After years of deliberation, the Israeli Parliament (the “Knesset”) approved the most significant expansion of Israel’s data security laws in over two decades. The Protection of Privacy Regulations (Data Security), 5777-2017 (the “Regulations”), apply to any business that owns, manages or has access to a database in Israel containing personal information. The Regulations will come into effect in March 2018 and impact a wide range of data security practices, from breach notification to access monitoring. Entities with operations in Israel should carefully review the Regulations.
The collection, use and disclosure of personal information stored on electronic databases in Israel is governed by the Protection of Privacy Law, 5741-1981 (the “Privacy Law”). In addition to baseline privacy protections, the Privacy Law also mandates security standards for specific types of personal information, including credit history, medical records and biometric data. Despite its extensive coverage, the Privacy Law has remained relatively static since 1996, when its most recent significant amendment was enacted. The Regulations are viewed as necessary to ensure the continued “adequacy finding” of Israel’s privacy framework in the eyes of EU regulators ahead of the EU General Data Protection Regulation coming into force.
As described in the Explanatory Notes to the draft version of the Regulations, multiple layers of privacy defense are included in the Regulations’ text:
- the first layer requires database owners to identify the types of personal information they possess and the material risks to the security thereof;
- the second layer requires entities to draft and implement formal, written policies and procedures with respect to data security; and
- the third layer imposes specific data security practices on database owners.
Among the Regulations’ numerous provisions, a few stand out as particularly significant:
- Database Classification. The Regulations classify databases into four categories: Individual-Managed Databases, Basic Security Databases, Medium Security Databases and High Security Databases. The Regulations impose the fewest obligations on Individual-Managed Databases and the most obligations on High Security Databases.
  - High Security Databases are intended to deliver information to third parties or contain special categories of data, such as medical records or political affiliation, cover at least 100,000 persons and are accessible by more than 100 users.
  - Medium Security Databases are intended to deliver information to third parties or contain special categories of data, and are accessible by more than 10 users.
  - Basic Security Databases do not meet the criteria for any of the other three categories.
  - Individual-Managed Databases are maintained by an individual or sole proprietorship, are not intended to deliver information to third parties, contain no data subject to professional confidentiality obligations, cover fewer than 10,000 persons and are accessible by no more than three users.
- Breach Notification. Each owner of a Medium Security Database must immediately report to Israel’s data privacy authority and database registrar, the Israeli Law, Information and Technology Authority (ILITA), any unauthorized access to or use or disclosure of a material segment of the database, as well as any measures the owner is taking in response to such incident. The same obligation is imposed upon each owner of a High Security Database, except that the “material segment” qualification is not applicable; any breach must be immediately reported to ILITA. In turn, ILITA may, after consultation with the Israel National Cyber Bureau, direct the database owner to provide notice to any individual whose personal information may have been compromised.
- Documentation Obligation. Each database owner must draft and annually update a specification manual that describes its database’s contents and objectives, processing mechanisms, cross-border transfer practices and third-party access, as well as document the security practices applicable to the database.
- Data Minimization. Each database owner must annually evaluate whether its database contains more information than is necessary to achieve the objectives set forth in the database’s specification manual.
- Risk Assessment/Penetration Testing. Each owner of a High Security Database must conduct a comprehensive risk assessment with respect to and penetration testing of its database at least once every 18 months and remediate any vulnerabilities discovered.
- Authentication and Logging/Monitoring. For Medium and High Security Databases, access must be authenticated by means of a physical token and automatically monitored by a system that identifies the user accessing the database, the time and date of access and the information retrieved and/or processed.
- Security Officer. The Regulations expand on the current requirement under the Privacy Law that certain companies retain a qualified Security Officer. The Regulations impose seniority standards and conflict-of-interest rules specifying, among other things, that the Security Officer must be directly subordinate to the individual manager or owner of the database.
- Outsourcing. Before transferring data to a third-party service provider, a database owner must conduct an appropriate review of the risks attendant to such transfer and enter into a detailed agreement with the service provider regarding the proper use and safeguarding of the transferred data.
It remains to be seen how aggressively the Regulations will be enforced once they take effect. In some circumstances, such as when an entity is otherwise complying with the provisions of a security plan imposed by another authorized agency, ILITA may temporarily waive compliance with certain of the Regulations. However, the Regulations also expressly state that compliance is a shared responsibility among each of a database’s owners, managers and users. Therefore, all businesses with a presence in Israel should actively engage and cooperate with partner stakeholders and closely watch for further guidance as March 2018 approaches.