1 Legal framework
1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?
These concepts are not legally distinguished.
'Cybersecurity' is defined by the Basic Act on Cybersecurity (the 'BAC') essentially as the taking and maintaining of measures to manage data safely, such as preventing security breaches or the loss or damage of data, and guaranteeing the safety and reliability of information and telecommunications systems and networks. This definition is so extensive that it overlaps considerably with 'data protection' under the Act on the Protection of Personal Information (the 'APPI') described below and 'trade secret protection' under the Unfair Competition Prevention Act (the 'UCPA'). Moreover, that definition includes countermeasures against not only cyber attacks but also system failures.
While the term 'Data protection' is not legally defined, it is often used in conjunction with personal information protection under the APPI and the right to privacy that is recognized and protected by case law as a constitutional right. The right to privacy is the right of a person to not have their private information disclosed to a third party or made public without good reason.
'Cybercrime' is not legally defined, but according to The White Paper on the Police (Keisatsu Hakusho) issued by the National Police Agency, the police generally interpret that term as referring to the crime of violating the Act on the Prohibition on Unauthorized Computer Access (the 'UCAL'), or a crime involving computer and electromagnetic records and other crimes that use advanced information and telecommunications networks.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
Cybersecurity. The BAC does not impose any specific obligations on private companies. Rather, statutory and regulatory provisions that address Cybersecurity as defined in the BAC are scattered across various laws. While it is difficult to comprehensively list all relevant laws, one of the key laws is the UCPA, which protects trade secrets and other valuable data defined as 'Data for Limited Provision' (Gentei Teikyo Data) (Article 2).
Data protection. A personal information handling business operator must take necessary and appropriate actions for the security control of personal data that it is handling, including preventing the leakage, loss or damage of personal data (APPI, Article 23).
Cybercrime. Various cybercrimes are regulated under several laws. Articles 168-2 and 168-3 of the Penal Code impose criminal sanctions on any person who creates, provides, uses or stores 'Improper Command Records', which refers to electronic records that give improper commands, such as a computer virus or a malware, to a computer (fusei shirei denji-teki kiroku). The UCAL imposes criminal sanctions on any person who accesses a computer without authorization. The UCPA imposes criminal sanctions on persons who illegally acquire, use, or disclose trade secrets. The APPI imposes criminal sanctions on any person who illegally uses or discloses any personal information database.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Certain cyber laws and guidelines apply to critical infrastructure of certain businesses, such as financial services and healthcare. In addition, so-called Critical Information Infrastructure Operators are required to make an effort to deepen their interest and understanding of the importance of cybersecurity, and to voluntarily and proactively ensure cybersecurity for the purpose of providing services in a stable and appropriate manner (BAC, Article 6). Article 3(1) of the BAC defines 'Critical Information Infrastructure Operators' as operators of businesses that provide any infrastructure which is foundational to people's lives and economic activities and the functional failure or deterioration of which could significantly impact that infrastructure.
The Cybersecurity Strategy Headquarters (the 'CSHQ'), established under Article 25 of the BAC to promote Japan's cybersecurity measures, formulated the Cybersecurity Policy for Critical Infrastructure Protection as a non-mandatory guideline which designated 14 critical infrastructure areas under its coverage. These 14 areas are information and communication, financial services, aviation, airport, railway, electric power, gas supply, government and administrative supply, medical, water, logistics, chemical, credit card, and petroleum.
Information which is particularly necessary to be kept secret as part of national security is protected under the Act on the Protection of Specially Designated Secrets.
The Act on the Promotion of National Security through Integrated Economic Measures (the 'Economic Security Promotion Act') was passed in May 2022. This act introduces four main matters: (i) ensuring the stable supply of critical materials, (ii) ensuring the stable provision of essential infrastructure services, (iii) supporting the development of advanced critical technologies, and (iv) suspension of the disclosure of patent applications. The first and the third matters are already enacted. The remaining matters will be effective in multiple stages but no later than 18 May 2024.
In June 2020, the Information System Security Management and Assessment Program ('ISMAP') commenced. The purpose of ISMAP is to ensure security in governmental cloud service procurement by evaluating and registering cloud service that meets the security requirements of the government, thereby contributing to the smooth introduction of cloud services. This system is based on the Federal Risk and Authorization Management Program (FedRAMP) of the United States.
Cloud services that are the subject of an application for registration and that meet the requirements under ISMAP are listed and published. In principle, governmental agencies are supposed to select from this list when procuring cloud services. This system is intended for governmental agencies, but it is expected that the private sector will also refer to it to promote the proper use of cloud services in Japan.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The APPI applies to personal information. It also protects what is referred to as special care-required personal information by imposing additional restrictions, such as requiring consent before it may be obtained. A 'special care-required personal information' is defined by Article 2(3) of the APPI as personal information comprising a principal's race, creed, social status, medical history, criminal record, fact of having been victim of a crime, or other information the handling of which has been prescribed by cabinet order as requiring special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.
For health information, in addition to the APPI, there are guidelines which provide special data protection rules.
For financial information, in addition to the APPI, there are business-related laws and guidelines which provide special data protection rules.
Classified information is protected under the Act on the Protection of Specially Designated Secrets.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Cybersecurity. The BAC does not have extraterritorial reach.
Data protection. If a personal information handling operator processes, in a foreign country, personal information the data subjects of which are located in Japan and which relates to the provision of goods or services to a person located in Japan , the main provisions of the APPI apply to the operator directly (APPI, Article 171).
Cybercrime. In general, if the effect of a crime occurs in Japan, criminal penalties may be applied, even if the crime was committed overseas. The Penal Code and the UCAL apply to anyone who commits a crime which is governed by a treaty even if the crime is committed outside the territory of Japan (Penal Code, Article 4-2; and UCAL, Article 14). Therefore, the Penal Code and the UCAL apply if a server or a person in Japan suffers damage from cyber attacks initiated from overseas. In addition, the UCPA and the APPI have extraterritorial reach (UCPA, Article 21(6), (7) and (8); and APPI, Article 183).
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Yes.
Data protection. Japan has recognized EEA member countries and the UK as foreign countries with systems for the protection of personal information that are deemed to be at the same level as Japan (APPI, Article 28), and the EU and the UK have recognized that Japan ensures an adequate level of protection (See Article 45 of the EU General Data Protection Regulation). Hence, an international data transfer from Japan to EEA member countries and the UK is free from additional regulations under the APPI specific to data transfer to third parties outside Japan. Data transfer from EEA member countries and the UK is free from certain international data transfer regulations under the GDPR and each local law; however, a data importer subject to the APPI must follow supplementary rules stipulated by the Personal Information Protection Commission ('PPC').
Cybercrime. Japan is a signatory to the Convention on Cybercrime (2001 Budapest Convention). In 2011, Japan established substantive and procedural domestic laws under the convention. Japan ratified the convention in 2012. In addition, Japan has signed a Mutual Legal Assistance Treaty ('MLAT') with each of the United States, South Korea, China, Hong Kong, the EU, and Russia to collect and obtain evidence in those other countries.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
Any person who creates, provides, or uses Improper Command Records, such as a computer virus or a malware, is subject to imprisonment of up to 3 years or a fine of up to JPY 500,000 (Penal Code, Article 168-2), and any person who obtains or stores Improper Command Records for the purpose of using such records is subject to imprisonment of up to 2 years or a fine of up to JPY 300,000 (Id., Article 168-3).
Hacking is considered to be unauthorized access under the UCAL and is punishable by imprisonment of up to 3 years or a fine of up to JPY 1,000,000. Article 7 of the UCAL prohibits phishing, which is subject to imprisonment of up to 1 year or a fine of up to JPY 500,000 (UCAL, Article 12).
Any person who illegally acquires, uses, or discloses trade secrets is subject to imprisonment of up to 10 years or a fine of up to JPY 20,000,000, and a corporation whose employee commits the crime in the course of performing his duties as an employee is also subject to a fine of up to JPY 500,000,000 (UCPA, Articles 21(1) and 22(1)).
Any person who illegally uses or discloses a personal information database is subject to imprisonment of up to 1 year or a fine of up to JPY 500,000, and a corporation whose employee commits the crime in the course of performing his duties as an employee is also subject to a fine of up to JPY 100,000,000.
2 Enforcement
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
Japan does not have a civil penalties system for violations of cyber laws and regulations. Other economic sanctions, except for criminal penalties, that may be imposed by authorities include administrative surcharges and fines. However, they are not imposed in the case of violations of the provisions listed in question 1.2.
As for Cybersecurity, the CSHQ and its secretariat, the National center of Incident readiness and Strategy for Cybersecurity ('NISC'), are responsible for the promotion of Cybersecurity policy. Note, however, that while the NISC has the authority to oversee government agencies, it does not have jurisdiction over private companies.
On the other hand, the PPC, in principle, has enforcement powers through measures such as the issuance of guidance, advice, and recommendations, and orders, and the collections of reports from subject entities,.
Prosecutors and the police have the power to enforce laws against cybercrime by conducting investigations and arrests. Criminal penalties are usually imposed only on individuals (e.g., directors, officers, and employees), but some special provisions impose criminal penalties on corporations (ryobatsu-kitei).
The application of laws overseas is described in question 1.4. In addition, in order to collect and obtain evidence from foreign countries, Japan entered into MLATs and the Convention on Cybercrime in order to ask certain governments for assistance, as described in question 1.5.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Yes. If a company is subjected to a cyber attack and leaks personal data, the data subject can file a claim for damages against the company under tort or contract theory. In addition, if specific actions of directors, officers, or employees cause damages to data subjects, the directors, officers or employees may be personally responsible for the damage. It is also possible to pursue the liability of directors and officers in what is referred to in Japan as a shareholder representative lawsuit, assuming that the company suffered from damages due to the negligent actions of the directors and officers.
2.3 What defences are available to companies in response to governmental or private enforcement?
With respect to defences against administrative guidance, advice, or recommendations in accordance with Article 36-2 of the Administrative Procedure Act, if the guidance, advice, or recommendations do not conform to the requirements set forth in the law, the affected entity has the right to request the administrative agency to discontinue that guidance, advice or recommendation.
Regarding defences against administrative orders, the subject of the order, whether an individual or a corporate, may file a complaint under the Administrative Complaint Review Act or a lawsuit to seek the revocation of the order under the Administrative Case Litigation Act.
In addition, another defence that companies may raise in an action described in question 2.2 is denial of negligence in the case of tort claims or denial of breach in the case of claims based on breach of contract.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Cybersecurity. On March 17, 2023, Maebashi District Court awarded Maebashi city approx. JPY 140 million in compensation in a lawsuit where the city sued a system vendor. The city alleged that the vendor failed to set up security equipment appropriately, which resulted in unauthorized access to the city and caused a data breach of approx. 47,000 public school students. The system vendor appealed to the Tokyo High Court.
Data protection. In 2014, an employee of a system vendor secretly copied and sold personal information of 48,580,000 individuals at Benesse Corporation, one of the largest private distance-learning companies for children in Japan. Some of the affected data subjects filed multiple lawsuits against Benesse for damages on the ground that Benesse had problems with information security management. Some of the lawsuits were commenced by groups consisting of numerous plaintiffs. Some of the cases ended with court judgements awarding the plaintiffs JPY 1,000 or 3,300 in compensation, but several of the cases are still pending. In addition, a shareholder representative lawsuit was filed to hold the officers of Benesse liable, but this case was dismissed.
Cybercrime. In the Benesse data breach above, the person who illegally removed the personal information was sentenced to imprisonment of 2 years and 6 months and a fine of JPY 3,000,000 for violating the UCPA in March 2017.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
In June 2022, an employee of a service provider lost a USB memory stick containing the personal data of all Amagasaki city residents (approx. 460,000). The background is that the service provider hired by Amagasaki city secretly outsourced the work to another system vendor in violation of the procurement contract, and the second vendor further outsourced the work to another vendor. An employee of the service provider, to perform the work, saved the resident data in the USB memory stick and carried it out without taking the necessary procedures. However, in the midst of performing his duty, the employee went for a drink, drank too much and slept on a street at night. Upon awaking, the employee discovered that their bag, containing the USB memory stick, was missing. Fortunately enough, the bag was found two days later nearby and the USB memory stick was retrieved. After investigation, Amagasaki city concluded that no one accessed the data in the USB memory stick. The PPC gave guidance to the service provider for improvements in the way personal data is processed.
In October 2021, Handa Hospital, operated by Tsurugi town, was the subject of a ransomware attack, and in October 2022, Osaka General Medical Center, operated by Osaka prefecture, was also subject to a ransomware attack. Their operations were significantly suspended for a couple of months. Taking these incidents into consideration, the Enforcement Regulations on the Medical Care Act was updated on 1 April, 2023, to newly require that hospitals take appropriate actions to ensure cybersecurity.
Regarding major data breaches, see question 3.1 (regarding the 2014 Benesse incident). In addition, in a December 2019 incident affecting Kanagawa Prefecture, the prefecture engaged a contractor to dispose of HDDs, but an employee of the contractor secretly carried away and sold a part of the HDDs at an internet auction even without taking necessary steps to securely erase the HDDs data. The breach involved a total of 18 HDDs and up to about 54 terabytes of data.
As of this writing, there have been no recent notable events relating to major cyber related innovation or technology development.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
The Ministry of Economy, Trade and Industry and the Information Technology Promotion Agency ('IPA') jointly released the 'Cybersecurity Management Guidelines'. The guidelines cover specific industries and summarize what managemental personnel need to be aware of and what they should direct the person in charge of Cybersecurity to do to protect the company from cyber attacks. The guidelines updated to version 3.0 in March 2023.
The Ministry of Internal Affairs and Communications, the NISC, the National Police Agency, and the Ministry of Economy, Trade and Industry jointly published 'Guidance on Sharing and Publicizing Information on Cyber Attack Damage' on March 8, 2023 to promote the smoother sharing of cyber attack information.
In the financial industry, the Center for Financial Industry Information Systems ('FISC') published the 'FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions' to promote security measures for financial institutions.
As a reference, the Cybersecurity strategy which was formulated by the government of Japan under the BAC will promote the 'Proactive Cyber Defense' policy. This involves the sharing and utilization of information on cyber threats and information on vulnerabilities.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
The CSHQ and the NISC jointly issued the Common Standards on Information Security Measures of Governmental Entities as voluntary guidance under Article 26(1) of the BAC. The standards are a unified framework for improving the level of information security of governmental entities and define the baseline for information security measures to ensure a higher level of information security.
As for other formulated voluntary guideline by governmental agencies, see question 4.1.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
Directors of large companies must determine relevant matters concerning the establishment of an internal control system (i.e., a risk management system based on the size and characteristics of the company's business), which includes a system to ensure Cybersecurity. If company directors have not determined such matters, for example, if the internal regulations concerning Cybersecurity have not been put in place at all, they may be deemed to be in violation of this obligation.
In addition, if company directors, including those in small- or medium-sized companies, do not take appropriate Cybersecurity measures to prevent their companies from causing undue damage, they may be in violation of their duties of due care and loyalty.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
Publicly listed entities are subject to the Financial Instruments and Exchange Act and the Securities Listing Regulations which are self-regulations, in addition to the Companies Act. These regulations cover, among others, information disclosure about Cybersecurity in relation to proactive cyber compliance.
Listed companies are required to submit securities reports describing important matters related to their business each business year. These important matters include risks related to their business, so it is also possible to describe risks related to Cybersecurity. Further, the security report addressing a business year ending on and after 31 March 2023 should include an explanation about their approach and initiative regarding sustainability, and the Financial Services Agency suggests that such explanation may include matters regarding cybersecurity and data security.
In addition, companies applying for new listing are required to submit a report on corporate governance under the Securities Listing Regulations, and if there is a change in the contents of the report, the applicant must revise and resubmit the report. Since this report describes the basic concepts and development status of a company's internal control system, it is conceivable that Cybersecurity matters will be described as part of the internal control system.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
There are several information sharing systems on Cybersecurity, such as the following.
(1) Cyber Security Council
This is a statutory information sharing system organized under the amended BAC described in question 3.2. The Cyber Security Council aims to share information among a wide range of entities beyond the boundaries of each industry and the public and private sectors.
(2) J-CSIP
IPA launched the 'Initiative for Cyber Security Information sharing Partnership of Japan ('J-CSIP') in 2011, which shares information on targeted e-mail attacks, focusing on manufacturers of equipment used in critical infrastructure such as heavy industry and heavy electric power.
(3) ISAC
In each industry, the setting up of so-called Information Sharing and Analysis Centers ('ISAC') is gradually increasing in various industries for the purpose of gathering, analysing and sharing information across such industries. For example, ICT-ISAC Japan, Financials ISAC Japan, and Japan Electricity ISAC are active working centers.
(4) CISTA
The Japan Computer Emergency Response Teams Coordination Center ('JPCERT/CC') provides information about Cybersecurity threats, analysis and countermeasures as a form of early warning information through the portal site 'Collective Intelligence Station for Trusted Advocates' ('CISTA') to organizations that provide infrastructure, services and products that have a great impact on the social activities of the Japanese people.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Data protection. A business operator which causes a certain breach of personal data must submit a report of the data breach incident to the PPC and notify the affected data subjects if the data subjects' rights and interests are likely to be infringed.
Cybersecurity. If cyber incidents occur, mandatory notification is not required. But as a form of voluntary notification, under the Cybersecurity Policy for Critical Infrastructure Protection formulated by the CSHQ, critical infrastructure operators are encouraged to report information system failures, including signs of these failures and cyber incidents which threaten confidentiality, integrity, and availability of information, to the NISC through competent ministries and agencies.
In addition, in the financial industry, guidelines require financial companies to report data breaches. In the telecommunications industry, if a serious accident including a cyber incident occurs, the business operation must report the incident without delay to the Minister for Internal Affairs and Communication (Telecommunications Business Act, Article 28). Similar duties apply to a few other industries.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Regarding data protection, if there is a breach of personal data held by a business operator and the data subjects' rights and interests are likely to be infringed, the operator must submit a report to the PPC and notify the affected data subjects as described in question 5.1. The reporting obligation is two-staged; when a business operator recognises that a data breach happens, it must promptly submit an initial report on the matters known at the time of reporting, and it must submit a final report within 30 days (60 days in the case of a data breach caused by wrongful intent). If the breached data is under advanced encryption, there is no obligation to submit a report to the PPC.
Furthermore, if mandatory reporting to the PPC is required, the operator must notify the affected data subjects unless such notification is difficult and alternative measures are taken.
In addition, some industries, such as the financial industry, are subject to special regulations.
5.3 What steps are companies legally required to take in response to cyber incidents?
If a business operator intentionally or negligently causes a data breach and damage to a data subject, it must, under the Civil Code, compensate for damages caused by the data breach. In addition, the guidelines of the PPC require the operator to report the incident to a responsible person and take measures to prevent the spread of harm, investigate the facts and the cause, identify the scope of impact, and consider and implement measures to prevent recurrence.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
If a company does not have an established policy regarding its internal control system for information management, and a cyber incident occurs and the company suffers damages, the corporate directors and officers may be liable for damages, including damages incurred by the company.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Cyber insurance is gradually becoming recognized in Japan, but the enrolment rate of companies is not high. According to a survey conducted by the General Insurance Association of Japan ('GiAJ') in 2020, about 49% of large companies and 47% of small- and medium-sized companies responded that they are aware of the availability of cyber insurance, but only about 8% of large companies and about 7% of small- and medium-sized companies answered that they have taken cyber insurance.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The regulation for ensuring the stable provision of essential infrastructure services pursuant to the Economic Security Promotion Act will fully come into force by February 2024.
The government started a discussion to introduce a system of security clearance from February 2023.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
(1) CISO
Management understanding of the role of a Chief Information Security Officer ('CISO') is not well established. Although company management is recognizing that each company should address Cybersecurity as an organization, in many cases, company policies are vague and do not identify specific issues. In addition, the role, tasks, duties and obligations of CISOs seem to be vague; thus, there is a risk that organizational measures are not being promoted. In this regard, it is necessary for companies to clearly assign the work content, responsibility, and authority to a CISO, and then establish communication links between management and the CISO.
(2) Lack of human resources
In order to promote Cybersecurity measures, it is necessary to have secure resources relating to persons who can qualitatively and in sufficient numbers become CISOs or who can support CISOs. But it is generally not clear how much budget and what kind of human resources are needed. Thus, many companies are struggling to secure human resources. In order to address the problem, it is necessary to build a model of security personnel, and to design a working internal CISO system such as career path formation, evaluation, and salary.
(3) Appropriate evaluation of security operation status
An increasing number of companies are preparing internal regulations to promote Cybersecurity measures. However, only a few companies are conducting exercises and training to check whether their measures are operating properly. Therefore, it is necessary to strengthen countermeasures by reviewing internal rules, and conducting exercises and training, vulnerability diagnoses, penetration tests, and internal audits as regular check activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
