Compensation for data breach

Compensation for data breach (개인정보침해 위자료/個人情報侵害 慰藉料) refers to pecuniary compensation that a violator of personal data or privacy is ordered by an authority, including a court, to pay to the data subject(s) affected by a data breach incident.

The first question is whether data subjects who suffered emotional distress are entitled to compensation for damages in a case where a data processor leaks personal information against the intention of the data subjects.

Then it should be determined what constitutes the standards of the amount of damages.

Supreme Court Decision 2011Da59834,59858,59841, decided December 26, 2012, is a recent leading case on this matter. This case is also known as the GS Caltex data breach incident.

Supreme Court case
In a case where personal information collected by a person who handles the information was leaked out by the person's employee against the intentions of the subject of the personal data (hereinafter "data subject"); when determining whether the leak caused the data subject to suffer emotional distress which qualifies as compensable damages, the determination should be made after considering the following circumstances, and judged accordingly and specifically to each individual case.

Firstly, the type and characteristic of the leaked personal information; whether the data subject is identifiable through the leaked information; whether a third party accessed the leaked information, and if it did not occur, whether there is probability that a third party had such access or will have access in the future; to what extent the leaked information was spread; whether the leak possibly caused any additional infringement of rights; the actual reality of how the personal information was managed by the person who handled the information, and the specific circumstances in which the information was leaked; and what measures were taken to prevent injury caused by the leak, and to prevent the spread of leaked information.

In a case where Gap corporation built and managed a database of its gas credit card members, which it used for customer service; corporation Eul (commissioned by Gap to manage customer service etc.) management team employee Byeong conspired with Jeong et al to extract the aforementioned information (specifically: name, resident registration number, address, phone number, and email address) of credit card members including Mu et al, deliver or copy the information through a DVD and other storage devices, then report the information leak to the media so that the information can be used in a class action lawsuit; and thereby provided such storage devices to journalists: we determined that it was difficult to perceive that Mu et al suffered emotional distress which qualifies as compensable damages on the following grounds.

Firstly, although the information was first extracted by Byeong, and then leaked to accomplices and journalists, immediately after the news reports, every storage device containing the information, as well as computers used to edit or transfer the information was seized from the related parties, or voluntarily submitted, or destroyed.

Secondly, the crime was discovered when the information was delivered or copied to a limited number of the aforementioned individuals while they were conspiring, planning, and preparing to sell the personal information of this case to the market or to a lawyer. Since every storage device containing the personal information of this case was seized or destroyed, and there being no trace of any other leak, it does not appear likely that any third party aside from the aforementioned individuals was able to access or use the information.

Thirdly, while it is true that nonparty 1 and other offenders who leaked the personal information of this case, as well as journalists, did access a portion of the information; the offenders accessed the information only during the process of storing, editing, and copying it; and it does not appear that they intended to learn in detail, or understand the contents of the information themselves.

As for the journalists: since they accessed the information only for the purpose of confirming its existence, scope, and accuracy during the process of coverage and report, it does not appear they were able to recognize detailed contents of the information. Considering the type and scope of the information, it seems highly difficult to identify or discover any specific personal information with the kind of aforementioned access.

Finally, there were no circumstances to perceive that additional injury caused by the information leak was inflicted upon the plaintiffs, such as identity confirmation or illegal use of another person's name.

Reasoning
The grounds of appeal are examined.

Regarding grounds of appeal on whether emotional distress occurred
In a case where personal information collected by a person who handles the information was leaked out by the person's employee against the intentions of the subject of the personal data (hereinafter "data subject"); when determining whether the leak caused the data subject to suffer emotional distress which qualifies as compensable damages, the determination should be made after considering the following circumstances, and judged accordingly and specifically to each individual case. Firstly, the type and characteristic of the leaked personal information; whether the data subject is identifiable through the leaked information; whether a third party accessed the leaked information, and if it did not occur, whether there is probability that a third party had such access or will have access in the future; to what extent the leaked information was spread; whether the leak possibly caused any additional infringement of rights; the actual reality of how the personal information was managed by the person who handled the information, and the specific circumstances in which the information was leaked; and what measures were taken to prevent injury caused by the leak, and to prevent the spread of leaked information.

The following are the factual relations affirmed by the court below.

1. Defendant GS Caltex Co. (hereinafter "defendant GS Caltex") had built a database on the personal information of its gas credit card (a type of credit card that offers rebates on gas purchases) members. Defendant GS Caltex Co. commissioned GS Nextation Co. (which manages GS Caltex Co.'s customer service center, and also maintains and repairs related equipment; hereinafter "defendant GS Nextation Co.") to manage the database. Then nonparty A, an employee of the GS Nextation Co. management team, conspired with colleague nonparty B, friend nonparty C, and nonparty D (an acquaintance of nonparty C) to earn money by extracting customer information using nonparty A's access privileges, and sell the information to the market or to a lawyer preparing a class action lawsuit.

2. From July 8, 2008 to July 20, 2008, at the management team office of defendant GS Nextation Co., nonparty A entered the relevant address and password known to him during work on his office computer, and thereby accessed the customer service center server; then transferred the customer information (name, resident registration number, address, phone number, email address) of 11,517,125 members (including the plaintiffs) of the aforementioned gas credit card to the aforementioned office computer, and saved the information in the form of 76 Microsoft Excel files.

3. Afterwards, nonparty A copied the aforementioned Excel files on 2 DVDs and 2 external hard drives; sent one of the DVDs to nonparty B, who edited the files, saved them to a USB, and gave it to nonparty A; nonparty A copied the USB contents to a DVD, and returned the USB to nonparty B; then nonparty B asked nonparty E to whom the files could be sold, and copied the files in the USB to nonparty E's external hard drive.

4. Nonparty A sent the aforementioned edited DVD to nonparty D via nonparty C; then nonparty D copied the contents to another DVD, and also received a sample CD from nonparty A containing customer information of 6 members.

5. On August 28, 2008, nonparty D offered to give nonparty F (a law firm office manager) personal information of 12,000,000 members, which the law firm could use in a class action lawsuit, and then give the profit to nonparty D. However, nonparty F told nonparty D that first the information leak should be reported to the media and become a social issue; hence through his acquaintance nonparty G (who was told that nonparty D "found a DVD containing defendant GS Caltex's customer information in a downtown trash pile"), nonparty D sent one sample CD to CBC Nocut News reporter nonparty H and one DVD, then later sent 3 additionally copied CDs and 3 DVDs to nonparty H, Daily Zoom reporter nonparty I, MBC producer nonparty J, nonparty G, and nonparty K (nonparty G's friend).

6. On September 5, 2008, news media reported that "a CD with the letters 'GS Caltex customer list' written on it was found in downtown trash pile, contains personal information of over 11 million individuals." Nonparties A, C, and B were arrested the same day, and nonparty D was arrested the following day; and all of their CDs, DVDs, USBs, external hard drives containing the personal information, as well as desktop PCs and notebook PCs they used during the information leak were seized or destroyed. Afterwards, all CDs and DVDs sent to the reporters and the producer were voluntarily submitted; nonparty G destroyed the DVD he owned, nonparty K delivered the DVD to nonparty D upon the latter's request, and the DVD was seized through nonparty D.

7. There is no evidence that the personal information of this case was leaked through any other channels.

According to these facts, the following circumstances can be acknowledged.

1. The personal information of this case was leaked by nonparty 1; and after editing, the information was delivered or copied to nonparty E in data storage devices such as CDs, DVDs, USBs, and external hard drives, for the purpose of seeking a buyer. Afterwards, the information was leaked to journalists as a tip-off, and to prepare for the class action lawsuit. Yet immediately after the news reports, every storage device containing the information, as well as computers used to edit or transfer the information was seized from the related parties, or voluntarily submitted, or destroyed.

2. The crime was discovered when the information was delivered or copied to a limited number of the aforementioned individuals while they were conspiring, planning, and preparing to sell the personal information of this case to the market or to a lawyer. Since every storage device containing the personal information of this case was seized or destroyed, and there being no trace of any other leak, it does not appear likely that any third party aside from the aforementioned individuals was able to access or use the information.

3. It is true that nonparty A and other offenders who leaked the personal information of this case, as well as journalists, did access a portion of the information. However, the offenders accessed the information only during the process of storing, editing, and copying it; and it does not appear that they intended to learn in detail, or understand the contents of the information themselves.

As for the journalists: since they accessed the information only for the purpose of confirming its existence, scope, and accuracy during the process of coverage and report, it does not appear they were able to recognize detailed contents of the information. Considering the type and scope of the information, it seems highly difficult to identify or discover any specific personal information with the kind of aforementioned access.

4. There were no circumstances to perceive that additional injury caused by the information leak was inflicted upon the plaintiffs, such as identity confirmation or illegal use of another person's name.

Upon examining these surrounding circumstances in light of the aforementioned legal principles, it is difficult to perceive that the plaintiffs suffered emotional distress which qualifies as compensable damages.

Thus, the court below's determination that it is difficult to perceive that the plaintiffs suffered emotional distress is just; and contrary to the alleged ground of appeal, there were no errors in the misapprehension of related legal principle.

Regarding the remaining grounds of appeal
The main point of the plaintiffs' remaining grounds of appeal was that the court below was erroneous in determining that any danger of the plaintiffs' personal information being used against their will disappeared, since every relevant storage device was seized or destroyed. However, this allegation cannot be deemed as a legitimate ground of appeal, as it merely blames the selective adoption of evidence or acknowledgment of facts, both of which are entirely within the court below's authority.

Additionally, even when the determination of the court below is examined in light of the records; contrary to the alleged grounds of appeal, there was no violation of the rules of evidence, nor errors in the misapprehension of related legal principles.

Conclusion
Therefore all appeals are dismissed, and the costs of appeal are assessed against the defeated party.

It is decided as per Disposition by the assent of all participating Justices.

Justices
Kim So-young (Presiding Justice), Shin Young-chul, Lee Sang-hoon (Justice in charge), Kim Yong-deok