MONOLITH LAW MAGAZINE

General Corporate

How to Prevent Security Incidents at Outsourced Companies? Explaining the Construction and Operation of the Ordering Party's Internal Control System

Companies are obligated to establish an internal control system under the Japanese Companies Act and the Japanese Financial Instruments and Exchange Act. The term “internal control system” may sound complex, but simply put, it is a system to properly manage the operations of a company and prevent risks.

So, how does the internal control system function in relation to external business partners? This becomes an issue particularly because companies often outsource various tasks such as logistics and maintenance to external parties.

In this article, we will explain the operation of the internal control system at the outsourcing party and measures to prevent security incidents.

What is an Internal Control System?

An internal control system refers to the organizational means and methods necessary for companies and organizations to conduct appropriate management. It is defined in both the Japanese Companies Act and the Japanese Financial Instruments and Exchange Act.

Under the Japanese Companies Act, the following companies are obligated to establish an internal control system:

  • Large corporations
  • Companies with a nominating committee
  • Companies with an audit committee

Furthermore, the Japanese Financial Instruments and Exchange Act imposes an obligation on listed companies to establish an internal control system, and they must submit an internal control report for each business year. This internal control report requires an audit certification from a certified public accountant or an audit corporation.

If damage occurs due to deficiencies in the internal control system, such as information leakage, the company and its directors may be liable for damages. For more information on the internal control system for information protection, please refer to the following article.

Related article: Explaining Measures to Prevent Information Leakage: What Should Be Included in Company Regulations[ja]

Risks to Internal Control Systems that May Arise During Business Outsourcing

Even if your company (the ordering party) has established its own information security regulations, a security incident may still occur at the contractor if the contractor has no such regulations or if their content is insufficient.

When a security incident occurs, even though the incident itself happened at the contractor, the ordering party, which bears management responsibility, risks having its reputation damaged as well.

Therefore, when outsourcing business, it is important to ensure that the contractor has a system in place that prevents security incidents and similar problems from occurring.

Internal Control System Including Contractor Management is Necessary

Considering precedents, the establishment of an information security system is one of the crucial elements in building an internal control system.

If a company or organization causes damage to a third party due to deficiencies in its information security system, directors may be held accountable for violating their duty of care for neglecting to establish an internal control system. Furthermore, if damage to a third party occurs due to deficiencies in the information security system of a contractor, the company or directors that commissioned the work may also be held responsible.

To date there is no confirmed case in which directors of the ordering party have been held liable for damages, on the basis of a breach of the duty of care arising from a failure to establish internal controls, for a security incident caused by management deficiencies at the contractor. It is nevertheless considered possible that such lawsuits will be filed in the future.

Learning the Importance of Internal Control Systems through Case Studies

Measures to be taken when outsourcing

Here, we will look at what measures should be taken when outsourcing work, based on past examples.

Information Leakage Incident at the Japan Pension Service

In 2015, an unauthorized access incident occurred at the Japan Pension Service, resulting in the confirmed leakage of personal information such as basic pension numbers and names.

In relation to this incident, a Verification Committee on the Unauthorized Access and Information Leakage Incident at the Japan Pension Service (hereinafter referred to as the “Verification Committee”) was established, and a verification report dated August 21, 2015 (Heisei 27) was compiled. According to this report, the LAN system of the Japan Pension Service was attacked, resulting in the leakage of a large amount of personal information from shared folders.

When the system was built, the LAN system was designed not to handle personal information, but under certain conditions personal information could nevertheless be placed in shared folders on the LAN system. In addition, the LAN system of the Japan Pension Service was not operated in a way that allowed it to respond to targeted attacks, so even after the attack was noticed, it took time to grasp the situation.

The Verification Committee listed the following as preventive measures:

  • Establishment of a human system (such as the establishment of a security measures headquarters)
  • Establishment of the Ministry of Health, Labour and Welfare’s supervisory system (such as the establishment of the Ministry’s information security system)
  • Technical improvements (such as system development based on the actual situation and risks of the business)
  • Reform of awareness at the Japan Pension Service

Furthermore, only a general agreement on information security protection had been made with the contractor, and there was no clear agreement on the specific response to be taken when an incident actually occurred, which delayed the response and increased the damage. (Source: Ministry of Health, Labour and Welfare, “Verification Report dated August 21, Heisei 27”[ja])

To prevent such situations, it is necessary to:

  • Conclude a Service Level Agreement with specific content
  • Clearly agree that the contractor will respond in emergencies

A Service Level Agreement (SLA) is a contract concluded between the service provider and the service recipient that sets out the quality, scope, method of delivery, responsibilities, costs, and other terms of the service. By also agreeing in advance on the response to be taken in the event of an incident, it becomes possible to respond quickly and appropriately.

Personal Information Leakage Incident at Benesse Corporation

In 2014, a personal information leakage incident occurred at Benesse Corporation. It was caused by an employee of a contractor copying customer data and selling it to a list broker, resulting in the leakage of about 29.89 million customer records.

One of the causes of this incident was that, although data access rights had been granted to subcontractors and even to further sub-subcontractors, there was no adequate monitoring system in place to prevent information leakage.

As countermeasures, it is possible to:

  • Clearly define the scope of work and access to information for contractors in the contract
  • Conduct regular audits of contractors
  • Impose a reporting obligation on contractors regarding the monitoring system
  • Determine who will handle important information at the contractor and conduct a review

One of the customers later filed a lawsuit against Benesse Corporation, the service provider, seeking 100,000 yen in damages for the leakage of his and his child’s personal information in this incident.

The customer lost at first instance and on appeal. However, in its decision dated October 23, 2017 (Heisei 29), the Supreme Court held:

“The decision to immediately dismiss the appellant’s claim solely on the grounds that there was no claim or proof of damage beyond discomfort, without sufficiently examining the existence and degree of the appellant’s mental damage due to the invasion of privacy,”

(Damage Claim Case No. 1892 (Received) Heisei 28, Second Petty Bench Judgment dated October 23, Heisei 29[ja])

On this basis, the appellate judgment was overturned and the case was remanded to the Osaka High Court.

On November 20, 2019, the Osaka High Court recognized the invasion of privacy and ordered Benesse Corporation to pay 1,000 yen.

At first instance and on appeal, the courts focused not only on whether privacy had been invaded but also on whether actual damage had occurred; the Supreme Court, by contrast, held that the invasion of privacy must be examined regardless of whether damage exists. In other information leakage incidents as well, damage claims based on the leakage have been recognized in many cases, and this Supreme Court judgment is considered to be in line with that trend.

Conclusion: Consult a Lawyer Regarding Internal Control Systems

For the sound management of a company or organization, it is necessary to properly construct and operate an internal control system. Even when a contractor causes a security incident such as an information leak, the ordering party may be held responsible and its reputation may be damaged. To avoid such situations, it is necessary to establish a system in advance that ensures the internal control system also functions adequately on the contractor’s side.

Please consult a lawyer regarding the construction and operation of an internal control system, including the establishment of an information security system.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. The need for legal checks related to the construction and operation of internal control systems is increasingly growing. Details are described in the article below.

Areas of practice at Monolith Law Office: Corporate Legal Affairs for IT & Startups[ja]

Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.