Q Please explain points to keep in mind in relation to cyber security and data strategy from a legal perspective.
A It is important to analyze laws, guidelines, cases of administrative penalties, etc. to discover the risk of administrative penalties, as well as the risk of damage due to unauthorized remittance, leakage, etc., and to take well-balanced security measures that are appropriate to those risks.
1 Cyber Security Measures
Cybercrime is on the rise as more people work from home, due to the impact of COVID-19, and cyber security measures are becoming increasingly important. Cyber security measures are like a foundation in relation to data strategy, and it is essential to have certain cyber security measures in place.
Even though cyber security measures are essential, balance is also important. It is necessary to strike a good balance between the convenience of data use and cost in relation to data strategy objectives.
The authors are sometimes asked questions such as “From a legal perspective, what is the minimum level that needs to be done?”. With budgetary constraints and other factors, every company has concerns on the extent of implementing measures and how to prioritize the measures to be taken.
In this Q, we would like to explain what aspects we focus on in relation to cyber security from a legal perspective.
2 Risk Assessment and Legal/Compliance Perspectives
(1) Analysis of Administrative Penalties Risks and Administrative Guidance Risks
Based on the Act on the Protection of Personal Information, each business operator is required to take measures to safely manage the personal data of its own individual customers, etc. (Act on the Protection of Personal Information Article 20).
In addition, financial institutions such as banks, funds transfer companies, and crypto-asset exchange providers are obliged under laws related to their businesses to manage customer information securely and take cyber security measures as part of compliance with laws and regulations.
If a cyber-attack results in (1) leakage of personal data, (2) fraudulent remittance/stolen crypto-assets, or (3) ransom demand due to infection by ransomware (virus), the company may be subject to administrative penalties such as business improvement orders/business suspension orders or administrative guidance. Administrative guidance may not sound like a big deal, but in many cases like the administrative guidance given by the Ministry of Internal Affairs and Communications (MIC) to a certain company under the Electricity Business Act, it may widely reported and criticized.
Each business operator needs to analyze laws, regulations, guidelines, court cases, and administrative penalty cases and make sure that it can withstand on-site inspections, etc. Therefore, when constructing/reconstructing a system, it is important for the security and systems departments to consult with the legal and compliance departments in advance to ensure that there are no fatal problems. In addition, periodic coordination of information is also important, as revisions to laws, regulations, and guidelines may require prompt action.
As such, ensuring compliance with laws and regulations and avoiding administrative penalties are the minimum points that need to be addressed.
In some cases, laws and regulations are quite specific about the level of security required, such as for credit card numbers. For example, if you want to become a merchant that can accept credit card payments, you need to take safety management measures (Article 35-16 of the Installment Sales Law), and it is understood that you need to comply with PCI DSS standards or take measures to not retain credit card numbers (Ministry of Economy, Trade and Industry, “Basic Policy on Supervision Based on the Installment Sales Law (Post-Payment Field)” II-2-2-5, “Credit Card Security Guidelines”). For this reason, we are sometimes asked to review from a legal perspective whether the criteria for non-retention measures have been met.
In addition, in relation to financial laws and regulations, a risk-based approach to cyber security measures is common, which is that the measures should commensurate with the risks involved. So, we are sometimes asked to provide opinions on whether our security measures are commensurate with the risks involved (e.g., whether they may be subject to administrative penalties).
It is beneficial for legal and compliance departments to take the lead in making risk judgments in this area, as they are well versed in the relevant laws, guidelines, and supervisory guidelines.
To give a concrete example, the Financial Services Agency (FSA) has strongly promoted multi-factor authentication in response to a large number of fraudulent remittances from bank deposits through the accounts of a certain telephone company-affiliated payment processor (funds transfer agent/electronic payment processor). As a funds transfer agent or electronic payment agent, you will need to be familiar with the FSA’s guidelines and supervisory guidelines when considering whether you need to comply with multi-factor authentication and when you should do so. In addition, legal and compliance departments that are more sensitive to the FSA’s expectations will be able to make more precise decisions.
We are now in an age where it is commonplace for customer IDs and passwords to be leaked through phishing and other means. In Europe, multi-factor authentication is basically mandatory based on the Payment Services Directive and other global trends. Based on these elements and other global trends, the FSA has been emphasizing the importance of multi-factor authentication.
Further, as a result of these circumstances, there are trends for the National Police Agency to strengthen identity authentication (authentication is necessary to omit identity verification for the second and subsequent transactions) based on the Criminal Proceeds Act.
When authenticating customer identity, it is necessary to determine the company’s response policy in light of such trends by the regulatory authorities, and there are times when legal and compliance knowledge plays an important role.
(2) Assessing the Risks of Damage
If unauthorized remittance occurs, the company may suffer significant damages.
For example, in 2018, it was reported that Japan Airlines Inc. fell prey to a business email scam and mistakenly paid approximately 380 million yen based on a fake invoice (Yomiuri Shimbun, January 10, 2018).
The number of cases of unauthorized remittance (embezzlement) by company employees and subcontractors continue to rise.
There have also been repeated cases of crypto asset exchange providers having their crypto assets stolen. In the “Coincheck incident”, 58 billion yen worth of crypto assets were stolen.
In the case of financial institutions (banks, money transfer companies, credit card companies, etc.), unless the customer is found to have been negligent, the financial institution often bears the damages from fraudulent remittance, and there are many cases where financial institutions bear the loss of hundreds of millions of yen per year.
In the case of debit/credit card transactions due to identity theft, if the merchant does not take measures such as 3D-Secure (a method of identification recommended by international brands), the merchant is in most cases responsible for all losses due to fraudulent transfers under the rules of international brands such as Visa/Mastercard (if the card issuer can show that it supports 3D-Secure).
Also, if a company leaks personal information, credit card numbers, customer/business partner data, etc., there is a risk of being sued for damages as a breach of contract.
In addition, reputational risks (risks of loss of trust) must also be considered. It is not uncommon for customers to leave a company or for stock prices to plummet due to a loss of trust caused by a scandal.
Thus, it is useful to carefully analyze the risks of damage to the company based on assumptions of various possible cyber security incidents, since various types of damage may occur in the event of a cyber security incident.
And, for example, in relation to indemnity risks from other companies, it is useful to examine the content of contracts with other companies, and in relation to the risk of card number leakage, it is useful to analyze international brand rules. So, it is beneficial to work with legal and compliance departments which are familiar with contracts.
(3) Legal and Compliance Perspectives
The Legal and Compliance Department should examine matters from the above perspectives, and if it determines that the risk is too great after considering alternative plans and other factors, it will give the red light.
Some executives and data strategists may be under the impression that the legal and compliance department only functions like a car brake. But, please imagine a car without brakes. It would be too dangerous to drive.
The final risk decision should be made by the management team. However, the management team needs to make a risk judgment about cyber risks and take measures commensurate with the risks, taking into account legal and compliance factors while also considering various other factors such as convenience and cost.
3 Cyber Security and System Development
As with many challenges for a company, cyber security needs to be a company-wide effort. Just as a small hole in an embankment can cause it to break, cyber security needs to be done as an organization with a proper system in place.
From this perspective, it is necessary to (i) confirm the objectives of data strategy, (ii) identify information assets (databases, etc.), the risks associated with them, and determine the security level/security measures required for each information asset, (iii) establish internal rules to ensure relevant information security measures, and (iv) ensure compliance with the internal rules through education, training, and checks (internal audits, etc.).
When creating company internal rules, my personal experience is that it is important to (1) make sure that the rules are well-balanced and commensurate with the risks involved, (2) not place too much trust in people, and (3) conduct periodic training and verification.
In relation to (1), possible risk scenarios should be considered, and then measures that are effective against those risks should be introduced. If the rules are too strict to be followed, or if following them would only be troublesome and significantly less effective for the risks involved, revision should be considered. It is meaningless if it’s like a pie in the sky.
In relation to (2), the concept of “security by default” is important. People make mistakes, and some employees may even take out information with malicious intentions or embezzle. It is necessary to establish a system that can detect and prevent mistakes and criminal acts by officers and employees without placing too much trust in them. For example, I have come into contact with a case where remittance rights for a bank account with a balance of billions of yen was given to a subcontractor. No matter how much you trust your subcontractors, you may need to have certain checks and balances in place.
In relation to (3), for example, in its “Policy for Enhancing Cyber Security in the Financial Sector,” the FSA first categorizes cyber measures for normal times and for incident responses for emergencies. For the former, it stresses the importance of understanding the actual situation and implementing countermeasures such as vulnerability assessments, as well as basic system establishments. For the latter, the report stresses the importance of practical penetration tests (TLPT) and participation in exercises such as those conducted by the FSA and NISC. In short, if the countermeasures do not work in the event of a cyber-attack, they are useless. Therefore, it is necessary to ensure that the countermeasures work by conducting proper exercises and training (penetration tests, etc.).
For example, a Computer Security Incident Response Team (CSIRT) should be set up in case a cyber-attack or information leak occurs and should collect information on a daily basis and conduct practical training on how to respond to actual incidents. The Personal Information Protection Law revised in 2020 stipulates the obligation to report to the Personal Information Protection Commission (PPC) in the event of an incident such as leakage of personal information, as well as the obligation to notify the individual (data subject) (Article 22-2 of the Personal Information Protection Law). The importance of advance preparation is expected to increase more than ever, as a quick response is required.
A significant number of incidents involving the leakage or improper use of personal information occur through subcontractors. Recently, a social networking service provider announced that a Chinese subcontractor was able to access its domestic server and view personal data, and in response, the PPC and the MIC announced that they had issued administrative guidance to the company for insufficient management of the subcontractor. It is necessary not only to impose appropriate security management obligations based on contracts with subcontractors, but also to properly monitor the performance of such obligations.
4 Conclusion
Due to the impact of COVID-19, cyber security measures are becoming increasingly important, but it is also necessary to implement cyber security measures that take into account legal and compliance aspects.
If you have any questions concerning this article, please feel free to contact us.