Global Intellectual Property
Benesse compensates customers for data leak
On 9 July 2014, Benesse Holdings Inc. and its group company Benesse Corp. (“Benesse”) announced that approx. 7.9 million pieces of its customer information were leaked from its database, and that direct-mail advertisements had been sent to its customers from an unrelated IT company, who allegedly obtained the information through a broker.
Benesse is a major correspondence education provider for children in Japan, and the leaked data included the names of children and their parents, as well as the child's birth date, gender, address, and phone number.
According to police reports, a system engineer who was dispatched from an outside firm to Benesse copied the customer information from his work computer to his smartphone during the period from July 2013 to June 2014, and sold 200 million pieces (in gross) of information to three brokers who trade database information, for 4 million yen (nearly USD 40,000). The engineer was later found and arrested on 17 July 2014.
The engineer was charged for stealing trade secrets of Benesse in violation of the Unfair Competition Prevention Act (“UCPA”). In Japan, the UCPA, among other things, provides for civil liability and criminal penalty for stealing trade secrets. Personal information held by a business is not necessarily protected under the UCPA, unless it qualifies as a trade secret (i.e., technical or business information useful for business activities, such as manufacturing or marketing methods, that is kept secret and that is not publicly known). Under the UCPA, criminal penalty for stealing trade secrets is imprisonment with labor up to 10 years or a fine up to 10,000,000 yen for individuals, and a fine up to 300,000,000 yen for businesses.
It is interesting that he was not charged under the the Act of Protection of Personal Information (“APPI”) which provides for rules that businesses must comply in handling personal information. Like the UCPA, the APPI also provides for criminal penalties for mishandling of personal information, but the penalties are lighter (e.g., imprisonment with labor for up to 3 years or a fine of up to 300,000 yen), and are applicable only after a business does not comply with an administrative order issued by the government. Further, the APPI does not provide for civil liability for mishandling of personal information, although businesses may be subject to civil liability in tort under the Civil Code, if found negligent for such mishandling.
On 10 September 2014, Benesse announced that they will issue a 500 yen (just under USD 5) cash voucher to an estimated 28.95 million customers who were affected by the data leak. A compensation of 500-yen per customer is in line with the amount of compensation paid by Japanese companies in the past
For further information please contact:
+ 81 3 6271 9479
+ 81 3 6271 9696
2 Intellectual Property Client Alert August 2014
for data leak cases that were resolved outside of court. For example, in data leak cases from major convenience store franchisers, Lawson issued a 500 yen cash voucher to 5.6 million customers, and Family Mart issued a 1,000 yen cash voucher to 1.8 million customers, both in 2003. However, financial and insurance companies tend to pay more: a 10,000 yen cash voucher was issued by Mitsubishi UFJ Securities to 5 million customers and by ALICO (currently MetLife Insurance) to 2 million customers, both in 2009. Further, in data leak cases that were brought to court, the damage awarded by the court is even higher: 30,000 yen (plus 5,000 yen as attorney fee) per customer against TBC (major aesthetic salon operator) for the data leak in 2002, and 5,000 yen (plus 1,000 yen as attorney fee) per customer against Softbank BB for the data leak in 2006.
On 17 September 2014, Benesse submitted a final report to the Ministry of Economy, Trade and Industry (METI), following METI’s request on 10 July 2014 to submit a report under the APPI. In the report, Benesse declared that it will no longer outsource maintenance and operations of its data system to an outside company. By April 2015, Benesse will set up a new joint venture for this purpose, with a Tokyo-based information security service firm, Lac Co, one of whose directors has been a member of Benesse’s “incident investigation board” that was formed after the data leak. Further, Benesse will also establish an external body comprising of information security experts who will monitor the data management. METI plans to review the report and decide whether to issue an improvement order or take other measures against Benesse. More generally, METI plans to amend the APPI guidelines to address issues posed by the Benesse incident.