
Japan: Cybersecurity

1. GOVERNING TEXTS

1.1. Legislation

The Basic Act on Cybersecurity ('BAC') sits at the centre of Japan's regime for addressing cybersecurity legal issues and provides basic cybersecurity principles and measures. Guidelines are then prepared for each industry, and businesses and companies are required to implement their cybersecurity measures taking these guidelines into consideration. Also, the Companies Act No. 86 of 26 July 2005 ('the Companies Act') provides for the general obligations of directors and others to set up cybersecurity-related systems as part of internal control systems. Further, cybersecurity-related laws and regulations may be established for areas defined by the sensitivity of the information, such as personal information, which is generally regulated under the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended 2020) ('APPI'), or established for each industry, such as critical infrastructure areas. Furthermore, some cybersecurity-related crimes are prescribed in the relevant acts.

1.2. Regulatory authority 

Cyber Security Strategy Headquarters

In January 2015, the Cabinet of Japan established the Cyber Security Strategy Headquarters, headed by the Chief Cabinet Secretary, in accordance with Article 25 of the BAC. It is responsible for coordinating with the National Security Council, and is regarded as the control tower for the Japanese Cybersecurity Strategy, which was recently updated on 28 September 2021 ('Cybersecurity Strategy 2021') for the first time in three years. The Cybersecurity Strategy formulated by the Cyber Headquarters was approved by the Cabinet Secretariat ('the Cabinet') and is now Japan's basic cybersecurity strategy. The Cyber Headquarters lacks the authority to issue orders to, levy monetary fines on, or carry out investigations of private companies.

The Digital Agency

In May 2021, the Basic Act on the Formation of a Digital Society and the Act for Establishment of the Digital Agency were enacted, and they came into effect on 1 September 2021. At the time of the Acts coming into effect, the Digital Agency and Digital Society Promotion Council were established in accordance with the Act for Establishment of the Digital Agency. At the same time, the Basic Act on the Formation of an Advanced Information and Telecommunications Network Society was repealed, and thus, the Comprehensive IT Strategic Headquarters was abolished.

The National Center of Incident Readiness and Strategy for Cybersecurity

Simultaneously with the establishment of the Cyber Headquarters, the National Center of Incident Readiness and Strategy for Cybersecurity ('NISC') was established as an internal organisation of the Cabinet. The NISC works in cooperation with the ministries and agencies responsible for critical infrastructures, as well as other relevant ministries and agencies, and is positioned as the central institution for implementing the Cybersecurity Strategy. Like the Cyber Headquarters, the NISC lacks the authority to issue orders to, levy monetary fines on, or carry out investigations of private companies.

The competent authorities

Under the Cybersecurity Strategy 2021 and Cybersecurity 2021 (only available in Japanese here) ('the Cybersecurity 2021'), five ministries and agencies have jurisdiction over critical infrastructure providers: the Financial Services Agency ('FSA'), the Ministry of Internal Affairs and Communications ('MIC') (information and communications organisations and local governments), the Ministry of Health, Labor and Welfare ('MHLW') (medical services and water supply), the Ministry of Economy, Trade and Industry ('METI') (electricity, gas, chemicals, credit, and petroleum), and the Ministry of Land, Infrastructure, Transport and Tourism ('MLIT') (aviation, airports, railways, and logistics). Each ministry or agency formulates guidelines for its own areas of jurisdiction, serves as a point of contact for information sharing between the public and private sectors, and receives reports on cybersecurity incidents. The obligations to make reports on cybersecurity incidents are essentially unenforceable and are merely obligations to make efforts. From 1 April 2022, however, certain serious cybersecurity incidents involving the leakage of personal information will need to be reported to the Personal Information Protection Commission ('PPC') under the Amended APPI (Section 6 below makes reference to the details of such Amended APPI).

The Cybersecurity 2021 combines the annual report for 2020 and the annual plan for 2021 under the Cybersecurity Strategy. Each relevant authority is expected to implement appropriate measures to address the issues specified therein, such as the enhancement of cybersecurity in supply chains.

The Personal Information Protection Commission

The PPC was established in accordance with the APPI. Based on the APPI, the PPC is authorised to provide business operators who handle personal information with necessary guidance and advice, collect reports, conduct on-site inspections, and give recommendations and orders in the event of any violation of laws and regulations. Violations of PPC correction orders may result in the penalties described in Section 2 below being imposed.

1.3. Regulatory authority guidance

The Cybersecurity Strategy

This is a three-year action plan formulated by the Cabinet in accordance with Article 12(1) of the BAC. It sets out the basic plan for cybersecurity in order to comprehensively and effectively promote cybersecurity policies in Japan. The matters for determination are provided in Article 12(2) of the BAC. Specifically, these matters are:

  • basic objectives of cybersecurity policies;
  • matters regarding the ensuring of cybersecurity within national administrative organs and other related organs;
  • matters regarding the promotion of the ensuring of cybersecurity for critical information infrastructure operators ('CII Operators'), their professional associations, and local governments; and
  • other matters required for the comprehensive and effective promotion of cybersecurity policies.

The basic policies provided in Chapter 3, Articles 13 to 24 of the BAC, are being put in place based on the latest version of the Cybersecurity Strategy approved by the Cabinet on 28 September 2021.

Cybersecurity Management Guidelines

The Cybersecurity Management Guidelines Version 2.0 ('the Cybersecurity Management Guidelines') published by the METI, on 16 November 2017, recognise that, in order to promote cybersecurity policies, it is essential for management to consider the implementation of security measures not as 'costs', but as 'investments' essential for future business activities and growth. In view of this, the Cybersecurity Management Guidelines summarises three principles that managers should be aware of, and ten important matters on which executives in charge of implementing information security measures should be briefed.

Specifically, management should be aware of the following three points:

  • leadership should take measures against cybersecurity risks;
  • security measures must be taken across the supply chain, including business partners and contractors as well as the company itself; and
  • there should be appropriate communication with the relevant stakeholders, including disclosure of cybersecurity risks and of the measures taken against them, in both peacetime and emergencies.

In addition, the Cybersecurity Management Guidelines also set out the specifics for management briefs, such as the necessity for awareness of cybersecurity risks, formulation of organisational response policies, establishment of cybersecurity risk management systems, and the maintenance of resources (i.e., budgets, human resources, among others) for cybersecurity policies.

Cybersecurity Guidelines for Medium-to-Small Enterprises

The Information-technology Promotion Agency has issued the Guidelines for Cybersecurity Measures for Medium-to-Small Enterprises ('SMEs') (only available in Japanese here). These are intended to facilitate SMEs' (and ordinary people's) understanding of cybersecurity measures.

Guidelines for critical infrastructure areas

In the area of critical infrastructures, in addition to the Cybersecurity Strategy, the fourth action plan on critical information infrastructure security measures (published on 18 April 2017, and last revised on 30 January 2020) (only available in Japanese here) has been formulated. Specifically, the five measures below are being promoted:

  • development and dissemination of safety standards, among others;
  • strengthening information sharing systems;
  • strengthening failure response systems;
  • risk management; and
  • strengthening protection infrastructure.

In addition, the relevant ministries and agencies (i.e. the FSA, the MIC, the MHLW, the METI, and the MLIT) that have jurisdiction over critical infrastructure providers have also issued guidelines, which indicate recommended measures for information security. For example, the MLIT has issued guidelines for the maintenance of information security for the following sectors:

  • railway;
  • logistics;
  • air transport business operators; and
  • airport business operators.

In the financial sector, the FSA published Policies for Strengthening Cybersecurity in the Financial Sector (October 2018), which provides measures and responses in peacetime and in the event of an incident as a means of strengthening cybersecurity management systems of financial institutions. It also describes the promotion of measures to ensure the effectiveness of information sharing networks among financial institutions, and the strengthening of human resources development in the financial sector.

General framework for security for secure IoT systems

In August 2016, the NISC published the General Framework for Security for Secure IoT Systems ('the General Framework on IoT'). It is premised on the view that it is essential to design, construct, and operate IoT systems based on the concept of Security by Design, and it provides basic principles, action policies, and noteworthy points for realising safe IoT systems. In response to the General Framework on IoT, the MIC issued its Recommendations on IoT Security Measures (only available in Japanese here) in April 2017, in which it published the matters to be urgently addressed in the IoT Security Guidelines Ver. 1.0 (only available in Japanese here). Following this, the MIC published the IoT Security Comprehensive Measures (only available in Japanese here) in October 2017.

Other guidelines

Section 9 below makes reference to the guidelines for the specific sectors and the Telework Security Guideline.

2. SCOPE OF APPLICATION

The BAC

Enacted in November 2014 amidst serious, growing cybersecurity threats, the BAC comprehensively and effectively promotes cybersecurity policies in Japan, where safeguarding cybersecurity while ensuring free distribution of information is a pressing issue. The BAC sets out basic principles (Article 3 of the BAC) and measures for cybersecurity (Articles 13 to 24 of the BAC). It also makes provision for the following:

  • responsibilities of the national and local governments;
  • CII Operators;
  • cyber-related business operators; and
  • educational and research organisations (Articles 4 to 8 of the BAC).

The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition) ('the Cybersecurity Guidance'), published on 18 April 2017 and last revised on 30 January 2020, covers 14 critical infrastructural areas vis-à-vis CII Operators: ICT, finance, aviation, airports, railways, electricity, gases, governmental services, health care, water, logistics, chemicals, credits, and petroleum. 'Cyber-related business operators' also include, for example, communications carriers or internet service providers.

In view of the nature of the BAC, the obligations of CII Operators, cyber-related business operators, and educational and research organisations in Japan are limited to making voluntary and active efforts to establish and maintain cybersecurity in their businesses in accordance with the basic principles provided in Article 3, and to cooperating with the cybersecurity policies implemented at the local and national government levels. According to the BAC, educational and research organisations should make efforts to develop cybersecurity-related personnel, engage in cybersecurity-related research, and disseminate the findings thereof. As these are obligations to make efforts, no penalties can follow their breach.

Under the Amended BAC, which came into effect on 1 April 2019, a 'Cyber Security Council' ('the Council'; Article 17 of the amended BAC) was established to promote cybersecurity policies in preparation for the 2020 Tokyo Olympic and Paralympic Games.

The further amended BAC was enacted in May 2021, and it came into effect on 1 September 2021. In this amendment, the Digital Minister, who is the minister of the Digital Agency referred to in Section 1.2 above, was added as a member of the Cyber Security Strategy Headquarters.

Key cybersecurity-related laws

Under the Companies Act, large companies, companies with nominating committees, and companies with audit and supervisory committees, among others, are obligated to pass resolutions on internal control systems, and the prevailing view is that such internal control systems may cover information management systems and other cybersecurity-related systems. A breach of the obligation to develop an internal control system could render a director liable to pay compensation for damages for non-compliance with the duty of care of a good manager. Under the non-legally binding Cybersecurity Management Guidelines (Section 1.3), published by the METI, cybersecurity is regarded as a management issue, and the Guidelines are considered an important reference when examining a director's breach of the duty of due care of a good manager.

Under the APPI, business operators handling personal information in Japan are, as the term suggests, required to handle personal information in accordance with the regulations under the APPI. The Amended APPI is implemented by cross-sectoral administrative guidelines prepared by the PPC. With respect to certain sectors, such as medical, financial, and telecommunications sectors, sector-specific guidance and guidelines are published by the PPC or the relevant governmental ministries given the highly sensitive nature of personal information handled in those sectors. Self-regulatory organisations and industry associations have also adopted their own policies or guidelines.

Business operators handling personal information are not obligated under the APPI to maintain cybersecurity. However, they are obligated to take necessary and appropriate measures to manage personal data security (Article 23 of the APPI from 1 April 2022) and to supervise employees and contractors (i.e., entrusted persons) (Articles 24 and 25 of the APPI from 1 April 2022). Breaches of these obligations may lead to the PPC issuing recommendations (Article 145(1) of the amended APPI from 1 April 2022), and orders may be issued to those failing to comply with such recommendations (Article 145(2) and (3) of the amended APPI from 1 April 2022). Violators of such orders may face imprisonment with labour for not more than 12 months or a fine of not more than JPY 1 million (approx. €7,300) (Article 173 of the APPI from 1 April 2022). Business operators handling personal information, their employees, or those formerly in such a position who provide or misappropriate personal information databases, or the like, which they handle for their business, in order to unfairly benefit themselves, commit the offence of the improper provision of personal information databases and the like. The penalty for this offence is imprisonment with labour for not more than one year or a fine of not more than JPY 500,000 (approx. €3,650) (Article 174 of the APPI from 1 April 2022). The fines stated above have been raised to JPY 100 million (approx. €730,720) in the case of corporations (Article 179 of the APPI from 1 April 2022).

It is notable that the amended APPI will enter into full force on 1 April 2022. The amended APPI will have a significant impact on businesses as it includes, inter alia:

  • new regulations on 'pseudonymised information';
  • new regulations on third-party transfers of 'individual related information' (including cookie information) where it is anticipated that the recipient may identify an individual, even if the disclosing party cannot identify an individual;
  • the addition of matters to be disclosed by business operators;
  • enhancement of the rights of data subjects;
  • obligation to report to the PPC and notify a data subject with regard to data breaches;
  • stricter regulations on cross-border transfers;
  • broadened enforcement options on entities outside of Japan; and
  • reinforcement of criminal penalties (e.g., lifting the upper limit on fines for corporations to JPY 1 million (approx. €7,300)).

Please note that the new penalties entered into force on 12 December 2020.

The Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (Act No. 27 of 2013, as amended) ('the Number Act') provides special rules concerning the handling of 'individual numbers', which are granted to each resident of Japan under the Individual Social Security and Tax Numbering System (known in Japan as the 'My Number System'), and other specific personal information (i.e., personal information containing any 'individual number'). Furthermore, acquiring individual numbers by certain improper means, including unauthorised access, is subject to sanction (Article 51 of the Number Act).

The Unfair Competition Prevention Act (Act No. 47 of 19 May 1993) ('the Unfair Competition Act') outlines that, where information constitutes a 'trade secret' (i.e. it is kept secret, constitutes useful information, and is non-public by nature), trade secret holders may obtain injunctions (Article 3 of the Unfair Competition Act) and make claims for compensation for damages (Article 4 of the Unfair Competition Act) for certain types of unfair competitive practices (Article 2(1)(iv) to (x) of the Unfair Competition Act) vis-à-vis their trade secret. Trade secret violations are subject to criminal sanction (Article 21 of the Unfair Competition Act).

With the expansion of the use of big data, the amended Unfair Competition Prevention Act of 2018 (enforced on 1 July 2019) ('Amended Unfair Competition Act') now provides that 'limited provision data' ('LPD') (Article 2(7) of the Amended Unfair Competition Act) covers data that does not constitute a trade secret but is provided to a party only through the use of identity documents and passwords (except data managed as confidential), and that LPD holders may obtain injunctions (Article 3 of the Amended Unfair Competition Act) and make claims for compensation for damages (Article 4 of the Amended Unfair Competition Act) resulting from certain types of unfair competitive practices (Article 2(1)(xi) to (xvi) of the Amended Unfair Competition Act). However, unlike trade secret violations, LPD violations are not subject to criminal sanction under the Unfair Competition Prevention Act.

Holders of trade secrets or LPD must exercise a certain degree of control over their trade secrets or LPD in order to be afforded protection under the Unfair Competition Prevention Act.

The Penal Code (Act No. 45 of 1907) classifies the following acts that threaten cybersecurity as criminal offenses:

  • those who commit the offense of unauthorised creation of electromagnetic records (Article 161-2 of the Penal Code) regarding rights, obligations, or the certification of facts to mislead others in their administrative processing may face criminal sanctions. For example, transmitting false information and voluntarily creating or changing customer database data for Internet membership registrations constitute acts of unauthorised creation of electromagnetic records;
  • those who commit the offense of unauthorised creation of electromagnetic record which is encoded in a credit card or other cards for the payment of charges for goods or services (Articles 163-2 to 163-5 of the Penal Code) for the purpose of bringing about improper administration of the financial affairs of another person may face criminal sanctions. An example of this offense is the unauthorised creation of credit cards by using credit card information stolen by the credit card skimming;
  • those who commit the offense of computer fraud (Article 246-2 of the Penal Code) of creating false electronic data regarding the acquisition, loss or change of property rights by giving false information or unauthorised instructions to computers may face criminal sanctions. An example of this offense is the misuse of stolen credit card numbers to make credit card payments over the Internet;
  • the offense of the destruction of electromagnetic records (Articles 258 and 259 of the Penal Code) is subject to criminal sanction as an act of the destruction of electronic data. An example of this offense is gaining unauthorised access to and deleting electronic data on an access point server;
  • the offense of the obstruction of business by damaging computers, and the like (Article 234-2 of the Penal Code) is subject to criminal sanction as an act of obstructing a person's business by inhibiting the function of computers or electronic data used therein. The act of infecting a computer with ransomware is an example of this offense; and
  • the offense of creating malware (Articles 168-2 and 168-3 of the Penal Code) is subject to criminal sanction as an act of creating or transmitting computer viruses with the aim of causing computers to run them.

Notably, in January 2022, the Supreme Court of Japan ruled that Coinhive, a virtual currency mining tool that uses the resources of viewers' computers, was not malware because it did not meet one of the requirements for the offense of creating malware, namely the 'unauthorised' element of Article 168-2 of the Penal Code, and thus the accused, who had embedded Coinhive on his own website, could not be found guilty. When the accused in this criminal case was prosecuted in 2018, many engineers in Japan strongly remonstrated with the police and the public prosecutor, and the lower court decisions had been controversial.

As for cybercrime, the following digital investigation procedures are available:

  • the court or the investigation authorities (i.e., public prosecutors, public prosecutor's assistant officers or judicial police officials) may, when it is necessary, seize records created under a record copying order (Article 99-2 of the Code of Criminal Procedure);
  • the person executing the seizure warrant may copy the electronic or magnetic records onto some other recording medium, print them out or transfer them, and may then seize the said other recording medium in lieu of the said seizure (Article 110-2 of the Code of Criminal Procedure); and
  • the court or the investigation authorities may, when it is necessary, seize records after remotely downloading the subject data from another computer or server under a certain order (Article 99(2) of the Code of Criminal Procedure).

The National Police Agency is now submitting to the National Diet of Japan ('the Parliament') a draft amendment to the Police Act (Act No. 162 of 1952) (only available in Japanese here) in which (i) a Cyber Police Bureau will be established under the National Police Agency, and (ii) a Special Investigation Branch for Cybercrime, which directly (i.e., as the state organ; rather than the prefectural police) investigates 'serious cybercrime' (cybercrime targeting the Government of Japan or CII operators, etc.), will also be established under the National Police Agency.

The Act on Prohibition of Unauthorized Computer Access 1999 (as amended in 2013) ('the Computer Access Act') provides that, in order to prevent unauthorised access through network use, the misuse of another person's identification code (i.e., identity document, passwords, among others) and unauthorised access, such as the misappropriation of computer programs, are prohibited and subject to criminal sanction under Article 11 of the Computer Access Act. Acts incidental to the unauthorised acquisition of information are also subject to sanction under the same section of the Act. Further, under the Computer Access Act, access administrators are obligated to take measures to prevent unauthorised access (Article 8 of the Computer Access Act).

Others

Other laws and regulations related to cybersecurity include:

3. DEFINITIONS

Under the laws of Japan, the following definitions are provided in relation to cybersecurity.

Cybersecurity: The necessary measures that need to be taken to safely manage information, such as the prevention of the leakage, disappearance, or damage of information which is stored, sent, in transmission, or received by electronic, magnetic, or other means unrecognisable by human perception, and to guarantee the safety and reliability of information systems and information and telecommunications networks, and that those states are appropriately maintained (Article 2 of the BAC).

CII operators: Operators of businesses that provide infrastructure which is the foundation of people's livelihood and economic activities and the functional failure or deterioration of which would pose an enormous risk of impacting them (Article 3 of the BAC).

Cybersecurity strategy: A basic plan for cybersecurity (Article 12 of the BAC).

Personal information database: An assembly of information including personal information, as set forth below, which is (Article 16(1) of the APPI from 1 April 2022):

  • an assembly of information systematically arranged in such a way that specific personal information can be retrieved by a computer; or
  • an assembly of information designated by a Cabinet Order as being systematically arranged in such a way that specific personal information can be easily retrieved.

Business operator handling personal information: A business operator using a personal information database, etc. for its business except for the State organs, local governments, etc (Article 16(2) of the APPI from 1 April 2022).

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

Under the laws of Japan, no laws or regulations exist that generally require that certain information management systems be in place. However, as mentioned earlier, under the Companies Act, large companies, companies with nominating committees, and companies with audit and supervisory committees, among others, are obligated to establish internal control systems, and the prevailing view is that such internal control systems may cover information management system and other cybersecurity-related systems. The nature and structure of the appropriate system will depend on the specific circumstances of each company, but the Cybersecurity Management Guidelines are used as a reference for its determination.

Also, under the APPI, a personal information handling business operator is obliged to take necessary and appropriate action for the security control of personal data (Article 23 of the APPI from 1 April 2022). According to the PPC's guidelines, such action must be necessary and appropriate in light of the size and nature of the business, the status of the handling of personal data (including the nature and amount of personal data handled), and the nature of the media on which the personal data is recorded, taking into account the extent of the infringement of the rights and interests that the person concerned would suffer should personal data be leaked, among other matters. Under the amended APPI, a personal information handling business operator is required to disclose certain information about the actions and measures implemented to secure the security control of retained personal data (Article 10 of the amended Cabinet Order to Enforce the APPI, Article 32(1) of the APPI from 1 April 2022). In addition, operators handling anonymously processed information must also fulfil obligations for security control measures (Article 46 of the amended APPI from 1 April 2022).

4.1. Cybersecurity training and awareness

No laws or regulations of Japan require cybersecurity training or the improvement of employees' cybersecurity awareness. Notably, the Cybersecurity Management Guidelines encourage companies to conduct cybersecurity training for employees in general or for employees in charge of cybersecurity. Also, there is the Cyber Security Research-Training Center in the National Police Academy (Article 89 of the Regulation for Enforcement of the Police Act (only available in Japanese here)), which was established as a special institute to research digital data analysis techniques for countering cybercrime and to train staff.

4.2. Cybersecurity risk assessments

No laws or regulations of Japan require cybersecurity risk assessments. However, when seeking information security management system ('ISMS') certification (referred to in Section 11), whether a company conducts cybersecurity risk assessments is taken into consideration.

4.3. Vendor management

The importance of the management of vendor cybersecurity has been recognised, but there are no specific laws or regulations of Japan that pose certain statutory obligations on an entity with respect to vendor cybersecurity.

In light of the protection of personal information, under the APPI, business operators handling personal data are required to conduct necessary and appropriate supervision over the service providers who process personal data on their behalf (Article 25 of the amended APPI from 1 April 2022). Such supervision may include:

  • selecting appropriate service providers;
  • executing service agreements; and
  • keeping informed of the status of the personal data handled by service providers.

4.4. Accountability/record keeping

Internal control systems (referred to in Section 2), including cybersecurity-related systems, may be audited via internal audits. Internal audits may include:

  • information security audits, which are conducted in accordance with the Information Security Management Standards (only available in Japanese here) and the Information Security Audit Standards (only available in Japanese here) published by the METI; and
  • system audits, which are conducted in accordance with the System Management Standards (only available in Japanese here) and the System Audit Standards (only available in Japanese here) published by the METI.

There are no general laws or regulations that require the recording of data processing activity except for those under the APPI with respect to personal data, and no laws or regulations of Japan that are similar to Privacy by Design or Privacy by Default as provided in the GDPR.

5. DATA SECURITY

No general requirements in relation to the topics above with respect to data security exist in Japan, but as mentioned earlier, certain companies are obligated to establish internal control systems, which may include information management system and other cybersecurity-related systems, and such internal control systems may cover some of the topics above such as a security policy, organisational, physical, or technical measures, and access control. The nature and details of the appropriate system will depend on the specific circumstances of each company, but the Cybersecurity Management Guidelines are used as a reference for its determination.

While no statutory obligations or requirements currently exist under the laws of Japan, following the assessment of the Japan Institute for Promotion of Digital Economy and Community ('JIPDEC'), companies' information security management systems ('ISMSs') may need to be certified in compliance with international standards. Not only would such certification ensure the credibility of information security externally, it could likely have the merit of strengthening ISMSs internally, as it would be necessary to construct and continuously operate an ISMS.

Under the APPI, as mentioned earlier, business operators handling personal information are obligated to take necessary and appropriate measures to manage personal data security (Article 23 of the APPI from 1 April 2022), which may include organisational, personnel, physical, and technical security measures. Such security measures are elaborated on in the PPC's cross-sectoral administrative guidelines for the APPI. For instance, encryption of personal data is recommended as part of the technical security measures, and adoption of internal security rules or policies is required.

Due to the recent e-payment fraud incidents caused by inappropriate authentication processes, multi-factor authentication is strongly recommended particularly in the e-payment industry.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

In Japan, there are no general reporting obligations for cybersecurity incidents. However, in view of heightened levels of public interest in information leaks, and in order to minimise damage, including reputational risks, businesses and companies are required to respond quickly and appropriately to crises.

Further, efforts must be made to report personal information leaks to the PPC. In accordance with Article 26 of the APPI, which will enter into force on 1 April 2022, it will be mandatory, under certain circumstances, to report to the PPC and notify the data subjects with regard to data breaches. The report must include an overview of the breach, the type of personal data leaked, the number of persons related to the leaked personal data, the cause of the breach, etc. (stipulated in Article 8(1) of the amended Enforcement Rules for the APPI, which will enter into force on 1 April 2022). The report must be submitted twice; in this regard, (i) the first report must be submitted promptly after recognising the above matters to be reported (Article 8(1) of the amended Enforcement Rules for the APPI), and (ii) the second report must be submitted within 30 days (in the case of a cyberattack, 60 days) after recognising the above matters to be reported (Article 8(2) of the amended Enforcement Rules for the APPI). In addition, it is noteworthy that reporting obligations under legislation to protect personal information overseas, such as the General Data Protection Regulation (Regulation 2016/679) ('GDPR'), could arise.

Furthermore, under the Telecommunications Business Act (Act No. 86 of 25 December 1984) ('the Telecommunication Act'), a telecommunications carrier must report without delay to the MIC any leak of confidential information of communications or any other serious incident concerning its telecommunications activities, together with the reasons or causes thereof (Article 28 of the Telecommunication Act).

7. REGISTRATION WITH AUTHORITY

Registration with a regulatory authority in relation to cybersecurity is not required in Japan.

8. APPOINTMENT OF A SECURITY OFFICER

No general obligation to appoint a security officer exists in Japan. In addition, regarding the protection of personal information, the obligation to designate a Data Protection Officer, which is required under the GDPR, does not exist under the APPI. Please note that the Cybersecurity Management Guidelines, above, recommend that management appoints a Chief Information Security Officer. In addition, registered information security specialists (Article 6 of the Act on Facilitation of Information Processing (No. 90 of 1945 as amended) (only available in Japanese here)) are expected to support cybersecurity operations or the implementation of cybersecurity measures in companies, etc.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services

The Policies for Strengthening Cybersecurity in the Financial Sector 2018 published by the FSA illustrate its policies to, among others, strengthen financial institutions' cybersecurity management systems, improve the effectiveness of information sharing frameworks among financial institutions, and strengthen the development of human resources in the financial sector. Since 2016, the FSA has implemented annual financial industry-wide cybersecurity exercises (Delta Wall) for the purpose of improving financial institutions' ability to respond to cyberattacks.

With the rise of cryptocurrency transactions, a Virtual Currency Exchange Service ('VCES') provider is subject to statutory obligations under the Financial Services Act to take necessary measures for preventing leakage, loss, or damage of information pertaining to the VCES and otherwise ensuring safe control of the handling of that information.

The Instalment Sales Act (Act No. 159 of 1 July 1961) ('Instalment Sales Act'), which was amended and entered into effect on 1 June 2018, in order to address the increased risk of wrongful use of credit card numbers, obligates, among other things, member stores to appropriately handle credit card information and to take countermeasures against wrongful use thereof. In 2020, the Instalment Sales Act was further amended, as a result of which brokers for payment agents, QR code payment businesses, and EC mall businesses, etc., are also required to handle credit card information appropriately and to take countermeasures against wrongful use thereof. In addition, the Instalment Sales Act requires registration by acquirers and payment service providers ('PSPs') which are granted by acquirers an authority to execute membership agreements with member stores.

Health

The following security guidelines are specifically applicable to the health sector:

  • Security Guidelines for Medical Information Systems (Version 5.1, 2021) published by the MHLW;
  • Security Guidelines for Information System Service Providers Handling Medical Information (2020) (only available in Japanese here) published by the METI and the MIC, which were established by merging the following two guidelines:
    • Security Guidelines for Information Processing Operators Handling Medical Information for Others 2012 (Second Edition) published by the METI; and
    • Security Guidelines for ASP and SaaS Providers Handling Medical Information 2010 (Ver. 1.1) (only available in Japanese here) published by the MIC.

The MHLW is now considering an amendment of the Security Guidelines for Medical Information Systems because of the increased frequency of ransomware attacks on hospitals, and thus Version 5.2 thereof, which newly includes measures against ransomware attacks, will be released on 1 April 2022.

Telecommunications / IT

As mentioned above in Section 1.1(2), Article 7 of the BAC provides the obligations of IT-related businesses, such as telecommunications carriers and internet access providers, to voluntarily and actively make efforts to maintain cybersecurity.

In addition, under the Telecommunication Act, certain telecommunications carriers are obligated to comply with, among other things, technical standards in order to improve the safety and reliability of telecommunications business. Under the Telecommunication Act, telecommunications services are defined as certain services that intermediate communications of third parties through the use of telecommunications facilities, or that otherwise provide telecommunications facilities for the use of communications by third parties. Telecommunications facilities are broadly defined to include machines, equipment, wires, and cables, or other electrical facilities for the operation of telecommunications. Also, any person who intends to operate a telecommunications business, whether located in Japan or outside Japan, must obtain registration from the MIC, except in cases where:

  • it installs no telecommunications circuit facilities;
  • it only installs small-scale telecommunications circuit facilities (i.e., the relevant telecommunications facilities remain within a certain local area); or
  • it installs radio facilities of radio stations which separately require a license under the Radio Act.

In these exceptional cases, such a person must file a notification with the MIC (instead of obtaining registration from the MIC).

The Radio Act (Act No. 131 of 2 May 1950) (as amended in 2014) ('the Radio Act') is applicable when telecommunications carriers use radio equipment in their networks; security-related regulations are also covered under the Radio Act.

Employment

The Cybersecurity Management Guidelines encourage companies to conduct cybersecurity training for employees in general as well as for employees in charge of cybersecurity.

As for telework, the Telework Security Guidelines (5th Edition, 2021) published by the MIC provide examples of security measures for introducing teleworking arrangements. In the 5th edition, COVID-19 was taken into consideration and a complete revision of the guidelines was introduced.

Education

The Guidelines on Educational Information Security Policies (the latest update was December 2019) (only available in Japanese here) published by the Ministry of Education, Culture, Sports, Science and Technology ('MEXT') provide useful information for the board of education in each local administration to implement its own educational information security policy, including the use of cloud computing services at schools. In addition, there exist the Guidelines for Cybersecurity Policy of Local Government issued by the MIC for the staff members of local governments. Since ICT is now being utilised in public schools, teachers and staff members of public schools should also be aware of such guidelines.

Insurance

Not applicable.

Mobility

The Road Transport Vehicle Act (Act No. 185 of 1951 as amended 2020) (only available in Japanese here) was amended in order to permit certain types of autonomous driving. In this regard, the Safety Regulation for Road Vehicles was also updated by the MLIT to require cybersecurity measures for road vehicle electronic equipment.

10. PENALTIES

Under the laws of Japan, no penalties are directly imposed for a lack of adequate cybersecurity measures. However, as described in Section 2 above, instances may arise in which the board of directors in charge of the structure and operation of the internal control system is liable for a breach of the duty of care of a good manager, and should there be a violation of, or conflict with, any of the relevant laws and regulations mentioned above, such violation could lead to penalties being imposed under the relevant laws and regulations.

11. OTHER AREAS OF INTEREST

Critical information infrastructure operators

As mentioned above, under Article 6 of the BAC, CII Operators are obligated to voluntarily and actively make efforts to maintain cybersecurity. These obligations of CII Operators are distinguished from those of IT-related business operators, which are private companies (Article 7 of the BAC), and CII Operators are also obligated to make efforts to deepen their interest in and understanding of the importance of cybersecurity in order to provide their services in a stable and appropriate manner. In addition, matters concerning the promotion of cybersecurity at CII Operators and their organisations, as well as local governments, are clearly provided for in the Cybersecurity Strategy (Article 12(2)(iii) of the BAC). The above-mentioned Cybersecurity Guidelines have been formulated to provide the specifics regarding the Cybersecurity Strategy.

The following 14 major infrastructural areas are provided under the Cybersecurity Strategy: ICT, finance, aviation, airports, railways, electricity, gases, governmental services, health care, water, logistics, chemicals, credits, and petroleum.

Essential services

Relevant ministries and agencies (i.e. the FSA, the MIC, the MHLW, the METI, and the MLIT) that have jurisdiction over critical infrastructure providers have also issued guidelines. Unlike under the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'), operators subject to the jurisdiction of the ministries and agencies above are not individually specified.

Cloud computing services

Cloud services have the advantage of enabling multiple users to share resources, allowing them to expand system resources inexpensively. By the same token, the centralised management of the systems and data of multiple users by cloud providers creates the risk that an administrative error spreads to multiple users. In addition, it is necessary to clarify the sharing of responsibilities between cloud providers and users. The Information Security Management Guidelines for the Use of Cloud Services (2013) (only available in Japanese here), published by the METI in March 2014, provide advice on the selection and implementation of appropriate controls from ISO Q 27002 (code of practice) and guidance on optimal implementation in order to address the risks associated with the use of cloud services. Also, the Information Security Measures Guidelines for the Provision of Cloud Services (2nd edition, 2018) (only available in Japanese here), published by the MIC in July 2018, provide advice for cloud service businesses on addressing the risks associated with the provision of IoT or cloud services.

Under the APPI, the consent of the person concerned is required, in principle, when providing personal data to a third party; such consent is not required in exceptional cases, such as when the handling of personal data is outsourced to the relevant third party (Article 27 of the amended APPI from 1 April 2022). The use of a cloud service that constitutes providing personal data to a cloud service provider is often considered to be an outsourcing arrangement, in which case cloud service users are obligated, as the outsourcing party, to supervise the cloud service provider. The exceptions do not apply to outsourcing to overseas cloud services (Article 24 of the APPI (Article 28 of the amended APPI from 1 April 2022)); therefore, the consent of the person concerned must be obtained, or the business operator must ensure that the cloud service provider takes appropriate measures.

However, where cloud service providers do not handle personal data, the consent of the person concerned is not required, as the PPC does not consider the use of cloud services in Japan or overseas to be the provision of personal data to a third party where personal data on a server is not to be handled by the cloud service provider, contractual provisions stipulate to such effect, and appropriate access control is put in place.

In addition, each ministry and agency has issued guidelines on safety management regarding the use of cloud services in the medical and financial sectors.

Digital Service Providers

According to the NIS Directive, three types of companies providing digital services are classified as Digital Service Providers (DSP):

  • online marketplaces;
  • online search engines; and
  • cloud computing services.

In Japan, there are no cybersecurity regulations specific to online marketplaces and online search engines, while cloud computing services regulations are discussed in Section 11 above.

5G Systems

With the increasing risks associated with IoT devices and the anticipation of new risks in connection with the launch of 5G services, the Comprehensive Measures for IoT and 5G 2019 (only available in Japanese here) were published by the Cybersecurity Taskforce established by the MIC, in which the MIC sets out the necessary cybersecurity measures for IoT and 5G, including the furtherance of research and development, the development of human resources, the promotion of international cooperation, and the promotion of information sharing and disclosure.

From February 2019, the MIC and the National Institute of Information and Communications Technology ('NICT') started conducting the National Operation Towards IoT Clean Environment ('NOTICE') project to survey vulnerable IoT devices and to alert users to the problem.

Notable Incidents

In September 2020, NTT Docomo Inc., a major mobile phone carrier in Japan, announced that a total of JPY 25.42 million (approx. €185,660) had been stolen from customers' bank accounts linked to their respective Docomo Accounts, which were opened for NTT Docomo's e-payment service. A customer can use its Docomo Account for purchasing goods and services online and for transferring money to other bank accounts via the bank account linked to its Docomo Account. It was reported that multi-factor authentication was not implemented when users transacted with the banks via their Docomo Accounts, and that this was one of the causes of the fraud.

In October 2021, Tsurugi Municipal Handa Hospital was attacked by ransomware, and this resulted in the Hospital being unable to handle its usual medical care operations for approximately two months. Given the nature of such a serious attack, the MHLW started considering an amendment of the Security Guidelines for Medical Information Systems, and in this regard, version 5.2 thereof (including measures for ransomware attack) will be released on 1 April 2022.

Soichiro Fujiwara, Partner
Keiji Tonomura, Partner
Nagashima Ohno & Tsunematsu, Tokyo
