Easy-to-understand instructions on how to report and respond to personal information leaks

Published November 16, 2023

Every company that handles customer information is at risk of personal information leaks. Since it is difficult to eliminate leaks, it is necessary to understand the reporting and other measures that are required in the event of a personal information leak. This article explains the reporting obligations and response methods in the event of a personal information leak.


What is a personal information (personal data) or personal information leak?

This section explains what items count as personal information under the Personal Information Protection Law and how a personal information leak is defined.

What is the Personal Information Protection Law?

The Personal Information Protection Law is a law that establishes rules for handling personal information, and was fully enforced in 2005. It strikes a balance by encouraging the appropriate use of personal information while also protecting the rights and interests of individuals, and defines the information to be protected and the rules for its use. Failure to comply may lead to guidance, recommendations, fines, etc.

Specific examples of personal information and personal data and items

Personal information is information that can be used to identify a specific individual: specifically name, date of birth, address, blood type, gender, occupation, telephone number, income, biometric information, credit card number, financial institution information, and PIN number. Personal data is the personal information that makes up a personal information database compiled by a company for management purposes. For example, information organized systematically so that it can be searched with a business card management tool falls under the category of personal data.

What is a personal data breach?

A personal data breach is when personal data is passed to a third party against the intent of the party holding the data and of the individual to whom it pertains. Under the Personal Information Protection Law, "loss," in which the contents of the data are lost, and "damage," in which the contents of the data are unintentionally altered, are grouped together with leaks under the collective term "leaks, etc."

What are the reporting obligations when personal information is leaked?

This section explains the reporting required in the event of a personal information leak and how to make such a report.

Requirements for Reporting Obligations

The Personal Information Protection Law defines four cases in which a reporting obligation arises in the event of a personal information leak. First, the leak of "sensitive personal information," such as race, creed, medical history, and criminal record, which must be handled with special care. Second, the leak of information that may cause property damage through unauthorized use. Third, a leak caused by an act carried out for a wrongful purpose. Fourth, a leak involving the data of more than 1,000 persons. The reporting obligation also arises when it cannot be accurately determined whether one of these four cases has occurred, that is, when there is only a possibility that it may have occurred.

Reporting to the Personal Information Protection Commission

Within 3 to 5 days of discovering an information leak, a "preliminary report" must be promptly made to the Personal Information Protection Commission. Next, within 30 days, a "final report" containing all details must be submitted. The nine items stipulated in the Personal Information Protection Law are: "summary," "items of personal data that have been or may have been leaked," "number of individuals whose personal data has been or may have been leaked," "cause," "existence or non-existence of secondary damage or the threat thereof and its details," "status of response to the individuals concerned," "status of public disclosure," "status of measures taken to prevent recurrence," and "other items of reference." All of these items must be reported accurately in the final report.

Notification to the individual

As mentioned above, the Personal Information Protection Law stipulates that when a report is made, the individuals affected by the leak, etc. must also be notified in writing or by e-mail. However, even when the legal threshold for reporting is not met, if the affected individuals learn of the leak by some other route, trust in the company will be lost. Notification should therefore be considered whenever there is concern about the impact on the individuals concerned.

Disclosure to the Public

Under the Personal Information Protection Law, public disclosure is positioned as an alternative measure to be taken when it is difficult to notify the individuals concerned directly.

Major Causes of Personal Information Leakage

The main causes of personal information leaks can be broadly classified into human error and external attacks. Leaks due to human error occur, for example, when an e-mail is sent to the wrong recipient or when a laptop computer is stolen outside the company. Leaks due to external attacks can be caused by infection with malware that transmits internal information to external parties, or by unauthorized access. In addition, there have been a few cases of data being taken out of the company by retiring employees.

[Related Article] What are the security risks of data removal by retiring employees? See this article on data removal by retirees: /fllp/taking-out-data

What to do in the event of a personal information leak

This section describes the specific measures to take when a leak of personal information occurs.

Necessary Responses in the Event of a Personal Information Leak

  • Reporting within the business and preventing the spread of damage
    If unauthorized access is suspected, take initial measures such as blocking access from outside to prevent further and secondary damage, and preserve the relevant data so that it is not erased.
  • Fact-finding and investigation of the cause
    Investigate the cause of the information leak and how it occurred.
  • Identification of the scope of impact
    Organize the circumstances in which the information leak occurred and define the scope of the detailed investigation.
  • Investigation and implementation of measures to prevent recurrence
    Based on the identified cause, formulate recurrence prevention measures and share them within the company.
  • Report to the Personal Information Protection Commission and notify the individuals concerned
    In accordance with the Personal Information Protection Law, report to the Commission and notify the individuals concerned.

External Reporting and Response

  • Press conference
    When holding a press conference, prepare FAQs in advance to avoid secondary damage caused by inaccurate or misleading questions and answers.
  • Handling of interviews
    Interview requests from media outlets may come with short response deadlines, so be prepared to respond promptly.
  • Reporting to government and municipal offices
    If you deal with public offices in the course of your work, they may be waiting for your report even if they have not requested it. After providing a preliminary response by e-mail or other means, follow up with a definitive report in the designated format.
  • Explanation to business partners
    Business partners may send inquiries. Explain that the matter has been reported to the Personal Information Protection Commission and convey that appropriate measures are being taken.

How to prepare for a leak of personal information?

It is important to be prepared to respond quickly in the event of a personal information breach. First, create an internal initial response flow covering which department and which person to report the incident to and how to handle the device involved, and make sure employees are aware of this flow.

[Related Article] What are the 8 measures to prevent personal information leaks? See this article on measures to prevent personal information leaks: /fllp/leakage-of-personal-information

If a leakage of personal information occurs, forensic investigation should be conducted immediately.

When an information leak has occurred, a company should conduct a "forensic investigation." This section introduces what such an investigation involves.

What is a forensic investigation?

A forensic investigation is a field of forensic science that collects and analyzes information stored on digital devices to reveal evidence of criminal or fraudulent activity. By determining the cause of the incident, measures can be taken to prevent its recurrence, and by identifying the responsible party, the company can prepare for litigation in which its responsibility may be questioned.

FRONTEO's AI-based forensic investigation services

The use of AI is now essential in modern forensic investigations, which deal with enormous amounts of data. By having AI learn decision criteria from a small number of sample files reviewed by experts, large volumes of data can be sorted into potentially relevant and irrelevant categories. The simple data sorting work required at the start of an investigation can then be done by a small number of people in a short time, which not only improves the efficiency of the investigation but also improves its accuracy by concentrating expert resources where they matter.

[Related Article] What is an information leak investigation? For more on information leak investigations, see this article: /fllp/leakage-investigation

FRONTEO Forensic Investigation Case Studies

This section introduces actual forensic investigations conducted by FRONTEO into personal information leaks.

Case study of personal information leakage due to malware infection

A company's PCs were found to be infected with malware, and there were suspicions that personal information had been leaked. FRONTEO, a specialized investigation company, was asked to conduct a forensic investigation to identify the infection route and trace the signs of information leakage from the infected terminals.

Several hundred terminals were analyzed using analysis tools to visualize the attack route and identify the affected terminals. In addition, a survey of fewer than 30 cyber black markets was conducted to determine whether the leaked information was being traded on the dark web. As a result of the investigation, it was possible to identify not only the PCs from which the information had leaked, but also the fact that the information had been posted on the dark web.

*For details of the investigation, please refer to "Investigation of Personal Information Leakage Due to Malware Infection."

Contact FRONTEO for forensic investigation of personal information leakage

FRONTEO has been a pioneer in forensic investigation in Japan since its establishment in 2003 and has worked to solve a wide variety of corporate problems. We have an established reputation for technology and know-how built on our extensive experience.

By combining our experience in handling cases with our own AI engine, we have achieved a high level of accuracy and efficiency that no other company can match.

We have data centers in Japan and South Korea with full security measures in place, and we provide services seamlessly to our clients' headquarters, local subsidiaries, and law firms, with prompt support through our global operations.

For inquiries about FRONTEO's forensic investigation services, please contact us at https://legal.fronteo.com/contact/

[Related Article] Forensic Investigation: an investigation proposal tailored to the client's needs with strong execution capability. The FRONTEO forensic investigation services page is here: https://legal.fronteo.com/forensics/