In September 2014, an investigation report released by Benesse Holding Inc. and its subsidiary Benesse Corporation in Japan, concluded that a data breach earlier that year affected approximately 48.6 million people in Japan (approximately one third of the country's total population). This was more than double the original estimate made by Benesse, Japan's largest provider of correspondent education for children. A wave of individual civil claims have already been filed. By the end of January 2015, 1,789 complaints had been reported, but according to the lawyers, over 1,000 further plaintiffs are expected to file claims during February. If so, according to court records, the litigation will be the largest multi-plaintiff lawsuit ever seen in Japan. Unlike class actions in the U.S., multi-plaintiff actions in Japan commence with individual claims from each plaintiff.

The scale of the data breach has attracted massive attention in Japan. Benesse originally offered compensation of $4 per person, although the claims filed ask for much higher amounts, ranging from the equivalent of $125 to over $850 for the harm caused by the data breach. The data breach apparently occurred as a result of a systems engineer subcontracted to manage and maintain Benesse's customer database illegally copying the data. The engineer had access to the database terminal and it is thought that he used an advanced smartphone to circumvent security measures and download data. While buying or selling stolen personal data is illegal, if data brokers claim that they were not aware of this, it is hard to prove otherwise and almost impossible to control the flow of data. In the wake of this scandal, the Japanese Ministry of Economy, Trade, and Industry (METI) has announced that it will amend and strengthen its guidelines for the implementation of the Personal Information Protection Law.

TIP: This case highlights the potential security risks of outsourcing the management and maintenance of customer databases and the need for companies to have an active, coordinated, and evolving overall security strategy. Companies should supervise the activities of contractors' and subcontractors' review and access rights and regularly review and upgrade security protocols and systems. Foreign companies operating in Japan should also follow any new guidelines issued by METI.