The Japanese government’s Personal Information Protection Commission (PPC) will require companies that experience a breach of personal information due to a cyberattack to notify everyone whose information was compromised. Non-compliant companies will be fined a maximum of 100 million yen. The names of companies that are non-compliant with malicious intent will be disclosed. The requirement will be implemented as early as spring of 2022. Companies that respond improperly will face a greater risk of lawsuits, so they will need to adhere strictly to the rules.
Among all stock-listed companies and their subsidiaries, 372 companies experienced a breach or loss of personal information between 2012 and 2019, according to Tokyo Shoko Research. There were 685 incidents during the same period, meaning that the personal information of 88.89 million people may have been breached or lost.
Some breaches were major incidents, such as the case of Benesse Holdings, in which personal information of 35.04 million people was breached in 2014. About 80% of the incidents, however, involved breaches or losses of less than 10,000 individuals.
Although some companies notify each person whose information was breached, the decision to inform individuals is left up to the companies under the current regulations. Masanori Kusunoki, Visiting Research Fellow at the Center for Global Communications, International University of Japan, says that there may be cases that are not made public because “it is difficult to determine whether there was a breach.”
The amended Act on the Protection of Personal Information enacted in June 2020 requires notification to the concerned individuals in cases where “a breach may pose a threat to individual rights.” The PPC will state the strict rules explicitly in the regulations so that companies will need to take action.
If a data breach is caused by unauthorized access such as a cyberattack, companies will be required to notify individuals without exception. The purpose of many cyberattacks is fraud or the sale of personal information on illegal websites. Over 70% of corporate data breaches are caused by external attacks, according to Verizon of the U.S.
Even if a breach is not caused by a cyberattack, companies will be required to notify affected individuals if the effect of the breach is deemed to be severe. Such cases may be breaches of medical histories or incidents involving information of a large number of individuals.
A detailed investigation will become necessary in order to notify every single person. Currently, many companies post an apology on their websites or inform people of the breach in an email. In the future, companies will need to inform each individual in detail of the data that was leaked.
Companies perform data analysis called digital forensics in order to investigate which data was breached. Such data may include communications records, email addresses, bank account details, or purchase histories. The process is said to cost over 1 million yen per computer, so if the damage is wide-ranging, costs will surge.
Once the rules are clearly stated, a company whose inadequate response comes to light faces an increased risk of lawsuits. There are cases in the U.S. of damages reaching an estimated 1 billion dollars or of companies being forced into bankruptcy. The costs include collective damage claims, system improvements, and the reissuing of credit cards.
The California Consumer Privacy Act requires entities to notify individuals of data breaches. The European Union’s General Data Protection Regulation (GDPR) requires notification within 72 hours. Takeshige Sugimoto, a lawyer, says that the U.S. and European countries have strict requirements to deal with data breaches due to unauthorized access, and that Japan is now moving closer to the global standard.
The market for cyberinsurance, which may compensate for the cost of cause analysis and notification, is over 3.5 billion dollars in the U.S. and Europe. In Japan, Tokio Marine & Nichido Fire Insurance, which offers cyberinsurance, has teamed up with a consulting company affiliated with the legal firm TMI Associates to launch a business supporting forensic investigations and notifications. Only 10% of Japanese companies have cyberinsurance. The market for cyberinsurance may expand to meet the needs created by stricter regulations.