Sept. 29 — Japan's Ministry of Economy, Trade and Industry (METI) will amend its guidelines implementing the Personal Information Protection Law, Minister Yuko Obuchi said Sept. 26 as she announced enforcement action against a company that faced the largest data breach in Japan.
The announcement came a day after Benesse Holdings Inc. released an independent investigation report concluding that the breach affected 48.6 million of its customers, more than twice the number of affected customers the company previously reported.
The company, which sells correspondence education programs for schoolchildren, initially reported July 9 that 20.7 million customers were affected (136 Privacy Law Watch, 7/16/14)(13 PVLR 1288, 7/21/14). On July 16, the company increased that number to 22.6 million customers (143 Privacy Law Watch, 7/25/14)(13 PVLR 1332, 7/28/14).
Obuchi didn't comment on the details of planned amendments to METI's data protection guidelines, but she said the changes would reinforce provisions related to data breaches and cybersecurity. She said the guidelines would be amended in 2015.
Obuchi told reporters that METI instructed Benesse that it should reinforce its management structure to prevent the recurrence of the lax data security that allowed a former employee to download the personal information of customers and then transfer it to third parties.
METI said Benesse's lax data security safeguards and poor personal information management violated Article 20 of the Personal Information Protection Law.
Benesse also violated Article 22 of the statute by providing inadequate supervision of personnel, according to a METI spokesman.
Obuchi said that, as a result of confirming the violations, her ministry was issuing an administrative recommendation to Benesse's management to take measures for better protection of customers' private information.
The recommendation included advising Benesse to take responsibility for the actions of its business partners.
The enforcement recommendation focused on the need for the company to reinforce its management attention to data security and ensure that its data protection administrative structure is in place, the METI spokesman said.
The enforcement action didn't include fines or other penalties.
METI's recommendations to Benesse are similar to those made in the independent investigation report released by the company.
That report said the company should:
In addition, the company should clarify its organizational responsibility for protecting personal information, the report said.
To contact the reporter on this story: Toshio Aritake in Tokyo at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Full text of Benesse's breach report is available, in Japanese, at http://op.bna.com/pl.nsf/r?Open=dapn-9pfm7e.