Plug leaks in privacy protection law

The massive customer data theft from education service provider Benesse Corp. has highlighted the danger of such data — which included the names, dates of birth, gender and parents’ address and telephone numbers of millions of children in this case — spreading quickly and limitlessly among businesses that pay to obtain the information they need for targeted marketing. Along with the efforts by companies to prevent leaks of their customer data, measures need to be taken to close the loopholes that allow private information to easily proliferate.

A 39-year-old systems engineer was arrested July 17 for allegedly stealing data from customers of Benesse’s services, including correspondence education courses for children, while he was working as a temporary staffer at a database management contractor for a Benesse affiliate. Given access to the company’s database, he is suspected of downloading and copying onto his smartphone data on more than 20 million customers over nearly a year until June. He has reportedly told police that he sold some of the data to a Tokyo-based firm that deals in name lists for ¥2.5 million.

According to some media reports, the name list trader sold the data to 50 companies, including cram schools, kimono stores and cosmetics companies.

Although the vendor has denied selling the data to fellow name list traders, investigators suspect that at least 10 name list brokers got hold of the data. A dealer that sold the data to software developer Justsystems Corp., which has admitted using the information to send mail ads to parents of the children on the list promoting its own education service, reportedly bought the data from a fellow broker, who in turn had purchased the list from yet another trader.

Benesse, which is paying dearly for the data leak both in terms of lost customer trust and the ¥20 billion it set aside to compensate customers for invasion of their privacy, is said to have restricted access to its computer terminal linked to the database. The terminal was installed in a room that is off-limits except to a limited number of staffers and was set up so they couldn’t download data on USB memory devices. The suspect allegedly found “by chance” that he could download the data to his own smartphone.

Benesse needs to find out why it failed for nearly a year to detect that customer data had been repeatedly downloaded and copied. It was reportedly alerted to the data theft only when its customers complained that they were receiving mail from Justsystems bearing personal information that they had registered only with Benesse.

A number of other companies have been hit by customer data theft — including by their own employees. What’s of utmost concern about the largest customer data theft to date is that once the data gets stolen, no mechanism appears to be in place to legally stop the personal information from being spread and reused by others.

The suspect reportedly signed a pledge when he sold the data to the Tokyo-based name list trader that it was not stolen. The trader has told investigators he didn’t realize the data had been illegally obtained. Other vendors that resold the data similarly claim they had no idea it had been stolen. Justsystems denies being aware that the data it bought originated at Benesse. Unless they traded or used the data knowing that it had been improperly obtained, they are not punishable by law and are not legally obligated to delete the data.

Since the privacy protection law was fully implemented in 2005, companies and public organs have tightened control of the personal information they handle, and the supply of name lists for certain groups of people — such as students and graduates of schools — that used to be traded widely for use in direct marketing is said to be in decline. But such lists, when circulated, are said to be highly prized by businesses.

Personal data on children is reportedly in high demand, because it can be used in the marketing of products and services for a long time — in each stage of a child’s life. Since the privacy law made it difficult for businesses to access resident registry information for commercial purposes, it would seem strange to assume that children’s personal data in such large numbers as in the Benesse case would be made available through entirely legitimate means.

The privacy protection law prohibits parties that handle people’s personal information from providing the data to third parties without obtaining the consent of the people concerned, but there are some exceptions to the rule.

Meanwhile, businesses such as name list traders are allowed to sell such data as long as they make it clear that they trade in such information. The law does not provide an effective way to block the circulation of personal data once it has been leaked. Privacy information like that leaked and traded in the Benesse case might even be used for criminal purposes such as fraud. Measures need to be taken to close the loopholes in a system that’s meant to protect people’s privacy.