The Basic Act on Cybersecurity is the fundamental law on cybersecurity.

The Act on the Protection of Personal Information (the APPI) is the principal data protection legislation in Japan. An amendment to the APPI was approved in June 2020, and came into full force on 1 April 2022. Another set of amendments to the APPI was approved in May 2021, and came into full force on 1 April 2023. However, the 2021 amendment does not have a material impact on private companies.

Pursuant to the amended APPI, personal data breach is subject to a mandatory reporting and notification – refer to 5. Data Breach or Cybersecurity Event Reporting and Notification.

There is no general regulation to impose a mandatory reporting obligation for a cybersecurity incident that does not involve personal data breach.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets. The Act on the Prohibition on Unauthorised Computer Access prohibits unauthorised computer access. The Penal Code also penalises some cybersecurity crimes. The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.

Japan does not have specific regulations for secure software development. For vendor responsibilities in some specific instances, see 3.3 Legal Requirements and Specific Required Security Practices.

For details of the laws cited above, and for other laws, refer to 2.1 Key Laws.

The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (the PPC), which has the following powers under the APPI:

• to require private business operators who handle personal information (the handling operators) to report or submit materials regarding its handling of personal information (Article 146), which the APPI defines as information about living individuals that can identify specific individuals or contains what is referred to in the APPI as an “individual identification code” (Article 2.1);
• to enter a handling operator’s offices or other places to investigate, make enquiries and check records or other documents (Article 146);
• to provide guidance or advice to a handling operator (Article 147);
• to recommend that a handling operator cease any violation of the APPI and take other necessary measures to correct the violation (Article 148.1);
• to order a handling operator to take necessary measures to implement the PPC’s recommendation mentioned above and to rectify certain violations of the APPI (Articles 148.2 and 148.3); and
• when the PPC issues an order pursuant to Articles 148.2 and 148.3, and a handling operator violates the order, the PPC may publicly announce the violation (Article 148.4).

The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes.

As for non-regulatory government authorities that are also directly relevant to cybersecurity, the IPA and the National Centre for Incident Readiness and Strategies for Cybersecurity (NISC) are notable. Refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance for the IPA and 2.3 Over-Arching Cybersecurity Agency for NISC. For other regulators, refer to 2. Key Laws and Regulators at National and Subnational Levels.

The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations (Article 146.3).

It is important to note that the APPI imposes no administrative fines. In addition, criminal sanctions may only be imposed under the APPI if the handling operator refuses to co-operate with or makes any false report in response to an investigation by the PPC (Article 178), provides information to unauthorised persons or misuses any personal information database for unlawful gains (Article 180), or violates any order given by the PPC as a part of an administrative sanction (Article 181).

The PPC is not vested enforcement power against cybersecurity events, including supply chain and software vulnerabilities to the extent not involved with personal information.

The National Police Agency and the Prosecutors’ Office have enforcement powers against cybercrimes or related crimes under the Criminal Procedure Code.

As for personal information, Japan is a member of the APEC Cross Border Privacy Rules (CBPR) system. Before 31 March 2022, national administrative bodies were regulated by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Independent Administrative Agencies. One of the main purposes of the 2021 amendments to the APPI is to integrate the obligations prescribed in these two laws into the APPI. The amendments relating to the foregoing integration were effective from 1 April 2022.

While local governments have enacted jyorei (local regulations), those regulations are applicable only to the local public sector and vary from one body to the other. The 2021 amendments to the APPI introduced nationwide principles for jyorei and related implementing guidelines to homogenise the administration of national data protection regulations. Under this set of amendments, standard rules regarding personal information handled by local governments are uniformly stipulated in the APPI, and jyorei can only stipulate local rules in very limited situations allowed under the APPI. The aforesaid amendments are effective from 1 April 2023.

The Ministry of Economy, Trade and Industry (METI) and the Information Technology Promotion Agency of Japan (IPA) published the Cybersecurity Management Guidelines (amended in November 2017 and a draft of the proposed update was published on 26 October 2022), which serve as the basic cybersecurity guidelines for companies in Japan.

The NISC, the National Police Agency (NPA), the Ministry of Internal Affairs and Communications (MIC) and METI issued the Guidance on Sharing and Publishing Information on Cyber-attack Incidents on 8 March 2023. This guidance includes recommendations and 33 FAQs regarding sharing and publishing cyber-attack incidents.

The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines mentioned above, guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breach. The IPA also runs the J-CSIP, or the Initiative for Cybersecurity Information Sharing Partnership of Japan, which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on people).

The Japan Network Security Association (JNSA) also provides information regarding cybersecurity.

The Japan Computer Emergency Response Team Co-ordination Centre (JPCERT/CC) acts as a computer security incident response team (CSIRT) within the Japanese community and publishes security alerts, incident news, and manuals.

The IPA, the JNSA, and the JPCERT/CC accept reports or notices from the public regarding cybersecurity incidents and publish useful information.

The Cybersecurity Policy for Critical Infrastructure Protection (last amended on 17 June 2022), published by the Cybersecurity Strategies Headquarters of the Cabinet, provides for certain reporting obligations and sharing of cybersecurity information in relation to critical infrastructure service providers.

The Cybersecurity Council was established in April 2019 under Article 17 of the Basic Act on Cybersecurity to enable the sharing of necessary information and consultations for cybersecurity between the public sector and the private sector.

The NPA and the Prosecutors’ Office may assist a victim of cybercrime.

The APPI follows the Organisation for Economic Co-operation and Development’s eight privacy principles. Japan and the EU and Japan and the UK have certified each other’s country/territory as an “adequate” country for Japan’s and the EU/UK’s data protection purposes, and this decision is renewed in March and April 2023. However, this does not mean that the APPI is identical to the EU’s General Data Protection Regulation (GDPR). Japanese data protection law is closer to the EU omnibus model than the US sectoral/subnational approach in the sense that Japan has a comprehensive data protection law in the APPI.

As for specific regulation for critical infrastructure cybersecurity, refer to 4.3 Critical Infrastructure, Networks, Systems and Software.

As discussed in 1.1 Laws and 1.4 Multilateral and Subnational Issues, the APPI was amended in 2020 and 2021.

The MIC and the METI are in the process of establishing AI Business Guideline for AI developers, AI service providers and AI users, which will be finalised around March 2024. This Guideline includes points regarding cybersecurity.

The Basic Act on Cybersecurity regulates the responsibility of the national government and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.

The APPI, the principal data protection legislation in Japan, provides the basic principles for the government’s regulatory policies and authority, as well as the handling operators.

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the “My Number Act”), which stipulates special rules for “my number” – a 12-digit individual number assigned to each resident of Japan.

The obligations of the public sector in the jyorei legislated by local governments.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for cause of actions in civil cases, such as damage compensation and injunctive relief, as well as criminal sanctions. Information that is not protected as a trade secret may instead be protected as “data for limited provision”. An unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to damage compensation and injunctive relief but not to criminal sanctions.

The Act on the Prohibition on Unauthorised Computer Access prohibits:

• the use of another person’s identification code (eg, a password) to access remote computers via a telecommunications network;
• inputting information (excluding an identification code) or a command to evade access restrictions on remote computers via a telecommunications network;
• obtaining, supplying, or storing someone else’s identification code without legitimate reason (Articles 3, 4, 5 and 6); and
• phishing or creating a false impression of being the network administrator concerned and requesting identification codes (Article 7).

The Penal Code prohibits:

• the creation of false electromagnetic records that are related to rights, duties or certification of facts (Article 161–2);
• fraud by using computers (Article 246–2);
• the destruction of electromagnetic records in use by a public office or concerning private rights or duties (Articles 258 and 259);
• the obstruction of a business by damaging its computers or electromagnetic records or causing them to operate counter to the original purpose (Article 234–2); and
• the creation, provision, acquisition or storage of a computer virus (Articles 168–2 and 168–3).

The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41.6 (iii)) and to report serious incidents of breach to the MIC.

The Instalment Sales Act requires businesses who handle credit card numbers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to those credit card numbers (Article 35–16).

The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to information pertaining to their respective businesses (Articles 21, 49 and 63–8).

Sector-specific regulators impose additional information security obligations for some industries including the financial and healthcare industries. Regarding the financial industry, the Financial Services Agency (FSA) issued the Comprehensive Guidelines for the Supervision of Major Banks, which provide for cybersecurity obligations of financial institutions. As for the healthcare industry, an enforcement order on the Medical Care Act requires hospitals, clinics, and birthing centres to take appropriate steps to ensure cybersecurity (Article 14.2) and an enforcement order of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices also request pharmacies to do the same (Article 11.2). Further, various ministries have issued relevant guidelines:

• the Ministry of Health, Labour and Welfare (MHLW) issued the Guidelines on the Safety Management of Medical Information Systems (last amended in May 2023);
• METI and MIC jointly issued the Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services Handling Medical Information (last amended in July 2023); and
• MIC published comprehensive measures for the security of the internet of things (IoT) (July 2016).

The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes. For other regulators, see the other subsections within 2. Key Laws and Regulators at National and Subnational Levels.

NISC is responsible for national-level cybersecurity under the Basic Act on Cybersecurity, and regularly publishes Cybersecurity Strategies of Japan.

The regulator tasked with enforcing and implementing the APPI is the PPC. The PPC’s powers are explained in 1.2 Regulators.

As stated above, the FSA is the regulator for the financial sector, and MIC is the regulator for telecommunications business operators. As mentioned in 2.1 Key Laws, there are also other sector-specific regulators, such as the MHLW and METI.

See 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

Commonly deployed guidance is provided by JIS Q 27000:2019 (based on ISO/IEC27000), JIS Q 27001:2014 (based on ISO/IEC27001), and JIS Q 27002:2014 (based on ISO/IEC27002. An update draft of JIS Q 27002:2022 is under public consultation).

JIS Q 27017:2016 (based on ISO/IEC 27017) provides guidance for securing cloud services.

JIS Q 15001:2017 is the standard that covers personal information and is used as the standard for issuing “privacy mark” certifications, which major Japanese companies commonly pursue.

The Instalment Sales Act requires a business that handles credit card numbers to take necessary measures to control the numbers (Article 35–16). Most companies adopt the PCI DSS security standard.

Refer to 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.

Written Information Security Plans or Programmes

The Cybersecurity Management Guidelines (Version 3.0, last updated on 24 March 2023) issued by METI and the IPA provide for three key principles and ten instructions, including the recognition of cybersecurity risks and the development of company-wide measures such as drafting data security policies. In addition, the PPC Guidelines (defined in 4.1 Personal Data) include the implementation of a basic policy and internal rules on personal data (defined in 5.2 Data Elements Covered) as an example of security measures that should be taken for personal data protection.

Incident Response Plans

The Cybersecurity Management Guidelines provide for the development of an emergency organisation framework for incidents and a recovery organisation framework to recover damages resulting from any incident identified in the ten instructions. In addition, the PPC Guidelines indicate the creation of an incident response plan as an example of security measures that should be taken for the protection of personal data.

Required Security Practices Applicable Generally, or to Specific Sectors or Data

Refer to 4. Key Affirmative Security Requirements for security practices generally applicable to businesses and specific sectors or data.

Appointment of Chief Information Security Officer or Equivalent Position

There are no general legal obligations to appoint a chief information security officer (CISO). In a specific area, like telecommunications, large telecommunications service providers are required to appoint a chief manager who is responsible for handling user information from 16 June 2023. However, the Cybersecurity Management Guidelines require the management of companies to work steadily towards putting together cybersecurity measures by giving the CISO directions on the following ten important items.

• Recognising cybersecurity risks and develop an organisation-wide policy.
• Building a management system for cybersecurity risk.
• Securing resources (budget, workforce, etc) for cybersecurity measures.
• Identifying cybersecurity risks and develop plans to address them.
• Establishing systems to effectively address cybersecurity risks.
• Continuously improving cybersecurity measures through a PDCA cycle.
• Developing a cybersecurity incident response team and relevant procedures.
• Developing a business continuity and recovery team and relevant procedures in preparation for damage due to cyber incidents.
• Understanding the status of and implement measures considering the entire supply chain, including business partners and outsourcing organisations.
• Facilitating the gathering, sharing and disclosure of information on cybersecurity.

In addition, the PPC Guidelines indicate the appointment of a person in charge of the processing of personal data as an example of security measures that should be taken for the protection of personal data.

Involvement of Board of Directors or Equivalent Authority

Under the Japanese Companies Act, the board of directors of a large company must determine the company’s internal control systems, including cybersecurity management; the failure to put in place or comply with such a system may be a breach of the directors’ duty of due care of a prudent manager. In addition, the CISO or the director in charge of supervising the company’s cybersecurity may be in breach of their duty of due care of a prudent manager if they do not properly take necessary actions on cybersecurity. The Cybersecurity Management Guidelines stress the importance of the directors’ involvement in cybersecurity management.

Conducting Internal Risk Assessments, Vulnerability Scanning and Penetration Tests

The Cybersecurity Management Guidelines mention the importance of continuous improvement through PDCA cycles for cybersecurity and provide a checklist for cybersecurity management.

In addition, the PPC Guidelines indicate taking regular audits of the processing of personal data as an example of security measures that should be taken for the protection of personal data.

Multi-factor Authentication, Anti-phishing Measures, Protection Against Business Email Compromise, Ransomware and Threat Intelligence

The Cybersecurity Management Guidelines do not provide for explicit requirements of multi-factor authentication, anti-phishing measures, ransomware, protection against business email compromise, or threat intelligence. However, they mention the importance of collecting and utilising information on cyber-attacks through participation in information-sharing activities and developing the environment to utilise such information.

Insider Threat Programmes

The IPA has published guidelines on how to prevent insider data breach. The Cybersecurity Management Guidelines refer to the IPA’s guidelines as useful guidance in minimising and dealing with insider threat.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

The Cybersecurity Management Guidelines mention taking measures with respect to, and monitoring, a company’s entire supply chain, including its own domestic or international establishments, business partners and outsourcees. The guidelines also state that PDCA for cybersecurity including internal audits and oversight must be conducted to them.

Article 25 of the APPI also requires a handling operator to properly supervise any person to whom it has entrusted the handling of personal data. The PPC Guidelines require the handling operator to select a proper vendor and service provider, enter into an agreement with that provider and have a good grasp of how that provider processes personal data.

Use of Cloud and Outsourcing and Offshoring

The Cybersecurity Management Guidelines mention the importance of multi-layer defences for terminals, networks, systems and services including cloud used for important business.

Basic Regulation of Offshoring

For offshoring, please note that there are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to a third party located in a foreign country (Article 28). In other words, the overseas transfer restrictions will apply if a foreign company transfers user data to another company outside Japan. Conversely, if a foreign company transfers user data to a company in Japan, the overseas transfer restrictions will not apply. The overseas transfer restrictions apply even in the cases of outsourcing which are exceptions to local third-party data transfer restrictions.

The data subjects’ consent to overseas data transfers is not necessary unless the following applies:

• the foreign country is designated by the PPC as a country with a data protection regime with a level of protection equivalent to that of Japan (only EEA member countries and the UK have been designated to date);
• the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the Ordinance issued by the PPC (the PPC Ordinance) – ie, either of the following:
1. there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements on handling personal data under the APPI; or
2. the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data.

The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that “appropriate and reasonable methodologies” include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to a PPC recognised international framework, to date, the PPC Guidelines have identified only the APEC CBPR as a recognised international framework on the handling of personal data.

Additional Obligation Under the 2020 Amendments

Under the 2020 amendment of the APPI, offshoring is permitted with additional requirements. First, when handling operators transfer personal data to a foreign country based on the aforementioned consent mechanism, they will be required to provide a data subject with certain information as specified by the amended ordinance issued by the PPC (the amended PPC Ordinance) (Article 28.2). According to the proposed PPC Ordinance, information about the name of the foreign country, the personal information protection system in the foreign country, and measures to be taken by a recipient party to protect personal information is required to be provided to the data subject.

Secondly, when handling operators transfer personal data relying on the recipient’s equivalent system of data protection, they will be required to take steps necessary to ensure that the overseas recipient continuously takes equivalent measures and to provide a data subject with certain information about the measures to be taken upon a request in accordance with the amended PPC Ordinance (Article 28.3). In this regard, according to the PPC Ordinance, one of the measures to ensure such matters is to periodically confirm the implementation status of the equivalent measures taken by the recipient and presence or absence of a system in the foreign country that might affect the implementation of the equivalent measures.

The other measure is to take necessary and appropriate measures if the implementation of the equivalent measures by the recipient party is interfered with in some way and to suspend the provision of personal data if it becomes difficult to ensure the continuous implementation of the equivalent measures. The PPC Ordinance also states that the information to be provided to a data subject upon request is:

• the recipient party’s equivalent system of data protection;
• an outline of the equivalent measures taken by the recipient;
• the frequency and method of confirmation of the status of the equivalent measures and the system in the foreign country that might affect the implementation of the measures;
• the name of the foreign country;
• the presence or absence of a system in that foreign country that might affect the implementation of the equivalent measures;
• the presence or absence of any impediment to the implementation of the equivalent measures; and
• an outline of the measures to be taken in response to any such impediment.

Payment of Ransomware

For the issue of payment of ransomware, refer to 4.6 Ransomware/Extortion.

Secure Software Development or Patching

Japan does not have specific regulations for secure software development or patching. However, if a system vendor negligently develops a vulnerable system for its client, the vendor may be responsible for a cybersecurity incident arising from the vulnerability. In this regard, on 23 January 2014, Tokyo district court acknowledged such responsibility exists for a system vendor, in a case where an e-commerce website had a cyber-attack and credit card information stored therein was stolen due to a vulnerability that the vendor failed to manage.

Responsible Disclosure of Software Vulnerabilities

Japan does not have specific regulations obliging software vendors to disclose software vulnerability. However, if software finds a vulnerability, the vendor should timely disclose the vulnerability to alert its users and to prevent a potential cyber-attack arising from the security issues. Otherwise, the software vendor would be subject to liability under a theory of breach of contract with its users or tort.

Training

The Cybersecurity Management Guidelines include the securing of proper resources, such as setting aside an adequate budget and sufficient manpower for the implementation of cybersecurity measures in the ten instructions.

In addition, since Article 24 of the APPI requires a handling operator to properly supervise its employees who handle personal data, the PPC Guidelines indicate that training is an example of security measures that should be taken to protect personal data.

The Cybersecurity Policy for Critical Infrastructure Protection emphasises the importance of multinational co-operation.

Under the APPI, a handling operator must take necessary and appropriate action for security control over the personal data that it handles, including preventing the leakage, loss or damage of or to personal data (Article 23).

The PPC is the regulator primarily responsible for the APPI and the My Number Act; it has published guidelines for the handling of personal information (the PPC Guidelines).

The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures, as well as understanding of the external environment. “Understanding of the external environment” is a security measure, newly introduced by the amendments to the guidelines, which requires a handling operator who processes personal data in a foreign country to understand the foreign country’s legal system for personal information protection and, taking into consideration that legal system, to take necessary and appropriate measures to ensure the security of personal data. Effective from 1 April 2024, the PPC Guidelines will also require a handling operator to take security control over personal information that will be collected and expected to be treated as personal data so that a cyber attacker will not intercept such information on behalf of the operator.

According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 24). The APPI also requires a handling operator to ensure that the entity to whom it has entrusted the handling of personal data (eg, a third-party vendor) takes appropriate measures to ensure security control over the personal data (Article 25).

As discussed elsewhere, for some industrial sectors, the ministry with jurisdiction over them has published data protection guidelines for those sectors. For example, the FSA and the PPC have jointly published data protection guidelines for the financial sectors, and MIC has issued data protection guidelines for telecommunications business operators.

Reporting is required if certain personal data breach occurs. Please refer to 5. Data Breach or Cybersecurity Event Reporting and Notification.

There are no specific regulations prescribing security requirements for material business data and material non-public information. However, the general understanding is that if a director or an employee causes damages to their employers by negligently taking insufficient security safeguards, thereby leading to the leak of material business data and material non-public information, they may be responsible for the damage.

The Cybersecurity Policy for Critical Infrastructure Protection defines the following 14 sectors as critical information infrastructure:

• airports;
• aviation;
• chemical industry;
• credit cards;
• electric power supply;
• financial services;
• gas supply;       
• information and communication;
• government and administration;
• logistics and shipping;
• medical;
• petroleum industry;
• railways; and
• water supply.

The aforementioned cybersecurity policy also encourages critical information infrastructure operators to periodically assess their progress in implementing security measures and policies.

The Cybersecurity Policy for Critical Infrastructure Protection provides for the reporting obligations of critical information infrastructure operators in the following instances:

• if there is a legal reporting requirement by law or regulation;
• if the operator has determined that an incident has a serious impact on the lives of people or the operator’s services and that information must be shared; and
• in other cases where the operator has determined that information must be shared.

The relevant incident and other useful information may be shared with other critical information infrastructure operators.

In addition, governmental authorities that have specific jurisdiction over some of the 14 critical information infrastructure sectors have issued specific guidelines, described below, concerning cybersecurity.

The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks which include detailed cybersecurity obligations. The Comprehensive Guidelines recognise the prevention of cybersecurity incidents and prompt recovery as significant management issues, and assert the necessity for certain major measures such as the appointment of a CSIRT, implementation of multi-layered defences for cybersecurity incidents, and conducting continuous evaluations for cybersecurity risks.

For the healthcare industry, refer to 5.4 Security Requirements for Medical Devices.

The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) issued:

• the Safety Guidelines for Ensuring Information Security for Air Transport Operators for aviation services;
• the Safety Guidelines for Securing Information Security in the Airport Sector for airport services;
• the Safety Guidelines for Ensuring Information Security for Railway Operators for railway services; and
• the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.

MLIT also issues information security countermeasure check lists for railway service, bus service, bus terminals, taxis, hotels, ferries, and airports and airport buildings.

The MHLW issued the Information Security Guidelines for the Water Sector for water services.

There are no special requirements regarding the prevention of denial of service attacks or similar attacks on system or data availability or integrity.

MIC has published comprehensive measures for the security of IoT. The MLIT has issued the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.

There is no special requirement for ransomware attacks. Please note, however, METI issued a public announcement “Alerts to Company Executives to be Issued to Encourage them to Enhance Cybersecurity Efforts in Light of Situations of Recent Cyber-attacks” in December 2020. It states that payment of a ransom may assist criminal organisations and that the payment does not necessarily mean that a perpetrator will not expose stolen data to the public or that the encrypted data will be decrypted. The announcement further notes that such payment may trigger sanctions against a payer in some countries. Accordingly, the announcement requests companies not to pay the ransom, although this request is not legally binding. In addition, if a director of a company negligently pays a ransom and therefore causes unjustifiable losses to the company, such payment can be considered as a breach of duty of care owed to the company.

If the ransomware attack involves a data breach or system failure, such incident is subject to requirements generally applicable to data breach or system failure described in 5. Data Breach or Cybersecurity Event Reporting and Notification.

The 2020 amendments to the APPI introduced mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights and interests are likely to be infringed (Article 26). The PPC Ordinance defines a data security incident or breach as the occurrence or possible occurrence of the leakage or loss of, or damage to personal data. The details of the requirements are discussed below.

There is also a special rule for “my numbers” under the My Number Act. There is no general regulation to impose a mandatory reporting obligation for a cybersecurity incident that does not involve personal data breach. However, there are various regulations generally mandating certain type of service providers to report an incident affecting their service to authorities. This reporting obligation also covers cases where service failure happens as a result of cyber-attack.

For example, under the Telecommunications Business Act, if an accident occurs and causes a suspension or deterioration of the quality of services for more than certain hours and affects a certain number of users specified by the relevant ordinance, the telecommunications business operator must report the accident to MIC. Furthermore, MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers. Another example is financial institutions; many laws regulating financial sectors oblige them to report material service failure to its authorities.

Breach of data security is applicable to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 16.3), which is a collection of information (which includes personal information) that is systematically organised to enable a computer, or another means, to search for particular personal information. However, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual’s rights and interests considering how that collection uses personal information (Article 16.4). Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system.

The PPC Ordinance prescribes that a mandatory data breach report is required if a data breach involves personal data (excluding advanced encryption or other measures that are necessary to protect the rights and interests of the individual):

• containing “special-care-required personal information”;
• that is likely to cause property damage if used inappropriately;
• that is likely to have been committed for an improper purpose (effective from 1 April 2024, personal information that is already collected or will be collected and expected to be treated as personal data is also included in this requirement); or
• of more than 1,000 individuals.

Special-care-required personal information is defined as personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damages from crime, or other descriptions that may be prescribed by a cabinet order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject (Article 2.3).

There is no restriction for the systems covered.

The MHLW has issued the Guidelines on the Safety Management of Medical Information Systems (last amended in May 2023).

The MIC and METI have jointly issued the Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services Handling Medical Information (last amended in July 2023).

However, while the MHLW guidelines and an announcement issued by MHLW on 29 October 2018 say that medical service providers should report a cybersecurity incident to an authority, no special rule has been issued for statutory data breach reporting and notification.

There are no specific regulations prescribing security requirements for industrial control systems (and SCADA).

MIC published guidelines of comprehensive measures for the security of IoT in July 2016. These guidelines provide guidance for the life cycle (policy, analysis, design, construction/connection and operation/maintenance) of IoT devices, systems and services, as well as rules for general users.

There is no specific law to regulate security software life-cycles, certifications, patching, and responsible disclosure of vulnerabilities; for details, refer to 3.3 Legal Requirements and Specific Required Security Practices.

The 2020 amendments to the APPI introduced mandatory obligations to report data breach incidents. When the reporting obligation is triggered (see 5.2 Data Elements Covered), handling operators must report to the PPC in general, pursuant to the amended PPC Ordinance. Any outsourcee who processes personal data on behalf of another company is exempt from this reporting obligation, provided that it reports any data breach to the outsourcer company (Article 26.1). In addition, in any case of data breach, handling operators are also required to notify the data subjects whose personal data is compromised pursuant to the amended PPC Ordinance. This notification obligation, however, does not apply when it is difficult to inform data subjects and when necessary alternative action is taken to protect a data subject’s rights and interests (Article 26.2).

Under the PPC Ordinance, reporting to the PPC is twofold. The first report should be made promptly after recognition of the data breach and contain the following details, if they have been ascertained:

• overview, categories of (likely) affected personal data;
• the number of (likely) affected individuals;
• cause;
• likelihood and details of secondary damage;
• status of the response to the individual;
• status of any public announcement;
• measures to prevent recurrence; and
• other helpful information.

The second report should be made within 30 days from the date of recognition of the data breach, and this second report must include all the above matters. However, if the data breach is caused by intentional acts such as unauthorised access, the second report may be submitted within 60 instead of 30 days. In addition, handling operators should promptly notify data subjects with an overview of the data breach, categories of (likely) affected personal data, cause, likelihood and details of secondary damage, and other helpful information.

If the personal data affected by a data breach is handled by financial institutions under the control of the FSA, there is a legal obligation to report to the FSA and to notify data subjects. In addition, if personal data affected by a data breach contains “my numbers”, there is a legal obligation to report to the PPC for some serious incidents.

Under the 2020 amendments to the APPI, the reporting obligation to the PPC and affected individuals will be limited to the extent prescribed in the amended PPC Ordinance. See 5.2 Data Elements Covered.

An employer may monitor and inspect the emails of its employees in accordance with its internal rules regarding such data, as long as the actual email monitoring is conducted only to the extent necessary. Some companies also use other digital forensic measures (eg, website monitoring, recording application log, and packet inspection) to boost cybersecurity.

See 6.1 Cybersecurity Defensive Measures.

There is no mandatory sharing of cybersecurity information; for authorised sharing of cybersecurity information, refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

Refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

From May 2017, when the PPC became the regulator and enforcement authority of the APPI, until August 2019, the PPC had not issued any official recommendations or administrative orders. However, on 26 August 2019, the PPC first made an official recommendation to a company operating an online job platform. It was considered that the company captured users’ likelihood of declining a job offer based on their web browsing history and sold the data to potential employers. The PPC decided that the company did not comply with the required procedures under the APPI.

On 29 July 2020, the PPC first issued two administrative orders regarding non-compliance with an official recommendation. In these cases, two anonymous internet-based entities published the personal data of bankrupts, including names and addresses in violation of required procedures in the APPI. On 23 March 2022, and 2 November 2022, the PPC again issued administrative orders against similar website operators. On 11 January 2023, the PPC officially requested a criminal investigation authority to file a criminal charge against the operator for non-compliance with the order.

As for significant data breach incidents, before the PPC was created to enforce the APPI, in 2014 METI issued recommendation to an educational company regarding the leakage of personal information of approximately 30 million data subjects (children) to take necessary action to rectify the violation of the APPI. Several civil cases were filed in relation to this leakage of personal information (see 8.4 Significant Private Litigation).

Refer to 8.1 Regulatory Enforcement or Litigation.

The data subject may go to court to seek compensation for damages or distress caused by a breach of data protection. There are two major types of legal causes.

Firstly, Japanese courts recognise the right to privacy, which is the right of a person not to have their private life disclosed except for a legitimate reason. A breach of the right to privacy consists of torts under Article 709 of the Civil Code.

Secondly, if a business promises to keep personal data confidential in an agreement such as terms of use, but then compromises the data, the legal cause of breach of contract may also be available.

In a decision issued in October 2017, the Supreme Court found that the breach of a right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal data (eg, names, birth dates, addresses and telephone numbers). The case has been remanded to the Osaka Appeal Court, which awarded JPY1,000 to the claimant on 20 November 2019. In addition, the Tokyo Appeal Court awarded JPY3,300 to other plaintiffs on 25 March 2020 for the same data breach. The Supreme Court denied appeals of these cases in December 2020; thus, these Appeal Court decisions are deemed final. These are some of the cases mentioned in 8.1 Regulatory Enforcement or Litigation.

The Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers allows for class actions to be filed by consumers. Please note that claims allowed under that law are limited to property damage and do not cover compensation for distress caused by a breach of the APPI. Please also note that an amendment to this act came into force on 1 October 2023, which includes emotional distress in the scope of the class action if it is caused along with property damage or by intentional conduct. As a practical matter, a number of data subjects may select the same lawyer to represent them and that lawyer can initiate one litigation for those data subjects, which can be similar to class action.

Because boards of directors owe generally a duty of due care to a company, they are required to take appropriate steps to protect the company from unreasonable loss or damage in light of individual circumstances. It is considered that such steps should include cybersecurity measures. Refer to 3.3 Legal Requirements and Specific Required Security Practices and 4. Key Affirmative Security Requirements for the general legal requirements of corporate cybersecurity governance.

Japanese companies have started to recognise that conducting due diligence regarding cybersecurity in corporate transactions is important, especially after the UK’s Information Commissioner’s Office (ICO) published their Statement: Intention to fine Marriott International, Inc GBP99.2 million under GDPR for data breach in July 2019. Subsequently, in October 2020, the ICO issued a fine for the reduced sum of GBP18.4 million.

There are no non-cybersecurity-specific laws which legally mandate disclosure of an organisation’s cybersecurity risk profile or experience; however, in practice, it is common for publicly listed companies to disclose cybersecurity risks in the “risk of business” section of their annual securities reports. The Cybersecurity Management Guidelines issued by METI and the IPA, as well as the Point of View regarding Cybersecurity for Enterprise Management issued by NISC (2 August 2016), both mention the possibility of public disclosure. The MIC published Manuals for Information Disclosure of Cybersecurity Measures (28 June 2019).

The government is discussing introduction of a security clearance system and is going to submit a bill to the Diet in 2024. There are several insurance companies which offer cybersecurity insurance in Japan, and it is becoming more popular than before.