Israel’s Knesset Approves Revolutionary Protection of Privacy Regulations
21/05/2017
On March 21, 2017, the Constitution, Law and Justice Committee of Israel’s parliament, the Knesset, approved the Protection of Privacy Regulations (Information Security), 5777-2017 (hereinafter, the “Regulations”). The Regulations mark a landmark change in the field of information security in Israel and impose substantial obligations on database owners. Among other duties, every database owner will be required to adopt a comprehensive information security policy and set of procedures, map the information systems in the organization and carry out a risk assessment, implement information security practices in human resources management, and comply with requirements relating to the reporting of security incidents. In addition, for databases containing more sensitive information, the Regulations require vulnerability assessments and penetration tests as well as the implementation of advanced security mechanisms. The Regulations will come into force one year following their publication.
Different Database Security Levels
In general, the Regulations will apply to every database that is required to be registered under the Protection of Privacy Law. However, some provisions will only apply to medium or high security level databases, which will be subject to stricter practices. Medium security level databases include, among others, databases that contain medical information, personal information, information on an individual’s political opinions or religious beliefs, biometric information, or economic information such as the individual’s consumer habits, as well as databases designated for direct mailings. High security level databases include those that hold the information contained in the medium security databases described above, if such information is collected on 100,000 or more individuals, or if the number of people who are authorized to access such database is greater than 100.
Policy Statements, Practices, and Officers
The Regulations obligate every database owner to adopt an information security policy statement that defines the purposes of its database, the ways it is used, the main risks for security breaches, and the methods for handling such breaches. It is necessary to update the policy statement from time to time to correctly reflect how the organization is using the database.
In addition, every database owner will be obligated to establish a set of information security procedures suited to the nature of the database. All employees in the organization will be bound by these procedures, which will, among other things, cover: mapping and securing the information systems in the organization, authorizations to access the databases and the information systems, the security measures that have been deployed, and existing security risks and how they are handled, including in real time. Owners of medium and high security databases will also be obligated to include a description of how they back up the information in their possession, a description of their periodic database checks, and a description of how portable devices are used in the organization.
The Regulations also mandate that the Information Security Supervisor, appointed in accordance with the Protection of Privacy Law – whether the appointment is statutorily required or made voluntarily – will not carry out another role at the organization that may cause him or her to be in a conflict of interest (for example, as chief information technology officer or as manager of the information systems in the organization). The Regulations establish that the Supervisor will be subject to the CEO or another senior officer and that the Supervisor shall have all required resources to enable his or her compliance with the Regulations.
Mapping Information Systems, Vulnerability Assessment, and Penetration Tests
In addition to developing policy statements and internal procedures, database owners will be required to prepare and maintain a document that outlines the information systems connected to each database (including hardware, software, and user equipment) and the security measures employed to protect them. Once every 18 months, owners of high security databases will also be required to carry out vulnerability assessments and penetration tests on their information systems, review the results of these assessments and tests, and adopt practices and security measures in accordance with the conclusions reached.
Information Security Measures
The Regulations require database owners to implement various information security measures. For example, database owners will have to ensure, among other things, the physical security of the database, management of access authorizations, establishment of identification and verification mechanisms (including strong passwords and sophisticated identification measures), documentation of security incidents on the information systems, separation between different information systems connected with the database, and the encryption of information in transit from the database to public networks.
Further, owners of medium and high security databases will be required to document the physical access to the information systems at their organizations, to operate a stringent user identification and authentication mechanism (including automatic disconnection mechanisms and physical identification measures), to document automatically the electronic access to the information systems at their organizations, and to keep the documentation data for a period of at least 24 months. The Regulations also mandate that the owner of the database establish procedures for backing up and restoring information and execute, at least once every 24 months, an internal or external audit that is aimed at assessing the level of compliance with the provisions of the Regulations.
Information Security in Human Resources Management
The Regulations require database owners to take appropriate measures to ensure that employees who have access to the databases are suitable to receive such access, taking into account the sensitivity of the information contained in the databases. In addition, database owners will be mandated to hold training sessions for the employees before they receive access to the databases. Owners of medium and high security databases will be required to hold periodic training sessions for their employees – at least once annually. These obligations will also pertain to current employees in an organization who have access to the database.
Reporting an Information Security Incident
Apart from the provisions relating to information security measures that the organizations must take, the Regulations impose – in certain circumstances – a reporting obligation to the Registrar of Databases for those organizations that experienced information security incidents. The Regulations grant the Registrar of Databases the authority to order such organizations to also report the information security incidents to every individual whose information was revealed.
Summary
The Regulations constitute a revolution in the regulation of information security in Israel and their application is far reaching. We emphasize once again: every owner who is required to register his or her database will be subject to at least some of the Regulations. Although the Regulations do not prescribe the specific technical controls a database owner must adopt, they do mandate a series of corporate and managerial measures, as well as technological measures that conform to the types of information the organization keeps and the uses made of that information. Therefore, the Regulations demand that each company carry out its own internal assessment and preparation.
Though the Regulations will come into force one year following their publication, we recommend organizations consider beginning the necessary internal processes, since these include both legal and technological aspects that will require cooperation between various professionals both external to and from within the organization.
By Adv. Amit Dat and Adv. Dr. Omri Rachum-Twaig, Fischer Behar Chen Well Orion & Co., Israel, a Transatlantic Law International affiliated firm.
For further information or for any assistance regarding Israeli privacy and data protection law please contact Amit Dat at israel@transatlanticlaw.com.
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 95 affiliated independent law firms worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.