1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?
These concepts are not legally distinguished.
‘Cybersecurity’ is defined in the Basic Act on Cybersecurity as referring to measures to manage data safely, such as the prevention of security breaches or loss of or damage to data; and to guarantee the safety and reliability of information and telecommunications systems and networks. This definition is so extensive that it overlaps extensively with ‘data protection’ under the Act on the Protection of Personal Information, described below, and ‘trade secret protection’ under the Unfair Competition Prevention Act. Moreover, the definition includes not only countermeasures against cyberattacks, but also countermeasures against system failures.
‘Data protection’ is not legally defined, but the term is often used in conjunction with personal information protection under the Act on the Protection of Personal Information and the right to privacy that is recognised and protected by case law as a constitutional right. The right to privacy is the right for a person’s private information not to be disclosed to third parties or made public without good reason.
‘Cybercrime’ is not legally defined. However, according to the White Paper on the Police issued by the National Police Agency, the police generally interpret this term as referring to a crime that is committed through the use of information technology such as advanced information communication networks (eg, the Internet), or that targets computers or electromagnetic records.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
Cybersecurity: The Basic Act on Cybersecurity imposes no specific obligations on private companies. Rather, statutory and regulatory provisions that address cybersecurity as defined in the Basic Act on Cybersecurity are scattered among various laws. While it is difficult to list all of those laws, one key statute is the Unfair Competition Prevention Act, which protects trade secrets and other valuable data defined as ‘data for limited provision’ (Article 2).
Data protection: A business operator that processes personal information must take necessary and appropriate actions to ensure the security control of that data, including preventing the leakage, loss of or damage to personal data (Article 20 of the Act on the Protection of Personal Information).
Cybercrime: Various cybercrimes are included in several laws. Articles 168-2 and 168-3 of the Penal Code impose criminal sanctions on anyone who creates, provides, uses or stores ‘improper command records’, which refers to electronic records that send improper commands, such as computer viruses or malware, to computers. The Act on the Prohibition on Unauthorised Computer Access imposes criminal sanctions on anyone who accesses a computer without authorisation. The Unfair Competition Prevention Act imposes criminal sanctions on anyone who illegally acquires, uses or discloses trade secrets. The Act on the Protection of Personal Information imposes criminal sanctions on anyone who illegally uses or discloses any personal information database.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Certain cyber laws and guidelines apply to critical infrastructure of certain businesses, such as financial services and healthcare. In addition, so-called ‘critical information infrastructure operators’ must make an effort to develop their understanding of the importance of cybersecurity, and to voluntarily and proactively ensure cybersecurity for the purpose of providing services in a stable and appropriate manner (Article 6 of the Basic Act on Cybersecurity). Article 3(1) of the Basic Act on Cybersecurity defines ‘critical information infrastructure operators’ as operators of businesses that provide infrastructure which is a foundation of people’s lives and economic activities, and which could be significantly impacted by the functional failure or deterioration of that infrastructure.
The Cybersecurity Strategy Headquarters, established under Article 25 of the Basic Act on Cybersecurity to promote Japan's cybersecurity measures, formulated the Cybersecurity Policy for Critical Infrastructure Protection as a voluntary guideline which designates 14 critical infrastructure areas under its scope: information and communication, financial services, aviation, airports, railways, electric power, gas supply, government and administrative supply, medical, water, logistics, chemicals, credit cards and petroleum.
Information which must be kept secret for national security reasons is protected under the Act on the Protection of Specially Designated Secrets.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The Act on the Protection of Personal Information applies to personal information. It also protects what is referred to as ‘special care required’ personal information by imposing additional restrictions, such as requiring consent before it may be obtained. ‘Special care required’ personal information is defined in Article 2(3) of the Act on the Protection of Personal Information as personal information relating to the data subject’s race, creed, social status, medical history, criminal record, status as the victim of a crime or other information which a cabinet order has prescribed requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject.
For health information, in addition to the Act on the Protection of Personal Information, there are guidelines which set out special data protection rules.
For financial information, in addition to the Act on the Protection of Personal Information, there are business-related laws and guidelines which set out special data protection rules.
Classified information is protected under the Act on the Protection of Specially Designated Secrets.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Cybersecurity: The Basic Act on Cybersecurity does not have extraterritorial reach.
Data protection: If an operator processing personal information obtains personal information relating to the provision of goods or services to a person in Japan and processes that personal information in a foreign country, the main provisions of the Act on the Protection of Personal Information apply to the operator directly (Article 75 of the Act on the Protection of Personal Information).
Cybercrime: In general, if the effect of a crime occurs in Japan, criminal penalties can be applied, even where the crime is committed overseas. The Penal Code and the Act on the Prohibition on Unauthorised Computer Access apply to anyone who commits a crime which is governed by a treaty, even if the crime is committed outside the territory of Japan (Article 4-2 of the Penal Code and Article 14 of the Act on the Prohibition on Unauthorised Computer Access). Therefore, the Penal Code and the Act on the Prohibition on Unauthorised Computer Access apply if a server or a person in Japan suffers damage from cyberattacks from overseas. In addition, the Unfair Competition Prevention Act (Articles 21(6), (7) and (8)) and the Act on the Protection of Personal Information (Article 86) have extraterritorial reach.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Data protection: Japan has recognised European Economic Area (EEA) member countries and the United Kingdom as foreign countries with systems for the protection of personal information that are deemed to be at the same level as Japan (Article 24 of the Act on the Protection of Personal Information); and the European Union and the United Kingdom have recognised that Japan ensures an adequate level of protection (see Article 45 of the EU General Data Protection Regulation (GDPR)). Hence, an international data transfer from Japan to EEA member countries or the United Kingdom is free from additional regulations under the Act on the Protection of Personal Information specific to data transfers to third parties outside Japan. Data transfers from EEA member countries and the United Kingdom are free from certain international data transfer regulations under the GDPR and each local law; however, a data importer that is subject to the Act on the Protection of Personal Information must follow supplementary rules stipulated by the Personal Information Protection Commission.
Cybercrime: Japan has signed the Convention on Cybercrime (2001 Budapest Convention). In 2011, it established domestic substantive and procedural laws under the convention; and it ratified the convention in 2012. In addition, Japan has signed a mutual legal assistance treaty with each of the United States, South Korea, China, Hong Kong, the European Union and Russia to collect and obtain evidence in those countries.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
Anyone who creates, provides or uses improper command records, such as a computer virus or malware, is subject to imprisonment for up to three years or a fine of up to JPY 500,000 (Article 168-2 of the Penal Code); and anyone who obtains or stores improper command records for the purpose of using such records is subject to imprisonment for up to two years or a fine of up to JPY 300,000 (Article 168-3 of the Penal Code).
Hacking is considered unauthorised access under the Act on the Prohibition on Unauthorised Computer Access, which is punishable by imprisonment for up to three years or a fine of up to JPY 1 million. Article 7 of the Act on the Prohibition on Unauthorised Computer Access prohibits phishing, which is subject to imprisonment for up to one year or a fine of up to JPY 500,000 (Article 12 of the Act on the Prohibition on Unauthorised Computer Access).
Anyone who illegally acquires, uses or discloses trade secrets is subject to imprisonment for up to 10 years or a fine of up to JPY 20 million, and a corporation whose employee commits the crime in the course of performing his duties as an employee is also subject to a fine of up to JPY 500 million (Articles 21(1) and 22(1) of the Unfair Competition Prevention Act).
Anyone who illegally uses or discloses a personal information database is subject to imprisonment for up to one year or a fine of up to JPY 500,000, and a corporation whose employee commits the crime in the course of performing his or her duties as an employee is also subject to a fine of up to JPY 500,000. However, under the newest amendments to the Act on the Protection of Personal Information ("APPI"), which were promulgated on June 12, 2020 (the amended Act on the Protection of Personal Information), the fine will be increased to up to JPY 100 million. (Please note that most of the amendments to the APPI will take effect by June 12, 2022; however, the amendments regarding penalties will take effect on December 12, 2020.)
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so, to what extent?
Japan has no civil penalties system for violations of cyber laws and regulations. Other economic sanctions, except for criminal penalties, that may be imposed by authorities include administrative surcharges and fines. However, they are not imposed in the case of violations of the provisions listed in question 1.2.
As for cybersecurity, the Cybersecurity Strategy Headquarters and its secretariat, the National Centre of Incident Readiness and Strategy for Cybersecurity (NISC), are responsible for the promotion of cybersecurity policy. However, while NISC has the authority to oversee government agencies, it does not have jurisdiction over private companies.
On the other hand, the Personal Information Protection Commission, in principle, has enforcement powers through the issuance of guidance and advice, report collections, recommendations and orders.
Prosecutors and the police have the power to enforce laws against cybercrime by conducting investigations and arrests. Criminal penalties are usually imposed only on individuals (eg, directors, officers and employees), but some special provisions impose criminal penalties on corporations.
The application of laws overseas is described in question 1.4. In addition, in order to collect and obtain evidence from foreign countries, Japan has entered into mutual legal assistance treaties and conventions on cybercrime to ask certain governments for assistance, as described in question 1.5.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Yes. If a company is subjected to a cyberattack and personal data is breached as a result, the data subject can file a claim for damages against the company under tort or contract theory. In addition, if specific actions of directors, officers or employees cause damages to data subjects, the directors, officers or employees will be personally responsible for the injury. It is also possible to pursue the liability of directors and officers through what is referred to in Japan as a shareholder representative lawsuit, assuming that the company suffered damages due to the negligent actions of the directors and officers.
2.3 What defences are available to companies in response to governmental or private enforcement?
With respect to defences against administrative guidance, advice or recommendations in accordance with Article 36-2 of the Administrative Procedure Act, if the guidance, advice or recommendations do not conform to the requirements set forth in the law, the affected entity has the right to request the administrative agency to discontinue that guidance, advice or recommendation.
Regarding defence against administrative orders, the subject of the order – whether an individual or a corporation – may file a complaint under the Administrative Complaint Review Act or a lawsuit to seek revocation of the order under the Administrative Case Litigation Act.
Another defence that companies may raise in an action described in question 2.2 is denial of negligence in the case of tort claims or denial of breach in the case of claims based on breach of contract.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Cybersecurity: The Ministry of Internal Affairs and Communications and the National Institute of Information and Communications Technology, in cooperation with telecommunications carriers, are conducting the National Operation Towards Internet of Things (IoT) Clean Environment project (aka "NOTICE project"). The purpose of this project is to survey vulnerable IoT devices and alert users to problems pursuant to the Act on the National Institute of Information and Communications Technology, as amended in 2018, because cyberattacks which exploit vulnerable IoT devices have been increasing.
Data protection: In 2014 the unauthorised removal of personal information affecting 48,580,000 individuals occurred at Benesse Corporation, one of the largest private distance-learning companies for children in Japan. Some of the affected data subjects filed multiple lawsuits against Benesse for damages on the grounds that it had problems with information security management. Some of these lawsuits were commenced by groups consisting of numerous plaintiffs. These cases are still pending. In addition, a shareholder representative lawsuit was filed to hold the officers of Benesse liable, but this case was dismissed.
Cybercrime: In the data breach in the Benesse case above, the person who illegally removed the personal information was sentenced to imprisonment for two years and six months and a fine of JPY 3 million for violating the Unfair Competition Prevention Act.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Regarding major data breaches, see question 3.1 (regarding the 2014 Benesse incident). In addition, in an incident affecting Kanagawa Prefecture, the prefecture engaged a contractor to dispose of hard disk drives but an employee of the contractor secretly resold some of them through an internet auction, even though the data on them could be easily recovered. The breach involved a total of 18 hard disk drives and up to about 54 terabytes of data.
With respect to legislative activity, in 2018 the Basic Act on Cybersecurity was amended to establish the Cyber Security Council, which consists of national governmental bodies, critical infrastructure operators, security vendors and other related organisations, and which shares information on cybersecurity. In June 2020 additional amendments to the Act on the Protection of Personal Information were approved (see question 1.6).
As of the time of writing, there have been no recent notable events relating to major cyber-related innovations or technology developments.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
The Ministry of Economy, Trade and Industry and the Information Technology Promotion Agency (IPA) have jointly released Cybersecurity Management Guidelines which cover specific industries and summarise what management personnel should be aware of and direct the persons in charge of cybersecurity on what to do to protect their companies from cyberattacks.
In the financial industry, the Centre for Financial Industry Information Systems (FISC) published the FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions to promote security measures for financial institutions.
As a reference, the Cybersecurity Strategy which was formulated by the government of Japan under the Basic Act on Cybersecurity will promote the Proactive Cyber Defence Policy. This involves the sharing and utilisation of information on cyber threats and information on vulnerabilities.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
The Cybersecurity Strategy Headquarters and the National Centre of Incident Readiness and Strategy for Cybersecurity jointly issued the Common Standards on Information Security Measures of Governmental Entities as voluntary guidance under Article 26(1) of the Basic Act on Cybersecurity. The standards are a unified framework for improving the level of information security of governmental entities and define the baseline for information security measures to ensure a higher level of information security.
As regards other voluntary guidelines issued by governmental agencies, see question 4.1.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
The directors of large companies must determine relevant matters concerning the establishment of an internal control system (ie, a risk management system based on the size and characteristics of the business), which includes a system to ensure cybersecurity. If company directors have not determined such matters – for example, if internal regulations concerning cybersecurity have not been put in place – they may be deemed to be in violation of this obligation.
In addition, if company directors – including those in small or medium-sized companies – do not take appropriate cybersecurity measures to prevent their companies from causing undue damage, they may be in violation of their duties of due care and loyalty.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
Publicly listed entities are subject to the Financial Instruments and Exchange Act and the Securities Listing Regulations, which are self-regulatory rules, in addition to the Companies Act. These regulations cover, among other things, information disclosure about cybersecurity in relation to proactive cyber compliance.
Listed companies must submit annual securities reports describing important matters related to their business. These important matters include risks relating to their business, including cybersecurity.
In addition, companies applying for listing must submit a report on corporate governance under the Securities Listing Regulations; and if there is a change in the content of the report, the applicant must revise and resubmit the report. As this report describes the basic concepts and development status of a company's internal control system, it is conceivable that cybersecurity matters will be outlined as part of this system.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
There are several information-sharing systems on cybersecurity, such as the following.
Cyber Security Council: This is a statutory information-sharing system organised under the amended Basic Act on Cybersecurity described in question 3.2. The Cyber Security Council aims to share information among a wide range of entities beyond the boundaries of each industry and across the public and private sectors.
The Initiative for Cyber Security Information Sharing Partnership of Japan (J-CSIP): The IPA launched the J-CSIP in 2011, which shares information on targeted email attacks, focusing on manufacturers of equipment used in critical infrastructure such as heavy industry and heavy electric power.
Industry information-sharing and analysis centres (ISACs): The establishment of so-called ISACs is gradually increasing in various industries for the purpose of gathering, analysing and sharing information across those industries. Active working centres include ICT-ISAC Japan, Financials ISAC Japan, and Japan Electricity ISAC.
Collective Intelligence Station for Trusted Advocates (CISTA): The Japan Computer Emergency Response Teams Coordination Centre provides information about cybersecurity threats, analysis and countermeasures as a form of early warning information through its CISTA portal site to organisations that provide infrastructure, services and products that have a significant impact on the social activities of the Japanese people.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Data protection: In principle, a business operator which causes a breach of personal data is encouraged to submit a report on the data breach to the Personal Information Protection Commission (PPC) and to notify the affected data subjects accordingly. However, reporting and notification are not legally required under the current Act on the Protection of Personal Information.
This will change under the amended Act on the Protection of Personal Information, which will require business operators to submit a report on data breaches to the PPC and notify the affected data subjects if their rights and interests are likely to be infringed.
Cybersecurity: If cyber incidents occur, mandatory notification is not required. But as a form of voluntary notification, under the Cybersecurity Policy for Critical Infrastructure Protection (Fourth Edition) formulated by the Cybersecurity Strategy Headquarters, critical infrastructure operators are encouraged to report information system failures – including indications of these failures – and cyber incidents which threaten the confidentiality, integrity or availability of information to the National Centre of Incident Readiness and Strategy for Cybersecurity through competent ministries and agencies.
In addition, in the financial industry, guidelines require financial companies to report data breaches. In the telecommunications industry, if a serious accident – including a cyber incident – occurs, the business operator must report the incident without delay to the minister for internal affairs and communication (Article 28 of the Telecommunications Business Act). Similar duties apply in a few other industries.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Regarding data protection, if there is a breach of personal data held by a business operator, the operator is encouraged by the Personal Information Protection Commission (PPC) to report the breach to the PPC as described in question 5.1. Prompt reporting is desirable, but no specific deadline is imposed. If personal data has not been substantially disclosed to third parties – such as where the data breached was subject to advanced encryption – or in the case of very minor personal data breaches such as mis-transmission of an email, there is no obligation to submit a report to the PPC.
Furthermore, to prevent secondary damage and the recurrence of such incidents in the future, it is desirable to promptly contact data subjects about such incidents and promptly disclose the facts and measures taken to prevent any recurrence.
In addition, some industries, such as the financial industry, are subject to special regulations.
5.3 What steps are companies legally required to take in response to cyber incidents?
Under the Civil Code, if a business operator intentionally or negligently causes a data breach and damage to a data subject, it must compensate the data subject for the damages caused by the breach. Beyond that, although the following steps are not legally required procedures, in addition to what is outlined in question 5.2 it is desirable to:
- investigate the facts and the cause of the breach;
- identify the scope of its impact; and
- consider and implement measures to prevent any recurrence.
These procedures are voluntary, as outlined in questions 5.1 and 5.2, but may be legally required under the amended Act on the Protection of Personal Information.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
If a company does not have an established policy regarding its internal control system for information management, and a cyber incident occurs and the company suffers damages, the corporate directors and officers may be held liable for damages, including damages incurred by the company.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Awareness of cyber insurance is gradually growing in Japan, but take-up as yet is not high. According to a survey conducted by the General Insurance Association of Japan in 2019, about 63% of large companies and 34% of small and medium-sized companies surveyed were aware of cyber insurance, but only about 19% of large companies and about 3% of small and medium-sized companies had taken out cyber insurance policies.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
In June 2020 an outline of the Information System Security Management and Assessment Programme (ISMAP) was released. The purpose of ISMAP is to ensure security in governmental cloud service procurement by evaluating and registering cloud services that meet the government's security requirements, thereby contributing to the smooth penetration of cloud services. This system is based on the Federal Risk and Authorization Management Program of the United States.
Cloud services that meet the registration requirements under ISMAP will be listed and published. In principle, government agencies are supposed to select from this list when procuring cloud services. This system is intended for government agencies, but it is expected that the private sector will also refer to it to promote the proper use of cloud services in Japan.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
Chief information security officer (CISO): Management understanding of the role of the CISO is not yet well established. Although company management generally recognises that their company should address cybersecurity as an organisation, in many cases company policies are vague and do not identify specific issues. In addition, the role, tasks, duties and obligations of CISOs seem to be rather vague; thus, there is a risk that organisational measures are not being adequately promoted. In this regard, companies should clearly assign tasks, responsibility and authority to a CISO, and then establish communication links between management and the CISO.
Lack of human resources: In order to promote cybersecurity measures, it is necessary to have secure resources relating to persons who have the qualifications and skills to become CISOs or to support CISOs. But it is generally unclear what kinds of budgets and what kinds of human resources are needed in this regard. Thus, many companies struggle to secure the necessary human resources. In order to address this problem, it is necessary to build a model for security personnel and design a working internal CISO system that addresses issues such as career paths, evaluation and salaries.
Appropriate evaluation of security operation status: An increasing number of companies are preparing internal regulations to promote cybersecurity measures. However, few are conducting exercises and training to check whether these measures are operating properly. Therefore, it is necessary to strengthen countermeasures by reviewing internal rules and conducting regular exercises and training, vulnerability diagnoses, penetration tests and internal audits.