Q&A – Reporting security breaches involving personal data in Israel
The Israeli Privacy Protection law includes a data breach notification. Israeli member AYR – Amar Reiter Jeanne Shochatovitch & Co. prepared a Q&A memo about matters in which clients are required to notify; when, how and to whom.
Q: Which law requires notification of personal data breaches?
A: The Privacy Protection Regulations (Data Security), 5777-2017 (“Regulations”). An unofficial English translation of the Regulations is available here: nevo.co.il (www.gov.il)
Q: Who is the Regulator?
A: The Privacy Protection Authority (“PPA”), which is an independent unit within the Ministry of Justice.
Q: Do the Regulations apply to data processed out of Israel?
A: The Regulations are silent about this. It is unlikely the Regulations apply to entities which are not established in Israel, but they are likely to apply to data that is exported by Israeli entities (which are subject to the Regulations) for processing abroad. Nevertheless, the PPA encourages notification of data breaches affecting Israeli data subjects.
Q: Which personal data breaches must be reported to the PPA?
A: “Severe” data breaches must be reported.
The Regulations define a “severe” data breach in a database subject to high level of security as an unauthorized or excessive usage or data infringement (damage to the data integrity). There is no indication in the regulation to the scope of the usage or infringement for this classification of a breach.
In medium security level database, a “severe” data breach can be considered as an unauthorized data usage or data infringement in major or substantial fraction of the database.
A database subject to medium level security if it is used for data brokerage; is owned by a public body; or contains sensitive personal data, including criminal records, telecommunication data, biometric data and consumption habits that may denote information regarding a person’s personality or other sensitive information mentioned above.
However, if the database contains only health information, criminal records, telecommunication data, financial data or biometric data in the form of a face photo on employees or suppliers of the controller, for the sole purpose of business management and does not contain any other sensitive data or the controller has no more than ten staff – then the database is subject only to a basic security which means breaches are not reportable.
A database subject to high-level security is a medium level security database which contains data about 100,000 or more data subjects or the controller has more than 100 staff.
In a database subject to high-level security, even a leak of a small number of records can trigger notification.
Q: What are common examples of severe data breaches?
A: The PPA details an unexhaustive list of examples which qualify as “severe” (https://www.gov.il/he/Departments/General/data_security_report_examples). Common examples include:
- Identifying a hack into the organization’s network that gives rise to a reasonable concern that an unauthorized party had physical or digital access to the organization’s systems in a manner that enables it to view, change, or delete information contained therein.
- Damaging, deleting, disrupting or preventing temporary or permanent access to the organization’s data, through deliberate physical damage to systems, including ransomware and a Denial of Service (DOS) attack.
- Deliberate or accidental leak of sensitive information by employees acting without approval or authorization, such as the sending of a file containing personal customer information by e-mail to an unauthorized party, transferring a data file containing sensitive information to a mobile phone or personal computer without authorization and without protective measures.
Q: Is there an obligation to notify data subjects?
A: No. However, the PPA may, in consultation with the head of the Israel National Cyber Directorate, order the notification to data subjects who might suffer damage as a result of the incident.
Q: Who must notify?
A: Both the controller and the processer are independently under an obligation to notify, although they may coordinate their filing. Processors are also usually contractually obliged to notify the controllers about data breach incident that is related to the controller’s data.
Q: What is the timeframe?
A: The Regulation states the notification must be “immediately” after becoming aware of the incident, without specifying exact timeframe. The PPA also expects immediate notification.
Q: How is a breach reported to the PPA?
A: By sending a specific form (formatted by the PPA), online or via email. Information required includes:
Contact details for the reporting entity, its senior management, and data security officer, date of incident, existence (or not) of a data leak, database registration status, status of the organization (controller or processor), whether the incident has been reported to another regulator or law enforcement, the existence of cyber insurance coverage, the types of personal data the organization processes, how many data subjects are there, how many people have authorized access to the data in question, etc.
Q: What happens after a breach notification?
A: The PPA is likely to request additional information and may launch an enquiry.
Q: Is a data breach notification to the PPA a procedure that is subject to confidentiality?
A: No. The PPA can and does sometimes publish data breaches on its website, sometimes naming the organizations involved.
The stated in this document is general information only and does not constitute a legal opinion or legal advice and should not be used in any other way.
For any further information you are welcome to contact me.
Eyal Roy Sage, Partner
Head of Law & Tech
AYR – Amar Reiter Jeanne Shochatovitch & Co.
Click here to view the article.
Click here to learn more about our Tel Aviv, Israel member firm AYR – Amar Reiter Jeanne Shochatovitch & Co.