by Dr. Alan F. Westin
This is the
first in a series of JPR editorials that will comment on privacy developments
in Japan, and also relate the Japanese privacy scene to privacy events and experiences
in other democratic nations.
Data Leakage and
Since 2001, when
the Japan-US Privacy and Data Protection Program began to track the issue of
personal data leakage by businesses, there have been well over 50 such incidents
reported in the Japanese media. Personal data leaks have occurred in businesses
of all sizes, representing almost all sectors of the Japanese economy, and including
not just Japanese companies but also multi-national firms operating in Japan.
The number of victims per incident has varied from a dozen or so to several
million, and businesses have leaked all types of personal information, from
names, addresses and birthdates to sensitive health and financial data.
In fact, a recent
survey by Kyodo News revealed that almost ten percent of Japanese firms admitted
to having leaked or lost customers' personal data in the past two years. Of
159 firms polled, 15 had experienced losses of customer information such as
names, addresses and phone numbers. If this is representative of Japanese consumer
product and service companies, this could mean that millions of items of customer
personal information has been leaked over a two-year period.
Clearly, Japanese consumers feel a sense of insult when such leakages take place.
They feel that companies that have promised to keep their personal information
confidential, and to use robust security measures to keep it confidential, have
broken their promises. Consumers experience a loss of trust. But have they experienced
financial damages, loss of credit-worthiness, or have they had to spend weeks
of personal time correcting adverse actions created by the data leakage?
When similar stories of data leakage are reported in the American, British,
Australian and Canadian media, they often include reports of specific harm resulting
to individual consumers as a result of the disclosures. Victims have large purchases
made on their credit cards, funds withdrawn from their bank accounts, even major
loans taken out in their names. These actions cause the victim’s credit
reports to show bad actions, and victims find their credit cards canceled, lawsuits
brought against them, and they cannot obtain mortgages when they want to buy
a home or condominium. Even when the charges are shown to have been made by
identity thieves and victims do not pay for them, it usually takes 1-2 years
for a typical victim to fully repair their consumer lives.
This is almost
never the case with Japanese media reports. Japanese business chiefs usually
apologize to their customers, in writing and at press conferences. And the cost
to businesses - for example, the ¥4 billion that Softbank will pay out to
its customers over its subscriber record leak - is often widely reported by
the Japanese press. However, while there have been scattered reports of individuals
fraudulently obtaining JukiNet cards, and of isolated instances of credit card
fraud, news of financial or credit-standing harm to victims is extremely rare.
Internationally, the leading cause of harm sustained by victims of personal
data leaks appears to be identity theft. Over the past few years, the international
incidence of identity theft has skyrocketed. According to a survey by Privacy
& American Business and Harris Interactive, some 33.4 million Americans
have been the victims of identity theft since 1990, at an average cost of US$740
per person. Identity theft is hitting other nations equally hard. The Securities
Industry Research Centre of Asia Pacific has estimated that identity theft caused
losses of AUD$1.1 billion in Australia during 2001-2002. Canadian consumer center
PhoneBusters identified 13,000 victims of identity theft in 2003, with losses
estimated at over CAN$2.5 billion. And the Home Office has estimated the 2003
cost of identity theft to the United Kingdom at some £1.3 billion.
It is not at all clear from the news reports that Japan has a problem of a similar
magnitude on its hands. This raises two possibilities. The first is that the
media, while attentive to data leakage itself, is yet to focus on its associated
harms. The second is that Japanese consumers are simply not experiencing a significant
level of harm as a result of data leakage incidents.
The available evidence suggests the second possibility might best describe the
reality. There are few indications that Japanese crime rings have gravitated
towards identity theft in the way that similar groups, such as telemarketing
fraudsters, have in the United States, or immigration fraudsters have in Australia.
In addition, Canadians, Americans, Australians and the British are all avid
users of credit cards, and personal data leaks can often provide criminals with
all the information they need to fraudulently obtain credit cards. For a variety
of reasons, however, the Japanese have not traditionally been such enthusiastic
credit card users. This may explain much of the discrepancy between the harm
sustained by Japanese victims of data leakage, and that sustained by victims
There is increasing evidence, however, to suggest that this situation might
change rapidly in the future. As a result of changes among Japanese attitudes
to credit purchases, as well as regulatory changes to the consumer finance market,
Japanese credit card ownership and use is set to surge. As of March 2004, 78%
of eligible Japanese hold credit cards, a rise of 7% from 2001, and the trend
looks certain to continue. With increased credit card use comes an increased
threat of financial harm as a result of leakage of personal data. And if data
breaches come to be seen by Japanese criminal groups as a promising new area
of activity, ID theft could surge in Japan, as it has in so many other nations
over the past five years. Indeed, identity theft has proved a target of crime
rings in the past – as, for example, in the well-publicized 2000 incident
in which criminals used an electronic “skimmer” to steal the credit
card details of approximately 80,000 customers of the department store Takashimaya.
It appears that Japanese businesses have a unique opportunity to prevent the
rise of identity theft and associated frauds before they begin to cause substantial
harm to the Japanese consumer. Data leakage is not so much a privacy issue as
a data protection issue. Businesses that suffer data leaks have generally gone
about the process of collecting and using consumers’ personal information
properly. They have not matched those efforts with similar attention to information
security. By focusing on implementing state-of-the-art data security methods,
Japanese businesses may be able to forestall the wave of personal information-related
fraud that has caused so much harm to consumers elsewhere.
In any case, it appears that businesses will be soon be required by law to implement
a high level of data security. On March 3, 2004, the Yomiuri Shimbun reported
that guidelines soon to be released by the Ministry of Economy, Trade and Industry
will contain detailed information security requirements and will necessitate
the appointment of a designated personal data security manager. The guidelines
are likely to form the basis of binding regulations that will come into effect
at the same time as the new Personal Information Protection Act, in April 2005.
It will take strong leadership by both business and government to address the
current all-too-easy leakages of personal consumer data in Japan. Clear data-security
standards need to be set, and both funds and personnel efforts dedicated to
meeting those standards. And, as in other democratic nations, having independent
organizations such as auditors examine data security procedures and see that
they are working properly can go a long away to assuring security effectiveness,
and also raising consumer trust.
Improved personal data security in both business and government databases is
a goal very much worth pursuing, if a program to restore consumer trust in Japan
is to succeed.