Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Business operators governed by the Act on the Protection of Personal Information have a broad obligation to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Notifying individuals when a security breach has occurred is not required under the Act on the Protection of Personal Information, but it is mentioned in some guidelines. For example, while the Ministry of Economy, Trade and Industry Guidelines Targeting the Economic and Industrial Sectors Pertaining to the Protection of Personal Information include no express provisions imposing such an obligation, they provide that “it is preferable to apologize to the person for the accident or violation, and to contact the person, as much as possible, in order to prevent secondary damage”. They also include an example of security control measures that should be taken to secure personal information under the act.

Are data owners/processors required to notify the regulator in the event of a breach?

While this is not required under the Act on the Protection of Personal Information, some guidelines require or recommend that the relevant minister be notified. For example, the Financial Services Agency (FSA) Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information state that if a personal information breach occurs, the business operator handling the personal information should immediately report the breach to the FSA and promptly make a public announcement addressing – among other things – the facts around the breach and the measures to be taken to prevent a recurrence.

Click here to view the full article.