September 22, 2019 | By Adam Arutz, CISO, Head of GRC, Audit and Consulting
Understanding the Privacy Protection (Data Security) Regulations in Israel
In May 2018, the Privacy Protection (Data Security) Regulations came into effect. They require every organization, in both the private and public sectors, to report all personal-information processing activities carried out on its database(s), in accordance with the Privacy Protection Authority's guidelines.
To that end, the regulations classify databases into four security levels: high, medium, basic, and databases managed by an individual who grants access to no more than three additional people. The classification is based on the level of risk associated with the personal-information processing performed on each database. In principle, the obligations of the database manager or controller are determined by that level of risk exposure.
The regulations also define the role of database owner. Where no owner has been assigned to a database, the CEO or the company owner is deemed to be its owner by default.
Financial penalties and criminal liability
Any organization that fails to comply with the Privacy Protection (Data Security) Regulations is exposed to both financial penalties and possible criminal liability.
Failure to report a database and the personal-information processing activities conducted on it carries a sentence of up to one year in prison. In addition, Amendment 13 to the Privacy Protection Law, which is currently under deliberation, would raise the maximum fine per violation from NIS 25,000 to NIS 3.2 million.
Beyond official warnings and fines, the Privacy Protection Authority publishes infringement cases and privacy violations on its website, naming the offending organizations.
Outcomes so far
Since the regulations came into effect about a year ago, the Privacy Protection Authority has held 146 enforcement proceedings following serious information security breaches. Only 103 of those serious security incidents were reported to the Authority by the organizations themselves, as the regulations require; the remaining proceedings were opened following complaints or on the Authority's own initiative.
In 13% of the cases the organization was found to be in violation of the provisions of the law and regulations; in a further 66% of the cases deficiencies were identified but no violation was established.
The sectors with the highest share of violations were insurance and finance (23%), technology, including information-systems companies (10%), health (10%), communications (8%), education (8%), Internet (7%), and science and technology (2%).
Analysis of the severe security incidents shows the types of attack event that occurred during the assessment period: SQL injection (15%), social engineering, damage caused by brute-force attacks, malicious code, human error including incorrect system settings (9%), unintentional disclosure of information or loss of media (8%), and misuse of data-access information (7%).
The Privacy Protection Authority (PPA) may also require a database owner to implement additional security obligations in order to raise the security level of its activities.
We at TrustNet keep up to date with any regulatory changes that could affect your business and will help you comply with the latest requirements.