This English version was produced by Legal Engine's AI translation engine. Please send feedback on any part that needs correction.
(English) Supreme Court Decision 2013Da43994, 44003 decided February 12, 2015
[Damages (Other)·Damages (Other)][Gong 2015 Sang, 453]
Main Issues

[1] Whether a provider of information and communications services assumes a legal or contractual duty under the information and communications service contract to take the measures necessary to ensure the safety of users’ personal information

[2] The standard for determining whether a provider of information and communications services breached his/her legal or contractual duty to take necessary protective measures to ensure safety of personal information under Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. or information and communications service contract

Summary of Judgment

[1] The provider of information and communications services is legally obligated to take the technical and administrative measures necessary to ensure the safety of personal information under each subparagraph of Article 3-3(1) of the former Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (wholly amended by Ordinance of the Ministry of Public Administration and Security No. 34 of September 23, 2008).

Furthermore, if the provider of information and communications services collected personal information from a user who intends to use information and communications services, through the terms and conditions of use, etc., the provider is obligated under the information and communications service contract to take the protective measures necessary to prevent loss, theft, leakage, alteration, or damage of the collected personal information.

[2] Because the networks, systems, operating systems, etc. that a provider of information and communications services builds and operates over the Internet, whose defining characteristic is “openness,” inevitably contain inherent vulnerabilities, exposure to unlawful intrusion by so-called hackers is unavoidable, and complete security of the network is not easy to achieve considering the speed of technological development and the overall transaction costs to society. Hackers intrude into the provider’s information and communications network and its related information systems by bypassing or nullifying the security measures taken by the provider through various attack methods, and security technology to prevent hacking is generally supplemented only after a response to a new attack method has been developed. Whether the provider of information and communications services reasonably took the required protective measures must therefore be determined by comprehensively considering the circumstances, including the overall level of information and communications technology at the time of the hacking, the content of the protective measures the provider had taken, the cost and utility of those measures, the possibility of leakage of the personal information, and the degree of risk.

In particular, Article 3-3(2) of the former Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (wholly amended by Ordinance of the Ministry of Public Administration and Security No. 34, Sept. 23, 2008) provides that “The Minister of Information and Communication shall determine and publicly notify the specific criteria for protective measures under each subparagraph of paragraph (1).” Accordingly, the criteria for technical and administrative protective measures of personal information (Public Notice Nos. 2005-18 and 2007-3; hereinafter “Public Notice”) established by the Minister of Information and Communication, based on the level of technology at the time of hacking intrusions, etc., specifically set out the technical and administrative protective measures to be taken by the provider of information and communications services pursuant to Article 28(1) of the former Information and Communications Network Act. Therefore, barring any special circumstance, if the provider of information and communications services took the technical and administrative protective measures stipulated in the Public Notice, it is difficult to deem that the provider of

[Reference Provisions]

[1] Article 3-3 (1) (see current Article 15 of the Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.) of the former Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (wholly amended by Ordinance of the Ministry of Public Administration and Security No. 34, Sept. 23, 2008) / [2] Article 28 (1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (wholly amended by Act No. 8852, Feb. 29, 2008); Article 3-3 (2) of the former Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (wholly amended by Ordinance of the Ministry of Public Administration and Security No. 34, Sep. 23,

Plaintiff-Appellant

Attached 1 and 2 Plaintiffs’ List (Law Firm KON-ro, Attorneys Park Jin-sik et al., Counsel for the plaintiff-appellant)

Defendant-Appellee

eBay Korea Co., Ltd. and one other (Attorneys Son Ji-yol et al., Counsel for the defendant-appellee)

Judgment of the lower court

Seoul High Court Decision 2010Na31510, 31527 decided May 2, 2013

Text

All appeals are dismissed. The costs of appeal are assessed against the plaintiffs.

Reasons

The grounds of appeal are examined.

1. As to the claim for damages against eBay Korea Co., Ltd., which took over the litigation of eBay Auction Co., Ltd. (hereinafter “Defendant Auction”)

A. 1) Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 8852, Feb. 29, 2008; hereinafter “former Information and Communications Network Act”) provides that “In handling users’ personal information, providers of information and communications services, etc. shall take the technical and administrative measures necessary for ensuring safety, as prescribed by Ordinance of the Ministry of Information and Communication, so that personal information is not lost, stolen, leaked, altered, or damaged.” Furthermore, Article 3-3(1) of the former Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (wholly amended by Ordinance of the Ministry of Information and Communication No. 34, Sept. 23, 2008; hereinafter “former Enforcement Rule”) provides for the duty to establish and implement an internal management plan for the safe handling of personal information (subparagraph 1), together with the other technical and administrative measures listed in that paragraph (subparagraphs 3, 4, etc.).

Furthermore, if the provider of information and communications services collected personal information from a user who intends to use information and communications services, through the terms and conditions of use, etc., the provider is obligated under the information and communications service contract to take the protective measures necessary to prevent loss, theft, leakage, alteration, or damage of the collected personal information.

2) However, the networks, systems, operating systems, etc. established by a provider of information and communications services, which are characterized by “openness,” inevitably contain inherent vulnerabilities and are therefore unavoidably exposed to unlawful intrusion; complete security cannot be expected when the speed of technological development, overall transaction costs, etc. are taken into account; hackers intrude on the provider’s information and communications network and its related information systems by bypassing or nullifying the security measures taken by the provider, using various attack methods; and security technology to prevent hacking is generally supplemented only after a response to a new attack method has been developed. Accordingly, whether a provider of information and communications services breached the legal or contractual duty under Article 28(1) of the former Information and Communications Network Act or the information and communications service contract to take the protective measures necessary for securing the safety of personal information should be determined on the basis of the level of technological development at the time, etc.

In particular, Article 3-3(2) of the former Enforcement Rule provides that “The Minister of Information and Communication shall determine and publicly notify the specific criteria for the protective measures provided for in each subparagraph of paragraph (1).” Accordingly, the criteria for technical and administrative protective measures of personal information (Ministry of Information and Communication Public Notice Nos. 2005-18 and 2007-3; hereinafter “instant Notice”) established by the Minister of Information and Communication specifically set out the protective measures required under Article 28(1) of the former Information and Communications Network Act, taking into account the level of technology at the time of intrusions such as hacking. Therefore, where the provider of information and communications services has taken the technical and administrative protective measures stipulated in the instant Notice, barring special circumstances, it is difficult to deem that the provider of information and communications services breached the legal or contractual duty to take protective measures necessary

B. As to the grounds of appeal Nos. 1 through 8, and 10

1) Review of the reasoning of the lower judgment and the record reveals the following circumstances.

A) The Plaintiffs concluded service use contracts with Defendant Auction in order to use the product brokerage service provided by Defendant Auction and, upon registering as online members of Defendant Auction’s Internet open-market site (hereinafter “instant site”), provided Defendant Auction with their names, resident registration numbers, mobile phone numbers, e-mail addresses, etc. pursuant to Article 8 of Defendant Auction’s terms of use. In early January 2008, a hacking incident occurred on Defendant Auction’s servers. According to the results of the police investigation, the incident is presumed to have proceeded as follows: around January 3, 2008, the non-party, presumed to be a Chinese hacker, and others logged in with the initial default ID and password to the Tomcat server, a web application server installed on the Inomix server (이노믹스 서버), one of Defendant Auction’s web servers, and uploaded a backdoor program named ‘job.war’ to the Tomcat server’s administrator page; they intruded into the Inomix server through various hacking techniques and obtained the administrator ID and encrypted password of the instant database server; and then, on four occasions from around January 4 to around January 8, 2008, they leaked Defendant Auction’s member information, such as members’ names and resident registration numbers, stored in the instant database server.

B) Meanwhile, Defendant Auction established and implemented a personal information management plan (hereinafter “instant management plan”) stipulating the matters concerning the organization and operation of a personal information protection organization, detailed matters concerning access control, and other matters necessary for the protection of personal information, and had its executive officers and employees comply with the management guidelines. It established and operated an intrusion detection system and an intrusion prevention system for its network, formulated and implemented password composition rules under the instant management plan, and installed and operated multiple anti-virus (vaccine) software products in order to control illegal access to personal information, thereby taking the technical and administrative measures for the protection of personal information required by Article 28(1) of the former Information and Communications Network Act.

C) At the time of the instant hacking incident, Defendant Auction took various security measures with respect to the Inomix server, which needed to be reachable from outside through the Internet due to the characteristics of the company’s work, such as implementing authentication and authorization procedures, including the entry of IDs and passwords, and providing various access control methods. In addition, the web firewall that the Plaintiffs claim should have been installed on the Inomix server, etc. is merely one of several alternative security measures chosen in consideration of the characteristics of the system, and the relevant Acts and subordinate statutes, such as the former Information and Communications Network Act, did not impose an obligation to install a web firewall. Therefore, it cannot be deemed that Defendant Auction failed to take the necessary protective measures to the extent reasonably expected under social norms.

D) Given the structure of Defendant Auction’s system, which operates hundreds of web servers and dozens of database servers, it is not easy for Defendant Auction to identify and remedy every individual vulnerability, such as the ID and password settings of the Tomcat server installed to support the web service of the Inomix server; checking for vulnerabilities with an automated tool such as a scanner is therefore the common way of handling security work. However, the ID and password vulnerability of the Tomcat server was included in the vulnerability check list of the scanner used by Defendant Auction only after the instant hacking incident. Moreover, considering the overall security measures Defendant Auction had in place, such as the intrusion detection system for the network it operated and the authentication and access control devices for the instant database server, it cannot be held that Defendant Auction failed to take the protective measures necessary to ensure the safety of personal information solely on the basis of such an individual vulnerability.
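Paragraph D) above turns on a point defenders still meet today: an individual configuration item such as a default management account on an application server is easy to miss by hand across hundreds of hosts, and it only gets caught once it is on an automated scanner’s check list. As an added illustration (not part of the judgment, and not Defendant Auction’s or any vendor’s tooling), the Python below shows what such a check-list item looks like for Tomcat’s `tomcat-users.xml`: it parses the file, flags accounts whose password is empty, equals the user name, is shorter than an assumed minimum, or matches an assumed list of well-known default pairs, and reports which of those accounts also hold a manager or admin role. The sample XML, the default-pair list and the length threshold are constructed for the example.

```python
"""Check a Tomcat tomcat-users.xml for default or weak credentials.

Added example for illustration; the sample file, DEFAULT_PAIRS and
MIN_PASSWORD_LEN are constructed assumptions, not values from the judgment.
"""
import xml.etree.ElementTree as ET

# Constructed sample of an unhardened tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="app-user"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="" roles="manager-gui"/>
  <user username="ops" password="Xy7!kq92Lp#Rz" roles="manager-gui"/>
  <user username="bob" password="bob" roles="app-user"/>
</tomcat-users>
"""

# Roles that grant access to the manager / host-manager web applications.
ADMIN_ROLES = {"manager-gui", "manager-script", "manager-jmx",
               "manager-status", "admin-gui", "admin-script"}

# Assumed "well-known default" credential pairs a scanner might carry.
DEFAULT_PAIRS = {("tomcat", "tomcat"), ("admin", "admin"),
                 ("admin", ""), ("tomcat", "s3cret")}

MIN_PASSWORD_LEN = 8  # assumed local policy threshold


def _localname(tag):
    """Strip an XML namespace so both <user> and <{ns}user> are recognised
    (newer tomcat-users.xml files declare xmlns="http://tomcat.apache.org/xml")."""
    return tag.rsplit("}", 1)[-1]


def find_weak_accounts(xml_text):
    """Return a list of findings, one per <user> element that fails a check."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _localname(elem.tag) != "user":
            continue
        # Tomcat accepts either "username" or the older "name" attribute.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}

        reasons = []
        if (name, password) in DEFAULT_PAIRS:
            reasons.append("well-known default credential")
        if password == "":
            reasons.append("empty password")
        elif password.lower() == name.lower():
            reasons.append("password equals username")
        # A digested password (e.g. starting with "$sha-256$") is long and
        # never equals the user name, so it does not trip these checks.
        if 0 < len(password) < MIN_PASSWORD_LEN:
            reasons.append("password shorter than %d characters" % MIN_PASSWORD_LEN)

        if reasons:
            findings.append({
                "username": name,
                "admin_role": bool(roles & ADMIN_ROLES),
                "reasons": reasons,
            })
    return findings


def admin_accounts_at_risk(findings):
    """User names from the findings that also hold a manager/admin role, sorted."""
    return sorted(f["username"] for f in findings if f["admin_role"])


if __name__ == "__main__":
    results = find_weak_accounts(SAMPLE_TOMCAT_USERS)
    for f in results:
        print("%-8s admin=%-5s %s" % (f["username"], f["admin_role"], "; ".join(f["reasons"])))
    print("manager/admin accounts with weak credentials:", admin_accounts_at_risk(results))
```

In practice the check runs against the file under `$CATALINA_BASE/conf/` on each host, and the two accounts it reports with a manager role are the ones that matter most for the scenario the judgment describes, since that role is what exposes the manager application’s deployment page.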

E) Defendant Auction operated various authentication and access control systems on the instant database server, etc., and through various security measures, including security measures for the database server, monitored requests for abnormal access or information queries and query executions beyond the normal range of the database server. Moreover, considering Defendant Auction’s business, its system characteristics, and the level of security technology at the time of the hacking incident, it is difficult to deem that the conditions Defendant Auction had set for identifying abnormal signs were wrong. Since the queries or the volume of data transmitted in the course of the leakage of the personal information did not exceed the average level in light of the characteristics of Defendant Auction’s business, etc., it cannot be deemed that Defendant Auction failed to take protective measures to the extent reasonably expected under social norms solely on the ground that Defendant Auction did not detect the hacker’s query executions, etc. at the time of the instant hacking incident.

F) In light of the fact that around January 3, 2008, Defendant Auction discovered abnormal signs on the instant site and appears to have taken reasonable response measures in accordance with the intrusion response procedures it had established, and that the webshell used by the hackers was a malicious program of a type and form that was difficult to detect easily with the tools generally in use at the time, it is difficult to find fault with Defendant Auction on the ground that it was unable to detect the webshell in real time at the time of the instant hacking incident.

G) The hackers are presumed to have used various advanced hacking techniques, such as the insertion and execution of variant webshells that are difficult to detect, a distribution system for bypassing firewalls, an “ARP spoofing” attack, and the use of additional hacking programs, and, after identifying the ID and encrypted password of the instant database server, to have leaked the personal information stored in it. Considering the method of the instant hacking, the level of security technology at the time, and the overall security measures taken by Defendant Auction, it was difficult for Defendant Auction to fundamentally prevent the instant hacking.

2) Examining the aforementioned circumstances in light of the legal principles seen earlier, it is difficult to deem that Defendant Auction violated the duty to take technical and administrative measures under Article 28(1) of the former Information and Communications Network Act or the duty under the information and communications service contract to take the protective measures necessary to ensure the safety of personal information, as alleged by the Plaintiffs, and it is difficult to readily conclude that the instant hacking incident would have been prevented had Defendant Auction taken the protective measures alleged.

The judgment of the court below to the same purport is just and acceptable, and contrary to what is alleged in the grounds of appeal, there were no errors by exceeding the bounds of the principle of free evaluation of evidence against logical and empirical rules, or by misapprehending the legal principles as to the

C. As to ground of appeal No. 9

Article 5(1) of the instant Notice provides that “A provider of information and communications services, etc. shall store personal authentication information, such as passwords or biometric information, in a one-way encrypted form so that it cannot be recovered.” On the ground that, under Article 15(4)2 of the Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Presidential Decree No. 21278, Jan. 28, 2009), a resident registration number does not fall under the personal authentication information provided for in Article 5(1) of the instant Notice, and considering the technical level of encryption products at the time of the hacking incident, the lower court held that Defendant Auction bore no legal or contractual obligation to

In light of the relevant legal principles and records, the judgment of the court below is just and acceptable. Contrary to the allegations in the grounds of appeal, there were no errors by misapprehending the interpretation of the notice of this case or the legal principles as to the provider of information

D. As to ground of appeal No. 11

The lower court rejected the Plaintiffs’ assertion that Defendant Auction violated its duty under Article 7(1) of the instant Notice. Article 7(1) of the instant Notice provides that “A provider of information and communications services, etc. shall specify the purpose of outputting personal information from the personal information processing system (printing, screen display, file creation, etc.) and minimize the output items according to the purpose of use.” The lower court reasoned that this provision prescribes protective measures to be observed when personal information files, etc. are output through normal channels by a person with authority, and that it cannot be applied to the leakage of personal information by a person without authority, such as the instant hacking incident.

In addition, the lower court rejected the Plaintiffs’ assertion that Defendant Auction violated its duty under Article 2 of the Guidelines on Information Protection Measures, Safety Inspection Methods, Procedures, and Fees (Notice No. 2004-54, February 8, 2002; hereinafter “instant Guidelines”) and [Attachment 1] of the instant Guidelines, which, pursuant to Article 45(2) of the former Information and Communications Network Act, prescribe for providers of information and communications services the details of the protective measures for ensuring the stability of the information and communications networks used in providing their services and the reliability of information, including security settings such as the removal of unnecessary protocols and services. The lower court reasoned that the “DTS” function of the Inomix server used in the instant hacking incident is ordinarily used in basic database work such as data management, extraction, and transmission, so that it is difficult to view it as an unnecessary service, and that, considering the security measures taken by Defendant Auction at the time of the instant hacking incident, Defendant Auction cannot be held to have violated its duty under the former Information and Communications Network Act merely because it did not delete or limit the “DTS” function, etc.

In light of the relevant legal principles and records, the judgment of the court below is just and acceptable. Contrary to the allegations in the grounds of appeal, there were no errors in the misapprehension of legal principles as to the public notice of this case, the interpretation of guidelines, or the liability

2. As to the claim for damages against the other Defendant company

The lower court rejected the Plaintiffs’ claim on the grounds indicated in its reasoning, namely that this Defendant could not be seen to have failed to prevent the instant hacking incident by neglecting its duty of security control.

In light of the relevant legal principles and records, the fact-finding and judgment of the court below are just and acceptable. In so doing, there were no errors by exceeding the bounds of the principle of free evaluation of evidence against logical and empirical rules, or by misapprehending the legal principles as to the company's liability

3. Conclusion

Therefore, all appeals are dismissed, and the costs of appeal are assessed against the losing party. It is so decided as per Disposition by the assent of all participating Justices on the bench.

[Attachment 1] List of Plaintiffs: Omitted

[Attachment 2] List of Plaintiffs: Omitted

Justices Lee In-bok (Presiding Justice)

Lower-instance case
- Seoul High Court Decision 2010Na31510 decided May 2, 2013