Israel - Data Breach Guide

Israel

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

The Protection of Privacy Regulations (Data Security), 2017 (the "Security Regulations") stipulate that in the event of a "Severe Security Incident", defined as "any of the following: (i) in relation to a database to which the high security level applies – an event where data from the database was used without authorization or in breach of an authorization or where harm was caused to the integrity of the data; and (ii) in relation to a database to which the medium security level applies – an event where a material part of the database was used without authorization or in breach of an authorization or where harm was caused to the integrity of the information in respect of a material part of the database", the owner of the database (the Israeli equivalent of the EU data controller) must notify the Registrar of Databases (the "Registrar") within the Israeli Protection of Privacy Authority (the "PPA") of the incident immediately, and should also send a report to the Registrar describing the steps taken as a result of the incident.

The Registrar, after having consulted with the head of the National Authority for Cyber Security, may order the owner of the database to notify the affected individuals (namely, the data subjects) who may be harmed by the incident.

Certain databases, such as those owned by the Israeli security authorities (e.g. the Israeli police, the general security services, the witness protection authority, etc.), the prison authority or the tax authorities, are exempt from this requirement.

We note that there are additional sector-specific data breach notification requirements (e.g. in the fields of banking, finance, etc.). Therefore, a sector-specific review should be made on a case-by-case basis.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

1.2.1 Data breach notifications are not triggered by the types of data breached, but rather by the type of the database (i.e. medium or high security level databases) and by the scope of the breach. With respect to medium security level databases, a material part of the database must have been used without authorization or in breach of an authorization, or harm must have been caused to the integrity of the information in respect of a material part of the database; with respect to high security level databases, it is sufficient that any part of the database was used without authorization or in breach of an authorization, or that harm was caused to the integrity of the information in the database, all as detailed in our response to question 1.1 above.

1.2.2 The notification requirements detailed in our response to question 1.1 above apply only to owners and/or holders (the Israeli equivalent of the EU data processor) of a database. However, under the guidelines issued by the PPA (the "Breach Notification Guidelines"), a single notification is sufficient to fulfil the notification obligation for both the controller and the processor (i.e., if the controller notified the PPA of the Severe Security Incident, the processor is not required to notify the PPA of that incident as well).

Under the Security Regulations, the owner of the database (i.e. the controller) must enter into an agreement with any service provider that receives access to the data (i.e. the processor), and such agreement must include an obligation of the service provider to notify the owner of the occurrence of a data security incident.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?


1.3.1 According to the Breach Notification Guidelines, a notification regarding a data breach should be given by completing an online form and sending it to a designated email address of the PPA.

The online form (in Hebrew) can be found here. The address of the PPA for reporting data breach incidents is: ppa_securityEvents@justice.gov.il

The notification should include the following:

(a) name, identity number and address of the organization;

(b) number of the registered database;

(c) details of a contact person within the organization;

(d) details of the manager of the database;

(e) details regarding the incident (e.g. the date of the incident, how it was discovered, how it occurred, whether there was any delay in reporting to the PPA, and what measures the organization had in place to prevent such an incident);

(f) the types of personal data that are at risk, whether the data is encrypted, the number of leaked records, the number of data subjects affected, and the potential negative impact on the affected individuals;

(g) whether the organization has implemented any recovery measures to restore the affected data and its security, the actions taken by the organization to minimize the effect of the incident on the affected individuals, and the measures implemented to prevent the recurrence of a similar incident;

(h) whether the incident has been reported to other authorities (foreign DPAs, the police, etc.) and whether the organization has received instructions from such authorities on handling the incident; and

(i) details regarding any media coverage of the incident.

1.3.2 The Security Regulations do not set out a time period in which a notice must be given, except that such notification must be made immediately following the occurrence of a Severe Security Incident. Under the Breach Notification Guidelines, such notification should be made within 24 hours, and no later than 72 hours, from the occurrence of the incident.

1.3.3 See our response to question 1.3.1 above.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?


Failure to comply with the data breach requirements under the Security Regulations has both civil and administrative implications:

Civil:

Under the Israeli Protection of Privacy Law, 1981 (the "Privacy Law"), any violation of the provisions of the Privacy Law and the regulations enacted thereunder (including the Security Regulations) constitutes a tort to which the Civil Wrongs Ordinance [New Version] applies (in which case the amount awarded by the court depends on the specific damages proven by the claimant).

Administrative:

In the event of a violation of the Security Regulations, the Registrar may suspend the registration of a database for a period that the Registrar determines, or cancel the registration of the database in the Database Registry.

In addition, it is common practice for the PPA to determine that a person or organization has breached a certain provision of the privacy legislation and to publish that determination on the PPA's website. Such a determination often serves as the basis for civil litigation, including the filing of petitions for certification of class actions (claiming that the regulator's determination of illegality is sufficient to meet the burden of proving a prima facie cause of action).

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

To the extent that the Israeli legislation pertaining to data breach notification does not apply, it is recommended to consider providing a notification to data subjects if such notification may reduce possible damages and consequently reduce exposure under general tort and contract law.

1.6 What are the applicable (data protection) laws or guidelines within your country?

The legal framework applicable to data breaches and the reporting of data breach incidents consists of the Privacy Law, the Security Regulations enacted thereunder, and the Breach Notification Guidelines issued by the PPA.

1.7 Contact information for the local Data Protection Authority:

Name: The Protection of Privacy Authority

Address: Tel Aviv Government Complex, P.O. BOX 7360, Tel-Aviv 6107202

Email: ppa@justice.gov.il

Website (in English): https://www.gov.il/en/departments/the_privacy_protection_authority

For more information, contact:

Name: Ohad Elkeslassy

Law firm: Herzog, Fox and Neeman Law Office

Address: Asia House, 4 Weizmann St, Tel Aviv 64239, Israel

Telephone: +972 3 692 7424

Fax: +972 3 696 6464

Email: elkeslassyo@hfn.co.il

Website: www.hfn.co.il