It is with this understanding that the Company has prepared regulations for ensuring information security, established structures for reinforcing information security, conducts comprehensive employee education and guidance concerning the secure and appropriate management of information assets, and has taken the following actions to ensure proper handling of information assets.

1. Creation of information security management structures
To ensure secure and appropriate management and protection of information assets in the Company’s possession, the Company complies strictly with laws, regulations, and other rules concerning information security and has created advanced information security management structures to carry out its corporate social responsibility of ensuring information security.

Specifically, the Company has established, operates, and continuously improves a personal information protection management system that is compliant with JIS Q15001:2006 (Personal information protection management systems - Requirements) to promote measures concerning the protection of personal information.

2. Appointment of an Information Security Officer and creation of a Information Security Committee
The Company appointed an Information Security Officer to oversee all information security for the Marsh Group in Japan and established an Information Security Committee to perform group-wide information security functions. As a result, it is possible to understand the current status of information security and to implement a variety of group-wide policies relating to ensuring information security.

3. Adoption of internal regulations concerning information security
The Company adopted the Personal Information Protection Management System Basic Regulations and Management Regulations based on the Personal Information Protection Management System to promote the protection of personal information and received approval from the Japan Information Processing Development Corporation to use the Privacy Mark. In the future, the Company will adopt the Information Security Basic Regulations and Management Regulations, which are internal regulations concerning overall information security including the protection of the confidential information of customers, and will adopt clear initiatives concerning management of information assets overall.

4. Creation of audit systems
The Company will create systems that are able to perform periodic audits of compliance with basic policies, regulations, and rules and the implementation status of various policies concerning information security.

5. Reinforcement of management structures of external service providers
When the performance of services is outsourced, the Company performs reviews of the appropriateness of service providers and with respect to information security, requires that service providers maintain at least the same levels of security that the Company maintains. Also, the Company periodically confirms that these security levels are being maintained, performs continuous reviews of service providers, and is bolstering contractual provisions concerning information security.

6. Initiatives for the protection of personal information
In light of the importance of procedures concerning the protection of personal information, the Company complies with the Act on the Protection of Personal Information as well as other applicable laws, regulations, and guidelines, handles personal information properly, and takes appropriate measures concerning security and management. Also, the Company performs periodic reviews of personal information management systems based on the results of inspections and audits and makes improvements.

(1) Acquisition of personal information
The Company acquires personal information to the extent necessary for its business operations through lawful and fair means only.

(2) Use of personal information
The Company performs work under consignment from multiple insurance companies and operates as an insurance agent. The Company also performs risk consulting and various services relating to personnel programs and employee benefit programs under consignment from multiple firms. The Company uses personal information received through its transactions with customers (including personal information concerning members received through transactions with customer companies and organizations, personal information provided by outsourcing customers for the performance of services, and the content of telephone conversations recorded at the Company’s contact center) for the following purposes and shall provide such information to services providers to the extent necessary to achieve the intended objectives.

1. Development, proposal, and provision of risk management consulting services, products of insurers with which the Company does business, and ancillary and related services;
2. Planning, proposal, and implementation of Company events, campaigns, and seminars;
3. Performance of contracts and transactions; and
4. For business-related communications (including sending greeting cards and congratulation and condolence arrangements).

The Company does not engage in the use of personal information that exceeds the scope of purposes previously notified, announced, or made clear to the individual in question (“Use of Information Beyond the Intended Purposes”). The Company implements measures to prevent the use of information beyond the intended purposes. If the Company changes the intended uses of personal information, it shall announce the content of the changes by written notice to the individuals concerned or by posting on its Web site and other means.
Information concerning the intended uses of personal information by the insurers that consign the performance of work to the Company can be obtained on the Web sites of those companies. >Insurance companies

(3) Measures for the secure management of personal information
The Company has adopted adequate security countermeasures including the adoption of regulations concerning security management and the creation of implementation structures to prevent leaks and loss of and damage to personal information handled by the Company and to otherwise securely manage personal information. The Company also takes appropriate measures to ensure the accuracy of and timeliness of information necessary for achieving the objective of its use.

(4) Provision of personal information to third parties
The Company shall not provide personal information to third parties without the consent of the individual concerned except when permitted by law.

1. In case of the acquisition, use, and provision to third parties of Sensitive Information to the extent necessary for business purposes with the consent of the individual concerned to the extent necessary to perform appropriate insurance business operations;
2. In case of the acquisition, use, and provision to third parties of Sensitive Information to the extent necessary for the performance of payment of insurance benefits in conjunction with inheritance proceedings;
3. In case of the acquisition, use, and provision to third parties of Sensitive Information of employees concerning affiliation with or membership in political or religious organizations or labor unions to the extent necessary for performing collection of insurance premiums;
4. In case where acquisition, use, and provision to third parties is pursuant to law;
5. In cases where acquisition, use, and provision to third parties is necessary to protect the life, person, or property of another and obtaining the consent of the individual concerned would be difficult;
6. In cases where acquisition, use, and provision to third parties is necessary to improve public health or for the promoting the sound development of children and obtaining the consent of the individual concerned would be difficult; and
7. In cases where cooperation with the performance of the work of a governmental authority, local governmental body, or party cosigned to perform work by such as governmental authority or local governmental body is required by law and there is a risk that obtaining the consent of the individual concerned would interfere with the performance of that work.

(6) Complaints and consultations concerning the Company’s handling of personal information or personal information management structures
Complaints and consultations concerning the Company’s handling of personal information or personal information management structures can be made by contacting the Company at the address or telephone number indicated below. A response to the complaint or consultation will be made after confirming the individual’s identity.
If you do not wish to receive product and service information through the mail or other means, please contact the Company as indicated below.

【Complaint and Consultation Contact Information and Hours of Operation】
Toshiyuki Kitao, Information Security Officer
Marsh Japan, Inc.
Tokyo Opera City Tower 38F
3-20-2 Nishi-Shinjuku, Shinjuku-ku Tokyo 163-1438
Tel: 03-5334-8597
Hours of operation: 9:00 a.m. – 5:00 p.m., Monday through Friday (closed on holidays)
Web site:http://www.marsh-jp.com/mj/index_e.php

(7) Requests for disclosure of personal information pursuant to the Act on the Protection of Personal Information
Requests for notice, disclosure, correction, addition to or removal from, suspension of use, deletion, and suspension of provision to third parties (collectively referred to as “Disclosure”) shall be processed after confirming the requesting party’s identity. Requests relating to personal information in the possession of an insurer or other company will be forwarded to that company. If an investigation of personal information in the Company’s possession indicates that the information is not correct, the information shall be corrected based on those results. Requests for notice or disclosure concerning the use of personal information require the payment of a fee (1,000 yen (including consumption tax) per request). Please use the contact information above to make inquiries concerning procedures and application forms.

Adopted: April 1, 2005
Revised: September 8, 2008
Hirofumi Shimoyama, Representative Director
Marsh Japan, Inc.