MONOLITH LAW MAGAZINE

General Corporate

Explaining Measures to Prevent Information Leakage: What Should be Included in the Company's Internal Regulations?

Data leakage can potentially inflict devastating damage on corporate activities. Therefore, it is crucial to establish preventative measures internally.

Specifically, it is advisable to develop internal regulations and operate in accordance with them. But what kind of internal regulations should be established? In this article, we will explain how to develop internal regulations to reduce the risk of data leakage, targeting corporate legal personnel.

What is an Internal Regulation Regarding Information Leakage?

Information leakage can occur at any time and under any circumstances. Therefore, it is crucial to establish a robust internal regulation in advance to prepare for potential information leakage.

Moreover, even in the unfortunate event of an information leak, by responding appropriately according to the pre-established internal regulations, the damage caused by the information leakage can be minimized.

Establishing a Basic Policy

First, a company should establish a basic policy on information leakage that states how the company will prevent such incidents and how it will respond when one occurs.

The basic policy may include provisions on the following:

  • Responsibilities of the company and its management
  • Compliance with laws and regulations
  • Establishment of internal mechanisms
  • Information management
  • Initiatives towards employees
  • Responses in the event of information leakage
  • Regular review of the basic policy

In addition to being part of the internal regulations, the basic policy can be published in the same way as a privacy policy, making the company's basic principles clear to the outside world. Publishing it demonstrates the company's awareness of information leakage risks and can improve its credibility with customers and business partners.

However, simply writing a basic policy is not enough. The policy must fit the company's actual circumstances, and the company must operate in accordance with it; a policy that is not followed offers no protection.

Related article: What are the key points when creating a privacy policy in accordance with the Japanese Personal Information Protection Law?[ja]

Provisions on Information Protection

As part of the internal regulations, the company should establish provisions on how information is protected.

For example, the following matters can be covered.

Analysis of Information Leakage Risks

Without a sufficient analysis of where and how information could leak, a company cannot choose measures proportionate to the risk. The internal regulations should therefore require that information leakage risks be analysed before protective measures are decided.

Identifying and Cataloguing the Information the Company Holds

A company that does not fully know what information it holds cannot manage that information adequately. Compiling a catalogue (database) of the information the company holds makes appropriate management possible: what the information is, where it is kept and who is responsible for it can then be tracked.

Designating Information Handlers

By designating in the internal regulations who may handle each category of information the company holds, access is limited to the minimum set of people who need it, which reduces the risk of information leakage.

Establishing Procedures for Disclosure and Provision of Information

If the internal regulations clearly define the procedures for disclosing or providing the information the company holds, operations will follow those procedures. This avoids situations in which employees pass on company information on their own judgement, and so helps prevent information leakage.

Restricting the Removal of Information to the Outside

If the internal regulations set rules on taking the company's information outside the company, information will not be removed unnecessarily, which is expected to have a certain effect in preventing information leakage.

Establishing Audits of Information Protection Systems

Even if the company has built an information protection system, it is meaningless if day-to-day operations do not actually follow it.

Therefore, the internal regulations should also stipulate that the information protection system is audited, and that the audit is conducted by a party independent of the department being audited.

Regulations on Human Resource Management

Information leakage can occur through human error. Therefore, the company rules should also contain regulations directed at the individuals who handle information.

These regulations on human resource management can be stipulated in the employment rules or in the confidential information management rules.

For example, the following contents can be stipulated:

Confidentiality of Information

In the company rules, it is conceivable to establish provisions regarding the confidentiality of information for employees. By stipulating the confidentiality of information, it becomes possible to impose a contractual obligation of confidentiality on employees.

Furthermore, it is expected that employees will be made aware of their obligation to keep information confidential.

Prohibition of Unauthorized Use of Information

A confidentiality obligation addresses disclosure of information to others. Leakage can also result from employees using information for purposes other than their work, so it is effective to add a separate provision prohibiting the unauthorised use of information.

Confidentiality Agreement at the Time of Joining the Company

For employees, it is possible to stipulate that they submit a confidentiality agreement, including the obligation of confidentiality and the prohibition of unauthorized use of information, at the time of joining the company.

The agreement at the time of joining the company not only imposes contractual responsibilities but also serves to raise awareness among employees about the prevention of information leakage.

Confidentiality Agreement at the Time of Leaving the Company

Information leakage by employees must be prevented not only during their employment but also after they leave the company.

Therefore, the company should require departing employees to submit an agreement stipulating that information learned during employment will not be disclosed after leaving. This is necessary because the company rules generally bind only current employees and cease to apply once employment ends.

Employee Education on Information Leakage

Obtaining a confidentiality agreement from employees raises awareness of information leakage to some extent. However, an agreement alone may not be enough to make employees fully aware of the seriousness of causing a leak.

Therefore, it is useful to stipulate in the company rules that employees will receive education on preventing information leakage, for example through in-house training held at regular intervals.

Regulations on Physical Management

To prevent information leakage, it is necessary to create an environment that is physically resistant to information leakage.

For example, in internal regulations, the following contents can be stipulated as the contents related to information management.

Access Control of Rooms Storing Information

By clearly defining security zones according to the information handled within the company and managing the access and locking of each zone, it is possible to reduce physical access to information.

By reducing physical access to information, it is expected that the risk of information leakage can be reduced.

Access to Servers

If information is stored on servers, the internal regulations can restrict who is authorised to access those servers.

If any employee can easily access the information, the risk of information leakage increases accordingly. Limiting server access to those who need it for their work, and reviewing that list as part of the audits described above, is therefore effective in preventing information leakage.

Handling of Documents and Other Media

In the internal regulations, it is also important to specifically define the handling and storage of information when actually handling it.

For example, for information on paper, the regulations can require that it be stored in a lockable cabinet, that it be viewed only in a designated room, and that it not be taken to other rooms.

Regulations on the Use of IT Equipment

Recently, due to the development of the internet and the increase in remote work, the opportunities to exchange information using IT equipment have increased.

Therefore, it is conceivable to establish the following contents in the company’s internal regulations regarding the use of IT equipment.

Procedures for Borrowing IT Equipment from the Company

First, when employees borrow IT equipment such as computers from the company, the company should record who borrowed which equipment and when.

It is also important to check periodically how the borrowed equipment is being used, to ensure that it is not being used in an environment where information leakage is likely to occur.

Procedures for Using Personal Devices (BYOD)

With the increase in remote work, employees increasingly use their personal IT devices for work. Personal devices such as PCs and USB memory sticks do not necessarily have security measures equivalent to those applied to company equipment.

In addition, because employees use these devices every day, they may become less careful when handling work-related information on them, and management of that information may become insufficient.

Therefore, where the company permits the use of personal devices (BYOD), the internal regulations should set out the procedures for their use and the prohibitions that apply.

Other Provisions Regarding Information Leaks

In addition to the above, the following points can be considered for inclusion in internal regulations regarding information leaks.

Regulations on Personal Use of Social Networking Services (SNS)

Some SNS are used under real names and others anonymously. Anonymity can lead to careless posting. There are also cases where a post made in the belief that few people would see it is widely shared and seen by many.

Because content on SNS can spread rapidly, an information leak posted there can spread instantly.

Therefore, it is advisable to stipulate in the internal regulations how employees may use SNS.

For example, SNS use can be divided into "business purposes" and "non-business purposes (private)". For business purposes, the regulations can require prior application and approval, and reporting if a post goes viral. For non-business purposes, they can prohibit posting about the company's confidential information or about legal violations, and require employees to report a potential information leak or a post that has gone viral.

Information Leak Measures Should Be Taken by the Entire Group of Companies

Large companies may have multiple group companies. Confidential information may be exchanged between group companies, but the level of security is not necessarily the same across the whole group.

For example, someone seeking the parent company's information may instead attempt to gain unauthorised access to a subsidiary whose security is weaker, and obtain the information from there.

To address such situations, it is important that the group companies not only take measures against information leakage individually, but also coordinate those measures across the group.

Conclusion: Consult a Lawyer for Internal Regulations on Information Leakage

We have explained the development of internal regulations to reduce the risk of information leakage, targeting corporate legal personnel. To prevent information leakage, it is important to implement measures from various angles.

When it comes to such internal regulations, it is necessary to carefully consider them with a professional perspective. We recommend consulting with a lawyer who has specialized knowledge when establishing internal regulations.

Related article: Risk of Personal Information Leakage and Damage Compensation in Companies[ja]

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the Internet, and law. Specialized knowledge is essential when establishing internal regulations. Our firm handles reviews for a variety of cases, from Tokyo Stock Exchange-listed companies to venture businesses. If you are having trouble with internal regulations, please refer to the article below.

Editor in Chief: Toki Kawase, Managing Attorney

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. Served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage Startups.
