MONOLITH LAW OFFICE+81-3-6262-3248Weekdays 10:00-18:00 JST

MONOLITH LAW MAGAZINE

Internet

Confidential Information such as Customer Data Leaked on Anonymous Bulletin Boards! Methods for Deletion and Identifying the Poster

Internet

Confidential Information such as Customer Data Leaked on Anonymous Bulletin Boards! Methods for Deletion and Identifying the Poster

It is, of course, a serious matter for a company when confidential information managed within the company, such as personal information about customers, is leaked on internet bulletin boards and the like. In the event of such information leakage, you would want to promptly delete the relevant information and, if necessary, identify the perpetrator who leaked the information.

However, such deletion and identification of the poster are not naturally achievable. As will be explained later, both deletion and identification of the poster can only be realized if it can be said that the company’s ‘some rights’ have been violated by the fact that the relevant facts have been posted. This is a difficult issue to determine what rights can be said to have been violated when confidential information is posted.

The company’s ‘some rights’ have been violated by the posting of the relevant facts

This is the premise of the law, and it is a difficult issue to determine what rights can be said to have been violated when confidential information is posted.

While the deletion of leaked information and the identification of the poster are highly difficult and specialized tasks, our firm has been successful in deletion and identification of the poster (disclosure of IP address) in such cases.

Deletion and Identification of Posters Requires an Infringement of ‘Some Right’

As a premise, the following logic is necessary to carry out deletion and identification of posters.

  • Because the posted information infringes on ‘some right’ of the company, it should be permissible to delete it.
  • Because the posted information infringes on ‘some right’ of the company, it should be permissible to disclose information about the poster (based on the provisions of the Japanese Act on the Limitation of Liability for Damages of Specified Telecommunications Service Providers).

In other words, it is necessary to claim that ‘some right’ is being infringed upon in either case.

The typical example of this ‘some right’ is the right to reputation (defamation). For example, if it is written that “Company XX is window-dressing its financial statements,” it can be said that “This statement is claiming that the company is committing a criminal act, and being accused of such would lower the company’s reputation in society (in legal terms, ‘social evaluation would decrease’), and there is no fact that window-dressing of financial statements has been conducted,” thus, there is an infringement of the ‘right to reputation’.

https://monolith.law/reputation/defamation[ja]

Other examples include the right to privacy. If information about an individual’s love affairs is posted, that individual can claim an invasion of privacy.

https://monolith.law/reputation/privacy-invasion[ja]

Is the Leakage of Confidential Information a Defamation or Invasion of Privacy?

So, what rights can be said to have been violated when confidential information, such as customer information, is leaked?

Claiming defamation is quite difficult. While it’s true that being perceived as having caused a leak of customer information might lower your social reputation, the fact that a leak occurred is unfortunately true, so defamation does not apply.

Claiming an invasion of privacy is also challenging. Certainly, from the perspective of a customer who has suffered from an information leak, there is room to claim an invasion of privacy regarding information such as “the individual in question is a customer of the company” or their own name and address. However, the only ones who can claim this violation are the customers themselves, and the company cannot claim an invasion of privacy on behalf of its customers. In other words,

  • It is possible for the company to inform the customer of the leak, have the customer request a lawyer, and for the lawyer to use the customer’s power of attorney to claim an invasion of privacy and carry out deletions, etc. The company can then compensate the customer for the equivalent of the lawyer’s fees.
  • It is not possible for the company to request a lawyer, and for the lawyer to use the company’s power of attorney to claim an invasion of the company’s privacy and carry out deletions, etc.

This is the situation.

What is the Infringement of “Business Rights or Business Execution Rights”

The case our firm was asked to handle involved the leakage of customer information. Specifically, a company’s customer information was leaked on an anonymous bulletin board, presumably by an insider.

We asserted the infringement of “business rights or business execution rights”.

“Business rights or business execution rights” are the rights of a company to conduct its business. These rights are constituted by the company’s property rights and the labor actions of its employees, and include the personal rights of those engaged in the corporation’s business. Although this is a complex concept, it essentially means:

  • While the conduct of business by a for-profit company is essentially an economic activity and not inherently protected by law,
  • The core of this activity is the specific employees’ “personal rights”, and if these are infringed upon to a certain extent, they are worthy of legal protection.

In past court cases, it has been stated:

Regarding actions against a corporation, if ① the action exceeds the appropriateness of exercising rights, ② significantly harms the originally intended use of the corporation’s assets, and also causes confusion and discomfort to its employees beyond their tolerance, and ③ the degree of disruption to the “business” is significant, and it is recognized that significant damage that is difficult for the corporation to recover from occurs through subsequent damage compensation, this action can be evaluated as an illegal interference with the “business execution rights”, and the corporation can request the cessation of the interference based on the “business execution rights”.

Tokyo High Court Decision, Heisei 20 (2008) (Ra) No. 181

Based on this, in this case, we specifically raised the following facts with evidence and claimed the infringement of business rights or business execution rights:

  1. The customer information in question is strictly handled as confidential information within the company.
  2. If the leakage of the customer information expands, such as being reposted on other sites, the company’s social credibility could significantly decrease, and the amount of damages that may have to be borne to the customers could potentially become so high that it is difficult to estimate.
  3. If such a situation occurs, the disadvantage related to the execution of duties by the company’s employees would become severe.

Furthermore, the first point is a concept similar to trade secrets under the Japanese Unfair Competition Prevention Act. However, this article will not go into detail, but even if it is deemed to fall under “trade secrets under the Unfair Competition Prevention Act”, it does not necessarily mean that deletion or identification of the poster is permitted.

https://monolith.law/corporate/trade-secrets-unfair-competition-prevention-act[ja]

Summary

In this case, our firm argued for the infringement of “business rights or the right to carry out business” as mentioned above. The judge acknowledged this and granted:

  • The removal of the article in question
  • The disclosure of the IP address related to the poster of the article

However, it is not always clear whether one should claim the infringement of “business rights or the right to carry out business” in all cases where confidential information has been leaked. To achieve deletion or identification of the poster, it is sufficient to claim the infringement of “some right”, and depending on the case, it may be more appropriate (and easier to gather evidence, and the court is more likely to acknowledge it as “illegal”) to claim other rights. The decision on which rights to claim under specific circumstances is a sophisticated legal argument that should be made by a lawyer who handles many such cases.

Furthermore, even if one were to claim the infringement of “business rights or the right to carry out business”, what kind of facts and evidence should be gathered in a specific case is also a sophisticated legal judgment.

If a leak of confidential information occurs, the information should be deleted as soon as possible. Once information is released on the Internet, if left unattended, it may be reposted on other sites, posing a risk of further damage.

Moreover, generally speaking, identifying the poster is a battle against a strict time limit.

https://monolith.law/reputation/prescription-of-defamation[ja]

In the event of a leak of confidential information, it is necessary to make the above-mentioned sophisticated judgments promptly and take appropriate measures for deletion and identification of the poster.

Managing Attorney: Toki Kawase

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. Served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage Startups.

Return to Top