Shostack + Friends Blog Archive

 

Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains:

In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 and chapters 4 to 6 effective April 1 2005) (the “PIPA”), establishes the basic principle regarding the fair handling of personal information and regulates the handling of Personal Information[1] by business operators (“Information Handlers”).

A presentation by Morrison & Foster, “Data Security and Incident Notification: The Impact of Foreign Law” tells us:

You may have obligations under Japanese privacy law if:

  • You are affiliated with a Japanese company or institution.
  • You use or have access to employee or student information maintained in Japan.
  • A Japanese institution with which you are involved, for example, in a study-abroad program enters into a contract with you, according to which you assume privacy obligations under Japanese law.

To date, I’m aware of breach disclosure laws in 38 US states and Japan. Are there others?

5 comments on "Japanese Breach Disclosure Law"

  • Migel says:

    so how you’d briefly explain what a “Breach Disclosure Law” is?

  • Chris says:

    “Although the PIPA requires Information Handlers to take certain measures to keep Personal Data[2] secure from such events as leakage, loss or damage (PIPA, Art. 20), it does not expressly require Information Handlers to generally disclose security breaches
    Emphasis mine

  • Adam says:

    Chris, you’re right, but it does allow ministries to define more stringent rules. Which I think is perhaps why we see so many disclosures from Japan.

  • Chris says:

    Sorry if I sounded snarky.
    I put Japan in with the UK. Nothing like our state laws, but they have stuff on the books that in some instances gets the job done (or could). I am thinking of the FSA’s power in the UK when I say this.
    It’s hard for me to be enthusiastic about half-measures when, in the UK at least until they gave up PII on half the population, the government actually disregarded the advice of their own expert panels — repeatedly.
    I realize you’re talking about Japan, but I am concerned that absent clear guidance, leaving it to ministerial choice gets you little.

  • Adam says:

    There’s no snarking on this blog.
    More seriously, I think you may be applying US experience to Japan. There, ministerial guidance may be enough. It’s not clear (to me) if disclosures are actually much higher, and only a small fraction are being translated into English.

Comments are closed.