(영문) 서울남부지방법원 2017.2.16. 선고 2014가합101508 판결

1. Defendant A Co., Ltd. shall pay to each of the Plaintiffs listed in the separate sheet No. 2 the amount of KRW 100,000 as well as 5% per annum from May 1, 2014 to February 16, 2017, and 15% per annum from the next day to the day of complete payment.

2. Each Plaintiffs’ remaining claims against Defendant A Co., Ltd., and their claims against Defendant B Co., Ltd., and their respective claims against the Defendants listed in the separate sheet No. 3 are dismissed.

3. Of the costs of lawsuit:

A. The part arising between each of the plaintiffs and the defendants in the list of plaintiffs listed in attached Form 3 is borne by the above plaintiffs.

B. Attached Table 2/3 of the part arising between each of the plaintiffs and the defendant A Co., Ltd. in the list of plaintiffs and the remaining part are borne by the above plaintiffs, and the above plaintiffs and the defendant B Co., Ltd. are borne by the above plaintiffs.

4. Paragraph 1 can be provisionally executed.

Purport of claim

The defendants jointly pay to the plaintiffs 5 million won and 15% interest per annum from the day after the delivery of a copy of the complaint of this case to the day of complete payment.

Reasons

1. The background leading to the instant lawsuit;

A. Status of the parties

1) Defendant A Co., Ltd. (hereinafter referred to as “Defendant A”) is a company engaged in business such as credit cards, pre-paid cards, debit cards, issuance, sale and management, etc., and Defendant B Co., Ltd. (hereinafter “Defendant B”) is a company established by joint investment by financial institutions, which is engaged in business such as credit inquiry and credit investigation under the Act on the Use and Protection of Credit Information.

2) The Plaintiffs 1) are those who have used or used a credit card, etc. upon entering into a financial transaction agreement with Defendant A on the use of the credit card, etc.

(b) the concept and introduction of a card accident analysis system;

The card accident analysis system ("FDS") is introduced by all domestic card companies as a system for detecting abnormal transactions or fraudulent use due to theft, loss, forgery, etc. of credit cards. According to FDS, it is possible to establish an analysis model based on statistical techniques using large amount of card use information and relevant card customer information based on past accident transactions, and based on the results, it is discovered that the card type transaction has occurred according to the statistical analysis pattern in the time of credit card use.

C. Outflow of customer information on Defendant A Card

1) Conclusion of the FDS development services contract and provision of credit card customer information;

Defendant A introduced FDS around 2006 and requested C or Defendant B to provide FDS services. D was an employee of “C” from October 2009 to April 2010, and from September 201, Defendant B’s employee from September 2013 to December 2013, and was involved in the FDS development and installation of the FDS development and installation project entrusted by Defendant A, and used the said system development and installation work with information on card customers, which was not converted from Defendant A on the ground that it is necessary for work in the FDS development process.

2) Leakage of customer information on cards around April 2010

A) Around April 2010, D used the FDS development work at Defendant A’s headquarters located in Jung-gu Seoul Metropolitan Government, which stored and used Defendant A’s card customer information, stored Defendant A’s member 1,0230,000 card customer information on the hard disk for business purposes, but Defendant A used the hard disc’s hard disc security inspection so that it used the hard disc without a format inspection, and stored the above information on its own computer around July 2010 while keeping it at its own house.

B) After that, at the G office operated by F in Yeongdeungpo-gu Seoul Metropolitan Government on January 201, 201, D visited F’s Nowon-gu’s intent to utilize card customer information on lending brokerage, etc., where approximately approximately KRW 2,52,00,00 of the card customer information from Defendant A’s member cards, which had been deducted as above, was connected to F’s Nowon-gu, with the intent to utilize card customer information on lending brokerage, etc., and stored the card customer information on the Egypt, and then delivered it to F.

3) Leakage of customer information on cards around December 2013

A) On September 2013, Defendant B’s employees did not install a security program for the purpose of preparing a report and other documents on the two computers of Defendant B, which were additionally carried in the office of Defendant B, located in the Jung-gu Seoul Metropolitan Government H building for the FDS development work, and storing them in the USB joints, and, if necessary, sending them to the computer room, or storing data by accessing smartphones, and transmitting e-mail from smartphones to e-mail. The employees of Defendant A knew that the two costs of the computer were additionally carried in, but did not directly verify whether the security program was installed.

B) On December 2013, 2013, D, an employee of Defendant B, connected the Defendant’s office located in the Jung-gu Seoul Metropolitan Government H building with one’s own USB domains, and generated co-locations within the USB domains. Around December 2013, D, who installed a security program and downloaded data such as card card customer information, connected to a computer that is not installed with the said security program through an internal network, and copied the card customer information in the USB domain, which was 26890,00 members of A, and was possessed by Defendant A.

C) While Defendant A’s card’s customer information leaked as above was sought to ask F on the face of the need to keep it in custody, it did not reveal that the said card’s customer information was leaked to another person due to the failure to meet F.

(d) Dissemination and dissemination of other leaked card customer information;

1) The F, upon receipt of customer information leaked from D, provided approximately KRW 95,000 card customer information that was leaked to police officers from November 201, 202, including the issuance of 5,00 card cards to police officers, with which customer information was stored. From that time, the F provided approximately 95,000 card customer information that was leaked to police officers by August 2013.

2) On January 2013, F provided approximately KRW 489,00,00 card customer information in total, up to 32 times until early December 2013, 2013, by means of providing approximately KRW 10,000 card customer information by accessing the said e-mail after having become aware of the card company’s card customer information through K’s request from J to receive the card company’s e-mail, at G office, a consignment sales company located in Yeongdeungpo-gu Seoul, Yeongdeungpo-gu, Seoul.

3) On August 2013, F provided approximately KRW 100,00 card customer information that was leaked by accessing the said e-mail after becoming aware of the e-mail account and password used by K from the above G office at the patrolmen.

4) On November 2012, F provided approximately 3,00 card customer information that was leaked by accessing L to the said e-mail after having become aware of the e-mail account and password used by L from L in the above G office, from that time to November 2013, including providing approximately 4,780,000 card customer information that was leaked by accessing L to the said e-mail, from that time.

5) On March 2013, 2013, F: (a) instructed G employees M to color the information purchaser; (b) provided approximately KRW 5,000 card customer information leaked by using the “O” Meet to N that M was in compliance with the direction; and (c) provided, from that moment, 4 times more than 78,000 card customer information leaked from that time to that of the mid of May 2013.

6) On February 2013, F came to know of the e-mail account and password P from P at the above G office, and provided approximately KRW 100,000 card customer information by accessing the said e-mail, from that time until September 2013, F provided approximately seven times in total.

7) On November 2012, 2012, F issued to S approximately KRW 280,00 of the cards disclosed in the name of approximately 2.80,00 in the vicinity of the office of the RJ in Gangnam-gu Seoul, Gangnam-gu, Seoul, and thereafter provided the card customers with approximately KRW 540,000,000, totaled three times during the period of mid- March 2013.

8) On September 2013, 2013, F issued the USB note with which approximately KRW 500,00 card customer information leaked from V’s loan brokerage office located in T U was stored at the Haman’s Government.

9) On December 2012, F came to know of the e-mail account and password used by W from W at the above G office, and provided approximately KRW 20,000 card customer information by accessing the said e-mail and making it available, from that time to June 2013, including providing approximately 4,10,000 card customer information, which was leaked in total, five times during the period of 20,000 from that time.

10) On March 2013, 2013, F came to know of the e-mail account and password X used by X from the above G office, and provided approximately KRW 30,000 card customer information, which was leaked by accessing the above e-mail, from that time up to August 2013, including providing approximately 30,000 card customer information, which was leaked over six times in total, from that time.

11) On November 2012, F came to know of the e-mail account and password used by Y from Y at the above G office, and provided approximately KRW 50,000 card customer information, which was leaked by accessing the said e-mail, from that time up to August 2013, including providing approximately 195,000 card customer information, in total, five times until early 2013.

12) On October 2012, F issued approximately 67,00 card 20,00 card 20,000 card 20,000 to AB at the AA-dong Z near the Seocho-gu Z, Seoyang-si. On November 2012, F continued to provide AB with approximately 120,00 card 1,00 card 20,000 card 2 times in total, where the card 120,00 card 120,00 card 2,00 card 1,000 card 1,00,000 are stored in the above A-A-dong cafeteria.

13) On August 2012, F came to know of the e-mail account and password used by AC at the above G office, and provided approximately KRW 50,00 card customer information by accessing the said e-mail, and continued to provide approximately KRW 50,00 card customer information in the same manner at the first patrol officer’s office on the same date on January 2013, F provided approximately KRW 50,000,000 in total twice.

14) On February 2013, F came to know of the e-mail account and password used by AD from the above G office, and provided approximately KRW 40,00 card customer information by accessing the said e-mail, and continued to provide card customer information under approximately 50,00 in the same manner at the Haman’s office on August 2013, F provided approximately KRW 90,000,000 in total twice.

15) On September 2013, F provided approximately KRW 50,00 card customer information that was leaked by transmitting it to e-mail used by AE from the above G office to the early policeman.

16) On January 2013, F came to know of the e-mail account and password used by AF from AF at the above G office, and provided approximately KRW 9,00 card customer information by accessing the said e-mail and making it available for business. On January 2013, F continuously provided approximately KRW 29,000 card customer information that was leaked in the same manner at the above Haman’s office, and provided approximately twice in total.

17) On January 2013, F provided approximately 10,00 card customer information by transmitting approximately 10,00 card numbers to e-mail used by AGs at the above G office, and around July 2013, F provided approximately 3,00 card customer information by the same method at the above office, and provided approximately 13,000 card customer information totaled twice.

18) On January 2013, 2013, F sent approximately 5,00 card customer information by accessing e-mail it uses at the above G office, and provided AH with the above information by informing AH of the above e-mail account and password.

19) On February 2013, I provided AK and AL with printed materials containing approximately KRW 300,000 card customer information at the AJ coffee shop located in Songpa-gu Seoul, Songpa-gu, Seoul.

20) On September 2013, I provided the above AK and AL with the USB meta with approximately one million card customer information disclosed at the above AJ coffee shop.

(e) Progress after the divulgence of customer information on cards;

1) Defendant A’s measures

On January 2014, after becoming aware of a credit card customer information leakage accident, Defendant A notified of the divulgence of personal information on his/her website and provided information on how to confirm the leakage of personal information by posting a letter on his/her own website. On January 17, 2014, Defendant A provided a call center information service, extended the operating hours of the call center, operated the call center at the end of the week, and operated the call center on the fact of personal information damage.

2) Scope of disclosed cards customer information

See Attached 2 and 3, each plaintiffs' card customer information stated in the list of plaintiffs was also divulged in the above circumstances. On April 2010, and around December 2013, each of the card customer information leaked in the card customer information leakage accident was partly different for each individual. The name, resident registration number, card number, effective period, settlement account number, address, book address, address, other address, company telephone number, cell phone number, cell phone number, and other card user status are all or part of each individual.

(f) Progress of the relevant criminal procedure;

1) D, etc. shall not damage another person’s information processed, stored, or transmitted through an information and communications network, or infringe, use, or divulge another person’s confidential information. A person who is an executive officer or employee of a credit information company, etc. shall not divulge or use another person’s credit information, etc. known to him/her in the course of performing his/her duties for purposes other than his/her duties. As seen above, Defendant A’s card customer information was infringed and disclosed, and at the same time, Defendant A’s credit information related person was prosecuted due to a crime of

2) Accordingly, on June 20, 2014, the said court sentenced D to three years of imprisonment with prison labor for D, and thereafter appealed by Changwon District Court 2014No1473. However, the appellate court dismissed all appeals by D, etc. on October 8, 2014, and the first instance judgment became final and conclusive on October 16, 2014 due to D’s failure to file an appeal.

【Unstrific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strific- strif

2. The plaintiffs' claims

A. Defendant A’s claim on April 2010 regarding the leakage of customer information on a card.

A around April 2010, Defendant A provided D with card customer information processed, stored, and transmitted in the server without encryptioning the card customer information, which was awarded a contract for the development and installation of FDS to C. In addition, when D ships out the hive disc in which the said card customer information was stored, Defendant A did not confirm or control whether the hive disc was format. As above, Defendant A neglected this despite the due diligence prescribed by the relevant laws and regulations at the time to prevent the leakage of the card customer information of the Plaintiffs listed in the Plaintiff List (hereinafter “Defendant A”) from being leaked. Accordingly, Defendant A is liable to the said Plaintiffs for damages caused by tort under Article 32 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter “Information and Communications Network Act”) and Article 750 of the Civil Act.

B. Defendant A’s claim on the leakage of customer information around December 2013

1) Claim against Defendant A

A) Defendant A provided Defendant A with the card customer information processed, stored, and transmitted on the server while awarding a contract for the development and installation of FDS to Defendant B, and the given card customer information was not encrypted. Defendant A did not have any knowledge of the removal of the security program on the computer used by Defendant A, and did not at all verify the details of the use of the computer. Although D had easily transmitted and stored the card customer information on the number of 2,000 computers used for Defendant A’s business, he did not confirm or control any of the Defendant A’s card customer information-related employees or system development-related employees in the same space, the Defendant A did not confirm or control it, and the Defendant A did not have been negligent in performing its duty of care and supervision, despite the date and time of access to the personal information that was used for Defendant A’s business.

B) The above actions by Defendant A, as a personal information manager under Article 2 subparag. 5 of the Personal Information Protection Act, violates Article 24-2(1) and Article 29. Accordingly, Defendant A is liable to compensate for damages suffered by the Plaintiffs indicated in the 2 Plaintiffs of this case and the 3 Plaintiffs’ List (hereinafter “the third Plaintiffs of this case”) pursuant to Article 39 of the Personal Information Protection Act and Articles 750 and 751 of the Civil Act.

2) Claim against Defendant B

A) At the time of the leakage of customer information by Defendant A around December 2013, 2013, Defendant B was an employee of Defendant B, and D was dispatched to Defendant A for the development and installation of the FDS that Defendant B entered into with Defendant A, and was in the course of performing the said duties, Defendant B was divulged of the card customer information. Thus, Defendant B jointly with Defendant A, bears the employer’s responsibility under Article 756 of the Civil Act for the instant act.

B) Defendant B constitutes a trustee under Article 26(2) of the Personal Information Protection Act, and thus, is liable to compensate the Plaintiffs for damages due to the violation of Articles 24(1) and (3), 24-2(1), and 29 of the same Act, which are applied mutatis mutandis pursuant to Article 26(7) of the same Act; Article 30(1) of the Enforcement Decree of the Personal Information Protection Act

C. Scope of damages

The plaintiffs' mental damage caused by the above joint tort by the defendants amount to 500,000 won. Thus, the defendants are jointly obligated to pay 500,000 won to each of the plaintiffs of this case.

3. Relevant provisions

Attached Table 4 is as shown in the relevant regulations.

4. Determination as to the establishment of liability for damages

A. Determination as to the claim against Defendant A on April 2010 regarding the leakage of customer information on a card

1) Criteria to determine whether the divulgence of personal information was negligent

Inasmuch as an information and communications service provider is legally obligated to take technical and managerial measures necessary to ensure safety of personal information prescribed in each subparagraph of Article 3-3(1) of the former Enforcement Rule of the Information and Communications Network Act (wholly amended by Presidential Decree No. 34, Sept. 23, 2008). Furthermore, if the provider of information and communications services requests users to provide information and communications services through terms and conditions of use, etc., then the provider of information and communications services is obligated to take necessary protective measures such as loss, theft, leakage, alteration, or damage to personal information collected by users, such as information and communications services and communications service providers under the former Information and Communications Network Act (wholly amended by Presidential Decree No. 2010, Sept. 23, 200). Such legal principles are difficult to determine whether the provider of information and communications services is obligated to take necessary protective measures such as providing information and communications services under Article 20 of the former Information and Communications Network Act, taking into account the overall development of information and communications technology or the overall development of information and communications services, etc.

2) Summary of Defendant A’s assertion

The defendant A asserts that the negligence of the defendant A with respect to the leakage of personal information that occurred around April 2010 is difficult to be recognized for the following reasons.

A) In recognizing tort liability on the ground that a personal information manager did not take technical and administrative protective measures to protect personal information, the specific content of the duty of care, which serves as the basis for determining the existence of negligence, shall be deemed to be limited to technical and administrative protective measures that are specifically stipulated by the Act and subordinate statutes.

B) Defendant A made best efforts to take technical, administrative, and physical protective measures required by relevant statutes, such as network, server, security system of each class of devices, intrusion prevention system, personal phish, etc., the promotion of personal information encryption, the storage, preservation, and regular monitoring of access data processing systems such as major data processing systems, the user account control system and access right control system capable of accessing the data processing system in which personal information is stored, the support storage media such as USB Mack Card, security measures and real name system for printed materials including personal information, the change of personal information, the use of information security measures and real name system, the preparation of information protection regulations, and the establishment of personal information protection organization, the management and supervision of external employees, the implementation of regular personal information protection education, the establishment of personnel, organization, the establishment of budgetary security infrastructure, and the control of the shipping of computer equipment.

C) As a project manager (PM), since it was located in a location where the card customer information in an uncrypted state is to be seen as in order to carry out data processing operations, whether Defendant A encrypted the card customer information provided to Defendant B does not have any connection with the instant leakage accident. In order to prevent the leakage of card customer information, Defendant A installed and operated DRM, which is a document encryption crypt, in each personal computer, in order to prevent the leakage of card customer information, and DRM, which is a document encryption crypt, was installed and operated normally on the computers connected to the server and downloaded the card customer information.

D) Defendant A established a DB Access Controler (DB Safer) with respect to FDS operators and stored and managed access routes. With respect to FDS development servers, Defendant A used the log recording function provided by the operating system (OS andO) and stored and managed access records by installing fire walls between computers used by employees of the external company and FDS development servers. Furthermore, the records on the operation of the computer system are used only for tracking the leakage route or criminals when the leakage accident occurred, and do not constitute a precautionary measure against the leakage accident. Thus, there is no proximate causal relation with the occurrence of the leakage accident.

3) Determination

In light of the above legal principles, this case is examined.

A) Whether the Information and Communications Network Act is applied

(1) Article 32 of the Information and Communications Network Act provides that a provider of information and communications services, etc. may claim damages against the provider of information and communications services, if the provider of information and communications services, etc. commits an act in violation of the provisions of this Chapter. In this case, the provider of information and communications services, etc. shall not be exempt from responsibility unless the provider of information and communications services proves that there is no intention or negligence, and Article 2(1)3 of the same Act provides that the provider of information and communications services refers to a telecommunications business operator defined in Article 2(8) of the Telecommunications Business Act and a person who provides or arranges the provision of information using telecommunications services by a telecommunications business operator for profit, and subparagraph 4 of the same Article

(2) In light of the fact that Defendant A recruited card members and provided various services through an information and communications network to card members, Defendant A is deemed to fall under a provider of information and communications services under the Information and Communications Network Act. In addition, leakage of personal information protected under the Information and Communications Network Act refers to the fact that personal information is beyond the management and control of the relevant provider of information and communications services and leads to a situation where a third party becomes aware of the details thereof. The recruitment of card members is made by many offlines, and Defendant A seems to provide related services to the members who joined the Internet homepage operated by Defendant A. Accordingly, it is difficult to conclude that the above Plaintiffs do not fall under the user of information and communications services provided by Defendant A. Accordingly, Defendant A’s disclosure of personal information by means of the Internet homepage operated by Defendant A does not constitute a user of information and communications services.

B) Whether the Public Agency Personal Information Protection Act applies

Article 22 of the former Personal Information Protection Act provides that an individual or organization, other than a public institution, shall take measures to protect personal information in accordance with the example of a public institution in processing personal information using a computer, etc., and the head of a relevant central administrative agency may present or recommend an opinion on the protection of personal information to an individual or organization, other than a public institution, if necessary to protect personal information. Thus, it is reasonable to deem that the defendant A also bears the duty to take measures to protect personal information granted to a public institution by the former Personal Information Protection Act. Thus,

C) Whether Article 9 of the Enforcement Rule of the Electronic Financial Supervision Regulations and Article 5(2) of the Enforcement Rule of the former Personal Information Protection Act are violated

(1) Article 21(2) of the former Electronic Financial Transactions Act provides that "financial institutions, etc. shall comply with the standards set by the Financial Services Commission with respect to the information technology sector and electronic financial services such as human resources, facilities, and equipment for electronic transmission or processing for each type of electronic financial transactions so as to ensure the safety and reliability of electronic financial transactions." Article 9(1) of the former Enforcement Rule of the Regulations on Supervision of Electronic Financial Transactions (wholly amended on May 24, 2012; hereinafter the same) provides that "financial institutions or electronic financial business entities shall establish and operate measures to protect electronic data, including the following, in order to prevent the leakage, destruction, etc. of electronic data." Article 5(2) of the former Enforcement Rule of the Personal Information Protection Act provides that "The head of an institution in possession shall check the current status of possession and management of auxiliary memory media and obtain confirmation from the manager." Article 9(1) of the former Enforcement Rule of the Personal Information Protection Act provides that "the output of data should be immediately discarded and discarded."

(2) However, in light of the aforementioned provisions, Defendant A provided card customer information to C employees engaged in FDS development work on the ground of business necessity, and it should have accurately grasp the quantity of storage media, such as HDS development work by using information recorded on the inside or security program, etc., and where the storage media, such as HD development work, is carried out due to the completion of FDS development work, Defendant A has a duty to thoroughly manage and supervise the format by conducting a format directly. At will, in order to prevent addition, separation, and replacement of storage media, such as HD disc, etc., on the computer or HD disc, the digital disc carried in for FDS development by attaching a security spack (in the event of personal damage, the digital damage remains) to the HS development work.

(3) However, around April 2010, at the time of a credit card customer information leakage accident, Defendant A only received a certificate of the shipment of equipment from the Defendant’s employees to the Defendant’s office for the FDS development work and did not grasp the quantity of the internal and external hard disks imported. Defendant A merely instructed the employees to set the hard disc format at Defendant A’s security team when completing the FDS development work at Defendant A’s office, and did not directly set the hard disc or supervise whether it was format.

(4) As above, as Defendant A neglected to manage the HD disc, D could have used it to develop FDS around April 2010, with the FDS, left the HD disc in which Defendant A’s card customer information was stored. Therefore, Defendant A should be deemed to have violated Article 9(1)7 of the former Enforcement Rule of the Electronic Financial Supervision Regulations, Article 5(2) of the former Enforcement Rule of the Personal Information Protection Act, and Article 5(2) of the former Enforcement Rule of the Personal Information Protection Act.

D) Whether provisions relating to the provision of encrypted information by customers are violated

(1) Article 21(2) of the former Electronic Financial Transactions Act provides that "financial institutions, etc. shall comply with the standards set by the Financial Services Commission with respect to the information technology sector and electronic financial transactions such as human resources, facilities, and equipment for electronic transmission or processing of electronic financial transactions by type of electronic financial transactions so as to ensure the safety and reliability of electronic financial transactions." Article 13(1) of the former Electronic Financial Supervision Regulations provides that "financial institutions or electronic financial business entities shall establish and operate electronic data protection measures including the following in order to prevent the leakage, destruction, etc. of electronic data." Article 21(2) of the former Electronic Financial Transactions Act provides that "a financial institution or electronic financial business entity shall establish and operate electronic data protection measures including the following," and Article 13(1) of the former Electronic Financial Supervision Regulations provides that "a financial institution or electronic financial business entity shall control access to and output of user information and prohibit the use of test information (if it is inevitable to use test, etc., it shall be deleted immediately after the test is terminated)."

On the other hand, Article 15 (4) of the Enforcement Decree of the Information and Communications Network Act provides that "the provider of information and communications services or similar shall take the following security measures so that personal information can be stored and transmitted safely pursuant to Article 28 (1) 4 of the Act, and Article 15 (2) 2 of the same Act provides "crypt storage of financial information, such as resident registration numbers and account information" and "other security measures using encryption technology" respectively.

(2) Nevertheless, Defendant A’s act of providing information on card customers not converted for the FDS development project at the time of the occurrence of a credit card customer information leakage and neglecting without any particular management and supervision on the use thereof constitutes a violation of the enforcement rules of the former Electronic Finance Supervision Act and Article 15(4)2 and 4 of the Enforcement Decree of the Information and Communications Network Act.

However, notwithstanding the above provisions of the Act and subordinate statutes, Defendant A provided card customer information which has not been modified under the existing FDS development practices from the conclusion stage of the contract for the development of FDS, but did not closely examine whether the modified card customer information during the FDS development process is essential and its scope, the possibility of replacing modified card customer information, etc.

(3) Therefore, Defendant A is in violation of the relevant provision that it should not provide encrypted card customer information.

4) Sub-committee

As above, Defendant A provided the cause of an accident involving the personal information of the third party Plaintiffs in this case by violating the enforcement rules of the Information and Communications Network Act and the legal obligations related thereto, and the circumstances cited by Defendant A alone do not interfere with the aforementioned recognition. Therefore, Defendant A is liable to compensate for damages suffered by the said third party on the grounds of the tort under the Civil Act and Article 32 of the former Information and Communications Network Act (amended by Act No. 14080, Mar. 22, 2016) with respect to the divulgence of the customer information of a card around April 2010.

B. Determination as to Defendant A’s divulgence of customer information around December 2013

1) Determination as to Defendant A’s claim

A) The key issue of this part of the claim

Article 39(1) of the Personal Information Protection Act provides that "the subject of information may claim damages against a personal information manager if he/she causes damage to a personal information manager due to a violation of this Act. In such cases, the personal information manager shall not be exempted from liability unless he/she proves that the personal information manager had no intention or negligence." Thus, first, the issue of whether there is a violation of the Personal Information Protection Act and subordinate statutes or whether there is a violation of the Personal Information Protection Act and subordinate statutes is examined. In cases of tort liability under the Civil Act, the defendant A's assertion about the absence of intention or negligence is examined. In the case of tort liability under the Civil Act, the legal principles are equally applied to the case of the outflow accident at around April 2010,

B) Determination on the violation of the Personal Information Protection Act

(1) Whether Article 9 of the Personal Information Safety Standards violates

(A) Article 29 of the former Personal Information Protection Act and Article 30(1)5 of the Enforcement Decree of the same Act provide that a personal information manager shall install and operate a security program, such as back-to-date software, which can prevent and treat malicious programs, etc. (the Ministry of Public Administration and Security Notice No. 2011-43; hereinafter the same shall apply). Meanwhile, Defendant A’s security program prohibits the use of a computer for business purpose by connecting the use of the computer. In addition, Defendant A’s security program has a duty to manage and operate such program, barring special circumstances, where personal information is stored in the computer for business purpose and the function of using the USB camera can be easily carried in and taken out of it. In light of the fact that there is a very high risk of leakage of personal information by using the USB camera, which is small in size and other goods, there is a limit to blocking the entry and removal of the USB camera itself, and there is no possibility that any person can easily use such information by installing and operating it.

(B) Comprehensively taking account of the purport of the entire arguments as seen earlier, D was an additional entry of two computers for Defendant B’s business in September 2013 while working in Defendant A office for FDS development from around December 2012. D was unable to use the function of using USB from the office-based computer when installing a security program provided by Defendant A. However, among the computers additionally introduced, D was not equipped with a document, such as a report, etc., in one of the aforementioned additional computers stored in the USB camera, and sent them to Defendant B, if necessary, or did not install a security program for the purpose of storing data by accessing smartphones, and transmitting them from smartphones to e-mail. Defendant A’s employees did not verify whether the aforementioned computer was additionally introduced, even if Defendant A’s employees were aware of the fact that it was installed in the said additional computer’s access network, which did not have the authority to use the aforementioned digital network access device to make it available to Defendant AB.

According to the above facts, Defendant A did not verify the existence of a computer carried in by Defendant B for the FDS development work at the time of the occurrence of the customer information leakage by Defendant A around December 2013, and whether Defendant B installed and maintained a security program. As such, one of the computers brought in by Defendant A was left unattended to be used for the work without a security program to be continuously installed, and as a result, it could facilitate the leakage of DNA’s customer information. Accordingly, Defendant A violated Article 9 of the Act on the Safety Measures for Personal Information.

(2) Whether a provision relating to the provision of encrypted information is violated

(A) Article 29 of the former Personal Information Protection Act and Article 7(2) of the Enforcement Decree of the same Act provide that "where a personal information manager transmits, receives, or transmits, through an information and communications network, personal information (referring to personally identifiable information, password and bio-information) pursuant to paragraph (1) through an information and communications network, he/she shall encryption it." Article 7(8) of the same Act provides that "where a personal information manager stores and manages personal information on a computer for business purposes, he/she shall store it after encryption using the commercial encryption software or safe encryption algorithm, and the above legislation does not provide exceptions to the duty to decry personal information, including unique and non-discry information."

In addition, Article 21(2) of the former Electronic Financial Transactions Act (amended by Act No. 11814, May 22, 2013; hereinafter the same) provides that "financial institutions, etc. shall comply with the standards set by the Financial Services Commission with respect to personnel, facilities, and electronic equipment for electronic transmission or processing of electronic financial transactions by type of electronic financial transactions so as to ensure the safety and reliability of such electronic financial transactions." Article 13(1) of the former Electronic Financial Supervisory Regulations (amended by Act No. 2013-39, Dec. 3, 2013; hereinafter the same) that embodys such standards provides that "financial institutions or electronic financial business entities shall establish and operate measures to protect electronic data, including the following, in order to prevent the leakage, destruction, etc. of electronic data." Article 21(2) of the same Act provides that "The financial institutions, etc. shall control the access to and output of user information, but shall immediately delete user information (in cases of inevitable use, such as testing, etc. by converting user information.).

(B) Defendant A’s act of providing card customer information, including personally identifiable information not modified by encryption, etc., to Defendant B’s employees conducting the FDS development work at his office, to be used in the FDS development work by storing it in an auxiliary storage medium, such as hard disks, and neglecting the use without any specific management and supervision, constitutes a violation of each provision of the FDS development.

On the other hand, Article 7(5) of the Personal Information Safety Measures Act provides to the effect that encryption may not apply to the storage of personally identifiable information on an internal network, based on the results according to risk analysis. However, it appears to the purport of regulating the method of storing personally identifiable information on the internal network, such as FDS. In particular, Article 7(2) and (8) of the Standards for Measures to Secure the Safety of Personal Information does not provide for exceptions to encryption obligations in cases where personally identifiable information is delivered through auxiliary storage media, etc. or stored and managed on a computer for business purposes, even if it is possible to include inevitably modified card information in the FDS development process, it is not necessary to ensure the safety of personal information, even if it is not modified in the development process, and Article 7(2) and (8) of the former Electronic Finance Supervision Regulations and Article 13(1)10 of the former Electronic Finance Supervision Regulations, which does not necessarily require the development and implementation of the Act and subordinate statutes to ensure the possibility of the use of such information by the relevant employee's personal information to the development and implementation of the Act.

C) Determination on Defendant A’s assertion

Defendant A asserts that there is no negligence of Defendant A for the following reasons, which is similar to the assertion as to the determination of negligence in the outflow accident around April 2010. However, the evidence cited by Defendant A alone is insufficient to acknowledge that there is no negligence of Defendant A, and there is no other evidence to acknowledge that there is no negligence of Defendant A. Therefore, this part of the allegation by Defendant A is without merit.

① There is no provision in the Personal Information Protection Act and the Enforcement Decree of the same Act that controls the entry and exit of USBs, and it is practically impossible to completely control the Bans and entry of a portable storage medium with a very small size like USB domains. Defendant A had all computers carried in in the company to control the use of USB domains installed a medium control program, such as USB domains, on all computers carried in in the company. Defendant A taken measures to ensure that personal information is stored in USB domains due to DRM so that it can not be confirmed from the outside even if it is stored in the USB domains.

② Defendant A established a DB access controler (DB Safer) with respect to FDS operators and stored and managed access routes, and used the log recording function provided by the operating system (OS,O) with respect to FDS development servers, and stored and managed access records by installing fire walls between computers used by employees of the outsourcing company and FDS development servers. Furthermore, the records of the details of the operation of the computer system are used only for the purpose of tracking the leakage route or the offender after the occurrence of the leakage accident, and do not have any prior measures to prevent the leakage accident, and there is no proximate causal relation with the occurrence of the leakage accident.

D) Sub-committee

As above, Defendant A provided the cause of an accident involving the leakage of the card customer information containing the Plaintiffs’ personal information of this case by violating the legal obligations under the Personal Information Protection Act, etc. to be observed by the personal information manager for the protection of personal information. Thus, Defendant A is liable to compensate for damages suffered by the said Plaintiffs due to the occurrence of an accident involving the leakage of card customer information pursuant to the Civil Act and Article 39 of the Personal Information Protection Act.

2) Determination as to the claim against Defendant B

A) Defendant B’s assertion

Defendant B faithfully performed the duty of appointment, management, and supervision of D who has been dispatched to the workplace of Defendant A, and served in the workplace of Defendant B. Defendant B cannot be deemed to bear all the duty of management and supervision of D’s affairs to the extent of all scope in relation to the development of FDS and the service of the Business. Defendant B’s duty of supervision is limited to general and abstract supervision of D’s affairs, but Defendant B’s duty of supervision is limited to the general and abstract supervision of D’s affairs, whereas D’s individual and specific management and supervision of the duties (in particular, receipt and handling of customer information) performed in the course of the development and the service of Defendant A’s FDS. In addition, even if Defendant B fulfilled the duty of management and supervision of FD, it could not avoid the occurrence of the result of the Plaintiffs’ credit card disclosure. Accordingly, Defendant B’s employer’s liability should be exempted pursuant to the proviso or the latter part of Article 756(1) proviso or the latter part of the Civil Act.

B) Determination

(1) Whether a direct liability for damages occurred

The Plaintiffs asserts to the effect that Defendant B is a trustee under Article 26(2) of the Personal Information Protection Act, and thus, he/she did not comply with the relevant statutes even though he/she was obligated to comply therewith. Article 26 of the Personal Information Protection Act does not apply mutatis mutandis to Article 39 of the Personal Information Protection Act, and thus, Defendant B bears a direct liability for damages arising from the violation of the Personal Information Protection Act and the Enforcement Decree of the same Act. Therefore, even if Defendant B’s liability for damages is separate from the liability for damages arising from Defendant B’s employer’s liability, this part of the Plaintiffs’ claim

(2) Relation to performance of affairs

The phrase "in relation to the performance of an employee's business", which is an element for an employer's liability under Article 756 of the Civil Act, means that if an employee's unlawful act appears objectively to be objectively related to the employee's business activity, performance of business, or performance of business affairs, without considering the offender's subjective circumstances, the employee's intentional act is deemed to have been committed with respect to the execution of business affairs. In a case where the employee committed an harmful act to another person based on his/her intent, the employee's intentional act is not itself, but is in close vicinity to the employer's business time and place in the whole or part of the employee's business affairs, or where the motive for the harmful act is related to the employee's business affairs, the employer's liability is established by deeming that it is related to the act of the employee's external and objective performance of business affairs. In such cases, whether the employer has caused the occurrence of danger and the lack of preventive measures may be additionally considered for the fair burden of

In light of the above facts acknowledged in light of the above legal principles, D's act of releasing customer information in the course of performing the FDS development work with other employees of Defendant B at the office provided by Defendant A according to the FDS development contract between Defendant B and Defendant A, who is the employer, and D's act of leaking customer information was related to the act of releasing the card's customer information on December 2, 2013 by Defendant A, because it is related to the act of releasing the card's customer information on the external and objective basis of the FDS development service contract between Defendant B and Defendant A, it is reasonable to deem that Defendant B's act of releasing the card's customer information was conducted with respect to the execution of the work, which is the execution of the FDS development service by Defendant B, even if it is not necessarily necessary to do so even if it is not necessarily necessary to change the card's customer information for the development of FDS.

(3) Due care in appointment and supervision.

With respect to the liability under Article 756(1) and (2) of the Civil Act, if an employer or a supervisor of affairs on behalf of an employer has paid considerable attention to or considerable attention to the appointment and supervision of affairs of such employee, the employer is not liable for damages, but such circumstances must be asserted and proved by the employer, etc. (see, e.g., Supreme Court Decision 97Da58538, May 15, 1998).

It is insufficient to recognize that Defendant B paid considerable attention to appointment and supervision of affairs to Defendant B solely based on the evidence submitted by Defendant B, and there is no other evidence to acknowledge that the damage was caused by the divulgence of the card customer information even though Defendant B paid considerable attention to appointment and supervision of affairs, and there is no other evidence to prove otherwise. Defendant B’s assertion is without merit.

C) Sub-decision

Therefore, Defendant B, an employee of Defendant B, caused damage to each of the Plaintiffs of this case by leaking customer information about the performance of his/her duties on December 2013. Thus, Defendant B, as an employer of Defendant A, is liable to compensate the said Plaintiffs jointly with Defendant A pursuant to Article 756(1) of the Civil Act (However, Defendant A’s demand and supply company for the development of FDS at the time of the leakage of customer information on the card around April 2010, and thus, Defendant B cannot be held liable to compensate for such damage).

5. Determination on the scope of liability for damages

A. The defendants' assertion

1) Defendant A’s assertion

A) In the case of customer information leaked on April 2010, there was a risk of distribution by delivering only 2.55,00 card information among the customer information leaked to a third party. The remaining 7.680,00 card customer information was deleted or seized to an investigation agency without being delivered or distributed to a third party. Therefore, it cannot be said that the data subject of the card customer information, which was not distributed to a third party, suffered mental damage to compensate for consolation money in relation to the divulgence of the card customer information. The remaining part of the card customer information was delivered to a third party, but the plaintiffs did not have any evidence that the information was transferred to a third party, but the plaintiffs did not prove that the plaintiffs' mental damage was caused to the second plaintiffs of this case, unless the plaintiffs prove that they were the data subject of the personal information distributed to a third party.

B) In the case of customer information leaked on December 2013, 2013, it was arrested by D and the pertinent information was seized, and thus did not have been distributed to a third party. Therefore, it cannot be said that the Plaintiffs suffered mental damage that could compensate the Plaintiffs for the damages as consolation money in relation to the leakage of customer information on the said card.

2) Defendant B’s assertion

In this case, customer information leaked in a card is less likely to be used in actual financial transactions, and it is difficult to regard that the relevant information could be used in detail despite the leakage of personal information, and since the information leaked before being distributed to a third party was fully collected, the scope of the leakage of personal information does not extend beyond co-offenders. Therefore, there is little possibility of infringement of infringement of additional rights, and in fact there is no possibility that secondary damage has occurred. Considering the fact that Defendant A promptly copes with the divulgence of personal information and takes measures to prevent the occurrence and spread of damage, it cannot be said that mental damage has occurred to each of the Plaintiffs of the 2 and 3 of this case.

Even if the liability for damages is recognized against Defendant B, the liability of Defendant B is significantly more severe than that of Defendant B with respect to the divulgence of credit card customer information, and the liability of Defendant B with respect to the existence of Defendant B, who has an important role in the field of domestic financial industry credit risk management, needs to be reasonably restricted.

B. Relevant legal principles

1) Where an employee who manages personal information leaks the collected personal information against the intent of the subject of information, the determination of whether the subject of information caused a mental damage to compensate as consolation money shall be based on a specific case, comprehensively taking into account the following: (a) the type and nature of the leaked personal information; (b) the type and nature of the leaked personal information; (c) whether the subject of information could be identified by the divulgence; (d) whether the leaked personal information was perused by a third party; (e) whether the leaked personal information was accessible or could be perused in the future; (e) the extent to which the leaked personal information was spread; (e) whether there was additional infringement of legal interests; (g) the fact that the subject of information managed the personal information; and (e) how the personal information was leaked; and (g) what measures were taken to prevent the occurrence and spread of damage caused by the divulgence (see Supreme Court Decision 2011Da59834, Dec. 26, 2012).

2) A claim for damages arising from a tort is established when the actual damage occurred, and whether the actual damage occurred should be determined objectively and reasonably in light of social norms (see, e.g., Supreme Court Decision 2000Da53038, Apr. 8, 2003).

C. Determination

1) Whether mental damage occurred or not

First, in light of the above legal principles, we examine whether each of the plaintiffs of the second and third cases can be deemed to have suffered mental damage.

A) In the case of Defendant A’s divulgence of customer information around April 2010

(1) On April 2010, Defendant A’s personal information of the 2010 Plaintiffs of this case, which was leaked due to a credit card customer information leakage accident on or around April 2010, includes not only a resident registration number that serves as a basis for identifying individuals in their social and economic activities, but also a part of the Plaintiffs, such as a card number and validity period, a company address, a company address, a company telephone, a company telephone, a portable telephone, etc. The above information constitutes information that is highly likely to cause a high probability of identifying individuals and economic damage.

(2) We examine whether the leaked personal information was perused by a third party due to the divulgence of customer information in a card on April 2010 or whether there was a possibility of access by a third party. ① On April 2010, it is recognized as follows: (i) around January 201, the Defendant A member leaked the personal information under the name of approximately KRW 10,230,000,000 of the card and stored it on the h disc and stored it in the hact; (ii) the F provided the information under the name of approximately 2,50,000 of the card customers around January 201; and (iii) the F provided the personal information delivered to a large number of persons for financial business purposes, etc.

Comprehensively taking account of the purport of the entire arguments as seen earlier, D is acknowledged that: (a) it stated that there was no provision of approximately KRW 1,023,00 to the F, in addition to the provision of approximately KRW 2,52,000 customer information to the other person; and (b) the hard disc on which Defendant A card was stored with approximately approximately approximately KRW 1,023,00,000 customer information, was seized by the investigative agency while being kept by D.

However, in full view of the aforementioned evidence, D was arrested by an investigation agency on December 23, 2013 and began to be investigated by the Changwon District Prosecutors' Office about AM andN's act of leakage of customer information. On the following day, Defendant A made a statement that the investigation agency acknowledged the act of leakage of customer information. However, D had already been prosecuted by the Changwon District Court on January 8, 2014 and the criminal trial was pending on February 25, 2014 due to the seizure of hard disks containing customer information of the said card at the F's office on February 25, 2014 when Defendant A had a statement that recognized the act of leakage of customer information around April 2010.

In light of the records, it is difficult to recognize the credibility of the statement that D only provides F with approximately KRW 1,023,00,000,000, which was leaked from Defendant A to April 2010, based on D's criminal conduct or its sustainability. D is difficult to avoid the possibility of making a statement by setting the amount of customer information provided to F to reduce its own crime only on the card’s hard disc seized from F's office at the latest 3rd time. D's provision of customer information divulged to F around April 201, around 1, 201 for a considerable period of time to 300,000,000,000,000,000,000,000,0000,000,000,000,000,000,000,000,000,000,000,000,000,000,00.

(3) In full view of the fact that Defendant A leaked personal information around April 2010, the fact that Defendant A leaked the card customer information, and the fact that the relevant investigation was initiated on and around December 2013, Defendant A appeared to have failed to fulfill his/her duty of care in handling personal information in the process of making decisions on providing card customer information that was not converted to Defendant A, etc. (in the case of AO corporation which performed the work to improve the FDS system at a similar time, it appears that the method of providing personal information and the status of ex post facto management and supervision were insufficient.

(4) Ultimately, it is reasonable to view that the Plaintiffs 2 of the instant case suffered emotional distress due to the leakage of customer information by means of social norms around April 2010.

B) In the case of Defendant A’s divulgence of customer information around December 2013

(1) Comprehensively taking account of the purport of the entire arguments as seen earlier, D is recognized that around December 2013, Defendant A’s card customer information was leaked and stored and stored in the computer at his own home, and D attempted to deliver it to F in the future, but was arrested by an investigative agency on December 23, 2013, and that D’s card customer information leaked around December 2013 was seized by the investigative agency on the same day.

(2) Examining the aforementioned facts in light of the legal principles as seen earlier, it appears that D would not have any intent to abuse personal information by itself, except for the transfer of personal information leaked to a third party as a professional human resource for the development of FDS, and ② D would have been provided with a card customer information from Defendant A in the FDS development process and use it, but it seems unlikely to have known the specific contents of individual information, and it would have been the same even after the leakage of card and passenger information and stored it in the storage media, such as its own computer. ③ Even if the customer information leaked to Defendant A on December 2, 2013 was leaked, it is difficult to find that there was no possibility that the customer information leaked to another person or that there was little possibility that the customer information could have been provided to another person due to the occurrence of the personal information, in light of the period and circumstances up to the date of seizure and the fact that the customer information leaked to Defendant A 2 did not have any other duty to pay compensation for damages.

(3) Therefore, the part of the claim filed by each of the plaintiffs of this case Nos. 2 and 3 against the defendants on the grounds of the leakage of customer information of the card around December 2013 is without merit.

2) Scope of liability for damages

Furthermore, considering the scope of liability for damages, as seen above, Defendant A’s management status of customer information on around April 2010, including the details of the leaked personal information, the scope of dissemination and dissemination of the leaked personal information, and the details of ex post facto measures taken by Defendant A to prevent damage caused by the divulgence of personal information. Personal information leaked in this case includes resident registration numbers of a permanent and continuous nature, and it is difficult to eliminate the possibility of secondary occurrence and expansion of fraudulent damage caused by the stolen personal information. However, in light of the details of the leaked card customer information in this case or the purpose of acquiring the card customer information by the purchaser, it is not so significant that the possibility of property damage caused by the divulgence of the leaked personal information is not verified, and it seems that there is no need to provide specific customer information to the large number of unspecified customer information in this case, on the other hand, it appears that Defendant A’s use of the leaked personal information can be limited to the extent that it would have been necessary for each customer’s use of the information.

3) Sub-determination

Defendant A is obligated to pay damages for delay calculated at the rate of 15% per annum under the Civil Act from May 1, 2014, which is the date following the delivery date of the copy of the complaint of this case until February 16, 2017, which is the date of the decision of this case, to the extent that the above Defendant’s obligation is in existence and/or scope of such obligation, as claimed by the above Plaintiffs, as the result of leakage of customer information on each of the damages amounting to KRW 100,000 for each of the Plaintiffs of this case and around April 2010.

6. Conclusion

Ultimately, the claim against the 2nd Plaintiffs A is accepted within the scope of the above recognition, and the remainder is dismissed. The claim against the 3rd Plaintiffs is dismissed as it is without merit. It is so decided as per Disposition.

Judges

Judges Lee Jae-tae

Judges Dominh

Judge Lee Sang-hoon

Note tin

1) Attached Table 1 list is the list of all plaintiffs, and where a card customer information was leaked on April 2010 and December 2013, it is classified as the list of plaintiffs attached hereto, and where it was leaked on December 2013, it is classified as the list of plaintiffs attached Table 3.

2) In light of the amended purport of Article 39(3) of the Personal Information Protection Act and Article 39-2 of the same Act after each of the instant accidents occurred, the need to prevent the occurrence of the instant accident is an important area, and it seems reasonable to consider the need to prevent the occurrence of the instant accident in determining the amount of consolation money.