JAPAN Trends and Developments Contributed by: Yasushi Kudo, Yukiko Konno and Takayuki Inukai, Nagashima Ohno & Tsunematsu
Handling status of breach notifications

In the second quarter of FY2024, there were 3,599 reports of breaches from businesses handling personal information. Of these, 1,087 cases (30.2%) stemmed from unauthorised access, including breaches caused by external cyber-attacks.

Overview of the exercise of monitoring and supervisory authority

During the second quarter of FY2024, it was reported that there were 87 cases in which the PPC gave administrative guidance and/or advice to private businesses. Of these, 70 cases related to security measures (Article 23 of the Japanese Act on Protection of Personal Information (APPI)) and supervision of contractors (Article 25 of the APPI), and 33 cases concerned delays in breach notification submissions. (Note: a single case may fall under multiple categories.)

Among the said 87 cases, 48 involved breaches due to unauthorised access. Excluding formal violations such as delayed reporting, administrative guidance on unauthorised access breaches was the most frequent course of action. The PPC gave the following reasons to explain this trend.

• Unlike cases such as the leakage of sensitive personal information, which require reporting even for a single incident, unauthorised access incidents often involve a large number of individuals (most unauthorised access cases involved breaches affecting over 1,000 individuals).
• These incidents were often linked to businesses failing to implement the necessary security measures that should have been in place as a matter of course.
Introduction

In 2024, as in previous years, numerous incidents involving the leakage of personal data occurred in Japan due to cyber-attacks such as ransomware and internal misconduct by outsourced contractors. In response, the Personal Information Protection Commission (PPC), the Japanese data protection authority, has decided to publish quarterly summaries of its supervision activities, detailing the content of its administrative guidance and advice. In this context, the PPC has focused on issues related to the “handling of large volumes of personal information”, identifying problems with security measures and the need for necessary and appropriate oversight of data processors. Taking into consideration past judicial precedents in Japan regarding data breaches, these insights provide valuable references in order for businesses managing significant volumes of personal information to assess the required security standards. This article highlights these developments and introduces trends in legal reforms surrounding cybersecurity in Japan.

Recent Enforcement and Administrative Guidance by the PPC

Since August 2024, the PPC has published quarterly reports summarising its “Overview of the Exercise of Monitoring and Supervisory Authority” and the “Handling Status of Breach Notifications” (as of the end of December 2024, the latest being the second quarter of FY2024). While the PPC has previously disclosed cases of administrative guidance or advice based on the severity of incidents, these announcements were limited in scope. The quarterly reports thus serve as valuable reference materials for businesses to understand the PPC’s enforcement policies on data breach incidents.
CHAMBERS.COM