Cybersecurity 2025

JAPAN Trends and Developments Contributed by: Yasushi Kudo, Yukiko Konno and Takayuki Inukai, Nagashima Ohno & Tsunematsu

(ii), and to handle both at the same time and in a timely manner.

• (i) The situations that require reporting under the APPI (Article 26, paragraph 1 of the APPI) are when personal data has been leaked, etc (ie, leakage, loss, damage or other circumstances pertaining to the security of personal data) and there is a significant risk of harm to the rights and interests of individuals. Under the APPI, there are two types of reports: a preliminary report (promptly after learning of the situation); and a definitive report (within 30 days (60 days in certain cases) from the date of learning of the situation).

• (ii) The situations that require reporting under the TBA (Article 28 of the TBA) are: (a) when there is a leakage in respect of secrecy of telecommunications (eg, content of chats); (b) when there is a leakage of specified user information (eg, telecommunications account information) – in which case, only designated businesses are required to report; and (c) when a “threat” of such a situation arises. There are two types of reports under the TBA: a first report (promptly after becoming aware of the situation); and a detailed report (within 30 days).

In addition, as is common to both procedures, it is necessary to comply with the deadlines for submitting each of the above reports, and therefore it would be advisable to establish a response process in advance – ie, in normal times, prior to any such incident.

In addition, when submitting a report, it is necessary to (i) describe the status of implementation in respect of security control measures and supervision of contractors, and (ii) investigate the technical causes of the leak. With the increase in the number of cases of leakage, there is an inevitable increase in the number of cases necessitating the use of the reporting procedures, and thus the day when a report is required may come at any time. Therefore, it is important, regarding (i), to establish and conduct the appropriate security control measures and supervisory procedures in advance, and, regarding (ii), to establish relationships with security vendors who have the necessary capabilities to conduct the required investigations so that they can be immediately engaged when needed.

Risks in respect of disclosure of administrative guidance and recommendations

In addition, in recent years there has been an increase in the number of cases of public disclosure of administrative guidance, orders and the like, and therefore of de facto risks, such as reputational risks, that are not purely legal in nature.

• In 2023, NTT West discovered that an employee of a re-outsourcee had accessed the server where customer data was stored and had illegally appropriated customer data for about ten years. In response, in 2024, the PPC issued recommendations and administrative guidance to the outsourcee and the re-outsourcee, directing them to improve the inadequate organisational security control measures. In addition, the MIC issued administrative guidance to NTT West, directing it to review its supervision of its outsourced companies and strengthen its measures. The content of said guidance, including the name of the company, has been made public.

• In 2023, an incident occurred involving NTT DOCOMO and NTT NEXIA, whereby temporary employees of NTT NEXIA, NTT DOCOMO’s outsourcee for customer information management, appropriated personal data of a total of approximately 5.96 million people. In response, in 2024, the PPC issued administrative guidance to NTT DOCOMO and NTT
