The Supreme Court has ruled that an employee who viewed other employees' multi-faceted evaluation results by arbitrarily changing some numbers in the URL of the internet page displaying them, and who even leaked those results to company executives, cannot be punished for violating the Information and Communications Network Act.
The ruling states that if the service provider did not properly implement security measures, making it possible to access the information simply by changing some numbers in the internet address without inputting any particularly fraudulent commands, this cannot be considered an infringement of the information and communications network, nor can it be regarded as leaking others' information obtained by fraudulent means.
According to the legal community on the 15th, the Supreme Court's First Division (Presiding Justice Oh Kyung-mi) overturned the lower court's ruling that sentenced Mr. Ham (46), who was indicted for violating the Information and Communications Network Act (network intrusion and leaking others' information), to 8 months in prison with a 2-year probation, and remanded the case to the Suwon District Court.
The court stated the reason for overturning and remanding was "an error in the lower court's interpretation of Articles 48(1) and 49 of the Information and Communications Network Act."
Mr. Ham, who worked as a safety facility team employee at the Gyeonggi Arts Center, was prosecuted for unauthorized viewing of multi-faceted evaluation results of 51 other colleagues in January 2020, capturing them on his mobile phone, and sending them in March of the same year upon the request of the center's headquarters chief.
The Gyeonggi Arts Center conducted annual multi-faceted evaluations among employees for personnel management purposes and notified each employee of their results. The evaluation results included the name, affiliation, evaluation score, and descriptive evaluation by the evaluator of the person being evaluated.
The center signed a contract for multi-faceted evaluation survey services with Company B, represented by Mr. A, in 2019. Company B collected evaluation data from 78 employees from December 30, 2019, to January 3, 2020, analyzed it, and then sent each center employee an internet address where they could view their own multi-faceted evaluation results.
However, unlike the previous security method that used a random 7-character encryption, Company B used a numeric assignment method that allowed anyone to access other employees' multi-faceted evaluation result pages simply by changing the last digit of the individually assigned internet address.
Upon accidentally discovering this fact, Mr. Ham used his mobile phone on January 3, 2020, to view the multi-faceted evaluation results of 51 executives and employees, captured them, and saved the photos. Then, on March 9 of the same year, upon the request of the center's headquarters chief, he sent the captured photos of the 51 evaluation results via the KakaoTalk messenger.
The prosecution judged that Mr. Ham's actions constituted unauthorized access or exceeding authorized access to the information and communications network, and leaking others' secrets processed, stored, or transmitted by the network. He was indicted for violating Articles 48(1) (prohibition of network intrusion acts) and 49 (protection of secrets) of the Information and Communications Network Act. Both charges are punishable by up to 5 years imprisonment or a fine of up to 50 million KRW.
Additionally, Mr. A and Company B were jointly indicted for violating the Personal Information Protection Act for failing to take proper security measures while processing personal information. The Act includes a dual punishment clause that imposes the same fine on the corporation if the company representative is punished for violating security obligations.
The first trial court found Mr. Ham guilty on all charges and sentenced him to 8 months imprisonment with 2 years probation. Mr. A and Company B were each fined 5 million KRW.
During the trial, Mr. Ham claimed, "As a personal information handler, I discovered security issues with the multi-faceted evaluation data and captured the results only to collect evidence and out of concern for evidence destruction by the external company, with no intent to infringe the information and communications network."
He also argued, "Sending the data upon the center headquarters chief's request cannot be considered leaking, and my actions were lawful as necessary evidence collection and at the superior's request."
However, the court did not accept these claims.
The court cited several reasons for recognizing Mr. Ham's intent to intrude into the network and leak others' secrets:
▲ He did not immediately notify the personnel or audit team, the main departments responsible for the multi-faceted evaluation, despite discovering security issues.
▲ He did not notify the company to fix the problem and kept the captured photos on his phone for about two months.
▲ The headquarters chief to whom he sent the photos was a personal acquaintance but was in charge of performance duties unrelated to personnel evaluation or security.
▲ He did not cooperate with the company's investigation, leading to a request for investigation by authorities.
▲ He initially testified to the police that he collected evidence for the annual 'Personal Information Security Check and Internal Audit Report,' but when questioned about the absence of such records in the 2019 and 2020 reports, he changed his statement to say he intended to include it in the quarterly 'Information Security Report,' and did not prepare any documents related to the leakage.
▲ He deleted all captured screenshots once an official investigation into the information leakage began.
The court said, "Mr. A not only viewed the multi-faceted evaluation results without proper authority but also captured and transmitted the screen. Despite the seriousness of the offense, he vehemently denies it, warranting strict punishment."
Mr. Ham appealed, but the second trial court upheld the same judgment. Mr. A and Company B did not appeal, so the first trial ruling was finalized. Mr. Ham then filed a final appeal.
However, the Supreme Court completely overturned the outcome.
First, the Supreme Court found it difficult to consider the viewing target as restricted from the outset, and since Mr. Ham only changed the last two digits of the internet address without inputting any other fraudulent commands, it was difficult to regard this as network intrusion.
The court noted, "The internet page individually sent to the evaluation subjects to view their multi-faceted evaluation results was accessible without any separate login or personal authentication process, and the internet address was not encrypted. Company B did not include any content in the emails or text messages sent to employees that would restrict viewing other employees' evaluation results."
The court added, "Since the last two digits of the internet address consisted of numbers, anyone could simply access other employees' evaluation result pages by changing those last two digits. The defendant repeatedly accessed other employees' evaluation pages by changing the last two digits of the internet address sent to him based on his guess, without inputting any other commands."
It concluded, "Therefore, even if the defendant accessed internet pages displaying others' multi-faceted evaluation results by changing some numbers in the URL, this cannot be considered an act of intruding the information and communications network."
Furthermore, the Supreme Court ruled that since the information was not obtained by intruding into the network, Mr. Ham cannot be punished for leaking others' information under the Information and Communications Network Act.
The court cited precedent, stating, "The 'leakage' of others' secrets under Article 49 of the Information and Communications Network Act does not mean all acts of disclosing others' secrets, but only those who acquire others' secrets processed, stored, or transmitted by the network through fraudulent means such as network intrusion, or those who know that the secret was obtained by such means, and disclose it to others who do not yet know it."
It further judged, "Since the defendant did not engage in any other fraudulent means or methods besides changing part of the internet address to access the pages displaying other employees' multi-faceted evaluation results, it cannot be said that he acquired or leaked the secrets posted on the internet by fraudulent means such as network intrusion."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


