2024-04-01
Company Loses in Litigation Due to Fraud Arising from Data Leakage
A woman (the "Plaintiff") purchased discount vouchers from a hot spring hotel (the "Hotel"). Her personal data, however, was somehow compromised and subsequently fell into the hands of an unknown fraudulent group, resulting in a loss of nearly NT$100,000. In response, the Plaintiff filed a lawsuit against the Hotel and a technology corporation responsible for the Hotel's online booking system (the "Tech Company"). The Plaintiff claimed NT$20,000 in damages for emotional distress and demanded that the Hotel cease using and delete her data.
The Plaintiff argued that the defendants were liable because they failed to take necessary measures to safeguard the Plaintiff's personal data that she provided to the defendants when she purchased the Hotel's coupons. In addition, the Plaintiff alleged that the Hotel was aware that the Tech Company had suffered a data breach as the result of hacking. Nonetheless the Hotel failed to notify the Plaintiff of the data breach. Based on these facts, the Plaintiff urged that both defendants should be held liable for the loss she suffered.
The defendants deny the liabilities. First, the defendants argued that the Plaintiff failed to establish a causal link between the hacking attack suffered by the Tech Company and the data breach that disclosed the Plaintiff's personal data". Relying on a notice letter issued by the Administration for Digital Industries (ADI), the agency that investigated the hacking attack, the defendants argued that the ADI classified the incident as a mere "cyber attack" rather than a "personal data breach incident". In other words, the defendants argued, the ADI did not find any personal data being breached by the hacker. The defendants further argued that the ADI did not confirm that any personal data had been disclosed to any unknown hacker. Furthermore, the defendant argued that there could be other sources from which the fraudulent group gained access to the Plaintiff’s data and that Plaintiff's personal data was not exclusively possessed by the defendants.
On March 20, 2023, the High Court ruled in favor of the Plaintiff, ordering the defendants to compensate the Plaintiff NT$20,000 for her non-economic loss. The High Court first found that the Plaintiff had established that the data used by the fraudulent group was indeed leaked via the Tech Company’s online booking system, considering that the Hotel's online booking system was developed by the Tech Company and other evidence indicating abnormal IP activity due to hack attack, resulting in the theft of approximately 5,423 sets of personal data.
Furthermore, the High Court held that Taiwan's Personal Data Protection Act requires non-governmental entities to implement adequate security measures to safeguard the data they hold from unlawful collection, manipulation, exploitation, damage, loss, or leakage; entities failing to do so, whether intentionally or negligently, are liable for compensation for resulting damages.
In this regard, the defendants argue that they had taken proper measures preventing personal data from being compromised by any unknown sources, relying on the ADI’s finding after its administrative investigation of the hack attack. The High Court, however, disagreed with the ADI, finding that the defendants failed to prove that the Tech Company had implemented adequate security measures for the personal data under its control. The High Court explained that although the Tech Company adopted a certain internal rules governing its data use practices, these rules were merely abstract internal rules that had no direct impact on how the Tech Company actually used the data in practice. Consequently, the High Court concluded that the defendants had not implemented adequate security measures leading to the unauthorized use of the personal data by the fraud group, thereby violating Article 27 of the Personal Data Protection Act with negligence.
In conclusion, the High Court held, while there was insufficient evidence to establish an adequate causal link between the defendants’ negligence and the Plaintiff's financial loss, the Plaintiff's claim for non-economic damages was deemed justified due to the time and effort she spent trying to rectify the situation and her ongoing concerns regarding the disclosure of her personal data to unauthorized parties.
The High Court's ruling stands as a reminder that a data processor is required to take proper measures that actively and effectively safeguard personal data under its control. Any failure to do so may result in liability for any resultant damages.
Authors:
Brian, Hsiang-Yang Hsieh, Partner
Shelley Hsu, Associate
Formosa Transnational
Search
English