Source: cpoforum.or.kr/privacy2015/pdf/Keynote2.pdf · 4/14/2015

Personal information protection for companies in Japan

Information morals and human rights

Institute for Hyper Network Society

Aoki Eiji

2015/4/14 Privacy Global Edge 2015 1

Privacy Global Edge 2015

Agenda

1. Act on the Protection of Personal Information
   – Cyber security Basic Law

2. Agencies for personal information protection measures
   – Information security threat Top 10, 2015

3. Current status of personal information leakage
   – JNSA's report (Reference)

4. Concept of information morals
   – Human rights, privacy, and corporate social responsibility

5. Activities for information morals
   – Case studies of companies for information morals

6. Conclusion

Act on the Protection of Personal Information

• Summary
  – Law enforcement on April 1, 2005
  – Clarifies the responsibility of the nation and local governments, and provides compliance obligations for companies
  – The basic philosophy is to consider the usefulness of personal information while protecting the rights and interests of the individual
  – The original idea is that the individual's personality is respected, so careful and proper handling is sought

• Issues
  – Definition of personal information? Overreaction problem?
  – No stipulation of a "right to privacy"
  – No intent to regulate personal information universally
  – Consistency with international standards, and issues not expected at the time of legislation
  – An ambiguous gray zone that cannot adapt to the rapid progress of information technology and internet services

Act on the Protection of Personal Information

• Law amendment
  – June 2014: law outline; December: outline proposal
  – February 2015: draft; March 10: Cabinet decision; the bill is to be submitted to this year's National Assembly
  – Discussion points: relaxation of the purpose-of-use restriction, review of the definition of personal information, and the use of anonymously processed information
  – But the amendment outline cannot catch up with technological advances at this year's National Assembly, so it is to be reviewed again after a few years

• Still a challenge
  – Domestic law alone is not enough for the big data world
  – Limits of legislature and government: personal information is spread over companies and servers around the world (which prohibits discrimination on the basis of genetic information under the genome method)
  – Other countries' privacy laws: might they be safer than Japan's?

• From a global standpoint
  – Integrated name identification makes enormous lists of privacy information possible, raising the importance and value of personal information
  – Recognize cyber security: leakage of a privacy information list could connect to national security issues

Cyber security Basic Law

• Summary
  – November 6, 2014: passed by the House of Representatives
  – Full enforcement on January 9, 2015
  – What is cyber security?
  – Philosophy of cyber security and basic measures
  – Establishment of the Cyber Security Strategy Headquarters

• Points
  – Headed by the Chief Cabinet Secretary, as an organization with a legal basis
  – Becomes a "control tower" with very strong authority over each ministry
  – Ensures cyber security for governments and domestic companies
  – Strengthens promotion and international competitiveness of the cyber security industry
  – Promotes the activity of private companies and educational institutions through industry-academia-government collaboration
  – Aims at "independence" through international cooperation

Cyber security Basic Law

• Influence of a difficult international situation (the Snowden effect)
  – Collection of personal information by the nation
  – Crisis of back doors through connections between the nation and IT vendors
  – Exclusion, and termination of contracts, for foreign-made IT equipment and services
  – International cooperation and conferences: Cyber Defense and Network Security 2014 / CyCon 2014 / Black Hat 2014 / DEF CON 22

• For private companies
  – The "National Information Security Center" becomes, by legislation, the "National center of Incident readiness and Strategy for Cybersecurity" (NISC)
  – Ensure technology and manpower for the information security field
  – Lack of information security researchers and engineers in Japan, because they do not receive much evaluation and respect
  – Dispel the domestic negative recognition that hinders the development of superior human resources

Agencies for personal information protection measures

• Information-technology Promotion Agency (IPA) http://www.ipa.go.jp/security/
• Japan Computer Emergency Response Team Coordination Center http://www.jpcert.or.jp
• Japan Information Processing Development Association (JIPDEC) http://www.jipdec.jp
• Japan Information Security Audit Association (JASA) http://www.jasa.jp/
• Japan Users Association of Information Systems (JUAS) http://www.juas.or.jp
• Japan Electronics and Information Technology Industries Association (JEITA) http://www.jeita.or.jp
• Japan Information Technology Service Industry Association (JISA) http://www.jisa.or.jp
• Japan Quality Assurance Organization (JQA) http://www.jqa.jp
• next generation Electronic COMmerce promotion council of Japan (ECOM) http://www.jipdec.or.jp/archives/ecom/
• Information Technology Standards Commission of Japan (ITSCJ) http://www.itscj.ipsj.or.jp
• Systems Auditors Association of Japan (SAAJ) http://www.saaj.or.jp
• Information Systems Audit and Control Association (ISACA) http://www.isaca.gr.jp
• Japan Network Security Association (JNSA) http://www.jnsa.org

Agencies for personal information protection measures

• Japan Information Processing Development Association (JIPDEC)
  – Privacy Mark certification (14,003 companies / 2015.03.30)
  – Information Security Management System (ISMS) certification (4,608 organizations / 2015.03.16)
  – Cyber Security Management System (CSMS) certification (2 organizations / 2015.03.09)

• Information-technology Promotion Agency (IPA)
  – Information Security White Paper
  – Information security threat Top 10, 2015

Information security threat Top 10, 2015

No. 1 Unauthorized use of Internet banking and credit card information
Authentication information for Internet banking and credit cards is stolen by viruses and phishing, and attackers impersonating the user carry out fraudulent remittances and unauthorized use. In 2014, fraudulent remittance damage from corporate accounts, not only personal accounts, increased rapidly.

No. 2 Information leakage by internal fraud
Employees stealing and selling internal company information has become a social problem. An internal employee with malicious intent can steal information freely within the range they are able to access. Companies should therefore continuously perform strict management and monitoring of access-authority settings, and revoke the access privileges of retirees, according to the importance of the information.

No. 3 Intelligence activities by targeted attacks
Targeted attacks that steal internal information from government agencies and private companies, using PCs infected with a computer virus and remotely controlled from outside, continue without end. In 2014, further sophistication of the modus operandi was confirmed, such as the tendency to use business partners and affiliates as a springboard to reach the targeted organization.

No. 4 Illegal logins to web services
Unauthorized login damage occurs when an attacker knows the ID and password. In 2014, there was frequent damage from illegal logins to other services using IDs and passwords stolen from vulnerable web services. Users who reuse the same ID and password across multiple services are the victims.

No. 5 Theft of customer information from web services
There are many incidents in which customer information such as names and addresses is stolen from web services. When the stolen information includes IDs, passwords, and credit card information, the impact can be extensive, including unauthorized logins and monetary damage.

Information security threat Top 10, 2015

No. 6 Cyber terrorism by hacker groups
In 2014, a video media company in the United States was attacked and suffered damage such as information leakage and service stoppage. Internal documents of a nuclear power plant operator were leaked and published in South Korea. The crime groups publishing statements or stolen information had a major social impact.

No. 7 Falsification of web sites
There are many cases in which the web site of a company or organization is tampered with so that visitors are infected with a virus simply by viewing it. Besides the direct damage of service stoppage until recovery, the damage sometimes extends to the web site's visitors.

No. 8 Misuse of Internet infrastructure technology
Various services on the Internet are built on trust in foundation technologies such as DNS and electronic certificates. In 2014, attacks exploiting these technologies to lure users to virus-infected sites occurred. Since such attacks are difficult to counter by detection on the user's side, countermeasures by operators and Internet providers are strongly required.

No. 9 Attacks following vulnerability publication
In 2014, vulnerability countermeasure information for widely used software such as Apache Struts, OpenSSL, and bash was published in succession, and attacks against those vulnerabilities occurred. System administrators and general users need to take measures quickly according to the degree of influence of the vulnerability, such as the usage status of the product and whether attacks are occurring.

No. 10 Malicious smartphone apps
Malicious smartphone apps disguised as useful features steal personal information such as the phone book in the terminal without the user knowing. The stolen information is exploited for spam and fraud, and in some cases the damage extends to the friends in the phone book.

Current status of personal information leakage

• Government, municipalities, private companies, universities, and individuals
  – Various information security measures have been taken; however, information leakage is still happening somewhere, every day, right now
  – If you search the net for <personal information leakage company>, you will find many cases

• For example ... July 2014, Benesse Corporation
  – Leakage: 3,504 million items, about 4,858 million people
  – Cause: Fraud and corporate culture
  – Points: Internal crime over the long term, resale to many mailing list brokers, problems with post-incident correspondence and public relations. Empathy with customers was not good.

• September 2014, Japan Airlines Co., Ltd. (JAL)
  – Leakage: 4,131 items
  – Cause: Unauthorized access by malware
  – Points: Quick initial response, customer support, contact with the relevant agencies, public relations, prevention of expanding damage, problem-solving behavior. Empathy with customers was good.

Current status of personal information leakage

Successive information leakage: an accident-premised society? Inevitable? There is no such custom, so it is difficult to understand.

How can companies prevent incidents? Or reduce them? Inevitable, like disaster mitigation? "No sorrow as long with": the necessity of risk management.

• NPO Japan Network Security Association (JNSA)
  – FY2013 Information security incident investigation report on personal information leakage (revised February 23, 2015)
    • Personal information leakage numbers: 9,252,305 people
    • Personal information leakage items: 1,388

(Reference)

• NPO Japan Network Security Association (JNSA)
• Information security incident investigation report - personal information leakage edition, fiscal 2013 - (revised February 23, 2015)

• Information leakage accident Top 10

  No.  Leakage numbers  Type of industry                                Cause
   1   4,000,000        Information and communication industry          Unauthorized access
   2   1,692,496        Information and communication industry          Unauthorized access
   3     470,000        Wholesale, retail                               Unauthorized access
   4     426,000        Public service (except classified as others)    Lose, misplaced
   5     243,266        Information and communication industry          Unauthorized access
   6     175,297        Information and communication industry          Misconfiguration
   7     150,165        Wholesale, retail                               Unauthorized access
   8     120,616        Financial services, insurance industry          Mismanagement
   9     109,112        Information and communication industry          Unauthorized access
  10      97,438        Information and communication industry          Unauthorized access

(Reference)

• NPO Japan Network Security Association (JNSA)
• Information security incident investigation report - personal information leakage edition, fiscal 2013 - (revised February 23, 2015)

• Information leakage cause ratio, by leakage items and by leakage number of people

  Cause                 Leakage items   Leakage number of people
  Unauthorized access         5%               79%
  Mismanagement              32%                9%
  Lose, misplaced            14%                6%
  Misconfiguration            3%                3%
  Misoperation               35%                2%
  Theft                       6%                0%
  Others                      5%                1%

Concept of information morals

Thinking, attitudes, and behavior when dealing with information and data

• Information morals for respect for human rights
  – Respect for the individual
    • Respect for personality, privacy, honor and credit, freedom of expression
  – Consideration of safety
    • Personal information protection, information security
  – Consideration of social justice
    • Consumer protection, information accessibility, intellectual property rights

This leads to the philosophy of the "Personal Information Protection Act"

Human rights

Human rights: the right of people to be respected as human beings

• New developments and understanding in the Internet community
  – Utilization of cloud services, SNS, and big data
  – Mobility such as smartphones, tablet PCs, and wearable devices
  – Expansion and speed of damage in the information space

Internet use at companies: the distinction between public and private

• Respect for new rights in the new environment
  – Consideration for the human rights involved

Privacy

Increasing utility value of privacy-related data

• Privacy rights as fundamental human rights
  – Human dignity and the right to the pursuit of happiness; a new human right since 1890

• New developments and understanding in the Internet community
  – Writing slander on the net
    • Abuse, evil-speaking, false information, real-name information, temptation, and casual insults amount to human rights violations
    • Most people write without consideration, respect, or feeling, only for self-satisfaction
  – Gathering personal information without consent on the net
    • Identification of individuals, name, address, photo, GPS information, movement history, and targeted advertising
  – "Right to be forgotten" in the EU, January 2012

Appearance of "KIJO": the information space sometimes accelerates privacy infringement

KIJO: abbreviation for married women on the 2channel board. Their research capability is strange to the point of being very scary, hence the name "KIJO", meaning woman-demon. Once KIJO are angry about some social news incident, they investigate thoroughly back to the original blogs and SNS, so the address and real name are identified, and all personal information, even telephone number and background, is laid bare.

Corporate social responsibility

• Privacy protection is the protection of individual rights
• Personal information protection is a management responsibility of companies that hold personal information

  Employees' work: company responsibility
  Private action: private responsibility

• "Byte terrorism" (individual behavior of part-time employees) on the net is the company's responsibility (the same applies to regular employees)

Byte terrorism: part-time employees at restaurants or retail stores prank with store goods (especially food) and furniture, and post such nasty behavior to SNS. It causes net flaming about the responsibility of companies. In most cases the president apologizes to customers or the public; in some cases the company is crushed by the criticism.

Activities for information morals by our institute

• Activities with the Ministry of Economy, Trade and Industry (The Small and Medium Enterprise Agency)
  – Planning and holding of awareness seminars
    • Since 2003: 58 cities nationwide, more than 10,000 people
    • Lectures, panels, training guidance, workshops, consultations
  – Production and distribution of video dramas and brochures

• Activities with municipalities as a regional security center
  – Operation of the "Net Safety Center"
    • Consultation services (telephone, visit), alerts by e-mail, Q & A site
  – Cooperation with relevant organizations
    • Police, Consumer center, Law office, Board of Education, Legal Affairs Bureau
  – Lectures and workshops at elementary schools, junior high schools, and high schools
    • More than 100 times every year for students, teachers, and PTA

Case study of companies for information morals

• T & Kay Package Co., Ltd. (about 60 people) – Business expansion by obtaining Privacy Mark certification; appointing female employees who play an active role

• Lines Co., Ltd. (about 50 people) – Carefully grounds the business and creates rules that "actually protect"

• DMS Co., Ltd. (about 300 people) – Security measures for 300 million personal information records: "visualization of reassurance"

• Toppan Printing Co., Ltd. West Division (about 8,700 people) – Thorough rules that fit the workplace, and a mechanism that uses mistakes to help accident prevention

• Metro Computer Service Co., Ltd. (about 70 people) – Appealing externally with proof of trust, leading to a growth security strategy

• Fujitsu FSAS Co., Ltd. (about 5,000 people) – Converting the concept from "bad personality theory" to "weak personality theory", prompting "awareness" through the video "Education of the Heart"

• Fuji Xerox Co., Ltd. (about 9,900 people) – Emphasis on the awareness of people and the organization, adding measures that fit the workplace

• Sakaeya Co., Ltd. (about 20 people) – Leveraging the web to build a system for "raising cattle together with consumers"

• Fujitsu Design Co., Ltd. (about 130 people) – Eliminating inconveniences of daily life with mobile apps, contributing to an ICT society in which everyone can participate

• Mitsukoshi Co., Ltd. (about 4,300 people) – A web and barrier-free declaration that led to meeting new customers

Case study of companies for information morals

• Knowledge Plan Co., Ltd. (7 people) – Ingenuity in maintaining a system to protect personal information, tackled by a small company of 7 people in total

• DMS Co., Ltd. (about 280 people) – Persistent "review" and steady education and training for a system that keeps 300 million personal information records

• Toppan Printing Co., Ltd. West Division, Kyushu Division (about 8,500 people) – Awareness through the guideline "Risk casebook" booklet, and education to prepare for new threats

• KDDI Corporation (about 20,200 people) – Collective management of company accounts for safe use of social media

• Limited Liability Company earth voice project (15 people) – Supporting outgoing corporate "story videos"; human resource development that can handle information is key

• East Japan Railway Company (about 59,300 people) – Using ICT to collect customer needs and provide information, aiming for trains that everyone can use with confidence

• Radishbo-ya Co., Ltd. (about 240 people) – Thorough information disclosure to gain trust, connecting organic agriculture producers and consumers

• Fukuya Co., Ltd. (about 690 people) – Winning consumer trust through a consumer-oriented stance since its inception; "the eyes of the net" on resolved complaints penetrate the company internally

• SiM24 Co., Ltd. (18 people) – Expanding female employment by taking advantage of the features of ICT, with security measures of moral importance as the basis

• Fellow System Co., Ltd. (14 people) – Using ICT for job assistance to people with disabilities: technology acquisition and business sharing, also in job hunting

Conclusion

• Transformation of industrial structure and social structure through ICT fusion
  – ICT and automotive, agriculture, medical care, social infrastructure, retail and marketing, finance, manufacturing, education, media, business management

• In the future, the importance of personal information will grow more and more
  – Not only text data that identifies individuals
  – Image, audio, video, 3D data, genes, etc.; unpredictable

Therefore, information morals are required for companies' business.

And empathy, through communication with customers about personal information, is needed.