Companies in Israel Facing New Data Security Regulations

By Sara Merken

Highly detailed data security regulations are looming in Israel as countries around the world review privacy laws, with some companies still falling short of compliance standards.

Israeli companies and local authorities continue to gear up to meet precise domestic requirements on public and private sector organizations holding individuals’ personal information. The country’s new Privacy Protection Regulations (Data Security) take effect May 8.

Israel is known as a technology hub, and multinational companies such as IBM Corp., Microsoft Corp., and Google LLC have operations in the country.

“These regulations are ever more vital, in an era of increasing cyberattacks and challenging corporate practices,” Limor Shmerling Magazanik, director of strategic alliances with the country’s Privacy Protection Authority, told Bloomberg Law.

“The regulations, based on internationally accepted information security standards, constitute a significant milestone in protecting personal information and the right to privacy in Israel,” Magazanik said.

Companies face major changes. They will be required, for the first time, to notify the nation’s privacy authority about data breaches, classify their databases by levels of risk, and appoint data security officers.

Database Risk Levels, Breach Notices

Imposing specific security requirements on any entity operating a database is a big shift away from the country’s previous “high level” provisions that held database owners and processors responsible for data security, according to Nurit Dagan, a partner with Tel Aviv-based Herzog Fox & Ne’eman, who advises on privacy and database issues.

By contrast, the incoming regulations will require all companies that own, manage, or maintain a database with personal information to implement specific data security measures based on security risks. Those would range from basic to high level, depending on who owns the database, the sensitivity of the data, how many people are on the database, and how many have access to it, Dagan told Bloomberg Law.

Previously, there was “no differentiation between a database of 500,000 people and a database of 10,000 people,” she said.

Also, for the first time, companies will be required to comply with data breach notification requirements. Owners of medium- and high-risk databases will be required to report incidents to the privacy authority, Dagan said, which will also have the ability to tell a data controller to notify people affected by a data breach.

Other changes companies face include increased documentation requirements, mandatory risk assessment and penetration testing for some database controllers, and creating new responsibilities for corporate data security officers, the privacy authority’s Magazanik said.

Some Still Unprepared

The Israeli market, as a whole, does not appear to be fully prepared to comply with the regulations, Yoheved Novogroder-Shoshan, a Jerusalem-based privacy and technology partner at Yigal Arnon & Co., told Bloomberg Law.

More sophisticated companies have demonstrated compliance efforts, particularly those that are also gearing up to comply with the European Union’s General Data Protection Regulation taking effect May 25, Novogroder-Shoshan said. But even companies that are implementing the high-level GDPR compliance need to focus on Israel’s “extremely granular requirements,” she said.

Some entities will likely take the new obligations seriously “only after we see an enforcement action by the Israeli privacy authority,” Dagan said.

Meanwhile, not all local authorities are ready, but the government rejected a January request from the Federation of Local Authorities in Israel for a two-year delay in putting the regulations into effect, according to Shlomo Dolberg, the federation’s chief executive. Dolberg said local authorities need more time to hire personnel and purchase new computer systems.

Magazanik, with the privacy authority, said the first year would be “dedicated to implementation.” The privacy authority said it would notify companies before taking any further action.

Magazanik said security programs “need time to develop and mature. The market needs time to adapt.” The privacy authority has increased its capacity to conduct audits, he said, and will “give special focus to compliance with the breach notification duty.”

Draft Bill Enhances Enforcement

The new regulations may not be Israel’s last data security measure. A draft bill pending in the Knesset, the Israeli parliament, would grant the privacy authority additional enforcement powers.

If passed, the bill would increase the fines that the privacy authority could impose for violations of the privacy law to a maximum of NIS 3.2 million, equivalent to over $890,000 USD, Ella Tevet, a Tel Aviv-based partner and head of Gross, Kleinhendler, Hodak, Halevy, Greenberg & Co.’s intellectual property and privacy group, told Bloomberg Law. The bill has passed its first reading and will go through two more.

The bill’s timing may relate to Israel’s status with the European Commission, which could conduct a review of its 2011 adequacy decision on Israel’s data protections.

Israel is one of 12 countries recognized as having adequate data protection, which allows nations to exchange personal data with the European Union without additional safeguards. The commission said in November 2017 that it is reviewing the agreements it has with outside countries.

“We assume that the promotion of such bill results from the Israeli regulator’s attempt to correlate between the Israeli Privacy Law and the requirements imposed under the GDPR” to ensure that Israel maintains its adequacy, Tevet said.
