Cybersecurity 2025

JAPAN Law and Practice Contributed by: Yoshifumi Onodera, Hiroyuki Tanaka, Naoto Shimamura and Rio Ichii, Mori Hamada & Matsumoto

• if there is a legal reporting requirement by law or regulation;
• if the operator has determined that an incident has had a serious impact on the lives of people or on the operator’s services and that information must be shared; and
• in other cases where the operator has determined that information must be shared.

Definition of Data Security Incident, Breach or Cybersecurity Event

The APPI stipulates mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights and interests are likely to be infringed (Article 26). The PPC Ordinance defines a data security incident or breach as the occurrence or possible occurrence of the leakage or loss of, or damage to, personal data. The details of the requirements are discussed below.

There is also a special rule for “my numbers” under the My Number Act. There is no general regulation imposing a mandatory reporting obligation for a cybersecurity incident that does not involve a personal data breach. However, various regulations generally mandate certain types of service providers to report an incident affecting their service to the authorities. This reporting obligation also covers cases where a service failure occurs as a result of a cyber-attack.

For example, under the Telecommunications Business Act, if an accident occurs and causes a suspension or deterioration of the quality of services for more than the prescribed number of hours and affects a certain number of users specified by the relevant ordinance, the telecommunications business operator must report the accident to the MIC. Furthermore, the MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers. Another example is financial institutions; many laws regulating the financial sectors oblige them to report material service failures to their supervisory authorities.

Data Elements Covered

Breach of data security is applicable to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 16.3), which is a collection of information (including personal information) that is systematically organised to enable a computer or some other means to search for particular personal information. However, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual’s rights and interests, considering how that collection uses personal information (Article 16.4). Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system.

The PPC Ordinance prescribes that a mandatory data breach report is required if a data breach includes personal data (excluding personal data protected by advanced encryption or other measures that are necessary to protect the rights and interests of the individual):
• containing “special care-required personal information”;
• that is likely to cause property damage if used inappropriately;
• that is likely to have been committed for an improper purpose (effective from 1 April 2024, personal information that is already collected or will be collected and is expected to be treated as personal data is also included in this requirement); or
• of more than 1,000 individuals.
