What Companies Should Disclose in the Event of a Data Breach?

When a data breach occurs, there may be cases where administrative responses such as reporting are necessary, depending on the situation. In addition to responding to the administration, it is also necessary to disclose information in an appropriate manner about “what kind of information”, “when”, and “how it was leaked”.

In this article, we will explain the information disclosure that companies should perform in the event of a data breach, targeting those in the legal departments of companies.

Differences Between Administrative Response and Information Disclosure

When a personal information leak occurs, it is necessary to respond to administrative regulations such as the Japanese Personal Information Protection Law. However, it can be said that merely responding to administrative measures may be insufficient as a corporate response.

For instance, if a company causes an information leak, there is a possibility of social impact.

Furthermore, if the company is listed, there is a need to promptly disclose information to stakeholders such as shareholders, business partners, and customers.

While administrative responses have an aspect of compliance with the law, information disclosure by companies strongly carries the aspect of fulfilling social responsibility as a company handling information.

About Timely Disclosure of Listed Companies

For listed companies, it is mandatory to disclose information, as any leakage of information can have a wide-ranging impact.

For example, the Tokyo Stock Exchange’s regulations on listed securities stipulate the following regarding timely disclosure:

(Disclosure of Company Information)
Article 402
A listed company must immediately disclose the content in the following cases (excluding those that meet the criteria set forth in the enforcement rules and other matters that the Exchange deems to have a minor impact on investors’ investment decisions):
(Omitted)
x In addition to the facts listed from a to w, important facts related to the operation, business, or property of the listed company or the listed shares, etc., that significantly affect investors’ investment decisions.

Tokyo Stock Exchange | Regulations on Listed Securities

It is considered that the occurrence of information leakage falls under “important facts related to the operation, business, or property of the listed company or the listed shares, etc., that significantly affect investors’ investment decisions”, and therefore it is necessary to make timely disclosure.

Specifically, it is considered that the outline of the information leakage that occurred, the circumstances under which the information leakage occurred, and the future outlook for the response to the information leakage that occurred should be disclosed.

Voluntary Disclosure of Information by Companies

As mentioned above, there are cases where companies disclose information in accordance with regulations such as the Securities Listing Regulations. However, companies may also consider voluntarily disclosing information as a means of risk hedging.

When Should Information Be Disclosed?

For voluntary disclosure of information, companies can theoretically choose either to disclose or not to disclose information.

Therefore, it is important for companies to clearly establish the criteria for deciding whether to disclose information or not.

The first criterion could be whether there is a substantial risk of damage expansion due to information leakage.

If information leakage has actually occurred, but it is considered to have no practical impact, the necessity of voluntary disclosure of information is considered low.

If you voluntarily disclose information when there is no substantial risk of damage expansion due to information leakage, it may cause confusion and potentially exacerbate the situation.

The second criterion could be whether there is a risk of damage expansion due to information leakage by disclosing information.

If you disclose the fact that information leakage has occurred without sufficient response to the leakage, it may catch the eye of those who intend to obtain information illegally, and further information leakage may occur.

As a result, by voluntarily disclosing information, the damage from information leakage may expand, and the infringement of rights may further expand.

However, these criteria are not necessarily generalizable and need to be carefully examined on a case-by-case basis to determine whether or not to disclose information.

About Matters to Be Disclosed

When disclosing information, it is necessary to carefully consider the matters to be disclosed.

The matters to be disclosed may include the following:

• Type of information leakage that occurred
• Date the company became aware of the information leakage
• Date the information leakage occurred
• How it was discovered that information leakage occurred
• Cause of the information leakage
• Potential damage caused by the information leakage
• Possibility of future damage expansion or secondary damage
• Measures taken by the company against the information leakage
• Contents of the investigation into the cause of the information leakage
• Whether a report has been made to the police, etc.

However, the matters to be disclosed may vary depending on the case, so it is necessary to make individual judgments depending on the case.

About the Method of Disclosure

The method of disclosure may include the following:

• Posting on the company’s website
• Announcing at a press conference for the media
• Contacting individuals who may have their rights and interests infringed due to information leakage

The above methods of disclosure are just examples, and it is necessary to choose the appropriate method for each case.

Points to Note When Holding a Press Conference for the Media

When holding a press conference, the content of the disclosure will be widely recognized by many people. Therefore, it is necessary to carefully consider whether it is appropriate to disclose information by holding a press conference in the first place.

For example, if there is no information beyond what the company has already disclosed on its website, holding a press conference will not be able to disclose any new information. If you hold a press conference without any new information, those who watched the press conference may get the impression that the company is not disclosing information properly and is not fulfilling its responsibility to explain, which may give the impression of an insincere company. Therefore, caution is required.

Also, it may be practically difficult to retract or correct the content spoken at a press conference.

Therefore, it is necessary to prepare thoroughly for the content to be spoken at the press conference, such as deciding on the content to be spoken in advance with the help of experts such as lawyers.

Points to Note When Contacting Individuals Who May Have Their Rights and Interests Infringed Due to Information Leakage

If it is clear that there are individuals who may have their rights and interests infringed due to information leakage, it is considered desirable to contact the victims individually before announcing the fact of the information leakage.

If you proceed with the announcement before contacting the victims individually, the victims may develop a sense of distrust towards the company and strengthen their antagonistic consciousness.

Also, if you proceed with the announcement despite being able to contact the victims individually, the company’s social trust may be damaged.

How Can Companies Prevent Information Leaks?

So far, we have discussed the disclosure of information that companies should make in the event of an information leak. However, it is crucial to prevent information leaks from occurring in the first place.

Article 23 of the Japanese Personal Information Protection Act stipulates the following regarding safety management measures:

(Safety Management Measures)
Article 23: Personal information handlers must take necessary and appropriate measures for the prevention of leakage, loss, or damage of personal data they handle, and for other safety management of personal data.

e-Gov｜Japanese Personal Information Protection Act

Possible safety management measures include, for example:

• Formulating a basic policy on the handling of personal data
• Establishing rules for the handling of personal data
• Organizing the organizational structure
• Operating in accordance with the rules for handling personal data
• Establishing means to check the handling status of personal data
• Setting up a system to respond to information leak incidents
• Understanding the handling status of personal data and reviewing safety management measures
• Educating employees who handle personal data
• Implementing physical safety management measures to prevent leakage of personal data
• Implementing technical safety management measures to prevent leakage of personal data

By implementing the above safety management measures according to the company’s situation, it is believed that the risk of information leaks can be reduced.

Conclusion: Information Disclosure In Case Of Data Breach Needs Proper Consideration

In this article, we have explained the information disclosure that companies should carry out in the event of a data breach, targeting those in corporate legal departments.

While it is best to prevent data breaches from occurring, it is realistically difficult to completely prevent them.

Therefore, if a data breach does occur, it is important for the company to respond appropriately.

As careful consideration is required for responding to data breaches, we recommend consulting with a lawyer who has specialized knowledge in this area.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. Specialized knowledge is essential when establishing internal regulations. Our firm handles reviews for a variety of cases, from Tokyo Stock Exchange-listed companies to venture businesses.