the investigation records including the above daily security control report only after the closing of argument in the court below, they were unable to properly obtain the opportunity to present arguments and evidence due to the reasons that are difficult to impose responsibility on the plaintiffs. However, in full view of the following circumstances, it is difficult to view that the subject of the argument and certification is an objective fact-finding that can determine the outcome of the judgment, and otherwise, it is difficult to find out any circumstances that holding the plaintiffs a judgment against them without providing the plaintiffs an opportunity to present their arguments and evidence, which contradicts the procedural justice pursued by the Civil Procedure Act.

(1) At the time of the instant hacking incident, the Plaintiffs asserted that traffic volume has already occurred due to file transmission pursuant to the file transfer protocol (FTP) at the time of the instant hacking incident, and Nonparty 1 had no authority to access the trademark server, prior to the closing of argument in the lower court.

(2) On July 26, 201, from 05:40 to 05:50 on July 26, 201, at the time of the instant hacking incident, the traffic volume at the bottom of ○○ Borrowing increased by 15 times more than the normal level, which is anticipated by the electronic file transmission, and it is necessary to verify communications using the FTP No. 21 at the time of the traffic increase.

(3) However, at the time of the instant hacking incident, the hacker intruded into the Defendant’s database server in which the personal information of the hacker and hacker users was stored (hereinafter “DB”), and created and compresseded the users’ personal information into a hump file, and the file capacity was lower than 10GB. Moreover, the point at which the hacker was released from the hacker’s computer via the FTP and then transmitted the file to the outside is inconsistent with the point at which traffic increase as stated in the said daily report.

(4) Meanwhile, there are parts of the statement statement by Nonparty 1 to the effect that the database server managed by himself does not have access to the database.

(5) However, there are parts of the above statement statement to the effect that Nonparty 1’s data base that he manages is unable to memory his name, etc. In addition, the lower court found that Nonparty 1’s data server connected to the pertinent DB server was connected with the EB server, and Nonparty 1 was in charge of the Eblus DB server, and thus Nonparty 1 was able to access the Eblus database on the computers of Nonparty 1. However, at the time of the preparation of the above statement, it did not directly examine whether Nonparty 1 was authorized to access the Eblus DB server.

D. Therefore, since the plaintiffs' application for resumption of pleadings cannot be deemed to meet the exceptional requirements to resume pleadings and continue the hearing, the court below's rejection of the application cannot be deemed to have erred by law or procedural violation as alleged in the grounds of appeal.

2. As to the assertion that he/she violated an explanation or intellectual duty

A. The gist of this part of the grounds of appeal is as follows.

The lower court did not provide the Plaintiffs with an opportunity to state their opinions regarding the omission of notification or confirmation to the effect that the personal information was leaked by each of the designated parties listed in the [Attachment 1] List Nos. 1 through 17, 1800 through 2241, 2653 through 2827, and 2855 through 2882 (hereinafter “part of the designated parties”). Nevertheless, the lower court dismissed some of the designated parties’ claims on the ground that there was no evidence to acknowledge that the personal information of certain designated parties was leaked due to the instant hacking incident. Accordingly, there was an error of failing to perform the duty to explain or point out under Article 136(4) of the Civil Procedure Act.

B. In a case where it is evident that the parties concerned were not proven due to negligence or misunderstanding, or where there is no explicit dispute between the parties as to the matter that may be a issue, the court shall request an explanation and urge the parties to testify. If the court seeks to determine the propriety of the claim on the grounds of a legal point that the parties could not be aware of or could not have anticipated, it shall give the parties an opportunity to state their opinions regarding the legal point of view. It is unlawful that the court’s failure to perform its duty of explanation and failure to properly conduct a trial due to a trial other than anticipated trials is illegal (see Supreme Court Decision 2006Da50338, Sept. 11, 2008, etc.).

C. According to the records, the plaintiffs submitted a letter of party appointment by classifying the designated parties with evidentiary data on the leakage of personal information at the time of the filing of the lawsuit in this case and the designated parties, and since the defendant submitted a written reply seeking a dismissal judgment, the facts alleged by the plaintiffs have been completely denied. Therefore, it is difficult to deem that the failure to prove due to negligence or misunderstanding is evident or that there is no clear dispute between the parties as to the issues. Therefore, even if the court below did not ask the plaintiffs for explanation or confirmation as to the omission of notification or confirmation to the effect that the personal information of certain designated parties was leaked, it cannot be deemed that there was an error of violating the duty of tin or intellectual duty, as alleged in the grounds of appeal.

3. As to the remaining grounds of appeal

A. (1) Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 11322, Feb. 17, 2012; hereinafter “former Information and Communications Network Act”) provides that a provider of information and communications services shall take technical and administrative protective measures to prevent loss, theft, leakage, alteration, or damage of personal information when he/she handles personal information in accordance with the standards prescribed by Presidential Decree. In addition, the said provision provides that “1. Establishment and implementation of an internal management plan to safely handle personal information; 2. Establishment and implementation of an internal management plan to prevent illegal access to personal information; 3. Installation and operation of an access control system to prevent fabrication and alteration of access records; 4. Measures to safely store and transmit personal information; 5. 6. Other necessary protective measures to secure safety of personal information, such as installation and operation of back-to-date software; and accordingly, the provider is obligated to take technical and administrative measures necessary for ensuring safety of personal information under Article 28(1)28(1) of the former Information and Communications Network Act.

Furthermore, if a provider of information and communications services collected personal information, such as personal information, from a user who intends to use information and communications services upon request through the terms and conditions of use, etc., the provider of information and communications services is obligated under the information and communications services contract to take necessary protective measures to prevent loss, theft, leakage, alteration, or damage to the user’s personal information collected as above.

(2) However, inasmuch as information and communications services are performed through the Internet with the characteristic of “openness” and networks, systems, operation systems, etc. established by information and communications service providers inevitably have inherent inherent vulnerability, it is difficult to expect that complete security should be exposed to illegal intrusion, such as so-called “hacker,” and that it is not easy to expect considering the speed of technological development or overall transaction cost, etc. of society. Furthermore, hackers, etc. intrudes on the information and communications networks and related information systems of information and communications service providers by means of bypassing or nullifying security measures taken by the information and communications service providers through various attacking methods, and security technologies to prevent hackers’ intrusion are generally made by means of ex post responding to new attack methods. Such special circumstances need to be considered regarding protective measures necessary for securing the safety of personal information to be taken by information and communications

Therefore, in determining whether a provider of information and communications services breached a legal or contractual duty to take necessary protective measures to ensure the safety of personal information under Article 28(1) of the former Information and Communications Network Act or a contract for the use of information and communications services, the determination shall be based on whether the provider of information and communications services has taken protective measures to the extent reasonably expected by social norms at the time of hacking, etc., by comprehensively taking into account the following: (a) the level of information security technology generally known at the time of hacking and other intrusion; (b) the type of business and scale of business of the provider of information and communications services; and (c) overall security measures taken by the provider of information and communications services; (d) the economic cost and utility necessary for information security; (e)

(3) In particular, Article 15(6) of the former Enforcement Decree of the Information and Communications Network Act provides that “The Korea Communications Commission shall determine and publicly notify the matters prescribed in paragraphs (1) through (5) and other specific criteria for protective measures necessary to ensure the safety of personal information pursuant to Article 28(1)6 of the Act.” Accordingly, the criteria for technical and administrative protective measures of personal information formulated by the Korea Communications Commission (Korea Communications Commission Notice No. 2011-1; hereinafter “instant public notice”) specifically provides for technical and administrative protective measures to be taken by a provider of information and communications services pursuant to Article 28(1) of the former Information and Communications Network Act, taking into account the level of technology at the time of hacking or other intrusion. Therefore, if a provider of information and communications services took technical and administrative protective measures stipulated in the instant public notice, barring special circumstances, it is difficult to deem that the provider of information and communications services breached legal or contractual obligations to take necessary protective measures to ensure the safety of personal information (see, e.g., Supreme Court Decision 2013Da403).

(4) However, it is reasonable to view that the instant public notice has set the minimum standard to be observed by the provider of information and communications services. Therefore, even if the provider of information and communications services took technical and administrative protective measures as stipulated in the instant public notice, it may be assessed as an illegal act if the provider of information and communications services could have easily anticipated that the provider should take such measures and failed to take reasonably expected protective measures in light of social norms. Furthermore, even if the provider of information and communications services took technical and administrative protective measures as stipulated in the instant public notice, if the provider of information and communications services breached the duty of care not to assist in the illegal act, thereby facilitating other person’s illegal act, and proximate causal relation is acknowledged between the aiding and abetting act and the victim’s damages caused by the illegal act, liability under Article 760(3) of the Civil Act cannot be exempted (see, e.g., Supreme Court Decision

B. On the grounds delineated below, the lower court rejected the Plaintiffs’ assertion that “the Defendant, a provider of information and communications services, failed to take technical and administrative protective measures stipulated in Article 4(4) and (5) of the Notice, and breached the legal or contractual duty to take necessary protective measures to ensure the safety of personal information.”

(1) As to the technical and administrative protective measures under Article 4(4) of the Notice of this case

(A) Article 4(4) of the instant notice provides that “A provider of information and communications services, etc. shall apply safe means of certification, such as an authorized certificate, if a personal information handler needs to access the personal information processing system outside through an information and communications network.”

(B) The entire network can be seen as a single internal network if the network connects the two spatial network located far from a place via a virtual commercial network (Virtual PVN network, a virtual network technology that guarantees safe communications, such as private networks, by establishing a virtual network and a virtual network that provides a virtual network (hereinafter “VPN”). The connection of one network from such internal network to the other network does not constitute “the connection to the personal information processing system from an external network” as stipulated in Article 4(4) of the Notice of this case.

(C) The computers of Nonparty 2, a personal information handler, etc. are located in the Seodaemun-gu Seoul Metropolitan Government △△dong building located in the Defendant’s office, and the pertinent database, etc. are located in the Internet Data Center located in Seongdong-gu Seoul Metropolitan Government ○○○○○dong (hereinafter “IDC”). However, the Defendant connects the network and IDC to VPN.

(D) Therefore, Article 4(4) of the instant public notice does not apply to the instant hacking incident, not directly connected to the ○○○○dong, which is an individual information processing system, from the outside of the Internet network, but into the computers of Nonparty 1 and Nonparty 2, located in △ Building, and connected to the server of the instant case via VPN, such as normal connection route, on the computers.

(2) As to the technical and administrative protective measures under Article 4(5) of the Notice of this case

(A) Article 15(2)2 of the former Enforcement Decree of the Information and Communications Network Act provides for the installation and operation of a system for blocking intrusion and a system for detecting intrusion to block illegal access to the personal information processing system as one of the protective measures.

(B) Accordingly, Article 4(5) of the Notice of this case provides that a provider of information and communications services, etc. shall establish and operate a system that restricts access to the personal information processing system by restricting access to IP addresses, etc. to prevent illegal access and intrusion via an information and communications network (Article 4(5) of the Notice of this case, including the function of detecting illegal personal information leakage attempts (Article 4(2)), and “a system including the function of detecting illegal personal information leakage attempts by analyzing IP addresses, etc. connected to the personal information processing

(C) In light of the contents and purport of the above provisions, it is difficult to deem that the establishment and operation of a database (DLP solution) with a function to real-time monitoring information leaked from the pertinent database, or to detect, block, monitor, and track the external leakage of electronic documents and data stored on the user’s computer. It is also difficult to deem that the aforementioned provision provides for the installation and operation of a database (DLP solution) with a function to block and prevent the leakage of confidential or important information.

(D) Also, it is difficult to view that the technical and administrative protective measures that the Defendant is obliged to observe include real-time monitoring of information leaked in the personal information processing system in the technical and administrative protective measures for the protection of personal information under the Information and Communications Network Act.

(E) Even if the Defendant was obligated to carry out real-time monitoring of large volume traffic and FTP file transmission, or to install and operate a DLP solution, the evidence submitted by the Plaintiffs alone is insufficient to find that the Defendant violated technical and administrative measures to detect abnormal signs by real-time monitoring of traffic and FTP file transmission through the intrusion detection system and DLP solution, and there is no other evidence to acknowledge otherwise.

(3) As to Article 4(5)1 of the Notice of this case

(A) In order to access the pertinent database, access to the database should first be made through the VPN. However, the Defendant took measures to limit the IP address available to the database to the IP address of a computer used by the employees who are entitled to access the database, and to limit the IP address available to the database to the IP address of the computer used by the employees who are entitled to access the database, and to make it possible to access the database or the database through the IP address not permitted by limiting the IP address available to the IP address of the database.

(B) The instant piracy had already obtained the ID and password of Nonparty 2, a manager of the instant DB server, using the Round server via a keyging unit (a hacking method, e.g., a user’s entry into a kid computer). Therefore, it cannot be deemed that the Defendant had a duty to prevent the access by recognizing that the pertinent act was commenced from the first Nonparty 1’s computer at the stage after the Roundg server, or that the Defendant violated the technical and administrative protective measures to block illegal access to personal information.

(4) As to the fact that a personal information manager did not either logouts or set up automatic logouts at the time of retirement.

(A) The evidence submitted by the Plaintiffs alone is insufficient to recognize that the manager of the DNA server at the time of the instant hacking incident was obligated to either log out or set the automatic logout time after the completion of the work, and there is no other evidence to acknowledge otherwise.

(B) Since hacker had already obtained the ID and password of Nonparty 2, a manager of the pertinent DB server through a keyging, it seems that Nonparty 1 could have used Nonparty 2’s ID and password to use the pertinent DB server at any time, regardless of whether Nonparty 1 was hacker out from his own computer.

(C) Therefore, it cannot be deemed that there was negligence in violation of the technical and administrative protective measures under the Information and Communications Network Act and subordinate statutes, or there was a proximate causal relationship between the occurrence of the instant hacking accident, on the grounds that Nonparty 1 did not automatically set the streetout from his own computer for business purposes when he retired.

(5) As to the use of the FTPP

(A) Article 26(4) of the Defendant’s Personal Information Protection Work Guidelines provides that “A security establishment shall be made to make it impossible to access personal information access PC, and security vulnerable services, such as telnet and ftp services, shall not be provided.” (NUL access refers to access to the system without obtaining user certification).

(B) Article 2 of the former Information and Communications Network Act provides for the establishment of security, such as the removal of unnecessary protocols and services, with the details of protective measures specified in [Attachment Table 1] 2.2.8 (Access Control and Security Management). However, subject to the foregoing provision, the subject of removal of unnecessary protocols, etc. is major information and communications service providers, Internet connection service providers, and integrated information and communications facility operators. However, given that the Defendant does not fall under each of the above operators, the Defendant does not ultimately bear any legal obligation to delete the FTP program from the server manager’s computer.

(C) Article 26(4) of the Defendant’s Personal Information Protection Work Guidelines prohibits the act of providing FTP services in a personal information access PC, that is, the act of setting up a personal information access PC as a FTP server. However, the instant hacking incident is the case where the instant hacking incident transmits personal information using a personal information access PC as a FTP cleanra, and thus, it cannot be deemed that the instant hacking incident violated Article 26(4) of the Personal Information Protection Work Guidelines.

(D) It is difficult to readily conclude that the Defendant breached its duty of care solely on the fact that the Defendant used the FTP program to transmit large amounts of information, as long as it is possible to transmit such information using various programs or methods, such as the Meart Meet, large-scale web mail service, web server service, simple e-mail transmission protocol, etc.

C. First, we examine the lower court’s determination on the fact that a personal information manager did not log out at the time of retirement or did not set the automatic logout function. In light of the legal doctrine as seen earlier, allowing a personal information controller connected to an information processing system to log out after the completion of the work is not deemed technical and administrative measures stipulated in the instant public notice, but constitutes measures that can be easily anticipated that the provider of information and communications services should comply with, and reasonably expected measures under social norms and social norms. Furthermore, if a provider of information and communications services, by failing to take such protective measures, allows a third party, who did not have access to the information processing system, to easily access to the information processing system and perform the act of theft, etc., of personal information, it violates the duty of care not to assist in tort. If proximate causal link is acknowledged between the act of aiding and abetting and the act of aiding and abetting the victim, the provider cannot be exempt from liability as joint tortfeasor.

Therefore, it is inappropriate in the judgment of the court below that the provider of information and communications services does not bear the above protective measures solely on the ground that the notice of this case does not provide for such protective measures. However, considering the records, considering the reasoning of the judgment below, it seems that, regardless of whether Nonparty 1 was using Nonparty 2’s ID and password, the manager of the pertinent DB server through the LB server, as Nonparty 1 had already obtained the ID and password from his own computer, it would have been able to go to the DB server of this case by using the LB server at any time, regardless of whether Nonparty 1 had log out from his own computer. Accordingly, the court below rejected the Plaintiffs’ assertion as to the non-performance of the above protective measures, contrary to what is alleged in the grounds of appeal, it did not err by misapprehending the legal principles on tort and proximate causal relation under Article 750 of the Civil Act, thereby affecting the conclusion

In addition, in light of the aforementioned legal principles and the record, the remaining part of the judgment of the court below did not err by interpreting the instant notice, as otherwise alleged in the grounds of appeal.

4. Conclusion

Therefore, all appeals are dismissed, and the costs of appeal are assessed against the losing party. It is so decided as per Disposition by the assent of all participating Justices on the bench.

[Attachment] List of Appointeds: Omitted

Justices Kim Shin (Presiding Justice)

본문참조조문