Most critical infrastructure business operators are private entities, so imposing excessively strict obligations on them risks pushback owing to the huge expenses and manpower that ensuring cybersecurity would require of them. In this regard (see question 22), it can be said that this issue has been resolved by the Basic Cybersecurity Act being premised on furthering the voluntary efforts of private business operators, while limiting their obligations merely to making an effort to improve the security of their systems. In addition, pursuant to the Basic Cybersecurity Act, the position of the Cyber Security Strategy Headquarters (headed by the Chief Cabinet Secretary) as an organisation performing a control tower function across ministries and agencies has been made legally clear, allowing the Cyber Security Strategy Headquarters to fulfil its role more effectively (as outlined in Chapter 4 of the Basic Cybersecurity Act). Much attention continues to be paid to the effective measures to be taken hereafter by the state in relation to cybersecurity under the leadership of the Cyber Security Strategy Headquarters.
The specific measures that are currently being considered concerning cybersecurity include the following.
The FSA is currently considering and intends to reach a conclusion concerning issues such as the possibility of cyberattack-related incidents taking place at listed companies and indicating such possibilities to investors as business risks, etc, referring to the practices of the US Securities and Exchange Commission. With regard to the said issues, the FSA is also considering and intends to reach a conclusion concerning possible incentives for furthering the disclosure of such incidents. The Ministry of Economy, Trade and Industry (METI) is now working on establishing Cybersecurity Management Guidelines that will describe desirable cybersecurity measures, set forth an organisational framework, including the appointment of a Chief Information Security Officer, and describe technical measures and information disclosure methods, etc.
In view of increasing threats to cybersecurity, the Basic Cybersecurity Act has been partly amended (promulgated on 21 October 2016) to fundamentally reinforce the countermeasures taken by the national administrative organs. More specifically, under the amended Act, the scope of parties to be evaluated by the national government in terms of cybersecurity measures has been expanded to cover special corporations and authorised corporations (in addition to the central government and incorporated administrative agencies that had already been covered under the pre-amended Act). Further, the scope of parties whose information systems will be monitored and analysed by the national government to deal with wrongful activities targeting the same has been expanded to cover incorporated administrative agencies, special corporations and authorised corporations (in addition to the central government that had already been covered under the pre-amended Act). Such amendments were triggered by an incident made public in June 2015 wherein there was a cyberattack on the Japan Pension Service (a special and authorised corporation) resulting in the leakage of approximately 125 million items of personal information. In relation to such amendments, the Act on Promotion of Information Processing was also amended, and a national qualification system of cybersecurity specialists (registered information security specialists) has been newly established.
Additionally, the Unfair Competition Prevention Act, which regulates the wrongful acquisition of trade secrets, has been amended in view of factors such as the expansion of cyberspace (with the rapid spread of cloud computing) and the development of technologies enabling the wrongful acquisition of information (including cyberattacks), and also considering the purpose of the Basic Cybersecurity Act.
Under the amended Unfair Competition Prevention Act, promulgated on 1 January 2016, regulation on the wrongful acquisition of trade secrets has been principally reinforced by:
- expanding the scope of subsequent acquirers of trade secrets who are punishable (ie, wrongful use or wrongful disclosure by a third or subsequent acquirer becoming additionally punishable);
- causing any attempt of wrongful use or wrongful disclosure of trade secrets to be punishable; and
- expanding the scope for punishment of crimes committed outside Japan (making it clear that any wrongful acquisition of trade secrets committed outside Japan, in respect of trade secrets stored on overseas servers, will also be punishable).
Moreover, under the amended Unfair Competition Prevention Act promulgated on 30 May 2018 (to become effective within one year and six months thereafter), in line with the expanded use of big data, any valuable data that fulfils certain requirements will be deemed as ‘data provided to limited users’, and any highly wrongful acquisition or use, etc, of such data will be regarded as an act of unfair competition and be subject to civil remedies such as the right to file an injunction.
As mentioned above, a bill to amend the Basic Cybersecurity Act is currently being deliberated in the Diet for the purpose of further ensuring cybersecurity.
Furthermore, in view of the increasing seriousness of internet failures owing to cyberattacks caused through the misuse of IoT devices, the revised Telecommunications Business Act was enacted on 1 November 2018. The Act enables telecommunications carriers to share information concerning malware-infected devices, etc, that may become sources of cyberattacks, through a third-party institution, which is to be newly established (ie, a general incorporated association established by telecommunications carriers and approved by the Minister of Internal Affairs and Communications in accordance with the Telecommunications Business Act).
In addition, as stated in question 9, the amended Act on Wiretapping for Criminal Investigation will become effective by June 2019 and such Act will streamline and allow for more efficient wiretapping procedures for criminal investigation purposes.
In addition, due to factors such as an increased number of cases of damage caused by the divulgence or wrongful use of credit card numbers, and the entry of fintech companies into the service payment business, the amended Instalment Sales Act promulgated on 9 December 2016 has become effective, newly containing provisions for: (i) obliging member stores to take countermeasures against wrongful use, such as by way of making credit card terminals compatible with IC cards; and (ii) introducing a registration system in respect of payment service companies (fintech companies, etc).
Further, on 28 December 2015, METI issued its Cybersecurity Management Guidelines, which were subsequently revised on 28 December 2016 and further on 16 November 2017 (as version 2.0). The Guidelines are intended for large and small-to-medium-sized companies that provide IT-related systems or services and that essentially require the use of IT in accordance with their managerial strategies, from the perspective of protecting companies from cyberattacks. The Guidelines prescribe: (i) three principles that a manager of a company should be aware of; and (ii) 10 significant items on which a manager of a company should instruct the officer responsible for execution of information security measures (eg, the Chief Information Security Officer in charge of supervising information security within the company). The current version 2.0 provides further detailed information about the ‘detection’ and ‘recovery’ processes in the subsequent measures.
In addition, in line with circumstances such as the need to make preparations for the Tokyo Olympic and Paralympic Games scheduled for 2020, as well as increased threats to cyberspace, related laws and regulations may be developed and it will be necessary to pay careful attention to such developments.