Information Security and Privacy

INDEX

The internet has enhanced the convenience of our lives and has become an indispensable infrastructure that supports our society. On the other hand, issues such as personal information leaks, fraudulent activities and invasions of privacy have surfaced, leading to widespread demand for appropriate responses and the creation of a robust and secure IT society.
Rakuten Group offers a wide range of online and offline services, including e-commerce, fintech, digital content and communications. Information assets, including personal information obtained through these services and the hardware and software that make up our information systems, are essential for implementing our business activities. Ensuring the security through appropriate protection and management of these assets is one of the highest management priorities of Rakuten Group. We are continually bolstering our efforts to ensure information security and protect the privacy of our stakeholders.

Information Security

  1. Establishment of the information security management system

    Build an information security management system under a management-team initiative and strive to enhance and maintain information security.

  2. Appropriate management of information assets

    Recognize the importance of information assets held, evaluate risks and properly manage these assets.

  3. Establishing regulations for ensuring information security

    Establish regulations and other guidelines for ensuring information security and thoroughly extending these to all related persons.

  4. Compliance with laws and norms

    Comply with all laws and norms related to information security.

  5. Continuous improvement

    Implement audits on a regular basis and continuously improve our information security management system.

Governance System

We strive to strengthen information security governance by sharing the same policy and values throughout the Group, from management to employees. The Rakuten Group Information Security & Privacy Committee, chaired by the Group CISO (Chief Information Security Officer), is held monthly to report on and make decisions regarding policy implementation and recent incidents. The major resolutions made by the committee and matters of importance are reported at the Corporate Management Meetings and communicated to the CISOs and employees in charge of information security appointed at each Group company to ensure they are implemented on the front lines.

Governance System

Ensuring Information Security

Aligning with global standards

Rakuten Group sets standards and regulations based on ISO/IEC 27001, aiming to maintain the confidentiality, integrity and availability of information assets by constructing, operating and continuously improving its Information Security Management System (ISMS), which manages various risks, such as the loss or falsification of information assets and service outages.
Rakuten Ichiba became ISO/IEC27001-certified for the first time in November 2006, and today we are further committed to ensuring information security with the following 27 Rakuten Group companies having received this certification as a result of annual external independent audits.

  • Rakuten Group, Inc.
  • LINKSHARE JAPAN K.K.
  • Target, Inc.
  • Rakuten Socio Business, Inc.
  • Rakuten Baseball, Inc.
  • Rakuten Travel Service, Inc.
  • Rakuten ANA Travel Online Co., Ltd.
  • Rakuten Communications Corp.
  • Rakuten Insight, Inc.
  • Rakuten Card Co., Ltd.
  • Keiba Mall, Inc.
  • Rakuten Ticket, Inc.
  • Rakuten Edy, Inc.
  • Rakuten Mobile, Inc.
  • Rakuten Mobile Engineering, Inc.
  • Rakuten Mobile Customer Service, Inc.
  • Rakuten SQREEM,Inc.
  • Rakuten Payment, Inc.
  • Rakuten Wallet, Inc.
  • Rakuten Vissel Kobe, Inc.
  • Rakuten Energy, Inc.
  • Rakuten Car, Inc.
  • K Dreams Co.,Ltd.
  • Rakuten India Enterprise Private Limited
  • Rakuten Europe S.à.r.l.
  • Rakuten Asia Pte Ltd
  • Rakuten Travel Xchange Pte Ltd

In addition, our activities ensure thorough compliance with PCI DSS (Payment Card Industry Data Security Standard), an international information security standard for businesses that handle payment cards, including credit cards. These activities have been recognized, and in early 2021, we became the only company in in Asia to be elected as a member of the PCI SSC* Board of Advisors.

*Payment Card Industry Security Standards Council

Information security education

In order to ensure information security, raising employee awareness is important.
To that end, Rakuten Group holds Asakai meetings, our weekly morning meeting attended by all employees, on the topics of security and privacy. We also provide annual information security training to all executives and employees, including directors, regular employees, contract employees, temporary staff, partner staff, outsourced workers and part-time employees. Participants deepen their understanding of the importance of information security with case studies of actual incidents and pledge to commit to complying with and adhering to internal regulations.
In addition, at the annual Global CISO Conference, in which CISOs from each Group company participate to improve Group-wide information security literacy, best practices and technical expertise of each Group company were shared, subcommittees met to discuss the important themes of the year, and lectures by external experts were held, as well as policy explanations from headquarters.

Strengthening Cyber Security

Cyber security is about ensuring the safety of a virtual environment (cyberspace) composed of the internet, computer networks and information systems, devices such as personal computers and smartphones, and their users, and taking measures against threats, including but not limited to falsification of information, computer viruses, destructive behavior and phishing attacks (including fraudulent acts via email).
Rakuten Group has established a specialized organization dedicated to cyber security and a proactive system to develop safe services while eliminating vulnerabilities (information security flaws) by ensuring thorough security education for developers, implementing security reviews during the software development process, and conducting inspections for vulnerabilities. Our efforts to prevent security incidents also include monitoring illegal access, as well as surveying and responding to information security flaws.
In addition, we have established Rakuten-CERT (Computer Emergency Response Team) to cooperate with external stakeholders such as relevant ministries, organizations specialized in cybercrime and other companies. Through measures related to cyber security, we are committed to not only maintaining our own security but also to strengthening information security for society as a whole.

Measures against phishing email

In recent years, the number of fraudulent practices carried out over the internet using email – known as phishing email – is increasing. To protect our customers from such attacks, we accelerated the implementation of Sender Domain Authentication Technologies (SPF, DKIM, DMARC) for our advertising emails, which certify that Rakuten is the sender of the emails. Through the use of such technology, it is possible to identify malicious emails falsely associated with Rakuten and to discard them on a recipient’s email server without them being delivered.
Rakuten has introduced this technology to the domains used in our 70+ services and will further deploy it to include all outgoing e-mails from Rakuten. In addition, we continue to work with IT companies and mobile carriers to introduce a system that displays the Rakuten logo on emails received from Rakuten through their email services to officially confirm that emails are from Rakuten.

Please see here for more information on our efforts against phishing e-mail.

Privacy

Rakuten Group recognizes that privacy is not merely a compliance issue but is indeed the enabling factor for building the Rakuten Ecosystem sustainably through innovation, technologies and stakeholders’ trust, and strives to implement, enhance and enforce privacy requirements above and beyond legal requirements.

Governance System

We have established a strong privacy governance system that ensures appropriate and prompt decision-making and risk reporting to management. Rakuten’s Binding Corporate Rules (BCRs), our set of internal privacy regulations, is the first of its kind from a Japanese company to gain approval from the National Data Protection Commission in Luxembourg.
Additionally, in accordance with the requirements of the General Data Protection Regulation (GDPR), an EU privacy regulation, a Global Privacy Manager and a Global Data Protection Officer have been appointed to oversee and monitor the status of compliance and related matters within the Group.
The Global Privacy Manager and the Global Data Protection Officer work together with the Regional Privacy Officers in charge of each overseas region and the Privacy Officers of each Group company to monitor compliance and risks within the Group. They report, in a timely manner, to the Group Information Security & Privacy Protection Committee as well as at Corporate Management Meetings.

Governance System

Protecting Privacy

Personal Information Protection Initiatives

Rakuten Group prioritizes the provision of services that customers feel safe using and thorough compliance with laws concerning the protection of personal information in the areas where we operate. However, some countries have only limited or fragmented privacy rules, or may lack a general privacy code to follow. Therefore, Rakuten uses its own privacy code for our operations worldwide.

Introduction of Binding Corporate Rules

To comply with Europe’s General Data Protection Regulation (GDPR) – a newly adopted EU law on data protection and privacy that is considered to be best practice for personal information protection – we introduced a set of global privacy protection standards, referred to as Binding Corporate Rules (BCR), which have been approved by the European Union data protection authorities.
The rules comprise the main privacy principles such as purpose limitation and data quality, as well as right to information, rectification and erasure.

Please see here for details.

Aligning with domestic standards

As part of our business activities in Japan, we regularly check and monitor compliance with the Personal Information Protection Law and other laws and guidelines established by relevant authorities. Moreover, three companies in the Rakuten Group have received Privacy Mark Certification (see below), given to accredited businesses that have established systems for appropriately protecting personal information in accordance with the Japanese Industrial Standard, "Personal information protection management systems - requirements (JIS Q 15001).”

  • Rakuten Securities, Inc.
  • Rakuten Communications Corp.
  • Rakuten Insight, Inc.

Monitoring privacy regulation

Since Rakuten operates globally, it is essential for us to monitor trends such as the enactment, revision and repeal of privacy laws in various countries. The Global Privacy Office cooperates with the Regional Privacy Officers and the Privacy Officers of each Group company to monitor and quickly escalate any operational changes that may be necessary. On a regular basis, the Global Privacy Office shares a privacy dashboard that visualizes the privacy compliance status of, as well as the risks and challenges faced by each of our businesses. This ensures that potential risks and challenges are communicated to all business leaders. In this way, we promote an effective, forward-looking approach to privacy that anticipates future trends while also taking into consideration existing laws.

Compliance with privacy-related laws

Ensuring transparent data handling

Rakuten collects, uses and stores customer information to provide better services. We strive to ensure transparency in each of our services by disclosing our privacy policy regarding the usage of personal data, and when necessary, by giving clear explanations with easy-to-understand illustrations.
In addition, a review process for new data collection, sharing and use by privacy specialists and other relevant internal stakeholders has been established to confirm that our data use is following our privacy policy, internal rules and applicable laws.

Ensuring transparent data handling

Employee training on privacy

To ensure that all employees have a shared understanding about the importance of privacy, we have established a team dedicated to privacy training and awareness. In addition to annual companywide training and training for new hires, this team organizes a variety of programs for employees, including Rakuten Privacy Awareness Week – held in conjunction with the globally recognized Data Privacy Day – and educational content, published on a monthly basis.

Please see here for details of privacy initiatives.