Auction case

The Auction case (옥션 사건) is the incident in which a massive data breach took place and a number of customers of Korea's largest online shopping mall filed lawsuits for damages against the company.

The Auction case was one of the largest data breach suits in terms of the number of victims and of plaintiffs in the ensuing lawsuits, and it shows the necessity of regulatory compliance as well as mandatory data breach notification.

Key words
data leaks, hacking, incident, data breach notification, collective lawsuits

Facts
In February 2008, an overseas hacker stole the personal data of 18 million customers of Auction, 145,000 of whom filed suit against the e-marketplace operator, only to fail in the litigation.

Lawyers were eager to promote massive lawsuits against Auction in their Internet cafes and blogs, encouraging the aggrieved Auction users to join their actions for damages totalling 150 billion won (US$133 million). The plaintiffs, organized in several groups, eventually exceeded 145,000.

In the courtroom, the plaintiffs' representatives argued that ordinary customers of the e-marketplace fell victim to Auction's negligent administration of its computer systems and suffered mental distress over whether their personal data could be abused or misused as a result of the breach. If they succeeded in the massive lawsuit, the compensation, presumably at the same level as the 50 thousand won per person in the first-instance ruling of the Lineage case, could reach an amount large enough to undermine the company's financial base.

First instance
On January 14, 2010, after four months of courtroom arguments, the Seoul Central District Court ruled that Auction was not to blame. The court ruled, "There’s no evidence that Auction was lenient about its security measures against hacking." The court added, "It was not legally mandatory for companies to set up firewalls for their websites, considering that there was low credibility over installing firewalls among businesses at that time." The court was also believed to have taken into account how swiftly the top management handled the incident to prevent a possible attack in the future. The final result of the Auction case must await the higher courts, as a number of victims have appealed. The appellate court, however, needs to consider the following questions:
 * 1) Have ISPs observed the technical and managerial measures required by the relevant laws to safeguard the personal data?
 * 2) Have ISPs established reliable firewalls and other security measures against possible hacking incidents?
 * 3) Does it cost too much to install anti-hacking technologies in view of the latest hacking skills?
 * 4) Have ISPs discharged their duties to prevent possible attack or threat in the future?
 * 5) How many users are affected by the incident and how large could the actual damage to the victims be?

The first-instance ruling in the Auction case has raised the following questions. First, Korean courts in the past used to rule in favor of users who sued a company for information leaks caused by hacking or by secretly selling customers' data to others. So it remains to be seen whether the wind of change in this court ruling will prevail in the future.
 * 1) Is there a wind of change in court rulings that have, so far, been in favor of consumers?
 * 2) Is a kind of leniency program being introduced into data protection?
 * 3) Is the US-type class action advisable in the area of data protection?

Second, the response of the top management was swift, contrary to expectations. Auction did not try to cover up the incident, but urged the affected users to change their IDs and passwords as soon as possible, and to be cautious in using their existing telephone numbers and bank accounts.

The court of first instance viewed the defendant's response favorably. This seems to set a good precedent, much like the controversial leniency program for violations of the Fair Trade Act.

Appellate court
In August 2011, eBay Auction was merged into eBay Korea, which succeeded to the standing of eBay Auction. Finally, in June 2013, the Seoul High Court dismissed the plaintiffs' appeal. Approving the first-instance decision, the Seoul High Court added no further reasoning in its ruling.

GS Caltex case
In the GS Caltex case, the Supreme Court decided what kind of data breach amounts to damage that is to be compensated as mental distress.