Cybersecurity 2025

Last Updated March 13, 2025

Japan

Law and Practice

Authors

Mori Hamada & Matsumoto is a full-service law firm that has served clients with distinction since its establishment in December 2002. Mori Hamada & Matsumoto is made up of experienced lawyers with considerable expertise in the constantly evolving and increasingly complex areas of information technology, life sciences and intellectual property, providing a variety of legal services in response to the diverse legal needs of its clients. These legal services include advising on regulatory requirements, setting up business, corporate housekeeping, contract negotiations and dispute resolution. In terms of data protection, the firm has noted expertise in leveraging user information while protecting clients’ businesses. Mori Hamada & Matsumoto’s data protection team comprises approximately 130 lawyers.

The Basic Act on Cybersecurity is Japan’s fundamental law on cybersecurity, and the Act on the Protection of Personal Information (APPI) is the country’s principal data protection law.

Pursuant to the APPI, a personal data breach is subject to mandatory reporting and notification requirements – see 2.3 Incident Response and Notification Obligations.

However, there is no general regulation imposing a mandatory reporting obligation for a cybersecurity incident that does not involve a personal data breach.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets, and the Act on Prohibition on Unauthorised Computer Access outlaws unauthorised computer access. The Penal Code also includes penalties for some cybersecurity crimes. The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.

Japan does not have specific regulations for secure software development.

For more details on the laws cited above and other relevant laws, see 1.2 Cybersecurity Laws.

The Basic Act on Cybersecurity regulates the responsibility of the national government and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.

The APPI, Japan’s principal data protection law, provides the basic principles for the government’s regulatory policies and authority, as well as requirements for handling operators.

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (the “My Number Act”), which stipulates special rules for “my number” – a 12-digit individual number assigned to each resident of Japan.

The jyorei, or ordinances, enacted by local governments contain public sector obligations.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for causes of action in civil cases, such as compensation for damages and injunctive relief, as well as criminal sanctions. Information that is not protected as a trade secret may instead be protected as “data for limited provision”. An unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to compensation for damages and injunctive relief but not criminal sanctions.

The Act on the Prohibition on Unauthorised Computer Access outlaws:

  • the use of another person’s identification code (eg, a password) to access remote computers via a telecommunications network;
  • inputting information (excluding an identification code) or a command to evade access restrictions on remote computers via a telecommunications network;
  • obtaining, supplying or storing someone else’s identification code without legitimate reason (Articles 3, 4, 5 and 6); and
  • phishing or creating a false impression of being the network administrator concerned and requesting identification codes (Article 7).

The Penal Code prohibits:

  • the creation of false electromagnetic records that are related to rights, duties or the certification of facts (Article 161–2);
  • fraud by using computers (Article 246–2);
  • the destruction of electromagnetic records in use by a public office or concerning private rights or duties (Articles 258 and 259);
  • the obstruction of a business by damaging its computers or electromagnetic records or causing them to operate counter to their original purpose (Article 234–2); and
  • the creation, provision, acquisition or storage of a computer virus (Articles 168–2 and 168–3).

The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41.6 (iii)) and to report serious breaches to the Ministry of Internal Affairs and Communications (MIC).

The Installment Sales Act requires businesses that handle credit card numbers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to those credit card numbers (Article 35–16).

The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to information pertaining to their respective businesses (Articles 21, 49 and 63–8).

Sector-specific regulators impose additional information security obligations on some industries including the financial and healthcare industries. For the financial sector, the Financial Services Agency (FSA) issued the Comprehensive Guidelines for the Supervision of Major Banks, which provide for cybersecurity obligations of financial institutions. For details on cybersecurity guidelines in finance, see 3. Financial Sector Operational Resilience Regulation. As for the healthcare industry, an enforcement order on the Medical Care Act requires hospitals, clinics and birthing centres to take appropriate steps to ensure cybersecurity (Article 14.2) and an enforcement order of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices also requests pharmacies to do the same (Article 11.2). Further, various ministries have issued other relevant guidelines:

  • the Ministry of Health, Labour and Welfare (MHLW) issued the “Guidelines on Safety Management of Medical Information Systems” (last amended in May 2023);
  • the Ministry of Economy, Trade and Industry (METI) and MIC jointly issued the “Safety Management Guidelines for Providers of Information Systems and Services Handling Medical Information” (last amended in July 2023);
  • the MIC published comprehensive measures for the security of the internet of things (IoT) (July 2016); and
  • the MIC published guidelines on the application of the Telecommunications Business Act to reports of serious accidents (volume 7, December 2023).

The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (PPC), which has the following powers under the APPI:

  • to require private business operators who handle personal information (handling operators) to report or submit materials regarding their handling of personal information (Article 146), which the APPI defines as information about living individuals that can identify specific individuals or contains what is referred to in the APPI as an “individual identification code” (Article 2.1);
  • to enter a handling operator’s offices or other places to investigate, make enquiries and check records or other documents (Article 146);
  • to provide guidance or advice to a handling operator (Article 147);
  • to recommend that a handling operator cease any act constituting a violation of the APPI and take other necessary measures to correct the violation (Article 148.1);
  • to order a handling operator to take necessary measures to implement the PPC’s recommendation mentioned above and to rectify certain violations of the APPI (Articles 148.2 and 148.3); and
  • when the PPC issues an order pursuant to Articles 148.2 and 148.3, and a handling operator violates the order, the PPC may publicly announce the violation (Article 148.4).

The National Police Agency and the Public Prosecutors Office are responsible for the criminal investigation and prosecution of cybercrimes.

As for non-regulatory government authorities that are also directly involved with cybersecurity, the Information Technology Promotion Agency of Japan (IPA) and the National Center for Incident Readiness and Strategy for Cybersecurity (NISC) are notable. The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines, guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breaches. The IPA also runs the J-CSIP, or the Initiative for Cybersecurity Information Sharing Partnership of Japan, which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on people). NISC is responsible for national-level cybersecurity under the Basic Act on Cybersecurity and regularly publishes updates to Japan’s Cybersecurity Strategy. For more on other regulators, refer to the previous sections in 1. General Overview of Laws and Regulators.

The Cybersecurity Policy for Critical Infrastructure Protection defines the following 15 sectors as critical information infrastructure:

  • airports;
  • aviation;
  • chemical industry;
  • credit cards;
  • electric power supply;
  • financial services;
  • gas supply;
  • information and communication;
  • government and administration;
  • logistics and shipping;
  • medical;
  • petroleum industry;
  • ports and harbours;
  • railways; and
  • water supply.

The aforementioned Cybersecurity Policy also encourages critical information infrastructure operators to periodically assess their progress in implementing security measures and policies.

Under the APPI, a handling operator (not only a critical infrastructure operator) must take necessary and appropriate action for security control over the personal data that it handles, including preventing the leakage, loss or damage of or to personal data (Article 23).

The PPC is the regulator primarily responsible for the APPI and the My Number Act; it has published guidelines for the handling of personal information (the “PPC Guidelines”).

The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures, as well as understanding of the external environment. “Understanding of the external environment” is a security measure, newly introduced by the amendments to the Guidelines, which requires a handling operator who processes personal data in a foreign country to understand the foreign country’s legal system for personal information protection and, taking into consideration that legal system, to take necessary and appropriate measures to ensure the security of personal data. Effective from 1 April 2024, the PPC Guidelines also require a handling operator to take security control over personal information that is collected and expected to be treated as personal data, so that a cyber-attacker cannot intercept such information while it is being collected on the operator’s behalf.

According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 24). The APPI also requires a handling operator to ensure that the entity to whom it has entrusted the handling of personal data (eg, a third-party vendor) takes appropriate measures to ensure security control over the personal data (Article 25).

Under the Economic Security Promotion Act, important critical infrastructure businesses are individually designated by the competent ministry as Specified Essential Infrastructure Service Providers. They are required to take measures to reduce or eliminate risk factors among parties involved in the supply chain. Some of the requirements include establishing measures to:

  • prevent unauthorised changes to specified critical facilities;
  • prevent service interruptions;
  • confirm any legal or contractual violations by parties involved in the supply chain; and
  • prevent unintended changes by subcontractors.

The Cybersecurity Policy for Critical Infrastructure Protection provides for the reporting obligations of critical information infrastructure operators in the following instances:

  • if there is a legal reporting requirement by law or regulation;
  • if the operator has determined that an incident has had a serious impact on the lives of people or the operator’s services and that information must be shared; and
  • in other cases where the operator has determined that information must be shared.

Definition of Data Security Incident, Breach or Cybersecurity Event

The APPI stipulates mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights and interests are likely to be infringed (Article 26). The PPC Ordinance defines a data security incident or breach as the occurrence or possible occurrence of the leakage or loss of, or damage to, personal data. The details of the requirements are discussed below.

There is also a special rule for “my numbers” under the My Number Act. There is no general regulation imposing a mandatory reporting obligation for a cybersecurity incident that does not involve a personal data breach. However, various regulations generally mandate certain types of service providers to report an incident affecting their service to the authorities. This reporting obligation also covers cases where a service failure happens as a result of a cyber-attack.

For example, under the Telecommunications Business Act, if an accident occurs and causes a suspension or deterioration of the quality of services for more than the prescribed number of hours and affects a certain number of users specified by the relevant ordinance, the telecommunications business operator must report the accident to the MIC. Furthermore, the MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers. Another example is financial institutions; many laws regulating the financial sector oblige them to report material service failures to their regulators.

Data Elements Covered

The data breach rules apply to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 16.3), which is a collection of information (which includes personal information) that is systematically organised to enable a computer or some other means to search for particular personal information. However, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual’s rights and interests considering how that collection uses personal information (Article 16.4). Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system.

The PPC Ordinance prescribes that a mandatory data breach report is required if a data breach includes personal data (excluding personal data protected by advanced encryption or other measures that are necessary to protect the rights and interests of the individual):

  • containing “special care-required personal information”;
  • that is likely to cause property damage if used inappropriately;
  • the leakage of which is likely to have been committed for an improper purpose (effective from 1 April 2024, personal information that is already collected or will be collected and expected to be treated as personal data is also included in this requirement); or
  • of more than 1,000 individuals.

Special care-required personal information is defined as personal information comprising a data principal’s race, creed, social status, medical history, criminal record, the fact of having been a victim of a crime, or other descriptions that may be prescribed by a cabinet order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject (Article 2.3).

Governmental authorities that have specific jurisdiction over some of the 15 critical information infrastructure sectors have issued specific guidelines, described below, concerning cybersecurity.

For the healthcare industry, see 6.3 Cybersecurity in the Healthcare Sector. For the financial industry, see 3. Financial Sector Operational Resilience Regulation.

The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) issued:

  • the Safety Guidelines for Ensuring Information Security for Air Transport Operators for aviation services;
  • the Safety Guidelines for Securing Information Security in the Airport Sector for airport services;
  • the Safety Guidelines for Ensuring Information Security for Railway Operators for railway services; and
  • the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.

The MLIT also issues information security countermeasure checklists for railway service, bus service, bus terminals, taxis, hotels, ferries, and airports and airport buildings.

The MHLW issued the Information Security Guidelines for the Water Sector for water services.

The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks, etc. (the “Comprehensive Guidelines for SMB”), which mention cybersecurity obligations, referring to the Guidelines for Cyber Security in Finance Sector (the “Guidelines for CSFS”). The Comprehensive Guidelines for SMB further include measures regarding operational resilience. Operational resilience refers to the ability of financial institutions to continue to maintain the minimum level of their critical operations even in the event of a system failure, terrorist attack, cyber-attack, infectious disease, natural disaster or other event. The Comprehensive Guidelines for SMB specify the actions to be taken by the board of directors and the regulations of the authorities to achieve operational resilience.

Not limited to the financial sector, when a handling operator entrusts personal data, it must exercise the necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 25 of the APPI). Handling operators shall supervise the entrustees to ensure that the same levels of security control are taken as those imposed on the operators under the APPI.

If a handling operator uses cloud services, that use may not be considered entrustment and thus the aforesaid obligation under Article 25 of the APPI does not apply. Instead, businesses that use cloud services must still take appropriate security control over the personal data stored in cloud services as part of their own duties.

The Comprehensive Guidelines for SMB require businesses to report to the authorities when they become aware of a computer system failure or cybersecurity incident, when they are recovering from such incidents, and when they have identified the cause of an incident. Where the business detects that a cyber-attack will have, or is highly likely to have, an impact on customers or business, a report is required even if the system failure or incident does not occur. For details of the Comprehensive Guidelines, see 3.1 Scope of Financial Sector Operation Resilience Regulation.

The FSA may impose administrative disposition on financial businesses that may violate or may have violated laws and regulations. Such disposition includes on-site inspections and orders to improve business operations.

For offshoring, there are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to a third party located in a foreign country (Article 28). In other words, overseas transfer restrictions will apply if a foreign company transfers user data to another company outside Japan. Conversely, if a foreign company transfers user data to a company in Japan, these overseas transfer restrictions will not apply. The overseas transfer restrictions apply even in the cases of outsourcing that are exceptions to local third-party data transfer restrictions.

The data subjects’ consent to overseas data transfers is not necessary if:

  • the foreign country is designated by the PPC as a country with a data protection regime with a level of protection equivalent to that of Japan (only EEA member countries and the UK have been designated to date);
  • the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the Ordinance issued by the PPC (the PPC Ordinance) – ie, either of the following:
    1. there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements on handling personal data under the APPI; or
    2. the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data.

The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that “appropriate and reasonable methodologies” include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to a PPC recognised international framework, to date, the PPC Guidelines have identified only the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) as a recognised international framework on the handling of personal data.

The Guidelines for CSFS require that threat-led penetration testing (TLPT) be carried out on a regular basis.

There is no uniform legislation on cyber-resilience. Specific aspects of cyber-resilience are stipulated in each of the individual regulations.

The Labeling Scheme based on Japan Cyber-Security Technical Assessment Requirements provides an evaluation index for the security functions of IoT products. This system will be provided by the IPA, and applications are scheduled to begin in March 2025.

Handling operators have to establish appropriate safeguards to protect personal data (Article 23 of the APPI) and have to report data breaches to the PPC and notify affected data subjects in cases where their rights and interests are likely to have been infringed (Article 26 of the APPI).

The MIC and METI published the AI Business Guidelines for AI developers, AI service providers and AI users on 19 April 2024. These Guidelines urge businesses to invest in and implement robust security management throughout the entire AI lifecycle, including cybersecurity. They also suggest considering appropriate cyber-access controls.

The MHLW has issued the Guidelines on the Safety Management of Medical Information Systems (last amended in May 2023). While the MHLW Guidelines and an announcement issued by the MHLW on 29 October 2018 state that medical service providers should report a cybersecurity incident to the authority, no special rule has been issued for statutory data breach reporting and notifications in this regard.

The MIC and METI have jointly issued the Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services Handling Medical Information (last amended in July 2023).

Mori Hamada & Matsumoto

16th Floor, Marunouchi Park Building
2-6-1 Marunouchi
Chiyoda-ku
100-8222
Tokyo
Japan

+81 362 128 330

+81 362 128 230

info@morihamada.com www.morihamada.com

Trends and Developments

Authors

Nagashima Ohno & Tsunematsu is one of the foremost providers of international and commercial legal services, based in Tokyo. The firm has approximately 600 lawyers, including nearly 50 experienced foreign lawyers from various jurisdictions. Its overseas network includes offices in New York, Singapore, Bangkok, Ho Chi Minh City, Hanoi, Shanghai and Jakarta, and collaborative relationships with prominent local law firms throughout Asia, Europe, North and South America, and other regions. The firm provides comprehensive assistance in the development of cybersecurity systems, including the establishment of internal governance systems and vendor management. It also has extensive experience in crisis management in the event of a security incident. In collaboration with IT system experts, the firm also provides one-stop support for the entire process, from the initial response, including fact-finding and evidence preservation, to dealing with the authorities, information disclosure and the mass media, liaising with victims, root cause analysis and recurrence prevention measures.

Introduction

In 2024, as in previous years, numerous incidents involving the leakage of personal data occurred in Japan due to cyber-attacks such as ransomware and internal misconduct by outsourced contractors. In response, the Personal Information Protection Commission (PPC), the Japanese data protection authority, has decided to publish quarterly summaries of its supervision activities, detailing the content of its administrative guidance and advice. In this context, the PPC has focused on issues related to the “handling of large volumes of personal information”, identifying problems with security measures and the need for necessary and appropriate oversight of data processors. Taking into consideration past judicial precedents in Japan regarding data breaches, these insights provide valuable references in order for businesses managing significant volumes of personal information to assess the required security standards. This article highlights these developments and introduces trends in legal reforms surrounding cybersecurity in Japan.

Recent Enforcement and Administrative Guidance by the PPC

Since August 2024, the PPC has published quarterly reports summarising its “Overview of the Exercise of Monitoring and Supervisory Authority” and the “Handling Status of Breach Notifications” (as of the end of December 2024, the latest being the second quarter of FY2024). While the PPC has previously disclosed cases of administrative guidance or advice based on the severity of incidents, these announcements were limited in scope. The quarterly reports thus serve as valuable reference materials for businesses to understand the PPC’s enforcement policies on data breach incidents.

Handling status of breach notifications

In the second quarter of FY2024, there were 3,599 reports of breaches from businesses handling personal information. Of these, 1,087 cases (30.2%) stemmed from unauthorised access, including breaches caused by external cyber-attacks.

Overview of the exercise of monitoring and supervisory authority

During the second quarter of FY2024, it was reported that there were 87 cases in which the PPC gave administrative guidance and/or advice to private businesses. Of these, 70 cases related to security measures (Article 23 of the Japanese Act on Protection of Personal Information (APPI)) and supervision of contractors (Article 25 of the APPI), and 33 cases concerned delays in breach notification submissions. (Note: a single case may fall under multiple categories.)

Among the said 87 cases, 48 involved breaches due to unauthorised access. Excluding formal violations such as delayed reporting, administrative guidance on unauthorised access breaches was the most frequent course of action. The PPC gave the following reasons to explain this trend.

  • Unlike cases such as the leakage of sensitive personal information, which require reporting even for a single incident, unauthorised access incidents often involve a large number of individuals (most unauthorised access cases involved breaches affecting over 1,000 individuals).
  • These incidents were often linked to businesses failing to implement the necessary security measures that should have been in place as a matter of course.

Causes of unauthorised access and content of administrative guidance

For unauthorised access incidents in the second quarter of FY2024, the causes and the types of attack were analysed as follows.

  • By cause:
    1. software vulnerabilities: 27 cases (including VPN: six, e-commerce sites: five);
    2. weak ID/password protection: 22 cases; and
    3. misconfigured access controls: 16 cases.
  • By type of attack:
    1. brute-force attacks: 12 cases;
    2. cross-site scripting: six cases;
    3. SQL injection: four cases; and
    4. ransomware: 21 cases.

Most of the identified inadequacies in security measures for FY2024 concerned technical safeguards. In the second quarter, the most common administrative guidance related to the requirement of “preventing unauthorised external access” (42 cases), followed by “identification and authentication of users” (eight cases).

Primary causes of breaches included:

  • known vulnerabilities in VPN devices or applications used to build e-commerce sites left unaddressed by businesses;
  • easily guessable IDs and passwords; and
  • misconfigured system settings allowing improper database access control.

Such inadequacies in security measures often led to the PPC’s enforcement actions.

Implications for businesses

The PPC’s reports provide detailed case studies, including the specifics of incidents and deficiencies addressed in their administrative guidance, offering valuable insights for practical countermeasures. Businesses in Japan, especially those handling substantial volumes of personal information, should regularly review these reports. They should also continuously update their technical security measures and implement robust oversight frameworks for contractors.

Practical Measures to be Taken by Companies in the Event of a Data Breach

Procedures for reporting leakages and the like

In Japan, upon the occurrence of a leakage, or the like, in respect of personal data it is in principle necessary to report the incident to the authorities. In this regard: (i) for personal data, under the APPI the occurrence must be reported to the PPC (however, in relation to certain industries, the leakage, or the like, must be reported to the competent ministries such as the Ministry of Internal Affairs and Communications (MIC)); and (ii) for information to which the secrecy of telecommunications applies and/or which is specified user information, under the Telecommunications Business Act (TBA) the occurrence must be reported to the MIC. In addition: (iii) in the case of listed companies, timely disclosure under the relevant rules established by each securities exchange in Japan and/or disclosure through extraordinary reports under the Financial Instruments and Exchange Act may be required in the event of a major incident. In such cases, careful consideration should be given to the scope of information to be disclosed, in order that the perpetrators of the incident or other persons do not use the information to cause further damage.

As regards (i) and (ii) above, these entail different scopes, procedures and institutional purposes. In the event of a leakage, or the like, it is important to be aware of the difference between (i) and (ii), and to handle both at the same time and in a timely manner.

  • (i) The situations that require reporting under the APPI (Article 26, paragraph 1 of the APPI) are when personal data has been leaked, etc (ie, leakage, loss, damage or other circumstances pertaining to the security of personal data) and there is a significant risk of harm to the rights and interests of individuals. Under the APPI, there are two types of reports: a preliminary report (promptly after learning of the situation); and a definitive report (within 30 days (60 days in certain cases) from the date of learning of the situation).
  • (ii) The situations that require reporting under the TBA (Article 28 of the TBA) are: (a) when there is a leakage in respect of secrecy of telecommunications (eg, content of chats); (b) when there is a leakage of specified user information (eg, telecommunications account information) – in which case, only designated businesses are required to report; and (c) when a “threat” of such a situation arises. There are two types of reports under the TBA: a first report (promptly after becoming aware of the situation); and a detailed report (within 30 days).

In addition, as is common for both procedures, it is necessary to comply with the deadlines for submitting each of the above reports, and therefore it would be advisable to establish a response process in advance – ie, in normal times prior to any such incident. In addition, when submitting a report, it is necessary to (i) describe the status of implementation in respect of security control measures and supervision of contractors, and (ii) investigate the technical causes of the leak. With the increase in the number of cases of leakage, there is an inevitable increase in the number of cases necessitating the use of the reporting procedures, and thus the day when a report is required may come at any time. Therefore, it is important, regarding (i), to establish and conduct the appropriate security control measures and supervisory procedures in advance, and, regarding (ii), to establish relationships with security vendors who have the necessary capabilities to conduct required investigations so that they can be immediately engaged when needed.

Risks in respect of disclosure of administrative guidance and recommendations

In addition, in recent years there has been an increase in the number of cases in which administrative guidance, orders and the like are publicly disclosed, and therefore an increase in de facto risks, such as reputational risks, that are not purely legal in nature.

  • In 2023, NTT West discovered that an employee of a re-outsourcee had accessed the server where customer data was stored and had illegally appropriated customer data for about ten years. In response, in 2024, the PPC issued recommendations and administrative guidance to the outsourcee and the re-outsourcee, directing them to improve the inadequate organisational security control measures. In addition, the MIC issued administrative guidance to NTT West, directing it to review its supervision of its outsourced companies and strengthen its measures. The content of said guidance, including the name of the company, has been made public.
  • In 2023, an incident occurred involving NTT DOCOMO and NTT NEXIA, whereby temporary employees of NTT NEXIA, NTT DOCOMO’s outsourcee for customer information management, appropriated personal data of a total of approximately 5.96 million people. In response, in 2024, the PPC issued administrative guidance to NTT DOCOMO and NTT NEXIA, directing them to implement measures to prevent a recurrence and to report on the implementation status. The content of this guidance, including the names of the companies, was made public.

In both cases, the incidents occurred at the outsourcee, and the authorities identified issues related to the maintenance of organisational security control measures. It is becoming increasingly difficult for large companies that outsource parts of their business handling personal information to third parties to manage the personal information on their own, and thus it is important to ensure that security control measures are implemented, including at outsourcees.

As mentioned above, in recent years there have been an increasing number of cases of administrative guidance and public announcements in response to leaks. Businesses that handle large volumes of personal data are likely to be more vulnerable to attacks and to risks of leakage and therefore must employ caution because of the increased risk of administrative guidance, administrative order and public disclosure.

Civil risks

In 2014, a very well-known Japanese company (the “Company”) in the educational and publishing industry suffered a massive leak (the “Case”), in which an insider (a former employee of the outsourcee) appropriated the personal information of tens of millions of people and sold the information to a directory company. Over the past few years, a series of court judgments have been issued to determine civil liability in the Case.

Corporate responsibility

In the Case, numerous victims filed lawsuits for damages. The court stated that “regarding information security, necessary measures must be taken in consideration of each company’s business, environment, risks, and suchlike” and noted that “a large amount of personal information from customers forms the subject of business activities, and in light of the general public perception of information management, close attention is to be paid to information security measures.” As a result, the court concluded that “the Company is in a position to pay close attention to information security measures, in light of the fact that it handles a large amount of personal information from its customers in its business activities and in light of the general public perception of information management”, and partially granted the plaintiffs’ (victims’) damages claims against the Company (Tokyo High Court, 17 March 2021, (Ne) No 102).

From this, it can be concluded that businesses handling large volumes of personal data have a heightened duty of care in terms of the security measures required to prevent information leaks of personal data. Therefore, such businesses are susceptible to the risk that a finding of either default (contract liability) based on a breach of the obligation to implement security controls or negligence based on foreseeability (tort liability) may be easily made. In particular, since foreseeability is more likely to be established in relation to known security risks, it is of paramount importance for companies to constantly collect the latest information and take technical countermeasures.

Liability of company officers

If the company were to post an extraordinary loss due to payment of a large amount of compensation for damages or loss in respect of operating profit, the officers could be accused by shareholders and others of violating their duty of care (Article 330 of the Companies Act and Article 644 of the Civil Code) due to the inadequacy of their establishment and operation of a cybersecurity system.

In the Case, a shareholder derivative suit was filed against the officers (more precisely, the officers of the Company group’s holding company) to hold them liable. In its judgment, the court held that it was necessary to establish an internal control system based on the nature and scale of the business, management conditions, and other related circumstances (Hiroshima High Court, Okayama Branch, 18 October 2019 (2018 (Ne) No 201)). Therefore, in the case of a large corporation, it is necessary to establish an appropriate internal control system from the perspective of cybersecurity, taking into account the trends in practice. In the Case, the responsibility of the officers of the holding company was in question, not the Company itself, since it was the holding company that had established the relevant internal control system. In conclusion, the court dismissed the claim against the officers of the holding company.

Additionally, in a case where the issue was whether or not there were deficiencies in the risk management system of a listed company due to the false statements made in the securities report required under the Financial Instruments and Exchange Act, as a result of fictitious sales being recorded by employees, the Japanese Supreme Court made its judgment based on (i) whether the company had a management system sufficient to prevent the type of misconduct that could normally be expected, and (ii) whether there were special circumstances that should have led the company to anticipate the misconduct that occurred (Supreme Court, 9 July 2009 (2008 (Ju) No 1602)).

If the responsibility of company officers for the inadequacy of risk management systems for cyber-attacks is contested in court, this Supreme Court judgment may be cited as a precedent. In such cases, security incidents and tactics employed by attackers, as introduced in public alerts by relevant authorities like the PPC, such as the PPC’s quarterly report and in publicised cases by other companies, would be taken into account. As a result, it should be noted that the court may assess whether a degree of control was exercised that could have prevented security incidents that occurred, assuming that the incidents were caused by normal, expected cyber-attacks.

Necessity of ensuring adequate security levels

As discussed above, the legal risks associated with cybersecurity are increasing, and so is the need to ensure an adequate level of cybersecurity. For example, the following are beneficial in ensuring adequate standards.

  • Considering, from the viewpoint of system maintenance, the necessary cybersecurity measures from the perspective of maintenance of internal controls, with reference to the technical management described in the “Guidelines for Internal Fraud Prevention in Organizations” of the Information-technology Promotion Agency, Japan (IPA) and the evaluation items set forth in “Evaluation of the effectiveness of maintenance and operation status of internal controls using IT” listed in the “Standards for evaluation and audit of internal controls over financial reports” of the Financial Services Agency.
  • Conducting cyber due diligence, including penetration tests (actual simulated attacks) and systemic checks, with a view to reducing risks before they occur.
  • Participating in the Cyber Security Council (a council legally established under Article 17 of the Cyber Security Basic Act, in which both the public and private sector participate) to obtain non-public information on the latest attack trends, and such like, from the viewpoint of information gathering.

Trends in Legal Reforms and in Other Areas

Discussion on the review of the APPI

When the APPI was amended in 2020, it was decided that the regulatory regime would thenceforth be reviewed every three years. Based on this, the PPC is currently reviewing the regime, including the introduction of a surcharge system and revision of the system for demanding injunctions; and on 25 December 2024, the report of the Expert Panel was published (albeit in the form of both sides of the argument).

The report examines both (i) violations of various conduct regulations and (ii) violations of regulations pertaining to leaks, and the like, and to security control measures, narrowing down the cases to which the surcharge system would apply.

Specifically, with respect to the situation in which the surcharge system is to be applied, the report proposes the following.

With respect to (i) above:

  • limiting the subject acts (situations) to violations of the following four types: restrictions on provision to third parties (Article 27, Paragraph 1); prohibition of inappropriate use (Article 19); restrictions based on the purpose of use (Article 18); and appropriate acquisition (Article 20);
  • limiting the subject cases to those where the violator can be said to have been negligent in failing to take reasonable care to prevent the violation;
  • limiting the subject cases to those where individual rights and interests have been infringed or there is a concrete threat of infringement; and
  • limiting the subject cases to those where a large-scale breach has occurred (specifically, where the number of data subjects involved in the breach is 1,000 or more), etc.

With respect to (ii), above:

  • limiting the subject acts to cases where a large-scale leakage, or the like, of personal data occurs as a result of a breach of the obligation to take security control measures (specifically, cases where the number of data subjects involved in the breach is 1,000 or more);
  • limiting the subject cases to those where the violator can be said to have been extremely negligent in respect of taking reasonable care to prevent violations of the obligation to take security control measures; and
  • limiting the subject cases to those where individual rights and interests have been infringed or there is a concrete threat of infringement.

With respect to the method of calculation of the surcharge, the report proposes the following.

With respect to (i) above:

  • the surcharge be the full amount of financial gain (or an amount exceeding the full amount of such financial gain) obtained by the violating business operator from the violation or from the use of personal information acquired through the violation.

With respect to (ii), above:

  • the surcharge be such amount as is obtained by multiplying (x) the amount of sales generated by the business activities of the business operator in violation of the obligation to take security control measures during the period of the relevant violation by (y) a certain “calculation rate”; this proposal is based on the viewpoint of speediness and efficiency of administrative penalties, and it appears to have been made with ease of calculation in mind.

In addition, there are proposals to establish a provision for reducing penalties for violators who voluntarily report violations, and an additional provision to impose a surcharge of 1.5 times the normal surcharge on repeat violators.

From the viewpoint of civil law, with regard to the system for demanding an injunction, there is a proposal to grant qualified consumer organisations the right to demand an injunction under the APPI as their own right, targeting violations that are highly likely to infringe on the rights and interests of individuals.

Although the report of the expert panel is still in the process of being put forward for consideration, if these systems are introduced, both the administrative law and civil law risks from an enforcement perspective may increase in Japan in the future.

Trends in legal reforms in the national security sector

In 2024, the Act on the Protection and Use of Critical Economic Security Information came into effect. This Law stipulates:

  • the designation of critical economic security information;
  • the provision of critical economic security information; and
  • restrictions on who can handle critical economic security information (so-called “security clearance”), among other matters.

It is important for businesses that handle critical infrastructure, such as information and communications, to comply with this Law.

In addition, recently the government has been preparing Active Cyber Defense legislation, and the bill was submitted to the Diet in February 2025. This bill aims to enhance Japan’s cybersecurity response capabilities to a level equal to or higher than that of major Western countries. Among other things, it stipulates provisions for:

  • strengthening public-private sector co-operation, such as imposing reporting requirements on critical infrastructure operators when they notice certain types of cyber-attacks;
  • the government’s use of communication information to understand the actual situation of cyber-attacks on Japan; and
  • allowing the National Police Agency and the Self-Defense Forces to intrude into and neutralise servers possessed by attackers to prevent serious harm from cyber-attacks under certain conditions.

It will be necessary to keep a close eye on the deliberations on the bill in the Diet.

Nagashima Ohno & Tsunematsu

JP Tower, 2-7-2 Marunouchi
Chiyoda-ku
Tokyo 100-7036
Japan

+81 368 897 396

+81 368 898 396

yasushi_kudo@noandt.com www.noandt.com/en/lawyers/yasushi_kudo/
Trends and Developments

Authors



Nagashima Ohno & Tsunematsu is one of the foremost providers of international and commercial legal services, based in Tokyo. The firm has approximately 600 lawyers, including nearly 50 experienced foreign lawyers from various jurisdictions. Its overseas network includes offices in New York, Singapore, Bangkok, Ho Chi Minh City, Hanoi and Shanghai, Jakarta and collaborative relationships with prominent local law firms throughout Asia, Europe, North and South America, and other regions. The firm provides comprehensive assistance in the development of cybersecurity systems, including the establishment of internal governance systems and vendor management. It also has extensive experience in crisis management in the event of a security incident. In collaboration with IT system experts, the firm also provides one-stop support for the entire process, from the initial response, including fact-finding and evidence preservation, to dealing with the authorities, information disclosure and the mass media, liaising with victims, root cause analysis and recurrence prevention measures.
