
2023/11/20

All companies that handle customer information are at risk of personal information leaks. Since it is difficult to reduce the number of leaks to zero, a company needs to understand the reporting and other responses required when personal information is leaked. In this article, we explain the reporting obligation and how to respond in the event of a personal information leak.

What is personal information (personal data) and personal information leakage?
This section explains what counts as personal information under the Personal Information Protection Act, with specific examples, and how personal information leakage is defined.
What is the Personal Information Protection Act?
This law (the Act on the Protection of Personal Information, commonly abbreviated APPI) sets out the rules for handling personal information and came fully into force in 2005. It balances promoting the appropriate use of personal information against protecting the rights and interests of individuals, and it defines which information is protected and how it may be used. Failure to comply may result in guidance, recommendations, orders and fines.
Specific examples of personal information, personal data, and items
Personal information is information that can identify a specific individual: for example, name, date of birth, address, blood type, gender, occupation, telephone number, income, biometric information, credit card number, financial institution account information, and PIN numbers. Personal data is personal information that forms part of a personal information database, that is, a collection a company has compiled and organized for management purposes. Data that has been systematized so that it can be searched, for instance with a business card management tool, falls under personal data.
What is personal information leakage?
Personal information leakage is when personal information reaches a third party against the intentions of the business operator holding it or of the individual it identifies. Under the Personal Information Protection Act, "loss," in which the data itself is lost, and "damage," in which the data is altered without authorization or rendered unusable, are treated together with leakage under the collective term "leakage, etc."
What is the reporting obligation when personal information is leaked?
This section explains what must be reported in the event of a personal information leak, and how.
Requirements for reporting obligation
The Personal Information Protection Act stipulates four cases in which a reporting obligation arises in the event of a personal information leak. First, a leak of "special care-required personal information" (so-called sensitive personal information) such as race, creed, medical history, or criminal record. Second, a leak of data that could cause financial harm if misused, such as credit card numbers. Third, a leak that may have been caused by an act carried out with a wrongful purpose, such as unauthorized access or malware. Fourth, a leak involving the personal data of more than 1,000 individuals. The reporting obligation also applies when it cannot be determined with certainty whether one of these four cases has occurred, or when there is only a possibility that it has occurred.
Report to the Personal Information Protection Commission
Submit a preliminary report to the Personal Information Protection Commission promptly after the leak is discovered, as a guide within 3 to 5 days. Then submit a final report, including details, within 30 days (60 days where the leak may have been caused by an act with a wrongful purpose). The nine items stipulated under the Personal Information Protection Act are:
- Summary
- Items of personal data that have been, or are likely to have been, leaked
- Number of individuals whose personal data has been, or is likely to have been, leaked
- Cause
- Whether secondary damage has occurred or is at risk of occurring, and its details
- Status of responses to the affected individuals
- Status of public announcement
- Measures to prevent recurrence
- Other matters that may be helpful
The preliminary report need only cover, accurately, the items known at the time; the final report must cover all nine items.
Notification to the person
When a report to the Commission is required, the Personal Information Protection Act also requires that the individuals whose information has been leaked be notified, by means such as a document or email. Even when the reporting criteria are not met, if the affected individuals learn of the leak by other means, trust in the company will be lost. If the impact on the individuals concerned is a concern, notifying them should be considered.
Announcement to the public
The Personal Information Protection Act positions public disclosure as an alternative measure when it is difficult to notify the individuals concerned. The guidelines add, however, that depending on the nature of the incident, public disclosure may be necessary to prevent secondary damage or similar incidents, and that making a public announcement is desirable in such cases.
Main causes of personal information leaks
The main causes of personal information leaks can be broadly divided into human error and external attacks. Leaks caused by human error include sending an email to the wrong recipient or having a laptop stolen after it was taken outside the office. Leaks caused by external attacks include infection with malware that sends internal information to an outside party, and unauthorized access. In addition, there are many cases of data being taken out by departing employees.
[Related article] What are the security risks of data removal by retired employees?Explaining specific examples and countermeasures
How to respond in the event of personal information leakage
This section introduces the specific measures to take in the event of a personal information leak.
Necessary responses in case of personal information leakage
- Reporting within the business operator and preventing the spread of damage
Immediately report to the relevant department. If unauthorized access is suspected, block access from outside to prevent further damage and secondary damage, and preserve the affected data and devices so that evidence cannot be deleted or overwritten. Take these initial measures promptly.
- Investigation of facts and investigation of causes
Investigate what caused the information leak and how it occurred.
- Identifying the scope of impact
Organize the circumstances in which the leak occurred and define the scope of the detailed investigation.
- Examining and implementing measures to prevent recurrence
Based on the identified cause, draw up measures to prevent recurrence and share them within the company.
- Report to the Personal Information Protection Commission and notify the person
Report to the Commission and notify the individuals concerned as required by the Personal Information Protection Act.
External reporting/response
- Press conference
When holding a press conference, preparing FAQs in advance helps avoid secondary damage caused by inaccurate or misleading answers.
- Coverage correspondence
Requests for interviews from reporters at various news organizations may come with short response deadlines, so be prepared to respond quickly.
- Report to government agencies
If you deal with a government agency in the course of your business, that agency may be expecting a report even if it has not requested one. After a quick initial response by e-mail or similar, provide a formal report in the prescribed format.
- Explanation to business partners
Business partners may also make inquiries. Explain that the matter has been reported to the Personal Information Protection Commission and that appropriate measures are being taken.
How to prepare for personal information leakage?
It is important to prepare during normal operations so that you can respond quickly when personal information is leaked. First, create an initial response flow within the company, covering who in which department is to be notified and how the affected device is to be handled, and make sure all employees are thoroughly informed of it.
[Related article] What are the 8 measures to prevent personal information leaks?Explaining the cause of the leak and countermeasures
If personal information leakage occurs, immediately conduct a forensic investigation.
In the event of an information leak, a company should conduct a "forensic investigation". This section explains what such an investigation involves.
What is a forensic investigation?
A field of forensic science that collects and analyzes information stored on digital devices to uncover evidence of crimes and wrongdoing. Investigating the cause makes it possible to take measures against recurrence, and clarifying who is responsible prepares the company in case it is sued.
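The preservation step in the initial response above (protecting data and devices so that evidence cannot be deleted) and the evidence collection that a forensic investigation relies on both depend on being able to prove later that the collected files have not changed since they were collected. The following is an added example, not code from the original article or from FRONTEO: a minimal Python evidence manifest that records a SHA-256 hash for every collected file, seals the manifest with a hash of its own contents, and re-verifies both. The case identifier, collector name and sample log lines are constructed for illustration only.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(manifest: dict) -> str:
    """Hash of the canonical JSON body (excluding the seal field itself)."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Record path, size, mtime and SHA-256 for every collected file, then seal the manifest."""
    files = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            files.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
    manifest = {
        "case_id": case_id,  # hypothetical case identifier supplied by the caller
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    # Seal the manifest so that later edits to the manifest itself are detectable.
    manifest["manifest_sha256"] = _seal(manifest)
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means evidence and manifest are intact."""
    problems = []
    if _seal(manifest) != manifest.get("manifest_sha256"):
        problems.append("manifest hash mismatch")
    for entry in manifest["files"]:
        p = evidence_dir / entry["path"]
        if not p.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def demo() -> dict:
    """Collect constructed sample files, seal them, then show what tampering looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed sample evidence for this example; not data from any real incident.
        (evidence / "logs").mkdir()
        (evidence / "logs" / "proxy.log").write_text(
            "2023-11-20T09:14:02Z host-12 CONNECT 203.0.113.7:443 4182 bytes out\n"
        )
        (evidence / "outbox.csv").write_text("id,name\n1,example user\n")

        manifest = build_manifest(evidence, case_id="CASE-EXAMPLE-001", collector="analyst-a")
        clean = verify_manifest(evidence, manifest)

        # A manifest edited after sealing (e.g. changing who collected it) fails the seal check.
        forged = dict(manifest)
        forged["collected_by"] = "someone-else"
        forged_problems = verify_manifest(evidence, forged)

        # Files altered or deleted after collection are reported individually.
        (evidence / "logs" / "proxy.log").write_text("\n")
        (evidence / "outbox.csv").unlink()
        tampered = verify_manifest(evidence, manifest)

        return {"clean": clean, "forged_manifest": forged_problems, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be written out alongside the evidence and its seal value recorded separately (for example in the case log or signed by the collector), so that the hash of the manifest is something the collector can attest to rather than just another file in the same directory.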
FRONTEO's forensic investigation service using AI
The use of AI is now essential in modern forensic investigations, which handle huge amounts of data. By training the AI on a small number of sample files reviewed by experts, it can sort large volumes of data into what is likely to be relevant and what is not. The routine sorting work that must be done at the start of an investigation can thus be completed in a short time by a small team, which not only makes the investigation more efficient but also improves accuracy by concentrating expert resources where they matter.
[Related article] What is an information leak investigation?Explanation of research methods, examples, and how to choose a research company
Forensic investigation case study at FRONTEO
The following is an actual case of a forensic investigation into a personal information leak conducted by FRONTEO.
Investigation case of personal information leakage due to malware infection
It was discovered that one of a company's PCs was infected with malware, and personal information was suspected to have been leaked, so a forensic investigation was requested from FRONTEO, a specialized investigation company. The plan was to identify the infection route and trace any evidence of information leakage from the infected device.
Hundreds of devices were analyzed with an analysis tool, the attack path was visualized, and the affected devices were identified. In addition, around 30 dark-web marketplaces were surveyed to check whether the leaked information was being bought and sold. As a result, the investigation not only identified the PC from which the information had been taken but also confirmed that the information had been leaked to the dark web.
* For the detailed investigation content, see "Investigation of Personal Information Leakage due to Malware Infection".
Forensic investigation when personal information is leaked, contact FRONTEO
Since its founding in 2003, FRONTEO has worked to solve the problems of a wide range of companies as a pioneer of forensic investigation in Japan, and has an established reputation for technology and know-how built on extensive experience.
By using our in-house developed AI engine, KIBIT, we have achieved significant labor and cost savings in document review, and by combining our project experience with the engine we achieve a level of accuracy and efficiency that other companies cannot match.
We have data centers in Japan, North America, South Korea, and Taiwan, so data can be stored without being taken out of the country, and we operate them under strict security controls. We provide seamless services to our clients' headquarters, local subsidiaries, and law firms, with fast support through our global operations.