This English version was translated by Legal Engine's AI translation engine. Please send feedback on any part that needs correction.
(English) Seoul High Court Decision 2013Na20047, Decided March 20, 2015
2013Na20047 Damages (etc.) · 2013Na20054 (Consolidated) Damages (etc.) · 2013Na20061 (Consolidated) Damages (etc.) · (Consolidated) Damages (etc.)
Cases

2013Na20047 Damages (etc.)

2013Na20054 (Consolidated) Damages (etc.)

2013Na20061 (Consolidated) Damages (etc.)

2013Na20078 (Consolidated) Damages (etc.)

Plaintiff (Appointed Party) and appellee

1

2

3

4. D.

Plaintiff (Appointed Party) Law Firm ○○, et al., Counsel for the plaintiff-appointed Party)

Attorney OOO, OO, OO, OO,OO

Defendant, Appellant

A person shall be appointed.

Attorney ○○○, ○○○, ○○, ○○, ○○, ○○○

The first instance judgment

Seoul Western District Court Decision 2011Gahap1733, 2011Gahap13234 (Consolidated), 2011Gahap14138 (Consolidated) and 2012Gahap1122 (Consolidated), Decided February 15, 2013

Conclusion of Pleadings

February 11, 2015

Imposition of Judgment

March 20, 2015

Text

1. The part of the first-instance judgment against the Defendant is revoked, and all claims of the Plaintiff (Appointed Party) corresponding to the revoked part are dismissed.

2. The costs of the lawsuit shall be borne by both the first and second instances by the Plaintiff (Appointed Party).

Purport of claim and appeal

1. Purport of claim

The Defendant shall pay to the Plaintiff (Appointed Party) and to each of the Appointors listed in the Selection List in Annex 1 the sum of 1,000,000 each, together with interest at 5% per annum from July 26, 2011 until the date on which a copy of the complaint of this case is served, and at 20% per annum from the following day until the date of full payment.

2. Purport of appeal

The order is as set forth in the text.

Reasons

1. Determination as to the claim of some of the designated parties

The Plaintiff (Appointed Party) and the designated parties listed in the Selection List (hereinafter collectively "the Plaintiffs") assert, as the cause of the claim in this case, that the Plaintiffs' personal information collected by the Defendant was leaked through a hacking incident committed by a hacker whose identity is unknown, that this hacking incident occurred because of the Defendant's negligence in failing to fulfil its duty to protect personal information under the relevant laws or contracts listed in Attached Form 2, and that the Defendant must therefore compensate the Plaintiffs for the property damage and consolation money suffered as a result of the hacking incident.

First, as to the designated parties listed at Nos. 1 through 117, 1800 through 2241, 2653 through 2827 and 2855 through 2882 of the Selection List (hereinafter "some of the designated parties"; the Plaintiffs other than some of the designated parties are hereinafter "the remaining Plaintiffs"), there is no evidence that their personal information was leaked through the above hacking incident. (In the case of the remaining Plaintiffs, a notice or confirmation to the effect that their personal information was leaked from the Defendant is attached to each party's appointment document.) The claims of some of the designated parties are therefore without merit, without need to examine the remainder of their claims.

2. Basic facts

The following facts are either undisputed between the parties or are acknowledged by taking together the entries in Evidence A Nos. 1, 3, 43, 54, 56 and 57, Evidence B Nos. 17-1 through 17-14, 18-1 through 18-4, 30, 42, 51 and 54-1 through 54-4, the results of this court's verification of the access records of the DB server, and the whole purport of the pleadings.

A. Status of the party

1) The Defendant is a company that runs an Internet portal service offering search, community and other information, and provides online services such as NATE 1), NateOn 2) and Cyworld 3).

2) The remaining Plaintiffs, before the hacking incident examined below, joined one or both of the services provided by the Defendant and, on joining, provided the Defendant with personal information such as their name, resident registration number, ID, password, e-mail address, address and telephone number.

(b) A hacking incident;

1) A hacker whose identity is unknown and who is presumed to reside in China (hereinafter "the hacker of this case") had, at around 40:40 on July 21, 2011, used a scheduled task on the computer of F, a member of the technical team for the Defendant's database (hereinafter "DB"), to install in advance the malicious program nateon.exe, which has a function of attempting a reverse connection to ○○.com, an arbitrary domain name set up by the hacker. From July 26 to July 27, 2011, from an unknown location in China, the hacker connected from his own computer to F's computer, intruded into the Defendant's information and communications network, accessed the DB server storing NATE member information, the DB server storing Cyworld member information and the DB server storing the duplicate member information of both services (hereinafter "the DB servers of this case"), and transmitted the personal information processed and kept in the DB servers of this case (115 . 215 . 00 . 00 . 000 . 000) to the ◎◎◎◎◎ server (www.⑨000③.co.kr), a transit computer (hereinafter "the hacking incident of this case").

2) As a result of the hacking incident of this case, the personal information of 34,954,887 NATE or Cyworld members, including the remaining Plaintiffs, was leaked, and the leaked personal information included the member's name, resident registration number, ID, password, e-mail address, address and telephone number.

3) On July 28, 2011, the Defendant reported the hacking incident of this case to the police and the Korea Communications Commission, and notified NATE and Cyworld members that their personal information had been leaked by the hacking incident.

C. Access method to the database of the instant case

The normal route for accessing the DB servers of this case, located at an IDC (Internet Data Center) 4) in Seoul, from a Defendant employee's computer in the Defendant's office in Seoul is as follows.

1) The employee turns on the employee computer in the Defendant's office and logs in to Windows by entering a password.

2) The employee runs a web browser, connects to https://○○○.○○.co.kr and enters an ID and password; the virtual private network (hereinafter "VPN") 5) client program then runs and a VPN address is automatically assigned.

3) The employee next runs a remote access program 6) on the employee computer, enters the address of a gateway server 7), and enters an ID and password; the employee is then connected to the gateway server.

4) There were four gateway servers in total connected to the DB servers of this case, and to connect to the DB servers of this case one had to connect to one of those four gateway servers. The VPN addresses that could connect to the gateway servers were also restricted. On the other hand, the Defendant's structure was one in which a number of servers related to personal information were connected to the gateway servers; the Eglus DB server was also connected to the gateway server that was connected to the DB servers of this case, and because F was in charge of the Eglus DB server, the gateway server could be accessed from F's computer.

5) The DB servers, including the DB servers of this case, could be accessed only after authentication by ○○○ 8), a DB access control solution. A ○○○ agent 9) was installed on the gateway servers with a function to restrict, for each ○○○ ID, the DBs that could be accessed. The ○○○ IDs of G and H, the managers of the DB servers of this case, had been granted authority to access the DB servers of this case, whereas F's ○○○ ID had no such authority.

6) After passing ○○○ authorization, entering the ID and password of the operating system of the DB servers of this case via SecureCRT 10) connects the user to the DB servers of this case.

7) Entering the sqlplus user account and password in the above operating system environment gives access to the DB of the DB servers of this case. 11)

D. Details of the instant hacking incident

On July 28, 2011, the police began an investigation into the hacking incident of this case. According to the results of that investigation, the hacker of this case is understood to have leaked personal information by the following route.

1) Corporation I (hereinafter "I"), instead of distributing ○○, a file compression program, for a fee in the Republic of Korea, places advertising in part of the program window while the program runs. To replace that advertising, I transmits a file named "ALAD.Down" to the program through the ○○ Business Center server.

2) The hacker of this case created a malicious program with the same name as, but different from, the normal ALAD.Down file and, in order to install it on the computers of ○○ users in the Republic of Korea through I's ○○, used I's ○○ Business Center server as follows.

3) The hacker of this case set up a transit point on a computer located in China.

Y Its own “Y” connection with telescopic hynabs without sharing the dynabs, and stored “Y” in the dynab.

s g g g g gg gg gg gg g g g g g g g g l m l. dm g g g g g g g g g g g n

The hacker first copied the smpxml.dll file, etc., to the ISAPI 12) of the ○○○ website, then copied it again to the other four servers of ○○ ○○ ○○ ○○ in the same way; as a result, the smpxml.dll file was registered as an ISAPI filter.

4) With the smpxml.dll file registered as an ISAPI filter, when a computer with an IP address selected by the hacker, such as the Defendant's, requested "http://aldn.altools.co.kr", the primary download route established by I, it was instead directed to "http://infixon.softsum.org", the destination set by the hacker, and downloaded the malicious ALAD.Down file. Once the malicious ALAD.Down file is downloaded, the malicious ALAD.exe file is created and executed; that program is a keylogging program, and it runs the nateon.exe program so that keystrokes are stored on the computer as a file.

5) At around 08:58:27 on July 18, 2011, the computer of a Defendant employee in the ○○○ process first downloaded the malicious ALAD.Down file from "http://infixon.softsum.org". At around 14:59 on July 20, 2011, nateon.exe was created on the computer of F, a Defendant employee; at around 2 a.m. on July 21, 2011, nateon.exe was executed and the computer was infected; and at around 9 a.m. on July 23, 2011, F's computer executed the .exe file and the wiredowsc.d file.

6) From around 02:07 on July 26, 2011, the computers used by the hacker of this case connected to F's computer and, through it, accessed the DB servers of this case with the access authority of G, the Defendant's DB manager.

7) After intruding into the DB servers of this case, the hacker of this case created dump (dmp) 14) files of the personal information, compressed them, moved them to the gateway server, downloaded them from the gateway server to F's computer and G's computer using FTP 15), a communications protocol for transmitting and receiving files, and then transmitted them to China via the ◎◎◎◎◎ site, a transit point within the Republic of Korea. The detailed leak route is as follows.

A) Route of the leakage of NATE members' personal information

At around 03:42 on July 26, 2011, the hacker of this case, on the custdb2 computer (a DB server), stored the NATE member personal information DB as a dump-format file /data/cust.dmp using the exp 16) command; at around 04:18, copied the /data/cust.dmp file from custdb2 to /BACKUP on the pinfedb computer using the scp command; at around 04:25, compressed it on the pinfedb computer into the "/BACKUP/cus.dmp.bz2" file; at around 05:36, moved the /BACKUP/cus.dmp.bz2 file from pinfedb to C:\temp on the gateway server; at around 06:22, downloaded the \temp\cus.dmp.bz2 file from the gateway server to F's computer; at around 06:33, transmitted the "cus.dmp.bz2" file stored on F's computer to the ◎◎◎◎◎ site; and at around 10:03, transmitted the "cus.dmp.bz2" file from the ◎◎◎◎◎ site to China.

B) Route of the leakage of Cyworld members' personal information

The hacker of this case stored the Cyworld member personal information DB as a dump-format file /data/cymem.dmp; at around 05:08, copied the /data/cymem.dmp file from custdb1 to /BACKUP on the pinfedb computer using the scp command; at around 05:15, compressed /BACKUP/cymem.dmp on the pinfedb computer into the "/BACKUP/cymem.dmp.bz2" file; at around 05:36, moved the /BACKUP/cymem.dmp.bz2 file from pinfedb to C:\temp on the gateway server; at around 06:21, downloaded the \temp\cymem.dmp.bz2 file from the gateway server to F's computer; at around 06:32, transmitted the "cymem.dmp.bz2" file stored on F's computer to the ◎◎◎◎◎ site; and at around 09:44, transmitted the "cymem.dmp.bz2" file from the ◎◎◎◎◎ site to China.

C) Route of the leakage of the duplicate members' information

The hacker of this case stored the duplicate member personal information DB as a dump-format file /tmp/pits.dmp; at around 04:24, copied /tmp/pits.dmp onwards; at around 05:41, moved the /BACKUP/pits.dmp.bz2 file to C:\temp on the gateway server; at around 01:13 on July 27, 2011, downloaded the "C:\temp\pits.dmp.bz2" file from the gateway server to G's computer; at around 01:30, transmitted the "pits.dmp.bz2" file stored on G's computer to the ◎◎◎◎◎ site; and at around 06:30, transmitted the "pits.dmp.bz2" file from the ◎◎◎◎◎ site to China.

8) Meanwhile, using the malicious program with the function of attempting a connection to the domain name set up by the hacker, the hacker of this case intruded without access authority, more than 30 times from July 7, 2010 until the hacking incident of this case and at least 24 times from September 14, 2010, into a number of information and communications networks, including those of the Defendant and I.

9) On June 20, 2012, the police forwarded the case to the Seoul Central District Prosecutor's Office, which disposed of it by suspending prosecution against the hacker of this case, and it was determined that the Defendant's technical and administrative measures related to the hacking incident of this case did not violate the requirements prescribed in the relevant statutes.

3. Determination on the remaining plaintiffs' claims

A. Summary of the remaining plaintiffs' assertion

The Defendant, as an information and communications service provider, was obligated under the relevant laws listed in Attached Form 2 to protect the personal information, such as name, resident registration number, ID and password, that the remaining Plaintiffs, who are members of NATE or Cyworld operated by the Defendant, provided when joining. Nevertheless, the Defendant violated the technical and administrative protective measures set out below that are meant to block illegal access to personal information, failed to prevent the hacking incident of this case, and thereby allowed the remaining Plaintiffs' personal information to be leaked. The Defendant is therefore obligated under Article 32 18) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (before amendment by Act No. 11322, Feb. 17, 2012; hereinafter "the former Information and Communications Network Act") to compensate the remaining Plaintiffs for the damages arising from the leakage of their personal information.

In addition, the Defendant concluded membership contracts with the remaining Plaintiffs and, under the terms of service, bore the contractual obligation to establish and operate a security system to protect the remaining Plaintiffs' personal information and to take the technical and administrative measures necessary to ensure safety in handling it. In violation of the obligations set out below, the Defendant failed to prevent the hacking incident of this case, and the remaining Plaintiffs' personal information was thereby leaked; the Defendant therefore also bears liability for damages due to non-performance of its obligations under the membership contracts.

1) Negligence in failing to properly establish, or failing to use, an intrusion detection system or DLP solution 19) with real-time monitoring

Under Article 4(5)2 of the Standard for Technical and Administrative Protective Measures for Personal Information (Korea Communications Commission Notice No. 2011-1; hereinafter "the Notice of this case"), a system with a function to detect attempts at illegal leakage of personal information by analysing the IP addresses, etc., connected to the personal information processing system 20), that is, an intrusion detection system, must be established and operated. Since monitoring is the premise of detection, Article 45 of the former Information and Communications Network Act includes an obligation to monitor in real time information leaving the servers of this case for the outside. Under the Guidelines on the Methods, Procedures and Fees for Information Protection Measures and Safety Inspection (Korea Communications Commission Notice No. 2010-3; hereinafter "the Information Protection Guidelines"), an information and communications service provider must install and operate information protection systems such as intrusion prevention and intrusion detection systems, and must conduct real-time monitoring of major lines using monitoring tools, as technical and administrative protective measures.

In addition, the DLP solution used by the Defendant at the time of the hacking incident of this case had, among its various functions, the ability to identify or decrypt unencrypted personal information contained in the FTP files used to leak the information of this case, so that the FTP file transmission could have been identified and controlled; the Defendant, however, either did not set up those functions in the DLP solution or set the security level at will, and was negligent in its operation.

At the time of the hacking incident of this case, the personal information of approximately 30 million members was leaked, and large-volume transmission of the personal information of approximately 5 million members occurred. Had the Defendant properly established and operated an intrusion detection system or DLP solution, monitored abnormal signs in real time through its management and operation, and analysed the IP addresses related to the DB servers of this case, traffic, FTP file transmission and the like, it could have ascertained that copy commands, transmission commands and transmission were being performed on all of the personal information, and could sufficiently have prevented the leakage. At the time of the hacking incident, however, the Defendant did not use such functions, and although traffic was not high, a large volume of personal information totalling 10GB (2GB, 2GB and 6GB) was leaked to the outside; in this situation it is obvious that the Defendant's security control policy had been relaxed. The Defendant therefore violated technical and administrative protective measures by failing to monitor or detect in real time the traffic volume (FTP file transmission) on the DB servers of this case.

2) Negligence in using FTP programs and in failing to detect FTP file transmission

FTP is a file transfer protocol that makes it easy to transmit and receive large files, and because of its security vulnerability, under paragraph 8 of section 2 of [Attachment 1] of the Information Protection Guidelines and Article 26(4) of the Defendant's internal Personal Information Protection Work Manual, the Defendant was obligated, in order to secure the stability of its information and communications network, to remove the FTP client program from the gateway servers and from the computers of the DB server managers in relation to servers that keep personal information. Nevertheless, the Defendant did not remove the FTP client program from the gateway servers and the DB server managers' computers, and the hacker of this case leaked personal information from the DB servers using the FTP programs installed on the gateway server and on the computer of G, the DB server manager. Moreover, while the hacker of this case was sending the personal information files using FTP, neither the intrusion detection system installed at the IDC nor the intrusion detection system installed in the Defendant's office detected the file transmission at all, which is negligence.

3) Negligence in not requiring prior approval for the output of personal information

Under Article 8 of the Notice of this case and Article 31 of the Defendant's Personal Information Protection Work Manual, the output of personal information must be subject to prior approval by the person in charge of personal information management, and an approval system must be put in place so that personal information cannot be output without such prior approval. Nevertheless, the Defendant negligently failed to put such an approval system in place, and as a result the hacker of this case was able to output the personal information in the DB of this case as an electronic file and leak it to the outside.

4) Negligence in not controlling IP addresses and in allowing employees to share accounts

Of the Defendant's employees, only G and H had authority to access the DB servers of this case; F did not. In light of the fact that the DB servers of this case were nevertheless accessed through F's computer, which had no access authority to the DB servers of this case, the Defendant failed to comply with its statutory obligation under Article 4(5) of the Notice of this case to implement IP control. Furthermore, F habitually shared G's ID and password, which is also a violation of the duty to restrict access to the DB servers. As a result, the hacking was able to be carried out from F's computer, which had no access authority to the DB servers of this case, by exercising a manager's authority.

In addition, to avoid the inconvenience of entering the user account ID and password every time the Defendant's DB server managers accessed the DB servers, they entered the ID and password in advance in the environment settings and used a Quick Connect function that logs in automatically once selected; through the use of that function, G's ID and password became known to the hacker, and the DB servers of this case could be accessed by using the Quick Connect function. The Defendant thus negligently failed to prevent the use of a function that is vulnerable from a security standpoint, and this led to the hacking incident of this case.

5) Negligence in not using an authorized certificate or other additional means of authentication

Access from the Defendant's computers located in Seodaemun-gu, Seoul, to the DB servers of this case located at the IDC in Seongdong-gu, Seoul, some distance away, constitutes access to the personal information processing system from the outside, so that under Article 4(4) of the Notice of this case an authorized certificate or other additional means of authentication had to be applied in addition to authenticating the personal information handler by ID and password. The Defendant, however, applied only ID and password authentication and did not introduce any such additional means of authentication, and for that reason the hacker of this case was able to hack the DB servers of this case easily by the method described above.

6) Negligence in not blocking the reverse connection

According to the circumstances of the hacking incident of this case, the hacking incident became possible because F's computer, which had received the malicious program, attempted a reverse connection to an IP address set up in advance by the hacker when the malicious program ran, and that attempt succeeded. By contrast, when a computer in the same room operated by K Co., Ltd. (hereinafter "K"), which runs the portal site ▽▽▽▽▽, attempted the same reverse connection, it was blocked by K's intrusion detection system. In light of this, the Defendant, in violation of technical and administrative protective measures, kept the security of its intrusion detection system lower than K's, so that the above reverse connection could not be prevented and the hacking incident of this case resulted; this is negligence.

7) Negligence in not turning off all computers when leaving work

Since it was practically impossible for the hacker of this case to access F's computer while F was using it during working hours, the hacker attempted access after F had left work; had F turned off his computer when leaving work, the hacker's remote connection to F's computer would not have been possible. When an information and communications service provider manages personal information, it is basic to turn off every computer that is no longer in use after the employee has left work. Although F was bound by such rules, he left without turning off all of his computers, which allowed the hacker of this case to connect to the gateway server of this case through F's computer; the hacking incident could have been blocked.

8) Negligence in not logging out, or not configuring automatic logout, when leaving work

On July 25, 2011, the day immediately before the hacking incident of this case, F accessed the DB server from his own computer from 4:48 to 17:29 and, even after finishing the work, did not log out of the DB server. At the time of the hacking incident, there is a high possibility that the hacker did not know the ID and password of G's DB manager account; had F logged out of the DB server, or had the DB server been configured to log out automatically when no work is performed for a set time, the hacker of this case could not have accessed the DB server using F's computer. The Defendant's failure to take such measures is negligence.

9) Negligence in not properly securing the DB using the functions of ○○○

The intrusion detection system and the ○○○ program used by the Defendant for DB security had a variety of functions: management of the exp command, FTP programs and specific SQL 21) that served as the key parts of the leak; prior approval when personal information is stored or output from the DB servers of this case to the gateway server or to the outside; various monitoring and alerting; prohibition of access to the servers or DB information outside business hours; and prohibition of the storage and output of data. The Defendant, however, did not use all of the above functions of the intrusion detection system and the ○○○ program, which suggests that detection of the leak was neglected, and the hacking incident of this case is the result of that negligence.
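As an added illustration (not part of the judgment, and not the Defendant's or any vendor's code) of the kind of control the remaining Plaintiffs describe in items 1), 4), 8) and 9) above, the following Python script reviews DB-server access records against three rules: DB access only from the managers' own workstations (IP control), no manager account used from more than one host (account sharing), and export or large FTP transfers outside business hours. The log format, host addresses, account names, the authorized-host list and the size threshold are all constructed assumptions for the example; only the ideas (the exp command, FTP transfer, managers G and H, business-hours restriction) come from the text.

```python
"""Added example: rule-based review of constructed DB access records."""
from collections import defaultdict
from datetime import datetime, time

# Hypothetical access list: workstation IPs allowed to reach the DB server and
# the manager account each belongs to. Constructed values, not from the case.
AUTHORIZED_DB_HOSTS = {"10.0.1.10": "G", "10.0.1.11": "H"}
BUSINESS_HOURS = (time(9, 0), time(18, 0))
LARGE_TRANSFER_BYTES = 1 * 1024 ** 3  # flag outbound FTP transfers of 1 GiB or more

# Constructed log lines: "<ISO timestamp> <source host> <account> <action> <detail>"
# The unauthorized host 10.0.1.20 uses G's account off-hours, dumps a table and
# pushes a 2 GiB file over FTP; H's daytime activity from his own host is normal.
SAMPLE_LOG = """\
2011-07-25T17:10:00 10.0.1.10 G login db-server
2011-07-26T03:42:00 10.0.1.20 G login db-server
2011-07-26T03:50:00 10.0.1.20 G exp /data/cust.dmp
2011-07-26T06:22:00 10.0.1.20 G ftp 2147483648
2011-07-26T10:00:00 10.0.1.11 H login db-server
2011-07-26T10:05:00 10.0.1.11 H exp /tmp/test.dmp
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, account, action, detail = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "account": account,
            "action": action,
            "detail": detail,
        })
    return events


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review(events):
    """Return a list of (rule_name, event) findings for the three rules."""
    findings = []
    hosts_per_account = defaultdict(set)
    for ev in events:
        # Rule 1 (IP control): the DB server may only be reached from listed hosts.
        if ev["host"] not in AUTHORIZED_DB_HOSTS:
            findings.append(("unauthorized_host", ev))

        # Rule 2 (account sharing): flag the first time an account appears from
        # a second, different host.
        seen = hosts_per_account[ev["account"]]
        before = len(seen)
        seen.add(ev["host"])
        if len(seen) > before and len(seen) > 1:
            findings.append(("shared_account", ev))

        # Rule 3 (off-hours export / bulk transfer): an exp dump outside business
        # hours, or any FTP transfer at or above the size threshold.
        if ev["action"] == "exp" and outside_business_hours(ev["ts"]):
            findings.append(("offhours_export", ev))
        if ev["action"] == "ftp" and int(ev["detail"]) >= LARGE_TRANSFER_BYTES:
            findings.append(("large_ftp_transfer", ev))
    return findings


def rule_counts(text=SAMPLE_LOG):
    """Count findings per rule; convenient for a dashboard or a test."""
    counts = defaultdict(int)
    for rule, _ in review(parse_log(text)):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, ev in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:20s} {ev['ts'].isoformat()} {ev['host']} {ev['account']} {ev['action']}")
```

On the constructed log the script reports three events from the unlisted host, one account-sharing finding for G, one off-hours export and one large FTP transfer, while H's daytime work from his own host produces nothing. In practice the same rules would be fed by the access-control solution's logs and the gateway's transfer logs, and the host list and size threshold would be maintained as policy rather than hard-coded.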

B. Relevant legal principles

Article 28(1) of the former Information and Communications Network Act provides that an information and communications service provider shall take technical and administrative measures, in accordance with the standards prescribed by Presidential Decree, to prevent the loss, theft, leakage, alteration or damage of personal information, and enumerates as such measures: the establishment and implementation of an internal management plan for the safe handling of personal information (subparagraph 1); the installation and operation of access control devices, such as intrusion prevention systems, to block illegal access to personal information (subparagraph 2); measures to prevent the forgery or alteration of access records (subparagraph 3); security measures using encryption technology and the like so that personal information can be safely stored and transmitted (subparagraph 4); measures against infringement by computer viruses, such as the installation and operation of vaccine software (subparagraph 5); and other protective measures necessary to ensure the safety of personal information (subparagraph 6). An information and communications service provider therefore bears a statutory obligation to take the technical and administrative measures necessary for the protection of personal information as set out in each subparagraph of Article 28(1) of the former Information and Communications Network Act.

Furthermore, when an information and communications service provider concludes a contract for the use of its services with a person who wishes to use them, requests personal information from the user in accordance with its terms of use and collects it, it bears, as an obligation under the service use contract, the duty to take the protective measures necessary to ensure the safety of the personal information so collected so that it is not lost, stolen, leaked, altered or damaged.

However, information and communications services are provided through the Internet, which is characterized by "openness"; the networks, systems, operating systems, etc. established by a provider of information and communications services inevitably contain vulnerabilities that expose them to illegal intrusion by so-called "hackers"; considering the speed of technological development and the overall transaction costs to society, it is not easy to expect perfect security; hackers intrude upon the information and communications networks of providers and the related information systems through various means of attack that bypass or nullify the security measures the provider has taken; and security technology against hacking generally develops as an ex post facto response that supplements existing measures after new attack methods appear. In light of these special circumstances, in judging whether a provider of information and communications services has breached its statutory duty under Article 28(1) of the former Information and Communications Network Act, or its contractual duty under the service contract, to take the measures necessary to ensure the safety of personal information, it should be determined whether the provider took the protective measures reasonably expected under social norms at the time of the hacking or other intrusion, comprehensively considering the generally recognized level of information security technology at the time of the intrusion, the type and scale of the provider's business, the details of the overall security measures taken by the provider, the economic costs necessary for information security and their utility, the level of hacking technology and the degree of development of information security technology, the possibility that the provider could have avoided the intrusion, the content of the personal information collected, and the extent of damage suffered by users due to the leakage, etc.

In particular, Article 15 of the former Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Presidential Decree No. 24047, Aug. 17, 2012; hereinafter the "former Enforcement Decree of the Information and Communications Network Act") sets out, in paragraphs (1) through (5), specific protective measures for each of the technical and administrative measures provided in the subparagraphs of Article 28(1) of the former Information and Communications Network Act, and further provides in paragraph (6) that the Korea Communications Commission shall determine and publicly announce detailed standards for the matters referred to in paragraphs (1) through (5) and for the other protective measures necessary to ensure the safety of personal information under Article 28(1)6 of the Act. The Notice of this case, prepared by the Korea Communications Commission, specifies the technical and administrative matters that providers of information and communications services must observe under Article 28(1) of the former Information and Communications Network Act and Article 15(6) of the former Enforcement Decree, taking into account the level of technology at the time of the hacking or other intrusion.22) Since the Notice of this case provides the specific criteria for protective measures, where a provider of information and communications services has taken the technical and administrative protective measures prescribed in the Notice, it is difficult, unless there are special circumstances, to deem that the provider has breached its statutory or contractual duty to take the protective measures necessary to ensure the safety of personal information (see Supreme Court Decision 2013Da43994, 44003, Decided February 12, 2015, etc.).

On the other hand, it cannot be presumed that a provider of information and communications services failed to take all technical and administrative protective measures solely because the hacking could have been sufficiently prevented had a function of the hardware or software established by the provider been utilized but that function was not used. The party asserting it must prove that the hardware or software established by the provider had such a function, and that the statutes or contract relating to information and communications networks obligated the provider to use that function as a technical and administrative protective measure.

C. Determination

In accordance with the aforementioned legal principles, we examine, item by item, the remaining plaintiffs' claim that the Defendant was negligent in breaching its contractual duty, or its duty under the statutes relating to information and communications networks, to take technical and administrative protective measures for the protection of personal information.

1) As to negligence in not using an appropriate intrusion detection system or DLP solution, such as not conducting real-time monitoring

(A) Whether real-time monitoring or DLP solution is required

First, as to whether the Defendant was obligated, as a technical and administrative protective measure for the protection of personal information, to monitor in real time information leaked in large volume from the database of this case or to use a DLP solution: taking into account the overall purport of the pleadings together with the entries in Gap evidence Nos. 83, 89, 105, 106-1 and 2, and 17-1 to 14, and Eul evidence Nos. 46 and 47, the following facts can be acknowledged. At the time of the hacking incident many business operators were generally using DLP solutions, and in particular the DLP solution of J, a corporation established by the Defendant, was used by more than 100 business operators. That DLP solution is a data leakage prevention system which detects or blocks the external outflow of electronic documents and data stored in user computers, records the outflow route, and provides functions for preventing, monitoring and tracking data leakage; it can identify files containing information of particular patterns, such as name, address, telephone number, e-mail address, resident registration number and account number; when such information is about to be leaked it warns the manager, blocks or temporarily blocks the leakage and lifts the block upon approval by a superior; and it allows the manager to check the leakage status through a real-time leakage inquiry screen. The △△△△△△ monitoring program, using a number of probes (measuring devices) at the same time, can monitor traffic at a particular point and at the switch level, and can also monitor the SQL server and the OS.

However, Article 15(2)2 of the former Enforcement Decree of the Information and Communications Network Act provides, as one of the protective measures, the establishment and operation of an intrusion prevention system and an intrusion detection system to block illegal access to the personal information processing system, and accordingly Article 4(5) of the Notice of this case provides that a provider of information and communications services shall install and operate a system that includes the function of restricting unauthorized access to the personal information processing system by IP address, etc. (subparagraph 1) and the function of detecting illegal attempts to leak personal information by analyzing the IP addresses, etc. connected to the personal information processing system (subparagraph 2), in order to prevent illegal access and intrusion incidents through information and communications networks. In light of the content and purport of these provisions, subparagraph 1 refers to the intrusion prevention system and subparagraph 2 to the intrusion detection system. It is difficult to see that these provisions also require the establishment or operation of a function for monitoring in real time information leaked in large volume from the database of this case, or a function for detecting or blocking the external disclosure of electronic documents and data stored in user computers and for monitoring and tracking such disclosure, and there is no other evidence to acknowledge this.

As to this, the remaining plaintiffs allege that the Defendant could have prevented the leakage of information had it properly utilized the DLP solution or the △△△△△△ monitoring program to monitor the volume of data transmission and FTP transmission, and that the Defendant was negligent in not doing so. However, whether such a function could be realized and whether the laws relating to information and communications networks or the contract obligated the Defendant to realize it are different matters, and the Defendant cannot be deemed to have violated the technical and administrative protective measures to block illegal access to personal information solely because it did not use the above function.

Meanwhile, Article 45(1) of the former Information and Communications Network Act provides that "a provider of information and communications services, etc. shall take protective measures to ensure the stability of the information and communications network and the reliability of the information used for the provision of the services"; paragraph (2) provides that "the Korea Communications Commission may determine and publicly notify guidelines for information protection prescribing the details of the protective measures under paragraph (1), as well as the methods, procedures and fees for safety inspections of information protection measures, and may recommend providers of information and communications services to comply therewith"; and paragraph (3) provides that the information protection guidelines shall include technical and physical protective measures, such as the installation and operation of information protection systems, to prevent or respond to intrusion into the information and communications network by a person without legitimate authority (subparagraph 1), technical protective measures to prevent the unlawful leakage, alteration, deletion, etc. of information (subparagraph 2), technical and physical protective measures to ensure the continuous use of the information and communications network (subparagraph 3), and administrative protective measures, such as securing human resources, organizations and expenses and establishing related plans, for the stability of the information and communications network and the protection of information (subparagraph 4). Accordingly, Article 2 of the Information Protection Guidelines enacted pursuant to Article 45(2) of the former Information and Communications Network Act sets out the administrative, technical and physical protective measures a provider of information and communications services is required to take to ensure the stability of the information and communications network and the reliability of information, and under "network monitoring" prescribes "monitoring for 24 hours the traffic of the main lines connected to the external network using tools such as network sniffers23) and probes24), and setting up and operating a warning function that gives notice when abnormal traffic is detected" and "inspecting on a regular basis (at least monthly) whether the security functions of the protection systems (prevention of abnormal traffic, etc.) are operating normally."

However, as seen earlier, Chapter IV of the former Information and Communications Network Act provides in Article 28 for the protection of personal information by providers of information and communications services, Article 15 of the former Enforcement Decree provides the technical and administrative measures for that purpose, and the Notice of this case sets the criteria for the specific technical and administrative protective measures for the protection of personal information, so that a provider that implements the measures in the Notice is deemed to have taken the protective measures for personal information; Article 45 of the former Information and Communications Network Act, by contrast, belongs to Chapter VI on "ensuring the stability of information and communications networks, etc.," the purpose of the protective measures under that Article is to ensure the stability of the information and communications network and the reliability of information, and compliance with the information protection guidelines is merely recommended to providers; moreover, the persons required to undergo the safety inspection for information protection under Article 46-3(1) of the former Information and Communications Network Act and Article 5(1) [Attached Table 3] of its Enforcement Decree are major telecommunications service providers, Internet access service providers and business operators of integrated information and communications facilities25), and the Defendant was under no obligation to undergo a safety inspection with respect to the traffic monitoring under subsection 1.1.2 (network security) of the technical protective measures. In light of these facts, it is difficult to view that the technical and administrative protective measures for the protection of personal information which the Defendant was required to comply with under the laws relating to information and communications networks include measures for the real-time monitoring of information leaked from the personal information processing system.

(B) Whether real-time monitoring measures have been breached

Even if the Defendant was obligated to monitor in real time large-volume traffic and the transmission of FTP files, or to establish and operate a DLP solution, the entries in Gap evidence No. 43 and Eul evidence Nos. 9 and 42 and the testimony of the first instance court witness alone are insufficient to recognize that the Defendant violated the technical and administrative protective measures by failing to detect abnormalities through real-time monitoring of traffic and FTP file transmission, and subsequent analysis, by means of its intrusion detection system and DLP solution, and there is no other evidence to acknowledge this. Rather, taking into account the overall purport of the pleadings together with the entries in Eul evidence Nos. 5, 16, 17-1 to 14, 57 and 69-1 to 4, the following circumstances can be acknowledged: ① the Defendant entered into contracts for the installation, maintenance, repair and extension of intrusion prevention and intrusion detection systems and established and operated each system; the intrusion prevention system is operated by installing firewalls that restrict unauthorized access to the personal information processing system by limiting access to particular IP addresses, etc., and the intrusion detection system is operated so as to detect illegal leakage of personal information by analyzing the IP addresses, etc. connected to the personal information processing system; ② the DLP solution used by the Defendant could only detect data sent outside from the computers of the Defendant's employees, and could not detect data transmitted from the DB server of this case to the gateway server, data transmitted from the gateway server to the employees' computers, or encrypted data; ③ at the time of the hacking incident the DLP solution had a program error (bug) whereby, when personal information such as names, addresses, telephone numbers and e-mail addresses was transmitted by running the FTP program from the command prompt (so-called DOS window) as the hacker did, it failed to detect the leakage, and the leakage of personal information in this case went undetected for that reason; ④ the monitoring by L/C, with which the Defendant had entered into a security control contract, was performed to verify whether the network equipment was operating normally, the monitoring period was set to core hours and there was no reason to set up separate operating hours by time slot, so it is difficult to conclude that there was a problem with the monitoring measures merely because traffic totalling 10GB, sent at night in portions of 2GB, 2GB and 6GB, was not recognized as clearly abnormal; ⑤ the DLP solution had no function to block the leakage of information based on file size, and compared with ordinary traffic it is difficult to see that the traffic arising from the files the hacker sent out in portions of 2GB, 2GB and 6GB was of such a large volume that it would have been judged abnormal upon analysis; and ⑥ as seen in paragraph 2) below, the Defendant needed to use the FTP program, and it is difficult to deem that the Defendant violated its duty of care for security solely because it did not monitor and control FTP file transmission. In light of these circumstances, it is reasonable to see that the Defendant did not violate the technical and administrative protective measures for the protection of personal information prescribed in the former Information and Communications Network Act.

(C) Sub-conclusion

Therefore, it is difficult to see that the technical and administrative protective measures the Defendant was required to take for the protection of personal information in the database of this case included the real-time monitoring of leaked information or the use of a DLP solution; and even if they did, it is difficult to see that the Defendant violated the technical and administrative protective measures by failing to detect abnormalities while operating the intrusion detection system and the DLP solution and monitoring traffic and FTP file transmission. The remaining plaintiffs' above argument, which is premised otherwise, is without merit.

2) As to negligence in the use of the FTP program or in the detection of FTP file transmission

As seen earlier, the hacker of this case transmitted personal information from the DB server to the gateway server and then to China through FTP, using the computers of F and G. According to Eul evidence No. 5, Article 26(4) of the Defendant's personal information protection work guidelines provides that "personal information access PCs shall be configured so that services vulnerable to security, such as telnet and ftp services, are not provided." However, taking into account the overall purport of the pleadings together with the entries in Gap evidence Nos. 44 and 49, Eul evidence No. 56, Eul evidence Nos. 50-1 and 2, Eul evidence Nos. 55-1 and 2, and the testimony of the first instance witness, the following circumstances can be acknowledged: ① Article 2 of the Information Protection Guidelines under Article 45 of the former Information and Communications Network Act prescribes as protective measures, in [Attachment 1] 2.2.5 (router/switch security settings), the application of ACL26) access control functions, etc., and in 2.2.8 (access control and security settings) security settings such as the removal of unnecessary protocols and services; but a "router" is a device that designates the route when delivering data packets between networks in a network connection service, whereas the Defendant's gateway server is an application server connecting two networks that use different network protocols and so does not fall under the routers of [Attached Table 1] 2.2.5, and the subjects of "security settings such as the removal of unnecessary protocols" in [Attached Table 1] 2.2.8 are major telecommunications service providers, Internet access service providers and integrated information and communications facility providers, none of which the Defendant is, so the Defendant was under no statutory obligation to delete the FTP program from the computer of the DB server manager; ② an FTP service is set up on a web server open to the public so that users can transmit files over the Internet, which is different from directly running an FTP client program on a computer on which no FTP service is provided (footnote 27: the FTP client (ftp.exe) is a program that enables access to FTP servers and is distributed as a basic part of computer operating systems such as Windows, Linux and Unix); ③ Article 26(4) of the Defendant's personal information protection work guidelines concerns the provision of FTP services when a personal information access PC is used as an FTP server, which raises security issues completely different from those of using the PC as an FTP client: what the guideline addresses is setting up a personal information access PC as an FTP server, i.e. opening its files so that other computers can access them and transfer files, whereas the hacking of this case did not arise from a personal information access PC being set up as an FTP server but from the hacker using the FTP client on that PC, so Article 26 of the guidelines is not related to the instant hacking incident; ④ the FTP program on the Defendant's gateway server and the FTP client on the DB server manager's computer were used for functions such as receiving the travel information and local culture DB, receiving the background music usage settlement details of affiliated institutions, and transmitting files for security patches of the DB server (Eul evidence Nos. 55-1 and 55-2, Gap evidence No. 49); ⑤ since large volumes of information can be transmitted through various programs or methods such as messengers, SMTP (e-mail) and P2P, it is difficult to readily conclude that the Defendant breached its duty of care merely because it used the FTP program; ⑥ although the intrusion detection system detected FTP access from a PC inside the Defendant on July 28, 2011, the incident records discovered after the hacking incident show that this was merely a security test by the Defendant and did not reveal the content of the hacking, so it cannot be said that the attempt to use the FTP program could have been detected as a single intrusion pattern before the incident; and ⑦ as seen earlier, the hacker of this case transmitted files by executing FTP commands at the command prompt (so-called DOS window), and because of a program error (bug) the Defendant's DLP solution, which searches for the leakage of personal information such as names, addresses, telephone numbers and e-mail addresses, did not detect the leakage of personal information at the time of the hacking incident. In light of these circumstances, the mere fact that the Defendant installed the FTP program or failed to detect the FTP file transmission cannot be deemed a violation of the technical and administrative protective measures to block illegal access to personal information, nor can the Defendant's above conduct be deemed to have a proximate causal relation with the occurrence of the instant hacking incident. Accordingly, the remaining plaintiffs' above assertion is without merit.

3) As to negligence in not obtaining prior approval when outputting personal information

Article 8(1) of the Notice of this case provides that "when a provider of information and communications services outputs personal information from the personal information processing system (printing, screen display, file creation, etc.), it shall specify the purpose of use and minimize the output items according to that purpose," and paragraph (2) provides that "a provider of information and communications services shall take necessary protective measures, such as keeping records of output and reproduction, so that printed materials containing personal information and external storage media onto which personal information has been copied are managed safely."28) Article 31 of the Defendant's personal information protection work guidelines likewise provides, in principle, that the output of personal information requires the prior approval of the person in charge of personal information management. These provisions alone, however, do not establish that the Defendant was obligated to implement an approval system making it impossible to output personal information (printing, screen display, file creation) without the prior approval of the personal information manager. Rather, according to Gap evidence No. 43 (Criteria for Technical and Administrative Protective Measures for Personal Information) and Eul evidence No. 45, the purport of Article 8 of the Notice of this case can be recognized as follows: methods such as access control and encryption are effective against unauthorized persons but not against the leakage of personal information by persons handling personal information, so a separate control procedure requiring the prior approval of the person in charge of personal information management is needed when a personal information handler copies or prints personal information, in order to prevent leakage by handlers. Ultimately, Article 8 of the Notice of this case concerns protective measures to be taken when a person authorized through normal routes outputs personal information files, etc., and does not apply to the outflow of information by an unauthorized person as in the hacking incident of this case. (Taking into account the overall purport of the pleadings together with the entries in Eul evidence Nos. 22-1 and 2, it can be recognized that the Defendant managed the ordinary extraction and transmission of personal information so that the requesting party had to prepare an application for the extraction and transmission of personal information and obtain approval from the approving authority before extraction, so Article 8 of the Notice of this case and Article 31 of the personal information protection work guidelines appear to have been complied with.) Accordingly, the remaining plaintiffs' argument, which is premised otherwise, is without merit.

4) As to negligence in not controlling IP addresses or in allowing the sharing of accounts among employees

The provider of information and communications services, etc. under Article 4(5)1 of the Notice of this case

To prevent illegal access and intrusion through information and communications networks, the personal information processing system

Korea shall include the function of limiting unauthorized access to IP addresses, etc.

One system should be established and operated, and as seen earlier, this case

DB server’s access to VPN server to FIP address without access authority to the pertinent DB server

Next, access to the database and the database of this case is authorized to access the database of this case.

G by using the ID and password of the DB manager of the G, and

According to the statements in Gap evidence 121-1 to 3, Gap evidence 122, Eul evidence 54-4

in connection with the DB server, the ID and password of the user account shall be daily when accessing the DB server.

In order to reduce the inconvenience to be input, entry of the ID and password in advance into an environment establishment;

Quick that allows only choice from the list to automatically go to the relevant account if it is selected;

Connect function may be recognized, but only the fact of recognition can be found by the Defendant.

A system including a system that restricts unauthorized access through the control of IP addresses;

If the establishment and operation of B or the defendant's DB manager connects the DB server, such as above.

A It is difficult to readily conclude that Quick access was made using Quct functions, and F further: G

There was a sharing of the G ID and password for access to the Logwa server between the division.

In addition, comprehensively taking account of each entry in Eul evidence 42, Eul evidence 43 and Eul evidence 51, the following circumstances are recognized: ① F, G and H, who belong to the DB technical team, have the authority to access the DB servers (F is the manager of the Eglus DB server, and G and H are the managers of the DB server of this case); ② in order to access a DB server, it is necessary first to access the gateway server through the VPN, and in the course of such connection the IP addresses that may connect to the gateway server are limited to the IP addresses of the computers used by the employees authorized to access the DB server, while the IP addresses permitted to connect to the DB server are limited to the IP address of the gateway server, so that measures were taken to prevent access to the gateway server or the DB server from any other IP address; ③ the DB server of this case had four user accounts, which were used when a DB manager connected from the gateway server to the DB server, and since user accounts were allocated separately there were four user accounts even though the managers of the DB server of this case were two persons; and ④ the DB server managers did not appear to share and use an ID or password. In light of these circumstances, it is reasonable to see that the Defendant controlled IP addresses at an appropriate level with respect to the gateway server and the DB server of this case.

As to this, the remaining plaintiffs argue that, under the above connection method, the DB server of this case could be accessed from the IP address of F's computer even though F did not have the authority to manage the database of this case, and that the Defendant therefore failed to properly perform its obligation to control IP addresses under the Notice of this case. However, the hacker of this case obtained the ID and password of G, the manager of the DB server of this case, and commenced the access from F's computer by way of the gateway server; it cannot be deemed that the Defendant, at the stage after the gateway server, could have recognized that the access had been commenced from F's computer and had a duty to prevent it, and the Defendant cannot be deemed to have violated the technical and administrative protective measures for blocking illegal access to personal information. Ultimately, the remaining plaintiffs' argument is without merit.
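The following is an added illustration of the three-hop connection path the court describes (VPN, then the gateway server, then the DB server, with an IP allowlist at each hop and the DB manager's ID and password checked at the gateway). It is not code from the judgment or from any party to the case; every network range, address, account name and password in it is constructed. It shows why a stolen credential presented from an outside address is refused at the first hop, while the same credential relayed through an authorized manager's computer passes every hop, which is the situation the judgment finds.

```python
"""Tiered access path: VPN -> gateway server -> DB server.
Added illustration, not code from the judgment or from any party to the case;
all addresses, accounts and passwords below are constructed."""
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed environment (assumptions, not findings of the court).
OFFICE_NET = ipaddress.ip_network("10.20.0.0/24")      # office PCs allowed onto the VPN
DB_MANAGER_PCS = {ipaddress.ip_address("10.20.0.11"),  # the two DB managers' office PCs
                  ipaddress.ip_address("10.20.0.12")}
GATEWAY_IP = ipaddress.ip_address("10.30.0.5")         # gateway server inside the IDC
DB_ACCOUNTS = {"dbadmin_g": "constructed-password-G"}  # constructed DB manager account


@dataclass(frozen=True)
class Attempt:
    source_ip: str   # address the connection originates from
    account: str     # DB manager account presented at the gateway
    password: str


def _credentials_ok(account: str, password: str) -> bool:
    """Constant-time comparison so a wrong password is not distinguishable by timing."""
    expected = DB_ACCOUNTS.get(account)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def evaluate(attempt: Attempt) -> list:
    """Walk the three hops in order and return the decision trail, one entry per hop."""
    trail = []
    src = ipaddress.ip_address(attempt.source_ip)

    # Hop 1, VPN: only office addresses may enter the IDC network at all.
    if src not in OFFICE_NET:
        trail.append(f"vpn: denied {src} (not an office address)")
        return trail
    trail.append("vpn: ok")

    # Hop 2, gateway server: the source must be a DB manager's PC, then the credentials must match.
    if src not in DB_MANAGER_PCS:
        trail.append(f"gateway: denied {src} (not a DB manager PC)")
        return trail
    if not _credentials_ok(attempt.account, attempt.password):
        trail.append("gateway: denied (bad credentials)")
        return trail
    trail.append("gateway: ok")

    # Hop 3, DB server: it only ever sees the gateway's address, which is on its allowlist.
    trail.append(f"db: ok (reached via {GATEWAY_IP})")
    return trail


def direct_db_connect_allowed(source_ip: str) -> bool:
    """The DB server's own allowlist holds the gateway only, so a PC that bypasses
    the gateway is refused even when it belongs to a DB manager."""
    return ipaddress.ip_address(source_ip) == GATEWAY_IP


if __name__ == "__main__":
    valid = "constructed-password-G"
    # An outside address presenting stolen credentials is stopped at the first hop.
    print(evaluate(Attempt("203.0.113.9", "dbadmin_g", valid)))
    # The same credentials relayed through a DB manager's PC pass every hop: this is the
    # path the judgment describes, and the reason IP control alone did not stop it.
    print(evaluate(Attempt("10.20.0.11", "dbadmin_g", valid)))
    print(direct_db_connect_allowed("10.20.0.11"))  # False: the gateway cannot be bypassed
```

The trail returned by `evaluate` is the piece a reviewer of such an incident wants: it records which hop made each decision, so an access that passed all hops can be distinguished from one that was stopped, and from which hop it was stopped.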

5) As to the negligence in not using an authorized certificate, etc.

First, Article 4(4) of the Notice of this case provides that "when a person handling personal information of an information and communications service provider, etc. needs to access the personal information processing system from outside through an information and communications network, a safe means of authentication such as an authorized certificate shall be applied." As to the meaning of "the case of accessing the personal information processing system from outside" under the above provision, the following facts can be recognized in full view of the purport of the entire arguments together with Gap evidence 56, Gap evidence 60 and Eul evidence 60 to 63: the Criteria for Ensuring the Safety of Information (Ministry of Public Administration and Security Notice No. 2011-43) define an internal network as a section physically separated from the Internet section, or a section in which direct access from the Internet section is blocked by an access control system having a function to block unauthorized access, regardless of whether the sections are geographically distant according to the business environment; when private agencies, etc. access the personal information processing system without using the Internet, a dedicated line or a VPN can be used and constituted as an internal network; and a VPN does not physically connect two computer systems by a dedicated line, but by applying tunneling technology using a tunneling protocol it blocks intrusion and functions as a logically dedicated line. Based on these facts, where two computer networks located at distant places are connected through a dedicated line such as a VPN, the whole of the network can be seen as one internal network, and access from one network within such an internal network to another does not fall under "the case of accessing the personal information processing system from outside" under Article 4(4) of the Notice of this case.

Examining the instant case on this premise, the computer network of the Defendant's office and the IDC were linked by a VPN, and the hacker of this case did not intrude directly into the personal information processing system from outside through the Internet, but intruded into the computers of the Defendant's employees F and G inside the Defendant's office and then connected to the DB server of this case through the VPN along the normal connection route of those computers, as seen earlier. Therefore, Article 4(4) of the Notice of this case does not apply to the instant hacking incident. Furthermore, the technical and administrative protective measures under the Information and Communications Network Act at the time of the instant hacking incident did not stipulate that an additional means of authentication be required when connecting to the personal information processing system from inside the internal network. Accordingly, the Defendant cannot be deemed to have erred in not adopting an additional means of authentication, such as an authorized certificate, for access to the IDC at the time of the instant hacking incident. Therefore, the remaining plaintiffs' above assertion is without merit.

6) As to the negligence in not blocking the connection

Comprehensively taking account of the purport of the entire pleadings together with each entry in Eul evidence 35, Eul evidence 42 and Eul evidence 68, the following facts can be recognized: on July 18, 2011, by the same method as the instant hacking incident, the computers of K's staff were infected through I's ○○ ○○ ○○○○○○○ with malicious files such as ALAD2.exe, and a reverse connection was attempted to an external IP address but was cut off by K's intrusion prevention system; and on July 28, 2011 (at around :44; the hour is not legible in the source), FTP access by L from the Defendant's internal computer to an IP address in China was detected. However, in view of the following circumstances revealed by the purport of the entire pleadings, it is difficult to deem that the Defendant could have sufficiently detected and blocked the connection before the instant hacking incident occurred, and it cannot be deemed that the Defendant failed to block the connection in violation of the foregoing provisions: ① the method or detailed particulars by which K's computers blocked the reverse connection are unknown (there are various possible methods, such as cutting off in accordance with a separately registered IP address, cutting off because the connection constituted an abnormal connection, or cutting off in accordance with a pre-registered intrusion pattern, and which of them K used is not specifically known), so the mere fact that K prevented such a reverse connection attempt while the Defendant was unable to block it does not readily lead to the conclusion that there was an error in the operation of the Defendant's intrusion detection system 29); ② the FTP access by L detected on July 28, 2011 was, as the Defendant's security culture promotion team revealed after the instant hacking incident occurred, merely an attempt made for the purpose of testing security vulnerabilities. Therefore, the remaining plaintiffs' assertion on a different premise is without merit.
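The following is an added illustration of the three blocking methods the court lists as possible ways in which K's system could have cut off the reverse connection: a separately registered address, an abnormal connection, and a pre-registered intrusion pattern. It is not code from the judgment or from any party's intrusion prevention system; the log format, the addresses, the internal network range and the signature are constructed. Each method is applied independently to every connection record, so the output shows which method, if any, would have caught each connection.

```python
"""Outbound-connection screening by registered address, abnormal-connection rule and
pre-registered pattern.  Added illustration, not code from the judgment or from any
party's systems; log format, addresses and signatures are constructed."""
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range
FTP_PORTS = {20, 21}

# Method 1: separately registered addresses that are always cut off (constructed deny list).
REGISTERED_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]

# Method 3: pre-registered intrusion patterns matched against the payload summary
# (here a constructed signature: an FTP upload of a database export or dump file).
PATTERNS = [re.compile(r"\bSTOR\s+\S+\.(?:dmp|exp)\b", re.IGNORECASE)]

# Constructed log format: "<timestamp> <src>:<port> -> <dst>:<port> proto=<p> [payload="..."]"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
    r' proto=(?P<proto>\w+)(?: payload="(?P<payload>[^"]*)")?$'
)


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["payload"] = rec["payload"] or ""
    return rec


def block_reasons(rec: dict) -> list:
    """Apply the three methods to one record; an empty list means the connection passes."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    reasons = []
    if any(dst in net for net in REGISTERED_BLOCK):
        reasons.append("registered-address")
    # Method 2: an abnormal connection, here an internal host opening FTP to the outside,
    # the shape of the reverse connection the judgment describes.
    if src in INTERNAL_NET and dst not in INTERNAL_NET and rec["dport"] in FTP_PORTS:
        reasons.append("abnormal-connection")
    if any(p.search(rec["payload"]) for p in PATTERNS):
        reasons.append("intrusion-pattern")
    return reasons


def screen(log_text: str) -> list:
    """Screen every parseable line; returns (timestamp, src, dst, reasons) tuples."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            results.append((rec["ts"], rec["src"], rec["dst"], block_reasons(rec)))
    return results


# Constructed sample log: none of these lines comes from the case record.
SAMPLE_LOG = """\
2024-01-01T00:44:10 10.20.0.11:51022 -> 198.51.100.23:21 proto=tcp payload="USER anon"
2024-01-01T00:44:12 10.20.0.11:51023 -> 203.0.113.77:21 proto=tcp payload="STOR member.dmp"
2024-01-01T00:45:00 10.20.0.40:44510 -> 10.30.0.5:1521 proto=tcp
2024-01-01T00:46:30 10.20.0.12:51100 -> 203.0.113.80:443 proto=tcp
garbage line that the parser must skip
"""

if __name__ == "__main__":
    for ts, src, dst, reasons in screen(SAMPLE_LOG):
        print(ts, src, "->", dst, "BLOCK" if reasons else "pass", reasons)
```

The point the court makes is visible in the sample: the first connection is caught by the registered-address list and by the abnormal-connection rule, the second only by the abnormal-connection rule and the pattern, and a system running only one of the three methods would have missed at least one of them, which is why the mere fact that one organisation's system blocked a connection says little about another organisation's configuration.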

7) As to the negligence in not turning off the computer

First, the hacker of this case connected to F's computer and then accessed the DB server of this case through F's computer, as seen earlier. According to each entry in Gap evidence 98-1 to 8, it can be recognized that a major company's website, in its daily safety rules for protecting personal information, recommends "turning the computer off and on once a day, and turning off the power when the computer is not in use", and that the Korea Internet and Security Agency's guide to establishing and operating a computer emergency response team (ERT) lists, as one of the security audit items for PCs, checking the management status of power resources when employees leave work or are absent for a long period. However, these facts alone are insufficient to recognize that an information and communications service provider bears the obligation to turn off all computers when employees leave work in order to protect personal information, and there is no other evidence to prove it. Moreover, the information and communications network-related statutes at the time of the instant hacking incident did not stipulate turning off computers when employees leave work as a technical and administrative protective measure necessary for the protection of personal information. On the other hand, comprehensively taking account of the purport of the entire pleadings together with Eul evidence 78-1 and 2, Eul evidence 79-1 to 3, Eul evidence 80, Eul evidence 81-1 and 2, and Eul evidence 82-1 and 2, the following circumstances are recognized: ① the Defendant classified its DB servers into Classes A, B, C and D according to the importance of their security; a member server such as the DB server of this case belongs to Class A, for which the need for security is high, and is not directly connected to the computers of the DB managers; ② at the time of the hacking incident F managed approximately 200 DB servers, of which only two, including the Eglus member DB belonging to Class A, were connected to F's computer through the gateway server, while the remaining servers were directly connected to F's computer; on the other hand, work such as changing the DB structure for the reorganization or performance improvement of a service, extending, replacing or improving servers, or extracting large-scale data for the exercise of customer rights or customer analysis has a significant impact on DB capacity and is therefore executed at night or in the early morning, when customers' use of the service is lowest, and F executed such commands from F's computer, so that in the case of the DB servers directly connected to F's computer the commands could not have been executed if the computer had been turned off 30); ③ the Defendant's employees who manage the DB servers are designated in rotation as the person in charge of promptly resolving failures occurring on the DB servers at night, and when a failure occurs after the person in charge has left work, he or she connects to the Defendant's computer network from his or her own business computer and links to the database to resolve the problem; F was designated as such a person in charge on July 26 and 27, 2011, the time of the instant hacking incident; ④ information and communications services provided via the Internet have the characteristic of being provided continuously 24 hours a day, and where a person has taken all the technical and administrative protective measures under the Information and Communications Network Act, the mere fact that computers were not turned off at a time when they were not directly engaged in business can hardly be regarded as an error. In light of these circumstances, it cannot be deemed that there was negligence in violation of the technical and administrative protective measures under the information and communications network-related statutes on the ground that F did not turn off his own business computer when leaving work. Accordingly, the remaining plaintiffs' above assertion is without merit.

8) As to the negligence in not logging out, or not setting automatic logout, when leaving work

Comprehensively taking account of the purport of the entire pleadings together with each entry in Eul evidence 42 and Eul evidence 51, it is recognized that, prior to the occurrence of the instant hacking incident, F performed work by accessing the DB server from his own computer from :48 to 17:29 on July 25, 2011 (the first hour is not legible in the source) and remained logged in even after completing the work, and that the DLP solution operated by the Defendant at the time of the instant hacking incident included a "time limit setting" function. However, each description in Gap evidence 55, Gap evidence 67, Gap evidence 70 to 74 and Gap evidence 76 to 79 alone is insufficient to recognize that the DB server manager at the time of the instant hacking incident had a duty to log out after completing work or to set an automatic logout. (According to the above evidence, it can be recognized that experts such as the National Police Agency blog, the Industrial Confidential Protection Center and the Mac OS customer support center recommend, as one of the computer security rules, logging out when leaving one's seat, stating that such a small effort can reduce hacking; that the Korea Internet & Security Agency's "Guidelines for Database Security" provide that where no SQL command is executed for a certain period after logging in to the DB, the connection shall be blocked or use permitted only after re-authentication; that the "Regulations on the Implementation of Information Security Services", a directive of the National Tax Service, prescribe among the security rules for users that a user shall log out when the system is not in use or when leaving the seat; and that the Korea Internet & Security Agency's checklist for web server establishment and security states that where no command is entered for a certain period after logging in, the connection shall be automatically terminated or a timeout shall be set. However, such recognition alone is insufficient to presume that an information and communications service provider bears an obligation, for the protection of personal information, to log out of a computer or to set an automatic logout function on a computer, and there is no other evidence to acknowledge otherwise.) In addition, as seen earlier, F executed commands at night or in the early morning, when the use of the service is lowest, for work such as changing the DB structure that significantly affects DB performance, extending, replacing or improving servers, or extracting large-scale data, and in the case of the DB servers directly connected to F's computer, logging out would have made it impossible to execute such commands. Furthermore, since the hacker of this case had already obtained, through G, the ID and password of G, the manager of the DB server of this case, he could at any time, regardless of whether F was logged in on his own computer, access the DB server of this case through the gateway server using G's ID and password, so it appears that the same result would likely have followed even if F had logged out of his business computer when leaving work. In light of these circumstances, it cannot be deemed that there was negligence in violation of the technical and administrative protective measures under the information and communications network-related statutes on the ground that F did not log out or did not set the automatic logout function, nor that there is a proximate causal relation between such omission and the occurrence of the instant hacking incident. Accordingly, the remaining plaintiffs' above assertion is without merit.

9) As to the negligence in not properly conducting DB security utilizing the functions of ○○ 31)

The facts that the exp command or specific SQL commands were used for the instant hacking are as seen earlier. However, in light of the overall purport of the pleadings, the following circumstances are revealed: ① as seen earlier, exp is used in a data processing system to duplicate data onto one's own tapes, disks or another computer system in order to preserve or restore a collection of data, to transfer it to a different system, to make copies, or to use the system's data elsewhere 32), and it is difficult to see that it is not used in work related to the DB server; even if, as the plaintiffs allege, the command is not strictly necessary for DB operations, that circumstance alone does not readily lead to the conclusion that the Defendant violated the technical and administrative protective measures by allowing its DB managers to use the exp command; ② traffic monitoring or the control of specific commands can hardly be regarded as included in the content of the technical and administrative protective measures the Defendant must take to prevent the leakage of personal information; ③ as to the use of the FTP program, for the reasons seen earlier, the employee's office computer was not used as an FTP server, and the mere use of an FTP client does not violate the relevant provisions of the Information Protection Guidelines or the Defendant's personal information protection work guidelines, such an FTP program being a normal and reasonable tool for the Defendant's business; ④ as mentioned above, the Defendant did not bear a duty to implement a function prohibiting the printing out of personal information without prior approval; ⑤ the management of the database of this case cannot be deemed to have been performed outside operating hours, and since the Defendant needs its DB managers to manage the DB servers during late-night hours, the Defendant cannot be deemed to have been obliged to prohibit such acts or to require prior approval for them; ⑥ the mere fact that ○○○, the DB security program used by the Defendant, includes the various monitoring functions claimed by the remaining plaintiffs does not establish an obligation under the information and communications network-related statutes to take technical and administrative protective measures in accordance with those functions. In light of the above, even if the facts alleged by the remaining plaintiffs are acknowledged, those facts alone do not lead to the conclusion that the Defendant violated the technical and administrative protective measures for the protection of personal information. Therefore, the remaining plaintiffs' assertion is without merit.

10) Sub-conclusion

As seen earlier, in full view of the circumstances such as the details of the technical and administrative protective measures stipulated in the information and communications network-related statutes at the time of the instant hacking incident, the level of information security technology generally known at the time, the details of the overall security measures taken by the Defendant, the economic costs necessary for information security and their utility, the level of hacking technology and the degree of development of information security technology, the function of avoiding damage, the content of the personal information collected by the information and communications service provider, and the degree of damage inflicted upon users by the leakage of personal information, it is difficult to view that the instant hacking incident occurred due to the Defendant's negligence in failing to take technical and administrative protective measures for the prevention of the leakage of personal information. Therefore, the remaining plaintiffs' claim of this case, which is premised on the Defendant having violated the contract or the technical and administrative protective measures under the information and communications network-related statutes, is without merit without further examining the remainder.

4. Conclusion

Therefore, all of the plaintiffs' claims of this case shall be dismissed as without merit. Since the judgment of the court of first instance is unfair in part of its conclusion, the part of the first instance judgment against the Defendant is revoked and all of the plaintiffs' claims corresponding to the revoked part are dismissed. It is so decided as per Disposition.

Judges

Judges Kim Jong-young

Judges Dokwon Line

Judges Lee Jin-hee

Attachment: omitted

Footnotes

1) Nate is a portal site that provides search, news, e-mail, UCC (User Created Contents), cartoons, etc.

2) An instant messenger provided by Nate.

3) Cyworld is an Internet-based social network service in which users operate their own minihompy on the website, posting writings or photographs, setting background music, and communicating with other users through a guestbook, etc.

4) Because Internet servers are very sensitive to the surrounding environment, such as humidity, temperature and electricity, an IDC (Internet Data Center) keeps them in a safe and stable state 24 hours a day and takes charge of the operation and management of remote servers, communications equipment and communications networks.

5) A VPN (Virtual Private Network) refers to virtual network technology that, by forming a virtual or dedicated route over the Internet (a public network) with packets encrypted through tunneling and security processes, guarantees communications as safe as on a single private network.

6) A terminal service is a function of the operating system by which a program executed on a remote server can be operated as if it were running in one's own computer environment. It is also the principle, like remote access, used to implement virtual PCs that separate the internal and external networks and allow computers connected to the internal network to reach the Internet.

7) A gateway is the gate that must be passed through to move from one network to another. Because two computers must use the same protocol to connect over a network, when a computer communicates with a computer on another network that uses a different protocol, the gateway converts the protocol. In this case, the gateway server provides a terminal service environment in which the screen of the server located in Sung-dong can be viewed as it is and operated with the mouse and keyboard.

8) A server separate from the DB server and the gateway server, which performs user authentication and monitoring functions.

9) A computer on which ○○'s client program is installed, which requests ○○ authentication from the ○○ server (in this case, the gateway server).

10) A terminal (client) program used to connect to the DB.

11) The above user accounts are the accounts with which the DBA (database administrator) connects to the DB.

12) An ISAPI filter sits in front of the Internet Information Server (IIS) and has the authority to handle first all requests entering IIS and to process the responses created by IIS before they are sent to the client.

13) The act of recording, from a remote location, the contents entered on a computer's keyboard.

14) Copying a large quantity of data from a storage medium to another storage medium, a screen, or another output medium.

15) A protocol used to transfer files between computers on the Internet, or a program that communicates using this protocol.

16) Short for export; a DB command used to extract the data in a DB table to an external file or in another form.

17) Short for copy; a command used to duplicate files inside a computer.

18) If a user of information and communications services suffers damage due to a violation of the provisions of this Chapter by a provider of information and communications services, etc., the user may claim damages against the provider, etc. In such cases, the provider, etc. cannot be exempted from liability unless it proves that it had no intention or negligence.

19) Short for Data Loss Prevention or Data Leakage Prevention: activities to prevent and block the leakage of secrets or important information, embodied as hardware or software, are referred to as a DLP solution. The functions a DLP solution must have are monitoring the series of processes by which certain information leaks and blocking them selectively; the information may be identified through keywords (such as "top secret" or "confidential") or through specific patterns (resident registration numbers, mobile phone numbers, credit card numbers, account numbers, etc.).

20) A URL is the unique identifier of a specific web page connected to the Internet; it means an address composed as a Uniform Resource Locator.

21) Short for Structured Query Language; a database language used for the operation and management of relational databases (RDB). It consists of the data definition language (DDL), which defines all properties of the database, for example the design of tables, field definitions and file locations, and the data manipulation language (DML), used to search, insert, update or delete data in the database.

22) The specific details of the relevant statutes are as stated in attached Table 2. Hereinafter the former Information and Communications Network Act, the former Enforcement Decree of the Information and Communications Network Act and the Notice of this case are collectively referred to as the "information and communications network-related statutes".

23) A backbone network is the main network that takes charge of data transmission for the whole network by linking partial networks with high-speed telecommunications lines; it means a large-scale network functioning as the main line or trunk line.

24) A node is any device or relay point connected to a network in the information and communications sector, including devices installed at branch points.

25) Major information and communications service providers are telecommunications business operators under Article 2(1)1 of the Telecommunications Business Act; providers of nationwide information and communications network access services, for example Internet access service providers and providers of telecommunications line facilities or network services; business operators who operate and manage integrated information and communications facilities to provide information and communications services to others, for example providers of space rental or server leasing services and network services, or persons who lease integrated information and communications facilities; and business operators included in "information and communications service providers", such as Internet shopping malls, portals, games, reservations, CATV broadcasting services, card and payment relay, newspaper or broadcasting, music, education and electronic document exchange services (see the report on the information protection safety inspection by the Korea Communications Commission and the Korea Information Security Agency). Among those required to undergo the information protection safety inspection under Article 5(1) [attached Table 3] of the Information Protection Guidelines, the business operator concerned appears to fall under item (d).

26) Short for Access Control List; a list used to determine whether to allow access to the network.

27) htp: / / techpht.com.com / km - kr/ Lbimary/ c70792 (v = x. 10) . See "px".

28) Article 8(2) of the Criteria for Technical and Administrative Protective Measures for Personal Information prior to the amendment by the Notice of this case (Korea Communications Commission Notice No. 2009-21) provided that "when a provider of information and communications services, etc. prints personal information on paper or copies it onto a portable storage medium such as a diskette or compact disc, it shall record the following matters and obtain the prior approval of the person in charge of personal information management; the same shall apply where personal information is printed out or copied again from such a printout or copy", thereby requiring the prior approval of the person in charge of personal information management when printing personal information. The Notice of this case, in force at the time of the hacking incident, only stipulated that the protective measures necessary for such printing or copying of records be prepared.

29) According to Eul evidence 68, the malicious code used for the instant hacking incident on K was a new malicious code not detected by existing anti-virus programs, and the opinion is that a response was possible only from the time the relevant malicious code became known, and not before then.

30) According to Eul evidence 77, it can be recognized that information and communications service providers such as the Defendant and K perform DB server inspection work during the early-morning hours.

31) Since the plaintiffs' assertion on this part overlaps with the several arguments examined above, it is judged in light of the various circumstances recognized earlier.

32) See the Naver Knowledge Encyclopedia and the IT Terminology Dictionary.
