JAPAN Trends and Developments Contributed by: Masanobu Hara and Masashi Kobayashi, TMI Associates
Based on the judgment of the case, not only the business operator and engineer who made the update, but also the autonomous vehicles manufacturer, etc, may be liable for tort under Article 709 of the Civil Code if the manufacturer did not take the action mentioned in the points above when the defect was identified. Vulnerability of Cybersecurity and “Defects” The term “defect” as used in the PLA means a lack of safety that the product should ordinarily provide, taking into account the nature of the product, the ordinarily foreseeable manner of use of the product, the time when the manu - facturer delivered the product and other circum - stances concerning the product (Article 2 (2) of the PLA). Under the Product Liability Law Vulnerability of cybersecurity Regarding the concept of “safety” here, defects in quality and performance that are unrelated to safety are understood to be outside the scope of the PLA. There is no judicial precedent directly ruling whether a cybersecurity vulnerability in a prod - uct constitutes “defect” under the PLA. How - ever, there are cases in which contractual liability for default or tort liability was pursued on the grounds of security vulnerability (Tokyo District Judgment, 23 January 2014 – The hanreijiho No 2221, p 71). In the above case, regarding a contract for the design and maintenance of an order-receiving system on a website, the existence of con - tractual liability for default was a material issue because of the vulnerability of the application, produced by the defendant, which caused the leak of credit card information.
The court held that “Since the defendant entered into the System Ordering Agreement on Febru- ary 4, 2009, and received the order for the Sys- tem, it was implicitly agreed to provide a program with security measures in accordance with the technical level at that time” . On that basis, the court affirmed the defendant’s responsibility for defaulting on the fact that it did not implement countermeasures against SQL injection attacks, which is a typical attack meth - od announced by the METI and the Information- Technology Promotion Agency, Japan, etc. Taking this case as a reference, it is conceivable that there is room to remedy “defect” under the PLA when both security measures are not imple - mented in accordance with the technical level at the time of the delivery, and when, if safety is lacking, further damage is caused as a result. In the event of an accident due to hacking of the autonomous operation system Cybersecurity can also be an issue in autono - mous systems. For example, let us assume that an accident occurs when a vehicle is operated by a third party, who has hacked an autonomous driving system, and has no relationship with the driver or the vehicle owner. In this case, an acci - dent would not be due to the negligence of the owner or driver of the vehicle, and it would be difficult to hold them liable. For this reason, the MLIT study group has found that the situation would be the same as in the case of vehicle theft. In other words, in regard to accidents caused by stolen vehicles, the Auto - mobile Liability Security Act prescribes that damages will be compensated for by the Gov - ernment’s Program Guaranteeing Compensation for Automobile Accidents, and that the owner of the vehicle will not be held liable as a person that
176 CHAMBERS.COM
Powered by FlippingBook