Why New York and not Seoul... Coupang lawsuit goes beyond punishment and asks for ‘digital responsibility’

33 million information leaked... Meaning of ‘subclass’ strategy for Korean consumers

There is heated discussion both inside and outside the legal community regarding the recent Coupang, Inc. incident, in which personal information of 33 million people was leaked. At a time when most people are preparing for domestic lawsuits, there are many who are questioning the fact that my law firm, SJKP, LLP (Daeryun Law Firm's U.S. partner), submitted a complaint to the U.S. District Court for the Eastern District of New York (EDNY). The question is, “For a company that generates most of its sales in Korea, why did they choose the US court, which has difficult procedures?”

The answer to that question is clear. The core of this lawsuit is to hold Coupang's U.S. headquarters (Inc.) fundamentally responsible for the incident and force it to establish a practical system to prevent recurrence. And SJKP's judgment is that the optimal judicial battlefield to realize this is the United States. This is not simply an attempt to assert the superiority of American legal procedures. This is the result of intense legal consideration to provide the most practical means of relief to victims of cross-border data breaches.

What differentiates this lawsuit most from domestic lawsuits is the expansion of 'defendant eligibility.' In the complaint, not only Coupang Corporation but also Chairman Kim Beom-seok were listed as co-defendants. This is not simply a symbolic choice based on the position of corporate representative. Under U.S. law, if a corporate violation occurs due to direct involvement or approval of management, or due to gross negligence in management, the executive may be held liable separately from the corporation. SJKP believed that Chairman Kim Beom-seok, as the final decision-maker on security policy and budget, should take real responsibility for this 'internal control failure'.

Furthermore, it is also clear that there is a violation of Article 349 of the New York State Corporation Law (N.Y. GBL). This provision strictly prohibits acts or practices that deceive consumers. Coupang has continued to give the impression that it has a sufficient security system, but in reality it operates a lax security system that falls short of this, misleading consumers. The ultimate responsibility for these ‘deceptive practices’ has no choice but to fall on Chairman Kim Beom-seok, who oversaw the policy direction.

In addition, we plan to actively utilize the 'discovery' system, which is the core of US civil litigation, to identify the governance failure, which is the root cause of this incident. Unlike in Korea, where it is difficult to prove a victim, in American courts, decisive evidence such as internal emails or decision-making meeting minutes can be forcibly obtained. Through this, SJKP will thoroughly uncover whether Chairman Kim Beom-seok and the headquarters were aware of security vulnerabilities but tolerated improvements for profitability reasons. This goes beyond a simple data leak and proves the ‘collapse of governance’, which is a neglect of the responsibilities of the highest decision-making system, and will serve as a powerful driving force for demanding strict legal responsibility.

Some are focusing on the damages claim amounting to more than $5 million (approximately KRW 7.3 billion), but the true value of this lawsuit that legal experts should pay attention to is 'equitable damages.' Unlike domestic civil lawsuits, which often limit to ex post facto monetary compensation, U.S. courts can issue 'Declaratory Relief', which officially confirms that a company's actions are illegal, through a ruling, and 'Injunctive Relief' that forces specific actions.

In addition, SJKP requested the court to order Coupang to establish the best security system and mandate a multi-factor authentication system. This goes beyond a simple agreement and is a will to prevent a second leak by forcibly reorganizing the company's security governance. It also aims to bring about 'systematic change' by requiring strengthened monitoring services for minors and the elderly who are vulnerable to identity theft.

Another decisive reason for choosing the US court lies in the strategy of forming a ‘class’. This lawsuit has New York residents as the representative plaintiffs, but victims residing in Korea are designated as a 'subclass'. A subclass is a device that separately classifies and protects groups with different residences or legal issues within the overall group. Through this structure, Korean consumers will be able to enjoy the same effects of the U.S. court's favorable ruling, and the benefits of the security enhancement order will also extend beyond the border to Korean users.

In the end, the reason why SJKP headed to the U.S. court is clear. This lawsuit is not just a battle for compensation, but a fight to establish the company's 'data security obligations' that meet global standards. We are confident that this lawsuit will become a milestone in new digital justice that prevents global companies from avoiding responsibility and ensures that consumer rights are fully protected regardless of national borders.
 

Small Business Team

[View full article]
Why New York and not Seoul... Coupang lawsuit asks for ‘digital responsibility’ beyond punishment (Shortcut)