JAPAN Trends and Developments Contributed by: Yasushi Kudo, Yukiko Konno and Takayuki Inukai, Nagashima Ohno & Tsunematsu
NEXIA, directing them to implement measures to prevent a recurrence and to report on the implementation status. The content of this guidance, including the names of the companies, was made public.

In both cases, the incidents occurred at the outsourcee, and the authorities identified issues related to the maintenance of organisational security control measures. It is becoming increasingly difficult for large companies that outsource parts of their business handling personal information to third parties to manage the personal information on their own, and thus it is important to ensure that security control measures are implemented, including at outsourcees.

As mentioned above, in recent years there have been an increasing number of cases of administrative guidance and public announcements in response to leaks. Businesses that handle large volumes of personal data are likely to be more vulnerable to attacks and to risks of leakage and therefore must exercise caution because of the increased risk of administrative guidance, administrative order and public disclosure.

Civil risks

In 2014, a very well-known Japanese company (the “Company”) in the educational and publishing industry suffered a massive leak (the “Case”), in which an insider (a former employee of the outsourcee) appropriated the personal information of tens of millions of people and sold the information to a directory company. Over the past few years, a series of court judgments have been issued to determine civil liability in the Case.

Corporate responsibility

In the Case, numerous victims filed lawsuits for damages. The court stated that “regarding information security, necessary measures must
be taken in consideration of each company’s business, environment, risks, and suchlike” and noted that “a large amount of personal information from customers forms the subject of business activities, and in light of the general public perception of information management, close attention is to be paid to information security measures.” As a result, the court concluded that “the Company is in a position to pay close attention to information security measures, in light of the fact that it handles a large amount of personal information from its customers in its business activities and in light of the general public perception of information management”, and partially granted the plaintiffs’ (victims’) damages claims against the Company (Tokyo High Court, 17 March 2021, (Ne) No 102).

From this, it can be concluded that businesses handling large volumes of personal data have a heightened duty of care in terms of the security measures required to prevent information leaks of personal data. Therefore, such businesses are susceptible to the risk that a finding of either default (contract liability) based on a breach of the obligation to implement security controls or negligence based on foreseeability (tort liability) may be easily made. In particular, since foreseeability is more likely to be established in relation to known security risks, it is of paramount importance for companies to constantly collect the latest information and take technical countermeasures.

Liability of company officers

If the company were to post an extraordinary loss due to payment of a large amount of compensation for damages or loss in respect of operating profit, the officers could be accused by shareholders and others of violating their duty of care (Article 330 of the Companies Act and Article 644 of the Civil Code) due to the inad-