This post is cross-posted with BakerHostetler’s data privacy blog. For the latest developments in data privacy, visit dataprivacymonitor.com. For a multi-jurisdictional summary of key requirements of international data privacy laws, see BakerHostetler’s International Compendium of Data Privacy Laws.
On February 15, 2013, the Seoul Western District Court in South Korea issued a judgment in a collective consumer action against a South Korean company for a data breach involving personal data in its possession. Importantly, the unlawful breach at issue in this case was not caused by the company’s intentional misconduct, but instead by the company’s carelessness and mismanagement of the personal information in its possession. This appears to be the first-ever judgment abroad rendering such a ruling.
In this landmark decision, the court ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator that operates internet sites and search engines. The judgment resulted in an order requiring SK Communications to pay each petitioner approximately USD 185 for a total award of approximately USD 534,200.
According to reports about this case, the focus was on SK Communications’ violation of its duty to protect the personal data of its operations’ subscribers, including their names, dates of birth, cell numbers and social security numbers. Apparently, after an SK Communications security manager completed a project online, the security manager failed to log out of the system and left the computer on overnight. This oversight left the system open and susceptible to hackers, who accessed the system and caused the leak without even having to bypass password protections. Although the conduct was unintentional and the company used some software and password protections to prevent hacking and the resulting data breaches, the court ruled that the software and protections used were not enough. In addition, the court concluded that the company’s carelessness and mismanagement of its online operations were substandard and, therefore, unlawful, warranting damages.
Although the amount of the award in this case is not eye-popping by U.S. standards, the decision indicates a significant shift abroad in the treatment of data breaches and in the use of collective actions to remedy them. Given that mismanagement and carelessness may lead to large damage awards, international companies must be cautious with the systems and protections they have in place to guard the personal information in their possession. Moreover, international companies should be aware of the trend toward remedying data breaches through collective actions abroad, as this decision and the discussion surrounding it indicate that this type of ruling may be just the beginning. The main lesson to take away from this decision is that governments and courts, even abroad, are cracking down on substandard protections for personal information and on breaches resulting not only from intentional misconduct, but also from mismanagement and carelessness. By not taking this lesson to heart, international companies may face significant and growing collective damages awards in foreign jurisdictions.