MONOLITH LAW MAGAZINE

General Corporate

Corporate Personal Information Leaks and the Risk of Damage Compensation

Risks surrounding corporate management include management crises and accidents due to the company’s breach of safety obligations. However, in recent years, the leakage of personal information and the risk of resulting damage compensation have become significant issues.

Tokyo Shoko Research has reported that in 2019, 66 listed companies and their subsidiaries announced incidents of personal information leakage and loss. The number of incidents reached 86, and the personal information of 9,031,734 individuals was leaked. If unlisted companies, foreign companies, government agencies, municipalities, and schools are added, the number could potentially inflate to astronomical figures.

https://monolith.law/corporate/trends-in-personal-information-leakage-and-loss-accidents-in-2019[ja]

Among the incidents of personal information leakage and loss, the largest one to date is still the unauthorized acquisition of customer information by an employee of a subcontractor of Benesse Holdings (Benesse Corporation), which was revealed in July 2014, where personal information of 35.04 million individuals was leaked. In 2019, there were new developments in some of the lawsuits related to this incident.
While sorting out the issues with Benesse, let’s consider the risk of personal information leakage and damage compensation for companies.

What is the Benesse Personal Information Leak Incident?

The Benesse personal information leak incident that occurred around June 2014 is a recent and memorable event.

Around June 2014, Benesse’s customers began receiving direct mail from the correspondence education company ‘Just Systems’. This led to a surge in inquiries questioning whether the personal information registered only with Benesse was being used, or if there had been a leak of personal information from Benesse.

On June 27, Benesse initiated an internal investigation, and on June 30, they reported to the police and the Ministry of Economy, Trade and Industry. On July 9, they held a press conference and announced that personal information such as the names, addresses, phone numbers, genders, and birth dates of children and their guardians, who were users of services like Shinken Seminar, had been leaked.

On July 17, a 39-year-old system engineer who was in charge of managing the database system of Synform, a Benesse affiliate company that was entrusted with customer information management, was arrested. The engineer, who had access to customer information, had taken out personal information and sold it to a list broker. This engineer was dispatched from a contractor to whom Synform had re-entrusted the work.

In September, Benesse held a press conference and announced that the number of customer information leaks was 35.04 million cases. They had already prepared 20 billion yen as compensation for the victims of the personal information leak. However, they decided to send an apology letter to the confirmed leak victims and, according to the customers’ choice, either send a 500 yen voucher (electronic money gift or nationwide common book card) or donate 500 yen per leak to the Benesse Children’s Foundation, which was established to support children affected by this leak.

In response to this, several legal teams were formed by some of the victims, and class action lawsuits were filed. There were several developments regarding this in 2019. As a criminal case, the system engineer who took out the personal information was charged with violating the Unfair Competition Prevention Act (reproduction and disclosure of trade secrets). In the criminal trial against him, a final sentence of 2 years and 6 months in prison and a fine of 3 million yen without probation was confirmed by the Tokyo High Court on March 21, 2017.

The Supreme Court’s Decision and the Remanded Appeal Trial

There have been cases where payment of damages was ordered, considering factors such as the appellant’s address, name, and phone number being disclosed on websites, etc.

In a lawsuit where a man sought 100,000 yen in consolation money from Benesse on his own, claiming that he and his child’s names, addresses, phone numbers, etc. had been leaked and caused him mental distress, the Supreme Court overturned the original ruling of the Osaka High Court and remanded the case, stating that the trial had not been fully conducted.

The first trial before the remand, at the Himeji branch of the Kobe District Court on December 2, 2015, acknowledged as an undisputed fact that the man’s name managed by Benesse had been leaked. However, it dismissed the man’s claim, stating that there was no argument or evidence of specific circumstances sufficient to establish that this was due to Benesse’s negligence.

The man appealed, and the appellate court (Osaka High Court, June 29, 2016) acknowledged that the appellant’s child’s name, gender, date of birth, postal code, address, phone number, and guardian’s name (the appellant’s name) managed by the defendant had been leaked. It concluded that this could be regarded as a leakage of the appellant’s personal information, such as his name, postal code, address, phone number, and the names, genders, and dates of birth of his family members. While acknowledging that the leakage of the appellant’s personal information could cause discomfort and anxiety in the general sense of an ordinary person, it held that damages could not be claimed immediately just because such discomfort, etc. was felt. The appeal was dismissed on the grounds that there was no argument or evidence of damage beyond the above-mentioned discomfort, etc.

The Supreme Court’s Decision

When the appellant filed a petition for acceptance of the final appeal against this, the Supreme Court accepted it and stated that the appellant’s privacy could be said to have been violated by the leakage in this case. However, the Osaka High Court dismissed the appellant’s claim immediately only from the fact that there was no argument or evidence of the occurrence of damage beyond discomfort, etc., without sufficiently examining the existence and degree of the appellant’s mental damage due to the violation of privacy. The Supreme Court overturned the original judgment, stating that such a decision by the original court was illegal because it misinterpreted and applied the laws concerning damage in tort without fully examining the above points. The case was remanded to the High Court for further examination of the existence of negligence on the part of the defendant and the existence and degree of the appellant’s mental damage, etc. (Supreme Court, October 23, 2017).

https://monolith.law/reputation/privacy-invasion[ja]

The Decision of the Remanded Appeal Trial

In the remanded trial, the Osaka High Court (November 20, 2019) ruled that the employee in this case had illegally obtained personal information by connecting an MTP-compatible smartphone to a business computer’s USB port with a USB cable and transferring the data via MTP communication, and had then sold it to a list dealer. Synform Corporation should have taken appropriate measures to prevent MTP-compatible smartphones from being brought into the office and to prevent them from accessing the personal information in question, but it failed to do so and was negligent. Benesse was found to have caused the leakage by the employee as a result of violating its duty to properly supervise Synform Corporation, which it allowed to use the personal information it manages. Therefore, it was held liable for the resulting damage as a joint tort (Article 719, Paragraph 1, first half of the Civil Code).

The court then found that this was in violation of Article 22 of the Personal Information Protection Act, which states, “When a personal information handling business operator entrusts all or part of the handling of personal data, it must supervise the entrusted party as necessary and appropriate to ensure the safe management of the entrusted personal data,” and acknowledged the violation of privacy. Taking into account factors such as the appellant’s address, name, and phone number being disclosed on websites, etc., it ordered the payment of 1,000 yen in damages.

This is the third case in which Benesse’s liability for damages has been recognized. At the beginning of this article, I wrote, “In 2019, there were some new developments in the lawsuits surrounding this incident,” and all three judgments recognizing Benesse’s liability for damages were issued in 2019.

https://monolith.law/corporate/act-on-the-protection-of-personal-information-privacy-issues[ja]

The First Court Case Acknowledging Benesse’s Liability

The First Instance Judgment

We introduce a case where Benesse’s liability was recognized.

A man claimed that he, his wife, and his son suffered mental distress due to Benesse leaking their personal information to the outside, and sought compensation for emotional distress based on tort law. The appellate court ruling in this lawsuit was the first to recognize Benesse’s liability.

The first instance (Yokohama District Court, February 16, 2017) acknowledged Benesse’s breach of duty of care, but rejected the claim against Benesse because there was no proof of concrete facts sufficient to acknowledge that they had violated the duty to grasp the handling of personal data. Therefore, the man and others appealed.

In the first instance, although Benesse received a recommendation based on Article 34, Paragraph 1 of the Personal Information Protection Law from the Minister of Economy, Trade and Industry for neglecting the duties of Articles 20 and 22 of the same law and causing this information leakage, the recommendation based on the same paragraph is made when it is necessary to protect the rights and interests of individuals, and it does not require the existence or violation of the duty to foresee or avoid the result at the time of the information leakage. Therefore, it was not enough to acknowledge that Benesse had negligence under Article 709 of the Civil Code at the time of the information leakage just because the recommendation was made.

The Appellate Court Judgment

In contrast, the appellate court, the Tokyo High Court (June 27, 2019), noted that this was a simple crime, executed by merely connecting a smartphone to a business computer with a commercially available USB cable for charging and realizing that data transfer was possible. On that basis, it acknowledged that there was negligence on the part of Synform, which should have taken write control measures against MTP-compatible smartphones, and that Benesse, which had entrusted the operation and management of a large amount of personal information, had neglected the duty of care to properly supervise the contractor in terms of personal information management at the time of the leakage. These illegal acts by the two companies were considered to be joint torts (Article 719, Paragraph 1, first half of the Civil Code).

The court then stated that “It is natural for the appellants to not want their personal information to be indiscriminately disclosed to others they do not want, so the personal information in this case is subject to legal protection as information related to the appellants’ privacy, and the appellants and the selected persons should be considered to have had their privacy violated by the leakage.” Furthermore, it took into account that Benesse immediately started responding after the discovery of the leakage, took measures to prevent the spread of damage from the information leakage, conducted an investigation report based on reports and instructions to the supervisory authorities, sent apology letters to customers whose information was thought to have been leaked, and distributed gift certificates worth 500 yen according to the customers’ selection, and that the appellants each received 500 yen worth of electronic money gifts. On that basis, Benesse was ordered to pay each of them 2,000 yen in damages.

The Second Court Case Acknowledging Benesse’s Responsibility

On September 6, 2019, the Tokyo District Court delivered a verdict in a lawsuit in which 13 customers demanded a total of 980,000 yen in damages from the company and its affiliates. Benesse and Synform were ordered to pay 3,000 yen per person (3,300 yen for one person), totaling 42,300 yen.

The court did not acknowledge Benesse’s employer’s liability to Synform, which the plaintiffs sought, on the grounds that it is a separate corporation. However, it pointed out that Synform had failed to review the settings of its security software, which resulted in the ability to transfer data from business computers to MTP-compatible smartphones. Therefore, it was deemed that there was negligence in violation of the obligation to control the output of information. Benesse, in entrusting the handling of a large amount of customer information for the development of the system, was held to have an obligation in good faith toward its customers, including the plaintiffs, to select and supervise the contractor. The court recognized joint tort (Article 719, Paragraph 1 of the Japanese Civil Code) and ordered them to pay damages to the plaintiffs jointly.

https://monolith.law/reputation/employer-liability-responsibility-in-defamation[ja]

In this judgment, Article 22 of the Japanese Personal Information Protection Act was quoted, stating, “When a personal information handling business operator entrusts all or part of the handling of personal data, it must conduct necessary and appropriate supervision over the person who has been entrusted with the handling to ensure the safety management of the personal data entrusted.” It was also pointed out that the “necessary and appropriate supervision” in the guidelines of the Ministry of Economy, Trade and Industry in Heisei 21 (2009) includes selecting the contractor appropriately, concluding necessary contracts to comply with the safety management measures based on Article 20 of the Personal Information Protection Act, and understanding the handling status of the entrusted personal data at the contractor.

Summary

Initially, Benesse had prepared a fund of 20 billion yen for compensation to the victims, but it turned out to be insufficient. In November 2014, the Japan Information Economy Society Promotion Association revoked the Privacy Mark that Benesse Holdings had obtained, which is given to companies that properly manage personal information. As of April 2015, the number of members of “Shinken Seminar” and “Kodomo Challenge” was 2.71 million, a decrease of 940,000 compared to the same month of the previous year. The consolidated financial results for the period from April to June showed a 7% decrease in sales and an 88% decrease in operating profit compared to the same period of the previous year. The operating profit and loss turned from a surplus of 3.91 billion yen in the same period of the previous year to a deficit of 430 million yen. The risk of damage compensation due to personal information leakage can potentially be a matter of life and death for a company.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.