The Israeli Parliament recently approved the Protection of Privacy Regulations (Information Security) 2017 (the “Data Security Regulations”), which establish specific, granular requirements with respect to personal data collected and maintained in databases.
In certain respects, the Data Security Regulations bring data security obligations under Israeli law closer in line with other jurisdictions worldwide; in other respects, obligations under the regulations are unique among international data security regimes in their stringency and level of specificity.
The Data Security Regulations will become effective in March 2018 and are binding on all organizations that process or store personal data. In light of the broad changes the regulations introduce, compliance programs will require substantive changes to the manner in which organizations secure, process and share data. Clients are advised to commence compliance efforts promptly.
What Databases are Subject?
The Data Security Regulations establish four categories of databases, which vary according to data sensitivity, how the data is used, the number of individuals having database access and the number of data subjects. Data security obligations vary according to the database's category:
Category 1: Basic Security Databases. These include:
- Databases that do not fall within any of the other categories below
- Certain employee or supplier databases
- Databases with 10 or fewer individuals holding access credentials, even where they include data that would otherwise cause the database to qualify as a Medium Security Database (see below).
Category 2: Medium Security Databases
A database falls within this category if either of the following is true:
(i) The primary purpose of the database includes making information available to other parties for business purposes (for example, for use in direct marketing), or
(ii) the database includes 'special categories' of data, such as:
- Information about the private life of individuals;
- Medical, health, genetic or biometric data;
- Information about an individual's political opinions, faith, religious beliefs or criminal convictions;
- Financial, asset or debt data, or consumption information that is indicative of other items in the 'special category' list;
- Certain communications data, including traffic data or location data.
Category 3: High Security Databases
A database falls within this category if both of the following are true:
(i) Either the primary purpose of the database includes making information available to other parties for business purposes (for example, for use in direct marketing), or the database includes 'special categories' of data (see the description above under 'Medium Security Databases'); and
(ii) Either the database includes data of 100,000 or more data subjects, or there are more than 100 individuals with access credentials to the database.
Category 4: Databases maintained by individuals
A fourth class relates to databases that are owned either by a sole proprietor or by a company with a single shareholder, in each case where fewer than three individuals have data access. Subject to certain exceptions, these databases bear substantially lower compliance obligations than the other categories noted above.
Who is Subject?
Database Owners (roughly equivalent to the EU 'data controller'), Database Holders (roughly equivalent to the EU 'data processor'), Database Managers, and the Data Security Officer (if appointed) all have obligations under the Data Security Regulations, though the scope of such obligations varies somewhat among the different actors.
Key Substantive Obligations
The Data Security Regulations supplement existing data security obligations under the Protection of Privacy Law, 1981 (the "Privacy Law") and other laws and regulations. Key changes include the following:
Data Breach Notification. One of the most notable changes is the addition of a data breach notification requirement for “serious data breaches” (i.e., in the case of a Medium Security Database, unauthorized use or data integrity compromise involving a substantial portion of the database, and in the case of a High Security Database, any unauthorized use or data integrity compromise). Database Owners must immediately notify the Database Registrar upon the occurrence of a “serious data breach.” While there is no uniform obligation to notify affected data subjects, the Database Registrar after consultation with the National Cyber Bureau Chief has the authority to order such notification. The existence of the data breach notification obligation increases the likelihood that entities experiencing a data breach will face data subject claims relating to such breach, including class action lawsuits to the extent permitted under law.
Required Security Measures. The Data Security Regulations impose specific and detailed requirements concerning the physical, administrative and technical security measures to be used in the protection of databases. These include, for example, segregating the system elements that enable access to database information from other system elements, mandatory use of firewalls, use of antivirus or anti-malware software where appropriate, and mandatory encryption of database information transmitted over public networks.
Data Minimization. The Data Security Regulations include express data minimization requirements pursuant to which Database Owners must annually re-evaluate whether the database includes excess information not necessary to achieve the purpose of the database.
Audit and Testing Requirements. Owners of High Security Databases must conduct security risk assessments aimed at identifying data security risks, and must perform penetration tests, at least every 18 months. In addition, Database Owners of Medium Security Databases and High Security Databases must have security audits performed by suitably qualified personnel to verify compliance with the Data Security Regulations; these audits must be performed every 24 months and may not be performed by the Data Security Officer. For High Security Databases, this audit obligation may be satisfied in the context of the 18-month risk assessments discussed above. Medium Security Databases must undergo annual reviews of data security events, together with an evaluation of whether the Data Security Procedure requires updating; for High Security Databases, these reviews must take place quarterly.
Database Access Controls. For all databases, only individuals who require access in order to perform their duties may be granted database access. Detailed access and authentication requirements apply to Medium Security and High Security Databases, including obligations to maintain and retain automated access logs, to document security incidents and to use a unique physical means (such as a smart card or dongle) to verify the identity of individuals with access permissions. Employees with access credentials must undergo appropriate screening and training.
Required Documentation. Database Owners must prepare and maintain the following documentation: (i) a Database Specification defining the general parameters of the database and its use; (ii) a Data Security Policy addressing physical security, database access protocols and the management of security threats and security breaches; and (iii) a System Architecture Document summarizing and mapping the system architecture, including an inventory of the system elements relevant to data security: hardware, software, communication elements and interfaces.
Security Officer. While the Data Security Regulations do not expand the category of companies which must appoint a Data Security Officer under the Privacy Law, they do include provisions aimed at ensuring the professional independence of the Data Security Officer, including an obligation to report directly to the database manager or a senior officer in the organization and a restriction on holding another position that would present a conflict of interest.
Outsourcing. The Data Security Regulations impose additional security requirements where data processing is outsourced to third-party entities. These obligations supplement the current obligations under the 2011 Directive issued by the Israeli data protection authority on the Use of Outsourcing for Personal Data Processing. Among the incremental obligations imposed by the Data Security Regulations is an obligation for outsourced service providers to provide an annual report to Database Owners on their efforts to comply with the Data Security Regulations and with the outsourcing agreement in place between the parties. These requirements may present challenges to Israeli entities using non-Israeli outsourced service providers for data processing functions, since such service providers are not themselves bound by Israeli regulations.
Due to the significant changes introduced under the Data Security Regulations, clients are advised to commence compliance efforts as soon as possible.
As an initial step, clients are advised to perform an internal audit to ascertain whether each of their databases should be categorized as a Basic, Medium or High Security Database, with an eye towards developing a compliance plan. In most cases, compliance programs will require substantive changes to the manner in which organizations secure, process and share data. In all cases, the mandatory documentation, including the Database Specification, Data Security Policy and System Architecture Document, will need to be prepared, and companies will need to develop and implement employee training programs.
New ventures are encouraged to consider requirements under the Data Security Regulations in designing their products and services; mature companies should similarly consider these requirements in connection with ongoing development efforts.