

[Contribution] Coupang lawsuit seen in Sony precedent, ‘data security governance’ up for judgment
2026-01-02
![[Contribution] Coupang lawsuit seen in Sony precedent, 'data security governance' up for judgment](/_next/image?url=https%3A%2F%2Fd1tgonli21s4df.cloudfront.net%2Fupload%2Fboard%2Fbroadcast%2F20260102061241453.webp&w=3840&q=100)
In 2014, the federal court in the Southern District of California issued a landmark ruling in the history of data leak lawsuits in the 'Sony Gaming Networks Data Security Breach Litigation (In re Sony Gaming Networks)'. The court at the time clearly ruled which legal claims would survive and which would be dismissed, and in doing so presented a 'basic textbook' for future similar lawsuits to refer to. In the ongoing Coupang, Inc. class action lawsuit, a more detailed and sophisticated legal battle is expected to unfold based on this precedent.
The most crucial difference between the Sony and Coupang cases lies in the framing that defines them. The Sony incident arose when the PlayStation Network (PSN) was hacked in 2011, causing the information of about 77 million users to be leaked and service to be interrupted. At the time, the lawsuit focused entirely on the ‘data leak’. The main concerns were the external intrusion itself and whether Sony had implemented technically reasonable security measures.
By contrast, the core issue of the Coupang incident is essentially ‘governance failure’. Beyond the technical negligence of failing to prevent external attacks, it deals with the overall failure of the global operating system and security management structure centered on US corporations. The level of litigation has expanded to the area of management responsibility, which examines who was responsible for making security decisions and whether there was structural neglect.
The first hurdle in a personal information leak case in a U.S. federal court is whether the plaintiff's standing is recognized under the Constitution. In the Sony case, the court focused on the objective fact that personal information had been violated and opened the door to standing widely, but applied very strict standards at the stage of determining liability for compensation. It took the view that the abstract risk of instability due to information leakage alone did not meet the requirements for compensation. At the time, the court dismissed a number of claims that lacked provable "realistic damages," such as actual misuse of personal information or attempted fraud, or specific cost expenditures and time losses. In other words, the key lesson of the Sony precedent is that the outcome of a personal information case depends not on whether a leak incident occurred, but on how the specific damage caused by it is structured and proven. The success or failure of the Coupang lawsuit can therefore also be seen as depending on how logically the realistic damages caused by the leak, such as identity theft management costs or actual monetary losses, are specified.
The legal approach also needs to change. At the time of the Sony decision, the court dismissed a large number of pure negligence claims on the grounds that “in principle, economic damages are the domain of contract law.” On the other hand, many claims based on the California Consumer Protection Act (UCL, FAL, CLRA) were allowed to proceed. This is because the Consumer Protection Act focuses on the presence of deceptive practices by companies. The court judged based on what statements the company made about its security level, whether those statements conflicted with the security status or risk perception recognized within the company at the time, and whether consumers were reasonably misled as a result. This trend is expected to remain valid in the Coupang lawsuit as well. The key issue will be whether the company deceived consumers by failing to keep its promises of 'industry standard encryption' or 'reasonable security', rather than liability for negligence, which has a low probability of winning. In other words, the connection between consumer deception and security governance failure can be seen as the key link in this lawsuit.
The most important thing to note is the qualitative expansion of discovery. If discovery in the past Sony incident was limited to confirming the adequacy of technical security measures, its scope in the Coupang incident should be expanded to include the board of directors and management. This is because we need to go beyond simply ‘whether a security system was in place’ and investigate ‘who left the vulnerable system unattended and under what organizational structure?’ A close understanding of the executive reporting lines, security budget allocation, and decision-making structure at the U.S. headquarters will be key to this lawsuit.
In the end, the Coupang lawsuit is expected not only to follow the textbook precedent of the Sony case, but also to use it as a stepping stone to develop into an advanced legal struggle that holds the headquarters of a global company accountable. This lawsuit, which seeks responsibility for governance beyond technical negligence, will become a new judicial standard that will redefine the scope of data security responsibilities of global companies in the future.
● Contributions by external writers may differ from our editorial direction.
Reporter Kim Dong-sik kds77@kyeonggi.com
