Cybercrime in Japan: How Does the Penal Code Address Offenses Like Hacking and Data Falsification?

The rapid digitization of commerce and society has brought immense benefits but also new avenues for criminal activity. Cybercrime, encompassing a wide array of offenses from hacking and data theft to the spread of malicious software, poses a significant threat to individuals, businesses, and national infrastructure. Japan, like other technologically advanced nations, has developed a legal framework to combat these threats, primarily through specific provisions within its Penal Code (刑法, Keihō) and supplementary specialized legislation. This article explores how Japanese law addresses key cyber offenses such as unauthorized computer access ("hacking"), data falsification, and the illicit use of malware.

1. Foundation: General Penal Code Provisions Adapted to Cyber Contexts

While Japan has enacted specific laws targeting certain cyber activities, some foundational Penal Code offenses are also applied to crimes committed in or through cyberspace, particularly those involving interference with computer systems or the illicit creation of false digital information.

A. Obstruction of Business by Damaging Computers (電子計算機損壊等業務妨害罪, Denshi Keisanki Sonkai-tō Gyōmu Bōgai-zai - Article 234-2)

This offense, found in Article 234-2 of the Penal Code, is crucial for protecting the operational integrity of businesses reliant on IT systems. It carries a penalty of imprisonment with work for not more than 5 years or a fine of not more than 1,000,000 yen. An attempt is also punishable.

The crime is committed when a person:

  1. Damages a computer used for another person's business or its electromagnetic records (電磁的記録, denji-teki kiroku - essentially, data);
  2. Gives false information or an illicit command to such a computer; OR
  3. By any other means, causes the computer to not operate in accordance with its intended purpose or to operate contrary to its intended purpose,
    AND thereby obstructs the business of such other person.

  • "Computer used for business": This refers to computer systems integral to business operations. Personal computers used solely for hobbies would not be covered. The scale and nature of the "business" can be broad.
  • "Electromagnetic records": This broadly refers to digital data stored electronically or magnetically.
  • Acts: This covers physical damage to hardware, destruction or corruption of data, inputting false data or malicious commands (like those from malware, if it leads to the specified malfunction and business obstruction), or any other act (e.g., a DDoS attack overwhelming a server) that causes the system to fail or misbehave.
  • Result: Crucially, the act must not only cause the computer system to malfunction or operate incorrectly but also actually obstruct the business. This makes it a crime requiring a specific consequence beyond mere technical interference. If business operations are not demonstrably hindered, this particular charge may not apply, though other offenses might. In a Fukuoka High Court ruling (September 21, 2000) involving tampering with ROMs in pachinko machines, this charge was considered, but Obstruction of Business by Deceptive Means was ultimately applied because the pachinko machine's limited control system did not meet the specific requirements of Article 234-2 regarding the nature of the "computer."

B. Illicit Creation and Uttering of Electromagnetic Records (電磁的記録不正作出・同供用罪, Denji-teki Kiroku Fusei Sakushutsu / Dō Kyōyō-zai - Article 161-2)

This offense, found in Article 161-2 of the Penal Code, addresses the digital equivalent of document forgery, protecting the trustworthiness and integrity of digital records that serve evidentiary or transactional functions. It is punishable by imprisonment with work for not more than 5 years (or 10 years if it's a public electromagnetic record) or a fine.

The crime involves:

  1. Illicitly Creating an Electromagnetic Record (不正作出, fusei sakushutsu): For the purpose of misleading another's data processing, creating an electromagnetic record concerning rights, duties, or the certification of facts that is intended for use in such processing.
    • "Electromagnetic record" (Article 7-2) refers to data processed by computers and stored in electronic, magnetic, or other imperceptible forms.
    • "Rights, duties, or certification of facts": This limits the scope to records with some legal or socially significant evidentiary function, akin to traditional documents (e.g., bank account balance data, customer databases, digital land registries). Purely instructional computer programs themselves are generally not considered records of "facts" in this context.
    • "Illicitly creating" means making such a record without authority or by abusing one's authority, in a way that misrepresents its authenticity or content (analogous to tangible or intangible forgery of paper documents). This could involve creating entirely fabricated data entries or altering existing ones without authorization.
    • "Purpose of misleading another's data processing": This subjective element is key, linking the creation to an intent to deceive an automated or human-involved data processing system.
  2. Uttering (供用, kyōyō) an Illicitly Created Electromagnetic Record: Making such a falsely created record available for use in another's data processing, with the same misleading purpose. An attempt to utter is also punishable.

This provision is central to addressing various forms of data falsification that have legal or transactional significance.

2. Targeting Malicious Software: The "Virus Crimes"

Recognizing the specific threat posed by malware, Japan amended its Penal Code in 2011 to introduce offenses specifically targeting computer viruses and other illicit programs. These are found in Articles 168-2 and 168-3. The protected legal interest is the reliability of computer programs and systems against unintended malicious operations.

A. Creation, Provision, or Execution of Illicit Command Electromagnetic Records (不正指令電磁的記録作成等罪, Fusei Shirei Denji-teki Kiroku Sakusei-tō Zai - Article 168-2)

This article criminalizes:

  1. Creating or Providing (Paragraph 1): Without justifiable reason, and for the purpose of executing it on another person's computer, creating or providing an "illicit command electromagnetic record." This record is defined as one that (i) causes a computer to perform operations not intended by its user, or (ii) prevents a computer from performing operations intended by its user. This directly targets the creation and distribution of viruses, worms, spyware, ransomware, etc. (Penalty: Imprisonment with work for not more than 3 years or a fine of not more than 500,000 yen).
  2. Executing (Paragraph 2): Knowingly executing such an illicit command electromagnetic record on another person's computer. (Same penalty).
    An attempt to commit these acts is also punishable.

B. Acquisition or Storage of Illicit Command Electromagnetic Records (不正指令電磁的記録取得等罪, Fusei Shirei Denji-teki Kiroku Shutoku-tō Zai - Article 168-3)

This article criminalizes, without justifiable reason and for the purpose of executing it as per Article 168-2(1), acquiring or storing an illicit command electromagnetic record. This targets the possession of malware with intent to use it. (Penalty: Imprisonment with work for not more than 2 years or a fine of not more than 300,000 yen).

These "virus crime" provisions provide specific tools to prosecute the individuals behind the creation and deployment of malicious software, regardless of whether immediate financial loss or business obstruction occurs (though such consequences might lead to additional charges).

3. Combating "Hacking": The Unauthorized Computer Access Act

While the term "hacking" covers a broad range of activities, unauthorized access to computer systems is primarily addressed not by the Penal Code directly, but by a specialized law: the Act on Prohibition of Unauthorized Computer Access (不正アクセス行為の禁止等に関する法律, Fusei Akusesu Kōi no Kinshi-tō ni Kansuru Hōritsu, often abbreviated as 不正アクセス禁止法, Fusei Akusesu Kinshi Hō), first enacted in 1999 and subsequently amended.

This Act prohibits:

  • Unauthorized Computer Access (Article 3): Accessing a "specified computer" (one connected to a network and protected by access control measures like IDs and passwords) by illicitly using another person's authentication credentials or by exploiting security vulnerabilities to bypass access controls.
  • Acts that facilitate unauthorized access, such as improperly acquiring or storing another person's password for the purpose of unauthorized access (Articles 4, 5, and 6).
  • Impersonating an administrator to illicitly obtain another person's password (Article 7).

Penalties under this Act can include imprisonment and/or fines. While the act of unauthorized access itself is punished under this specialized law, any subsequent criminal acts committed after gaining access (e.g., stealing data, damaging systems, illicitly creating electromagnetic records) would be prosecuted under the relevant Penal Code provisions (e.g., theft of the storage medium, Article 234-2 for computer damage and business obstruction, Article 161-2 for illicit record creation, or potentially specialized laws like the Act on the Protection of Personal Information if personal data is compromised).

4. Financial Cybercrime: Payment Card Data Offenses

To combat the rising problem of credit card skimming and counterfeiting, Japan introduced specific Penal Code provisions (Articles 163-2 to 163-5) in 2001 to protect the integrity of electromagnetic records on payment cards.

These offenses target:

  • Illicitly creating the electromagnetic record that constitutes a payment card (credit card, ATM card, stored-value card) for the purpose of misleading property-related data processing (Article 163-2(1)).
  • Uttering (using) such an illicitly created record (Article 163-2(2)).
  • Transferring, lending, or importing a card containing such an illicitly created record (Article 163-2(3)).
  • Possessing such an illicit card for the purpose of uttering (Article 163-3).
  • Preparatory acts, such as illicitly acquiring payment card information or preparing implements or materials for the purpose of illicitly creating card records (Article 163-4).

These provisions carry significant penalties (e.g., up to 10 years imprisonment for illicit creation or uttering under Art. 163-2) and aim to disrupt the entire lifecycle of payment card fraud, from data acquisition to the use of counterfeit cards.

5. Data Falsification: A Closer Look

"Data falsification" as a general concept can fall under several Japanese criminal provisions depending on the nature of the data and the context:

  • If the falsified data constitutes an "electromagnetic record concerning rights, duties, or the certification of facts" and is created or used to mislead another's data processing, Article 161-2 (Illicit Creation/Uttering of Electromagnetic Records) is the primary provision. This would cover, for example, altering digital contracts, academic records, or business ledgers that have evidentiary or transactional significance.
  • If the falsification involves giving "false information or illicit commands" to a computer used for business, causing it to malfunction or operate contrary to its intended purpose and thereby obstructing business, Article 234-2 (Obstruction of Business by Damaging Computers) could apply. This might cover acts like manipulating industrial control systems with false data to disrupt production, or altering system logs to conceal unauthorized activities if it leads to business obstruction.
  • If data falsification is part of a broader scheme to deceive a person into delivering property or conferring an economic advantage, then general Fraud (Article 246) or Computer Fraud (Article 246-2) might be more appropriate. Article 246-2 specifically addresses obtaining an unlawful economic advantage by creating false electromagnetic records related to property rights (e.g., illicitly altering one's own bank balance).

The choice of charge depends on the specific intent of the actor and the precise nature and effect of the data falsification.

6. Challenges and Corporate Responsibility in the Cyber Age

Combating cybercrime presents significant challenges for law enforcement, including the anonymity of perpetrators, the cross-border nature of many offenses, and the high level of technical expertise required for investigation.

For businesses, cybercrime is not just an external threat but can also involve internal actors or arise from corporate negligence:

  • Direct Corporate Liability: While less common for Penal Code offenses unless a specific Ryōbatsu Kitei (dual punishment provision) exists and applies, a company could theoretically be directly implicated if its official policies or high-level decisions lead to the commission of these cyber offenses (e.g., a company systematically illicitly creates false digital records).
  • Liability under Specialized Laws: Some specialized laws like the Unauthorized Computer Access Act or laws related to specific regulated industries might contain Ryōbatsu Kitei that could hold a corporation liable for an employee's cyber offense committed in relation to company business, if the company failed in its supervisory duties.
  • Failure to Maintain Adequate Cybersecurity: While not a direct Penal Code offense in itself for general businesses (unless specific duties are imposed by other laws), a severe failure to implement reasonable cybersecurity measures could, if it foreseeably leads to business obstruction (e.g., due to a ransomware attack that cripples systems), potentially raise questions under Article 234-2 if the elements of negligence and obstruction are met. Furthermore, data breaches resulting from inadequate security can lead to severe administrative sanctions and civil liability under data protection laws like the Act on the Protection of Personal Information (APPI).

7. Best Practices for Businesses to Mitigate Cybercrime Risks in Japan

Given the multifaceted nature of cyber threats and the legal framework in Japan, businesses should prioritize:

  • Robust Cybersecurity Infrastructure: Implementing and regularly updating technical security measures (firewalls, intrusion detection/prevention systems, encryption, multi-factor authentication).
  • Strong Internal Policies and Employee Training: Clear policies on acceptable computer use, data handling, password security, incident reporting, and prohibitions against creating or using illicit software. Regular training to raise awareness about phishing, malware, and social engineering.
  • Access Control Management: Limiting access to sensitive systems and data based on the principle of least privilege.
  • Regular Vulnerability Assessments and Penetration Testing: Proactively identifying and remediating security weaknesses.
  • Comprehensive Incident Response Plan: Having a clear plan for detecting, containing, eradicating, recovering from, and learning from cybersecurity incidents.
  • Compliance with Data Protection Laws: Adhering to the APPI and other relevant data privacy regulations to protect customer and employee data.
  • Cooperation with Authorities: Establishing relationships with law enforcement and cybersecurity agencies for information sharing and incident response.

Conclusion

Japan's legal response to cybercrime is an evolving tapestry woven from general Penal Code provisions adapted to digital realities and specific legislation targeting new forms of illicit online activity. Offenses like obstruction of business through computer damage, illicit creation of digital records, malware creation and distribution, unauthorized access, and payment card fraud are all addressed, each with specific elements and penalties. For businesses, the threats are diverse, ranging from external attacks to internal misconduct. Proactive cybersecurity measures, strong internal governance, employee education, and a clear understanding of the applicable legal framework are essential to mitigate these risks and ensure operational resilience in an increasingly interconnected world.