Legal Debate Rekindled Over 33.7 Million Victims
Potential Compensation Could Reach Trillions of Won
Intent and Gross Negligence at Center of Dispute
Corporate Security Management Standards Under Scrutiny
There is growing attention on whether the recent '33.7 million customer data leak' incident involving Coupang will become the first case in South Korea where punitive damages are actually applied. Under the current Personal Information Protection Act, companies must pay up to five times the actual damages if personal information is leaked through intent or gross negligence. However, the effectiveness of this provision has long been questioned. Given that the scale of damage in this case is unprecedented, some analysts suggest that both the reach of the law and the amount of compensation could grow to a level never seen before.
According to industry sources on December 3, Beonhwa Law Firm has filed a lawsuit against Coupang at the Seoul Eastern District Court, claiming 300,000 won in compensation per person. Previously, Cheongdo Law Firm also gathered 14 victims and submitted a complaint to the Seoul Central District Court, while several other law firms, including Daeryun, are currently recruiting participants for class action lawsuits. More than 30 online forums have already been established to prepare for class action lawsuits against Coupang, with a combined membership of around 500,000 people. These changes have occurred just five days after the large-scale data breach was made public on November 29. If this trend continues, the number of participants in the lawsuits is expected to reach hundreds of thousands by the end of the year.
High Probability of First Punitive Damages Application for Coupang
Legal experts believe that even under the current punitive damages regulations, Coupang’s potential liability could be substantial. Based on recent precedents, if mental damages are estimated at 100,000 won per person and 50,000 people participate in the lawsuit, the basic damages would total 5 billion won, rising to 25 billion won if punitive damages (five times) are applied. If 500,000 people participate, punitive damages could reach 250 billion won, and if 1 million people join, the amount would be about 500 billion won. Applying this to the total number of victims (33.7 million), the basic damages alone would amount to 3.37 trillion won, and the maximum legal limit (five times) would bring the theoretical compensation to 16.85 trillion won. As the expected number of class action participants is rapidly increasing, the actual claimed amount could exceed even these figures.
At an emergency parliamentary inquiry held the previous day by the National Assembly’s Science, ICT, Broadcasting and Communications Committee, it was confirmed that there were significant flaws in Coupang’s security management system. Brett Mathis, Coupang’s Chief Information Security Officer (CISO), stated that the attacker accessed Coupang’s internal private signing key (encryption key) to generate fake authentication tokens, which allowed them to impersonate other users and access internal information without entering a password. The root cause was identified not as a sophisticated external attack, but as a management failure in leaving an unreturned encryption key unattended for an extended period.
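The failure described above is a signing key that stayed valid long after it should have been retired, so anyone holding it could mint tokens the service trusted. The following added example (not Coupang's code; the token format, key ids and secrets are constructed assumptions) shows the mitigation a verifier needs: every signing key carries an expiry in a key registry, and a token bearing a retired or unknown key id is rejected even when its signature is mathematically correct.

```python
import base64
import hashlib
import hmac
import json

# Fixed "current time" so the example is reproducible offline.
NOW = 1_700_000_000

# Constructed key registry. A retired key stays listed only so that tokens
# still carrying its id are recognised and refused, not so it can sign.
KEYS = {
    "k-old": {"secret": b"old-secret", "not_after": NOW - 86_400},      # retired yesterday
    "k-new": {"secret": b"new-secret", "not_after": NOW + 7 * 86_400},  # current key
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(kid: str, claims: dict) -> str:
    """Mint a 'header.payload.sig' token, HMAC-SHA256 under the key named by kid."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"

def verify(token: str, now: int = NOW):
    """Return the claims if the token is acceptable, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        key = KEYS.get(header.get("kid"))
        # Key lifetime is enforced server-side: a leaked key that has been
        # rotated out cannot produce an accepted token, whatever its MAC says.
        if key is None or now >= key["not_after"]:
            return None
        expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # signature does not match: tampered payload or wrong key
        claims = json.loads(_unb64(payload_b64))
        if claims.get("exp", 0) <= now:
            return None  # token itself has expired
        return claims
    except (ValueError, AttributeError):
        return None  # malformed structure, bad base64, or non-object header
```

Rotating the key registry on a schedule, and retiring a key immediately when its holder leaves or when it is suspected stolen, is what turns "a key left unattended for an extended period" into a bounded exposure window.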
The punitive damages system is designed to impose compensation amounts higher than actual damages in order to prevent recurrence and raise awareness among companies. Following the 2014 credit card company data breach, the relevant provision was introduced into the Personal Information Protection Act in 2015. However, because companies can be exempted from liability by proving a lack of intent or gross negligence, the regulation has rarely been applied in practice. Last year, Kakao was fined only 15.1 billion won for leaking 33 million records, and this year, SK Telecom was fined 134.7 billion won for a breach affecting 23 million people.
After the Coupang incident, legislative discussions in the National Assembly have accelerated toward significantly strengthening the penalty system. The proposed amendment to the Personal Information Protection Act by Lee Hoonki, a lawmaker from the Democratic Party, includes provisions for imposing fines of up to 10% of a company’s total sales if personal information is lost, stolen, or leaked. Based on Coupang’s sales of 41 trillion won last year, this could result in a maximum fine of 4.1 trillion won if the law is applied.
Assemblyman Park Jumin from the Democratic Party has sponsored a bill to establish a punitive damages law requiring companies to pay double the damages if harm is caused to others through intent or gross negligence. Assemblyman Park Jungha from the People Power Party has proposed the establishment of a "Personal Information Damage Compensation Fund," while Assemblyman Lee Sanghwi has proposed an amendment to strengthen the obligation to immediately notify victims upon recognizing a data breach.
High Compensation and Penalties Already a Reality Overseas
There are already cases overseas where large-scale personal data breaches have resulted in high compensation and penalties. In July 2017, U.S. credit rating agency Equifax suffered a breach, which was disclosed in September, exposing sensitive information of about 147 million people. Due to delayed security patches and poor internal controls, Equifax agreed to pay up to $700 million (about 900 billion won) in settlements in 2019.
In 2019, Meta (formerly Facebook) was fined $5 billion (about 6 trillion won) by the U.S. Federal Trade Commission (FTC) for leaking the personal data of 87 million people to a polling firm without consent. In 2021, U.S. telecom company T-Mobile paid $350 million (about 514 billion won) in compensation after the data of 76.6 million people was leaked.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.