Four major non-life insurance companies in Japan have announced that some of their employees have been illegally sharing customer records between their own firms and other insurance companies. On August 30, the four companies, which were investigating the issue following an order from the Financial Services Agency, revealed that the total number of such incidents across the companies was approximately 2.5 million.
This incident highlights a growing trend of deliberate information leaks by insiders in Japan. A survey found that such leaks were the third most common cause of security incidents in 2023 in Japan, with a five-fold increase in the number of incidents compared to the previous year (*1).
This trend is also reflected in a rise in trade secret breaches. In 2023, Japanese police investigated 78 trade secret cases and identified perpetrators in 26 cases, with both figures more than doubling over the past decade (*2). Most trade secret breaches are caused by insiders (*3), suggesting that many of these criminal cases involve deliberate leaks by insiders.
Recently, these incidents are also reviewed from the perspective of personal data protection law. In September 2023, police arrested an individual for violating the Act on the Protection of Personal Information by illegally sharing business card data maintained by his former employer with his new employer. This was the first arrest made under the act. In the case of the insurance companies mentioned, the Financial Services Agency issued an order to report about the handling of personal information based on this act.
While the Unfair Competition Prevention Act which protects trade secrets has been considered as a powerful tool against insider threats, in reality, proving that leaked information qualifies as a trade secret can be challenging, particularly in demonstrating that adequate measures were taken to ensure confidentiality. The Act on the Protection of Personal Information may offer an alternative to avoid those challenges, although the purpose of the act is to protect the rights and interests of natural persons rather than the business interests of the affected companies.
*1: https://www.tsr-net.co.jp/data/detail/1198311_1527.html (in Japanese)
*2: https://www.npa.go.jp/publications/statistics/safetylife/seikeikan/R05_nenpou.pdf (in Japanese)
*3: https://www.ipa.go.jp/archive/security/reports/2020/ts-kanri.html (in Japanese)