(English) Seoul Central District Court Judgment 2014Gahap511956, 2014Gahap526255 (Consolidated), 2015Gahap9788 (Consolidated), decided October 13, 2016
[Damages (Others)] [Unpublished]
Plaintiff

Attached 1, 2, 3, 3-1 List is as shown in the Attached 1, 2, 3-1 list (Attorneys Lee E-hoon et al., Counsel for the defendant

Defendant

Lotte Card Co., Ltd. and one other (Attorneys Kim Sung-sung et al., Counsel for the plaintiff-appellant)

Conclusion of Pleadings

August 22, 2016

Text

1. Of the instant lawsuit, the part of the Plaintiffs’ claim against Defendant Lotte Card Co., Ltd. listed in [Attachment 3-1-2] shall be dismissed.

2. Defendant Bar Card Co., Ltd shall pay to each of the Plaintiffs listed in the separate sheet 1-1, 2-1, 3, and 3-1, 100 won and 15% interest per annum to each of the Plaintiffs listed in the separate sheet 1-1, from March 19, 2014; from August 29, 2014 to the Plaintiffs listed in the separate sheet 2-1; from January 31, 2011 to the Plaintiffs listed in the separate sheet 3; from December 31, 2013 to October 13, 2016 to the Plaintiff, 5% per annum from the following day to the date of full payment; and from the date of full payment to the date of full payment.

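3. The remaining claims of the Plaintiffs listed in Attached Lists 1-1, 2-1, 3, and 3-1-1 against Defendant Lotte Card Co., Ltd., the claims of the Plaintiffs listed in Attached Lists 1-1 and 2-1 against Defendant Korea Credit Bureau Co., Ltd., the claims of the Plaintiffs listed in Attached Lists 1-2 and 2-2 against the Defendants, and the claims of the Plaintiffs listed in Attached List 3-1-3 against Defendant Lotte Card Co., Ltd. are each dismissed.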

4. Of the costs of lawsuit:

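A. The part arising between the Plaintiffs listed in Attached Lists 1-2 and 2-2 and the Defendants, the part arising between the Plaintiffs listed in Attached Lists 1-1 and 2-1 and Defendant Korea Credit Bureau Co., Ltd., and the part arising between the Plaintiffs listed in Attached Lists 3-1-2 and 3-1-3 and Defendant Lotte Card Co., Ltd. shall each be borne by those Plaintiffs; and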

B. Of the part arising between the Plaintiffs listed in Attached Lists 1-1, 2-1, 3, and 3-1-1 and Defendant Lotte Card Co., Ltd., 1/2 shall be borne by the above Plaintiffs and the remainder by the above Defendant.

4. Paragraph 2 can be provisionally executed.

Purport of claim

[2014Gahap511956, 2014Gahap526255]

The defendants shall pay 200,000 won to each of the plaintiffs listed in the separate sheet Nos. 1 and 2 with 5% interest per annum from the day following the service of a copy of the complaint of this case to the day of this judgment, and 20% interest per annum from the next day to the day of full payment.

[2015Gahap9788]

Defendant Lotte Card Co., Ltd. (hereinafter “Defendant Lotte Card”) shall pay 30,000 won to each of the Plaintiffs listed in the separate sheet 3 and 3-1, together with interest thereon at 5% per annum, for the Plaintiffs listed in the separate sheet 3 from January 31, 2011 and for the Plaintiffs listed in the separate sheet 3-1 from December 31, 2013, until the delivery date of the copy of each complaint in this case, and at 15% per annum from the next day to the date of full payment.

Reasons

1. Basic facts

(a) Status of parties;

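1) Defendant Lotte Card is a company engaged in the business of issuing, selling, and managing credit cards, prepaid cards, and debit cards. Defendant Korea Credit Bureau Co., Ltd. (hereinafter “Defendant KCB”) is a company jointly funded and established by financial institutions, and is engaged in credit inquiry and credit investigation business, etc., as prescribed by the Use and Protection of Credit Information Act (hereinafter the “Credit Information Act”).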

2) The Plaintiffs listed in the separate sheet No. 2014Gahap51956 case, and the Plaintiffs listed in the separate sheet No. 2014Gahap525 case, and the Plaintiffs listed in the separate sheet No. 2014Gahap52625 case, and the Plaintiffs listed in the separate sheet No. 3, 3-1, are the Plaintiffs listed in the separate sheet No. 2015Gahap9788 case, and they are listed in the separate sheet No. 3, 3-1, respectively.

(b) the concept and introduction of a card accident analysis system;

The card accident analysis system (FDS) has been introduced by all domestic card companies as a system for detecting abnormal transactions or fraudulent use due to theft, loss, forgery, etc. of credit cards. Under the FDS, a large amount of card use information and the relevant customer information from past accident transactions is analyzed with statistical techniques, and based on the results, the card company takes measures such as refusing credit card approval when a transaction is detected as matching an accident type.

(c) Outflow of customer information on cards;

1) Conclusion of the FDS development services contract and provision of credit card customer information;

Around 2006, Defendant Lotte Card introduced FDS and implemented a regular e-mail. At each time, Nonparty 1 requested bILb or Defendant KCB to provide services related to FDS business. From October 2009 to April 2010, Defendant KCB’s employees from around September 2013 to around December 2013, the said company participated in the business of developing and installing FDS entrusted by Defendant Lotte Card. Nonparty 1 was provided with unconverted customer information by Defendant Lotte Card on the grounds that it was necessary for work in the FDS development process, and used it for the development and installation of the said system.

2) Outflow of customer information on a card around April 2010

A) In April 2010, at Defendant Lotte Card’s head office in ○○○○○○-dong, Jung-gu, Seoul, Nonparty 1 stored and used FDS development information on the △△△△△△△△△ disc used for business purposes. Although customer information of 10230,000 members of Defendant Lotte Card was stored on that hard disk, he did not format the hard disk and did not undergo the hard disk format security inspection, and stored the above information on his own computer around July 2010.

B) After that, around January 201, Nonparty 1 sent it to Nonparty 2 by means of accessing Nonparty 2’s Nowon-gu and storing the said card customer information to Nonparty 2, who had the intent to utilize customer information in loan brokerage business, etc., where approximately KRW 1,52,00,00 of the customer information in the name of Defendant Bar Card members, which was deducted as above, is about KRW 1,52,00,00 of the customer information in the name of Nonparty 2.

3) Disclosure of customer information by cards around December 2013

A) In September 2013, Defendant KCB’s employees carried two computers of Defendant KCB into the office of Defendant KCB in ○○○○○○-dong, Jung-gu, Seoul, and on one of them did not install a security program, in order to prepare documents such as reports and store them on a USB memory device or, if necessary, send them to Defendant KCB. The employees of Defendant Lotte Card knew that two computers had been additionally carried in, but did not directly verify whether the security program was installed.

B) In December 2013, at the office of Defendant Lotte Card in ○○○○○○ Building, Jung-gu, Seoul, Nonparty 1 connected his own USB memory device to the office computer on which no security program was installed, and generated co-locations in the USB memory device. Nonparty 1 then downloaded customer information through the internal network from the office computer on which a security program was installed and which was used in the FDS development work, and copied the customer information of approximately 2,689,00 card members to the USB memory device connected to the computer on which the said security program was not installed.

C) Although Nonparty 1 kept the leaked customer information of Defendant Lotte Card, Nonparty 1 did not leak it to others, including Nonparty 2.

(d) Dissemination and dissemination of other leaked card customer information;

① On August 2012, 2012 and January 2013, 2013, Nonparty 2 provided credit card customer information under the name of KRW 100,00,00 in total twice by linking Nonparty 3’s e-mail at the △△ Office located in Yeongdeungpo-gu Seoul, Yeongdeungpo-gu, Seoul, which is a lending goods consignment company that he/she operated.

② On October 2012 and early November 2012, Nonparty 2 provided Nonparty 4 with an aggregate of approximately KRW 187,000 cards and customer information leaked on two occasions by providing Nonparty 4 with an information on credit cards, which had been stored in the Dong-dong, Yongsan-gu, Yongsan-gu, Dong-gu, Yongsan-gu, Busan, to Nonparty 1.

③ From November 2012 to August 2013, Nonparty 2 provided Nonparty 5 with approximately 95,000 leaked card customers’ information on three occasions in total by delivering to Nonparty 5 a USB memory device on which the customer information was stored.

④ From November 2012 to November 201, 2013, Nonparty 2 provided card customers information, which was leaked to approximately KRW 4783,00,00 on a total of 10 occasions, by accessing Nonparty 6’s e-mail at the △△△△ Office.

⑤ From November 2012 to August 201, 2013, Nonparty 2 provided the card customer information, which was leaked to approximately KRW 195,000 on five occasions in total, by accessing Nonparty 7’s e-mail at the △△△△ Office, by advertising the card customer information.

⑥ From November 2012 to March 2013, Nonparty 2 provided Nonparty 8 with approximately KRW 540,00 in total three times, by delivering the USB memory device on which the card customer information was stored to Nonparty 8 in the vicinity of the Seoul Southernbuk-gu Office.

⑦ From early December 2012 to June 2013, Nonparty 2 provided Nonparty 4,10,000 card customers information, which was leaked on five occasions in total, by accessing Nonparty 9’s e-mail at △△△△ Office by advertising the card customer information.

⑧ In January 2013 and July 2013, Nonparty 2 provided a total of approximately 13,000 card customer information by transmitting the card customer information to the e-mail used by Nonparty 10 at the Seocho-gu Office.

⑨ From January 2013 to December 2012, 2013, Nonparty 2 provided approximately 4890,00 card customers information on a total of 32 occasions by accessing Nonparty 11’s e-mail at △△△△△ Office by advertising the card customer information.

⑩ On January 2013, 2013 and January 2013, 2013, Nonparty 2 provided a total of approximately KRW 29,000 card customer information leaked on two occasions by accessing Nonparty 12 to Nonparty 12’s e-mail at the △△△ Office.

⑪ In January 2013, Nonparty 2 provided Nonparty 13 with the aforementioned information by accessing e-mail used by himself/herself, and providing Nonparty 2 with approximately KRW 5,000 card customer information, and notifying Nonparty 13 of the above e-mail account and password, and allowing Nonparty 13 to download the above information to Nonparty 13’s USB memory device.

⑫ From February 2013 to September 2013, Nonparty 2 provided Nonparty 14 with the card customer information totaling about KRW 600,00,00 by accessing Nonparty 14’s e-mail at △△△ Office, and making it available to Nonparty 2.

⑬ In February 2013 and August 2013, Nonparty 2 provided Nonparty 15 with the card customer information, which was leaked in the total of about 90,00 won, by accessing Nonparty 15’s e-mail at the △△△ Office.

⑭ From March 2013 to May 2013, Nonparty 2 provided 78,000 card customer information leaked to Nonparty 17, who was an employee of Nonparty 16, for a total of four times by transmitting card customer information to Nonparty 17, who was an employee of △△△△ Office using the Messenger of “ssenger” to Nonparty 2.

⑮ From March 2013 to August 2013, Nonparty 2 provided card customers information, which was leaked to approximately KRW 300,00,00 on a total of six occasions, by accessing Nonparty 18’s e-mail at the △△△ Office, by driving off the card customer information.

On August 2013, Nonparty 2 provided a card customer information that was leaked in approximately KRW 100,00 by accessing Nonparty 19 to Nonparty 19’s e-mail and making it available to Nonparty 2.

On September 2013, Nonparty 2 provided approximately KRW 50,00 card customer information by transmitting the card’s customer information to e-mail used by Nonparty 20 at the Seocho-gu Office.

In September 2013, Nonparty 2 handed over to Nonparty 21 a USB memory device on which the card customer information leaked in approximately KRW 500,00 was stored, at the loan brokerage office operated by Nonparty 21, which was located at the Government-si (address omitted).

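Around February 2013, Nonparty 5, who had received leaked card customer information from Nonparty 2, provided a printout containing the leaked card customer information of approximately 300,000 persons to Nonparty 22 and Nonparty 23, who were loan solicitors, at a fitness coffee shop located in ▷▷-dong, Songpa-gu, Seoul.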

Around September 2013, Nonparty 5 provided the above Nonparty 22 and Nonparty 23 with the name of Nonparty 5, which contains approximately one million card customer information at the coffee shop.

(e) Follow-up measures by Defendant Lotte Card;

In January 2014, after becoming aware of the instant customer information leakage, Defendant Lotte Card posted an apology on its own website, gave notice of the leakage of the card customer information, and provided a method of verifying whether personal information had been leaked. On January 17, 2014, Defendant Lotte Card provided a call center service, operated the call center on weekends, extended the call center’s hours of operation, and operated a personal information damage reporting center at the call center.

(f) Scope of disclosed cards customer information;

Personal information leaked from Defendant Lotte Card includes all or part of the name, resident registration number, card number, effective period, settlement account number, corporate address, book address, other address, company telephone number, house telephone number, cell phone number, and other card holding status.

(g) The progress of related criminal procedures;

Nonparty 1 and others were indicted in Changwon District Court 2014Ma64, etc. on the charge that, although no person shall damage another person’s information processed, stored, or transmitted through an information and communications network, or infringe, use, or divulge another person’s confidential information, and although an executive officer or employee of a credit information company, etc. shall not divulge another person’s credit information obtained in the course of performing his/her duties, they infringed or divulged the customer information of Defendant Lotte Card and divulged another person’s credit information obtained in the course of performing duties as a person related to credit information. On June 20, 2014, the above court sentenced Nonparty 1 to three years, and the said judgment became final and conclusive.

[Ground] A without dispute, state 1) Each entry in Gap's Evidence Nos. 1, 2, 4, 5, 6, 10 through 15, Gap's Evidence Nos. 1, 2, 4, 5, 6, Gap's Evidence Nos. 1, 3, Eul's Evidence Nos. 1, 2, 3 through 41, 43 through 52, Eul's Evidence Nos. 1, 2, 2, 3, 5, 10, 11, 12, 17 through 36 (including each number), the purport of the whole pleadings,

2. Determination on the legality of a lawsuit

The Plaintiffs indicated in the separate sheet No. 3-1-2 of this case filed the lawsuit of this case claiming that the Plaintiffs should compensate for the damages suffered by the Plaintiffs, since they either violated the legal duty of care or breached their duty of care as an employer, thereby allowing Nonparty 1 to leak the card’s customer information as indicated in the following No. 3.

Article 89(1) of the Civil Procedure Act provides that “The power of attorney shall be attested in writing,” and Article 89(2) of the same Act provides that “Where the document referred to in paragraph (1) is a private document, the court may order a notary public or any other person engaged in notarial business to obtain authentication.” The existence of the power of attorney is subject to ex officio investigation by the court. In the event the power of attorney is a private document, whether the court shall issue a certification order with respect to the certification of the right of attorney belongs to the discretion of the court, but the other party is disputed and there is no obvious evidence to prove that the power of attorney is authentic on the record, the court shall investigate whether the power of attorney is defective by examining whether the certification order with respect to the certification of the right of attorney or otherwise delegate the right of attorney (see Supreme Court Order 97Ma1574, Sept. 22, 1997, etc.).

With respect to the plaintiffs listed in the separate sheet 3-1-2 list, notwithstanding the title of this court, the plaintiffs' agent did not submit the above plaintiffs' screen pictures to submit the personal information leakage response screen. Meanwhile, the plaintiffs' attorney's attorney's letter of delegation submitted by the plaintiffs' attorney is affixed only to the above plaintiffs' blocking, and there is no signature or seal of the plaintiffs, and in the case of card customers, the plaintiffs' attorney could easily submit the leakage screen of the personal information of the card through the provision of the leaked information provided by the defendant's cards, barring special circumstances, but the plaintiffs' attorney failed to submit it until the closing of argument in this case, unlike other plaintiffs, and there was no other evidentiary materials to prove that the plaintiffs' attorney was delegated with the power of attorney according to their genuine intent. In light of the above, the data submitted by the plaintiffs' attorney are insufficient to acknowledge the fact that the plaintiffs' attorney was granted the power of attorney in this case from the above plaintiffs, and there is no other evidence to prove otherwise.

Therefore, the lawsuit against Defendant Lotte Card by the plaintiffs listed in [Attachment 3-1-2] is unlawful as a lawsuit filed by a person who has no power of attorney.

3. The parties' arguments and issues

The key issues of the instant case are whether the Defendants committed an illegal act, such as a breach of the duty of care, in relation to the leakage of information by Nonparty 1; whether the Plaintiffs’ damages are recognized; and, if damages are recognized, how the amount of damages is to be determined. The parties’ arguments on these issues are set out below, and each issue is determined under a separate heading.

A. Claims against Defendant Lotte Card

1) Plaintiffs listed in the separate sheet 1 and 2

(A) The card customer information leakage accident of around April 2010

Around April 2010, while awarding Brap a contract for the development and installation of FDS, Defendant Lotte Card provided customer information processed, stored, and transmitted on its server to Nonparty 1 without encrypting it. When Nonparty 1 took out the hard disk on which the above customer information was stored, it did not confirm or control whether the hard disk had been formatted. As above, Defendant Lotte Card neglected its duty of care to prevent the leakage of the customer information of the Plaintiffs of this case. The above act of Defendant Lotte Card violated the duty to manage customer information under the contract, and also violated Article 28(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. and Article 15 of the Enforcement Decree of the same Act, and thus Defendant Lotte Card is liable for the damages suffered by the Plaintiffs of this case as a tortfeasor under the Civil Act or as a person who failed to perform contractual obligations.

(B) The card customer information leakage accident of around December 2013

Defendant Lotte Card offered customer information to Defendant KCB without encrypting it while awarding a contract for the development and installation of FDS, and did not supervise whether the information was installed on the computer or on the street, and neglected Nonparty 1 to transmit and store customer information on the number of thousand persons on Defendant Lotte Card’s business-use computer by negligence without supervising whether the information was installed on the computer or on the street, and did not prepare a coding system to confirm and control it when an external employee uses the data of Defendant Lotte Card’s name card. As such, Defendant Lotte Card neglected its duty of care to prevent the leakage of customer information while processing personal information. Since the aforementioned act of Defendant Lotte Card violated Article 29 of the Personal Information Protection Act and Article 30 of the Enforcement Decree of the same Act, it is liable for damages suffered by the Plaintiffs pursuant to Article 750 of the Civil Act.

2) Plaintiffs listed in the separate sheet Nos. 3, 3-1

Around April 2010, Defendant Lotte Card provided personal information to Nonparty 1 without encrypting the customer information processed, stored, and transmitted in the server, despite the duty of care to manage and supervise the development and installation of the FDS, and neglected to do so (attached Form 3, 3-1-1 list). In addition, it is reasonable to view that the Plaintiff listed in the Attached Table 3-1-1 list as of April 2010, which was included in the Attached Table 3-1 list, also claims for damages caused by the leakage of personal information as of December 3, 2013, as indicated in the Attached Table 3-1 list, is liable to compensate the Plaintiffs for damages, such as the Plaintiff’s provision of encrypted information to Nonparty 1, who neglected to carry-out control, such as computer equipment, and neglected to use the program exclusive account; and Nonparty 1’s provision of customer information to Nonparty 3 as of January 3, 2013.

3) Defendant Lotte Card

A) Since the former Personal Information Protection Act was enacted on March 29, 2011 and entered into force on September 30, 2011, the said Act does not apply to the leakage accident that occurred around April 2010, which was prior to its enactment. In addition, the Plaintiffs joined Defendant Lotte Card as credit card holders offline, without going through an information and communications network, and thus they cannot be deemed to naturally constitute “users” on an information and communications network solely on the ground that they are credit card holders. Therefore, the statute governing such “users” cannot be applied to the said Plaintiffs.

B) Defendant Lotte Card had in place all technical, physical, and administrative protective measures required by the relevant statutes in relation to the handling of personal information, as follows, and thus it cannot be said that Defendant Lotte Card violated any duty of care.

① Defendant Lotte Card made best efforts to block access to Internet networks, such as networks, servers, and terminals, system for blocking intrusion, personal information encryption, storage, preservation, and regular monitoring of personal information stored information, user account control and access authority control system, and auxiliary storage media control program, such as USB memory, security measures and real name system for printed matters including personal information, change of customer information, establishment of information protection regulations, establishment of personal information protection organization, management and supervision of external employees, regular education of personal information protection, establishment of personnel, budget security infrastructure, and control of the shipping of computer equipment, etc.

② In order to prevent the leakage of card customer information that may arise from suspicion, Defendant Lotte Card installed and operated DRM, a document encryption program, on each individual computer. DRM was also installed and operating normally on the computer with which Nonparty 1 accessed the server and downloaded customer information.

③ In addition, in order to control the use of USB memory devices, Defendant Lotte Card installed a media control program for USB memory devices and the like on all computers carried into the company, and took measures so that, even if personal information were stored on a USB memory device, it could not be read from the outside because of DRM. As to FDS operators, Defendant Lotte Card installed a DB Accesser (DB) and stored and managed access routes; the FDS development server used the log recording function provided by the operating system (OS and OB); and access records were stored and managed by installing firewalls between the computers used by employees of external companies and the FDS development projecters.

C) Since Nonparty 1, as a project manager (PM), was in a position where it was inevitable for him to view customer information in an unencrypted state in order to carry out data magy operations, there is no causation between whether Defendant Lotte Card provided Defendant KCB with encrypted customer information and the instant leakage accident.

D) In the case of customer information leaked on April 2010, there was a risk of distribution by delivering only 2.55,00 card customer information among the card information leaked to a third party. The remaining 7.680,000 card customer information was deleted or seized to an investigation agency without being delivered or distributed to a third party. It cannot be said that a data subject of the card customer information, which was not distributed to a third party, suffered a mental damage that could compensate for a solatium in relation to the leakage of the card’s customer information.

E) In the case of the customer information leaked in December 2013, Nonparty 1 was arrested and the pertinent information was seized, and thus it was not distributed to a third party. Therefore, it cannot be said that the said Plaintiffs suffered mental damage that could be compensated with consolation money in relation to the leakage of card customer information around December 2013.

B. A claim against Defendant KCB (limited to the plaintiffs listed in attached Tables 1 and 2)

1) Plaintiffs listed in the separate sheet 1 and 2

At the time of the divulgence of customer information of this case, Nonparty 1 was an employee of Defendant KCB, and Nonparty 1 was dispatched by Defendant KCB to Defendant Lotte Card for the development and installation of the FDS under the contract concluded with Defendant Lotte Card, and leaked the customer information while performing the above duties. As such, Defendant KCB bears employer’s liability for Nonparty 1’s act, jointly with Defendant Lotte Card, toward the Plaintiffs listed in [Attachment 1 and 2].

2) Defendant KCB

A) Nonparty 1’s act of discharging customer information of Defendant Bar Card does not relate to Defendant KCB’s original execution of business affairs, namely, “FDS development and trade Rad..” This is because FDS’s work is not entirely necessary, and the provision of non-converted customer information to Nonparty 1 is a result of the convenience of Defendant Bar Card’s work in violation of the provisions of Defendant Bar Card, regardless of the original FDS work.

B) Defendant KCB faithfully performed the duty of appointment, management, and supervision of Nonparty 1, who was dispatched to Defendant Bar Card and served in Defendant Bar Card. Defendant KCB cannot be deemed to bear all the duty of management and supervision of Nonparty 1’s performance of business affairs related to FDS-related services. Defendant KCB’s duty of supervision is limited to the general and abstract supervision of Nonparty 1, who is an employee, but Nonparty 1’s individual and specific management and supervision of duties (in particular, receipt and handling of customer information on the card) performed in the course of carrying out the FDS-related services on Defendant Bar Card. Even if Defendant KCB fulfilled the duty of management and supervision over Nonparty 1, it would not be possible to avoid the occurrence of the result of the Plaintiffs’ disclosure of customer information.

C) Accordingly, Defendant KCB’s employer liability should be exempted pursuant to the former or latter part of Article 756(1) of the Civil Act.

4. Determination as to whether the liability for damages of Defendant Lotte Card was established

A. Relevant statutes and relevant legal principles

The relevant Acts and subordinate statutes shall be as shown in the attached Form.

Meanwhile, providers of information and communications services are legally obligated to take technical and managerial measures necessary to ensure the safety of personal information under each subparagraph of Article 3-3(1) of the former Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (wholly amended by Presidential Decree No. 34, Sept. 23, 2008; hereinafter the same shall apply). Furthermore, in cases where providers of information and communications services seek to provide user information and communications services through terms and conditions of use, etc., and collected such information and communications services, the providers of information and communications services are obligated to take necessary protective measures to ensure the safety of personal information, such as loss, theft, leakage, alteration, or damage to the user’s personal information collected through the Internet (see, e.g., Supreme Court Decision 200Du8200, supra). It is difficult for such providers of information and communications services to reasonably determine whether to take protective measures such as information and communications networks or operating systems, etc., that have been installed by providers of information and communications services, taking into account the inherent vulnerability of information and communications services.

In addition, it is reasonable to view that the above legal principle also applies not only to the duty of the provider of information and communications services under the former Information and Communications Network Act to secure the safety of personal information, but also to the duty of personal information manager to take safety measures or to ensure

B. The part concerning the leakage of information in December 2013 (Attached Lists 1-2, 2-2, 3-1-3; Defendant Lotte Card)

1) Violation of obligations relating to security programs (violation of Article 9 of the Security Standards for Personal Information Safety)

A) The premise for the determination

Article 6 of the former Personal Information Protection Act provides that “Except as otherwise expressly provided for in other Acts, such as the Information and Communications Network Act and the Credit Information Act, this Act shall apply.” Article 3-2(2) of the Credit Information Protection Act, newly established by Act No. 13216, Mar. 11, 2015, provides that “Except as otherwise provided for in this Act, the protection of personal information shall be governed by the Personal Information Protection Act,” and comprehensively taking account of the aforementioned provisions, the Personal Information Protection Act is located in the position of a general law on the Credit Information Act in relation to matters related to personal information, such as the instant card customer information leakage incident.

However, at the time of leakage of customer information of this case, the former Personal Information Protection Act has provisions that are strengthened in relation to the protection of personal information compared to the Credit Information Act, such as Article 3 (Principle of Personal Information Protection), Article 18 (Restriction on Use and Provision of Personal Information), Article 24 (Restriction on Management of Personal Information), Article 26 (Restriction on Management of Personal Information Following Entrustment of Duties), Article 29 (Obligation to Take Safety Measures) as shown in Attached Table 4, so it is difficult to view that at least in relation to this case, the Credit Information Act has special provisions in comparison with the Personal Information Protection Act at the time. Accordingly, in this case, the Defendants’ liability should be determined pursuant to the former Personal Information Protection Act.

B) Comprehensively taking account of the aforementioned evidence and the overall purport of oral arguments, the following circumstances are revealed: (a) Defendant Bar Card uses a security program to prohibit the use of the USB memory connection function on its business computers; (b) personal information is stored on its business computers and the USB memory function can be activated; (c) there is a very high risk that personal information will easily be leaked by using USB memory; (d) there is a limit to completely blocking the bringing in and out of USB memory devices, which are small and can be produced so as to be mistaken for other items; (e) the possibility of leakage of personal information on its business computers can be easily predicted by anyone; and (f) the security program installed and operated by a personal information manager under Article 9 of the former Personal Information Protection Act and the standards for securing the safety of personal information should have the function of managing and supervising the use of USB memory, barring special circumstances.

In full view of the aforementioned evidence, Nonparty 1, from around December 2012, who was working in the Defendant Bar Card Office for the FDS development work, was additionally carried in two computers of Defendant KCB from September 2013. When installing security programs provided by the Defendant Bar Card, it is impossible for Nonparty 1 to use the functions of the USB from the company’s computer. However, Nonparty 1, among the computers additionally carried in, did not prepare documents, such as a report, and send them to the USB camera, if necessary, or did not install a security program for the purpose of storing smartphones by accessing the smartphone and transmitting them to e-mail from the smartphones. The employees of the Defendant Bar Card did not verify whether Defendant Bar Card installed a security program, even if they knew of the fact that the aforementioned additional cost was carried in, but did not verify whether Defendant Bar Card installed a security program. Nonparty 1, who did not use the aforementioned information that was installed in the Defendant Bar Card’s computer and did not use the information to use it in the US.

According to the above facts, it did not verify the existence of the computer carried in by Defendant KCB employees for the FDS development work at a regular or occasional time at the time of the leakage of customer information by the card around December 2013, and whether it was installed and maintained a security program. As such, it neglected Nonparty 1’s use of the computer in the situation where the security program was not installed continuously, and as a result, made it easy for Nonparty 1 to leak the customer information by Nonparty 1. Accordingly, it violated Article 9 of the Personal Information Safety Measures Act.

2) Violation of duties related to personal information encryption (Article 7 of the Standards for Securing Safety of Personal Information)

A) Article 29 of the former Personal Information Protection Act and Article 7(2) and (8) of the standards for the measures to ensure the safety of personal information, which embody Article 30(1)3 of the Enforcement Decree of the same Act, are as stated in attached Table 4. The above statutes do not provide for exceptional grounds concerning the duty to encrypt personal information, including personally identifiable information. In addition, Article 21(2) of the former Electronic Financial Transactions Act and Article 13(1)10 of the former Electronic Financial Supervision Regulations that embody the aforementioned provisions are as listed in attached Table 4, and in light of such provisions, the following determination may be made.

B) Defendant KCB’s act of providing cards, including personally identifiable information not modified by encryption, etc., to Defendant KCB’s employees engaged in the FDS development work at the office, after storing them in auxiliary storage media, such as HDS development work and leaving them unattended without any specific management and supervision as to the use thereof constitutes a violation of each provision of the above encryption.

Meanwhile, Article 7(5) of the Act on the Safety of Personal Information stipulates to the effect that encryption may not apply to the storage of personally identifiable information on an internal network based on the result of risk analysis. However, in light of the purport of Article 7(2) and (8) of the Act on the Safety of Personal Information, where personally identifiable information is delivered through auxiliary storage media, etc. or where it is stored and managed in a computer for business purposes, it does not provide for exceptions to encryption obligations. However, even if it is possible to include inevitably modified card customer information in the FDS development process, it should have been strictly limited to the implementation of the modified Act on the Safety of Personal Information, such as the provision of Article 7(2) and (8) of the former Regulations on the Supervision of Financial Services and the provision of Article 13(1)10 of the former Regulations on the Safety of Personal Information, which does not necessarily require the change of customer information on the credit card to be developed and modified to prevent such information from being developed and modified without the possibility of the use of such information by providing it to the relevant employee.

Therefore, it is reasonable to view that Defendant Bar Card violated the relevant provisions requiring that card customer information not be provided unencrypted.

3) Violation of obligations relating to the access control system (violation of Article 6 of the Criteria for Measures to Secure Safety of Personal Information)

In light of the provisions of Article 29 of the former Personal Information Protection Act, the provisions of Article 6(3) and (4) of the Act on Measures to Secure the Safety of Personal Information and Communications Network Act, and Article 15(2) of the Enforcement Decree of the Information and Communications Network Act, the following determination may be made.

In full view of the overall purport of the arguments as seen above, if requested by Defendant KCB during the FDS development process, Defendant KCB’s employees sent the card customer information on several occasions to the office-based computer used by Defendant KCB employees, or had Defendant KCB employees directly downloaded the card. Defendant KCB’s employees stored the card customer information transmitted from Defendant KCB cards in the sharing platform whenever necessary, and copied and used it on each own business-based computer. Defendant KCB’s cards did not restrict access authority while providing Defendant KCB with the card information as above. Defendant KCB did not control the fact that Defendant KCB employees shared the card customer information through the sharing platform, and that they did not particularly prepare measures to prevent the divulgence of such information.

As seen above, Defendant KCB provided personal information to Defendant KCB’s employees working in the office so that they could keep and utilize it on a computer for business purposes, and did not impose restrictions, etc. on access rights. This constitutes a case where the measures to protect personal information under Article 6(3) and (4) of the Act on the Measures to Secure the Safety of Personal Information are not fully taken.

4) Violation of the duty of supervision by the truster of personal information processing (violation of Article 26 of the former Personal Information Protection Act)

A) The following facts revealed in light of the above facts, namely, (i) the provision of customer information to Defendant KCB was for FDS development; (ii) the development of FDS was entrusted by the above Defendant; and (iii) the provision of customer information to Defendant KCB employees participating in the FDS development of the above Defendant’s FDS development at the place provided by the above Defendant; and (iv) it was reasonable to view that Defendant KCB employees who were provided with the card information was prohibited from using it for purposes other than FDS development; (iii) the provision of personal information to Defendant KCB employees to the above Defendant’s office; and (iv) it was reasonable to view that Defendant KCB provided the above customer information to Defendant KB employees without any profit to hold and use it for other business; and (v) it was reasonable to view that Defendant KCB would have provided it to Defendant KB’s customer information to the above Defendant’s office in light of the circumstances, such as the provision of personal information to Defendant 2, including the completion of development of FDS development.

B) Comprehensively taking account of the purport of the entire arguments as seen earlier, Defendant Bar Card did not take such measures as specifically determining the matters prescribed by the Personal Information Protection Act and the Enforcement Decree of the same Act as to the technical and managerial measures of personal information, such as the provision of personal information to Defendant KCB, or the restriction on access to personal information, etc. As to the measures to ensure safety, such as the provision of personal information to Defendant Bar Card, and the provision of necessary data such as card customer information to Defendant Bar Card, but did not provide any particular guidelines or attention to Defendant KCB. Employees of Defendant KCB appear to have used the FDS development by sharing the information on the cards provided by Defendant Bar Card, and there seems to have not been any other measures to take technical and administrative measures for personal information.

Thus, it is a case in which Defendant Bar Card entrusted Defendant KCB with the management of personal information on cards customer information in connection with the FDS development work, but did not agree on the technical and administrative protective measures of personal information, and Defendant KCB neglected the use of card customer information on the FDS development work without such protective measures, thereby violating Article 26(1) and (4) of the Personal Information Protection Act.

C) Meanwhile, pursuant to Article 26(6) of the former Personal Information Protection Act, Defendant Bar Card, an employee of Defendant KCB, bears the responsibility as an employer for the act of divulging out of personal information in violation of the Personal Information Protection Act, and as seen earlier, Defendant Bar Card cannot be said to have been negligent in the appointment, management, and supervision of Defendant KCB, insofar as it is found that the method of providing information on Defendant Bar Card and the measures related thereto were in violation of relevant Acts and subordinate statutes.

C. The part of the leakage of information in April 2010 of the Defendant Bar Card (the Plaintiffs indicated in the list of attached Table 1-1, 2-1, 3, 3-1-1)

1) Whether the Act on Promotion of Information and Communications Network Utilization and Information Protection applies

Defendant Bar Card is deemed to recruit card members and provide various services to card members via an information and communications network. As such, Defendant Bar Card constitutes an information and communications service provider prescribed by the Information and Communications Network Act. In addition, the leakage of personal information protected by the Information and Communications Network Act refers to the disclosure of personal information by a third party beyond the right to manage and control the relevant information and communications service provider, and the solicitation of card members is made by multiple persons, and Defendant Bar Card is deemed to provide relevant services on the Internet homepage operated by Defendant Bar Card with respect to the members who joined the card, and accordingly, it is difficult to conclude that the above Plaintiffs do not constitute the user of information and communications services provided by Defendant Bar Card, taking into account the fact that the Plaintiffs indicated in the [Attachment 1-1, 2-1, 3-1, 3-1] and 3-1-1 were able to inquire about whether the information was leaked through the Internet homepage operated by Defendant Bar Card.

Therefore, it is reasonable to view that the provisions on the protection of personal information under the Information and Communications Network Act apply to the leakage of customer information by the Defendant Bar Card around April 2010.

2) Whether the former Act on the Protection of Personal Information applies

The provisions of Article 22 of the former Personal Information Protection Act are as shown in attached Form 4, and it is reasonable to view that the Defendant Bar Card also bears the duty to take measures to protect personal information given to public institutions by the former Personal Information Protection Act.

3) Whether Article 9 of the Enforcement Rule of the Electronic Financial Supervision Regulations has been violated

In light of the provisions of Article 21(2) of the former Electronic Financial Transactions Act and Article 5(2) of the former Enforcement Rule of the Personal Information Protection Act, Defendant 1 cards were provided to employees of […] 3,000, and they did not directly perform the duties of management of […].

4) Whether provisions relating to the provision of encrypted information by customers are violated

In accordance with Article 21(2) of the former Electronic Financial Transactions Act, Article 9(1)10 of the Enforcement Rule of the former Electronic Financial Supervision Regulations, and Article 15(4)2 and 4 of the former Enforcement Decree of the Information and Communications Network Act, Defendant Bar Card should have encrypted customer information and have protected such information. However, as seen above, Defendant Bar Card provided information that is not converted for FDS development projects and neglected to manage and supervise the use thereof.

This act is a violation of the enforcement rules of the former Electronic Financial Supervision Regulations and Article 15 (4) 2 and 4 of the former Enforcement Decree of the Information and Communications Network Act.

D. The occurrence of damage and causation with the illegal act

1) The part of the leakage of information in December 2013 of the Defendant Bar Card (attached Form 1-2, 2-2, 3-1-3 list)

Comprehensively taking account of the overall purport of the arguments as seen earlier, Nonparty 1 leaked the personal information of Defendant Bar Card’s card customers onto his own USB memory in December 2013, and stored it on his own computer as it was. Nonparty 1 attempted to deliver it to Nonparty 2 in the future, but was arrested by an investigation agency on December 23, 2013 before delivery of it, and the personal card information in Nonparty 1’s possession was seized by the investigation agency on the same day.

In light of the aforementioned facts and the legal principles as seen earlier, ① Nonparty 1 appears to have no intention to abuse information on a card that was personally leaked to a third party, except for the transfer of such information to a third party. ② Nonparty 1 was provided with and used the card in the FDS development process, but it seems unlikely to have known of the specific contents of individual information, and it appears that it was the same even after the leakage of customer information and stored it in its own computer storage media. ③ Nonparty 1 did not have any other duty of care in light of the fact that, despite the fact that Nonparty 2’s personal information leaked to Defendant 1 on December 2013, it is difficult to find that the personal information leaked from Defendant 2 was leaked, and there was no possibility that the personal information leaked to the third party, such as the period and circumstances until the seizure was made, and there was no possibility that the personal information leaked to the third party, such as Defendant 2-1, which did not have any other duty of care.

2) The part of the leakage of information in April 2010 of the Defendant Bar Card (attached Form 1-1, 2-1, 3, 3-1-1 list)

In full view of the aforementioned evidence, Nonparty 1 stated that, in addition to the provision of approximately KRW 2.52,00 information to Nonparty 2 from among the customer information in the name of approximately KRW 1,0230,00, Nonparty 1 stated that there was no provision of approximately KRW 1,023,00 to the other person. The fact that Nonparty 1 was seized by the investigative agency while Nonparty 1 was kept in custody of the customer information in the above name of approximately KRW 1,02,00.

However, in light of the records, it is difficult to acknowledge the credibility of Nonparty 1’s statement that Nonparty 2 provided only approximately 1,50,000 cards to Nonparty 2, out of around April 2010, the following circumstances: (i) Nonparty 1 provided Nonparty 1’s online cards to Nonparty 2; and (ii) Nonparty 1 provided Nonparty 2’s online cards to reduce his/her criminal conduct; and (iii) it is difficult to eliminate the possibility that Nonparty 1 provided information only on the cards seized by Nonparty 2’s office until the date on which the instant online card was leaked to Nonparty 2; and (iv) Nonparty 1 provided Nonparty 2’s online information to Nonparty 1 on April 201 until the date on which the instant online card was leaked to Nonparty 2, including Nonparty 1’s online card; and (v) it is difficult to exclude Nonparty 2’s online information from the date on which the instant online card was leaked.

E. Sub-decision

1) Defendant Bar Card is obligated to compensate the Plaintiffs for damages caused by the illegal act listed in the separate sheet No. 1-1, 2-1, 3, 3-1-1.

2) It is difficult to recognize that the health care unit and the evidence submitted by the above plaintiffs with respect to the plaintiffs as stated in the attached Table 1-2, 2-2, 3-1-3 alone were leaked from the Defendant Bar Card in April 2010, or that the damage was caused by the leakage of information in December 2013, and there is no other evidence to acknowledge otherwise.

5. Determination as to the establishment of Defendant KCB’s liability for damages

A. Regarding leakage in December 2013

As seen above in 4. D. 1-2, it is difficult to view that the instant Plaintiffs suffered mental damage that could be compensated as consolation money due to the divulgence of customer information on the card in December 2013, and there is no other evidence to find otherwise.

Therefore, the claim against Defendant KCB related to this is not justified, without any need to examine whether Defendant KCB violated its duty of care as an employer.

B. Regarding leakage in April 2010

As seen above in 1.C. 1-1, Nonparty 1 did not belong to Defendant KCB at the time when the credit card was leaked from Defendant ScB on April 2010, and there is no evidence to deem Defendant KCB as being in the employer’s status for the acts at the time.

Therefore, the claim against the defendant KCB related to this is not justified without any need to examine further.

6. Scope of liability for damages

The amount that Defendant Bar Card is liable to pay in compensation to the plaintiffs as stated in the separate sheet No. 1-1, No. 2-1, No. 3, and No. 3-1 due to the leakage of information in April 2010 by Nonparty 1 is examined below.

As seen above, in light of the actual status of customer information management of Defendant Bar Card and its detailed details, scope of dissemination and dissemination of leaked personal information, contents of ex post measures taken by the Defendants to prevent the occurrence and spread of damage caused by the divulgence of personal information, etc., the leaked personal information in this case includes resident registration numbers with a unique, permanent, and binding character, and it is difficult to eliminate the possibility of occurrence and expansion of secondary damage caused by misappropriation of such information. However, the possibility of property damage caused by misappropriation or fraudulent use of the leaked card information is not verified without any specific case where it is possible to verify the possibility that such damage was actually caused by 00, in light of the details of customer information leaked in this case or the purpose of acquiring customer information on the card by the person who acquired such information, and it seems that it would have been difficult for the company to provide such information to the general customer information of this case without any specific purpose. On the other hand, it appears that it would have been difficult for the company to use the information of this case as a means of collecting customer information in the form of an essential mental accident.

Therefore, as the plaintiffs seek from 10,000 won each of the plaintiffs listed in the separate sheet 1-1, 2-1, 3, 3-1-1 and after the occurrence of the divulgence of customer information on the cards, the defendant Bar Card is obligated to pay 10,000 won each to the plaintiffs listed in the separate sheet 1-1 from March 19, 2014, the following day after the duplicate of the complaint was served on the defendant Bar Card, and from August 29, 2014, the plaintiffs listed in the separate sheet 2-1 from the following day after the duplicate of the complaint was served on the defendant Bar Card; from January 31, 2011 to December 31, 2013 to the plaintiff listed in the separate sheet 3-1 from the day after the separate sheet 3-1 to the day after December 15, 2016 to the day after the execution of the obligation is declared as 15% per annum of the Civil Act.

7. Conclusion

A. The plaintiffs' claim against the defendant Pream Card as stated in the [Attachment 3-1-2] list is unlawful and thus dismissed.

B. The plaintiffs' claims against the defendant Pream Card listed in the separate sheet No. 1-1, 2-1, 3, 3-1-1 are upheld within the extent of the above recognition.

C. The remaining claims against the defendant Bar Card of the plaintiffs listed in the separate sheet 1-1, 2-1, 3, 3-1-1, the plaintiffs' claims against the defendant KCB listed in the separate sheet 1-1, 2-1, 1-2, and 2-2, the plaintiffs' claims against the defendants listed in the separate sheet 1-2, and the plaintiffs' claims against the defendant Bar Card listed in the separate sheet 3-1-3, are each dismissed.

[Attachment]

Judges Ham-sik (Presiding Judge)

1) The evidence of the case 2014Gahap51956 is written by arranging the evidence of the case 2014Gahap51956 as “A”, combined 2014Gahap526255 as “AB”, and combined 2015Gahap9788 as “AB”. In the case of the Defendants, only the evidence number submitted in the case 2014Gahap51956, taking into account the content of the assertion, quantity of the presented evidence, etc.
