Japan needs stiff punishment for data theft

Updated: 2007-03-20 07:02

Personal data theft in Japan is barely punished.

In a shocking case of data theft in Japan, personal information on more than 8.6 million consumers was stolen from a printing company that handles direct mail for dozens of corporate clients.

According to Dai Nippon Printing Company, the data affects customers of 43 of its clients, including consumer credit companies, insurers, retailers and consumer loan firms.

The data was apparently pilfered by a former employee of a subcontractor that processed the information for the printing company. The suspect, Hirofumi Yokoyama, 45, smuggled out the information on a magneto-optical disk, according to prosecutors.

They said he sold the data on some 150,000 customers of a major consumer credit firm to a fraud ring targeting online shoppers. Part of the data was used for credit card fraud totaling several millions of yen. Yokoyama was arrested after he left the company. He was later indicted on theft charges.

Under the new law for the protection of personal information that went into force in 2005, companies dealing with such data are required to enhance their information security management.

Dai Nippon Printing clearly bears a heavy responsibility for this data leak. It says similar leaks started several years ago.

Dai Nippon says it hadn't expected data theft to be committed by insiders. Still, the company could have prevented the crime if it had taken precautionary steps such as prohibiting workers from taking recording media out of computer rooms and frequently checking records of access to databases.

The company clearly is out of touch in its awareness of the huge responsibility it shoulders in protecting such vast amounts of personal data provided by its clients.

The companies that entrusted the data to Dai Nippon also share blame. The privacy protection law stipulates that when companies provide personal data to other firms for processing they must properly supervise the information security management of those entities.

This is a data breach of an unprecedented scale that led to actual financial fraud. In order to identify the problems with Dai Nippon's information security system, the Ministry of Economy, Trade and Industry and other organizations need to start their own investigations into the case and warn the public about the risks of disclosing their personal information.

If necessary, they should consider issuing special recommendations to companies that have experienced similar data leaks.

If such cases of data theft continue, political momentum could grow again for a proposal to introduce a new crime category to punish information leaks, an idea that the ruling camp had considered for a while.

The current law imposes private information protection requirements on companies and organizations but doesn't provide any punishment for individuals who have stolen or sold such information.

In the Dai Nippon case, Yokoyama has been indicted only on the charge of stealing a magneto-optical disk worth 250 yen ($2), not of stealing the data.

We believe, however, it would not be wise to create a new punishment for theft of all kinds of personal information. This kind of provision could be abused to deter acts that should be defended, such as whistle-blowing on corporate violations by insiders.

But it is worth considering how to establish category-specific regulations on the kinds of sensitive personal information that could be abused, causing serious consequences. This would include credit card numbers, data concerning personal savings and debts at financial institutions as well as data on patient charts at hospitals.

One reasonable proposal would be to establish specific rules for each of these areas - financial services, consumer credit and medical services - to hold individuals and companies that have stolen or traded personal information accountable.

The government's Quality-of-Life Council is now reviewing ways in which the information protection law has been enforced.

The panel should consider a wide range of steps to prevent damaging data breaches.

The Asahi Shimbun

(China Daily 03/20/2007 page11)