Everybody talks about cyber attacks. It is the hottest topic in every field.
A cyber attack is an unauthorized intrusion by outside software that can cause damage or disruption to your computer.
Startups spring up like mushrooms after the rain, each with its own brand new way to help us, the users of the modern world, cope with the cyber dangers we face almost every day. A case in point is the latest cyber attack on WhatsApp, which shut the service down for its users for a few hours.
As always, the world of the law must follow the industry’s needs and contribute to the legal aspects of the cyber problem.
Within that effort and in line with international trends, Israel founded the Israeli National Authority for Cyber Defense (“the Authority”) and recently introduced new Privacy Regulations on Information Protection (“the Regulations”), which apply to anyone who owns, manages or maintains a database containing personal data in Israel. The Regulations will be effective as of May 8, 2018 and deal mainly with cyber issues.
The new Regulations differentiate between three types of databases: databases that must meet basic security requirements; databases that are subject to medium level security requirements; and databases that are subject to high level security requirements.
The owner of a database must prepare a “specification paper”: a description of the intended uses of the database; information on any transfer of the database (or a substantial part of it) outside Israel, the purpose of the transfer, the destination country, the identity of the transferee and so on. The Regulations also require the appointment of a data protection supervisor and the adoption of adequate measures, in accordance with the nature of the database, to ensure that only persons authorized by the supervisor can access the database. Severe security events must be reported to the Authority.
Further, if the database is connected to the internet or to a public network, the Regulations require the installation of appropriate protection against unauthorized intrusion or software that could cause damage or disruption. Backup of all data is obligatory.
The Regulations provide further detailed instructions with regard to the manner in which the controller or owner of a database is required to operate and secure databases in Israel in view of the current cyber threats.
It is further worth noting that the GDPR, which applies to all businesses that offer goods or services to EU-based customers or monitor their behavior, will also be entering into force on May 29, 2018, and if you are an Israeli company offering goods or services to EU-based customers, you will be required to meet both the Regulations and the GDPR.
The GDPR and the Regulations both cover cyber security. The Regulations go into a lot of detail with regard to the technical application of database security, while the GDPR has a much broader scope and gives more general guidelines. It could be suggested that, with regard to cyber security, the Regulations set the bar higher. With regard to data breach notification – one could argue that the reverse is true.
Since neither the Regulations nor the GDPR has yet been subject to judicial review, the interpretation of the Regulations and the GDPR, alone and in concert, will also be a challenge for us lawyers.
There is a long list of very specific requirements which the database owner must meet under the Regulations, among them: drafting a database specification document; maintaining the computer systems in a secured location; in many cases appointing a data security officer; and implementing data security protocols addressing the physical and environmental security of the database’s premises, the use of portable devices, access credentials and more. A database owner is also required to compile a list of the components and devices that make up the database’s computer systems. Art. 25 of the GDPR provides that “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
Pursuant to the Regulations, prompt notification shall be provided to the privacy regulator regarding any severe data breach, while the GDPR provides that “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority… unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
With certain limited exceptions.