Tuesday, February 17, 2009

Personal information is now worth $1200

Privacy laws are very strict in Japan, and since 2004 the punishment for leaking private information has become stricter and stricter. In February 2004, Softbank BB/Yahoo! BB (broadband provided jointly by Softbank and Yahoo Japan) leaked the private information (name, address, email, and phone number) of many of their customers. I am not sure if any court mandated this, but Softbank/Yahoo paid 500 Yen (about $5) to all of their customers, including those who had stopped using their services, those on a free trial period, and even people whose personal information they didn't leak at all!

"Five dollars!! That's nothing!", you say?

Well, it sort of is when you have to pay that to 4,517,039 customers...

Until then there was no real ruling on how much private information was worth, and it was not really brought up as an issue. After this incident, however, things changed completely, and every company's worst nightmare here is definitely leaking personal information, no matter how trivial it might be. When talking to companies requesting security assessments, they tell us straight up that they don't really care whether their website gets defaced or their servers crash, just as long as they don't lose a single piece of personal information. A leak usually gets highly publicized, is bad for the reputation, and now results in financial losses, which is definitely the biggest fear.

When I was in training for my company 3 years back, they told me that it is unacceptable to leave anything in a public area that could be traced back to an individual. So say somebody calls for Taro but he is not at his desk. I cannot write down a name and number on a sticky note and put it on his computer telling him to call that person back, because somebody else could walk by and see that said person called for Taro. This would be considered a personal information leakage, and while I would probably not be fired, I would be highly reprimanded. If I knew for sure that Taro would be back in, say, 10 minutes, I could write him a note and place it face down on his desk. If not, I would have to wait for him to come back to tell him. Also, after Taro sees the note I gave him, he cannot throw it away but has to shred it, because it could lead to a personal information leakage followed by a lawsuit if someone happened to be dumpster diving and found even just a person's name. (Well, in theory at least.)

Another interesting story I heard about is a salesman of a company who accidentally CC'd an email to all of their clients instead of BCC'ing it, resulting in all of the clients finding out the email addresses of that company's other clients.... They did not suffer any legal punishment, but they lost an entire day of productivity because they had all of their 100 employees stop their project for the day to call and apologize to every client personally over the phone. In the U.S., a simple apology email or even just ignoring the issue may work, but in Japan doing so would be considered an extreme insult. There is no doubt that many lost trust in that company due to the incident.

Fast forward to January 2009.
For the past 5 years, Japan has been dealing with personal information leakage almost daily from individuals and companies large and small, mostly through the anonymous P2P network Winny. The courts are getting tired of dealing with all of these incidents, and each time they get a case the punishment gets harsher. This month, the courts decided to fine a person 120,000 Yen (about $1200) for merely posting the name, address and phone number of an individual on the supposedly anonymous, infamous forum Channel 2 (or "2 Channel" in Japanese).
The victim is still not satisfied with this and is appealing the case for more money, as "unless the fines are not more severe no one will take this matter seriously", he claims.

So imagine you are the CEO or the person responsible for the security of a company with millions of customers, and if you leak that information you now have to pay $1200 for each person instead of $5...
I am sure there are many people here that do not sleep well at night...


P.S. The picture at the top is the notorious typical shot of the executives of a company at the press release after a personal information leakage incident bowing their heads in shame apologizing to the world.

Sources:
http://bb.watch.impress.co.jp/cda/news/4427.html
http://www.a902.net/topics/2009/0216.html

2 comments:

  1. I am not a lawyer, but to me it sounds there is a big distinction between the two cases. In Softbank's case, the private information leaked was due to negligence, while, in the 2ch case, it (from your description) was due to malice, which would probably be punished much more severely by law.

    In addition, the JPY500 amount was settlement money, which is likely lower than what Softbank would have had to pay, had it been to court. (I don't know if Japan has class-action lawsuits like in the US, but presumably, there is some sort of equivalent?)

  2. Thank you for the insight!
    That is very interesting. I wish I knew more about either U.S. or Japanese law to say more. Every time I hear from a lawyer here or about laws here, it is as vague as the language itself.
    I hear much is up to interpretation and there is a much bigger grey zone than in the U.S. laws. Also, there have not been many cases involving IT security here, which creates a much bigger grey zone...


Please leave me feedback..