MONOLITH LAW OFFICE | +81-3-6262-3248 | Weekdays 10:00-18:00 JST

MONOLITH LAW MAGAZINE

IT

An Attorney's Explanation on Penalties and Statute of Limitations on the Japanese Act on Prohibition of Unauthorized Computer Access


As PCs and smartphones become more prevalent, and our dependence on the internet increases, cybercrimes such as unauthorized access are on the rise. The penalties and statutes of limitations for unauthorized access are stipulated in the Japanese Act on Prohibition of Unauthorized Computer Access and the Japanese Code of Criminal Procedure.

What penalties are imposed for violations of the Japanese Act on Prohibition of Unauthorized Computer Access? And, is there a statute of limitations for crimes that fall under violations of the Japanese Act on Prohibition of Unauthorized Computer Access?

What is the Japanese Act on Prohibition of Unauthorized Computer Access?

The Unauthorized Computer Access Law, or the Japanese Act on Prohibition of Unauthorized Computer Access, is a law enacted to prevent cybercrime, maintain order on the Internet through access control functions, and contribute to the healthy development of an advanced information and communication society. (Article 1)

The Act on Prohibition of Unauthorized Computer Access prohibits the following actions:

  • Unauthorized access (Article 3)
  • Acts that promote unauthorized access (Article 5)
  • Illegally obtaining or storing another person’s identification code (Articles 4 and 6)
  • Illegally demanding the input of another person’s identification code (Article 7)

Unauthorized access under Article 3 refers to “illegal login” and “security hole attacks”. An illegal login is an act of entering someone else’s ID and password without permission and logging into their SNS account, etc. A security hole attack is an act of attacking the security flaws in a computer connected to a network.

An act that promotes unauthorized access is providing someone else’s ID and password to a third party without that person’s consent, making unauthorized access to that account, etc., possible.

The act of illegally obtaining another person’s identification code is defined as the act of obtaining someone else’s ID and password, etc., in order to carry out unauthorized access. Also, the act of illegally storing another person’s identification code is to store someone else’s ID and password that has been illegally obtained in order to carry out unauthorized access.

The act of illegally demanding the input of another person’s identification code is what is commonly known as phishing. Phishing is the act of deceiving users and obtaining personal information such as IDs, passwords, and credit card numbers by inducing them to enter it on a fake site disguised as the real site of a financial institution, etc.

Penalties under the Japanese Act on Prohibition of Unauthorized Computer Access

If you engage in unauthorized access activities (Article 3), you will be sentenced to imprisonment for up to 3 years or fined up to 1 million yen (Article 11).

If you engage in activities that promote unauthorized access (Article 5), illegally acquire or store someone else’s identification code (Articles 4 and 6), or illegally request the input of someone else’s identification code (Article 7), you will be sentenced to imprisonment for up to 1 year or fined up to 500,000 yen (Article 12).

However, for activities that promote unauthorized access, if you provide someone else’s ID or password without knowing that it will be used for unauthorized access, you will be fined up to 300,000 yen (Article 13).

Punishments for violations of the Japanese Act on Prohibition of Unauthorized Computer Access apply even if you did not commit or intend to commit any crime other than unauthorized access. In other words, the act of unauthorized access will be the target of punishment. For example, in the case of “illegal login”, an unauthorized access activity, you will be penalized simply for entering someone else’s ID or password. You will be punished even if you did not misuse or leak someone else’s personal information after the illegal login.

Examples of Penalties for Violations of the Japanese Act on Prohibition of Unauthorized Computer Access

So, what kind of cases have resulted in guilty verdicts and penalties for violations of the Japanese Act on Prohibition of Unauthorized Computer Access?

Below, we introduce some actual examples.

Personal Information Leakage Incident due to Cyber Attack

A former university researcher was prosecuted for violating the Japanese Act on Prohibition of Unauthorized Computer Access by illegally obtaining personal information from the server of the Association of Copyright for Computer Software (ACCS). The trial was held at the Tokyo District Court, and the verdict was 8 months imprisonment, suspended for 3 years (prosecution demanded 8 months imprisonment).

He admitted to modifying the HTML for CGI form submission and accessing personal information files on the server. The issue was whether this act constituted unauthorized access. The presiding judge ruled that “normally, one would access the file in question by entering an ID and password from an FTP server, and access via CGI constitutes unauthorized access.”

He also presented attack methods on the site at a security event. He argued that he announced the method of unauthorized access in his presentation “to encourage server administrators to take security measures,” but the presiding judge stated, “Even if that was the purpose, it cannot be justified to announce it without giving the administrators a chance to correct it. Copycat offenders have also appeared, and it is clear that this hinders the development of an advanced information and communication society.”

The reason for the suspended sentence was that “there are many programs with similar security holes, and server administrators should take appropriate measures. The defendant has already received social sanctions and is working to prevent further expansion of the damage, such as checking whether personal information has leaked.”

He initially appealed the guilty verdict. However, the judge withdrew the appeal, resulting in the guilty verdict becoming final.

Unauthorized Access Incident to a University

A company employee was charged with crimes such as violating the Japanese Act on Prohibition of Unauthorized Computer Access for changing the password of the university network where he was enrolled and logging in illegally. The verdict was 1 year and 6 months imprisonment, suspended for 3 years (prosecution demanded 1 year and 6 months imprisonment).

The judge criticized the defendant for “impersonating other students and sending emails, changing course registrations, etc., causing actual harm and inconvenience.” On the other hand, execution of the sentence was suspended because he apologized to the university and showed an attitude of reflection.

Unauthorized Access Incident to a Celebrity’s Email and SNS

The verdict handed down to the defendant, who was charged with crimes such as violating the Japanese Act on Prohibition of Unauthorized Computer Access for illegally accessing the emails and SNS of multiple women and obtaining personal information, was 2 years and 6 months imprisonment, suspended for 4 years (prosecution demanded 2 years and 6 months imprisonment).

The judge pointed out that “there is absolutely nothing to consider in the motive and circumstances of unauthorized access by guessing the password just to see the personal information of women.” On the other hand, the judge explained the reason for the suspended sentence as “there is no previous conviction, and he has also received social sanctions such as dismissal.”

Customer Information Leakage Incident

A former employee of the system department of a securities company, who was charged with crimes such as violating the Japanese Act on Prohibition of Unauthorized Computer Access and theft for illegally obtaining about 1.48 million pieces of customer information of the securities company, was sentenced to 2 years imprisonment.

According to the verdict, the former employee entered the ID and password of another employee, illegally accessed the server where customer information was stored, obtained customer information, and stole three CD-Rs recorded with customer information and company overview information.

The judge handed down the verdict, taking seriously the fact that he stole and leaked the information with the intention of selling customer information and company overview information. Regarding the leaked customer information, the judge pointed out that “it contains highly private information such as workplace and annual income, which is difficult to convert into money,” and that it is impossible to evaluate it as the value of one CD-R.

Incident of Sending Emails Illegally by Misusing ID and Password

The verdict for the defendant, who was charged with crimes such as violating the Japanese Act on Prohibition of Unauthorized Computer Access and defamation for using the ID and password of a former partner without permission and sending emails illegally, was 2 years imprisonment, suspended for 3 years (prosecution demanded 2 years imprisonment).

According to the verdict, the defendant used the ID and password of a former partner, illegally accessed the server, and sent emails to the woman’s acquaintances as if he was in a romantic relationship with the woman, defaming the woman.

First Domestic Arrest for a Phishing Incident

A former company employee, who was charged with violating the Japanese Act on Prohibition of Unauthorized Computer Access for setting up a phishing site and stealing users’ personal information, was sentenced to 1 year and 10 months imprisonment, suspended for 4 years (prosecution demanded 2 years imprisonment).

The defendant was charged with violating the Copyright Law for infringing the copyright of the real site and violating the Japanese Act on Prohibition of Unauthorized Computer Access for misusing the personal information of users who accessed the fake site and illegally accessing the real site.

The verdict pointed out that “the responsibility for violating privacy is heavy,” but execution of the sentence was suspended because “a settlement has been reached with the victims, he is fully remorseful,” and “he has not used the obtained information to commit other criminal acts.”

Statute of Limitations for the Japanese Act on Prohibition of Unauthorized Computer Access

Violations of the Japanese Act on Prohibition of Unauthorized Computer Access fall under the category of crimes punishable by “imprisonment for less than five years or a fine”. Therefore, the statute of limitations for public prosecution is set at three years (Article 250, Paragraph 2, Item 6 of the Japanese Code of Criminal Procedure). The statute of limitations for public prosecution refers to the period within which a public prosecution can be initiated from the point when the criminal act has ended. It is important to note that if three years have passed, prosecution by a public prosecutor becomes impossible.

Summary: Consult a Lawyer to consider a Case on the Japanese Act on Prohibition of Unauthorized Computer Access

Crimes due to unauthorized access have been on the rise in recent years, and any company or individual using the internet is potentially at risk. Furthermore, the damage caused can often result in significant losses.

If you fall victim to a crime that violates the Japanese Act on Prohibition of Unauthorized Computer Access, you can file a criminal complaint, but the statute of limitations is three years. Therefore, if you discover unauthorized access, it is advisable to consult with a lawyer who is familiar with the Japanese Act on Prohibition of Unauthorized Computer Access as soon as possible.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
