In a case where the personal information collected by a person who manages the personal information was divulged against the intent of the subject of information, the standard for determining whether the subject of information caused mental damage to compensate for consolation money, and whether the calculation of consolation money for mental suffering caused by a tort is a discretionary matter of the fact-finding court (

Articles 393, 750, 751, and 763 of the Civil Act

Supreme Court Decision 98Da41377 Decided April 23, 1999 (Gong1999Sang, 998) Supreme Court Decision 201Da59834, 59858, 59841 Decided December 26, 2012 (Gong2013Sang, 219)

See Attached List of Plaintiffs (Law Firm LLC, Attorneys Kim Jong-san et al., Counsel for the plaintiff-appellant)

Korea National Card Co., Ltd. and one other (Law Firm Sejong & one other, Counsel for the plaintiff-appellant)

Suwon District Court Decision 2016Na55780 decided January 11, 2018

All appeals are dismissed. The costs of appeal are assessed against the Defendants.

The grounds of appeal are examined.

1. As to the ground of appeal No. 1 by Defendant KNB Card

가. 원심은 그 판시와 같은 사실을 인정한 다음, 피고 주식회사 케이비국민카드(이하 ‘피고 국민카드’라 한다)가 구 개인정보 보호법(2015. 7. 24. 법률 제13423호로 개정되기 전의 것)이 정한 개인정보처리자 또는 구 전자금융거래법(2013. 5. 22. 법률 제11814호로 개정되기 전의 것)이 정한 금융회사로서 각 법률 및 시행령, 이를 구체화한 고시(개인정보 안전성 확보조치 기준) 등 관련 법령에서 정한 개인정보의 안전성 확보 또는 이용자정보의 보호에 필요한 조치를 취할 의무를 부담한다고 판단하였다. 그리고 피고 국민카드가 피고 코리아크레딧뷰로 주식회사(이하 ‘피고 크레딧뷰로’라 한다)와 카드사고분석시스템(Fraud Detection System, 이하 ‘FDS’라 한다) 업그레이드 관련 개발용역계약을 체결하고, 피고 크레딧뷰로의 개발인력들에게 카드고객의 개인정보를 제공하여 취급하도록 하는 과정에서, 위 법령들을 위반하여 보안프로그램 설치 및 관리·감독의무, 개인정보 처리업무 위탁 시 기술적·관리적 보호조치에 관한 문서약정 및 그 관리·감독의무, 암호화된 카드고객정보 제공의무, 단말기에 이용자 정보를 보관·공유하지 않을 의무, 접근권한 제한 등 보안조치를 취할 의무 등을 다하지 않았으므로, 이로 인해 개인정보가 유출된 원고들에 대하여 불법행위로 인한 손해배상책임을 부담한다고 판단하였다.

B. In light of relevant provisions and records, the above determination by the court below is just, and contrary to the allegations in the grounds of appeal, there were no errors of misapprehending the legal principles regarding the establishment of liability for damages by erroneous interpretation of the standards for measures to ensure the safety of personal information, or failing to exhaust all necessary deliberations,

2. 피고 크레딧뷰로의 상고이유 제1, 2, 3점에 관하여

가. 원심은 그 판시와 같은 이유로, 피고 크레딧뷰로와 피고 국민카드의 FDS 개발용역계약에 따라, 피고 크레딧뷰로의 직원인 소외인이 FDS 개발업무를 수행하는 과정에서 그 사무집행에 관하여 피고 국민카드의 카드고객정보를 유출하는 행위를 저질렀고, 피고 크레딧뷰로가 제출한 증거들만으로는 피고 크레딧뷰로가 사용자로서 소외인에 대하여 선임 및 사무감독에 상당한 주의를 하였거나 상당한 주의를 하였어도 카드고객정보 유출로 인한 손해가 발생하였음을 인정하기에 부족하여, 피고 크레딧뷰로는 피고 국민카드와 공동하여 민법 제756조 제1항 에 따라 원고들에게 개인정보 유출로 인한 손해를 배상할 책임이 있다고 판단하였다.

B. Examining the relevant legal principles and records, the above determination by the court below is just, and contrary to the allegations in the grounds of appeal, there were no errors in the misapprehension of legal principles as to the relationship of office performance and exemption from liability.

3. 피고 국민카드의 상고이유 제2점 및 피고 크레딧뷰로의 상고이유 제4점에 관하여

A. In a case where the personal information collected by a person who manages the personal information was divulged against the intent of the subject of information, the determination of whether the leaked personal information causes a mental damage to the subject of information as consolation money should be made on an individual case-by-case basis, comprehensively taking into account the following: (a) the type and nature of the leaked personal information; (b) the type and nature of the leaked personal information; (c) the likelihood of perusal by the subject of information; (d) the access of the leaked personal information; (e) the third party’s access to the leaked personal information; (e) the extent to which the leaked personal information was available; (e) the likelihood of additional infringement of legal interests; (e) the situation in which the subject of information managed the personal information was leaked; and (e) the details of the leaked personal information; and (e) what measures were taken to prevent the occurrence and spread of damage caused by the divulgence (see Supreme Court Decision 2011Da59834, 598, 59841, Dec. 26, 2012).

B. After finding the facts as stated in its holding, the court below determined that the personal information leaked in the instant card customer information leakage accident is not only recognizable to the plaintiffs, but also information closely related to the privacy and credit of the individual. In full view of the overall circumstances of the leakage accident, etc., it is reasonable to view that the mental damage caused by the leakage of personal information has been actually caused to the plaintiffs by social norms, since it has already been perused by a third party in the process of its propagation and diffusion or it is highly probable that the personal information has been perused in the future. Considering various circumstances, the court below determined consolation money to be compensated for the plaintiffs

C. In light of the aforementioned legal principles and records, the above determination by the court below as to whether mental damage occurred is just, and the amount of consolation money determined by the court below is not excessive to the extent that it is recognized that the amount exceeded the limits of discretion significantly against the principle of equity. Therefore, the court below did not err in the misapprehension of legal principles as to the scope of liability for damages, contrary to

4. Conclusion

Therefore, all appeals are dismissed, and the costs of appeal are assessed against the losing party. It is so decided as per Disposition by the assent of all participating Justices on the bench.

[Attachment] List of Plaintiffs: Omitted

Justices Noh Jeong-hee (Presiding Justice)