Data Breach Notification Introduced into Israeli Law
It took the Israeli Justice Department almost 7 years to pass the new regulations. For over 30 years, the Israeli market and public authorities were subject to a vague and outdated set of information security regulations. The old regulations provided very little guidance and were rarely enforced.
4 Security Levels
According to the chairman of the Constitution Law and Justice Committee, the new regulations set a new era in information security. They include a comprehensive set of requirements, which is based on 4 separate levels of information security governance –
- Sub-basic level – up to 3 persons with access permission –mild requirements, including a database description document, annual review of redundant data, basic physical security, reasonable means to prevent unauthorized access, keep records of data breaches, appropriate measures with portable devices (e.g. encryption) and secured internet communications.
- Basic level – up to 10 persons with access permission – on top of the requirements from sub-basic level entities, Basic level entities will be required to adopt the following controls – appointment of an information security officer, basic information security policy, system mapping, reasonable background checks, access management, incident management policy, data segregation, system updates, secured remote access, outsourcing requirements and retention of security records.
- Mid-level – data brokers, certain public authorities and databases with sensitive information, e.g., financial data, biometric and genetic data, health and mental state, criminal records and behavioral data. On top of the requirements from Basic-level entities, Mid-level entities will be required to adopt the following controls: enhanced information security policy, enhanced physical security, data breach notification, personnel training, enhanced access identification and management, enhanced secured remote access, external audits once every 24 months, backup and data recovery.
- High-level – Mid level databases with over 100,000 records or over 100 persons with access permission and certain public authorities. The entire set of requirements under the regulations is applicable to high-level databases. On top of the requirements from Mid-level entities, High-level entities will be required to adopt the following controls: risk assessments and penetration tests at least once every 18 months, quarterly security incidents discussions, quarterly discussion about incidents and updates to the information security policies, enhanced back-up and disaster recovery requirements.
Data Breach Notification
Owners of Mid and High level databases will need to report actual breaches to the Database Registrar (the local data protection regulator, which is part of ILITA – the Israeli Law Information and Technology Authority).
The report must be immediate and the database owner is required to provide details of the actions already taken to confront the breach.
While owners of Mid-level databases will only need to report substantial breaches, owners of High level databases will need to report each and every breach.
The Registrar may conduct investigations of the breaches, pursuant to its general investigatory authority under the Protection of Privacy Act. Furthermore, the Registrar, after consulting the National Cyber Security Authority, may order the database owner to send a notice of the breach to all affected data subjects.
There are no administrative or criminal sanctions against violations of the regulations. However, the Registrar may publish a finding of a violation, which may set the grounds for civil action, including potentially class actions.
Further Enactment Proceedings
The regulations were approved by the Minister of Justice, and their enactment process is complete. A final version of the approved regulations will be published soon.
The regulations will take effect 1 year after their enactment.
This article does not constitute a legal advice.