This English version was translated by Legal Engine's AI translation engine. Please send feedback if any part needs correction.
(English) Supreme Court Decision 2018Da222303, 222310, 222327 Decided September 26, 2019
[Damages (Gi)·Damages (Gi)·Damages (Gi)][Gong2019Ha, 2020]
Main Issues

[1] Whether the “auxiliary storage medium” under Article 9(1)7 of the former Enforcement Rule of the Electronic Financial Supervision Regulations includes an “auxiliary storage medium” that is brought in from outside due to the financial institution’s business needs (affirmative), and whether a new storage medium, including a hard disc drive, constitutes an “auxiliary storage medium” (affirmative)

[2] The subject of the duty to protect personal information to be borne by a provider of information and communications services pursuant to Article 28(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (i.e., personal information of users using the relevant information and communications services) and the meaning of “information and communications services” as mentioned above

[3] The case holding that in a case where Gap corporation, which is engaged in issuing and managing credit cards, requested Eul corporation to provide Eul corporation with services related to the operation of the card accident analysis system, provided Eul corporation's employees with credit card members' personal information on the ground of business necessity; Byung company's employees stored and used credit card members' personal information, including stud disks in Gap company's office, and then delivered the above personal information to Eul company's office without using the stud disc without using the stud disc for business purpose; and due, Gap et al. sought compensation for damages caused by leakage of personal information against Eul company's employees, the case holding that Gap company's duty of care to prevent leakage of personal information constitutes violation of Article 9 (1) 7 of the former Enforcement Rule of the Financial Supervision Regulations, and it cannot be deemed that Gap company's employees' relationship with information and communications service providers such as Gap company was established, and thus Gap company's liability for damages was not established under the Information and Communications Network Act.

[4] In a case where personal information collected by a person who manages the personal information was divulged against the intent of the subject of information, the standard to determine whether the subject of information suffered mental damage to be compensated as consolation money, and whether the calculation of consolation money for mental suffering caused by tort constitutes the discretionary matter of the fact-finding court (affirmative)

Summary of Judgment

[1] Article 21 of the former Electronic Financial Transactions Act (wholly amended by Act No. 11814, May 22, 2013) provides that a financial institution shall exercise due care as a good manager so that it can safely process electronic financial transactions (Paragraph 1), and that it shall comply with the standards set by the Financial Services Commission with respect to the information technology sector and electronic financial transactions so as to ensure the safety and reliability of electronic financial transactions (Paragraph 2). Accordingly, Article 9 of the former Enforcement Rule of the former Electronic Financial Supervision Regulations (wholly amended by Act No. 2011-18, Oct. 10, 201; hereinafter the same) delegated by the Financial Services Commission (wholly amended by Act No. 2011-18, May 24, 2012) stipulates that “The status of possession and management of auxiliary storage media should be inspected and verified by the person in charge of management” as one of the electronic data protection measures to be formulated by a financial institution to prevent the leakage, destruction, etc. of electronic data.

The term “auxiliary storage media” includes not only those directly owned and managed by financial institutions, but also those brought from outside as a good manager to secure the safety of electronic financial transactions. This is because it is necessary for financial institutions to regularly check and confirm the current status of possession and management of the auxiliary storage media brought from outside to the outside in order for them to fulfill their duty of care as a good manager to ensure the safety of electronic financial transactions. Moreover, Article 2 of the former Electronic Financial Supervision Regulations defines auxiliary storage media, the term “the magnetic tapes, disks, diskettes, compact disks, etc.” in which “the magnetic tapes, diskettes, etc.” is merely an example. Therefore, new storage media, including the hard disc drive dyb, etc.

[2] The Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter “Information and Communications Network Act”) is a law enacted for the protection of personal information in the field of information and communications. The purpose of the personal information protection provision is to protect the subject of information as the other party using information and communications services provided by information and communications service providers. Article 28(1) of the Information and Communications Network Act provides for a legal obligation to take technical and managerial measures necessary to ensure the safety of personal information when a information and

A provider of information and communications services does not necessarily have to collect personal information from a provider of information and communications services for the first time. However, the obligation of a provider of information and communications services to take protective measures pursuant to Article 28(1) of the Information and Communications Network Act is not premised on collection and use of an unspecified number of personal information, but rather on handling personal information of users using the relevant information and communications services. Here, information and communications services refer to the act of directly providing a series of information, such as posting, transmission, lending, sharing, etc. of various information provided by the provider of information and communications services, or mediating the provider of information and

In addition, in the modern society where the means of information and communications are highly developed, most of the personal information processing is conducted through information and communications networks and information transmission occurs frequently. In light of the relationship with the individual laws that deal with personal information in each of the relevant fields, such as finance, electronic transaction, health and medical services, including the Personal Information Protection Act, and the legislative intent of the Information and Communications Network Act and the relevant regulations, all users of information and communications services, which use information and communications networks or are mediating the provision of information, cannot be deemed as users

[3] In a case where Company A, who operates business such as issuance and management of credit cards, requested Company B to provide credit card companies with services related to the credit card accident analysis system (FDS), provided Company B’s employees with credit card members’ personal information for reasons of business necessity, and Company B used Company B’s employees’ personal information by storing and using credit card members’ personal information, including office hard disks, at Company B’s office, and delivered Company A’s intent to use the personal information for loan brokerage, etc. after storing and using the above personal information, and Company B’s personal information with intent to use the personal information for business purpose and for the purpose of protecting information and communications networks under the former Act on Information and Communications Network Utilization and Information Protection and Communications Network (amended by the Enforcement Decree of the Act No. 1500, Feb. 19, 200). The case held that Company B’s employees were managed in the area of control of Company B’s personal information leakage and other information and communications services under the former Act on Information and Communications Network Protection and Communications Network Utilization and Information Protection and Information Protection (hereinafter “Act”).

[4] In a case where the personal information collected by a person who manages the personal information was leaked against the intent of the subject of information, the issue of whether the subject of information suffered mental damage to be compensated as consolation money shall be determined on a case-by-case basis, comprehensively taking into account the following: the type and nature of the leaked personal information; whether the subject of information could be identified due to the divulgence; whether the leaked personal information was perused by a third party; whether the leaked personal information was accessible or could be perused in the future; the extent to which the leaked personal information was spread; whether there was an additional possibility of infringement of legal interests; how the personal information was managed; how the personal information was leaked; and what measures were taken to prevent the occurrence and spread of the damage caused by the divulgence of personal information. Moreover, the amount of consolation money for mental suffering caused by a tort can be determined at the discretion of

[Reference Provisions]

[1] Article 21(1) and (2) of the former Electronic Financial Transactions Act (Amended by Act No. 11814, May 22, 2013); Article 2(1)2 of the former Electronic Finance Supervision Act (Amended by Act No. 2011-18, Oct. 10, 201); Article 6 of the Enforcement Rule of the former Electronic Finance Supervision Act (see Article 7 of the current Act); Article 9(1)7 of the former Enforcement Decree of the Information and Communications Network Act (wholly amended by Act No. 130, May 24, 2012); Article 13(1)5 of the former Enforcement Decree of the Information and Communications Network Act (wholly amended by Act No. 11814, May 24, 201); Article 21(1) and (2) of the former Enforcement Decree of the Information and Communications Network Act (wholly amended by Act No. 1065, Apr. 1, 2013) / [2] Article 7 of the former Information and Communications Network Regulation (former Regulation)

Reference Cases

[4] Supreme Court Decision 98Da41377 Decided April 23, 1999 (Gong1999Sang, 998); Supreme Court Decision 2011Da59834, 59858, 59841 Decided December 26, 2012 (Gong2013Sang, 219)

Plaintiff-Appellee

See the attached list of plaintiffs (Attorneys Lee He-soo et al., Counsel for the plaintiff-appellant)

Defendant-Appellant

Lawing Card Co., Ltd. (Attorneys Kim Jin-hwan et al., Counsel for the plaintiff-appellant)

Judgment of the lower court

Seoul High Court Decision 2016Na209012, 209029, 209036 decided February 2, 2018

Text

All appeals are dismissed. The costs of appeal are assessed against the defendant.

Reasons

The grounds of appeal are examined.

1. As to the third ground for appeal

A. Article 21 of the former Electronic Financial Transactions Act (wholly amended by Act No. 11814, May 22, 2013) provides that a financial institution shall exercise due care as a good manager so that it can safely process electronic financial transactions (Paragraph 1), and that it shall comply with the standards set by the Financial Services Commission with respect to the information technology sector and electronic financial transactions so as to ensure the safety and reliability of electronic financial transactions (Paragraph 2). Accordingly, Article 9 of the former Enforcement Rule of the former Electronic Financial Supervision Regulations (wholly amended by Act No. 2011-18, Oct. 10, 201; hereinafter the same) delegated by the Financial Services Commission (wholly amended by Act No. 2011-18, May 24, 2012; hereinafter the same) stipulates that “the status of possession and management of auxiliary storage media and the status of management manager of electronic financial transactions shall be inspected and verified as one of the measures for protection of electronic data to prevent the leakage, destruction, etc. of electronic data.”

The term “auxiliary storage media” includes not only those directly owned and managed by financial institutions, but also those brought from outside as a good manager to secure the safety of electronic financial transactions. This is because it is necessary for financial institutions to regularly check and confirm the current status of possession and management of the auxiliary storage media brought from outside to the outside in order for them to fulfill their duty of care as a good manager to ensure the safety of electronic financial transactions. Moreover, Article 2 of the former Electronic Financial Supervision Regulations defines auxiliary storage media, the term “the magnetic tapes, disks, diskettes, compact disks, etc.” in which “the magnetic tapes, disks, etc.” is merely an example. Therefore, new storage media, including the hard disc drive drive drum, are also the auxiliary

B. The reasoning of the lower judgment and the evidence admitted by the lower court reveal the following facts.

1) The Plaintiffs are those who use or have used credit cards, etc. upon entering into a financial transaction contract with the Defendant engaging in the business of issuing, selling, and managing credit cards, pre-paid cards, debit cards, and credit cards.

2) In 2006, the Defendant introduced a card accident analysis system (FDS) to detect abnormal transactions or fraudulent use due to theft, loss, forgery, alteration, etc. of the card, and then performed regular improvement work. The Defendant requested the FDS business operation to the FDB around October 2009, and Nonparty 1, who was an employee of boobyps, was involved in the said work as the project overall manager.

3) In April 2010, the Defendant provided the Defendant’s personal information to the booby-tra employees on the grounds of business necessity. However, around April 2010, the Defendant received a certificate of operating equipment entry only for the computer that the employees carried into the Defendant’s office for FD business, and did not grasp the quantity of the internal and external boo disks. When the employees completed work at the Defendant’s office and did not directly form or supervise the boo disc format.

4) Nonparty 1 did not thoroughly control and supervise the Defendant’s personal information stored in the hard disc brought in by the Defendant so that the personal information of the Defendant’s member could not be carried out, and around April 2010, Nonparty 1 stored and used the personal information in the Defendant’s office (including the Plaintiffs) on the hard disc for business purposes, and stored the said personal information on the Defendant’s own computer without formating the hard disc for business purposes. Around July 2010, Nonparty 1 stored the said personal information.

5) On January 201, Nonparty 1 delivered approximately KRW 2,50,00,00 to Nonparty 2, who had an intention to utilize personal information in loan brokerage business, etc., as above, the personal information in the name of approximately KRW 1,02,00 among the Defendant’s members who had deducted as above.

C. The lower court determined that: (a) around April 2010, the Hoo disc brought into Korea by the employees for work was managed in the controlled area of the Defendant according to the Defendant’s business needs; (b) the Defendant’s failure to grasp the quantity of the Hoo disc or conduct or supervise format work constitutes a violation of Article 9(1)7 of the former Enforcement Rule of the Electronic Financial Supervision Regulations.

Examining the above facts in light of the legal principles as seen earlier, the lower court did not err by misapprehending the legal doctrine on Article 9 of the former Enforcement Rule of the Electronic Financial Supervision Regulations, contrary to what is alleged in the grounds of appeal.

2. Regarding ground of appeal No. 1

A. The Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter “Information and Communications Network Act”) is a law enacted for the protection of personal information in the field of information and communications. The purpose of this provision is to protect the subject of information as the other party using information and communications services provided by information and communications service providers. Article 28(1) of the Information and Communications Network Act provides for a legal obligation to take technical and managerial measures necessary to ensure the safety of personal information when a provider of information and communications services handles

A provider of information and communications services does not necessarily have to collect personal information from a subject of information for the first time. However, the obligation of a provider of information and communications services to take protective measures pursuant to Article 28(1) of the Information and Communications Network Act is not premised on collection and use of an unspecified number of personal information, but rather on handling personal information of users using the relevant information and communications services. Here, information and communications services refer to the act of directly providing a series of information, such as posting, transmission, lending, sharing, etc. of various information provided by the provider of information and communications services, or mediating the provider of information to connect the person who

In addition, in the modern society where the means of information and communications are highly developed, most of the personal information processing is conducted through information and communications networks and information transmission occurs frequently. In light of the relationship with the individual laws that deal with personal information in each of the relevant fields, including the Personal Information Protection Act, or the legislative intent and relevant provisions of the Information and Communications Network Act, it cannot be said that all users of information and communications services, including those who receive information or intermediate the provision of information, are users of information and communications services planned in the Information and Communications Network Act.

B. The lower court determined that the Information and Communications Network Act applies to a personal information leakage accident occurred around April 2010, since information and communications services that provide or intermediate certain settlement information or personal information, such as name, etc., have been made to a chain store or a lending company when the Plaintiffs settle the price of goods, etc. or obtain credit loans using a card issued by the Defendant.

C. However, in light of the above legal principles, it is difficult to accept the judgment of the court below for the following reasons.

1) As to the application of the Information and Communications Network Act, the Defendant’s violation of the duty to protect personal information, which the lower court recognized by the first instance court, is liable for damages under the Civil Act due to the violation of technical and administrative protective measures by the provider of information and communications services prescribed by Article 28(1) of the Information and Communications Network Act and Article 15 of the Enforcement Decree thereof. This is premised on the relationship between the provider

2) However, the Plaintiffs’ personal information leaked from a personal information divulgence around April 2010 is personal information collected and used for the purpose of using a credit card, etc. or obtaining a credit card, etc. upon entering into a contract with the Defendant for the use of such personal information as a credit card, etc., and is stored in a business hard disc carried into the Defendant office. This is a credit card member’s personal information that is a credit card member, even though the aforementioned facts alone are subject to other laws and regulations on the protection of personal information between the Plaintiffs and the Defendant, it cannot be deemed that the relationship between the provider and the user of information and communications services under the Information and Communications Network Act is established, and there is no evidence to acknowledge that the Plaintiffs used the information and communications services by using it

3) Meanwhile, Article 5 of the Information and Communications Network Act specifically provides for the promotion of information and communications networks and information protection, etc., if any other Act specifically prescribes, such other Act shall apply. Where the Plaintiffs are provided and used through an information and communications network in the course of receiving settlement services, such as goods prices, or credit loans using a credit card, such personal information constitutes a credit information provided in the Credit Information Use and Protection Act (hereinafter “Credit Information Act”), not the Information and Communications Network Act, but the Credit

4) Therefore, in order to determine that the Information and Communications Network Act applies to the divulgence of personal information around April 2010, the lower court should separately examine whether the Plaintiffs, a credit card member, are users of information and communications services prescribed in the Information and Communications Network Act by using information and communications services provided by the Defendant separately. Therefore, the lower court erred by misapprehending the legal doctrine on the Information and Communications Network Act, which led

5) However, as seen earlier, the Defendant is found to have failed to perform its duty of care to prevent the leakage of personal information in the course of requesting services for FDS business in boo-rap and providing the development personnel of the above company with personal information by Defendant card holders, and thus, is still liable to compensate for tort under the Civil Act. Ultimately, the lower court’s error did not affect the conclusion of the judgment. Accordingly, the allegation in the grounds of appeal on this part is unacceptable.

3. Regarding ground of appeal No. 2

A. In a case where the personal information collected by a person who manages the personal information was divulged against the intent of the subject of information, the determination should be made on a case-by-case basis in full view of the following: (a) the type and nature of the leaked personal information; (b) the likelihood of perusal by the subject of information; (c) whether the leaked personal information was accessible or could be perused in the future; (d) the extent to which the leaked personal information was spread; (e) the possibility of additional infringement of legal interests; (f) the status of the leaked personal information manager’s personal information management; (g) the details of the leaked personal information; and (h) what measures were taken to prevent the occurrence and spread of damage caused by the divulgence (see, e.g., Supreme Court Decision 2011Da59834, 59858, 59841, Dec. 26, 2012). The amount of damages for mental distress inflicted by the victim of information is determined by a fact-finding court.

B. The lower court acknowledged the facts as indicated in its reasoning by comprehensively taking account of the adopted evidence, and determined that the Plaintiffs suffered a real mental damage due to the leakage of personal information on the following grounds, and determined consolation money to be paid by the Defendant to the Plaintiffs as KRW 70,000,000

1) The personal information leaked in the personal information divulgence accident around April 2010 includes a resident registration number of a permanent and non-exclusive character, and it is difficult to eliminate the occurrence and possibility of secondary damage from its theft.

2) In full view of the overall circumstances, etc. of the divulgence accident, it is likely that personal information has already been perused by a third party or is likely to be perused in the course of its propagation and propagation.

C. Such determination by the lower court is justifiable. The amount of consolation money determined by the lower court may not be deemed excessive to recognize that the amount exceeded the bounds of discretion by significantly violating the principle of equity. Therefore, contrary to what is alleged in the grounds of appeal, the lower court did not exhaust all necessary deliberations, thereby exceeding the bounds of the principle of free evaluation of evidence in violation of the logical and empirical rules, or misapprehending the legal doctrine on the occurrence of mental damage caused by the divulgence of personal information, burden of proof, and degree

4. Conclusion

Therefore, all appeals are dismissed, and the costs of appeal are assessed against the losing party. It is so decided as per Disposition by the assent of all participating Justices on the bench.

[Attachment] List of Plaintiffs: Omitted

Justices Park Sang-ok (Presiding Justice)
