Japan Ministry to Amend Data Security Rules As Breached Company Says 48.6M Affected

By Toshio Aritake 

Sept. 29 — Japan's Ministry of Economy, Trade and Industry (METI) will amend its guidelines implementing the Personal Information Protection Law, Minister Yuko Obuchi said Sept. 26 as she announced enforcement action against a company that faced the largest data breach in Japan.

The announcement came a day after Benesse Holdings Inc. released an independent investigation report concluding that the breach affected 48.6 million of its customers, more than twice the number of affected customers the company previously reported.

The company, which sells correspondence education programs for schoolchildren, initially reported July 9 that 20.7 million customers were affected (136 Privacy Law Watch, 7/16/14)(13 PVLR 1288, 7/21/14). On July 16, the company increased that number to 22.6 million customers (143 Privacy Law Watch, 7/25/14)(13 PVLR 1332, 7/28/14).

Obuchi didn't comment on the details of planned amendments to METI's data protection guidelines, but she said the changes would reinforce provisions related to data breaches and cybersecurity. She said the guidelines would be amended in 2015.

Enforcement Action 

Obuchi told reporters that METI instructed Benesse that it should reinforce its management structure to prevent the recurrence of the lax data security that allowed a former employee to download the personal information of customers and then transfer it to third parties.

METI said Benesse's lax data security safeguards and poor personal information management violated Article 20 of the Personal Information Protection Law.

Benesse also violated Article 22 of the statute by providing inadequate supervision of personnel, according to a METI spokesman.

Obuchi said that, as a result of confirming the violations, her ministry was issuing an administrative recommendation to Benesse's management to take measures for better protection of customer private information.

The recommendation included advising Benesse to take responsibility for the actions of its business partners.

The enforcement recommendation focused on the need for the company to reinforce its management attention to data security and ensure that its data protection administrative structure is in place, the METI spokesman said.

The enforcement action didn't include fines or other penalties.

Investigation Report Recommendations

METI's recommendations to Benesse are similar to those made in the independent investigation report released by the company.

That report said the company should:

  • contract with an independent information security company to prepare measures to reinforce the group's data security;
  • establish an alert system between all computer servers and client personal computers;
  • create and ensure the use of security and data protection manuals;
  • limit access to personal information; and
  • more closely monitor access and communication logs for its telecommunications and computer systems.

In addition, the company should clarify its organizational responsibility for protecting personal information, the report said.

To contact the reporter on this story: Toshio Aritake in Tokyo at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Full text of Benesse's breach report is available, in Japanese, at http://op.bna.com/pl.nsf/r?Open=dapn-9pfm7e.