개인정보 침해사고를 막지 못한 자의 형사책임

In many cases, incident of leakage of personal information occurs because of negligence of duty of protection the information by the security manager. In legal terms, neglecting duty of protection of personal information comes under an act of criminal negligence. In practice, to apply legal elements of neglecting duty of protection of personal information to cases following should be proved; the security manager’s intention of neglecting his/her duty of protecting information; negligence breach of duty on preventing information leakage; and possibility of excluding “reasonable suspicion” from the causal relationship between negligence and leakage of information. Specifically, duty of protecting personal information is closely related to technologies and legal elements of negligence of duty is covered by so-called “Blanketstrafgesetz (blank criminal law).” For these reasons, it is difficult to prove intention behind leakage of information, and to define the scope of responsibility of the security manager when it comes to preventing any possible leakage. Because of the practical issues, most of information leakage cases were closed with non-prosecution disposition or being cleared of suspicion on grounds of insufficient evidence. Furthermore, non-prosecution disposition is sometimes used as a ground for exempting civil liabilities while criminal responsibility on him/her still remain for the case of personal information leakage. When an information leakage incident occurs, the security manager becomes a victim and at the same time the suspect which makes he/she not actively cooperate to investigation into the incident. In some cases, the security manager pins all blames of information leakage incident on the subcontract company. It is true that a nation has the duty to protect personal information of people with laws and regulations, though, any legal measures, which have formulated not reviewing sanctions and dispositions under the criminal law but accommodating the public opinion, may cause bigger problems in the future. What should be considered is that any law or regulation shall not fulfill its original purpose if it is enacted for the purpose of achieving policy objectives, but be only used as a legal ground to punish offenses. Under this circumstances, companies in charge of protecting personal information of customers may show the tendency of using technologies which are only acceptable under the law to be exempted from unnecessary legal reasonabilities. Simply put, if companies do their duties of protecting personal information only within the scope of law rather than take any proactive measures so that they do not take any legal responsibility it would result in impeding advancement in new technologies required to protect further personal information, may degrade their level of protection, and cause information leakage incident on the rise. Policy goals of preventing information leakage incident should not be met by imposing criminal responsibility of information leakage incident on the security manager. To appropriately deal with information leakage cases under the criminal law, limits of the law providing criminal responsibilities for security managers in charge first.