Coupang seeks US certification that ‘it was not a major security incident’

Why did you make an arbitrary announcement after ‘passing Korea’?

Even if we endure domestic criticism,
Analysis of advantageous position in trial

Analysis has been raised that the reason Coupang conducted its own investigation into the suspect of personal information leakage and arbitrarily announced the relevant information without consulting the government was because it considered a trial in the United States to be its top priority. This means that it was done in a situation where it had no choice but to give the lawsuit filed in the U.S. an advantage, even if it meant enduring domestic criticism.

According to the legal and distribution industry on the 26th, the American law firm Hagens Berman announced the day before that it would enter a shareholder class action lawsuit on behalf of Coupang Inc investors. This is the second Coupang Inc shareholder class action lawsuit, following the shareholder class action filed by Rosen, an American law firm, on the 18th. The argument of the class action plaintiffs is clear. Coupang Inc belatedly disclosed a serious cybersecurity incident, and shareholders suffered damage due to the resulting drop in stock price.

The U.S. Securities and Exchange Commission (SEC) stipulates that if a company determines that it is a serious security incident, it must disclose it within 4 business days. Coupang made a related announcement on the 16th of this month, more than two weeks after the announcement of the large-scale leak on the 29th of last month.

Experts believe that Coupang made the announcement unilaterally, risking conflict with the Korean government in order to claim that it was not a serious security incident. It should be argued that the scale of the information leak was small, but it is said that there was impatience that the work progress of the Korean police and the public-private joint investigation team would not meet Coupang's expectations.

The results of Coupang's own survey are in line with expert analysis. Coupang claimed that the amount of information stolen outside the company was only about 3,000 people. This is an argument that can be used as evidence that the materiality does not meet the SEC disclosure requirements. The detailed disclosure of the forensic investigation process in cooperation with American companies Palo Alto Networks and Mandiant and the laptop recovery process using divers is also interpreted as a strategy to persuade the American jury, which is composed of ordinary citizens.

Dong-hoo Son, an attorney at Daeryun Law Firm, explained, “Looking at U.S. precedents, the issues are whether the company’s investigation and follow-up measures were sufficient and what level of severity it understood,” adding, “In this respect, the results of our own investigation will serve as important reference material for the trial.”

Reporter Taewoong Bae btu104@hankyung.com

[View full article]
Coupang seeks US certification that 'it was not a major security incident' (Shortcut)