Where the personal information collected by a person who manages the personal information was divulged against the intent of the subject of information, the standard for determining whether the subject of information suffered mental damage.

Articles 750 and 751 of the Civil Act

Supreme Court Decision 2011Da59834, 59858, 59841 Decided December 26, 2012 (Gong2013Sang, 219)

See Attached List of Plaintiffs (Law Firm Ulul, Attorneys Gu-US et al., Counsel for the plaintiff-appellant)

Korea National Card Co., Ltd. and one other (Law Firm Sejong & one other, Counsel for the plaintiff-appellant)

Seoul High Court Decision 2016Na2049021 decided January 12, 2018

All appeals are dismissed. The costs of appeal are assessed against the Defendants.

The grounds of appeal are examined.

1. As to the ground of appeal No. 1 by Defendant KNB Card

가. 원심은 그 판시와 같은 사실을 인정한 다음, 피고 주식회사 케이비국민카드(이하 ‘피고 국민카드’라고 한다)가 구 개인정보 보호법(2015. 7. 24. 법률 제13423호로 개정되기 전의 것)이 정한 개인정보처리자 또는 구 전자금융거래법(2013. 5. 22. 법률 제11814호로 개정되기 전의 것)이 정한 금융기관으로서 각 법률과 시행령 및 이를 구체화한 고시 등 관련 법령에서 정한 개인정보의 안전성 확보 또는 이용자 정보 보호에 필요한 조치를 취할 의무를 부담한다고 판단하였다. 그리고 피고 국민카드가 피고 코리아크레딧뷰로 주식회사(이하 ‘피고 크레딧뷰로’라고 한다)와 카드사고분석시스템(Fraud Detection System, 이하 ‘FDS’라고 한다) 개선 관련 용역계약을 체결하고, 피고 크레딧뷰로의 개발인력들에게 피고 국민카드 고객의 개인정보를 제공하여 취급하도록 하는 과정에서, 위 법령 규정을 위반하여 보안프로그램 설치 및 관리·감독의무, 개인정보 처리업무 위탁 시 기술적·관리적 보호조치에 관한 서면 약정 및 수탁자에 대한 교육·감독의무, 개인정보 암호화 의무, 단말기에 이용자 정보를 보관·공유하지 않을 의무, 접근권한 제한 등 보안조치를 취할 의무 등을 다하지 않았으므로, 이로 인해 개인정보가 유출된 원고들에 대하여 손해배상책임을 부담한다고 판단하였다.

B. Examining the relevant provisions and records, the lower court’s aforementioned determination is justifiable. In so doing, contrary to what is alleged in the grounds of appeal, the lower court did not err by misapprehending the legal doctrine regarding each of the above provisions, or by failing to exhaust all necessary deliberations, thereby exceeding the bounds

2. 피고 크레딧뷰로의 상고이유 제1, 2, 3점에 관하여

가. 원심은 그 판시와 같은 이유로, 피고 크레딧뷰로와 피고 국민카드의 FDS 개선 용역계약에 따라 피고 크레딧뷰로의 직원 소외인이 FDS 개발업무를 수행하는 과정에서 그 사무집행에 관하여 피고 국민카드의 고객정보를 유출하였고, 피고 크레딧뷰로가 사용자로서 소외인에 대하여 선임 및 사무감독에 상당한 주의를 하였거나 상당한 주의를 하였어도 고객정보 유출로 인한 손해가 발생하였을 것이라는 사실을 인정할 증거가 부족하므로, 피고 크레딧뷰로는 피고 국민카드와 공동하여 민법 제756조 제1항 에 따라 원고들에게 개인정보 유출로 인한 손해를 배상할 책임이 있다고 판단하였다.

B. Examining the relevant legal principles and records, such determination by the lower court is justifiable. In so doing, contrary to what is alleged in the grounds of appeal, the lower court did not err by misapprehending the legal doctrine regarding the performance of duties, exemption from liability, and causal relationship, or by exceeding the bounds of the principle of free evaluation of evidence against logical and empirical rules

3. 피고 국민카드의 상고이유 제2점, 피고 크레딧뷰로의 상고이유 제4점에 관하여

A. In a case where the personal information collected by a person who manages the personal information was divulged against the intent of the subject of information, whether there was a mental damage that can compensate the subject of information as consolation money should be determined on an individual basis based on a case-by-case basis, comprehensively taking into account the following: (a) the type and nature of the leaked personal information; (b) the type and nature of the leaked personal information; (c) the likelihood of perusal by the subject of information; (d) whether the leaked personal information was accessible or could be perused in the future; (e) the scope of the leaked personal information was spread; (e) whether there was additional infringement of rights due to the divulgence; (e) the situation in which the subject of information managed the personal information; and (e) what measures were taken to prevent the occurrence and spread of damage caused by the divulgence of personal information (see, e.g., Supreme Court Decision 2011Da59834, 598, 59841, Dec. 26, 2012).

B. After recognizing the facts as stated in its holding, the lower court determined that the personal information leaked in the instant card’s customer information leakage accident is not only recognizable to the Plaintiffs, but also can be abused for the second crime using it as closely related to the individual’s privacy and is highly likely to be perused or used by a third party. Therefore, it is determined that the Plaintiffs suffered mental damage due to the leakage of personal information by social norms has actually occurred, and that the Defendant determined consolation money to compensate the Plaintiffs as KRW 100,000,000, respectively, in consideration of various circumstances.

C. In light of the aforementioned legal principles and records, the above determination by the court below as to whether mental damage occurred is just, and the amount of consolation money determined by the court below is difficult to be deemed to have exceeded the bounds of discretion by significantly violating the principle of equity. In so doing, contrary to what is alleged in the grounds of appeal, the court below did not err by omitting judgment, misapprehending relevant legal principles, or failing to exhaust all necessary deliberations,

4. Conclusion

Therefore, all appeals are dismissed, and the costs of appeal are assessed against the losing party. It is so decided as per Disposition by the assent of all participating Justices on the bench.

[Attachment] List of Plaintiffs: Omitted

Justices Park Jung-hwa (Presiding Justice)