All appeals are dismissed.

The costs of appeal are assessed against the plaintiffs.

The grounds of appeal are examined.

1.(a)

Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 11322, Feb. 17, 2012; hereinafter “former Information and Communications Network Act”) provides that a provider of information and communications services shall take technical and administrative protective measures to prevent the loss, theft, leakage, alteration or damage of personal information in accordance with the standards prescribed by Presidential Decree.

In addition, the above provision provides that "1. Establishment and implementation of internal management plans to handle personal information safely."

2. Installation and operation of an access control device, such as a system for blocking intrusion to block illegal access to personal information;

3. Measures for preventing fabrication and alteration of access records;

4. Measures for security by using encryption technology and other methods for safe storage and transmission of personal information;

5. Measures for preventing intrusion of computer viruses, including installation and operation of white software;

6. Other protective measures necessary for securing safety of personal information are stipulated.

In addition, the former Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Presidential Decree No. 23104, Aug. 29, 201; Presidential Decree No. 23104, hereinafter referred to as the "former Enforcement Decree of the Information and Communications Network Act") delegated by Article 28

§ 15. Such technical and administrative measures as may be necessary for ensuring the safety of personal information to be taken by providers of information and communications services

More specifically defined.

Therefore, the provider of information and communications services is legally obligated to take technical and administrative measures necessary to ensure the safety of personal information as stipulated in Article 28(1) of the former Information and Communications Network Act.

Furthermore, a provider of information and communications services concludes a contract for the use of information and communications services with a user.