Editorial by Dr. Alan F. Westin

This is the first in a series of JPR editorials that will comment on privacy developments in Japan, and also relate the Japanese privacy scene to privacy events and experiences in other democratic nations.

Data Leakage and Harm

Since 2001, when the Japan-US Privacy and Data Protection Program began to track the issue of personal data leakage by businesses, there have been well over 50 such incidents reported in the Japanese media. Personal data leaks have occurred in businesses of all sizes, representing almost all sectors of the Japanese economy, and including not just Japanese companies but also multi-national firms operating in Japan. The number of victims per incident has varied from a dozen or so to several million, and businesses have leaked all types of personal information, from names, addresses and birthdates to sensitive health and financial data.

In fact, a recent survey by Kyodo News revealed that almost ten percent of Japanese firms admitted to having leaked or lost customers' personal data in the past two years. Of 159 firms polled, 15 had experienced losses of customer information such as names, addresses and phone numbers. If this is representative of Japanese consumer product and service companies, this could mean that millions of items of customer personal information has been leaked over a two-year period.

Clearly, Japanese consumers feel a sense of insult when such leakages take place. They feel that companies that have promised to keep their personal information confidential, and to use robust security measures to keep it confidential, have broken their promises. Consumers experience a loss of trust. But have they experienced financial damages, loss of credit-worthiness, or have they had to spend weeks of personal time correcting adverse actions created by the data leakage?

When similar stories of data leakage are reported in the American, British, Australian and Canadian media, they often include reports of specific harm resulting to individual consumers as a result of the disclosures. Victims have large purchases made on their credit cards, funds withdrawn from their bank accounts, even major loans taken out in their names. These actions cause the victim’s credit reports to show bad actions, and victims find their credit cards canceled, lawsuits brought against them, and they cannot obtain mortgages when they want to buy a home or condominium. Even when the charges are shown to have been made by identity thieves and victims do not pay for them, it usually takes 1-2 years for a typical victim to fully repair their consumer lives.

This is almost never the case with Japanese media reports. Japanese business chiefs usually apologize to their customers, in writing and at press conferences. And the cost to businesses - for example, the ¥4 billion that Softbank will pay out to its customers over its subscriber record leak - is often widely reported by the Japanese press. However, while there have been scattered reports of individuals fraudulently obtaining JukiNet cards, and of isolated instances of credit card fraud, news of financial or credit-standing harm to victims is extremely rare.

Internationally, the leading cause of harm sustained by victims of personal data leaks appears to be identity theft. Over the past few years, the international incidence of identity theft has skyrocketed. According to a survey by Privacy & American Business and Harris Interactive, some 33.4 million Americans have been the victims of identity theft since 1990, at an average cost of US$740 per person. Identity theft is hitting other nations equally hard. The Securities Industry Research Centre of Asia Pacific has estimated that identity theft caused losses of AUD$1.1 billion in Australia during 2001-2002. Canadian consumer center PhoneBusters identified 13,000 victims of identity theft in 2003, with losses estimated at over CAN$2.5 billion. And the Home Office has estimated the 2003 cost of identity theft to the United Kingdom at some £1.3 billion.

It is not at all clear from the news reports that Japan has a problem of a similar magnitude on its hands. This raises two possibilities. The first is that the media, while attentive to data leakage itself, is yet to focus on its associated harms. The second is that Japanese consumers are simply not experiencing a significant level of harm as a result of data leakage incidents.

The available evidence suggests the second possibility might best describe the reality. There are few indications that Japanese crime rings have gravitated towards identity theft in the way that similar groups, such as telemarketing fraudsters, have in the United States, or immigration fraudsters have in Australia. In addition, Canadians, Americans, Australians and the British are all avid users of credit cards, and personal data leaks can often provide criminals with all the information they need to fraudulently obtain credit cards. For a variety of reasons, however, the Japanese have not traditionally been such enthusiastic credit card users. This may explain much of the discrepancy between the harm sustained by Japanese victims of data leakage, and that sustained by victims elsewhere.

There is increasing evidence, however, to suggest that this situation might change rapidly in the future. As a result of changes among Japanese attitudes to credit purchases, as well as regulatory changes to the consumer finance market, Japanese credit card ownership and use is set to surge. As of March 2004, 78% of eligible Japanese hold credit cards, a rise of 7% from 2001, and the trend looks certain to continue. With increased credit card use comes an increased threat of financial harm as a result of leakage of personal data. And if data breaches come to be seen by Japanese criminal groups as a promising new area of activity, ID theft could surge in Japan, as it has in so many other nations over the past five years. Indeed, identity theft has proved a target of crime rings in the past – as, for example, in the well-publicized 2000 incident in which criminals used an electronic “skimmer” to steal the credit card details of approximately 80,000 customers of the department store Takashimaya.

It appears that Japanese businesses have a unique opportunity to prevent the rise of identity theft and associated frauds before they begin to cause substantial harm to the Japanese consumer. Data leakage is not so much a privacy issue as a data protection issue. Businesses that suffer data leaks have generally gone about the process of collecting and using consumers’ personal information properly. They have not matched those efforts with similar attention to information security. By focusing on implementing state-of-the-art data security methods, Japanese businesses may be able to forestall the wave of personal information-related fraud that has caused so much harm to consumers elsewhere.

In any case, it appears that businesses will be soon be required by law to implement a high level of data security. On March 3, 2004, the Yomiuri Shimbun reported that guidelines soon to be released by the Ministry of Economy, Trade and Industry will contain detailed information security requirements and will necessitate the appointment of a designated personal data security manager. The guidelines are likely to form the basis of binding regulations that will come into effect at the same time as the new Personal Information Protection Act, in April 2005.

It will take strong leadership by both business and government to address the current all-too-easy leakages of personal consumer data in Japan. Clear data-security standards need to be set, and both funds and personnel efforts dedicated to meeting those standards. And, as in other democratic nations, having independent organizations such as auditors examine data security procedures and see that they are working properly can go a long away to assuring security effectiveness, and also raising consumer trust.

Improved personal data security in both business and government databases is a goal very much worth pursuing, if a program to restore consumer trust in Japan is to succeed.

鲜花