The Basic Act on Cybersecurity is the fundamental law on cybersecurity.
The Act on the Protection of Personal Information (the APPI) is the principal data protection legislation in Japan. An amendment to the APPI was approved in June 2020, and came into full force on 1 April 2022. Another set of amendments to the APPI was approved in May 2021, and came into full force on 1 April 2023. However, the 2021 amendment does not have a material impact on private companies.
Pursuant to the amended APPI, a personal data breach is subject to mandatory reporting and notification – refer to 5. Data Breach or Cybersecurity Event Reporting and Notification.
There is no general regulation to impose a mandatory reporting obligation for a cybersecurity incident that does not involve personal data breach.
The Unfair Competition Prevention Act prohibits the infringement of trade secrets. The Act on the Prohibition on Unauthorised Computer Access prohibits unauthorised computer access. The Penal Code also penalises some cybersecurity crimes. The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.
Japan does not have specific regulations for secure software development. For vendor responsibilities in some specific instances, see 3.3 Legal Requirements and Specific Required Security Practices.
For details of the laws cited above, and for other laws, refer to 2.1 Key Laws.
The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (the PPC), which has the following powers under the APPI:
The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes.
As for non-regulatory government authorities that are also directly relevant to cybersecurity, the IPA and the National Centre for Incident Readiness and Strategies for Cybersecurity (NISC) are notable. Refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance for the IPA and 2.3 Over-Arching Cybersecurity Agency for NISC. For other regulators, refer to 2. Key Laws and Regulators at National and Subnational Levels.
The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations (Article 146.3).
It is important to note that the APPI imposes no administrative fines. In addition, criminal sanctions may only be imposed under the APPI if the handling operator refuses to co-operate with or makes any false report in response to an investigation by the PPC (Article 178), provides information to unauthorised persons or misuses any personal information database for unlawful gains (Article 180), or violates any order given by the PPC as a part of an administrative sanction (Article 181).
The PPC is not vested with enforcement power over cybersecurity events, including supply chain and software vulnerabilities, to the extent that personal information is not involved.
The National Police Agency and the Prosecutors’ Office have enforcement powers against cybercrimes or related crimes under the Criminal Procedure Code.
As for personal information, Japan is a member of the APEC Cross Border Privacy Rules (CBPR) system. Before 31 March 2022, national administrative bodies were regulated by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Independent Administrative Agencies. One of the main purposes of the 2021 amendments to the APPI is to integrate the obligations prescribed in these two laws into the APPI. The amendments relating to the foregoing integration were effective from 1 April 2022.
While local governments have enacted jyorei (local regulations), those regulations are applicable only to the local public sector and vary from one body to the other. The 2021 amendments to the APPI introduced nationwide principles for jyorei and related implementing guidelines to homogenise the administration of national data protection regulations. Under this set of amendments, standard rules regarding personal information handled by local governments are uniformly stipulated in the APPI, and jyorei can only stipulate local rules in very limited situations allowed under the APPI. The aforesaid amendments are effective from 1 April 2023.
The Ministry of Economy, Trade and Industry (METI) and the Information Technology Promotion Agency of Japan (IPA) published the Cybersecurity Management Guidelines (amended in November 2017 and a draft of the proposed update was published on 26 October 2022), which serve as the basic cybersecurity guidelines for companies in Japan.
The NISC, the National Police Agency (NPA), the Ministry of Internal Affairs and Communications (MIC) and METI issued the Guidance on Sharing and Publishing Information on Cyber-attack Incidents on 8 March 2023. This guidance includes recommendations and 33 FAQs regarding sharing and publishing cyber-attack incidents.
The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines mentioned above, guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breach. The IPA also runs the J-CSIP, or the Initiative for Cybersecurity Information Sharing Partnership of Japan, which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on people).
The Japan Network Security Association (JNSA) also provides information regarding cybersecurity.
The Japan Computer Emergency Response Team Co-ordination Centre (JPCERT/CC) acts as a computer security incident response team (CSIRT) within the Japanese community and publishes security alerts, incident news, and manuals.
The IPA, the JNSA, and the JPCERT/CC accept reports or notices from the public regarding cybersecurity incidents and publish useful information.
The Cybersecurity Policy for Critical Infrastructure Protection (last amended on 17 June 2022), published by the Cybersecurity Strategies Headquarters of the Cabinet, provides for certain reporting obligations and sharing of cybersecurity information in relation to critical infrastructure service providers.
The Cybersecurity Council was established in April 2019 under Article 17 of the Basic Act on Cybersecurity to enable the sharing of necessary information and consultations for cybersecurity between the public sector and the private sector.
The NPA and the Prosecutors’ Office may assist a victim of cybercrime.
The APPI follows the Organisation for Economic Co-operation and Development’s eight privacy principles. Japan and the EU, and Japan and the UK, have each certified the other’s country/territory as “adequate” for their respective data protection purposes, and these decisions were renewed in March and April 2023. However, this does not mean that the APPI is identical to the EU’s General Data Protection Regulation (GDPR). Japanese data protection law is closer to the EU omnibus model than to the US sectoral/subnational approach, in the sense that Japan has a comprehensive data protection law in the APPI.
As for specific regulation for critical infrastructure cybersecurity, refer to 4.3 Critical Infrastructure, Networks, Systems and Software.
As discussed in 1.1 Laws and 1.4 Multilateral and Subnational Issues, the APPI was amended in 2020 and 2021.
The MIC and the METI are in the process of establishing AI Business Guideline for AI developers, AI service providers and AI users, which will be finalised around March 2024. This Guideline includes points regarding cybersecurity.
The Basic Act on Cybersecurity regulates the responsibility of the national government and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.
The APPI, the principal data protection legislation in Japan, provides the basic principles for the government’s regulatory policies and authority, as well as the handling operators.
Another important law is the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the “My Number Act”), which stipulates special rules for “my number” – a 12-digit individual number assigned to each resident of Japan.
The obligations of the local public sector are set out in the jyorei legislated by local governments.
The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for causes of action in civil cases, such as damage compensation and injunctive relief, as well as criminal sanctions. Information that is not protected as a trade secret may instead be protected as “data for limited provision”. An unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to damage compensation and injunctive relief but not to criminal sanctions.
The Act on the Prohibition on Unauthorised Computer Access prohibits:
The Penal Code prohibits:
The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41.6 (iii)) and to report serious incidents of breach to the MIC.
The Instalment Sales Act requires businesses who handle credit card numbers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to those credit card numbers (Article 35–16).
The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to information pertaining to their respective businesses (Articles 21, 49 and 63–8).
Sector-specific regulators impose additional information security obligations for some industries, including the financial and healthcare industries. Regarding the financial industry, the Financial Services Agency (FSA) issued the Comprehensive Guidelines for the Supervision of Major Banks, which provide for cybersecurity obligations of financial institutions. As for the healthcare industry, an enforcement order under the Medical Care Act requires hospitals, clinics, and birthing centres to take appropriate steps to ensure cybersecurity (Article 14.2), and an enforcement order under the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices also requires pharmacies to do the same (Article 11.2). Further, various ministries have issued relevant guidelines:
The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes. For other regulators, see the other subsections within 2. Key Laws and Regulators at National and Subnational Levels.
NISC is responsible for national-level cybersecurity under the Basic Act on Cybersecurity, and regularly publishes Cybersecurity Strategies of Japan.
The regulator tasked with enforcing and implementing the APPI is the PPC. The PPC’s powers are explained in 1.2 Regulators.
As stated above, the FSA is the regulator for the financial sector, and MIC is the regulator for telecommunications business operators. As mentioned in 2.1 Key Laws, there are also other sector-specific regulators, such as the MHLW and METI.
See 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.
Commonly deployed guidance is provided by JIS Q 27000:2019 (based on ISO/IEC 27000), JIS Q 27001:2014 (based on ISO/IEC 27001), and JIS Q 27002:2014 (based on ISO/IEC 27002; a draft update, JIS Q 27002:2022, is under public consultation).
JIS Q 27017:2016 (based on ISO/IEC 27017) provides guidance for securing cloud services.
JIS Q 15001:2017 is the standard that covers personal information and is used as the standard for issuing “privacy mark” certifications, which major Japanese companies commonly pursue.
The Instalment Sales Act requires a business that handles credit card numbers to take necessary measures to control the numbers (Article 35–16). Most companies adopt the PCI DSS security standard.
Refer to 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.
Written Information Security Plans or Programmes
The Cybersecurity Management Guidelines (Version 3.0, last updated on 24 March 2023) issued by METI and the IPA provide for three key principles and ten instructions, including the recognition of cybersecurity risks and the development of company-wide measures such as drafting data security policies. In addition, the PPC Guidelines (defined in 4.1 Personal Data) include the implementation of a basic policy and internal rules on personal data (defined in 5.2 Data Elements Covered) as an example of security measures that should be taken for personal data protection.
Incident Response Plans
The Cybersecurity Management Guidelines provide, among the ten instructions, for the development of an emergency organisation framework for incidents and a recovery organisation framework to recover from damage resulting from any incident. In addition, the PPC Guidelines indicate the creation of an incident response plan as an example of security measures that should be taken for the protection of personal data.
Required Security Practices Applicable Generally, or to Specific Sectors or Data
Refer to 4. Key Affirmative Security Requirements for security practices generally applicable to businesses and specific sectors or data.
Appointment of Chief Information Security Officer or Equivalent Position
There are no general legal obligations to appoint a chief information security officer (CISO). In a specific area, like telecommunications, large telecommunications service providers are required to appoint a chief manager who is responsible for handling user information from 16 June 2023. However, the Cybersecurity Management Guidelines require the management of companies to work steadily towards putting together cybersecurity measures by giving the CISO directions on the following ten important items.
In addition, the PPC Guidelines indicate the appointment of a person in charge of the processing of personal data as an example of security measures that should be taken for the protection of personal data.
Involvement of Board of Directors or Equivalent Authority
Under the Japanese Companies Act, the board of directors of a large company must determine the company’s internal control systems, including cybersecurity management; the failure to put in place or comply with such a system may be a breach of the directors’ duty of due care of a prudent manager. In addition, the CISO or the director in charge of supervising the company’s cybersecurity may be in breach of their duty of due care of a prudent manager if they do not properly take necessary actions on cybersecurity. The Cybersecurity Management Guidelines stress the importance of the directors’ involvement in cybersecurity management.
Conducting Internal Risk Assessments, Vulnerability Scanning and Penetration Tests
The Cybersecurity Management Guidelines mention the importance of continuous improvement through PDCA (plan-do-check-act) cycles for cybersecurity and provide a checklist for cybersecurity management.
In addition, the PPC Guidelines indicate taking regular audits of the processing of personal data as an example of security measures that should be taken for the protection of personal data.
Multi-factor Authentication, Anti-phishing Measures, Protection Against Business Email Compromise, Ransomware and Threat Intelligence
The Cybersecurity Management Guidelines do not provide for explicit requirements on multi-factor authentication, anti-phishing measures, protection against ransomware or business email compromise, or threat intelligence. However, they mention the importance of collecting and utilising information on cyber-attacks through participation in information-sharing activities and of developing the environment to utilise such information.
Insider Threat Programmes
The IPA has published guidelines on how to prevent insider data breach. The Cybersecurity Management Guidelines refer to the IPA’s guidelines as useful guidance in minimising and dealing with insider threat.
Vendor and Service Provider Due Diligence, Oversight and Monitoring
The Cybersecurity Management Guidelines mention taking measures with respect to, and monitoring, a company’s entire supply chain, including its own domestic or international establishments, business partners and outsourcees. The guidelines also state that PDCA for cybersecurity, including internal audits and oversight, must be applied to them.
Article 25 of the APPI also requires a handling operator to properly supervise any person to whom it has entrusted the handling of personal data. The PPC Guidelines require the handling operator to select a proper vendor and service provider, enter into an agreement with that provider and have a good grasp of how that provider processes personal data.
Use of Cloud and Outsourcing and Offshoring
The Cybersecurity Management Guidelines mention the importance of multi-layer defences for terminals, networks, systems and services including cloud used for important business.
Basic Regulation of Offshoring
For offshoring, please note that there are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to a third party located in a foreign country (Article 28). In other words, the overseas transfer restrictions will apply if a foreign company transfers user data to another company outside Japan. Conversely, if a foreign company transfers user data to a company in Japan, the overseas transfer restrictions will not apply. The overseas transfer restrictions apply even in the cases of outsourcing which are exceptions to local third-party data transfer restrictions.
The data subjects’ consent to overseas data transfers is not necessary unless the following applies:
The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that “appropriate and reasonable methodologies” include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to a PPC recognised international framework, to date, the PPC Guidelines have identified only the APEC CBPR as a recognised international framework on the handling of personal data.
Additional Obligation Under the 2020 Amendments
Under the 2020 amendment of the APPI, offshoring is permitted with additional requirements. First, when handling operators transfer personal data to a foreign country based on the aforementioned consent mechanism, they will be required to provide a data subject with certain information as specified by the amended ordinance issued by the PPC (the amended PPC Ordinance) (Article 28.2). According to the proposed PPC Ordinance, information about the name of the foreign country, the personal information protection system in the foreign country, and measures to be taken by a recipient party to protect personal information is required to be provided to the data subject.
Secondly, when handling operators transfer personal data relying on the recipient’s equivalent system of data protection, they will be required to take steps necessary to ensure that the overseas recipient continuously takes equivalent measures and to provide a data subject with certain information about the measures to be taken upon a request in accordance with the amended PPC Ordinance (Article 28.3). In this regard, according to the PPC Ordinance, one of the measures to ensure such matters is to periodically confirm the implementation status of the equivalent measures taken by the recipient and presence or absence of a system in the foreign country that might affect the implementation of the equivalent measures.
The other measure is to take necessary and appropriate measures if the implementation of the equivalent measures by the recipient party is interfered with in some way and to suspend the provision of personal data if it becomes difficult to ensure the continuous implementation of the equivalent measures. The PPC Ordinance also states that the information to be provided to a data subject upon request is:
Payment of Ransom
For the issue of ransom payments in ransomware cases, refer to 4.6 Ransomware/Extortion.
Secure Software Development or Patching
Japan does not have specific regulations for secure software development or patching. However, if a system vendor negligently develops a vulnerable system for its client, the vendor may be responsible for a cybersecurity incident arising from the vulnerability. In this regard, on 23 January 2014, the Tokyo District Court acknowledged that such responsibility exists for a system vendor, in a case where an e-commerce website suffered a cyber-attack and credit card information stored therein was stolen due to a vulnerability that the vendor had failed to manage.
Responsible Disclosure of Software Vulnerabilities
Japan does not have specific regulations obliging software vendors to disclose software vulnerabilities. However, if a software vendor finds a vulnerability in its software, the vendor should disclose the vulnerability in a timely manner to alert its users and to prevent a potential cyber-attack arising from the security issue. Otherwise, the software vendor would be subject to liability under a theory of breach of contract with its users or in tort.
Training
The Cybersecurity Management Guidelines include the securing of proper resources, such as setting aside an adequate budget and sufficient manpower for the implementation of cybersecurity measures in the ten instructions.
In addition, since Article 24 of the APPI requires a handling operator to properly supervise its employees who handle personal data, the PPC Guidelines indicate that training is an example of security measures that should be taken to protect personal data.
The Cybersecurity Policy for Critical Infrastructure Protection emphasises the importance of multinational co-operation.
Under the APPI, a handling operator must take necessary and appropriate action for security control over the personal data that it handles, including preventing the leakage, loss or damage of or to personal data (Article 23).
The PPC is the regulator primarily responsible for the APPI and the My Number Act; it has published guidelines for the handling of personal information (the PPC Guidelines).
The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures, as well as understanding of the external environment. “Understanding of the external environment” is a security measure newly introduced by the amendments to the guidelines, which requires a handling operator who processes personal data in a foreign country to understand the foreign country’s legal system for personal information protection and, taking that legal system into consideration, to take necessary and appropriate measures to ensure the security of personal data. Effective from 1 April 2024, the PPC Guidelines will also require a handling operator to exercise security control over personal information that is being collected and is expected to be treated as personal data, so that a cyber attacker cannot intercept such information while it is being collected on the operator’s behalf.
According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 24). The APPI also requires a handling operator to ensure that the entity to whom it has entrusted the handling of personal data (eg, a third-party vendor) takes appropriate measures to ensure security control over the personal data (Article 25).
As discussed elsewhere, for some industrial sectors, the ministry with jurisdiction over them has published data protection guidelines for those sectors. For example, the FSA and the PPC have jointly published data protection guidelines for the financial sector, and MIC has issued data protection guidelines for telecommunications business operators.
Reporting is required if certain personal data breach occurs. Please refer to 5. Data Breach or Cybersecurity Event Reporting and Notification.
There are no specific regulations prescribing security requirements for material business data and material non-public information. However, the general understanding is that if a director or an employee causes damage to their employer by negligently taking insufficient security safeguards, thereby leading to the leak of material business data or material non-public information, they may be responsible for the damage.
The Cybersecurity Policy for Critical Infrastructure Protection defines the following 14 sectors as critical information infrastructure:
The aforementioned cybersecurity policy also encourages critical information infrastructure operators to periodically assess their progress in implementing security measures and policies.
The Cybersecurity Policy for Critical Infrastructure Protection provides for the reporting obligations of critical information infrastructure operators in the following instances:
The relevant incident and other useful information may be shared with other critical information infrastructure operators.
In addition, governmental authorities that have specific jurisdiction over some of the 14 critical information infrastructure sectors have issued specific guidelines, described below, concerning cybersecurity.
The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks, which include detailed cybersecurity obligations. The Comprehensive Guidelines recognise the prevention of cybersecurity incidents and prompt recovery as significant management issues, and assert the necessity of certain major measures such as the establishment of a CSIRT, implementation of multi-layered defences against cybersecurity incidents, and continuous evaluation of cybersecurity risks.
For the healthcare industry, refer to 5.4 Security Requirements for Medical Devices.
The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) issued:
MLIT also issues information security countermeasure checklists for railway services, bus services, bus terminals, taxis, hotels, ferries, and airports and airport buildings.
The MHLW issued the Information Security Guidelines for the Water Sector for water services.
There are no special requirements regarding the prevention of denial of service attacks or similar attacks on system or data availability or integrity.
MIC has published comprehensive measures for the security of IoT. The MLIT has issued the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.
There is no special requirement for ransomware attacks. Please note, however, METI issued a public announcement “Alerts to Company Executives to be Issued to Encourage them to Enhance Cybersecurity Efforts in Light of Situations of Recent Cyber-attacks” in December 2020. It states that payment of a ransom may assist criminal organisations and that the payment does not necessarily mean that a perpetrator will not expose stolen data to the public or that the encrypted data will be decrypted. The announcement further notes that such payment may trigger sanctions against a payer in some countries. Accordingly, the announcement requests companies not to pay the ransom, although this request is not legally binding. In addition, if a director of a company negligently pays a ransom and therefore causes unjustifiable losses to the company, such payment can be considered as a breach of duty of care owed to the company.
If the ransomware attack involves a data breach or system failure, such incident is subject to requirements generally applicable to data breach or system failure described in 5. Data Breach or Cybersecurity Event Reporting and Notification.
The 2020 amendments to the APPI introduced mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights and interests are likely to be infringed (Article 26). The PPC Ordinance defines a data security incident or breach as the occurrence or possible occurrence of the leakage or loss of, or damage to personal data. The details of the requirements are discussed below.
There is also a special rule for “my numbers” under the My Number Act. There is no general regulation imposing a mandatory reporting obligation for a cybersecurity incident that does not involve a personal data breach. However, various regulations generally mandate certain types of service provider to report an incident affecting their service to the authorities. This reporting obligation also covers cases where a service failure happens as a result of a cyber-attack.
For example, under the Telecommunications Business Act, if an accident occurs and causes a suspension or deterioration of the quality of services for more than a certain number of hours and affects a certain number of users specified by the relevant ordinance, the telecommunications business operator must report the accident to MIC. Furthermore, MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers. Another example is financial institutions: many laws regulating the financial sector oblige them to report material service failures to their regulators.
The data security breach rules apply to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 16.3), which is a collection of information (including personal information) that is systematically organised to enable a computer, or another means, to search for particular personal information. However, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual’s rights and interests, considering how that collection uses personal information (Article 16.4). Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system.
The PPC Ordinance prescribes that a mandatory data breach report is required if a data breach involves the following personal data (excluding personal data protected by advanced encryption or other measures that are necessary to protect the rights and interests of the individual):
Special-care-required personal information is defined as personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damages from crime, or other descriptions that may be prescribed by a cabinet order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject (Article 2.3).
There is no restriction on the systems covered.
The MHLW has issued the Guidelines on the Safety Management of Medical Information Systems (last amended in May 2023).
The MIC and METI have jointly issued the Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services Handling Medical Information (last amended in July 2023).
However, while the MHLW guidelines and an announcement issued by MHLW on 29 October 2018 say that medical service providers should report a cybersecurity incident to an authority, no special rule has been issued for statutory data breach reporting and notification.
There are no specific regulations prescribing security requirements for industrial control systems (and SCADA).
MIC published guidelines of comprehensive measures for the security of IoT in July 2016. These guidelines provide guidance for the life cycle (policy, analysis, design, construction/connection and operation/maintenance) of IoT devices, systems and services, as well as rules for general users.
There is no specific law regulating secure software life cycles, certification, patching, or the responsible disclosure of vulnerabilities; for details, refer to 3.3 Legal Requirements and Specific Required Security Practices.
The 2020 amendments to the APPI introduced mandatory obligations to report data breach incidents. When the reporting obligation is triggered (see 5.2 Data Elements Covered), handling operators must in general report to the PPC, pursuant to the amended PPC Ordinance. An outsourcee that processes personal data on behalf of another company is exempt from this reporting obligation, provided that it reports the data breach to the outsourcer company (Article 26.1). In the same cases, handling operators are also required to notify the data subjects whose personal data is compromised, pursuant to the amended PPC Ordinance. This notification obligation does not apply, however, when it is difficult to inform the data subjects and the necessary alternative action is taken to protect their rights and interests (Article 26.2).
Under the PPC Ordinance, reporting to the PPC is twofold. The first report should be made promptly after recognition of the data breach and contain the following details, if they have been ascertained:
The second report should be made within 30 days from the date of recognition of the data breach and must include all of the above matters. However, if the data breach was caused by an intentional act such as unauthorised access, the second report may be submitted within 60 days instead of 30. In addition, handling operators must promptly give data subjects an overview of the data breach, the categories of (likely) affected personal data, the cause, the likelihood and details of secondary damage, and other helpful information.
If the personal data affected by a data breach is handled by a financial institution supervised by the FSA, there is a legal obligation to report to the FSA and to notify data subjects. In addition, if the affected personal data contains “my numbers” (individual numbers under the My Number Act), there is a legal obligation to report serious incidents to the PPC.
Under the 2020 amendments to the APPI, the reporting obligation to the PPC and the notification obligation to affected individuals are limited to the cases prescribed in the amended PPC Ordinance. See 5.2 Data Elements Covered.
An employer may monitor and inspect its employees’ emails in accordance with its internal rules on such data, as long as the monitoring is conducted only to the extent necessary. Some companies also use other digital forensic measures (eg, website monitoring, application logging and packet inspection) to strengthen cybersecurity.
See 6.1 Cybersecurity Defensive Measures.
There is no mandatory sharing of cybersecurity information; for authorised sharing of cybersecurity information, refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.
Refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.
From May 2017, when the PPC became the regulator and enforcement authority of the APPI, until August 2019, the PPC had not issued any official recommendations or administrative orders. However, on 26 August 2019, the PPC first made an official recommendation to a company operating an online job platform. It was considered that the company captured users’ likelihood of declining a job offer based on their web browsing history and sold the data to potential employers. The PPC decided that the company did not comply with the required procedures under the APPI.
On 29 July 2020, the PPC issued its first two administrative orders, for non-compliance with official recommendations. In these cases, two anonymous internet-based entities had published the personal data of bankrupts, including names and addresses, in violation of the procedures required by the APPI. On 23 March 2022 and 2 November 2022, the PPC again issued administrative orders against similar website operators. On 11 January 2023, the PPC formally requested a criminal investigation authority to bring a criminal charge against an operator for non-compliance with the order.
As for significant data breach incidents, before the PPC was created to enforce the APPI, METI in 2014 issued a recommendation to an educational company, following the leakage of the personal information of approximately 30 million data subjects (children), to take the necessary action to rectify its violation of the APPI. Several civil cases were filed in relation to this leakage (see 8.4 Significant Private Litigation).
Refer to 8.1 Regulatory Enforcement or Litigation.
The data subject may go to court to seek compensation for damages or distress caused by a breach of data protection. There are two major types of legal causes.
Firstly, Japanese courts recognise the right to privacy: the right of a person not to have their private life disclosed without a legitimate reason. A breach of the right to privacy constitutes a tort under Article 709 of the Civil Code.
Secondly, if a business promises to keep personal data confidential in an agreement such as terms of use, but then compromises the data, the legal cause of breach of contract may also be available.
In a decision issued in October 2017, the Supreme Court held that a breach of the right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal data (eg, names, birth dates, addresses and telephone numbers). The case was remanded to the Osaka High Court, which awarded JPY1,000 to the claimant on 20 November 2019. In addition, the Tokyo High Court awarded JPY3,300 to other plaintiffs on 25 March 2020 for the same data breach. The Supreme Court dismissed appeals in these cases in December 2020, so the High Court decisions are final. These are among the cases mentioned in 8.1 Regulatory Enforcement or Litigation.
The Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers allows collective actions to be brought on behalf of consumers (by specified qualified consumer organisations). Claims allowed under that Act are limited to property damage and do not cover compensation for distress caused by a breach of the APPI. However, an amendment to the Act that came into force on 1 October 2023 brings emotional distress within the scope of a collective action if it is caused together with property damage or by intentional conduct. As a practical matter, a number of data subjects may instruct the same lawyer, who can then bring one action on behalf of all of them, which is similar in effect to a class action.
Because directors generally owe a duty of care to the company, they are required to take appropriate steps to protect the company from unreasonable loss or damage in light of its individual circumstances, and such steps are considered to include cybersecurity measures. Refer to 3.3 Legal Requirements and Specific Required Security Practices and 4. Key Affirmative Security Requirements for the general legal requirements of corporate cybersecurity governance.
Japanese companies have begun to recognise the importance of cybersecurity due diligence in corporate transactions, especially after the UK Information Commissioner’s Office (ICO) published, in July 2019, its statement of intention to fine Marriott International, Inc GBP99.2 million under the GDPR for a data breach. In October 2020 the ICO issued the fine for the reduced sum of GBP18.4 million.
No general (non-cybersecurity-specific) law mandates disclosure of an organisation’s cybersecurity risk profile or experience; in practice, however, it is common for publicly listed companies to disclose cybersecurity risks in the “business risks” section of their annual securities reports. The Cybersecurity Management Guidelines issued by METI and the IPA, as well as the Point of View regarding Cybersecurity for Enterprise Management issued by NISC (2 August 2016), both mention the possibility of public disclosure. MIC published the Manuals for Information Disclosure of Cybersecurity Measures on 28 June 2019.
The government is discussing the introduction of a security clearance system and plans to submit a bill to the Diet in 2024. Several insurance companies offer cybersecurity insurance in Japan, and it is becoming more popular.
16th Floor, Marunouchi Park Building, 2-6-1 Marunouchi, Chiyoda-ku, Tokyo 100-8222, Japan
+81 3 6212 8330 / +81 3 6212 8230
mhm_info@mhm-global.com
www.mhmjapan.com

Cybersecurity Law in Japan in 2024
Introduction
Cyber threats in Japan escalated during 2023. According to the Japanese National Police Agency (JNPA), certain cyber attacks were perpetrated by hackers believed to be aligned with Russia and influenced by the ongoing conflict in Ukraine. The JNPA’s report also underscores the persistent prevalence of ransomware attacks, with a noteworthy increase in incidents involving a new form of extortion known as “No-ware ransom”, in which data is stolen from victim companies without being encrypted, causing substantial harm. In addition, the Information-technology Promotion Agency (IPA) published “10 Major Security Threats 2024”; among the threats to enterprises, damage caused by ransomware attacks is ranked first and attacks exploiting vulnerabilities in the supply chain second.
Given this trend, the Japanese government and the relevant agencies have revised and released updated guidelines for cybersecurity risk management, including supply chain risk management, to strengthen the nation’s resilience against cyber threats and ensure a comprehensive response to emerging challenges.
The following sections examine the cyber attacks in Japan during 2023 and explain the changes to existing systems and the guidelines issued by the Japanese authorities in response, with particular attention to supply chain risk management.
Cybersecurity incidents in Japan
In September 2023, JNPA disseminated a report titled “Regarding the Circumstances of Threats in Cyberspace from January to June 2023.”
The report highlights website disruptions attributed to Distributed Denial of Service (DDoS) attacks during that period. Notably, certain hacktivist groups aligned with the Russian government claimed responsibility for these incidents in messages posted on social media.
The report also underscores that ransomware attacks remained prevalent, with 103 documented cases during the period, a sustained high level of threat. Of particular concern are 65 instances of double extortion, in which companies were threatened with public disclosure of their data unless a ransom was paid. In 22 of these cases the attackers made direct payment demands, 21 of them specifying cryptocurrency. The JNPA also identified a new modus operandi, the “No-ware ransom” case, in which attackers steal data without encrypting it and demand payment.
The report also notes the continuation of a trend observed in 2022: cybercriminals exploiting vulnerable VPN devices and weak credentials for remote desktop services as the entry point for ransomware attacks.
Of the 103 ransomware cases, 30 targeted large enterprises and 60 small and medium-sized enterprises. By industry, 34 cases were in manufacturing, 16 in services, and 15 in wholesale and retail. Ransomware attacks therefore affect organisations across industries, irrespective of size or sector.
In January 2024, IPA published “10 Major Security Threats 2024”. Every year, IPA ranks the ten major threats to individuals and to enterprises. Among the threats to enterprises, damage caused by ransomware attacks is ranked first and attacks exploiting vulnerabilities in the supply chain second, the same result as in “10 Major Security Threats 2023”.
Revised Cybersecurity Management Guideline announcement by the Ministry of Economy, Trade and Industry and Information-technology Promotion Agency
In March 2023, the Ministry of Economy, Trade and Industry (METI) and IPA jointly revised the Cybersecurity Management Guidelines (CMG). The CMG establishes that companies bear the responsibility for mitigating cybersecurity risks to an acceptable level.
The CMG outlines the following key components:
The current revision of the CMG takes into consideration the evolving circumstances in Japan, including:
Significant changes in the CMG include an emphasis on implementing measures throughout the entire supply chain, in recognition of the escalating cyber threats arriving through supply chain channels.
In October 2023, METI and IPA jointly released a compendium of best practices aligned with the revised CMG, giving practical guidance on applying the principles and instructions in the guidelines and helping companies improve their cybersecurity posture in line with the latest revision.
Guidelines for Establishing Safety Principles for Ensuring Cybersecurity of Critical Infrastructure and Risk Management Guidelines for the Department in Charge of Cybersecurity in the Critical Infrastructure Operator in Accordance with the Cybersecurity Policy for Critical Infrastructure Protection
Introduction to Cybersecurity Policy for Critical Infrastructure Protection
In June 2022, the Cybersecurity Strategic Headquarters of the Government of Japan (CSH) unveiled the Cybersecurity Policy for Critical Infrastructure Protection (CPCIP). Aligned with the cybersecurity strategy stipulated in the Basic Act on Cybersecurity, CPCIP aims to encourage Critical Infrastructure (CI) operators to enhance their cybersecurity assurance.
CPCIP delineates the responsibilities of the state, local authorities, Chief Information Officers (CIOs) within CI operators, and cybersecurity-related projects. Its objective is to ensure the secure and sustained provision of CI services. Recognised as a critical management concern, CPCIP actively promotes the fortification of incident response systems in CI operators during cybersecurity-related security incidents. Moreover, CPCIP asserts that an organisation’s cybersecurity structure is integral to its internal control system, suggesting that compliance with the duty of care under the Companies Act may necessitate appropriate cybersecurity measures.
CPCIP categorises the following 14 sectors as CI.
In a ruling of 18 October 2019 concerning a cyber attack that led to the unauthorised disclosure of a substantial amount of customers’ personal information, the Okayama Branch of the Hiroshima High Court elucidated the directors’ duty of care under the Companies Act. The court held that the adequacy of an internal control system is assessed against industry practice, and that its specific content is left to the directors’ discretion, taking into account factors such as the business, size and management status of the company or group in question.
The judgment is a useful reference when assessing the directors’ duty of care concerning the internal control system as it relates to cybersecurity.
CPCIP illustrates specific guidelines as to actions to be carried out by CI operators. The key areas of focus include:
Outline of Guidelines for Establishing Safety Principles for Ensuring Cybersecurity of Critical Infrastructure
In July 2023, CSH released the Guidelines for Establishing Safety Principles for Ensuring Cybersecurity of Critical Infrastructure (GESP), building upon CPCIP.
GESP serves as a comprehensive guide for CI operators, offering a structured approach to cybersecurity measures and risk management principles in accordance with the evolving threat landscape outlined in CPCIP.
Outline of Risk Management Guidelines for the Department in Charge of Cybersecurity in the Critical Infrastructure Operator
In July 2023, the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released the Risk Management Guidelines for the Department in Charge of Cybersecurity in the Critical Infrastructure Operator (RMG), which set out the essential processes and security measures for the risk management and crisis management outlined in GESP.
The RMG is a valuable resource for the department in charge of cybersecurity in a CI operator, offering practical guidance for strengthening risk management practices, including supply-chain risk management, within the broader context of cybersecurity.
Outline of the System for Ensuring Provision of Essential Infrastructure Services under the Economic Security Promotion Act
Outline of the System for Ensuring Provision of EIS
The outlined System under ESPA establishes a comprehensive framework to fortify the cybersecurity posture of CF, safeguarding against external threats and disruptions to the EIS.
Outline of the Prior Screening Process in the System for Ensuring Provision of Essential Infrastructure Services under the Economic Security Promotion Act
This process ensures that EIS operators actively engage in risk management and cybersecurity measures, in collaboration with the competent authorities, to protect the CF from external threats. In addition, the examples of detailed risk management measures are a valuable resource not only for EIS operators but also for other business operators seeking to establish and promote supply-chain risk management and to mitigate the risk of a breach of the directors’ duty of care concerning the internal control system as it relates to cybersecurity.
This process also has some influence on suppliers and vendors, since a recommendation by the relevant authorities could prevent them from transacting with EIS operators. In practice, they are therefore required to cooperate with EIS operators so that the screening process proceeds effectively.
JP Tower, 2-7-2 Marunouchi, Chiyoda-ku, Tokyo 100-7036, Japan
+81 3 6889 7396 / +81 3 6889 8396
yasushi_kudo@noandt.com
www.noandt.com/en/lawyers/yasushi_kudo/