September 30, 2021 Guidance to Internet Initiative Japan Inc. concerning Measures for Protection of Secrecy of Communications and Appropriate Management of Personal Information

The Ministry of Internal Affairs and Communications (MIC) instructed Internet Initiative Japan Inc. (headed by KATSU Eijiro, President & COO) in writing today to thoroughly protect the secrecy of communications and properly manage personal information in relation to leakage cases of the secrecy of communications and personal information uncovered at the company. MIC also instructed in writing the company to promptly take measures including those to prevent recurrences and report the results of implementing the measures.

1. Background

According to a report from Internet Initiative Japan Inc., six leakage cases of the secrecy of communications and personal information have been uncovered in diverse services provided by the company since March 2020.
Specifically: (1) Leakage of call records and other information through the IIJ Mobile MVNO Platform Service, a platform service for MVNOs (uncovered on March 10, 2020), (2) Leakage of email addresses and other information through the IIJ Secure MX Service, an email-hosting service for corporate customers (uncovered on September 16, 2020), (3) Leakage of records on SMS transmissions numbers and other information through the IIJ Mobile Service, a mobile communication service for corporate customers (uncovered on March 8, 2021), (4) Leakage of data communications connection history and other information through the IIJ Mobile Service (uncovered on March 12, 2021), (5) Leakage of data usage charge history and other information through the IIJmio Service, an Internet service for individuals (uncovered on June 2, 2021), and (6) Leakage of data usage information and other information through the IIJmio Service (uncovered on July 15, 2021).

2. Details of measures

In every case, it is recognized that there has been a leakage of the secrecy of communication as stipulated in Article 4, Paragraph 1 of the Telecommunications Business Act (Act No. 86 of 1984). Furthermore, it is recognized that there has been a violation of the obligation to take security control action stipulated in Article 11 of the Guidelines for Protection of Personal Information in Telecommunications Business (MIC Public Notice No. 152 of 2017). Therefore, MIC today issued written guidance to the company to take immediate measures to prevent the recurrence of the reported incidents. MIC also instructed the company in writing to review from a company-wide perspective how to protect the secrecy of communications and personal information and strengthen data governance in light of the frequent occurrence of similar incidents.
MIC will continue providing necessary guidance and supervision to protect the secrecy of communications and ensure the proper handling of personal information held by telecommunications carriers.