Privacy and Security

To remain capable of continuously providing safe and secure services to its users, the Z Holdings Group strives to achieve maximum information security throughout the Group from a medium- to long-term perspective.

Measures on Privacy

Z Holdings Corporation uses various data, including information on its users, to improve convenience, enrich its users' lives, and solve various social issues by leveraging the power of the Internet.

・Yahoo Japan Corporation ("Yahoo! JAPAN") has compiled and introduced its basic view and policy on how it handles data based on the company's privacy policy, as well as its strict management of personal information and enhancement of information security, in its "Privacy Center."
In May 2020, Yahoo Japan Corporation newly established and appointed a Data Protection Officer (DPO),* who is tasked with promoting appropriate utilization of data in the company through advice on protection of the user data handled and supervision of how the data is used.
*The Data Protection Officer (DPO) is responsible for implementing measures to protect the privacy and personal information of users; specifically, the Officer provides advice on, supervises, and evaluates matters related to data protection from an objective standpoint, independent of any business divisions or the management in the company.

・In addition to ensuring the appropriate provision of services in accordance with its Privacy Policy, LINE Corporation ("LINE") conducts Privacy Impact Assessments when releasing services in order to assess privacy risks and take measures to avoid such risks.
LINE also regularly reports on how the data entrusted to it is handled in the "LINE Transparency Report."

Z Holdings Corporation has established an advisory board consisting of experts in various fields to discuss and determine, from a third-party perspective, whether the privacy-related initiatives of Group companies are appropriate from the perspective of customers and society.

Basic Approach to Information Security

The Z Holdings Group has made utmost efforts against information security threats in accordance with its information security policy of: protecting its users from information leaks (confidentiality), providing round-the-clock service (availability), and securely protecting the service contents from destruction or fabrication (integrity).
In addition to these ongoing efforts, the Z Holdings Group, with a view to detecting and countering increasingly sophisticated cyberattacks, works to build information systems and provide services in compliance with the cybersecurity framework of the U.S. National Institute of Standards and Technology (NIST).
The Z Holdings Group has put together these approaches in its statement of "Z Holdings Group's Cybersecurity Policy" published in June 2020.

Based on these basic approaches, the Z Holdings Group has specified rules to be followed by employees on matters such as handling of information, in its internal regulations. Violations of the rules are subject to disciplinary action. Also, for the purpose of ensuring full understanding about the personal information handled in the company, as well as recognition of rules relating to it, all employees are required to submit written pledges.

Establishment of a Special Advisory Committee

Z Holdings Corporation (hereinafter referred to as "ZHD") established the "Special Advisory Committee on Global Data Governance," a committee consisting of external experts, to verify and evaluate the handling of data from security and governance perspectives. The Special Advisory Committee verified and evaluated data governance and other issues related to access to data in Japan at LINE's global sites.
In response to the Special Advisory Committee's recommendations, ZHD will further promote and strengthen the initiatives that are already in place and implement new initiatives to strengthen the governance of the entire Group. In addition, ZHD will continue to sincerely address the opinions and suggestions of users and experts, and work to increase the transparency to society and to create an environment where users can use its services with a sense of security.

Information Security System

The Z Holdings Group has established a cross-functional information security system under medium- to long-term perspectives.

Information Security Management Structure: Z Holdings Corporation plays the central role in managing information security throughout the entire Group
  • GCTSO: Group Chief Trust & Safety Officer
  • CISO: Chief Information Security Officer

Yahoo! JAPAN's Information Security Management System

  • ※Notes on Yahoo! JAPAN's information security management system
  • CEO: Appoints the Chief Information Security Officer (CISO)
  • CISO: Instructs and evaluates measures related to the Group's information security through authority granted by the CEO
  • Security Strategy Team: Assists the CISO in the planning and promotion of security strategies and policies throughout the Group
  • Supervisory Organization of Information Security: Under the leadership of the CISO, manages information security-related initiatives to the Top Management Committee (attended by the President and Representative Director, and directors serving for the Audit and Supervisory Committee)
  • Chief of information security at each Supervisory Division: Appointed by the corporate officers of each Supervisory Division. The information security of subsidiaries and affiliated companies is managed and guided by the chief of information security in the Supervisory Division, which supervises the respective subsidiaries and affiliated companies.
  • Yahoo Japan Corp. CSIRT: CSIRT stands for Computer Security Incident Response Team. As a base for comprehensively responding to incidents related to information security, CSIRT centrally manages/operates information, coordinates within internal divisions and among external organizations, and supports the activities of divisions that directly deal with incidents.

LINE's Information Security Management System

  • CEO: Appoints the CISO (Chief Information Security Officer).
  • CISO: Under the authority delegated by the CEO, evaluates and determines the security policy of the LINE Group, monitors the measures taken, and prevents incidents and responds to them when they occur.
  • Supervisory Organization of Information Security: An organization that spans LINE Corporation and other group companies, and is a working unit that promptly implements the privacy and security policies and measures decided by the management under the leadership of the CISO.
  • Security Supervising Teams by Functions: Made up of qualified professionals in various sectors such as IT security, information security, policy and legal affairs, as well as expert staff who have been involved in security and privacy issues for many years.
  • Bug Bounty Program (Vulnerability Reward System): Operated with the aim of detecting vulnerabilities in the communication application "LINE" and websites at an early stage and providing users with safer services.

Acquisition of Third-Party Certification

Acquisition of Information Security Management System (ISMS) Certification

Z Holdings Corporation, Yahoo Japan Corporation, Z Financial Corporation, LINE Corporation and some subsidiaries received third-party audits and acquired Information Security Management System (ISMS) certification ISO/IEC 27001:2013, the ISMS international standard, and JIS Q27001:2014 certification, the Japanese standard, for all of their businesses.
Yahoo Japan Corporation, Z Financial Corporation and some subsidiaries, which are incorporated in the certification of Z Holdings Corporation, comply with information security rules of Z Holdings Corporation and manage information security under the same management system.
Yahoo Japan Corporation has a long history as an ISMS certified organization. In August 2004, it acquired BS7799-2:2002, the international standard at the time, and ISMS certification standards (Ver. 2.0), the Japanese version of the international standard at the time. Since then, we have complied with revisions to the international standard in order to maintain valid certification.

Acquisition of PCI DSS Accreditation

Yahoo Japan Corporation obtained Payment Card Industry Data Security Standard (PCI DSS) accreditation, a credit card security standard relating to cardholder information, transaction information, and payment processes, for its Yahoo! JAPAN Wallet online payment service in November 2008, and for Yahoo! JAPAN Shopping and YAHUOKU! in November 2009.
The accreditation obtained is the level 1 requirement, the most stringent requirement under PCI DSS geared toward participating merchants that handle a large volume of transactions. Through this accreditation, all systems related to information management and transaction processing of Yahoo! JAPAN Wallet, Yahoo! JAPAN Shopping, and YAHUOKU! have received verification that they have an international-level security in place.
Furthermore, it has acquired licenses for issuing and acquiring business from VISA and MasterCard, international credit card brands, and since March 2012, it has conducted the acquiring business for almost all credit-card payments in its services. Since obtaining PCI DSS accreditation for these operations in February 2012, it has continued to obtain the accreditation each year.

Images of Certificate of Validation For Service Providers

SOC2 & SOC3 (SysTrust)

LINE became the world's first organization to win recognition in both Service Organization Controls (SOC) 2 and 3 (as well as SysTrust), the international standards on internal control of services linked to personal information. SOC 2 and SOC 3 provide assurances not only in the secure protection of customer data from unauthorized access by third parties but also in guaranteeing users the reliability of its services through comprehensive internal control covering the managing organization, management systems and processes.

Efforts to Guarantee Information Security

Efforts to Provide Safe and Secure Services

As part of their efforts to provide robust services, Yahoo Japan Corporation and LINE Corporation address the vulnerabilities of applications by conducting such measures as vulnerability examinations through dedicated internal organizations and third-party institutions. In addition, they hold secure programming trainings for engineers with the aim of preventing application vulnerabilities. The trainings are positioned among important trainings for both strengthening the abilities of engineers and achieving compliance with international cybersecurity standards, and have been mandated for all engineers in the company. Z Holdings Corporation also conducts incident response trainings against cyberattacks (Z Holdings Cyber Training) five times a year in order to strengthen its responsiveness to such issues.
LINE operates the LINE Security Bug Bounty Program in order to quickly discover vulnerabilities in the LINE messenger app or related websites, and to provide secure service to LINE users.

Mechanism put in place to ensure the provision of safe services. Safe and secure service operation is sustained through various training programs, including secure coding trainings for engineers and YJ-Hardening aimed at strengthening response to incidents. The services provided are continually checked through internal assessments, internal audits, third-party examinations, and third-party assessments.

System for Sharing Information with External Organizations

In order to keep abreast of new threats to information security, Yahoo! JAPAN is a member of the following organizations and works to stay current with technological trends.

・Nippon CSIRT Association (external website)
・FIRST (external website)
Through close collaboration with CSIRT, we strive to solve social issues commonly faced by the member companies of CSIRT.

・JC3: Japan Cybercrime Control Center (Japanese only) (external website)
By sharing information on cybercrime, we work to identify the roots of threats in cyberspace, reduce and nullify the threats, and prevent future incidents from occurring.

・Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) (external website)
We contribute to inter-organizational collaborations during incidents from a technical standpoint.

Initiatives to Protect Users

Yahoo! JAPAN organizes its data into multiple categories based on the level of importance and has in place measures for protecting data in each category.

Efforts for data protection are categorized and implemented in several categories according to the importance of data. A diagram of protection efforts with systemic, physical, and human measures.

Thorough Education on Information Security

Group companies of the Z Holdings Group provide e-learning and other training to enable employees to acquire the information security knowledge necessary for their work.
Yahoo! JAPAN conducts an online learning program every two months for all employees (including temporary and subcontract employees). In addition to the periodic trainings, Yahoo! JAPAN conducts a company-wide extraordinary online training in the event of an incident, so as to call the renewed attention of all employees to security without delay. In addition, Yahoo! JAPAN provides the following training programs adapted to the employees' duties and job titles.

・Training for new hires: This online learning targets all new employees, both new graduates and mid-career hires (including temporary and subcontract employees). New hires learn general information security knowledge and countermeasures as well as internal rules on information management.
・Training for newly appointed managers: This online training helps newly appointed managers acquire necessary knowledge related to information security.
・Training for engineers: The secure programming training targets all engineers in charge of programming. In addition, update training is provided to those who have passed the exam every year to supplement new knowledge of technologies.
・Training for officers and managers: Each company conducts mock drills once a year for the CEO and other executives of each Group company to simulate media response in the event of an incident. Seminars are also held to learn about the latest information security threats and countermeasures from the perspective of economic security.
・Targeted attack response drill: Training is conducted at least once a year at each Group company to improve incident response capabilities by sending training e-mails that simulate targeted attacks to employees of each company.
・Incident drills: This virtual training is conducted once a year with employees engaged in services in each Group company. The employees learn the measures to be taken when information security incidents occur.

Initiatives to Protect Users

ZHD-CSIRT responds to phishing as part of the incident response related to information security of the Z Holdings Group companies. In collaboration with related companies and agencies, phishing is detected at an early stage and unauthorized websites are disabled on an ongoing basis.
To prepare for instances where a third party gains knowledge of a user's password, Yahoo! JAPAN and LINE conduct countermeasures to prevent fraudulent logins and mitigate damage should such logins occur. In addition, the two companies work to raise awareness among Japanese Internet users on managing login IDs in a secure manner. At the same time, they have preventive measures in place that anticipate a certain level of improper access.

Prevention of unauthorized logins and reduction of damages

・Biometric login (Yahoo! JAPAN)
Users can log into Yahoo! JAPAN by using fingerprint or face recognition installed on their smartphones instead of a password or a validation code sent via SMS, etc.
Biometric login (Android) (Japanese only)
Biometric login (iOS) (Japanese only)

・Passwordless login (Yahoo! JAPAN)
Yahoo! JAPAN promotes passwordless login by enabling users to opt not to set passwords at the time of ID registration or to disable their already registered passwords. Since logins cannot be made using passwords, this login method resolves the risks of fraudulent logins in which a third party uses a list of combinations of accounts and passwords acquired from other websites (so-called list-based attacks).
Yahoo! JAPAN also offers a passwordless login option that enables users to log into their accounts using the validation code sent to the mobile phone numbers registered to their IDs.
Passwordless setting (Japanese only)

・One-time password (Yahoo! JAPAN)
In addition to passwords, another authentication feature can be added to strengthen the login.
One-time password (Japanese only)

・Secret ID (Yahoo! JAPAN)
A string of letters to be used only for login can be set without changing the ID.
Secret ID (Japanese only)

・Login alert (Yahoo! JAPAN)
Notifies users of suspicious logins and quickly prevents the misuse of IDs.
Login alert (Japanese only)

・Login theme (Yahoo! JAPAN)
Can be customized to prevent users from logging into phishing sites.
Login theme (Japanese only)

・Login history (Yahoo! JAPAN)
Users will be able to detect any unauthorized use of their accounts.
Login history (Japanese only)

・Biometric login (LINE)
How to login to LINE using biometric information (LINE Guidebook for All) (Japanese only)

・QR code login (LINE)
LINE Help center

・Login notification (LINE)
Security Upgrade - Receive Notifications When Logging In to the PC Version or LINE Store (LINE official blog)

・Two-step verification for account transfer (LINE)
LINE Announces Revamp of LINE Account Transfer

・Two-step verification for the first login to LINE (PC ver.)
Security Reinforced in LINE (PC ver.) - Entry of Verification Code Required (LINE official blog) (Japanese only)

・Setting login permission for LINE (PC ver.)
How to Avoid Being Hijacked - LINE's Guidebook for All (Login permission setting) (Japanese only)
LINE Help center

・Checking logged-in devices (LINE)
How to Avoid Being Hijacked - LINE's Guidebook for All (Logged-in device) (Japanese only)

Detection and measures against unauthorized logins

・Analysis, cut-off, and re-authentication of suspected logins by third parties with malicious intentions
・Verification and monitoring by dedicated internal departments

Awareness raising

Information on measures that users themselves can implement to protect their accounts from fraudulent use is provided in the following pages.
Yahoo! JAPAN Security Center (Yahoo! JAPAN) (Japanese only)
How to Avoid Being Hijacked - LINE's Guidebook for All (Japanese only) (LINE)
LINE Safety Center (Japanese only) (LINE)

Enhancements to Anti-Spam Measures (Yahoo! JAPAN)

Yahoo! JAPAN provides a number of tools that offer protective measures for Yahoo! JAPAN Mail users, such as automatic filters to remove spam and rejection of spoof mails. A help page provides detailed explanations on how to set up and use such tools as part of its efforts to support users in anti-spam measures.