
MONOLITH LAW MAGAZINE


Legal Responsibilities and Data Loss Risks for System Operation Service Providers


There are cases where a company's critical information stored in a database is lost through an unforeseen incident, typically one that originates in the systems department. If the operation of that system has been outsourced to an external contractor, can the contractor be held legally responsible?

In this article, we will discuss who bears the legal responsibility in the event of information loss incidents within a company.

What is “Operation” in IT Systems?

In the context of IT systems, "operation" can be described simply as the work of "keeping the existing system running as it has been used so far." A system that IT engineers and programmers have newly created (that is, developed) is not finished once it is built. For example, when an operation cannot be performed through the application's user interface, an operator may need to connect directly to the database and issue commands in a query language such as SQL, typically to extract or modify data that the screens do not expose.

Such operational tasks are often easier to standardize, such as by preparing procedure manuals, compared to tasks like implementing new programs, and are often easier to outsource to external contractors.

However, even though such work is easy to standardize, it must be kept in mind that it involves operating directly on the company's database and is therefore closely linked to large-scale incidents. If outsourcing is pushed forward carelessly, without regard to the weight of responsibility the work carries, risks such as leakage or loss of the company's information can grow unnoticed.

The Risk of Information Loss is Closer Than You Think

There are various types of databases used by companies, but they are essentially a type of software. The extraction, modification, addition, and deletion of data managed in these databases are primarily performed using a computer language called SQL.

The Importance of Legal Affairs

IT system work takes various forms, such as development, operation, and maintenance. What they have in common is that they primarily handle abstract entities such as "data" and "computer languages". As a result, even when the work performed looks like nothing more than pressing the wrong button or a small input error, the impact of that error can spread unpredictably far. Everyone involved in system-related work, IT professional or not, should recognize this basic premise. By its nature, a problem in a system-related job often spreads beyond the department, and even beyond the company, in an instant. This is why the importance of legal affairs in system work can be explained in the same terms from both the client's and the contractor's perspectives.

Risk of Corporate Data Loss

Let's take a simple example. In SQL, the query (command) that deletes every row in a table is a single line: "TRUNCATE TABLE" followed by the table name. In many database products (MySQL and Oracle, for example) TRUNCATE is treated as a data-definition statement that commits implicitly and cannot be rolled back, so there is no "undo" once it has run. When considering a company's risk of data loss, familiarity with SQL syntax or the operation of database software may not matter much in itself. What should be recognized is that deleting all of the data a company holds can be this simple. That recognition of reality is the starting point for thinking about a company's data loss risk.

Indeed, operational tasks are easy to standardize, and there are often no problems if they are carried out according to procedures. However, at the same time, if we consider the scenario where procedures are not followed and irregular situations occur, the importance of legal affairs becomes self-evident.
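The following is an added example, not code from the article or from MONOLITH LAW OFFICE, showing the two sides of the point above in working code: how a single unqualified statement empties a table, and what a procedure manual for a contractor should require instead (a snapshot before any destructive statement, the statement run inside a transaction, and a commit only when the number of rows removed matches the expected figure, with rollback and restore otherwise). It uses Python's built-in SQLite module as a stand-in for the company's database; SQLite has no TRUNCATE keyword, so an unqualified DELETE plays that role. The table, rows and the "expected" row count are all constructed for the demonstration and are assumptions, not data from the article.

```python
import sqlite3

# Constructed sample data standing in for a company table (an assumption for
# the example; not from the article).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database playing the role of the production database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows currently visible to this connection (uncommitted included)."""
    cur = conn.execute("SELECT COUNT(*) FROM customers")
    (n,) = cur.fetchone()
    cur.close()  # release the statement so the backup API is not blocked later
    return n


def wipe_table_unguarded(conn):
    """The one-line disaster from the article.

    SQLite has no TRUNCATE; an unqualified DELETE is its equivalent
    (on MySQL or PostgreSQL this would be: TRUNCATE TABLE customers).
    Nothing here checks how many rows are about to disappear.
    """
    conn.execute("DELETE FROM customers")
    conn.commit()


def snapshot(conn):
    """Online copy of the whole database using SQLite's backup API."""
    target = sqlite3.connect(":memory:")
    conn.backup(target)
    return target


def restore(backup, conn):
    """Copy the snapshot back over the (damaged) database."""
    backup.backup(conn)


def guarded_delete(conn, sql, params, expected_rows):
    """Run a destructive statement the way a procedure manual should demand.

    1. take a snapshot first;
    2. execute inside a transaction (Python's sqlite3 opens one implicitly);
    3. compare rows removed against the figure the manual states;
    4. commit only on a match, otherwise roll back and hand back the snapshot.
    Returns (committed, rows_removed, snapshot).
    """
    backup = snapshot(conn)
    before = row_count(conn)
    try:
        conn.execute(sql, params)
        removed = before - row_count(conn)
        if removed != expected_rows:
            conn.rollback()  # the statement did not do what the manual said
            return False, removed, backup
        conn.commit()
        return True, removed, backup
    except sqlite3.Error:
        conn.rollback()
        raise
```

The check on the removed-row count is what catches the classic operator mistake of a DELETE whose WHERE clause was forgotten or mistyped: the statement runs, the count does not match, and the transaction is rolled back before anything is committed. The snapshot is the fallback for the case the guard cannot help with, a statement that has already been committed.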

Who is Legally Responsible for the Loss of Information?

What is the legal responsibility in the event of an unexpected data loss?

The Legal Nature of an Operator’s Work

So, when data is lost due to an unexpected incident and there is no way to recover it, who is legally responsible? Let’s analyze such incidents from a legal perspective.

It’s Difficult to Pursue the Obligation to Store Based on a Deposit Contract

One theoretical construction for questioning the responsibility of a data operation contractor is to pursue the duty of care that arises under a paid deposit (bailment) contract. Put simply, the question is whether the loss of "data" can be pursued in the same way as, for example, a coin-locker operator who has accepted goods for deposit and then loses them, where liability for damages follows as a matter of principle. Under current law, however, it is not realistic to assume that an "obligation to store data" arises naturally in the way an "obligation to store goods" does.

It Depends on the Specific Contract Content

In the end, the question of "who bears the obligation to store data" cannot be given a uniform answer from the provisions of the Civil Code. The answer therefore depends on how the matter is stipulated in the individual contract.

And the point of “what was the content of the contract” is not only determined by the contract itself, but also by the minutes of meetings. The importance of the minutes is explained in detail in the article below.

https://monolith.law/corporate/the-minutes-in-system-development[ja]

It’s Difficult to Pursue Liability for Unlawful Acts from Third Parties Other Than the Contracting Party

Court precedent shows that it is very difficult to pursue tort liability (liability for unlawful acts) against a party with whom there is no contractual relationship. The case in question concerned a data loss incident at a rental server service, and the issue was whether a user could claim damages in tort.

A typical example of a tort is a traffic accident. If a person is injured through a driver's negligence, the driver is liable not only criminally but also civilly. Liability for damages can arise even between strangers, although there is no contract "not to hit a person with a car". Based on this framework of tort liability, the question was whether responsibility for the loss of data could be pursued even against a party with no direct contractual relationship.

However, the court pointed to the characteristics of digital information and held that such an obligation does not naturally follow.

Servers are not perfect and can fail, resulting in the loss of programs and other data stored on them. However, programs and other data are digital information that can be easily duplicated, and if the user has recorded and stored this information, they can restart the program even if it is lost. This is widely known (entire import of the oral argument), so the plaintiffs could have easily taken measures to prevent the loss of the program and data in question. Given the interests of both the plaintiffs and the defendant, there is no reason or need to impose on the defendant, who installs and manages the server, the obligation to prevent the loss of the above-mentioned records in order to protect them. (Omitted) The plaintiffs argue that the rental server contract has the nature of a deposit contract for third-party programs or data, and that the defendant, as a rental server operator, has a duty of care to all those who store records on the server, specifically, the duty not to lose the records on the server, and that the defendant's loss of the plaintiffs' records stored on the server violates this duty to prevent loss.


However, the defendant has only entered into a shared server hosting service contract with User A, and there is no contractual relationship with the plaintiffs, and it cannot be said that there is a depositary nature in the storage of the program and data in question stored on the server, so it is difficult to find a basis for the defendant to bear a duty of care under the tort law for the records stored on the server to the plaintiffs with whom the defendant has no contractual relationship. Therefore, just because the defendant is a rental server operator, it cannot be said that the defendant naturally bears a duty of care for the records stored on the server or a duty to prevent the loss of the records in relation to third parties with whom the defendant has no contractual relationship.

Tokyo District Court, May 20, 2009 (Heisei 21)

This judgment pointed out that it is not reasonable to assume a duty not to erase data for a third party (plaintiff) with whom there is no direct contractual relationship. This judgment has attracted some attention as it could become a leading case for similar cases in the future.

In Conclusion, Pursuing Responsibility Tends to be “Difficult”

In practice, among commonly used contracts, it is rare for a contract to place responsibility for the storage and backup of data on the operating company; it is overwhelmingly more common for the user (the client company) to bear that responsibility.

Therefore, absent a special agreement, it is extremely difficult under the law to conclude that the system operating company bears an obligation to take measures to prevent the loss of data.

Preparing for the Risk of Information Loss

Always back up to prevent data loss.

Ultimately, the risk of information loss that a company faces concerns, for the most part, information that the company itself holds. How to assess that risk, and what kind of storage and backup system to build, is therefore something the company itself must decide.

Even if the responsibility of the business operator is recognized, it is possible that the compensation for damages will not be fully recognized due to contributory negligence. There have been court cases in the past where the defendant, who was storing the plaintiff’s data on a server, erased the data, and the fact that the plaintiff did not have a backup was considered “negligence”, and contributory negligence was recognized.

The plaintiff could have easily taken measures such as backing up the contents of the file in question, and could have prevented the occurrence of damage or kept the damage to a very minimum, yet it is recognized that at the time of the disappearance accident, the plaintiff had not retained any data content of the file in question.

In this case, when determining the amount of the defendant’s liability for damages, it should be said that it is appropriate to apply the provision of contributory negligence, taking into account this point, in accordance with the concept of equity in the law of damages. (Omitted)

On the other hand, the plaintiff argues that it was impossible for the plaintiff to foresee that the file in question would be erased from the server by the defendant, who is a provider, and that it cannot be said that the plaintiff should have foreseen this, so it is not possible to recognize the obligation to take a backup as a legal obligation, and that the failure to do so cannot be said to be negligence in a legal sense, and argues that the application of contributory negligence should be denied.

However, in applying contributory negligence, it is sufficient to recognize the foreseeability of the occurrence of the result of the disappearance of the file in question for the plaintiff, and it is not necessary to foresee the possibility of the disappearance of the file due to the defendant’s violation of the duty of care as a causal process leading to that result.

In this case, (omitted), it is clear that the plaintiff was aware of the risk of hackers and others invading the homepage, and the plaintiff admits that there is a risk of alteration and destruction of information in Internet communication, and that this risk was foreseeable, so it is judged that the plaintiff had foreseen the risk of the file disappearing due to inherent causes of Internet communication, and the foreseeability of the occurrence of the result of the disappearance of the file is fully affirmed, and there is no obstacle to affirming the application of contributory negligence.

Tokyo District Court, September 28, 2001 (Heisei 13)

In this case, it was ruled that “since no backup was taken, it was foreseeable that the file could be lost due to reasons such as hacking, and therefore, contributory negligence applies”, and the amount of damages was halved.

Summary

While it’s not limited to the risk of data loss, when outsourcing system-related tasks, users often tend to focus only on the user interface experience. As a result, the organization’s governance often fails to extend to the database area where the data is stored.

However, the court cases above show that these issues cannot be dismissed as "someone else's problem". Users should be aware that establishing a management system that accounts for the risk of information loss, such as taking backups, is ultimately an internal matter for the organization.

These cases also serve as a warning that failing to prepare for such risks can lead to irreversible situations, and that prevention is necessary.

Author and Editor in Chief: Managing Attorney Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. Served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage Startups.
