What to Do in the Event of a Personal Data Breach? Explanation of Administrative Measures Companies Should Take

With the advancement of the internet and the ability to exchange information online, there has been an increase in cases where important corporate information is inadvertently leaked in unexpected ways.

In recent years, the value of information has been increasing, and once a leak occurs, it can become a major problem that damages credibility. As a corporation, it is required to respond appropriately and promptly in the event of an information leak.

In this article, we will provide a detailed explanation of the administrative responses that a company should take in the event of an information leak.

Administrative Response Required for Information Leaks

Not all information leaks are the same; the content and importance of the information vary. Administrative action is required when personal information is leaked.

The definition of personal information is stipulated in Article 2, Paragraph 1 of the Japanese Act on the Protection of Personal Information (hereinafter referred to as the “Personal Information Protection Act”).

(Definition)
Article 2 In this Act, “personal information” refers to information about a living individual that falls under any of the following categories:
1. Information that can identify a specific individual by name, date of birth, or other descriptions contained in the information (excluding personal identification codes), whether recorded in documents, drawings, or electromagnetic records (records created by electromagnetic methods, including electronic and magnetic methods, that cannot be recognized by human perception. The same applies hereinafter.), or expressed by voice, action, or other methods (including information that can be easily compared with other information and can identify a specific individual).
2. Information that includes a personal identification code.

e-GOV｜Act on the Protection of Personal Information

Information that falls under the above definition is protected as personal information under the Personal Information Protection Act.

In addition to administrative responses, companies may need to disclose information when a leak occurs.

Obligation to Report Personal Information Leaks

Personal information handlers are obligated to report to the Japanese Personal Information Protection Commission when a situation arises where personal information has been leaked or there is a risk of a leak.

Before April 1, 2022 (Reiwa 4), reporting to the Personal Information Protection Commission in the event of a leak or potential leak was not an obligation, but rather a recommended action. However, with the amendment of the Personal Information Protection Law, reporting to the Personal Information Protection Commission became mandatory from April 1, 2022 (Reiwa 4).

The term “personal information handler” refers to those who use personal information databases for business purposes (Article 16, Paragraph 2 of the Japanese Personal Information Protection Law). However, national institutions, local public entities, independent administrative agencies, and local independent administrative agencies are not included as personal information handlers.

“Personal information databases” refer to collections of information containing personal information, excluding those designated by government ordinance as having little risk of infringing on individual rights and interests, that meet either of the following two requirements (Article 16, Paragraph 1 of the Personal Information Protection Law):

• Those systematically organized to enable the search for specific personal information using a computer
• Those systematically organized to enable easy search for specific personal information

Personal information handlers who use personal information databases for business purposes are obligated to report to the Personal Information Protection Commission.

Four Cases Requiring Reporting to the Japanese Personal Information Protection Commission

There are four cases in which it is necessary to report to the Japanese Personal Information Protection Commission when a personal information leak occurs, as stipulated in Article 7 of the Enforcement Regulations of the Act on the Protection of Personal Information (Japanese Personal Information Protection Act).

1. When a leak of personal data containing sensitive personal information has occurred or is likely to occur
2. When a leak of personal data that could result in financial damage if misused has occurred or is likely to occur
3. When a leak of personal data that is suspected to have been carried out with malicious intent has occurred or is likely to occur
4. When a leak involving more than 1,000 individuals’ personal data has occurred or is likely to occur

We will explain these cases in detail below.

Leak of Sensitive Personal Information

“Sensitive personal information” refers to personal information that requires special consideration in its handling to prevent unfair discrimination, prejudice, or other disadvantages to the individual. This includes information about the individual’s race, creed, social status, medical history, criminal record, and victimization.

For example, information about an employee’s medical history, such as the results of health examinations, would fall under sensitive personal information.

Leak of Personal Information That Could Result in Financial Damage

This refers to cases where personal data, which could result in financial damage if misused, has been leaked.

A concrete example would be a company leaking customer credit card information.

Leak of Personal Information Carried Out with Malicious Intent

This applies when the party responsible for the leak of personal data had a malicious intent.

For instance, if a third party or a company employee illegally accesses the company’s network with the intention of misusing personal information, causing a leak of personal data, this would be applicable.

Large-Scale Personal Information Leak

This applies when a leak involves personal data of more than 1,000 individuals.

Companies that handle large amounts of personal data need to be cautious, as there is a possibility of a large-scale leak of personal data occurring at once.

Reporting to the Personal Information Protection Commission in the Event of Information Leakage

When a situation arises that requires reporting to the Personal Information Protection Commission, it is necessary to report the matters stipulated in Article 8, Paragraph 1 of the Enforcement Regulations of the Act on the Protection of Personal Information.

(Reporting to the Personal Information Protection Commission)
Article 8: When a personal information handling business operator is to make a report pursuant to the provisions of the main clause of Article 26, Paragraph 1 of the Act, the operator must promptly report the following matters related to the situation (limited to those that are known at the time of the intended report. The same shall apply in the next article.) after becoming aware of the situation stipulated in each item of the preceding article.

e-GOV｜Japanese Act on the Protection of Personal Information

If any of the four cases requiring the above-mentioned report applies, the business operator must promptly report the following matters to the Personal Information Protection Commission:

• Overview
• Items of personal data that have been leaked or are at risk of being leaked
• Number of individuals related to the personal data that has been leaked or is at risk of being leaked
• Cause
• Presence and content of secondary damage or risk thereof
• Status of response to the individual
• Status of public announcement
• Measures to prevent recurrence
• Other matters of reference

However, it is acceptable to report only those matters that are known at the time of the report.

Deadline for Reporting Information Leaks to the Japanese Personal Information Protection Commission

There is a specified deadline for reporting to the Japanese Personal Information Protection Commission (Article 8, Paragraph 2 of the Enforcement Regulations of the Act on the Protection of Personal Information).

As a general rule, reports to the Japanese Personal Information Protection Commission must be made within 30 days from the day the leak or similar incident was discovered. If the entity that caused the leak or similar incident of personal data had malicious intent, the report must be made within 60 days.

Notification Obligation to the Individual

In the event of a personal information leak, in addition to the obligation to report to the Japanese Personal Information Protection Commission, there is also a provision for the obligation to notify the individual concerned (Article 26, Paragraph 2 of the Japanese Personal Information Protection Act).

The purpose of notifying the individual is to prevent the infringement of the individual’s rights and interests by enabling them to respond to the leak of personal information as soon as possible. Therefore, it is stipulated that business operators handling personal information must promptly notify the individual.

Conclusion: Consult a Lawyer for Administrative Responses to Personal Data Leaks

We have explained the necessary responses that companies must take, focusing on administrative responses, in the event of a personal data leak.

As a company, it is crucial to establish systems that prevent data leaks. However, if a data leak does occur, it is necessary to respond appropriately.

The ‘Japanese Personal Information Protection Law’ is frequently amended and has complex structures. Therefore, we recommend consulting with a lawyer who has specialized knowledge to respond appropriately.

Introduction to Our Firm’s Measures

Monolith Law Firm is a legal office with high expertise in both IT, particularly the Internet, and law. In recent years, the leakage of personal information has become a significant issue. In the event that personal information is leaked, it can have a devastating impact on corporate activities. Our firm possesses specialized knowledge in preventing information leakage and in implementing countermeasures.