2. On Issue 2
(1) Illegality, for the purposes of the State Compensation Act, of the defendant Tokyo metropolitan government’s conduct regarding the Incident
A) Firstly, although each of the reports made by the National Police Agency and the Metropolitan Police Department in December 2010 noted that the Data includes information that was, with a high probability, handled by members of the police, it was not revealed specifically how the Data was removed to the outside. Police investigation into the course of the posting of the Data continued further, but the details have still not been made clear to this day, as in (4) of the Undisputed Facts.
To be sure, each of the documents that were the bases of the Data had been in the possession of the Third Foreign Affairs Division, as found in 1(1)A above. Also, as a result of wide-scope and intensive investigations conducted in an effort to solve the case, each of the reports mentioned earlier (Exhibits A-2, A-3) takes note of revelations, e.g. that some of the computers used in the Third Foreign Affairs Division lacked sufficient controls, including control of the history of external memory media usage, and that the possibility that the information was removed using external memory media cannot be denied. This description assumes that the Data was removed from the computers used in the Third Foreign Affairs Division using external memory media, without any mention of other possibilities such as hacks by outsiders, and there is no particular evidence suggesting such alternative scenarios.
In light of this, it is fair to regard the Data as having been removed using external memory media by a member of the police (most likely a Metropolitan Police Department employee, considering the fact that, according to Exhibit A-5, access to the exclusive folder in which the Data was saved was limited to the direct administrator and senior officers).
B)
a) Then, in considering the negligence of the Metropolitan Police Department in the Incident originating from such an act of removal: as the most recently created data in the Data is dated 1 January 2009 (Exhibits A-2, A-3), the Data can be regarded as having been removed to the outside world on or after the same month at the earliest. According to evidence (Exhibit A-23) and the totality of the pleadings, by this time incidents of leaks from government agencies, including the police, had been happening frequently, including incidents involving the removal of data using external memory media, incidents involving the use of personal computers, incidents resulting in the posting of police information on the Internet, and incidents causing damage in the form of the disclosure of personal information as a result of leaks, as seen in Attachment 1, and it can be found that these leak cases had been reported in newspapers etc. Also, it is public knowledge that around that time, Winny was causing numerous leaks onto the Internet from computers other than those of the police and government agencies.
Further, the Data contained Personal Data which is the plaintiffs’ personal information, and particularly, the content included matters that directly relate to the inner world of individuals and the autonomy of personhood, in the form of information that not only directly revealed that the plaintiffs are Muslims but also indicated the strength of their faith, as well as criminal history, which directly relates to a person’s honour and reputation, as previously found and explained. It can be said that such information, even among the contents of personal privacy, amounts to information that one least wants others to know, and such information, once leaked onto the Internet, carries a risk of being communicated to the general public due to the Internet’s high capacity to diffuse and spread it, and it is extremely difficult, if not almost impossible, to later retrieve all of the information.
As a result, it can be said that it was sufficiently foreseeable to the Superintendent General that if the Data were removed and connected to an external computer, there was a danger of it being leaked onto the Internet through Winny etc., being communicated to the general public, and inflicting great damage to the plaintiffs.
Accordingly, the Superintendent General was under a duty of care in the area of information control to take thorough anti-leak measures so that the plaintiffs’ personal information would never be leaked.
b) In response to this, the defendant Tokyo metropolitan government, citing a 1986 Supreme Court case, argues to the effect that clearly it cannot be said that the specific course of events leading to the Leak Incident, much less the outcome, namely, of the Data being posted on the Internet, was foreseeable to the Superintendent General, in light of the circumstances such as (i) Administrative Notices (On the Administration of Rules Regarding the MPD Information Security) prohibiting employees from removing electromagnetic memory media that constitute the police information system from the police buildings; (ii) the illegality of data removal, subject to criminal and disciplinary penalties as a violation of Article 34 of the Local Government Employee Act; (iii) the multiple acts required in the course of posting the Data on the Internet; and (iv) the complete absence of information leak cases through the removal of data after the February 2008 completion of the introduction of an automatic encryption system when recording data on external memory media from terminal devices (hereinafter referred to as the Automatic Encryption System).
However, penalty rules and administrative notices themselves do not make the removal of data impossible or difficult in a physical or technical sense, and as previously noted, there had already been numerous occasions of leaks from computers onto the Internet through Winny, by around January 2009. As for the Automatic Encryption System, there is insufficient evidence to hold that it had been installed on every computer used in the Third Foreign Affairs Division during the period between that month and the October 2010 date of the Incident. In fact, evidence (Exhibit A-5) shows that some computers used in the Third Foreign Affairs Division lacked the Automatic Encryption System. Accordingly, none of the points raised by the defendant Tokyo metropolitan government can be said to defeat the Superintendent General’s foreseeability illustrated above in subparagraph (b).
The defendant Tokyo metropolitan government also cites in its argument a 2005 Sapporo High Court case ((1) of Exhibit C-11) denying the foreseeability for the manager etc. in an information leak case, but this judgment can be distinguished from the present case due to the specific facts giving rise to foreseeability at the time of the incident. Therefore, consideration of this case does not influence the above decision.
C) Next to consider is whether or not the Superintendent General breached his duty of care in information management.
a) Evidence (Exhibits A-2, A-3, C-6, C-7) shows that the Metropolitan Police Department established and published the “Rules Regarding Information Security of the MPD” (hereinafter referred to as the Security Rules) etc. on 28 June 2005. These (i) appointed a Metropolitan Police Department Information Security General Officer (hereinafter referred to simply as the ‘General Officer’) to the Metropolitan Police Department headquarters, charged with a duty to make efforts to appropriately maintain and manage computers, terminal devices, electronic communication lines or any connected machines, and electromagnetic memory media etc. (Article 10 of the Security Rules). Specifically, only authorised electromagnetic memory media could be used in police duties, in order to secure regular functioning of the police information system etc. and to prevent information leaks; Information Management Officers (whose duty involves information security relating to the police information system etc. in order to maintain information security within their division) who accept into their division electromagnetic memory media for the use of police duties were to receive an inspection by the head of their division at least once a month regarding its management; and Information Managers (whose duty involves the management of computers etc. in order to maintain information security relating to the police information system etc. within their post), if delivered electromagnetic memory media by the Information Management Officer, were to store it in a secure locker etc.; the handling of electromagnetic memory media was to be recorded in an “Electromagnetic Memory Media Removal and Return Log” (7(5) of the Administrative Notice No. 2 etc.). They also (ii) imposed an obligation on the General Manager to encrypt necessary information according to the objectives of the duty, in order to maintain information security (Article 11 of the Security Rules).
Specifically, when storing information on electromagnetic memory media, encryption measures were to be taken unless authorised by the General Manager, and the Information Manager was to verify the trails of exports onto electromagnetic memory media by means of the encryption file, and report the results to the head of the division (8(1) and (4) of the Administrative Notice No. 2). They further (iii) imposed an obligation on employees to properly handle the police information system etc. as well as the information processed by it (Article 14 of the Security Rules), specifically prohibiting in general: transferring electromagnetic memory media to others; the use of personally owned computers; bringing electromagnetic memory media etc. into the National Police Agency building; and removing devices and electromagnetic memory media comprising the police information system etc. from the National Police Agency building (11(3), (10), and (11) of the Administrative Notice No. 2).
b) However, none of these measures made the removal of data from the building inherently impossible or difficult in a physical or technical sense, and it can be said that compliance with the above rules ultimately depended on the actions of each individual employee. What is more, in terms of the above (a)(i) and (ii), no evidence clarifies to what degree each of the procedures, such as inspection of the management of electromagnetic memory media by the head of the division, entry of the removal and return of electromagnetic memory media into the “Electromagnetic Memory Media Removal and Return Log”, and the verification and reporting of trails of exports to electromagnetic memory media by means of encryption files, was practised in reality.
As for the Automatic Encryption System, the fact that computers lacking its installation were being used at the Third Foreign Affairs Division was found above in B(b).
If so, as merely establishing and publishing security rules etc. and introducing an automatic encryption system does not ultimately serve as a conclusive factor in preventing information leaks to the outside, it should be said that constructing a management regime to ensure actual compliance with the Security Rules etc. by each employee or information manager etc. was necessary and essential as a genuine preventative measure.
c) Yet it has been revealed that the management of trails of the history of external memory media usage etc. for some of the computers used in the Third Foreign Affairs Division was insufficient, as held above in (a), and thus it must be observed that the management regime to ensure actual compliance with the security rules etc. in the Third Foreign Affairs Division was inadequate, and that this fact led to the removal of data using external memory media.
It must therefore be said that the Superintendent General negligently breached his duty of care in information management, which is illegal for the purposes of the State Compensation Act. As such, it follows that the defendant Tokyo metropolitan government is liable.
(2) Illegality, for the purposes of the State Compensation Act, of the defendant Japanese government’s conduct regarding the Incident
A) The plaintiffs allege to the effect that under Article 7(1) of the Security Orders, the National Police Agency must designate an Inspection Officer to perform inspections relating to the police information system, and in light of the duties that the role entails, as established by Article 7(3), the Inspection Officer was under a duty of care, through opportunities such as regular inspections, to accurately assess the substance of the numerous information leak incidents between 2006 and 2008, analyse their causes and responses, reflect them in the Annual Information Security Inspection Plan, and secure, by the 2009 regular inspection of the Metropolitan Police Department at the latest, the implementation of measures to prevent information leaks using external memory media, and that breach of this duty resulted in the Incident.
B) Upon consideration, it is true that the National Police Agency, under Article 7(1) of the Security Orders (Exhibit B-28), is to appoint an Inspection Officer to supervise the execution of inspections regarding information security related to the police information system, and according to the Execution Guidelines for Police Information Security Inspections (Exhibit B-30), the Inspection Officer, in conducting regular inspections of the prefectural police etc., is to formulate an Annual Information Security Inspection Plan and, based on this, establish an Inspection Execution Plan for each individual inspection; after conclusion of the regular inspection, the Inspection Officer is to create an Inspection Report and submit it to the Chief Information Security Manager, who, based on the Report, instructs the heads of the divisions in question on necessary matters such as improvements to be made; the heads receiving said instructions are to promptly take adequate measures based on the substance of the instructions, and report back to the Chief Information Security Manager on the outcome; and in addition, the Inspection Officer is to execute Special Inspections when the necessity of such is particularly recognised by the Chief Information Security Manager. The fact that the Incident was due to a breach of the duty of care in information management in the Third Foreign Affairs Division has already been elaborated on, and the possibility that the Incident might have been prevented had the inadequacies in information management been indicated at the National Police Agency’s inspection stage cannot itself be denied.
However, inspections carried out by the National Police Agency’s Inspection Officer, besides the annual regular inspection, are special inspections responding to particular necessities, and are not of a kind involving, for instance, an Inspection Officer permanently stationed in each division to monitor compliance with information security (the National Police Agency is in a position to supervise the prefectural police in general, and it is impossible for Inspection Officers to be permanently stationed in each division of all the prefectural police forces in order to monitor compliance with information security, and it cannot be said that a duty to carry out such inspections exists), so cases in which the defendant Japanese government would be held liable for the Inspection Officer’s inspections should be said to be limited to cases, for example, such as a chronic failure to inspect, or a failure to articulate an inadequacy found through an inspection, and such circumstances cannot be found regarding the Incident, in compiling the totality of the evidence in this case.
On the other hand, evidence (Exhibit B-52) shows that the 2009 Police Information Security Inspection of the Metropolitan Police Department and the prefectural police etc. was carried out with a focus on improvements in response to indications from past inspections etc., the implementation of increasingly thorough preventative measures against the recurrence of information leaks, the implementation of information security measures concerning external memory media etc., the management of the police information system, and measures against breaches of information security. As a result, in some divisions inappropriate circumstances were identified, such as (i) indications of the use of unauthorised external memory media on computers unable to acquire trails of their use; (ii) that encryption when recording information on external memory media was not thoroughly practised; and (iii) that verification of the trails of exporting information onto external memory media was done by the very employees using the said media. Considering these findings, improvements were requested of the divisions in question to (i) reinforce the management and inspections etc. of the use of computers and external memory media; (ii) thoroughly encrypt information when recording it onto external memory media; (iii) have the manager of media usage verify trails of the import and export of information regarding external memory media; and to report the results to the administrative manager etc.
Further, according to evidence (Exhibit A-23) and the entirety of the pleadings, the National Police Agency implemented countermeasures for each of the following cases listed in Attachment 1: (i) in response to the leak of personal information onto the Internet at A and B police agencies in March 2006: measures such as the inspection of personal computers etc.; submission of confirmation documents (that no employee was to manage police information on personal computers or on external memory media not authorised for use on duty, or use computers running Winny (both of which are held to the standards of the time)); a reinforcement of information management based on remarks made by the Chief Cabinet Secretary at the meeting of administrative vice-ministers etc. held on the 9th of the same month, to the effect that information leaks through the use of personal computers were creating an extremely concerning situation, and that the relevant ministries and agencies were to reinforce warnings to each and every employee regarding computer use against information leaks; a sweep of personal computers used on duty; reinforcement of inspections; and special inspections of all of the prefectural police agencies etc.; (ii) in response to the leak of personal information onto the Internet from C police agency in February 2007: measures such as compliance with fundamental measures in information security, including the implementation of self-inspections and individual interviews; compliance with rules regulating the management of police information; and limiting the use of external memory media as well as taking encryption measures etc.; (iii) in response to the leak of personal information onto the Internet from D police agency in June of the same year: measures such as the reinforcement of fundamental matters regarding the management of police information; deleting unnecessary police information; sweeping unauthorised personal devices; and inspecting personal computers etc.; (iv) in response to the leak of police information onto the Internet from E police agency in May 2008: measures such as the inspection of personal computers and actual devices; prohibition on the use of unregistered external memory media; resubmission of confirmation documents; small group discussions etc. to raise awareness; recording and managing trails; and limiting the use of external memory media drives by USB keys.
Accordingly, it can be found that the National Police Agency’s Inspection Officer had been carrying out the necessary regular inspections and implementing possible measures every time an information leak onto the Internet happened.
C) Therefore, the plaintiffs’ above argument cannot be accepted, and the defendant Japanese government cannot be found liable for the Incident.
(3) Illegality, for the purposes of the State Compensation Act, of the defendants’ omissions following the Incident
A) The plaintiffs allege to the effect that the Metropolitan Police Department is liable in state compensation because, while it should have taken concrete measures such as promptly acknowledging the Data as documents created and managed by the Metropolitan Police Department and the National Police Agency, and requesting that Internet providers etc. that continued to publish and host the material delete it, in reality the Metropolitan Police Department and the National Police Agency refused to acknowledge that they had created and managed the documents in the Data, and failed to take effective measures until admitting to the leak and making a formal apology on 24 December 2010.
B) Upon consideration, certainly, according to the pleadings in their entirety, the Metropolitan Police Department and the National Police Agency could not have comprehensively deleted the Data including the plaintiffs’ personal information.
However, evidence (Exhibits A-2, A-3) shows that the National Police Agency recognised the Incident on 29 October of that year, contacted the Metropolitan Police Department, and in cooperation commenced investigations etc. At the same time, it can be found that the Metropolitan Police Department immediately requested cooperation in deleting the Data from providers etc. that offered space for the webpages posting it.
Also, despite the fact that completely deleting the Data, which included the plaintiffs’ personal information, was not ultimately possible as stated above, according to the totality of the pleadings the reason for this was a combination of multiple factors: in this Incident, methods were used to inhibit identification of the leak source, such as transiting through numerous overseas servers; due to Winny, the file sharing software used, retrieval of the information was virtually impossible; and the police could not compel erasure of the Data from the servers onto which the leaked information was posted, and could merely request that the overseas servers voluntarily delete it.
Consequently, it is fair to say that the Metropolitan Police Department and the National Police Agency, in cooperation, fulfilled their duty as they should, and cannot be said to have failed in their duty to mitigate loss as the plaintiffs claim.
While this Court notes the fact that the defendants have not acknowledged that the Data consists of documents created and managed by the police even in this lawsuit, evidence (11(1)-(114) of Exhibit A-1) and the totality of the pleadings demonstrate that the Data contains information regarding individuals or organisations, information about cooperation with foreign countries, as well as information-gathering activities by the police etc., and it can be found that a straightforward admission that the Data had been created and managed by the police involves the risk of further harming the rights and interests of those individuals and organisations, as well as damaging the trust of the countries in question and impeding the appropriate execution of information-gathering activities etc. regarding future police strategies against international terrorism. Thus, it cannot be said that this itself is an act that is independently illegal for the purposes of the State Compensation Act.
C) Therefore, the above arguments of the plaintiffs cannot be accepted.