Companies Now Face Israel Data Security, Breach Notice Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jenny David

Companies doing business in Israel will soon face mandatory data security and data breach notification requirements under regulations recently cleared by lawmakers.

The data security and breach notice had been governed by voluntary guidelines issued in 2012 by the country’s privacy regulator, the Israeli Law, Information and Technology Authority (ILITA). Companies that didn’t implement measures when the voluntary guidelines were issued, including data breach notification, will have difficulty coming into compliance when the new regulations take full effect in 12 months, lawyers said.

Niv Sever, head of antitrust, competition and privacy at Tel Aviv-based law firm Mr. Firon & Co., told Bloomberg BNA that “even the largest companies and multinationals, which had to adopt the previous guidelines in order to function internationally, didn’t have reporting requirements.” The increased public exposure required by the new regulations will prompt more consumer class action lawsuits, he predicted.

Although the regulations will impose a heavy compliance burden on companies, adopting them gives Israel a boost in its efforts to prepare for the EU’s new privacy law, the General Data Protection Regulation, which takes effect in May 2018, practitioners said. In 2011, the EU certified Israel’s privacy regime as adequate to protect EU citizens’ computerized personal data but held back on full approval.

Israel is a major data processor and trade partner with Europe, so passing the regulations is “a game-changer” for the country in meeting EU privacy protection expectations, Sever said. The Israeli regulations are the necessary “quantum leap” toward gaining full EU approval, he said.

Mandatory Requirements

The new regulations, approved March 21, apply to all data collected, processed or held by public or private entities in Israel and will govern information collected by multinational companies with an Israeli presence, Jonathan Klinger, legal advisor to Israel’s Digital Rights Movement, told Bloomberg BNA.

U.S. technology giants Microsoft Corp., Intel Corp. and IBM Corp. have substantial Israeli operations, including cloud computing data centers and research and development facilities, according to company documents.

Some of Israel’s largest companies, particularly those with international affiliates and customers, implemented many of the regulations when they were issued as guidelines by ILITA. But now, every business with a database, “from barbers to supermarket chains, must factor in and adjust their protection mechanisms,” Klinger said.

The regulations allow courts to apply sanctions for data security breaches caused by negligence, with criminal sanctions available for some willful violations, Klinger said.

Each company covered by the regulations must appoint an information security officer, with specified data security functions and responsibilities.

To contact the reporter on this story: Jenny David in Jerusalem at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The Privacy Protection Regulations (Data Security), 5777-2017, are available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security