Incidents Alone Do Not Trigger Mandatory Notification in Japan
A recent analysis of Japan’s data breach notification requirements finds that an incident by itself does not necessarily trigger mandatory notification. Under the country’s Act on the Protection of Personal Information (APPI), organizations must notify affected individuals and the relevant authorities only where a data breach is likely to result in harm or disadvantage.
Determining Whether a Breach Constitutes a “Risk of Harm”
The APPI sets out specific guidelines for determining whether a breach constitutes a “risk of harm” that requires notification. This includes factors such as:
- The type and amount of personal information compromised
- The likelihood of the information being misused
- The potential impact on individuals
Sector-Specific Laws and Regulations
In addition to the APPI, certain sector-specific laws and regulations require organizations to report incidents to relevant authorities. For example:
- The Telecommunications Business Act (TBA) requires telecommunications companies to notify the Ministry of Internal Affairs and Communications (MIC) if an incident:
  - Compromises communications secrecy
  - Causes service disruptions or deteriorations for 30,000 or more users for over two hours
  - Meets other criteria set by the MIC
The Basic Act on Cybersecurity
The Basic Act on Cybersecurity imposes general obligations on operators of critical information infrastructure (CII operators) to ensure cybersecurity and to cooperate with cybersecurity measures set by national or local government. It does not, however, set out specific notification or reporting obligations.
Assistance and Incident Response
Organizations affected by a cyber incident in Japan can seek assistance from:
- The Information Technology Promotion Agency of Japan’s Cyber Rescue and Advice Team (J-CRAT), which provides technical help to victimized organizations
- The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), which coordinates cyber incident response with network service providers, security vendors, government agencies, and others
Consequences of Non-Compliance
Beyond the reporting obligations themselves, organizations that fail to comply with the relevant laws and regulations can face regulatory enforcement action, including fines and imprisonment. Individuals affected by a data breach may also bring tort claims for violation of their privacy rights under Japan’s Civil Code, or claims for breach of contract.
Further Information
For more information on Japan’s data breach notification requirements and incident response procedures, please see the accompanying Practice Note, “Cyber Incident Response and Data Breach Notification (Japan)”.