How Will Corporate Risk Management Change with the Revision of the Personal Information Protection Act? The Growing Importance of Digital Forensics
The revised Personal Information Protection Act came into effect in April 2022 and obliges companies to report personal data leaks to the authorities and to notify the affected individuals. To file such a report, a company must determine the cause of the incident and, where unauthorized access or unauthorized removal of data is involved, preserve evidence that will hold up legally. Against this backdrop, "digital forensics", the discipline that identifies how and where unauthorized access and data tampering occurred, is gaining attention.
Digital forensics refers to "digital investigation"—the collection and analysis of information recorded on devices to uncover legal evidence. As a risk management measure for companies handling digital data, preparing for digital forensics will become increasingly indispensable.
With the tightening of personal information protection regulations, we will explain the significance and importance of digital forensics preparedness for companies.
What is digital forensics, which verifies traces of data manipulation or tampering?
"I neglected to save frequently, and a sudden PC malfunction cost me valuable data and time." "I should have kept the original data, but I accidentally overwrote it." Most people have had such unfortunate experiences at least once or twice. Beyond human error, data may also be altered from its original state by a third party's modifications or tampering.
In such cases, digital forensics may be performed. This involves collecting the data that remains and the data that can be recovered, then analyzing what operations or changes were made leading up to the incident. "Forensic" derives from the Latin for "of the forum", i.e., pertaining to the courts, and refers to investigation aimed at finding evidence that can be used in legal proceedings. "Digital forensics" specifically means investigating and analyzing evidence left on computers and digital storage media.
Types of Digital Forensics
Digital forensics is broadly categorized into the following three types, each requiring distinct expertise and techniques:
・Computer Forensics
Information analysis targeting computers and storage media. This involves investigating and analyzing data stored on a computer's hard disk or SSD, examining operation histories, connection histories of external storage media such as USB drives, and recovering deleted files. Because the act of examining a drive can itself change it, the analysis is performed on a verified copy (a disk image) rather than on the original media.
・Mobile Device Forensics
Information analysis targeting mobile devices such as smartphones. This involves investigating data left on the device and collecting/analyzing call logs, app usage history, internet access logs, etc.
・Network Forensics
Information analysis targeting network traffic and network equipment. Using packet capture or flow logs, we collect data flowing through the network. By analyzing when, via which route, and from and to which terminal data was sent or received, we identify terminals exhibiting suspicious activity. This also aids in pinpointing the source of incidents when cyberattacks occur. Two practical caveats: traffic is not retained by default, so this only works if captures or flow records were already being kept before the incident, and with encrypted traffic the payload is unreadable, although the timing, endpoints and volumes remain usable.
Digital Forensics Procedure
While the process varies depending on the specific incident and circumstances, it generally follows the steps below.

Furthermore, digital forensics is not only about verifying traces of data manipulation or fabrication. It also includes evidence preservation, which uses hash values and digital signatures to prove that the collected data has not been altered since it was acquired. A hash value is a fixed-length value computed from the data by a predetermined procedure (a cryptographic hash function such as SHA-256). Even a one-bit change to the data produces a completely different hash, so recording the hash at acquisition and recomputing it later is the standard way to demonstrate integrity. A hash on its own does not prove who computed it or when, which is why the recorded hash is in turn protected by a digital signature or a trusted timestamp. Older functions such as MD5 and SHA-1 should not be used for new evidence, since collisions can be constructed for them.
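The following added example (not code from the original article) shows the preservation step end to end: hashing an evidence file, recording the hash in a manifest, and re-verifying after a one-bit edit. As a stand-in for the digital signature or trusted timestamp mentioned above, it protects the manifest with an HMAC under an examiner-held key (an assumption made so the example runs offline; a real workflow would use an asymmetric signature or a third-party timestamp so that others can verify it without the key). The evidence content and the key are constructed.

```python
"""Evidence preservation with hash values and an integrity-protected manifest.

Added example, not from the original article. SHA-256 for file hashes; an HMAC under an
examiner-held key stands in for the digital signature / trusted timestamp (assumption).
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two hex digests differ (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_manifest(root, names, key):
    """Record each evidence file's hash, then protect the record itself with an HMAC."""
    entries = {name: sha256_file(os.path.join(root, name)) for name in names}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(root, manifest, key):
    """Check the manifest's MAC first, then re-hash every file it lists."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest": "TAMPERED"}  # the record of hashes was altered after it was sealed
    return {name: ("OK" if sha256_file(os.path.join(root, name)) == digest else "MODIFIED")
            for name, digest in manifest["entries"].items()}


def demo():
    """Acquisition, a one-bit edit of the evidence, and an attempt to hide it in the manifest."""
    key = b"examiner-secret-key"  # constructed; a real key is generated and stored securely
    results = {}
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "evidence.log")
        with open(path, "wb") as f:  # constructed sample evidence
            f.write(b"2022-04-01 09:12:03 user=alice action=copy src=customers.csv dst=E:\\\n")
        manifest = build_manifest(root, ["evidence.log"], key)
        results["before"] = verify_manifest(root, manifest, key)

        original = sha256_file(path)
        with open(path, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01  # flip a single bit of the first byte
        with open(path, "wb") as f:
            f.write(data)
        results["bits_changed"] = differing_bits(original, sha256_file(path))
        results["after_edit"] = verify_manifest(root, manifest, key)

        # Cover-up attempt: replace the recorded hash with the new one, but without the key
        forged = {"entries": {"evidence.log": sha256_file(path)}, "mac": manifest["mac"]}
        results["after_manifest_edit"] = verify_manifest(root, forged, key)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The one-bit edit changes roughly half of the 256 hash bits, which is why a recomputed hash either matches exactly or is obviously different. The forged manifest fails before any file is examined: whoever edits the evidence would also have to re-seal the record, which is exactly what the signature or timestamp from an independent party is meant to prevent.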
Increased Corporate Responsibilities Under the Revised Personal Information Protection Act

We have explained the basics of digital forensics thus far. The sudden surge in attention to digital forensics is largely due to the impact of the Revised Personal Information Protection Act. Enforced since April 2022, the amended law mandates reporting to the Personal Information Protection Commission and notifying the affected individuals when a leak of personal information caused by unauthorized access or a similar incident is confirmed. Even with robust internal measures against leaks or tampering, companies cannot always prevent cyberattacks. Security incidents can also occur through internal misconduct, such as an employee taking information out of the company on a USB drive.
Indeed, according to the "Survey on the Actual Conditions of Corporate Organizations under the Revised Personal Information Protection Act" (Trend Micro Inc.) conducted in March 2022, the most common reason for personal information leaks was "unintended accidents by employees or contractors (e.g., transmission errors)" at 49.0%. However, "intentional acts by employees or contractors (internal offenses)" (39.1%) and "cyberattacks from external sources" (32.5%) were also frequently cited.
Recent years have seen incidents causing significant damage, such as employees selling customer information to list brokers, or a newly launched payment service being forced to suspend operations because of unauthorized access. While these were caused by system flaws or intentional acts, early detection through digital forensics and identification of the cause and route might have kept the damage from spreading so extensively.
The revised Personal Information Protection Act broadens the scope of personal data held and imposes stricter penalties for violations. To ensure transparency regarding security measures, disclosure of these measures is now mandatory in principle. Reporting data breaches requires a two-step process: an initial report within 3-5 days and a detailed report within 30 days (or 60 days for unauthorized access cases), demanding swift and meticulous response.
While thorough security management and employee IT literacy training remain essential, it will also become increasingly important to establish mechanisms that can legally prove data validity and to ensure appropriate responses in the event of an incident.
Preparing for Digital Forensics Protects Both Customers and Companies

As such, preparing for digital forensics is now indispensable for companies. Properly conducting digital forensics enables the implementation of countermeasures to prevent similar incidents from recurring. Furthermore, should litigation arise, data collected through digital forensics can be presented as evidence. In essence, digital forensics protects both customer information and the company itself.
So, what specifically should be done and how? First, it's crucial to plan countermeasures assuming incidents will occur, as eliminating the risk of personal information leaks or confidential data tampering entirely is difficult.
Next, digital forensics investigations require advanced expertise in computers, networks, and cybersecurity. Therefore, consulting external specialists when necessary should be considered.
However, relying solely on external specialists without internal preparation can lead to difficulties in data recovery or reduced analysis accuracy when incidents occur. Examples of necessary preparations include: establishing an IT environment that captures and retains log evidence, developing internal rules, creating incident response manuals, and forming a CSIRT (Computer Security Incident Response Team) to respond swiftly to security incidents. Without these preparations, digital forensics cannot proceed smoothly, and the time and cost of the investigation can increase significantly. Thorough preparation, and communicating these measures internally, can also serve as a deterrent against insider threats.
Therefore, it is essential to implement countermeasures through a dual approach: collaborating with security vendors and strengthening internal systems. Furthermore, actively communicating the fact that security measures are in place and striving for transparency not only acts as a deterrent against misconduct but also helps build strong, trusting relationships with customers, business partners, shareholders, and other stakeholders. Protecting important personal information from misuse ultimately contributes to gaining the trust of the company.
For those who utilize data daily, personal information leaks are not someone else's problem. As digitalization increases the risk of information leaks, preparing for digital forensics will become indispensable for many companies advancing DX. Why not take this opportunity to review your company's security measures?