Don’t Drink and Data! How a Man Lost the Personal Data of His Entire City: Cybersecurity Trends

Hat tip to David Greetham for this story! ICYMI, a worker in Japan could be nursing a protracted hangover after he lost a USB memory stick following a night out with colleagues. Why? It contained the personal details of nearly half a million people. Lesson learned, don’t drink and data!

As reported by the BBC (Japanese man loses USB stick with entire city’s personal details, written by Matt Murphy), the (fortunately for him) unnamed man placed the memory stick in his bag before an evening of drinking in the city of Amagasaki, north-west of Osaka. He spent several hours drinking in a local restaurant before eventually passing out on the street, local media reported.

When he eventually came around, he realized that both his bag and the memory stick were missing.

Whoops. That’s why you don’t drink and data!

The Japanese broadcaster NHK reports that the man, said to be in his 40s, works (or is it “worked” now? Hmmm…) for a company tasked with providing benefits to tax-exempt households.

He had transferred the personal information of the entire city’s residents onto the drive on Tuesday evening before meeting colleagues for a night on the town.

City officials said the memory stick included the names, birth dates, and addresses of all the city’s residents. It also included more sensitive information, including tax details, bank account numbers and information on families receiving social security.

That’s about as sensitive as you can get.

Luckily for the man, city officials said the data contained on the drive is encrypted and locked with a password. They added that there has been no sign that anyone has attempted to access the information so far.

But the embarrassing incident prompted an apology from officials, with the city’s mayor and other leaders bowing in apology to residents.

“We deeply regret that we have profoundly harmed the public’s trust in the administration of the city,” an Amagasaki city official told a press conference.

According to a 2020 census, Amagasaki has a population of 459,593 residents. That’s a lot of personal data at risk.

Of course, thanks to EDRM and the Asia Pacific (APAC) Primer for eDiscovery that EDRM recently published (available for download here), I know that in May 2017, the Amended Act on the Protection of Personal Information came into effect in Japan (“PIPA”).

PIPA establishes the Personal Information Protection Commission (the “PPC”), which is tasked with the establishment and enforcement of privacy regulations and created regulations regarding disclosure of personal information to third parties, international transfers, and the collection and use of personal information.

The PPC’s enforcement powers include penalties for the theft or misappropriation of personal information. Current penalties depend on the severity of the infraction and can include fines of not more than ¥500,000 or imprisonment for not more than one year. However, amendments in 2020, to be effective before 2022, will increase penalties for legal entities to not more than ¥100,000,000.

People who need people may be the luckiest people in the world, but people who have people’s data need to be the most cautious people in the world. Because the USB drive was encrypted and password-protected, this man may have survived his drunken mistake without exposing the city’s highly personal data – that is, assuming he doesn’t get drunk again and reveal the password to somebody who has access to the USB drive. Don’t drink and data!

So, what do you think? We all know not to drink and data, right? Even on the weekend! 😉 Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
