Personal data theft in Japan is barely punished.
In a shocking case of data theft in Japan, personal information on more than
8.6 million consumers was stolen from a printing company that handles direct
mail for dozens of corporate clients.
According to Dai Nippon Printing Company, the data affects customers of 43 of
its clients, including consumer credit companies, insurers, retailers and
consumer loan firms.
The data was apparently pilfered by a former employee of a subcontractor that
processed the information for the printing company. The suspect, Hirofumi
Yokoyama, 45, smuggled out the information on a magneto-optical disk, according
They said he sold the data on some 150,000 customers of a major consumer
credit firm to a fraud ring targeting online shoppers. Part of the data was used
for credit card fraud totaling several millions of yen. Yokoyama was arrested
after he left the company. He was later indicted on theft charges.
Under the new law for the protection of personal
information that went into force in 2005, companies dealing with such data are
required to enhance their information security management.
Dai Nippon Printing clearly bears a heavy responsibility for this data leak.
It says similar leaks started several years ago.
Dai Nippon says it hadn't expected data theft to be committed by insiders.
Still, the company could have prevented the crime if it had taken precautionary
steps like prohibiting workers from taking recording media out of computer rooms
and frequently checking records of access to databases.
The company clearly is out of touch in its awareness of the huge
responsibility it shoulders in protecting such vast amounts of personal data
provided by its clients.
The companies that entrusted the data to Dai Nippon also share blame. The
privacy protection law stipulates that when companies provide personal data to
other firms for processing they must properly supervise the information security
management of those entities.
This is a data breach of an unprecedented scale that led to actual financial
fraud. In order to identify the problems with Dai Nippon's information security
system, the Ministry of Economy, Trade and Industry and other organizations need
to start their own investigations into the case and warn the public about the
risks of disclosing their personal information.
If necessary, they should consider issuing special recommendations to
companies that have experienced similar data leaks.
If such cases of data theft continue, political momentum could grow again for
a proposal to introduce a new crime category to punish information leaks, an
idea that the ruling camp had considered for a while.
The current law imposes private information protection requirements on
companies and organizations but doesn't provide any punishment for individuals
who have stolen or sold such information.
In the Dai Nippon case, Yokoyama has been indicted only on the charge of
stealing a magneto-optical disk worth 250 yen ($2), not of stealing the data.
We believe, however, it would not be wise to create new punishment for theft
of all kinds of personal information. This kind of provision could be abused to
deter acts that should be defended, such as whistle-blowing on corporate
violations by insiders.
But it is worth considering how to establish category-specific regulations on
the kinds of sensitive personal information that could be abused, causing
serious consequences. This would include credit card numbers, data concerning
personal savings and debts at financial institutions as well as data on patient
charts at hospitals.
One reasonable proposal would be to establish specific rules for each of
these areas - financial services, consumer credit and medical services - to hold
individuals and companies that have stolen or traded personal information
The government's Quality-of-Life Council is now reviewing ways in which the
information protection law has been enforced.
The panel should consider a wide range of steps to prevent damaging data
The Asahi Shimbun
(China Daily 03/20/2007 page11)