JAPAN Law and Practice Contributed by: Yoshifumi Onodera, Hiroyuki Tanaka, Naoto Shimamura and Rio Ichii, Mori Hamada & Matsumoto
• obtaining, supplying or storing someone else’s identification code without legitimate reason (Articles 3, 4, 5 and 6); and
• phishing or creating a false impression of being the network administrator concerned and requesting identification codes (Article 7).

The Penal Code prohibits:
• the creation of false electromagnetic records that are related to rights, duties or the certification of facts (Article 161–2);
• fraud by using computers (Article 246–2);
• the destruction of electromagnetic records in use by a public office or concerning private rights or duties (Articles 258 and 259);
• the obstruction of a business by damaging its computers or electromagnetic records or causing them to operate counter to their original purpose (Article 234–2); and
• the creation, provision, acquisition or storage of a computer virus (Articles 168–2 and 168–3).

The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41.6 (iii)) and to report serious breaches to the Ministry of Internal Affairs and Communications (MIC).

The Installment Sales Act requires businesses who handle credit card numbers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to those credit card numbers (Article 35–16).

The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to information pertaining to their respective businesses (Articles 21, 49 and 63–8).

Sector-specific regulators impose additional information security obligations on some industries including the financial and healthcare industries. For the financial sector, the Financial Services Agency (FSA) issued the Comprehensive Guidelines for the Supervision of Major Banks, which provide for cybersecurity obligations of financial institutions. For details on cybersecurity guidelines in finance, see 3. Financial Sector Operational Resilience Regulation. As for the healthcare industry, an enforcement order on the Medical Care Act requires hospitals, clinics and birthing centres to take appropriate steps to ensure cybersecurity (Article 14.2) and an enforcement order of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices also requests pharmacies to do the same (Article 11.2).

Further, various ministries have issued other relevant guidelines:
• the Ministry of Health, Labour and Welfare (MHLW) issued the “Guidelines on Safety Management of Medical Information Systems” (last amended in May 2023);
• the Ministry of Economy, Trade and Industry (METI) and MIC jointly issued the “Safety Management Guidelines for Providers of Information Systems and Services Handling Medical Information” (last amended in July 2023);
• the MIC published comprehensive measures for the security of the internet of things (IoT) (July 2016); and
• the MIC published guidelines on the application of the Telecommunications Business Act to reports of serious accidents (volume 7, December 2023).