Main Issues
[1] Standard for determining whether a provider of information and communications services breached his/her legal or contractual duty to take necessary protective measures to ensure safety of personal information pursuant to Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.
[2] Where a provider of information and communications services takes technical and administrative protective measures stipulated in the “Standards for Technical and Administrative Protective Measures for Personal Information” (Korea Communications Commission Notice No. 2011-1), whether such provider may be deemed to have breached a legal or contractual duty to take necessary protective measures to ensure the safety of personal information (negative in principle)
[3] In a case where Party B et al., who entered into a contract for the use of information and communications services with Party A, sought damages against Party A, the case holding that the lower court erred by misapprehending the legal doctrine in determining that Party A failed to take the technical and administrative measures stipulated in the above notice and thereby caused the leakage of information, since, even if Party A did not cancel the right of access to the personal information processing system held by a person responsible for handling personal information who had retired, it is difficult to find a proximate causal relationship between that failure and the occurrence of the information leakage accident, and since Party A complied with the “Standards for Technical and Administrative Measures for Personal Information” (Korea Communications Commission Notice No. 201
[Reference Provisions]
[1] Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Act No. 11322, Feb. 17, 2012); Articles 390 and 750 of the Civil Act / [2] Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Act No. 11322, Feb. 17, 2012); Article 15 of the former Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Presidential Decree No. 25789, Nov. 28, 2014); Articles 390 and 750 of the Civil Act / [3] Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Amended by Act No. 11322, Feb. 17, 2012); Article 28(15) of the former Enforcement Decree of the Act
Reference Cases
[1] [2] Supreme Court Decision 2013Da4394, 44003 Decided February 12, 2015 (Gong2015Sang, 453); Supreme Court Decision 2015Da24904, 24911, 24928, 24935 Decided January 25, 2018 (Gong2018Sang, 491)
Plaintiff-Appellee
It is as shown in the attached list of plaintiffs.
Defendant-Appellant
KT Co., Ltd. (Bae, Kim & Lee LLC, Attorneys Hong-tae et al., Counsel for the defendant-appellant)
Judgment of the lower court
Seoul Central District Court Decision 2014Na70589 Decided July 21, 2017
Text
The judgment below is reversed, and the case is remanded to the Seoul Central District Court.
Reasons
The grounds of appeal are examined.
1. A. According to Article 28(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 11322, Feb. 17, 2012; hereinafter “former Information and Communications Network Act”), when a provider of information and communications services handles personal information, he/she is obligated to take technical and managerial measures, such as measures to prevent loss, theft, leakage, alteration, or damage of personal information, in accordance with the standards prescribed by Presidential Decree.
B. Determination as to whether a provider of information and communications services breached a legal or contractual duty to take necessary protective measures to ensure safety of personal information in accordance with Article 28(1) of the former Information and Communications Network Act and a contract for information and communications services, shall be based on whether the provider of information and communications services has taken protective measures to the extent reasonably expected by generally accepted social norms at the time of the intrusion, by comprehensively taking into account the following: (a) the level of information security technology generally known at the time of hacking and other intrusion; (b) the type of business and size of business of the provider of information and communications services; (c) overall security measures taken by the provider of information and communications services; (d) the economic cost and utility necessary for information security; (e) the degree
C. Meanwhile, Article 15 of the former Enforcement Decree of the Information and Communications Network Act (amended by Presidential Decree No. 25789, Nov. 28, 2014; hereinafter “former Enforcement Decree”) provides for the technical and administrative measures to be taken by a provider of information and communications services pursuant to Article 28(1) of the former Information and Communications Network Act, and Article 28(6) provides that “the Korea Communications Commission shall determine and publicly notify the matters provided for in paragraphs (1) through (5) and Article 28(1)6 of the Act as well as other specific standards for measures necessary to ensure the safety of personal information.” Accordingly, where a provider of information and communications services has taken the technical and administrative protective measures set out in the “Standards for Technical and Administrative Protective Measures for Personal Information” prepared by the Korea Communications Commission (Notice No. 2011-1; hereinafter “instant public notice”), it is difficult, barring special circumstances, to deem that the provider breached its legal or contractual obligation under Article 28(1) of the former Information and Communications Network Act to take the technical and administrative protective measures necessary to ensure the safety of personal information against hacking and other intrusions.
2. Regarding ground of appeal No. 3
Article 4(2) of the Notice of this case provides that the provider of information and communications services, etc. shall alter or cancel the authority to access the personal information processing system without delay if there is a change in personal information handler due to the change of personnel, such as transfer or retirement.
According to the records, on September 201, 201, before Nonparty 2 retired, Nonparty 1 had already obtained arbitrary values for the data variables necessary to communicate with the ESB server, and once connected to the Defendant’s VN, Nonparty 1 was able to communicate with the ESB server immediately without passing N-SETP portal authentication or N-SETP UI authentication. The instant hacking program was designed to access the ESB server directly without the above authentication and to extract the Defendant’s customer information, and the N-SETP system had no access-authority authentication procedure after the ESB server.
However, under such a structure, even if Nonparty 2’s access authority to the N-SETP system had been cancelled by deleting Nonparty 2’s N-SETP ID (ID number omitted) after Nonparty 2’s retirement, the ESB server could not have prevented the leakage of customer information by means of the instant hacking program, since it did not verify whether access authority had been cancelled. Moreover, even if Nonparty 1 had input an arbitrary seven-digit number in the N-SETP ID format instead of Nonparty 2’s ID, he could have accessed the ESB server through the instant hacking program. Therefore, even if the Defendant failed to cancel Nonparty 2’s access authority in violation of the above Notice, it is difficult to acknowledge a proximate causal relationship between that failure and the instant information leakage accident.
Nevertheless, solely on the grounds indicated in its reasoning, the lower court determined that the Defendant caused the instant information leakage incident by failing to take the measures stipulated in Article 4(2) of the Notice. In so determining, the lower court erred by misapprehending the legal doctrine on the aforementioned Notice and on proximate causal relationship, thereby adversely affecting the conclusion of the judgment.
3. Regarding ground of appeal No. 2
Article 5(1) of the Notice of this case provides that a provider of information and communications services, etc. shall regularly verify and supervise records of access to the personal information processing system by persons responsible for handling personal information at least once a month.
According to the records, the N-SETP system was designed so that a user inquiring about customer information would access the AUT server through the N-SETP portal and the N-SETP UI, and the Defendant, at the AUT server stage, detected customer information inquiries exceeding 1,00 items a day and took measures such as sending a warning message. It was difficult for the Defendant to anticipate and supervise the possibility that a third party would access the N-SETP system while bypassing the AUT server. Even on the lower court’s own findings, the Defendant cannot be deemed to have failed to take the verification and supervision measures described above at the AUT server stage.
Nevertheless, the lower court determined that the Defendant failed to take the technical and administrative measures under Article 5(1) of the Notice. In so doing, the lower court erred by misapprehending the legal doctrine on Article 28(1) of the former Information and Communications Network Act and the said Notice, thereby adversely affecting the conclusion of the judgment. The allegation contained in the grounds of appeal on this point has merit.
4. Conclusion
Therefore, without further proceeding to decide on the remaining grounds of appeal, the judgment of the court below is reversed, and the case is remanded to the court below for a new trial and determination. It is so decided as per Disposition by the assent of all participating Justices.
[Attachment] List of Plaintiffs: Omitted
Justices Park Jung-hwa (Presiding Justice)