A Practice Note addressing key legal requirements and considerations when handling data breaches, cyberattacks, or other information security incidents in Japan or drafting data breach response notifications regarding personal data originating from Japan. This Note also discusses guidance from the Personal Information Protection Commission (PPC) and obligations under the Act on the Protection of Personal Information (APPI), the Basic Act on Cybersecurity, and sector-specific laws and regulations. The Japan-specific guidance in this Note may be used with the generally applicable resources listed in the Global Cyber Incident Response and Data Breach Notification Toolkit.