Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

The general obligation regarding data security under Israeli law is set out in Section 17 of the Protection of Privacy Law, which provides that: “A database owner, possessor or manager, are each responsible for the information security in the database.”

The term ‘information security’ is defined in Section 7 of the Protection of Privacy Law as “protection of the integrity of the information, or protection of the information from being exposed, used or copied, without lawful permission.”

According to Israeli law, one should act reasonably with respect to all matters concerning data security (taking into account the security measures that other entities in similar situations would be expected to take), and must implement reasonable measures, procedures and security efforts to secure the data in the database.

The Protection of Privacy Regulations (Conditions for Possessing Data and Procedures for Transferring Data Between Public Bodies), 5766-1986 impose specific duties regarding data security (see in particular Section 3(b)). Such duties include, for example, the duty to physically protect the system and the duty to lay down policies and directives regarding the management, storage, processing and transfer of data. Thus, a specific list of people with authority to access the data will need to be prepared and updated from time to time (see Section 3(b)(3a) of the regulations); in addition, Section 3(b)(4) imposes a general duty to take reasonable security measures to prevent unlawful database penetration.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Israeli law has no specific provisions for notifying individuals in the event of a breach.

Nonetheless, such a duty may arise by virtue of general obligations set out in Israeli law (including contracts law and the duty of care doctrine), depending on the potential damage and on other parameters arising from the nature of the event.

As a rule of thumb, as the risk of harm to individuals resulting from the breach increases (and especially when time is of the essence), the duty to notify individuals intensifies correspondingly.

Are data owners/processors required to notify the regulator in the event of a breach?

Data owners or processors are not required to notify the regulator in the event of a breach.

However, there are specific areas (especially with regard to sensitive data, such as banking) where such notification becomes mandatory.

