The court ruled that the fine imposed on the online shopping mall operator, whose customer data of 110,000 people was leaked due to hacking, is justified.
According to the legal community on the 10th, the Seoul Administrative Court Administrative Division 2 (Chief Judge Ko Eunseol) ruled against SL Biotech, a manufacturer and seller of health functional foods, in the lawsuit filed against the Personal Information Protection Commission seeking cancellation of the fine imposed.
The ‘Nutricore’ shopping mall operated by this company was hacked around September 2022, resulting in the leakage of personal information of 119,856 customers. SL Biotech, after receiving complaints and inspecting the system, reported the leak to the Personal Information Comprehensive Portal and notified the members whose personal information was leaked.
The Personal Information Protection Commission, upon receiving the report, investigated SL Biotech’s personal information handling and operation practices and legal violations from October 2022 to February of the following year, and judged that SL Biotech violated the technical and managerial protection standards for personal information. Accordingly, in March of last year, the Personal Information Protection Commission imposed a fine of 464.57 million KRW on SL Biotech.
SL Biotech argued that "at the time of the incident, it fulfilled the ordinary duty of care commensurate with the industry and business scale in light of the general level of information technology, and the incident occurred due to an issue with a management domain managed by another company, not the representative domain managed by the plaintiff," and filed a cancellation lawsuit.
However, the court did not accept SL Biotech’s claims.
The court stated, "This incident appears to have occurred because the firewall and intrusion prevention system operated by SL Biotech failed to provide sufficient access restrictions and leak detection functions," and added, "Considering that the plaintiff changed settings to block illegal access and took measures such as changing the file upload/download method for the shopping mall bulletin board, it cannot be said that reasonable protection measures, which could be socially expected at the time, were taken for the personal information."
Furthermore, the court noted, "Looking at the plaintiff’s financial statements, including cash, deposits, and current assets, it does not appear that the plaintiff is significantly lacking the ability to bear the fine," and added, "It is difficult to see that the fine was excessively harsh or that the discretion was exceeded or abused in violation of the principles of proportionality or equality."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
