20/20 Hindsight: Recently Released Text of Yahoo! BB Case Puts Companies on the Hook For Preventable and Foreseeable Breaches
Approximately three months after a Japanese district court ordered BB Technology Corp. to compensate some of its subscribers
for the emotional distress suffered in connection with a massive 2004 security breach, the text of the court’s precedent-setting
decision has been made publicly available and offers insight into the court’s reasoning in this case. Most significantly,
the court concluded that a business can be on the hook for any breach of security resulting in a leak of personal information,
even if such information is not used or misused, if the leak was foreseeable and preventable. Given that hindsight is 20/20,
it may be relatively easy for plaintiffs to claim that a breach was foreseeable and preventable. Moreover, nothing in the
Law Concerning the Protection of Personal Information (the “Privacy Law”) that went into effect in April 2005 prevents individuals
from making such tort claims in the future.
Background of the Case
In early 2004, a man used a username and password he had received from a former BB Technology contract worker, who had been
hired to do server/database management, to access the customer database and download the personal information of at least
4.6 million customers of the Yahoo! BB broadband service. He then gave the personal information to persons associated with
a criminal organization, which attempted to extort approximately 2 billion yen from Softbank Corp. (parent company of BB
Technology). The personal information that was accessed and ultimately disclosed included customers’ names, addresses, phone
numbers, e-mail addresses, subscriber IDs, and registration dates.
This case is the first private lawsuit to be filed in connection with this incident. Plaintiffs, a small group of subscribers,
sued Yahoo! Japan and BB Technology seeking 100,000 yen (approximately $893) per plaintiff, alleging that the company had
breached its duty of care in managing their personal information and caused them emotional distress as a result of the
disclosure of that information.
The Decision
The court found for the plaintiffs, held that BB Technology had breached its duty of care and caused the plaintiffs emotional
distress, and awarded 6,000 yen to each plaintiff. The claim against Yahoo! Japan was dismissed, because no information managed
by Yahoo! Japan had leaked and Yahoo! Japan had no supervisory obligations over BB Technology.
The Duty of Care
The court examined whether BB Technology had a duty of care, first as a general matter, and then in connection with its remote
access system. In terms of the general duty of care, the court stated that BB Technology had a duty of care to prevent unauthorized
access and leakage of personal information, and to take necessary measures to manage the personal information appropriately,
in light of two laws and regulations that explicitly require such measures: (1) Guidelines regarding the Protection of Personal
Information in the Electronic Communications Industry (effective December 1998), providing that businesses in the electronic
communications industry must take necessary measures; and (2) The Law Concerning the Protection of Personal Information (enacted
on May 30, 2003, and effective April 1, 2005).
In this matter, unauthorized access to the customer information database was made possible through the remote maintenance
server. BB Technology had implemented remote access to its servers in December 2002. The court found that, in view of the Japan
Industrial Standards regarding remote access and the Standards for Measures Against Unauthorized Access to Computers issued by
the Ministry of Economy, Trade and Industry in 1996, remote access in itself raises the risk of unauthorized access, and thus
BB Technology had a duty to take appropriate measures to prevent unauthorized access via the remote access system.
Breach of the Duty of Care
The court noted that remote access was controlled by a single username and password alone, and that BB Technology did not
implement other methods of access control, such as a “call back” function that would only allow access from specified
computers. As to the management of that username and password, the court found that: (1) just one common username and password
was used by a group of workers called “Genbatai” (translation: “onsite troop”), whose job it was to maintain the database and
servers, and the username and password were the same word, “Genbatai”; (2) when the former employee who divulged the username
and password (hereinafter the “Leaker”) left the company, the username and password were not changed; (3) the password was not
periodically changed; and (4) even after other Genbatai members noticed that the username and password had been altered and
tampered with (the Leaker had done this to prevent another employee from gaining access to the database), the Genbatai simply
reset the username and password to the old ones and kept on using them. The court found that such management of the username
and password was “extremely inadequate,” given that it was the only method BB Technology was using to control remote access,
and concluded that BB Technology had breached its duty of care to prevent unauthorized access.
Foreseeability and Preventability of Unauthorized Access
The court found that unauthorized access was foreseeable by BB Technology, in light of the type of work that the former contract
worker was doing, the scope of authorization given to the former worker to access confidential information of the company,
and the fact that BB Technology had the former contractor sign a Confidentiality Agreement before he started working. In
addition, the court determined that unauthorized access was preventable by appropriate management of the username and password,
by changing the password after a worker on the maintenance team left the company, or changing the password on a regular basis.
From the above analysis, the court determined that BB Technology was indeed liable in tort for the damages suffered by the
plaintiffs.
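The credential-management failures the court enumerated (one shared account, a password identical to the username, no periodic rotation, no rotation after a holder left, and no restriction on where remote connections may originate) are all things an inventory audit can catch before an incident. The script below is an added illustration and is not part of the original article or the court record; it checks a constructed account inventory for exactly those weaknesses. All account names, people, dates and network ranges in it are made up, including the account modelled on the one described in the decision.

```python
"""Audit a remote-access account inventory for the credential-management
weaknesses the court enumerated: a shared account, a password equal to the
username, no periodic rotation, no rotation after a holder departs, and no
source restriction (the "call back" style control). Added example; every
record below is constructed, not taken from the case record."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class RemoteAccount:
    username: str
    password: str                      # a real inventory stores a hash; plaintext here only for the check below
    holders: list[str]                 # people who currently know the credential
    password_changed: date             # date the password was last set
    allowed_sources: list[str] = field(default_factory=list)   # hosts/networks permitted to connect
    departures: dict[str, date] = field(default_factory=dict)  # former holders -> date they left


def audit_account(acct: RemoteAccount, today: date, max_age_days: int = 90) -> list[str]:
    """Return one finding per weakness; an empty list means the account passes."""
    findings: list[str] = []
    if len(acct.holders) > 1:
        findings.append(f"shared by {len(acct.holders)} people; no individual accountability")
    if acct.password.lower() == acct.username.lower():
        findings.append("password equals username")
    age = (today - acct.password_changed).days
    if age > max_age_days:
        findings.append(f"password is {age} days old (limit {max_age_days})")
    for person, left in acct.departures.items():
        # A departure on or after the last password change means the leaver still knows it.
        if left >= acct.password_changed:
            findings.append(f"not rotated after {person} left on {left.isoformat()}")
    if not acct.allowed_sources:
        findings.append("no source-address restriction on remote access")
    return findings


def audit_inventory(accounts: list[RemoteAccount], today: date) -> dict[str, list[str]]:
    """Map each username to its list of findings."""
    return {a.username: audit_account(a, today) for a in accounts}


# Constructed sample inventory: the first account mirrors the failures in the
# decision; the second is managed the way the court said would have prevented access.
TODAY = date(2004, 1, 15)
SAMPLE_ACCOUNTS = [
    RemoteAccount(
        username="genbatai", password="Genbatai",
        holders=["ops-a", "ops-b", "ops-c"],
        password_changed=date(2002, 12, 1),
        departures={"former-contractor": date(2003, 6, 30)},
    ),
    RemoteAccount(
        username="dba-ops-b", password="Vq7!rTm2#pLx9dWe",
        holders=["ops-b"],
        password_changed=date(2003, 12, 20),        # rotated after the contractor left
        allowed_sources=["10.0.5.0/24"],            # constructed management network
        departures={"former-contractor": date(2003, 6, 30)},
    ),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{'FAIL' if findings else 'PASS'} {name}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against the sample inventory, the shared account fails on all five checks and the individual, rotated, source-restricted account passes; the departure check is the one that encodes the court's point that changing the password when a maintenance worker leaves would have prevented the access.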
Violation of the Right of Privacy of Plaintiffs
The court then determined to what extent the rights of the plaintiffs were violated, by looking at whether there was any secondary
leakage, and the nature of the personal information that was leaked. The court did not find that the plaintiffs’ data was
included in the customer information that had been leaked to the internet or other media.
In terms of the personal information that was leaked, the court noted that only basic contact information of the customers
was leaked, but stated that it was natural for individuals to expect that their personal information, even such non-sensitive
information, would not be divulged to unwanted third parties, and that expectation of privacy can and should be protected
by law.
Damages
Although the plaintiffs had claimed that their damages for emotional distress amounted to 100,000 yen in pain and suffering,
the court disagreed.
The court determined that 5,000 yen was more appropriate for the emotional distress and feelings of “insecurity” that the
plaintiffs felt from the violation of their privacy, for the following reasons: (1) there was no secondary leakage of the
information; (2) the personal information that was leaked did not contain sensitive information; and (3) after the attempted
extortion and the leakage of personal information came to light, BB Technology took various measures, such as announcing the
leakage to the public, contacting customers whose information was determined to have leaked, apologizing to all subscribers
to the service by issuing a 500 yen check to each of them, and taking measures to strengthen the security of the personal
information it manages.
In addition, 1,000 yen was awarded to each plaintiff to cover attorneys’ fees in the case against BB Technology.
Implications for Companies
As previously stated, this case makes clear that in Japan, even if the personal information of an individual that has been
leaked is not used or misused, such as for identity theft purposes or marketing purposes, businesses can be on the hook for
any breach of security resulting in a leak of personal information, even general contact information, if the leak is foreseeable
and preventable. Given this standard, it will be relatively easy for individuals to make tort claims in the wake of a security
breach.
BB Technology seems to have done everything right in how it dealt with the security breach after the extortion incident: it
notified the authorities, the affected individuals and the public regarding the breach, investigated the breach, and implemented
further security measures to prevent further incidents. Nevertheless, it was still found liable for failing to take appropriate
and reasonable security measures to protect the personal information entrusted to it.
So what should businesses do? Now that the various ministerial Guidelines have been issued pursuant to the Privacy Law, businesses
should be more aware of their obligations to strengthen their data security practices. Some data, such as individuals’ financial
or health information, is subject to separate, more stringent security guidelines. The Ministry of Economy, Trade and Industry
Guidelines, which are applicable to general businesses, give many examples of technical, administrative and physical security
measures that businesses might take, although most of the requirements are not mandatory and are instead characterized as
“desirable,” leaving businesses to decide for themselves what measures are appropriate.
At a minimum, companies doing business in Japan should review their data security practices and ensure that they have in place:
- A written information security policy;
- A data classification system, with security measures that are appropriate to each category;
- Access controls (technical, administrative and physical) appropriate to the level of sensitivity of the data;
- A policy covering data in transit (i.e. passwords, encryption);
- A document retention / disposal policy that includes proper and complete disposal of sensitive information;
- Employee training;
- Inspection / audit system to confirm compliance with policies.
The court case is available online at:
http://www.courts.go.jp/search/jhsp0030?action_id=dspDetail&hanreiSrchKbn=04&hanreiNo=33228&hanreiKbn=03