1. Corporate Philosophy and Information Security

The Benesse Group empowers people to solve issues for themselves and to enjoy life to the fullest at every stage by offering them the tools and support they need to create well-being. Our Group's efforts to assure information security are essential in achieving this goal, demonstrating a vital concern in management and operation of each Group company.
The Benesse Group aims to achieve a first-class global security level, and has established an information security management system to effectively implement information security management.

2. Protection of Personal and Significant Information

The Benesse Group believes that our customers' personal information, our business partners' information that we maintain on a contract basis, and company trade secrets including such information are particularly significant. When we receive personal information, we respect the customer's intentions and handle this information based on the customer's consent. In order to protect significant information, we establish and implement appropriate management measures governing confidentiality, integrity, and availability. In particular, we build a security structure for the database containing our customers' personal information that includes controls limiting those with access rights, including outsourcers.

3. Compliance and Conforming to Standards

Benesse Group companies comply with laws and regulations regarding information security and privacy protection. In light of business expansion to several overseas countries, we adopt international standards for information security management, and ensure that each company's governing regulations comply with international standards. If a Group employee commits a violation, we investigate the cause to prevent recurrence, and severely punish those involved in the breach.

4. Continuous Improvement

The information security environment is constantly changing. To address these changes, the Benesse Group continually improves its information security management practices. In addition, we constantly endeavor to cope with emerging vulnerabilities, understanding that unaddressed vulnerabilities increase risks to information security.

5. Training

The Benesse Group implements training on information security for executives and employees of all Group companies, believing that complete understanding and participation by everyone in an organization is essential to information security management. In addition, we conduct effective enrichment activities, such as measures to ensure understanding and improve awareness.

(April 1, 2015)

In addition, details on the purposes for which personal information is obtained, the provision of personal information to third parties, procedures for responding to requests for disclosure, etc. and matters relating to the receipt of complaints / handling of browsing history, etc. are also published and can be found below.

• Public Statement Regarding Protection of Personal Information

We manage the plans and status of the enforcement of information security and protection of personal information through the Compliance Security Headquarters, led by a managing executive officer CRO and executive general manager of compliance and information security. An information security chief is appointed in each operating company to implement and promote information security. We have created a system to promote information security, plans to respond to emergencies, and steps to respond to incidents. We have also established an information security surveillance committee as an outside organization. We aim to create world-class information security by being regularly audited by outside experts.

Emergency Response

The Benesse Group has established a reporting route and has created a system to quickly take appropriate action when responding to incidents in an emergency.

Employees who discover any anomalies in information security or the handling of personal information or who have received a report of an abnormality from a contractor quickly report to the head of their department. The department head then quickly reports to the Information Security Reporting Office or the Emergency Case Reporting Office (the Benesse Group Hotline). A situation-dependent direct reporting route to the Emergency Case Reporting Office by the person who discovered the abnormality has also been established for reporting emergency cases that are especially urgent. The Compliance Security Headquarters gathers the information and reports the overall status of the incident to the president of Benesse Holdings while also establishing a system to take appropriate measures for the issue that has arisen.

Information Security Surveillance Committee

The Information Security Surveillance Committee regular checks data, system operation and maintenance, appropriate security standards for date usage and management, the state of the establishment of rules on usage and management, corresponding standards in Group companies and the state of compliance of rules, etc. within the Benesse Group. Our mission is to make fair decisions from the customer’s point of view, including taking necessary measures for improvement. The committee was established on October 15, 2014, and regularly meets once every quarter. Checks are continuously implemented by outside experts. Members are made up of outside experienced academics who are authorities on information security and the protection of personal information, and they also offer suggestions on how to further strengthen our information security.

Information Security Surveillance Committee Members (FY2023)

（Honorific titles omitted）

System and Environmental Improvements

We continue our initiatives to strengthen the operation and monitoring of our systems and to strengthen our system security with technological measures based on the latest information so that our customers will feel safe and have the confidence in Benesse to entrust their personal information to us. In addition, we will achieve the world's highest level of information security by receiving audits and advice from outside experts.

■Strengthening system security measures

New technologies arise every day in our internet-based society. We are implementing measures from the following viewpoints and work to continuously improve.

• Security measures in system operations (improving alert functions that detect abnormalities, etc.)
• Measures to prevent malware infections (implementation of a strict access system from inside to outside the network, etc.)
• Measures to protect the communications network (pertinent changes to network configuration, interception of external access, etc.)
• Access control to the system and information (Making authorization stricter and strengthening management of IDs and passwords, etc.)

■Strengthening our security environment

We continue to implement measures to strengthen our security environment to realize the world's highest level of security. The following are some specific examples.

1) Strengthening checks through metal detectors

We perform stringent checks at the entrances and exits of the locations where we manage databases with customer information so that electronic and recording devices cannot be brought in or taken out.

2) Managing and responding to limited risks and implement appropriate security measures

Benesse Corporation works to strengthen their security zoning at several levels at locations where they manage customer information data depending on the information being handled, the details of the work, and who can access the information. They implement security measures appropriate to each situation and handle customer information in a safe environment. The following are some specific examples.

[Risk Control in the Office]

Only employees and involved persons may enter. We respond to our customers by having personal information viewable only on devices with strengthened security that can only be used by a limited number of people.

[Risk Control in the Customer Information Database Viewing Area]

In addition to strictly managing who has access, we also fully monitor all operation logs and actions and implement security measures on our special network.

[Comments from customers about the handling of customer information and examples of responses]

In addition to strictly managing entrance to the area, we also fully monitor all operation logs and actions and have disabled data exporting, though operations are possible with the database.

Handling of Customer Information

The Benesse Group clarifies the purpose of use of personal information entrusted to us by our stakeholders and ensures the appropriate management of personal information in a transparent manner at each stage (acquisition, use, utilization, and deletion). In addition, we have established a contact point for requests for disclosure, etc., and respond promptly to such requests.

Please see below for details.

• Privacy Policy

To ensure that our products and services can be used with peace of mind, we are continually reviewing our privacy policy and response based on the feedback we receive.

Employee Training and Awareness

■Security Day

We set July 7 as Security Day in the wake of the breach on personal information that was discovered in 2014. Benesse Corporation carries out activities on this day each year where all employees pledge to remember incident training and work to strengthen information security. This includes holding morning meetings on information security, presenting internal initiatives, and having lectures from outside specialists.

■Information security training

Benesse Holdings and Benesse Corporation require all people who work for Benesse (i.e., from directors to part-time staff) to attend information security training. Through the training, all employees annually reconfirm the rules and behaviours they should follow and their basic knowledge of information security, particularly with regard to personal information. The training had a 100% attendance rate in FY2022. We have also prepared a system to ensure that security standards and operations are maintained even when employees work from home and conduct training to reconfirm security rules at the start of telecommuting. Other training is also provided in dedicated programmes in the departments responsible for system management in the Group.

Registered as a Business Approved to Display the PrivacyMark Symbol (November 2016) and Continuation of Actions to Protect Personal Information

After being assessed by JIPDEC, the Benesse Corporation was registered as a business approved to display the PrivacyMark symbol in November 2016.

We will continue to work to maintain and improve our information security and the management and protection of personal information and to further increase our customers' trust.

• November 2, 2016: Initial registration
• November 1, 2024: Expiry date

ISMS Certification (March 2016) and Continuation of ISMS Action

After ISO27001 (ISMS) certification was acquired by Benesse Corporation School Headquarters and Benesse BASE COM in May 2015, the same certification was also acquired by Benesse Holdings, Benesse Corporation (excluding some offices), and Benesse InfoShell in March 2016. Since the initial registration, we have continued to undergo external audits as annual maintenance audits and renewal audits every three years.

• May 5, 2015: Initial registration
• May 5, 2024: Expiry date