Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Japan has a dedicated cybersecurity law called the Basic Cybersecurity Act, which was enacted on 6 November 2014 (and promulgated on 12 November 2014). The Basic Cybersecurity Act is the first cybersecurity-specific law that has been enacted among the G7 nations.
The primary task of the Basic Cybersecurity Act is to ensure cybersecurity while also ensuring free distribution of information. It is the purpose of the Basic Cybersecurity Act to move cybersecurity-related policies forward in a comprehensive and effective manner, and contribute to the creation of a more energetic and continuously developing economic society, consequently contributing to the national security of Japan.
Owing to increased threats to cybersecurity, the Cabinet has submitted a bill to amend the Basic Cybersecurity Act with a view to further ensuring cybersecurity in Japan and being fully prepared to host the Tokyo 2020 Olympic and Paralympic Games. Deliberations are currently underway in the Diet regarding the following principal amendments to be made by the bill:
- Establishment of a cybersecurity council to enable various public/private entities to mutually cooperate in sharing cybersecurity information and discussing necessary countermeasures, etc. It is planned that the members of such council will be representatives of national or local administrative organs, principal infrastructure and cyber entities, educational or research institutions, experts and others; and
- additional operations to be handled by the Cyber Security Strategy Headquarters in communicating and making adjustments with parties inside and outside of Japan upon the occurrence of cybersecurity incidents.
If the bill passes the Diet, it will become effective within one year after promulgation thereof, on the date prescribed by a Cabinet Order.
The Basic Cybersecurity Act is, as the name implies, a basic law. In the future, the government may develop more specific relevant laws and regulations based on the Basic Cybersecurity Act.
At present, Japan has other substantive laws that relate to cybercrime, such as the Penal Code, the Unfair Competition Prevention Act, the Unauthorised Computer Access Prohibition Act, the Unfair Competition Prevention Act, the Copyright Act, the Specially Designated Secret Protection Act, the Basic Act on the Formation of an Advanced Information and Telecommunications Network Society, and the Act on Electronic Signatures and Certification Business. In addition to cybercrime legislation, the Personal Information Protection Act was enacted in 2003 to protect personal information and identity. Further, the Social Security and Tax Number Act was enacted in 2013.
The Personal Information Protection Act relates to information security, but more specifically to the proper handling of personal information, rather than to cybersecurity per se. Although the Personal Information Protection Act prescribes concrete duties of a business operator handling personal information as prescribed in article 2, paragraph 5 of the said Act (personal information-handling business operator), it does not prescribe concrete duties of administrative organs, independent administrative agencies and local governments. Concrete duties of administrative organs are prescribed in the Act on the Protection of Personal Information Held by Administrative Organs; those of independent administrative agencies are prescribed in the Act on the Protection of Personal Information Held by Independent Administrative Agencies, etc, and those of local governments are prescribed in privacy protection ordinances enacted by each local government.
The Personal Information Protection Act was amended in September 2015 (amended Personal Information Protection Act) and became fully effective on 30 May 2017. The principal amendments made therein are as outlined below:
- clarification of the definition of ‘personal information’ (ie, information ‘containing any personal identification code’ being included to the definition to eliminate grey areas, and the addition of new provisions concerning sensitive information);
- new provisions concerning the use of information anonymised pursuant to the method prescribed in the rules established by the Personal Information Protection Commission (PPC);
- new provisions concerning the traceability of personal information by the relevant individual identified by such personal information;
- new provisions concerning criminal penalties imposed in the event of personal information having been provided to obtain illicit gains;
- establishment of the PPC as an authority independent of other administrative organs, which will coordinate personal information protection policies in a unified manner; and
- provisions concerning overseas transfers of personal information and extraterritorial applicability of the Personal Information Protection Act of Japan.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
The Basic Cybersecurity Act specifically prescribes, in addition to the cybersecurity duties of the state and the local authorities, the cybersecurity duties of critical infrastructure business operators (ie, those engaged in business pertaining to such infrastructure that forms the basis of the lives of Japanese nationals and economic activities and that is likely to have a considerable impact thereon in the event of any discontinuance or decrease of its functions), cyber-related business operators, universities and other educational or research institutions in the economic field. There is a possibility that, in the future, duties for these business operators may be prescribed in further detail by more specific laws.
Revisions are currently being made to expand the scope for critical infrastructure business operators. In Japan, critical infrastructure business operators belonging to the following 10 sectors have conventionally been expected to safeguard information with the same level of security as the governmental institutions are required to do:
- information and communications technologies;
- government and government services (including local authorities);
- water; and
In addition to the above, the Basic Policy for Critical Information Infrastructure Protection (3rd Edition), published by the Information Security Policy Council on 19 May 2014, has further added chemical, credit card and petroleum industries, as critical information infrastructure sectors, and has also prescribed that new network system services such as smart cities and smart towns, intelligent transportation systems and other transportation control systems, etc, as well as defence industries and energy-related industries, which are included in the scope of critical infrastructure in the United States, will also continue to be considered, in line with environmental changes and based on coordination with related parties. Under the 4th Edition of this Basic Policy published by the Cyber Security Strategy Headquarters on 18 April 2017, the 13 sectors specified above are maintained as critical information infrastructure sectors and measures will be taken to safeguard information in a further improved and reinforced manner in line with the far-ranging spread of ‘internet of things’ (IOT) systems and to deal with increased risks surrounding critical infrastructure in connection with the upcoming Tokyo 2020 Olympic and Paralympic Games. Furthermore, under the 25 July 2018 revisions made to the 4th Edition, ‘airports’ has been newly added to the 13 sectors listed above, thereby bringing the number of critical infrastructure sectors up to 14. Although the 4th Edition of the Basic Plan will, in principle, cover the period up to the end of the Tokyo 2020 Olympic and Paralympic Games and is planned to be revised thereafter, necessary revisions will also be duly made even before the end of such period.
It is pertinent to mention that the Security Special Adviser to the Cabinet Secretariat has referred to IT systems such as websites, control systems of plants, and critical social infrastructures such as power plants, financial institutions and broadcasting companies as possible cyberattack targets. The Adviser also mentioned that the promotion of the development and the strengthening of the international competitiveness of cybersecurity industries and the cultivation of human resources in the cybersecurity sector are the key points to be taken from the Basic Cybersecurity Act. Some universities and IT companies have already started joint activities towards the cultivation of cybersecurity human resources.
Has your jurisdiction adopted any international standards related to cybersecurity?
The Japan Institute for Promotion of Digital Economy and Community (JIPDEC) operates an assessment system (ISMS conformity assessment system) for certifying whether or not the information security management system (ISMS) of a company is consistent with international standards. Under this assessment system, examinations are made as to whether an ISMS implemented by a company is in conformity with JIS Q 27001 (ISO/IEC 27001).
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Under the Personal Information Protection Act, a personal information-handling business operator is required to take, in relation to information security, necessary and suitable measures for the prevention of any leakage, loss or damage of any personal data handled by it and for the security management of other personal data (article 20 of the Personal Information Protection Act). In addition, to ensure security management of personal data, the aforementioned business operator is required to perform the necessary and suitable supervision over its employees or contractors who handle personal data (articles 21 and 22 of the Personal Information Protection Act). Furthermore, the PPC has developed guidelines regarding the Personal Information Protection Act (general rules, as well as rules concerning transfers to third parties located overseas, confirmation or recording obligations in the event of transfers to third parties and anonymised information). In the medical, financial, telecommunications and other sectors, although the guidelines developed by the PPC are basically applicable, additional guidelines are also applicable in view of the nature, method of use and conventional control of personal information in such sectors.
If any personal information-handling business operator violates its obligation to take security management measures, the PPC or any other authority to which the PPC delegates the relevant power may, where necessary, recommend or order that such personal information-handling business operator cease the violation and take necessary measures for correcting the violation (articles 42 and 44 of the Personal Information Protection Act). A business operator that violates any such order issued by the PPC shall be sentenced to imprisonment for up to six months or be subject to a fine of up to ¥300,000 (article 84 of the Personal Information Protection Act).
In the case of a large company, defined in article 2, item 6 of the Companies Act, the company must, to develop a system to ensure good governance of the company, decide on matters concerning internal regulations and other systems. Internal regulations concerning such risk management are general in nature, and they are typically not intended for ensuring cybersecurity. Provisions for ensuring cybersecurity, however, may be required to be made as part of the internal policies depending on the type or the volume of information held by the applicable large company or its business type.
Directors of a company limited by shares, if not a large company as defined in article 2, item 6 of the Companies Act, have a duty of due care of a prudent manager (article 330 of the Companies Act; article 644 of the Civil Code) to the company, and there is a possibility that any failure to develop a system for risk management constitutes a violation of the duty of care of a prudent manager. If a director is recognised to have violated the duty of due care of a prudent manager, the director shall be liable for providing compensation for damage caused thereby (article 423, paragraph 1 of the Companies Act).
How does your jurisdiction define cybersecurity and cybercrime?
In Japan, the term ‘cybersecurity’ has been legally defined for the first time in article 2 of the Basic Cybersecurity Act. The definition of cybersecurity is as follows:
The conditions where the measures necessary for the prevention of leakage, loss or damage, and for other security management of information which is recorded, sent, transmitted or received using an electronic method, a magnetic method, or any other method not recognisable to human senses, as well as measures necessary for securing the safety and reliability of information systems and information communication networks have been taken, and where such conditions are being properly maintained and managed.
There is no clear comprehensive definition of the term ‘cybercrime’; only the types of acts to be punished as a crime are prescribed in each of the criminal penalty provisions.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
In terms of the Personal Information Protection Act, concrete security management measures to be taken by personal information-handling business operators are prescribed in the guidelines developed by the PPC, etc, as provided in question 4.
For example, according to the guidelines targeting the financial sector, as prescribed by the PPC and the Financial Services Agency (FSA), in addition to the guidelines prescribed by the PPC, each personal information-handling business operator (ie, financial institution) must take necessary and suitable measures as to the development of implementation structures for security management measures, for the prevention of leakage, loss or damage, and for other management of security of the personal data that it handles. Further, it is prescribed in these guidelines that these measures must include ‘systematic management measures’, ‘human security management measures’, and ‘technical management measures’, which are laid out according to the respective levels of acquisition, usage and retention of personal data.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
Article 15 of the Basic Cybersecurity Act provides the obligation of the state to promote awareness of the importance of cybersecurity and to provide necessary information, advice and other necessary measures to private business operators and educational and research institutions to protect the intellectual property information held by them, in view of the importance of such intellectual property-related information for the reinforcement of Japan’s international competitiveness.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
To provide stable and proper services, critical infrastructure operators are obligated to have a deeper understanding and should know the significance of cybersecurity. They are further required to make voluntary and active efforts to ensure cybersecurity and to cooperate in putting in place cybersecurity measures prescribed by the state or local authorities (article 6 of the Basic Cybersecurity Act). In addition, the Basic Cybersecurity Act prescribes that the government must develop basic schemes concerning cybersecurity (‘cybersecurity strategies’) for the furtherance of cybersecurity measures in an effective manner. It further provides that cybersecurity strategies must contain matters relating to strengthening cybersecurity in critical infrastructure operators (article 12, paragraph 2, item 3 of the Act). In furtherance of the enactment of the Basic Cybersecurity Act, the government may separately enact or develop specific laws, regulations or guidelines concerning matters to be complied with by critical infrastructure operators for ensuring cybersecurity.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
It is construed that the spirit of article 13 of the Japanese Constitution guarantees privacy in general. The Personal Information Protection Act also deals with some aspects of privacy; however, there are no privacy-specific cybersecurity laws or regulations.
In terms of private communications, article 21, paragraph 2 of the Japanese Constitution guarantees the secrecy of communications, stating that: ‘No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.’ It is prescribed in the Telecommunications Business Act that secrecy of communications handled by telecommunications business operators shall not be violated (not only by telecommunications business operators but also by any other person). The Radio Act also protects the secrecy of encrypted private communications.
As an exception to the above, the Act on Wiretapping for Criminal Investigation permits, as a special investigation method for serious crimes, the wiretapping of telecommunications for criminal investigations, based on strict requirements and subject to a warrant issued by a judge, with an observer being present throughout the process, limited to such cases where it would be difficult to reveal the truth through normal investigative means.
Under the current Act, wiretapping is performed at the facilities of telecommunications carriers, with such carriers’ personnel, etc acting as observers. This has resulted in a huge burden being caused to both the telecommunications carriers and the investigative authorities owing to the need to dispatch several investigators to such carriers for a considerable period. To change this situation, the Act has been amended (to become effective by June 2019) to prescribe the technical measures to be taken, such as encryption of communications, thereby meaning it is no longer necessary for the personnel of telecommunications carriers to act as observers and to seal the wiretapped communications. Further, procedures for enabling wiretapping at police facilities have also been newly introduced.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
See question 24.
How has your jurisdiction addressed information security challenges associated with cloud computing?
Globalisation of corporate activities has facilitated cloud services and other transborder distribution of information. To ensure smooth transborder distribution of information, the amended Personal Information Protection Act is aimed toward creating a better structure in line with the systems being used overseas as well as the prevailing circumstances in the international society. For the foregoing purpose, the amended Personal Information Protection Act newly includes:
- a provision prescribing protective measures to be taken when transferring information to other countries (ie, article 24, which, in principle, requires the obtaining of prior consent from the relevant individual in the event of such individual’s personal information being provided to a third party located overseas); and
- a provision allowing the application of Japanese laws to foreign business operators in the event of transborder distribution of information (ie, article 75, pursuant to which many of the obligations prescribed in the Personal Information Protection Act will be directly applicable to any business operator handling personal information, who has acquired the personal information of an individual in Japan in connection with the provision of goods or services to such individual, and who handles, outside of Japan, any such personal information or any de-identified information created using the same).
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Obligations under Japanese laws and regulations applicable to foreign corporations engaging in business in Japan are the same as those applicable to domestic corporations in Japan.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
As stated in question 2, under the Basic Cybersecurity Act, the obligations for critical infrastructure operators, cyber-related business operators, university and other educational and research institutions may be prescribed in a more concrete manner by the promulgation of specific laws and regulations in the future. These may also include guidelines for strengthening cybersecurity. For example, on 27 July 2018, the Cabinet adopted a revised Cybersecurity Strategy. Furthermore, the Cyber Security Strategy Headquarters published the 4th Edition of the Basic Policy on Critical Information Infrastructure Protection, as mentioned in question 2, on 18 April 2017 (partly revised on 25 July 2018), whereby the following five measures have been promoted:
- developing security standards and raising awareness: to continuously improve guidelines for cross-sectoral measures and sector-to-sector security standards in protecting critical information infrastructure;
- strengthening information-sharing arrangements: to strengthen information-sharing arrangements between public and private sectors and across different sectors, principally by way of various forms of communication and the specification of shared information;
- strengthening failure response frameworks: to generally strengthen the frameworks for responding to service failures in critical infrastructure through drills, to be performed by way of public-private collaboration and coordination of various drills and training;
- managing and addressing risks: to promote comprehensive risk management, including improvement of risk response capabilities, through assessment of risks and development of contingency plans; and
- strengthening the protection base: to revise the scope for critical infrastructure protection, promoting public relations or public consultation activities and international collaboration, make necessary approaches to corporate senior management, and promote human resource development, etc.
The guidelines mentioned in question 4, which have been provided from the perspective of information security, would also recommend additional protections.
How does the government incentivise organisations to improve their cybersecurity?
To ensure that critical infrastructure operators adhere to measures to strengthen cybersecurity, the Basic Cybersecurity Act requires the state to take necessary measures such as developing basic standards to be followed, providing drills, training and promoting information sharing and other voluntary efforts (article 14). In addition, the state is required to promote awareness regarding the significance of cybersecurity, hold consultations concerning cybersecurity, provide necessary information and advice and take other necessary measures (article 15). See also questions 13 and 18.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
With regard to information security, international standards ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27017 are principally used in the development of relevant guidelines.
To use the ISO standards for the applicable certification system in Japan, however, the contents of such ISO standards must be established anew as Japanese Industrial Standards (JISs). JISs refer to national standards that are established in accordance with the Industrial Standardisation Act. These are specially enacted for the purpose of furthering industrial standardisation in Japan.
For example, as of November 2018, JIS Q 27000:2014, JIS Q 27001:2014, JIS Q 27002:2014, JIS Q 27006:2018 and JIS Q 27017:2016 have been established or revised as national standards based on ISO/IEC27000 (issued in 2012), ISO/IEC27001 (issued in 2013), ISO/IEC27002 (issued in 2013) and ISO/IEC27006 (issued in 2015), respectively. In 2017, JISQ15001, being a standard used for privacy mark certification, was revised. This JISQ15001 is not an international standard but rather a national standard that partly overlaps with ISO/IEC 27001 in terms of information protection; however, the two standards greatly differ in that, while information held by an organisation is generally protected under ISO/IEC 27001, only personal information is protected under JISQ15001.
Are there generally recommended best practices and procedures for responding to breaches?
In the event of an accidental information leak at a company resulting from a cybersecurity incident, although the measures to be taken by such company may vary depending on each case, examples of possible measures generally include the following:
- immediately verify related facts concerned, including causes of the accident and the information that has been leaked, and announce accurate facts at an early stage and express sincere apologies;
- continuously announce facts that may be revealed through subsequent investigations;
- perform investigations not only by a team of internal members, but also, where necessary or appropriate, organise a third-party committee consisting of legal specialists including attorneys and technical specialists, etc, who are in neutral positions and cause investigations to be performed by such committee, and also report the results of the investigations performed; and
- develop and adopt measures to prevent the recurrence based on the accidental information leak concerned.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
With regard to the voluntary sharing of information relating to cyberthreats, there is no legal or political incentive in particular. From the perspective of information security, however, in the event of an accidental information leak at a company, it would be practically advantageous for such company to make an accurate announcement at an early stage and to humbly take necessary measures to reduce the deterioration of goodwill among its customers. In the Japanese market, there have been cases of huge business losses incurred by companies as a result of deterioration in their corporate image owing to improper handling of information leaks. Risk to reputation must, therefore, be considered a significant business risk that should never be ignored.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The Basic Cybersecurity Act provides the basic philosophy for cybersecurity and basic measures that are required to be taken ‘for facing threats to cybersecurity, through coordination of various entities such as the state, local authorities, critical infrastructure operators, etc’ (article 3). To realise such coordination, the Basic Cybersecurity Act requires the government or the state to take the following measures, in addition to the measures mentioned in question 14:
- necessary legal, financial or tax measures and other measures to be taken by the government to adhere to the policies concerning cybersecurity under the Basic Cybersecurity Act (article 10); and
- necessary measures to be taken by the state to reinforce coordination among relevant governmental agencies and ministries, and to enable various entities such as the state, local authorities, critical infrastructure operators, etc, to mutually coordinate and work on cybersecurity-related measures (article 16).
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Insurance products covering ‘cyber risks’, such as standard attacks from outside parties and unauthorised access committed internally, providing coverage for damage arising from personal information leakage or system failure or such similar issues, are generally available. However, most of these insurance products have limited the types of incidents for which insurance benefits can be claimed, and have also limited the place of insured incidents to Japan.
In December 2012, a Japanese corporation belonging to an insurance company group based in the United States started selling insurance products that provide broader coverage for damage arising from cyberattacks, including accidents occurring outside Japan. Currently, insurance products that cover damage incurred in cybersecurity incidents are being sold by leading Japanese insurance companies.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
Government agencies that are the competent authorities concerning cybersecurity are the nodal authorities for ensuring implementation of the said laws, such as by providing their interpretations as relevant administrative organs and developing guidelines (provided, however, that the interpretation of laws by such administrative organs shall not be binding upon judicial organs).
For example, the National Police Agency, the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry are the competent authorities in the case of the Unauthorised Computer Access Prohibition Act, and the Ministry of Justice has competency over laws pertaining to cybercrimes, including the Penal Code, and, as such, are in charge of the implementation of such laws. The PPC has competency over the Personal Information Protection Act and, as expressly prescribed in said Act, is entitled to require the submission of reports and materials from personal information-handling business operators, as well as being entitled to enter their business premises for inspection purposes (article 40 of the Act; the power of entry and inspection has been newly included pursuant to the amended Personal Information Protection Act). Furthermore, the PPC provides necessary guidance and advice (article 41 of the Act) or recommendations or orders (article 42 of the Act) to personal information-handling business operators. A personal information-handling business operator shall be punished (Chapter 7 of the Act) if it fails to comply with such order. Since the PPC must ensure the proper handling of personal information in an urgent and focused manner, it is entitled to delegate the power to collect reports from, and to enter and inspect the business premises of, a personal information-handling business operator, etc, to the authority having jurisdiction over the business concerned, whenever the PPC considers it necessary to do so in order to effectively provide recommendations or orders (article 44, paragraph 1 of the Act).
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
With regard to cybersecurity, there are, to date, no laws or regulations directly and expressly prescribing the power of any administrative organ to monitor or investigate private business operators for their compliance with regard to the implementation of measures to strengthen cybersecurity. The obligation imposed on those other than the state or the local authorities under the Basic Cybersecurity Act are obligations to make efforts, and the Basic Cybersecurity Act itself will not be a ground for the authorities’ power over private sectors. Therefore, no administrative organ has the power to prosecute any private business operator in the event of a violation of such obligations. See also question 18.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Administrative organs do not have the power to impose, by way of penalties or by any other means, any mandatory obligations on private business operators to ensure cybersecurity. The Basic Cybersecurity Act is preconditioned on the fact that the obligations of parties, other than the state and local authorities, are limited to carrying out best efforts and the voluntary efforts of private business operators will be furthered by the state by taking necessary measures. This being the case, there is a huge issue in terms of whether or not voluntary efforts of private business operators can be effectively furthered based on measures taken by the state. Since there is no physical border and no safe space in cyberspace, international cooperation towards enforcement is an important issue.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
To date, there is no penalty under law imposed on those parties who, because of not implementing sufficient measures for cybersecurity, have been victims of cyberattacks. It is, however, set forth in the Unauthorised Computer Access Prohibition Act that an administrator of a computer connected to telecommunication lines, who has added an access control feature to such computer by way of an ID or password, has the obligation to always verify the effectiveness of such ID or password and endeavour to promptly take the appropriate measures to protect the computer concerned from acts of unauthorised computer access, such as enhancement of the function of the access control feature concerned, whenever deemed necessary (article 8 of the Unauthorised Computer Access Prohibition Act). See also question 20 with regard to information security.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
With regard to cybersecurity, there is, to date, no law or regulation directly and expressly obliging a private business operator to report any cyberattack sustained by it, and no penalty is imposed on it in the event of a failure to make such report. However, in terms of information security, some of the guidelines prepared in accordance with the Personal Information Protection Act set forth an obligation to report any information leakage to the competent authority (however, according to the Guidelines Concerning Measures to be Taken Upon Personal Data Leakage Incidents, Etc, prepared by the PPC, private business operators are merely obliged to make efforts for reporting information leakages to the PPC or any other relevant authority). For example, the Guidelines for Personal Information Protection in the Financial Field, prepared by the PPC and the FSA, state that: ‘An entity handling personal information must immediately report to the supervisory authorities when an incident regarding leakage of personal information occurs’ (article 17, paragraph 1). See also question 20.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
If cybersecurity is regarded as a contractual obligation, compensation may, as a general rule, be claimed against a party who has such obligation, within the scope of a reasonable cause-effect relationship. It is, however, possible to restrict the scope of the damage compensation obligation, based on the mutual agreement of both parties to a contract, as long as such restrictions do not conflict with any mandatory laws and regulations. If such restriction is set forth in a contract, this merely means that compensation for damage may be made within such scope.
In the internet business, however, contracts could be entered into with consumers (ie, individuals, excluding those who become a party to a contract in the course of, or for the interest of any business (article 2 of the Consumer Contract Act)). In such case, according to the Consumer Contract Act, any clause that totally exempts a business operator from its liability to compensate a consumer for damage arising from default by the business operator is void (article 8 of the Act), and that such provision of the Act is a mandatory statute (ie, any clause of a contract in conflict therewith will be void). In this regard, according to the 2018 amendments to the Act promulgated on 15 June 2018 (to become effective on 15 June 2019), any clause that permits termination of a contract upon commencement of guardianship for a consumer, or any clause in which a business operator attempts to set its own liability, will be void.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
See question 6.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
To date, there are no rules directly and expressly prescribing such obligations under any laws or regulations.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
See question 24.
What is the timeline for reporting to the authorities?
To date, there is no law or regulation directly and expressly prescribing the obligation of a private business operator to make regular reports concerning cybersecurity. Reporting obligations in the event of a leakage of information are discussed in question 24.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
In terms of information security, some of the guidelines established in accordance with the Personal Information Protection Act set forth matters relating to public announcements or notices to be provided in the event of any leakage of information. For example, the Guidelines Concerning Measures to be Taken Upon Personal Data Leakage Incidents, Etc, prepared by the PPC, prescribe that: ‘It is desirable for a business operator handling personal information to take necessary measures concerning (1) through (6) below’, and, with regard to (6) (‘Publication of facts involved and recurrence prevention measures’), ‘Facts involved and recurrence prevention measures should be promptly publicised based on the details of such leakage incident, etc., so as to prevent any secondary damage or the occurrence of similar incidents.’
Furthermore, it is provided in the Guidelines for Personal Information Protection in the Financial Field that, in the event of an accidental leak or the like of personal information, an entity handling personal information in the financial field must ‘promptly publicise the facts involved in such incident and the recurrence prevention measures, so as to prevent secondary damage or the occurrence of similar incidents’ (article 17, paragraph 2); and must ‘notify the facts of such incident promptly to the person whose personal information has been leaked’ (article 17, paragraph 3).
Update and trends
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Most of the critical infrastructure business operators are private entities and, accordingly, there is an issue in relation to the possibility of excessively strict obligations being imposed on such entities, resulting in pushback from such entities owing to the huge expenses and manpower required from them in ensuring cybersecurity. In this regard (see question 22), it can be said that this issue has been resolved by the Basic Cybersecurity Act being preconditioned on the furtherance of the voluntary efforts of private business operators, while limiting their obligations merely to making an effort to improve the security of their systems. In addition, pursuant to the Basic Cybersecurity Act, the position of the Cyber Security Strategy Headquarters (the Chief Cabinet Secretary acting as the head of the headquarters) as an organisation demonstrating a control tower function extending across ministries and agencies has been made legally clear, allowing for the Cyber Security Strategy Headquarters to fulfil its role in a more effective manner (as outlined in Chapter 4 of the Basic Cybersecurity Act). Much attention continues to be paid to the effective measures to be taken hereafter by the state in relation to cybersecurity under the leadership of the Cyber Security Strategy Headquarters.
The specific measures that are currently being considered concerning cybersecurity include the following.
The FSA is currently considering and intends to reach a conclusion concerning issues such as the possibility of cyberattack-related incidents taking place at listed companies and indicating such possibilities to investors as business risks, etc, referring to the practices of the US Securities and Exchange Commission. With regard to the said issues, the FSA is also considering and intends to reach a conclusion concerning possible incentives for furthering the disclosure of such incidents. The Ministry of Economy, Trade and Industry (METI) is now working on establishing Cybersecurity Management Guidelines that will describe desirable cybersecurity measures, set forth an organisational framework, including the appointment of a Chief Information Security Officer, and describe technical measures and information disclosure methods, etc.
In view of increasing threats to cybersecurity, the Basic Cybersecurity Act has been partly amended (promulgated on 21 October 2016) to fundamentally reinforce the countermeasures taken by the national administrative organs. More specifically, under the amended Act, the scope of parties to be evaluated by the national government in terms of cybersecurity measures has been expanded to cover special corporations and authorised corporations (in addition to the central government and incorporated administrative agencies that had already been covered under the pre-amended Act). Further, the scope of parties whose information systems will be monitored unanalysed by the national government to deal with wrongful activities targeting the same has been expanded to cover incorporated administrative agencies, special corporations and authorised corporations (in addition to the central government that had already been covered under the pre-amended Act). Such amendments have been triggered by an incident made public in June 2015 wherein there was a cyberattack on the Japan Pension Service (a special and authorised corporation) resulting in the leakage of approximately 125 million items of personal information. In relation to such amendments, the Act on Promotion of Information Processing was also amended, and a national qualification system of cybersecurity specialists (registered information security specialists) has been newly established.
Additionally, the Unfair Competition Prevention Act, which regulates the wrongful acquisition of trade secrets, has been amended in view of factors such as the expansion of cyberspace (with the rapid spread of cloud computing) and the development of technologies enabling the wrongful acquisition of information (including cyberattacks), and also considering the purpose of the Basic Cybersecurity Act.
Under the amended Unfair Competition Prevention Act, promulgated on 1 January 2016, regulation on the wrongful acquisition of trade secrets has been principally reinforced by:
- expanding the scope of subsequent acquirers of trade secrets who are punishable (ie, wrongful use or wrongful disclosure by a third or subsequent acquirer becoming additionally punishable);
- causing any attempt of wrongful use or wrongful disclosure of trade secrets to be punishable; and
- expanding the scope for punishment of crimes committed outside Japan (making it clear that any wrongful acquisition of trade secrets committed outside Japan, in respect of trade secrets stored on overseas servers, will also be punishable).
Moreover, under the amended Unfair Competition Prevention Act promulgated on 30 May 2018 (to become effective within one year and six months thereafter), in line with the expanded use of big data, any valuable data that fulfils certain requirements will be deemed as ‘data provided to limited users’, and any highly wrongful acquisition or use, etc, of such data will be regarded as an act of unfair competition and be subject to civil remedies such as the right to file an injunction.
As mentioned above, a bill to amend the Basic Cybersecurity Act is currently being deliberated in the Diet for the purpose of further ensuring cybersecurity.
Furthermore, in view of the increasing seriousness of internet failures owing to cyberattacks caused through the misuse of IOT devices, the revised Telecommunications Business Act was enacted on 1 November 2018 and such Act enables the establishment of telecommunications carriers being able to share information concerning malware-infected devices, etc, that may become sources of cyberattacks, through a third-party institution, which is to be newly established (ie, a general incorporated association established by telecommunications carriers and approved by the Minster of Internal Affairs and Communications in accordance with the Telecommunications Business Act).
In addition, as stated in question 9, the amended Act on Wiretapping for Criminal Investigation will become effective by June 2019 and such Act will streamline and allow for more efficient wiretapping procedures for criminal investigation purposes.
In addition, due to factors such as an increased number of cases of damage caused by the divulgence or wrongful use of credit card numbers, and the entry of fintech companies into the service payment business, the amended Instalment Sales Act promulgated on 9 December 2016 has become effective, newly containing provisions for: (i) obliging member stores to take countermeasures against wrongful use, such as by way of making credit card terminals compatible with IC cards; and (ii) introducing a registration system in respect of payment service companies (fintech companies, etc).
Further, on 28 December 2015, METI issued its Cybersecurity Management Guidelines, which were subsequently revised on 28 December 2016 and further on 16 November 2017 (as version 2.0). The Guidelines are intended for large, and small to-medium-sized companies that provide IT-related systems or services and that essentially require the use of IT in accordance with their managerial strategies, from the perspective of protecting companies from cyberattacks. The Guidelines prescribe: (i) three principles that manager of a company should be aware of; and (ii) 10 significant items that a manager of a company should instruct to the officer responsible for execution of information security measures (eg, the Chief Information Security Officer in charge of supervising information security within the company). The current version 2.0 provides further detailed information about the ‘detection’ and ‘recovery’ processes in the subsequent measures.
In addition, in line with circumstances such as the need to make preparations for the Tokyo Olympic and Paralympic Games scheduled for 2020, as well as increased threats to cyberspace, related laws and regulations may be developed and it will be necessary to pay careful attention to such developments.