<Case Summary>

The Supreme Court of Korea held that mere psychological anxiety resulting from a data breach does not constitute compensable damage under the Personal Information Protection Act.

Even where personal data is leaked through hacking, damages are not presumed in the absence of concrete and identifiable harm.

In this case, approximately 400,000 users’ email addresses and encrypted passwords were exposed following a hacking incident involving an online platform.

The plaintiff sought statutory damages, claiming mental distress and anxiety caused by the data breach.

The Court emphasized that:

The leaked passwords were encrypted, and

The exposure of email addresses alone did not place users in a specific, foreseeable, or realistic risk of harm.


The defendant company had:

Promptly reported the incident to authorities,

Blocked the unauthorized access route, and

Notified affected users while requesting password changes.


While a possible violation of security obligations was acknowledged, the Court clarified that such a violation cannot be equated automatically with compensable damage.

The Supreme Court concluded that extending liability to cases where no actual damage is evident would exceed the legislative intent of the data protection regime.



—

Key Takeaway

> A data breach alone does not give rise to damages.
> Courts require proof of concrete harm, not abstract fear.

Article: https://www.lawtimes.co.kr/Case-curation/214902