(Provisional translation)
February 24, 2010
Financial Services Agency

Administrative Actions on Alico Japan

  • I. Following the leakage of customer information at American Life Insurance Co. Japan branch (commonly known as Alico Japan, hereinafter referred to as “Alico Japan”), the Financial Services Agency (FSA) issued an order to submit a report concerning the facts of the case and the factors behind it, based on Article 200, paragraph 1 of the Insurance Business Act and Article 32 of the Act on the Protection of Personal Information. The following was identified from the report:

    • 1. Facts based on the report submitted by Alico Japan

      • (1) Alico Japan conducted an internal investigation after it received information from a credit-card company in July 2009 to the effect that the credit cards of Alico Japan's customers may have been misused. The results of the investigation revealed that the customer information (credit card number, expiration date) held by Alico Japan had been leaked.

      • (2) Alico Japan conducted another investigation and concluded that an employee(s) of its subcontractor (hereinafter referred to as the “subcontractor”) accessed Alico Japan's host computer (located in the United States) from March 2008 to May 2008 from a computer terminal at his/her office, using the access right granted to him/her for the commissioned work, and removed customer information (estimated at approximately 32,000 cases) from the office.

        However, the scope of the leaked customer information has yet to be specified and the perpetrator has yet to be identified.

        • (Note): As of February 18, 2010, Alico Japan had received a total of 6,592 inquiries from the credit-card companies about possible wrongful use of leaked information. Meanwhile, no monetary damage to customers has so far been reported.

    • 2. Factors that caused the leakage of customer information

      Although the cause of the leakage of customer information is under investigation, the following problems with regard to the company's (including the subcontractor's) management of customer information were revealed as a result of examining the report submitted by Alico Japan.

      • (1) The business subcontractor's management of customer information was inappropriate and liable to cause information leakage, as the ID and password necessary for access to the host computer, for instance, were routinely shared by employees in charge of the commissioned work. The use of the same ID by employees has made it difficult to identify the perpetrator in cases of information leakage.

      • (2) Meanwhile, the following serious flaws were also identified with regard to Alico Japan's management of customer information.

        • i) Since Alico Japan's information system division was not fully aware that customer information was being handled by the subcontractor, Alico Japan did not conduct an in-depth examination from the standpoint of protecting customer information during its on-site inspection of the subcontractor. Therefore, Alico Japan was unable to recognize the subcontractor's inappropriate management of customer information, as mentioned in (1) above, and failed to check or correct the situation sufficiently.

        • ii) In addition, the following problems were identified with regard to Alico Japan's information system management from the standpoint of protecting customer information.

          • a) The scope of employees authorized to access the host computer was not restricted to the minimum necessary for the execution of business.

          • b) Some of the servers and some of the subcontractor's computer terminals did not keep track of their usage. They were therefore not effective in preventing misuse, and this makes it difficult to investigate the cause in a case of misuse.

          • c) When giving employees of the subcontractor the right to access the host computer, the confirmation of such employees' identity was inadequate and the management of the access right was also inadequate.

        • iii) Problems i) and ii) above can be attributed to the fact that Alico Japan's department in charge of protecting customer information did not have a company-wide (including the subcontractor) system to comprehensively grasp and analyze the risk of leakage of customer information and to study preventive measures. Moreover, Alico Japan's management personnel failed to conduct an in-depth examination that took into account the importance of preventing the leakage of information, and failed to provide necessary direction.

      • (3) As mentioned in (2) above, serious flaws in Alico Japan's management of customer information were identified. This violates Article 100-2 of the Insurance Business Act, which calls for appropriate handling of customer information and applies mutatis mutandis under Article 199 of the same Act; Article 53-8 of the Ordinance for Enforcement of the Insurance Business Act, which applies mutatis mutandis under Article 160 of the same Ordinance; and Articles 20 and 22 of the Act on the Protection of Personal Information.

  • II. Administrative Actions on Alico Japan

    Based on the above, the FSA today issued a Business Improvement Order to enhance the following business operations pursuant to Article 204, paragraph 1 of the Insurance Business Act and made Recommendations pursuant to Article 34, paragraph 1 of the Act on the Protection of Personal Information.

    • 1. Business Improvement Order based on Article 204, paragraph 1 of the Insurance Business Act

      • (1) Strengthen the management of customer information and promptly implement measures, including preventive measures now being worked out, for thorough safe management of customer information, and examine their effectiveness.

      • (2) Provide necessary and appropriate supervision in order to ensure that measures for thorough and safe management of customer information will be fully implemented by the subcontractor.

      • (3) Promote customer protection measures by continuing cooperation with the credit-card industry in order to restore credibility.

      • (4) Make continued efforts to look into the cause of the information leakage case.

      • (5) In view of the gravity of the case, which caused the leakage of credit-card information and prompted someone to attempt the misuse of numerous credit cards, clarify who is/are responsible for the case (including management personnel).

      • (6) Provide a written report on the progress of measures taken with regard to (1)-(5) above by March 24, 2010 (and on an as needed basis). In addition, publish the outline of progress reports in order to keep customers informed.

    • 2. Recommendations based on Article 34, paragraph 1 of the Act on the Protection of Personal Information

      • (1) Take effective measures to ensure safe management of personal data.

      • (2) Provide necessary and appropriate supervision to employees entrusted with the handling of personal data.

      • (3) Provide a written report on the progress of measures taken with regard to (1) and (2) above by March 24, 2010.

  • III. Other

    In light of the leakage of customer information, the FSA intends to revise the “Comprehensive Guideline for Supervision of Insurance Companies” etc., adding to the guidelines, as points of supervision, the strengthening of the management of customer information by the subcontractor and the enhancement of the management of credit-card and other information, taking into account their characteristics.

For further information, contact:

Financial Services Agency, Government of Japan
Tel. +81-(0)3-3506-6000 (main)
Insurance Business Division, Supervisory Bureau (ext. 3740, 3341)
