1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?
Israeli law uses the terms ‘cybersecurity’ and ‘data protection’ for similar purposes in relation to privacy matters in civil proceedings, while ‘cybercrime’ is used in criminal proceedings.
The terms ‘cybersecurity’ and ‘data protection’ are not distinguished in current legislation. The draft Cyber Defence and National Cyber Directorate Bill (see question 3.2) defines ‘cyber protection’ and refers to ‘data protection’.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
The key statutory and regulatory provisions that address cyber issues under Israeli law are:
- the Computer Law, 1995;
- the Privacy Protection Regulations (Data Security), 2017 (based on the 1981 Privacy Protection Law);
- the Emergency Regulations, 2020 on the collection and processing of ‘technological information’ about Israeli citizens in order to stop the spread of COVID-19;
- the Cyber Defence and National Cyber Directorate Bill, which is under negotiation in the Israeli Knesset (Parliament); and
- the Copyright Law, 2007 – Amendment 5 (2019) on the procedure for the disclosure of the identity of internet users under certain circumstances.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Special cyber laws apply in sectors such as insurance, banking, healthcare and cybersecurity.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The Privacy Protection Regulations (Data Security), 2017 specify the levels of security required for certain types of information, based on the level of data sensitivity as defined under the regulations. They are categorised as follows:
- databases to which a basic level of security applies;
- databases to which a medium level of security applies; and
- databases to which a high level of security applies.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Paragraph 15 of the Privacy Protection Regulations (Data Security), 2017 deals with outsourcing and sets out the data-security obligations that must bind an outsourced service provider. This is the regulations’ point of extraterritorial reach: they govern the agreement between the Israeli database owner and its outsourced service provider, which may be a non-Israeli entity, so a foreign provider is bound through that agreement even though it is not established in Israel.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
The relevant provision is paragraph 15 of the Privacy Protection Regulations (Data Security), 2017 (see question 1.4), which governs outsourcing agreements, including those with non-Israeli service providers.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
The Computer Law, 1995 sets out the following criminal penalties for cybercrime (eg, hacking and theft of trade secrets).
Under Paragraph 3, five years’ imprisonment applies to anyone who:
- transmits or stores false information, or acts on information in a way that results in false information or false output; or
- writes software, transfers software to a computer or stores software on a computer so that its use will result in false information or false output, or operates a computer using such software.
For this purpose, ‘false information’ and ‘false output’ are information and output that are liable to mislead, depending on their use.
Under Paragraph 4, unlawful intrusion into a computer, or unlawful access to material stored on a computer, is punishable by three years’ imprisonment, except where the act constitutes wiretapping, which is governed by the Wiretap Act, 1979.
Paragraph 5 provides that anyone who commits an act prohibited by Paragraph 4 in order to commit an offence under any law is liable to five years’ imprisonment.
Paragraph 6 provides that:
- anyone who writes or edits software so that it is capable of causing damage to, or disrupting the operation of, a computer or material stored on a computer, whether a specific computer or computers in general, is liable to three years’ imprisonment; and
- anyone who transfers such software to another person, or installs it on another person’s computer, in order to cause unlawful damage or disruption, is liable to five years’ imprisonment.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
Civil cyber matters concerning personal data and data security breaches fall under the Israeli Privacy Protection Authority (PPA). The Privacy Protection Regulations (Data Security), 2017 require organisations to notify the PPA of severe security incidents (see question 5.1). The PPA is authorised to supervise and take enforcement action against any organisation that is required by law to register its databases in Israel and, under the Privacy Protection Law and its regulations, may impose administrative fines and obtain entry and search orders, which it does in some cases. The PPA also enforces the legal requirement to register any database as defined by law. On the database registration form, the applicant must provide full details of:
- the database owner (equivalent to a data controller); and
- the database manager, who bears personal legal liability if he or she fails to supervise the organisation’s handling of the data.
Cyber threats to the civilian sector are monitored by the Israel National Cyber Directorate, which, through the Israel National Computer Emergency Response Team (CERT), works to improve Israel’s defences and to build a common civilian knowledge base on protecting data. The National Cyber Directorate has no enforcement powers.
National and international security-related cyber matters are handled and enforced by the Cyber Authority and other government agencies, which have wide-ranging powers to take whatever steps are necessary to prevent threats to national or international security.
The Israeli police force has established a central cybercrime unit to address offences committed on online platforms, such as child sexual abuse offences, drug trafficking, credit card fraud and identity theft. The unit has investigative and prosecution powers.
Other government-supervised entities, such as banks and insurers, have implemented cyber-related guidelines and procedures to match international standards.
Except in homeland security matters, none of the above authorities or government entities has extraterritorial powers over companies that are not established in Israel and have no local presence (including through subsidiaries or related companies).
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Private parties have the legal right to take several actions in case of a cyber breach or data leak.
A private party may file a complaint with the PPA, which may open an investigation or issue an inspection order requiring the organisation to disclose in full the personal data it has collected. Unauthorised collection of personal data is a breach of privacy, for which a private party may sue in the civil courts for statutory damages of up to NIS 50,000 without proof of loss. Where the breach was intentional, the court may award up to double that amount.
2.3 What defences are available to companies in response to governmental or private enforcement?
The best defence is to demonstrate full compliance with the Privacy Protection Regulations (Data Security), 2017 – for example, by providing documents and guidelines issued by the company with regard to:
- data control;
- the implementation of internal procedures and policies to comply with the regulations; and
- the appointment of personnel to ensure compliance.
The company must prove that:
- it took all necessary steps to protect the data; and
- the breach could not have been foreseen by a reasonable manager.
Civil cyber incidents such as ransomware and denial-of-service attacks fall under the privacy protection legislation only where personal data is involved; a breach of purely commercial information does not. A further potential defence is therefore to dispute that the incident is a data breach in the legal sense, by showing that the affected data does not form a database that must be registered (the Database Registrar operates within the PPA), so that no registered database was breached or compromised and the incident falls outside the privacy protection legislation.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
The Privacy Protection Regulations (Data Security), 2017 took effect in May 2018. They impose specific legal requirements in relation to the collection, registration and processing of personal data. Failure to comply with the applicable legislation may be regarded as a breach of privacy and incur such sanctions as may be imposed by the Privacy Protection Authority (PPA), such as administrative fines; it may also be subject to a court ruling on statutory damages for breach of privacy.
Cyber enforcement in respect of civil cyber incidents falls to the PPA where the incident involves personal data stored by magnetic or optical means that forms a database requiring registration. Failure to comply with the privacy protection legislation following a personal data breach may lead to administrative and criminal enforcement action by the PPA.
Since the entry into force of the privacy protection legislation, the PPA's approach with regard to enforcement has been to conduct proactive supervision in several sectors that control and process large quantities of personal information or sensitive personal information, such as biometric, medical or financial information.
As yet, there have been no significant landmark enforcement activities or judicial rulings with regard to cyber incidents.
The cyber defence authorities face daily attempts against Israel’s digital assets, which may also be tied to the operation of physical assets and so pose a threat to national security. These are dealt with by the relevant government agencies.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
On 20 June 2018 a draft Cyber Defence and National Cyber Directorate Bill was published; it has since been amended following public consultation. The bill defines the terms ‘cyber protection’ and ‘cyberattack’ and extends protection to types of information that are not privacy-related under the privacy protection legislation, including trade secrets, financial information and commercial information.
The cyber defence industry is one of Israel's fastest-growing industries, offering hardware and software solutions to prevent cyber threats targeted at end-user equipment and networks.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
The first industry to implement cyber compliance guidelines and procedures was the banking industry in 2015. Other regulated industries, such as insurance and critical infrastructure, followed suit. In 2018 the Privacy Protection Regulations (Data Security), 2017 came into force; these apply to all organisations that control or process personal data.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
In 2015 the Supervisor of Banks (the banking regulator) issued guidelines on implementing cyber defence measures to protect data held in databases controlled by banks. At the time the guidelines were voluntary and were intended to align Israeli banks with foreign banking standards. The Commissioner of Capital Markets, Insurance and Savings (the insurance regulator) followed suit with dedicated guidelines on cyber-related issues for the insurance industry. In 2017 the Knesset approved the Privacy Protection Regulations (Data Security), 2017, which took effect in May 2018 and impose binding operational requirements for the management of personal data held in digital databases.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
‘Cyber compliance’ is not defined in Israeli law. However, a cyber breach involving personal data is a security incident as defined in the Privacy Protection Regulations (Data Security), 2017, and the regulations set out the proactive measures that organisations must implement to strengthen their cyber defences and improve their response to such incidents. Corporate officers may be held liable for a personal data breach if they did not act as a reasonable corporate officer would be expected to act in the circumstances.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
The Privacy Protection Regulations (Data Security), 2017 set out the proactive cyber-related measures to be taken by organisations that control or process personal data, including companies in the private sector and government offices and entities. These include:
- documentation requirements;
- appointment of dedicated personnel;
- training and supervision to raise staff awareness of personal data handling; and
- periodic penetration tests of the organisation's digital infrastructure.
Specific regulated industries have implemented their own guidelines and procedures with respect to cyber defence methodologies and proactive measures in this regard.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
The Israel National Computer Emergency Response Team (CERT) is the designated centre for handling cyber incidents in the civilian sphere. It sits within the operational arm of the Israel National Cyber Directorate, the state body responsible for protecting Israeli cyberspace. CERT cooperates with many of the world’s leading cyber organisations and industries and:
- shares information;
- provides assistance and advice;
- responds to cyber incidents;
- promotes preventive activities;
- creates tailored partnerships;
- coordinates between industries, government and international partners to respond to cyber incidents;
- enhances information sharing; and
- prepares and issues alerts to the public.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Since May 2018, the Privacy Protection Regulations (Data Security), 2017 have required mandatory notification of severe security incidents.
A ‘severe security incident' is defined as follows:
- in the case of databases which are subject to a high security level, an incident involving the use of data from the database without authorisation or in excess of authorisation, or damage to the integrity of the data; and
- in the case of databases which are subject to a medium security level, an incident involving the use of substantial parts of the database without authorisation or in excess of authorisation, or damage to the integrity of the data in a substantial part of the database.
On discovering a severe security incident, the data controller must notify the Database Registrar (a unit of the Privacy Protection Authority (PPA)) immediately; the PPA’s guidance treats this as within 24 hours, and in any event no more than 72 hours (see question 5.2). The notification must describe in detail all measures taken by the data controller or processor since discovering the incident. After consulting the National Cyber Authority, the registrar may order further measures, such as individual notification of every data subject whose personal data was affected, or a media announcement to notify data subjects. Each case is assessed on its own circumstances.
Currently, a mandatory notification requirement applies only where the data breach is a personal data breach as defined in the privacy protection legislation.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
A cyber incident that amounts to a severe security incident (see question 5.1) involving personal data held in a database that must be registered must be notified to the PPA, provided that the data controller or data processor operates in Israel and the breach was discovered locally.
The PPA is notified through a digital online form which is available on its website, providing the most up-to-date information collected between discovery of the incident and the time of notification.
The Privacy Protection Regulations (Data Security), 2017 require immediate notification, but the PPA's guidelines on the implementation of the regulations suggest 24 hours as an immediate timeframe and up to 72 hours if more time is required to gather information on the scope of the incident and the nature of the data which was breached.
The PPA and the National Cyber Authority have the legal right to instruct the data controller to take additional measures to contain the incident, including providing personal notification to each data subject affected.
Under the current law, only a cyber breach that involves a personal data breach must be notified to the PPA; where no personal data is affected, there is no mandatory notification requirement.
5.3 What steps are companies legally required to take in response to cyber incidents?
Data controllers must document every incident that may compromise the data held in the affected database or that involves the unauthorised use of data, and must act in accordance with their own policies, procedures and protocols to control, contain and recover from the breach. Incidents involving a personal data breach must be notified to the PPA (see question 5.1). For databases subject to a medium security level, incidents must be documented and reviewed at least annually to assess whether company policies or procedures should be amended to prevent recurrence. For databases subject to a high security level, all incidents must be reviewed at least once every three months and the related documentation updated in line with those quarterly reviews.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
Company officers and directors have no explicit duties with regard to cyber incident response. Therefore, a company may determine its own internal guidelines and procedures regarding responsibilities in case of an incident.
The privacy protection legislation allocates liability for a personal data breach among data controllers (usually companies), data processors and database managers (usually company officers).
Company officers and directors can be held liable if they knew about data management issues which led to the cyber breach, or if they should have anticipated the breach but failed to do so.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Cyber insurance is a growing market in Israel and many companies have taken out cover. Policies typically provide first-response services: legal advice and IT forensic support to investigate and contain the incident, help with recovery, and network monitoring to confirm that systems are again secure. They can also give companies and their officers immediate assistance in controlling the incident, advice on privacy-related issues and support in meeting legal requirements such as notifying the PPA and filing a complaint with the police cybercrime unit, and may cover a PR consultant and other crisis management services to limit reputational damage.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
At a national level, cyber-related issues are dealt with daily by the authorities and government agencies. This is linked to the fact that many Israel-based companies invest in and develop cyber defence and offensive cyber tools and technologies, many of which originated in homeland security applications and have since moved into the civilian market to improve the security of cyberspace and network traffic.
As regards local legislation, in an effort to adopt international standards in general and those of the General Data Protection Regulation in particular, a draft bill has been published to amend the privacy protection legislation and introduce some of the European terminology (eg, ‘data controller’ and ‘data processor’). The bill also elaborates on what the term ‘data’ covers and defines the categories that will be regarded as sensitive data. ‘Data’ as defined by law means personal data only; the law does not apply to commercial or other non-personal information.
Due to the COVID-19 pandemic, progress on cyber and privacy legislation, like much other legislative work, is expected to be delayed.
The government has issued emergency regulations that prevail over other legislation, including the privacy protection legislation, to help curb the spread of COVID-19. For example, government agencies use the location data generated (knowingly or not) by citizens’ mobile phones to locate COVID-19 cases and their contacts. This tracking has a major impact on privacy, but stopping the spread of the virus and protecting public health has been given priority over privacy concerns.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
The main cyber-related problems and challenges are as follows:
- Human error: Most breaches of companies and organisations result from human error, typically an employee or service provider opening a malicious attachment or document that carries malware. The remedy is training, backed by company data-handling policies and procedures that staff actually follow.
- Backups: Regular backups are critical to recovering from an attack that encrypts the data a company uses day to day; the more recent the backup, the shorter the time to restore full operations, whereas stale backups mean many hours of lost work. Backups only serve this purpose if they are kept separate from the production network, so that the same attacker cannot encrypt or delete them, and if restoration from them is tested periodically.
- Legislation and standardisation: There is currently no dedicated cyber law defining the legal terms ‘cyber’ and ‘cyberattack’. Only cyberattacks involving a breach of personal data are treated as breaches of privacy to which the privacy legislation applies; an attack that does not involve personal information (eg, trade secrets, formulas or business information) falls outside it. Cyber readiness certification against an accepted national or international standard should be adopted to maintain readiness and awareness of cyber threats.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.