Concrete Measures to Protect Customer Information
SOFTBANK BB Corp. has issued a press release on the attempted extortionusing “Yahoo! BB” customer information. Details are provided below.
In response to the recent case involving theft of customer information, SOFTBANK BB Corp.(“SOFTBANK BB”) has reviewed information management systems throughout the entire company and, as a result of this review, has determined the following measures to be of the utmost importance. The company has therefore decided to implement the emergency measures described below, all of which will be taken by the end of March, 2004.
Emergency measures to be taken by the end of March, 2004
1. Organizational security measures
a) Shinichi Ata, Senior Vice President, Director of the Board, has been appointed chief information security officer (CISO) to clarify responsibilities for information security and develop systems to faithfully implement programs.
b) New policies on information security shall be formulated and designated people in each department will be responsible for its enforcement.
c) An advisory committee of outside advisers on information security issues has been established (official name: Privacy Management Advisory Board).
- Members
- Mr. Raisuke Miyawaki (formerly with the National Police Agency, former Advisor to the Prime Minister for Public Affairs, the Senior Cabinet Secretariat, expert in risk management)
- Mr. Jiro Makino (author of “Introduction to how to fight against Business Information Crime”, noted authority on information management)
- Ms. Nobuko Takahashi (journalist, member of the Financial System Council)
2. Physical security measures
a) Development work related to the information system shall be carried out in a completely separated environment, where none of the customer information is to be used or accessed.
b) The operation of the information system and call center services shall be carried out in high-security areas only, and customer information shall be browsed only in those areas.
c) High-security areas shall be designated where the following measures are to be implemented.
Access to high-security areas shall be restricted with the use of such devices as an authentication system that records employee ID and time of entry. Such records are to be checked regularly. (Access to high-security areas must be approved by CISO.)
All of the equipment in the information systems department high-security area and some of the equipment in the call center high-security area, shall not be physically connected to the Internet.
3. Technical/operational security measures
a) Access to the customer information shall be significantly restricted as described below
Only a minimum number of people will be authorized by the CISO to have full-time access to all customer information (tentatively only 3 employees). Persons given full-time access authorization will issue time-limited passwords for others requiring access to information for others requiring access to information for operational purposes.
We will develop a system that will encrypt some of the fields of the customer information, making it impossible to print out or copy any customer information onto a storage media.
Whenever an employee accesses customer information, his or her user ID, the time the information was accessed, and what was done shall be recorded 24/7 and stored almost permanently.
b) Any output of information from high-security areas shall be restricted in the following ways
E-mail transmission with attached files shall be prohibited.
An environment will be created in which external memory devices can neither be brought in nor used.
All E-mail transmission shall be monitored.
c) We will conclude contracts with several well-experienced consulting companies that specialize in security measures, thereby greatly enhancing our security against illegal external access to our network.
4.Personal/outsourcing security measures
a) All employment agencies and company employees shall receive training (group training, E-learning, testing, etc.) on protecting personal information.
b) All employment agencies and company employees must sign new covenants with the company, and anyone who violates the company’s information security policy and operating rules shall be subject to penalty.
c) All contracts with outsourced companies shall be reviewed, and new contracts include the following stipulations shall be signed
- Confidentiality obligation
- Provisions regarding reconsignment
- Scope of responsibility of each party in case of an incident
- Handling of personal information at the time of contract termination
- Auditing right on the handling of personal information
In addition, SOFTBANK BB is committed to improving its security management capabilities and developing more fundamental, long- and medium-term activities. Below are examples.
Long- and Medium-Term activities to improve corporate security management capabilities
SOFTBANK BB will implement the following measures in line with its “Risk Response Principles,” “Security Design and Implementation Principles” and “Security Management Principles.”
1. Conduct company-wide risk analysis and respond to information security-related risks.
2. Reformulate information security rules and regulations and engage in ongoing programs to ensure that rules are known, understood and complied with.
3. Review all operational processes for the handling of customer information.
4. Conduct regular personal information protection training for all employment agencies and company employees.
5. Reinforce the information security auditing system to identify and improve problem areas early.
6. Formulate a risk management plan.
7. Seek third-party assessment under the following domestic and international information security standards.
Issuer Name of guideline Ministry of Public Management, Home Affairs, Posts and Communications - Information Communications Network Safety and Reliability Standards
- Guidelines for the Protection of Personal Information in Telecommunications Services
Ministry of Economy, Trade and Industry - Information Security Management Standards
- Information Security Auditing Standards
Japanese Standards Association (JSA) - JIS X 5080 Standards for the Implementation of Information Security Management
- JIS Q 15001 Requirements for Personal Information Protection Compliance Programs
SOFTBANK BB is committed to learning from this experience and resolved to become one of the top companies anywhere in the world for information security.
-
Releases, announcements, presentations and other information available from this page and elsewhere on this website were prepared based on information available and views held at the time of preparation and speak only as of the respective dates on which they are filed or used by SoftBank Group Corp. or the applicable group company, as the case may be. Such information is subject to change and may become out-of-date. Such information may also contain forward-looking statements which are by their nature subject to various risks and uncertainties that may cause actual results and future developments to differ materially from those expressed or implied by such statements. Please read legal notices in its entirety prior to viewing any information available on this website.