개인정보 보호조치에 관하여 -옥션 판결의 기술적·관리적 보호조치와 인과관계 판단을 중심으로

The Supreme Court of Korea held that if an information and communications service provider took all necessary measures prescribed under the Guidelines on Technical and Organizational Measures for Protection of Personal Information (hereinafter “Notice”), the pertinent service provider was not liable for damages barring special circumstances. However, in examining relevant foreign statutes, such technical and organizational protection measures (hereinafter “TOM”) not stipulated in the Notice, if deemed reasonable, should be considered de jure measures as prescribed by the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter “Information Communications Network Act”) and thus constituting “special circumstances”: (i) the basic protective measures already taken by the security industry, before the Notice was promulgated, were cost-efficient than the TOM; or (ii) the risk of adopting such protective measures, which became the norm in line with the technology development following the Notice, was smaller compared to TOM. Concrete examples of the security industry’s basic protective measures include changing default ID and password, restricting remote access or allowing access via only a specific IP, and other measures included in the information and communications service provider’s internal control policy provider. In the instant case, the lower court deemed that Auction did not abide by the Notice but found no causation with the leakage of personal information. The Supreme Court did not directly determine as to the causation but examined the lower court’s decision on the said portion and held that Auction’s failure to take TOM did not constitute a violation of the Information Communications Network Act on the ground that other protective measures were in place. The aforesaid ruling, however, goes against the purport of having introduced the per se Notice.