To protect information received from users, LINE has implemented all conceivable measures including formulation of basic policies and management rules related to the protection of personal information, creation of information security control systems, selection of appropriate subcontractors, confirmation of status of handling of personal information in other countries, deployment of advanced encryption technology, use of data centers with the world's top-level security facilities, etc.
Formulation of basic policy
LINE will exert efforts to properly handle and protect personal information by formulating and observing its personal information protection policy (https://linecorp.com/ja/legal/privacy).
Establishment of rules related to proper handling of personal information
LINE has formulated management rules related to security control measures for the protection of personal information, and established methods for the proper handling of personal information in connection with organizational security measures, personnel security measures, physical security measures, and technical security measures.
Organizational security measures
(1) Establishment of organizational structure
LINE has appointed a personal information protection administrator, and an organization specializing in security supervised by the personal information protection administrator is deciding policies and promoting activities related to the protection of personal information. A chief administrator is appointed in each business division handling personal information so as to clarify our internal responsibility and authority in the protection of personal information.
(2) Application according to rules on handling of personal information
LINE is recording and storing the status of use of information systems handling personal information to enable the verification of records related to the handling of personal information based on internal rules related to audit logs and storage.
(3) Establishment of means for confirming the status of handling of personal information
LINE has created a “personal information control ledger” for confirming the status of handling of personal information, and is using the “personal information control ledger” to manage the name, items, responsible person, purpose of use, access right holder, etc. of personal information.
(4) Establishment of system to deal with leakage incidents
In cases where LINE confirms any fact or sign of violation of the Act on the Protection of Personal Information or breach our management rules related to the handling of personal information, LINE has established a system for promptly dealing with the situation with transparency and fulfilling its accountability in good faith based on internal rules related to leakage incidents.
(5) Confirmation of status of handling of personal information and review of security control measures
LINE has established an internal audit system for confirming the status of handling of personal information and reviewing the security control measures, and is conducting an internal audit each year based on internal rules related to internal audits.
Personnel security measures
LINE is offering education and training to officers and employees on the protection of personal information each year, and educating officers and employees so that they are familiar with the proper handling of personal information based on internal rules related to information security training. Furthermore, LINE executes a written pledge with its officers and employees including matters related to confidentiality, and the written pledge provides that disciplinary action is taken in accordance with internal rules when there is any breach of the written pledge.
Physical security measures
(1) Management of zones where personal information is to be handled
LINE has prescribed security zones and is restricting physical access in the respective security zones based on rules related to business facilities. A zone that handles important personal information is designated as an important security zone, and only permitted personnel are allowed to enter the important security zone, and records of entry are also maintained.
(2) Prevention of theft of devices and electronic mediums
LINE is storing, in a lockable cabinet or the like, the electronic mediums and documents containing personal information in a zone where our officers and employees are permitted to enter based on internal rules related to the management of recording mediums.
(3) Prevention of leakage when carrying out electronic mediums
LINE allows its officers and employees to carry out electronic mediums and documents containing personal information only when they obtain the approval of their supervisor based on internal rules related to the management of recording mediums. Moreover, LINE is offering education and enlightenment programs to its officers and employees regarding countermeasures against loss and theft when carrying out electronic mediums and documents containing personal information.
(4) Deletion of personal information and disposal of devices and electronic mediums
LINE disposes electronic mediums and documents containing personal information by way of dissolution or use of a shredder so that they cannot be restored based on internal rules related to the management of recording mediums. Furthermore, when disposing information systems including PCs, data is erased and they are physically destroyed so that data recovery is rendered impossible. When consigning the foregoing disposal to an outside third party, LINE acquires a certificate of disposal as a record of such disposal.
Technical security measures
(1) Access control
LINE limits access by its officers and employees to the personal information database to the minimum extent required based on internal rules related to access authority management. Moreover, LINE periodically reviews the access authority of officers and employees.
(2) Identification and authentication of accessors
LINE issues authority only to one person for each account so that the tracking of the status of use by officers and employees can be verified based on internal rules related to access authority management.
(3) Prevention of unauthorized access from the outside
LINE has established a system for preventing unauthorized access to information systems by installing a firewall in the information systems handling personal information and external network boundaries, and introducing an intrusion detection system and monitoring intrusions.
(4) Prevention of leakage associated with use of information systems
LINE is designing secure systems for those handling personal information. Furthermore, LINE has established a system which periodically checks for any vulnerability and, when any vulnerability is discovered, promptly takes measures against such vulnerability.
Selection of proper subcontractor
When subcontracting all or a part of the handling of personal information, LINE is evaluating the personal information management system of subcontractors and selecting the proper subcontractor based on internal rules related to subcontractor management.
Execution of service agreement
LINE is executing a service agreement with the subcontractor which covers matters related to the security control of personal information, matters related to additional subcontracting, matters related to the reporting on the status of handling of personal information, matters related to measures in cases where the service agreement is breached, and matters related to the reporting of incidents and accidents on the handling of personal information based on internal rules related to subcontractor management.
Confirmation of status of handling of personal information by subcontractors
LINE is periodically evaluating the status of handling of personal information by subcontractors and confirming that security control measures are being taken based on internal rules related to subcontractor management. Moreover, when the subcontractor is to additionally subcontract the handling of personal information, the service agreement prescribes that the subcontractor must obtain LINE’s approval.
Confirmation of status of handling of personal information in other countries
In providing our services, LINE may store Personal Information and use cloud services, SaaS, etc. outside the country or region where a user resides. When that happens, LINE always takes the appropriate security measures for that country or region.
Assessment of method of handling personal information
Services provided by LINE will not be released through assessment by its legal affairs and personal information protection divisions. Rather, the division in charge of personal information protection conducts reviews and inspections from the standpoints of minimum personal information collection and of suitability in the objectives of use, acquisition process, encryption and storage periods for important data, access control, etc., as well as issues improvement instructions when necessary. Furthermore, personal information is controlled under Japanese laws.
LINE employs transport level encryption for chat contents exchanged between users. In addition, the following chat contents is protected with LINE's Letter Sealing end-to-end encryption (E2EE): text messages, location messages, 1-to-1 VOIP media streams (audio and video). Letter Sealing ensures that not only third-parties, but also LINE's server administrators cannot view message contents: neither in transit, nor when stored on our servers.
Both transport encryption and Letter Sealing employ standard encryption algorithms.
For details about the scope of transport level encryption and Letter Sealing, please click [here]. If you are interested in the technical details of the protocols that enable Letter Sealing, you can download our [encryption whitepaper].
All LINE user information that is designated as personally identifiable, such as phone numbers, email addresses, passwords, and so on is stored encrypted, and its management status is periodically reviewed.
Rigid access control
LINE servers that store its data are managed at data centers with the latest security facilities. They have 24/7 surveillance by full-time security personnel, access control with IC cards and biometrics, monitoring with surveillance cameras, etc. Rigid access control is being implemented at the data centers, allowing access by only a very limited number of LINE personnel. Access is not granted even to the LINE CEO unless advance permission is granted based on justifiable reasons.
Surveillance and vulnerability inspections
The LINE data center is under physical and logistical surveillance by a security team dedicated to this function on a 24/7 basis. The team monitors network traffic around-the-clock, conducting analyses of all events that have the potential of threatening LINE security. Trained personnel take immediate action when necessary. To bolster LINE security further, penetration tests (simulated hacking tests) are conducted by the security team and outside businesses to implement preventive measures against unauthorized access of both internal and external origins.