The Basic Act on Cybersecurity is the fundamental law on cybersecurity.
The Act on the Protection of Personal Information (Act No 57 of 30 May 2003, as amended, the APPI) is the principal data protection legislation in Japan.
The Unfair Competition Prevention Act prohibits the infringement of trade secrets.
The Act on the Prohibition on Unauthorised Computer Access prohibits unauthorised computer access.
The Penal Code also penalises some cybersecurity crimes.
The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.
For details of the laws cited above, and for other laws, please refer to 2.1 Key Laws.
The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (the PPC), which has the following powers under the APPI:
The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes.
For other regulators, please refer to Section 2 Key Laws and Regulators at National and Subnational Levels.
The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations.
It is important to note that the APPI imposes no administrative fines. In addition, criminal sanctions may only be imposed under the APPI if the handling operator refuses to co-operate with or makes any false report in response to an investigation by the PPC, or violates any order given by the PPC as a part of an administrative sanction, or provides information to unauthorised persons or misuses any personal information database for unlawful gains.
The National Police Agency and the Prosecutors’ Office have enforcement powers against cybercrimes or related crimes under the Criminal Procedure Code.
As for personal information, Japan is a member of the APEC Cross Border Privacy Rules (CBPR) system. While local governments have enacted local regulations, those regulations are applicable only to the local public sector.
The Ministry of Economy, Trade and Industry (METI) and the Information Technology Promotion Agency of Japan (IPA) published the Cybersecurity Management Guidelines (amended November 2017), which serve as the basic cybersecurity guidelines for companies in Japan.
The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines mentioned above, guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breach. The IPA also runs the J-CSIP, or the Initiative for Cybersecurity Information Sharing Partnership of Japan, which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on people).
The Japan Network Security Association (JNSA) also provides information regarding cybersecurity.
The Japan Computer Emergency Response Team Co-ordination Centre (JPCERT/CC) acts as a CSIRT (Computer Security Incident Response Team) within the Japanese community and publishes security alerts, incident news, and manuals.
The IPA, the JNSA, and the JPCERT/CC accept reports or notices from the public regarding cybersecurity incidents and publish useful information.
The fourth action plan on information security of critical infrastructure, published by the Cybersecurity Strategies Headquarters of the Cabinet, provides for certain reporting obligations and sharing of cybersecurity information in relation to critical infrastructure service providers.
The Cybersecurity Council was established in April 2019 under Article 17 of the Basic Act on Cybersecurity to enable the sharing of necessary information and consultations for cybersecurity between the public sector and the private sector in relation to the 2020 Olympic games in Tokyo.
The APPI follows the Organisation for Economic Co-operation and Development's eight privacy principles. Japan and the EU have certified each other’s country/territory as an "adequate" country for Japan and EU data protection purposes; however, this does not mean that the APPI is identical to Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR).
As mentioned above, the Cybersecurity Council was established in April 2019 based on an amendment to the Basic Act on Cybersecurity (Article 17) to facilitate the sharing of necessary information and consultations for cybersecurity between the public and the private sectors for the Tokyo 2020 Olympic and Paralympic Games.
The APPI is expected to be amended later in 2020, which will likely make the notification of data breach to data subjects and the filing of data breach reports to the PPC legal obligations.
The Basic Act on Cybersecurity regulates the responsibility of the national government and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.
The APPI, the principal data protection legislation in Japan, provides the basic principles for the government’s regulatory policies and authority, as well as the handling operators.
Another important law is the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the My Number Act), which stipulates special rules for "my number" – a 12-digit individual number assigned to each resident of Japan.
The obligations of the public sector in the handling of personal information are stipulated in the Act on the Protection of Personal Information Held by Administrative Organs, the Act on the Protection of Personal Information Held by Independent Administrative Agencies, and the local regulations (jyorei) legislated by local governments.
The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for causes of action in civil cases, such as damage compensation and injunctive relief, as well as criminal sanctions. Information that is not protected as a trade secret may instead be protected as "data for limited provision" after a recent amendment comes into force on 1 July 2019. An unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to damage compensation and injunctive relief but not to criminal sanctions.
The Act on the Prohibition on Unauthorised Computer Access prohibits: the use of another person’s identification code (eg, a password) to access remote computers via a telecommunications network; inputting information (excluding an identification code) or a command to evade access restrictions on remote computers via a telecommunications network; or obtaining, supplying, or storing someone else's identification code without legitimate reason (Articles 3, 4, 5 and 6). It also forbids phishing or creating a false impression of being the network administrator concerned and requesting identification codes (Article 7).
The Penal Code prohibits: the creation of false electromagnetic records that are related to rights, duties or certification of facts (Article 161-2); fraud by using computers (Article 246-2); the destruction of electromagnetic records in use by a public office or concerning private rights or duties (Articles 258 and 259); the obstruction of a business by damaging its computers or electromagnetic records or causing them to operate counter to the original purpose (Article 234-2); and the creation, provision, acquisition, or storage of a computer virus (Articles 168-2 and 168-3).
The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41-5(iii)) and to report serious incidents of breach to the Ministry of Internal Affairs and Communications (MIC).
The Instalment Sales Act requires businesses who handle credit card numbers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to those credit card numbers (Article 35-16).
The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to information pertaining to their respective businesses (Articles 21, 49, and 63-8).
Sector-specific regulators impose additional information security obligations for some industries including the financial and healthcare industries. Regarding the financial industry, the Financial Services Agency (FSA) issued the Comprehensive Guidelines for the Supervision of Major Banks, which provide for cybersecurity obligations of financial institutions. As for the healthcare industry, various ministries have issued relevant guidelines: the Ministry of Health, Labour and Welfare (MHLW) issued the Guidelines on the Safety Management of Medical Information Systems (May 2017); METI issued the Guidelines for Information Processing Service Providers Entrusted with the Management of Medical Information (October 2012); MIC issued the Guidelines on the Management of Medical Information by Cloud Service Providers (July 2018), and published comprehensive measures for the security of the internet of things (IoT).
The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes. (For other regulators, please see the rest of this Section, below.)
The National Centre for Incident Readiness and Strategies for Cybersecurity (NISC) is responsible for national-level cybersecurity under the Basic Act on Cybersecurity, and regularly publishes Cybersecurity Strategies of Japan.
The regulator tasked with enforcing and implementing the APPI is the PPC, which has the following powers:
As stated above, the FSA is the regulator for the financial sector, and MIC is the regulator for telecommunications business operators. As mentioned in 2.1 Key Laws, there are also other sector-specific regulators, such as MHLW and METI.
Please see 1.5 Information Sharing Organisations.
Commonly deployed guidance is provided by JIS Q 27000:2014 (based on ISO/IEC 27000), JIS Q 27001:2014 (based on ISO/IEC 27001), and JIS Q 27002:2014 (based on ISO/IEC 27002).
JIS Q 27017:2016 (based on ISO/IEC 27017, ISO/IEC 27018) provides guidance for securing cloud services.
JIS Q 15001:2017 is the standard that covers personal information and is used as the standard for issuing “PrivacyMark” certifications, which major Japanese companies commonly pursue.
The Instalment Sales Act requires a business that handles credit card numbers to take necessary measures to control the numbers (Article 35-16). Most companies adopt the PCI DSS security standard.
Please refer to 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.
Written Information Security Plans or Programmes
The Cybersecurity Management Guidelines issued by METI and IPA provide for ten instructions, including the recognition of cybersecurity risks and the development of company-wide measures such as drafting data security policies. In addition, the PPC Guidelines (defined in 4.1 Personal Data) include the implementation of a basic policy and internal rules on personal data (defined in 5.2 Data Elements Covered) as an example of security measures that should be taken for personal data protection.
Incident Response Plans
The Cybersecurity Management Guidelines provide for the development of an emergency organisation framework for incidents and a recovery organisation framework to recover damages resulting from any incident identified in the ten instructions. In addition, the PPC Guidelines indicate the creation of an incident response plan as an example of security measures that should be taken for the protection of personal data.
Appointment of Chief Information Security Officer or Equivalent Position
There are no general legal obligations to appoint a chief information security officer (CISO). However, the Cybersecurity Management Guidelines require the management of companies to work steadily towards putting together cybersecurity measures by giving the CISO directions on the following ten important items:
In addition, the PPC Guidelines indicate the appointment of a person in charge of the processing of personal data as an example of security measures that should be taken for the protection of personal data.
Involvement of Board of Directors or Equivalent Authority
Under the Japanese Companies Act, the board of directors of a large company must determine the company’s internal control systems, including cybersecurity management; the failure to put in place or comply with such a system may be a breach of the directors’ duty of due care of a prudent manager. In addition, the CISO or the director in charge of supervising the company’s cybersecurity may be in breach of his or her duty of due care of a prudent manager if he or she does not properly take necessary actions on cybersecurity. The Cybersecurity Management Guidelines stress the importance of the directors’ involvement in cybersecurity management.
Conducting Internal Risk Assessments, Vulnerability Scanning and Penetration Tests
The Cybersecurity Management Guidelines mention the importance of PDCA cycles for cybersecurity and provide a checklist for cybersecurity management.
In addition, the PPC Guidelines indicate taking regular audits of the processing of personal data as an example of security measures that should be taken for the protection of personal data.
Multi-factor Authentication, Anti-phishing Measures, Ransomware and Threat Intelligence
The Cybersecurity Management Guidelines do not directly mention multi-factor authentication, anti-phishing measures, ransomware, or threat intelligence. However, they mention the importance of collecting and utilising information on cyber-attacks through participation in information-sharing activities and developing the environment to utilise such information.
Insider Threat Programmes
The IPA has published guidelines on how to prevent insider data breaches. The Cybersecurity Management Guidelines refer to the IPA’s guidelines as useful guidance in minimising and dealing with insider threats.
Vendor and Service Provider Due Diligence, Oversight and Monitoring
The Cybersecurity Management Guidelines mention taking measures with respect to, and monitoring, a company’s entire supply chain, including business partners and outsourcing companies. The guidelines also state that PDCA for cybersecurity including internal audits and oversight must be conducted with respect to business partners and outsourcing companies.
Article 22 of the APPI also requires a handling operator to properly supervise any person to whom it has entrusted the handling of personal data. The PPC Guidelines require the handling operator to select a proper vendor and service provider, enter into an agreement with that provider and have a good grasp of how that provider processes personal data.
Use of Cloud, Outsourcing, and Offshoring
The Cybersecurity Management Guidelines mention the importance of multi-layer defences for terminals, networks, systems, and services including cloud used for important business.
For offshoring, please note that there are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to a third party located in a foreign country (Article 24). In other words, the overseas transfer restrictions will apply if a foreign company transfers user data to another company outside Japan. Conversely, if a foreign company transfers user data to a company in Japan, the overseas transfer restrictions will not apply. The overseas transfer restrictions apply even in the cases of outsourcing which are exceptions to local third-party data transfer restrictions. The data subjects’ consent to overseas data transfers is not necessary only if (i) the foreign country is designated by the PPC as a country with a data protection regime with a level of protection equivalent to that of Japan (only EEA member countries have been designated to date) or (ii) the third-party recipient has a system of data protection that meets the standards prescribed by the Ordinance issued by the PPC (the PPC Ordinance) – ie, either firstly that there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements on handling personal data under the APPI, or secondly that the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data. The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that “appropriate and reasonable methodologies” include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. 
With respect to a PPC recognised international framework, to date, the PPC Guidelines have identified only the APEC CBPR as a recognised international framework on the handling of personal data.
The Cybersecurity Management Guidelines include the securing of proper resources, such as setting aside adequate budget and sufficient manpower, for the implementation of cybersecurity measures in the ten instructions.
In addition, since Article 21 of the APPI requires a handling operator to properly supervise its employees who handle personal data, the PPC Guidelines indicate that training is an example of security measures that should be taken to protect personal data.
The Cybersecurity Policy, which was issued as a Cabinet Order, emphasises the importance of multinational co-operation, especially in preventing cyber-terrorism ahead of the Tokyo 2020 Olympic Games.
Under the APPI, a handling operator must take necessary and appropriate action for security control over the personal data that it handles, including preventing the leakage, loss or damage of or to personal data (Article 20).
The PPC is the regulator primarily responsible for the APPI and the My Number Act, and has published guidelines for the handling of personal information (the PPC Guidelines).
The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures.
According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 21). The APPI also requires a handling operator to ensure that the entity to whom it has entrusted the handling of personal data (eg, a third-party vendor) takes appropriate measures to ensure security control over the personal data (Article 22).
As discussed elsewhere, for some industrial sectors, the ministry with jurisdiction over them has published data protection guidelines for those sectors. For example, the FSA and the PPC have jointly published data protection guidelines for the financial sectors, and MIC has issued data protection guidelines for telecommunications business operators.
Reporting is required in relation to an investigation by the PPC for a breach of the APPI, but there is no obligation for periodic reporting to the PPC.
No information has been provided.
The Cybersecurity Policy for Critical Infrastructure Protection (25 July 2018) issued by the Cybersecurity Strategy Headquarters of the Cabinet defines the following 14 sectors as critical information infrastructure:
The aforementioned cybersecurity policy also encourages critical information infrastructure operators to:
The fourth action plan on information security of critical infrastructure published by the Cybersecurity Strategies Headquarters of the Cabinet provides for the reporting obligations of critical information infrastructure operators in the following instances:
The relevant incident and other useful information may be shared with other critical information infrastructure operators.
In addition, governmental authorities that have specific jurisdiction over some of the 14 critical information infrastructure sectors have issued specific guidelines described below concerning cybersecurity.
The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks which include detailed cybersecurity obligations. The Comprehensive Guidelines recognise the prevention of cybersecurity incidents and prompt recovery as significant management issues, and assert the necessity for certain major measures such as the appointment of a CSIRT, implementation of multi-layered defences for cybersecurity incidents, and conducting continuous evaluations for cybersecurity risks.
For the healthcare industry, please refer to 5.4 Security Requirements for Medical Devices.
The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) issued: the Safety Guidelines for Ensuring Information Security for Air Transport Operators for aviation services; the Safety Guidelines for Securing Information Security in the Airport Sector for airport services; the Safety Guidelines for Ensuring Information Security for Railway Operators for railway services; and the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.
MHLW issued the Information Security Guidelines for the Water Sector for water services.
There are no special requirements regarding the prevention of denial of service attacks or similar attacks on system or data availability or integrity.
No information has been provided.
Regarding personal data, the PPC’s Notification No 1 (2017) defines a breach of data security as the leakage, loss of, or damage to data. There is also a special rule for "my numbers" under the My Number Act.
There are no definitions of reportable data security incidents or breaches relating to other data.
The PPC’s Notification No 1 (2017) covers the following (excluding personal data containing "my number") breaches of data security:
Breach of data security is applicable to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 2.6), which is a collection of information (which includes personal information) that is systematically organised to enable a computer, or through another means, to search for particular personal information. However, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual’s rights and interests considering how that collection uses personal information (Article 2.4). Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system.
Under the Telecommunications Business Act, if an accident occurs and causes a suspension or deterioration of the quality of services for more than two hours and affects 30,000 or more users, the telecommunications business operator must report the accident to MIC. Furthermore, MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers.
There is no restriction for the systems covered.
MHLW has issued the Guidelines on the Safety Management of Medical Information Systems (May 2017).
METI has issued the Guidelines for Information Processing Service Providers Entrusted with the Management of Medical Information (October 2012).
MIC has issued the Guidelines on the Management of Medical Information by Cloud Service Providers (July 2018).
However, no special rule has been issued for data breach reporting and notification.
No information has been provided.
MIC has published comprehensive measures for the security of IoT.
According to the PPC’s Notification No 1 (2017), a handling operator must endeavour to report a breach to the government through the PPC, an Accredited Personal Information Protection Organisation (which is a non-governmental organisation accredited by the PPC), or any other supervising authority or organisation.
The foregoing notification also provides that it is preferable for a handling operator to notify the data subjects who may be affected by the data breach to prevent further damage and to announce publicly the fact of the data breach and the operator’s recurrence prevention measure to prevent further damage and similar data breaches in other companies.
Please note that, generally speaking, the APPI does not have any specific or explicit mandatory notification requirements in the case of data breaches. However, if the personal data affected by a data breach is handled by financial institutions under the control of the FSA, there is legal obligation to report to the FSA and to notify data subjects. In addition, if personal data affected by a data breach contains "my numbers", there is a legal obligation to report to the PPC for some serious incidents.
Please also note that the APPI is expected to be amended in 2020. Amendments are likely to include mandatory obligations to send data breach notifications to data subjects and to file data breach reports to the PPC.
With respect to "risk of harm" and thresholds, reporting is not required in the following cases: (i) the handling operator determines that there has been no substantial leakage of personal data (for example, the personal data is secured by high-level encryption); or (ii) minor wrong transmissions of email or fax or erroneous dispatches of a package (for example, the personal data leaked was only the name of the addressor or addressee of the email or the fax or package and just that email, fax or package).
An employer may monitor and inspect the emails of its employees in connection with the implementation of its internal rules regarding email monitoring, as long as the actual email monitoring is conducted only to the extent necessary. Some companies also use other digital forensic measures to boost cybersecurity.
See 6.1 Cybersecurity Defensive Measures.
There is no mandatory sharing of cybersecurity information; for authorised sharing of cybersecurity information, please refer to 1.5 Information Sharing Organisations.
Please refer to 1.5 Information Sharing Organisations.
No administrative order has ever been made regarding non-compliance with an official recommendation and no criminal sanction for non-compliance with an order or reporting requirement has been imposed.
As for significant data breach incidents, before the PPC was created to enforce the APPI, in 2014 METI issued a recommendation to an educational company, regarding the leakage of personal information of approximately 30 million data subjects (children), to take necessary action to rectify the violation of the APPI. Several civil cases were filed in relation to this leakage of personal information.
Please refer to 8.1 Regulatory Enforcement or Litigation.
The data subject may go to court to seek compensation for damages or distress caused by a breach of data protection. Japanese courts recognise the right to privacy, which is the right of a person not to have his or her private life disclosed except for a legitimate reason. Article 709 of the Civil Code also provides for tort action in connection with a breach of the right to privacy.
In a decision issued in October 2017, the Supreme Court found that the breach of a right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal data (eg, name, birth date, address and telephone numbers). The case was remanded to the High Court for further examination, and the High Court awarded JPY1,000 to the claimant. This is one of the cases mentioned in 8.1 Regulatory Enforcement or Litigation.
The Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers, which came into force on 1 October 2016, allows for class actions to be filed by consumers. Please note that claims allowed under that law are limited to property damage and do not cover compensation for distress caused by a breach of the APPI. However, as a practical matter, a number of data subjects may select the same lawyer to represent them, and that lawyer can initiate one litigation for those data subjects, which can be similar to a class action.
Japanese companies have started to recognise that conducting due diligence regarding cybersecurity in corporate transactions is important, especially after the UK’s Information Commissioner’s Office published their “Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach” in July 2019.
There are no non-cybersecurity-specific laws which legally mandate disclosure of an organisation’s cybersecurity risk profile or experience; however, in practice, it is common for publicly listed companies to disclose cybersecurity risks in the “risk of business” section of their annual securities reports. The Cybersecurity Management Guidelines issued by METI and the IPA, as well as the Point of View regarding Cybersecurity for Enterprise Management issued by NISC, both mention the possibility of public disclosure.
All significant issues have been dealt with above.