Arthur Shay of Shay and Partners writes:
In September 2019 a landmark appeal court decision found an online information service provider liable for consequential damages of data theft.
In April 2017 subscribers and users of one of Taiwan’s most popular box office websites, EZding, reported numerous data theft incidents. EZding rejected the complaints about its security management, insisting that it regularly performed vulnerability scanning and, as a result, had received a Trustwave compliance certificate for its data security.
The plaintiff, a victim of the data theft, filed a civil action with the Shilin District Court, claiming property loss and compensation for non-pecuniary damages. She stated that she had received a scam phone call requesting her authorisation of an account transfer to complete a refund from EZding. After following the scammers instructions, the plaintiff had lost approximately $8,500.
EZding denied liability for all of the plaintiff’s claims. However, in view of the police investigation report, the court considered EZding liable for the data theft. Under Article 28 of the Personal Data Protection Act, the plaintiff was therefore entitled to statutory compensation of NT$20,000 (approximately $6,700). The plaintiff’s other claims were rejected.