Cyber Security and Japanese Law

Q     Please explain points to keep in mind in relation to cyber security and data strategy from a legal perspective.

 

A           It is important to analyze laws, guidelines, cases of administrative penalties, etc. to discover the risk of administrative penalties, as well as the risk of damage due to unauthorized remittance, leakage, etc., and to take well-balanced security measures that are appropriate to those risks.    

 

1         Cyber Security Measures

Cybercrime is on the rise as more people work from home due to the impact of COVID-19, and cyber security measures are becoming increasingly important. Cyber security measures are the foundation of any data strategy, and it is essential to have certain cyber security measures in place.

Even though cyber security measures are essential, balance is also important. It is necessary to strike a good balance between the convenience of data use and cost in relation to data strategy objectives.

The authors are sometimes asked questions such as “From a legal perspective, what is the minimum level that needs to be done?”. Given budgetary constraints and other factors, every company has concerns about how far to go in implementing measures and how to prioritize the measures to be taken.

In this Q, we would like to explain what aspects we focus on in relation to cyber security from a legal perspective.

 

2         Risk Assessment and Legal/Compliance Perspectives

(1) Analysis of Administrative Penalties Risks and Administrative Guidance Risks

Based on the Act on the Protection of Personal Information, each business operator is required to take measures to safely manage the personal data of its own individual customers, etc. (Act on the Protection of Personal Information Article 20).

In addition, financial institutions such as banks, funds transfer companies, and crypto-asset exchange providers are obliged under laws related to their businesses to manage customer information securely and take cyber security measures as part of compliance with laws and regulations.

If a cyber-attack results in (1) leakage of personal data, (2) fraudulent remittance/stolen crypto-assets, or (3) a ransom demand due to infection by ransomware (virus), the company may be subject to administrative penalties such as business improvement orders/business suspension orders, or to administrative guidance. Administrative guidance may not sound like a big deal, but in many cases, like the administrative guidance given by the Ministry of Internal Affairs and Communications (MIC) to a certain company under the Electricity Business Act, it may be widely reported and criticized.

 

Each business operator needs to analyze laws, regulations, guidelines, court cases, and administrative penalty cases and make sure that it can withstand on-site inspections, etc. Therefore, when constructing/reconstructing a system, it is important for the security and systems departments to consult with the legal and compliance departments in advance to ensure that there are no fatal problems. In addition, periodic coordination of information is also important, as revisions to laws, regulations, and guidelines may require prompt action.

 

As such, ensuring compliance with laws and regulations and avoiding administrative penalties are the minimum points that need to be addressed.

 

In some cases, laws and regulations are quite specific about the level of security required, such as for credit card numbers. For example, if you want to become a merchant that can accept credit card payments, you need to take safety management measures (Article 35-16 of the Installment Sales Law), and it is understood that you need to comply with PCI DSS standards or take measures to not retain credit card numbers (Ministry of Economy, Trade and Industry, “Basic Policy on Supervision Based on the Installment Sales Law (Post-Payment Field)” II-2-2-5, “Credit Card Security Guidelines”). For this reason, we are sometimes asked to review from a legal perspective whether the criteria for non-retention measures have been met.

 

In addition, in relation to financial laws and regulations, a risk-based approach to cyber security measures is common, meaning that the measures should be commensurate with the risks involved. So, we are sometimes asked to provide opinions on whether a company’s security measures are commensurate with the risks involved (e.g., whether they may be subject to administrative penalties).

 

It is beneficial for legal and compliance departments to take the lead in making risk judgments in this area, as they are well versed in the relevant laws, guidelines, and supervisory guidelines.

 

To give a concrete example, the Financial Services Agency (FSA) has strongly promoted multi-factor authentication in response to a large number of fraudulent remittances from bank deposits through the accounts of a certain telephone company-affiliated payment processor (funds transfer agent/electronic payment processor). As a funds transfer agent or electronic payment agent, you will need to be familiar with the FSA’s guidelines and supervisory guidelines when considering whether you need to comply with multi-factor authentication and when you should do so. In addition, legal and compliance departments that are more sensitive to the FSA’s expectations will be able to make more precise decisions.

 

We are now in an age where it is commonplace for customer IDs and passwords to be leaked through phishing and other means. In Europe, multi-factor authentication is basically mandatory under the Payment Services Directive. Based on these elements and other global trends, the FSA has been emphasizing the importance of multi-factor authentication.

 

Further, as a result of these circumstances, there is a trend for the National Police Agency to strengthen identity authentication (authentication is necessary in order to omit identity verification for the second and subsequent transactions) based on the Criminal Proceeds Act.

 

When authenticating customer identity, it is necessary to determine the company’s response policy in light of such trends by the regulatory authorities, and there are times when legal and compliance knowledge plays an important role.

 

 

(2) Assessing the Risks of Damage

If unauthorized remittance occurs, the company may suffer significant damages. 

For example, in 2018, it was reported that Japan Airlines Inc. fell prey to a business email scam and mistakenly paid approximately 380 million yen based on a fake invoice (Yomiuri Shimbun, January 10, 2018).

The number of cases of unauthorized remittance (embezzlement) by company employees and subcontractors continues to rise.

There have also been repeated cases of crypto asset exchange providers having their crypto assets stolen. In the “Coincheck incident”, 58 billion yen worth of crypto assets were stolen.

In the case of financial institutions (banks, money transfer companies, credit card companies, etc.), unless the customer is found to have been negligent, the financial institution often bears the damages from fraudulent remittance, and there are many cases where financial institutions bear the loss of hundreds of millions of yen per year.

In the case of fraudulent debit/credit card transactions resulting from identity theft, if the merchant does not take measures such as 3D-Secure (a method of identification recommended by international brands), the merchant is in most cases responsible for all losses from the fraudulent transactions under the rules of international brands such as Visa/Mastercard (provided the card issuer can show that it supports 3D-Secure).

Also, if a company leaks personal information, credit card numbers, customer/business partner data, etc., there is a risk of being sued for damages as a breach of contract.

In addition, reputational risks (risks of loss of trust) must also be considered. It is not uncommon for customers to leave a company or for stock prices to plummet due to a loss of trust caused by a scandal.

Thus, it is useful to carefully analyze the risks of damage to the company based on assumptions of various possible cyber security incidents, since various types of damage may occur in the event of a cyber security incident.

 

For example, in relation to indemnity risks from other companies, it is useful to examine the content of contracts with those companies, and in relation to the risk of card number leakage, it is useful to analyze international brand rules. So, it is beneficial to work with legal and compliance departments, which are familiar with contracts.

 

(3) Legal and Compliance Perspectives

The Legal and Compliance Department should examine matters from the above perspectives, and if it determines that the risk is too great after considering alternative plans and other factors, it will give the red light.

Some executives and data strategists may be under the impression that the legal and compliance department only functions like a car brake. But, please imagine a car without brakes. It would be too dangerous to drive.

The final risk decision should be made by the management team. In doing so, the management team needs to make a risk judgment about cyber risks and take measures commensurate with those risks, taking into account legal and compliance factors while also considering various other factors such as convenience and cost.

 

3         Cyber Security and System Development

As with many challenges for a company, cyber security needs to be a company-wide effort. Just as a small hole in an embankment can cause it to break, cyber security needs to be done as an organization with a proper system in place.

From this perspective, it is necessary to (i) confirm the objectives of data strategy, (ii) identify information assets (databases, etc.), the risks associated with them, and determine the security level/security measures required for each information asset, (iii) establish internal rules to ensure relevant information security measures, and (iv) ensure compliance with the internal rules through education, training, and checks (internal audits, etc.).

When creating company internal rules, my personal experience is that it is important to (1) make sure that the rules are well-balanced and commensurate with the risks involved, (2) not place too much trust in people, and (3) conduct periodic training and verification.

In relation to (1), possible risk scenarios should be considered, and then measures that are effective against those risks should be introduced. If the rules are too strict to be followed, or if following them would only be troublesome and significantly less effective for the risks involved, revision should be considered. Rules that are pie in the sky are meaningless.

In relation to (2), the concept of “security by default” is important. People make mistakes, and some employees may even take out information with malicious intent or embezzle. It is necessary to establish a system that can detect and prevent mistakes and criminal acts by officers and employees without placing too much trust in them. For example, I have come into contact with a case where remittance rights for a bank account with a balance of billions of yen were given to a subcontractor. No matter how much you trust your subcontractors, you may need to have certain checks and balances in place.

In relation to (3), for example, in its “Policy for Enhancing Cyber Security in the Financial Sector,” the FSA first categorizes cyber measures into those for normal times and incident response for emergencies. For the former, it stresses the importance of understanding the actual situation and implementing countermeasures such as vulnerability assessments, as well as establishing basic systems. For the latter, the policy stresses the importance of practical penetration tests (TLPT) and participation in exercises such as those conducted by the FSA and NISC. In short, if the countermeasures do not work in the event of a cyber-attack, they are useless. Therefore, it is necessary to ensure that the countermeasures work by conducting proper exercises and training (penetration tests, etc.).

For example, a Computer Security Incident Response Team (CSIRT) should be set up in case a cyber-attack or information leak occurs and should collect information on a daily basis and conduct practical training on how to respond to actual incidents. The Personal Information Protection Law revised in 2020 stipulates the obligation to report to the Personal Information Protection Commission (PPC) in the event of an incident such as leakage of personal information, as well as the obligation to notify the individual (data subject) (Article 22-2 of the Personal Information Protection Law). The importance of advance preparation is expected to increase more than ever, as a quick response is required.

A significant number of incidents involving the leakage or improper use of personal information occur through subcontractors. Recently, a social networking service provider announced that a Chinese subcontractor was able to access its domestic server and view personal data, and in response, the PPC and the MIC announced that they had issued administrative guidance to the company for insufficient management of the subcontractor. It is necessary not only to impose appropriate security management obligations based on contracts with subcontractors, but also to properly monitor the performance of such obligations.

 

4         Conclusion

Due to the impact of COVID-19, cyber security measures are becoming increasingly important, but it is also necessary to implement cyber security measures that take into account legal and compliance aspects.

If you have any questions concerning this article, please feel free to contact us.

Importing Designated Dangerous Drugs

Designated drugs are dangerous drugs designated by the Minister of Health, Labor and Welfare. For more information on the scope of designated dangerous drugs, please refer to the Ministry of Health, Labor and Welfare’s website. The importation of designated drugs for purposes other than medical use is prohibited. In addition, methamphetamine is regulated by the Stimulants Control Law, marijuana by the Cannabis Control Law, narcotics and psychotropic drugs by the Narcotics Control Law, and opium and poppy seeds by the Opium Law, so they are not considered designated drugs.

There are products called “legal drugs” that are sold on the Internet, claiming to have hallucinogenic effects, but they often fall under the category of designated drugs even if they do not fall under the category of narcotics, marijuana, or stimulants. In addition, products that do not fall under the category of designated drugs but claim to have hallucinogenic effects fall under the category of unapproved “drugs” and are prohibited from being sold or advertised in Japan.

 

Drugs

In principle, importation of drugs such as marijuana, stimulants, narcotics, psychotropic substances, and opium is prohibited.

 

Restricted subjects and import regulations, by law:

Cannabis Control Law
  Restricted subject: Marijuana (Cannabis plant, Cannabis plant products)
  Import regulations: Importation is prohibited except for marijuana researchers who import with a permit. An import permit or a copy of the permit is required for importation.

Stimulants Control Law (1951)
  Restricted subject: Stimulant
  Import regulations: Import is prohibited.

  Restricted subject: Methamphetamine ingredients (ephedrine)
  Import regulations:
    Remarks: Importing requires a permit. Customs requires a “Permit for the importation of methamphetamine materials” or a copy thereof.
    Individual purposes: Permission may be granted to carry and import “methamphetamine materials that are medicinal products” for the purpose of treating one’s own illness. Customs requires a “Permit for the importation of methamphetamine materials” or a copy thereof.
    Import by designated importers: Designated importers of methamphetamine materials may obtain a permit to import. Customs will require the import permit or a copy thereof.

Narcotics Control Law
  Restricted subject: Narcotic
  Import regulations:
    Remarks: A permit is required for import.
    Individual purposes: Medical narcotics (morphine/fentanyl) may be approved for importation by a person who has been instructed by a physician to take them and who carries them as baggage for the purpose of treating his or her own illness. Customs requires a “Portable Import Permit” or a copy thereof.
    Licensed drug importers: In the case of importation by a licensed drug importer, an import license is required, and customs will require an import permit or a copy of the permit.

  Restricted subject: Psychotropic drug
  Import regulations:
    Remarks: A permit is required for importation.
    Individual purposes: Permission may be granted to carry and import medical psychotropic drugs (diazepam, triazolam) for the purpose of treating one’s own illness. Customs will require an import permit or a copy of the permit.
    Licensed psychotropic drug importers:
    ○ A permit is required for the importation of psychotropic drugs of the first class.
    ○ For the importation of Class 2 or 3 psychotropic drugs, import approval based on the Foreign Exchange and Foreign Trade Law is required instead of a permit based on the Narcotics Control Law. In addition, if the government of the exporting country requires an import certificate from the government of Japan, it is necessary to obtain an import certificate and send it to the exporter in the other country.
    ○ When the importation of Class 1, Class 2 or Class 3 psychotropic substances for which the government of the exporting country requires an import certificate is completed, a psychotropic substance import completion report must be submitted.
    Establishers of psychotropic drug testing and research facilities:
    ○ An import permit or a copy of the permit is required.
    ○ When the importation is completed, a psychotropic drug import completion report must be submitted.

  Restricted subject: Ingredients for narcotic psychotropic drugs
  Import regulations:
    Remarks: At the time of importation of narcotic psychotropic raw materials, an import permit based on the Narcotics Control Law is not required, but an import approval based on the Foreign Exchange and Foreign Trade Law is necessary.
    For business purposes: Importers of narcotic ingredients are required to submit a notification at the time of commencement of business, as well as in the case of individual imports of specified narcotic psychotropic raw materials.
    For non-business purposes:
    ○ No notification of commencement of business is required.
    ○ Notification is required when importing narcotic psychotropic materials that exceed the amount specified for each narcotic psychotropic material.

Opium Law
  Restricted subject: Opium
  Import regulations: Importation is prohibited except for those who have been entrusted by the government.

  Restricted subject: Poppy seed
  Import regulations: A permit is required for importation.

Please contact us if you have any questions.

Regulations on Importing Veterinary Drugs

For importing veterinary drugs into Japan, the provisions for conventional medicinal products, quasi-drugs, medical devices and medical products for regenerative medicine are applied in the same way.  However, unlike pharmaceuticals, the Ministry of Agriculture, Forestry and Fisheries has jurisdiction over this topic.

1 Importation as a Business

In the case of importing veterinary medicinal products as a business:

  1. The importer is required to obtain a license from the Minister of Agriculture, Forestry and Fisheries for manufacturing and sales. 
  2. For those who manufacture veterinary medicinal products in a foreign country, certification and registration as a foreign manufacturer is required for each manufacturing site. 
  3. The business operator in Japan that manufactures label replacements will need to obtain a manufacturing license and registration.
  4. Approval and certification are required for each veterinary drug product imported.

2 Import other than business purposes

In principle, importation by a person without a manufacturing and sales license is prohibited. However, there are certain exceptions, such as for the purpose of testing and research. In the case of importation based on such exceptions, import verification is required.

In addition, import verification is not required in the case of:

  1. the owner of an animal other than the subject animals (dog/cat) may import no more than two boxes or two months’ supply of one pharmaceutical product as a portable product for use with the animal;
  2. a veterinarian or the operator of an animal care facility may import no more than two boxes or two months’ worth of each item of veterinary medicine as a portable product for his/her own use for the purpose of diagnosis, treatment or prevention of disease; and
  3. a veterinarian may import, for his or her own medical treatment, where the animals to be treated are other than the subject animals, six boxes or less of each item of veterinary drugs.

3 Prohibition of Importation

The import of illicit veterinary drugs is prohibited.

4 Prohibition of Advertising

Advertising for unapproved and uncertified drugs, medical devices, and regenerative medicine products is prohibited.

 

Please contact us if you have any questions.

Importing Medical Devices, etc.

The processes for importing medical devices and in vitro diagnostic products into Japan differ depending on whether the import is for business purposes or not.

1 Imports as a Business

In the case of importing medical devices and in vitro diagnostic products as a business and selling them in Japan, the business operator conducting the importation is first required to obtain a manufacturing and sales license. Secondly, registration as a foreign manufacturer is required for each manufacturing site of business operators who manufacture in foreign countries. Third, if there is a business operator in Japan that manufactures label replacements, that business operator is required to register as a manufacturing business. Fifth, the manufacturer or distributor must submit a notification and make public the matters described in the attached document.

2 Imports other than for business purposes

Import verification is required for imports other than for business purposes.  However, in the case of contact lenses, importation of two pairs (two-month supply for disposable lenses) does not require import verification. You can find more information on the Ministry of Health, Labour and Welfare website.

3 Prohibition of Importation

The importation of illicit medical devices and in vitro diagnostic products is prohibited. 

4 Prohibition of advertisement

It is illegal for overseas distributors to advertise unapproved/uncertified medical devices and in vitro diagnostic products on sales websites, even to those in Japan. In many cases advertising by import agents is also illegal. 

Please contact us if you have any questions.

Importing Regenerative Medicine Products

The processes for importing regenerative medicine products into Japan differ depending on whether the import is for business purposes or not.

1 Import as a Business

When importing a regenerative medicine product as a business and selling it in Japan, the first step is for the importer to obtain a manufacturing and sales license. Second, foreign manufacturer’s approval is required for each manufacturing site for those who manufacture in a foreign country. Third, if there is a business operator in Japan that manufactures label replacements, a manufacturing license is required for that business operator. Fourth, manufacturers and sellers of regenerative medicine products need to obtain approval for each item. Fifth, manufacturers and sellers are required to submit notifications and make public the information contained in the attached documents.

2 Imports other than for business purposes

Import verification is required for imports other than for business purposes. However, import verification is not required for imports of a one-month supply or less in terms of dosage, administration, and usage. You can find more information on the Ministry of Health, Labour and Welfare website.

3 Prohibition of Importation

Importation of illicit regenerative medical products, etc. is prohibited.

4 Prohibition of advertisement

It is illegal for an overseas distributor to advertise unapproved regenerative medicine products on sales websites, targeting also those in Japan.  In many cases, advertising by import agents is also illegal.

Please contact us if you have any questions.

Regulations on Importing Cosmetics

The processes for importing cosmetics into Japan differ depending on whether the import is for business purposes or not.

1 Imports for business purposes

When importing cosmetics as a business and selling them in Japan, the process is as follows:

  1. The business operator conducting the importation needs a manufacturing and sales license.
  2. For those who intend to manufacture pharmaceuticals and quasi-drugs imported into Japan from foreign countries, a foreign manufacturer’s authorization is required for each manufacturing site.
  3. Certification as a foreign manufacturer is required for those who intend to manufacture cosmetics to be imported into Japan from abroad.
  4. If there is a business operator in Japan that manufactures label replacements, a manufacturing license is required for that business operator.
  5. While approval is required for the manufacture and sale of cosmetics containing undisclosed ingredients on a product-by-product basis, notification of manufacture and sale is required for cosmetics that do not contain such ingredients on a product-by-product basis.
  6. Manufacturers and sellers are required to notify and publicize the information contained in the attached documents. 

2 Imports for non-business purposes

Import verification is required for imports for non-business purposes. However, import verification is not required for up to 24 units (120 units for cosmetics weighing 60 grams or less per unit or 60 ml or less per unit). You can find more information on the Ministry of Health, Labour and Welfare website.

3 Prohibition of imports

The import of illicit cosmetics is prohibited.

 

Please contact us if you have any questions. 

Imported Goods and Domestic Consumption Tax

Section 1:  What is Domestic Consumption Tax?

Foreign goods taken over from bonded areas, so-called “imported goods”, are in principle subject to domestic consumption tax, and the individual who takes over the imported goods is obliged to pay domestic consumption tax. If you are an importer, it is necessary for you to file a domestic consumption tax return and pay it. 

Domestic consumption tax refers to consumption tax, liquor tax, tobacco tax, gasoline tax, local gasoline tax, oil and gas tax, or petroleum and coal tax (See Article 2, Item 1 of the Act on Collection, etc. of Domestic Consumption Tax on Imported Goods).

 

Section 2: When does Domestic Consumption Tax not apply?

For the time being, no domestic consumption tax is imposed on goods to which the simplified tax rate for imported goods by entrants is applied (Article 2-2 of the same law). In addition, when customs duties are exempt, it is not uncommon for import consumption tax to also be exempt (Article 13 of the same law); however, it should be noted that there are cases where import consumption tax is not exempt.

It should be noted that even in cases where the tariff rate is zero and therefore no duty is payable, there are cases where import consumption tax must be paid.

———————————————————————————————————————–

Please contact us if you have any questions.

Companies Act

In cases where a foreign company imports goods from a foreign country to Japan and sells goods to a customer in Japan, the Companies Act may become an issue.

The Companies Act stipulates that “a foreign company shall appoint a representative in Japan if it intends to continue to conduct business in Japan” (Article 817, Paragraph 1 of the Companies Act).  Therefore, for example, if a foreign company wants to open up a bank account in Japan, it will be necessary to have at least a branch office and a registered representative in Japan. In addition, when importing home appliances into Japan, notification is required. However, in the case of foreign corporations not registered in Japan, imports of home appliances into Japan will not be permitted.

In addition, the Companies Act stipulates that “a foreign company whose main purpose is to conduct business in Japan may not continuously conduct business in Japan” (Article 821, Paragraph 1 of the Companies Act), and any violation of this provision shall be subject to a fine (Article 979, Paragraph 2 of the Companies Act).

———————————————————————————————————————–

Please contact us if you have any questions.

Unfair Competition Prevention Law

Based on the Unfair Competition Prevention Law, the importation of the following products is illegal and is subject to injunctions and claims for damages (Articles 2, 3, 4 and 16 of the same law).

(1) Merchandise bearing a foreign flag, emblem or a trademark similar thereto, which has not been approved by a foreign government agency.

(2) A product indication that is the same as or similar to a well-known product indication of another product or business. [e.g., a bag with a logo imitating Chanel, the original plate of a counterfeit credit card with a logo of Visa, MasterCard].

(3) Merchandise that uses the same or similar product indication as that of a well-known other company as its own product indication

(4) Goods that imitate the form of another’s goods (excluding the form essential for securing the function of said goods) [So-called dead copy products, etc.]

(5) Items resulting from the unauthorized use of trade secrets

(6) Devices that illegally circumvent technical restriction measures [unprotected devices].

(7) Products that are misleadingly labeled as to origin, quality, content, manufacturing method, or use.

For example, counterfeit brand-name products like (2) and (3), imitations of other companies’ products (dead copy products), and original plates of counterfeit credit cards with logos like Visa, MasterCard, etc. are illegal.

 

When parallel import of genuine products becomes illegal

Recently, the popularity of resale business (sedori) has increased, and there have been cases of people being sued for trademark infringement or violation of the Unfair Competition Prevention Law when they purchase authentic products overseas and sell them in Japan.


Please contact us if you have any questions.