JAPAN Trends and Developments Contributed by: Yasushi Kudo, Yukiko Konno and Takayuki Inukai, Nagashima Ohno & Tsunematsu
Causes of unauthorised access and content of administrative guidance

For unauthorised access incidents in the second quarter of FY2024, the causes and the types of attack were analysed as follows.

• By cause: (a) software vulnerabilities: 27 cases (including VPN: six, e-commerce sites: five); (b) weak ID/password protection: 22 cases; and (c) misconfigured access controls: 16 cases.
• By type of attack: (a) brute-force attacks: 12 cases; (b) cross-site scripting: six cases; (c) SQL injection: four cases; and (d) ransomware: 21 cases.

Most of the inadequacies in security measures identified in FY2024 concerned technical safeguards. In the second quarter, the most common administrative guidance related to the requirement of “preventing unauthorised external access” (42 cases), followed by “identification and authentication of users” (eight cases). The primary causes of breaches included:

• known vulnerabilities in VPN devices, or in applications used to build e-commerce sites, that businesses had left unaddressed;
• easily guessable IDs and passwords; and
• misconfigured system settings allowing improper access to databases.

Such inadequacies in security measures often led to enforcement action by the PPC.

Implications for businesses

The PPC’s reports provide detailed case studies, including the specifics of the incidents and of the deficiencies addressed in its administrative guidance, offering valuable insights for practical countermeasures. Businesses in Japan, especially those handling substantial volumes of personal information, should review these reports regularly. They should also continuously update their technical security measures and implement robust oversight frameworks for contractors.

Practical Measures to be Taken by Companies in the Event of a Data Breach

Procedures for reporting leakages and the like

In Japan, upon the occurrence of a leakage or the like in respect of personal data, it is in principle necessary to report the incident to the authorities. In this regard: (i) for personal data, under the APPI the occurrence must be reported to the PPC (however, in certain industries the leakage or the like must be reported to the competent ministry, such as the Ministry of Internal Affairs and Communications (MIC)); and (ii) for information to which the secrecy of telecommunications applies and/or which is specified user information, under the Telecommunications Business Act (TBA) the occurrence must be reported to the MIC. In addition, (iii) in the case of listed companies, timely disclosure under the rules established by each securities exchange in Japan and/or disclosure through an extraordinary report under the Financial Instruments and Exchange Act may be required in the event of a major incident. In such cases, careful consideration should be given to the scope of the information disclosed, so that the perpetrators of the incident or other persons cannot use it to cause further damage. Reports under (i) and (ii) differ in scope, procedure and institutional purpose. In the event of a leakage or the like, it is important to be aware of the difference between (i) and