Coupang Grapples with Data Breach Fallout: Billions in Compensation & Stricter Laws Looms
E-commerce behemoth Coupang is embroiled in a significant crisis following a massive data breach that exposed the personal information of 33.7 million customers. The incident has triggered a wave of legal and political challenges, with potential compensation liabilities projected to reach billions of dollars and lawmakers advocating for more stringent legal penalties.
The Scale of the Security Breach
Attributed to a former employee, the breach has ignited public outrage and led to an increasing number of class-action lawsuits. Initial financial estimations for the cumulative legal costs are staggering, with figures potentially escalating to 16.8 trillion won, or approximately $11.44 billion. This immense sum underscores the severe consequences facing one of South Korea's most prominent online retailers.
Mounting Financial Liabilities and Regulatory Scrutiny
South Korea's Personal Information Protection Commission (PIPC), the nation's data privacy watchdog, has indicated it will impose a substantial fine, potentially reaching 1.2 trillion won. This signals the profound severity of the breach, marking it as one of the most critical in Coupang's operational history. Concurrently, the number of individuals joining class-action suits continues its upward trend, with over 500,000 people coordinating efforts across more than 20 online communities by the end of last week. Several law firms have already initiated proceedings, demanding damages ranging from 200,000 to 300,000 won per person.
Legal Precedents and Punitive Damage Potential
Legal professionals and industry experts often reference a 2016 Seoul court decision that awarded 100,000 won per person in a comparable 2014 credit card data leak incident. If all 33.7 million affected Coupang customers were to receive this benchmark amount, the total compensatory damages would sum up to 3.37 trillion won. Moreover, under Korea's Personal Information Protection Act, courts can impose punitive damages up to five times the compensatory amount in cases where personal information is stolen due to negligence. This provision could theoretically inflate the total liability to an astonishing 16.8 trillion won. However, the five-time penalty has historically been applied sparingly due to exemption clauses if a company can demonstrate a lack of gross negligence or malicious intent.
Intensifying Political and Regulatory Pressure
During a recent session with the National Assembly's National Policy Committee, Coupang Corp. CEO Park Dae-jun acknowledged the imperative to compensate victims but declined to outline a specific plan, citing ongoing investigations. His testimony unfolded amid significant pressure from lawmakers, who are urging the PIPC and the government to enact more rigorous punitive measures.
Current legislation allows for penalties up to 3 percent of a company's annual sales. Considering Coupang's 41 trillion won in sales last year, this translates to a maximum penalty of 1.23 trillion won. However, legislators, including Rep. Kim Seung-won of the Democratic Party of Korea, contend that this percentage is inadequate and have proposed a revision to the Personal Information Protection Act to elevate the upper limit to 4 percent.
Corporate Accountability and Negligence Allegations
Further compounding Coupang's challenges, law firm Daeryun recently filed a criminal complaint against CEO Park with the Songpa Police Station. The complaint asserts violations of the Personal Information Protection Act and breach of duty, specifically alleging that Coupang was negligent in allowing a former Chinese employee, the primary suspect in the breach, to retain access to the company’s database after their departure. Daeryun also claims that Coupang failed to respond promptly upon the initial discovery of the leak. Notably, Coupang founder Bom Kim has maintained his silence throughout this escalating crisis.
The monumental scale of the breach, coupled with increasing legal and political scrutiny, places Coupang in a precarious position, facing not only immense financial obligations but also potential catalysts for significant reforms in South Korea's data protection landscape.