It was reported last week that Israel introduced mandatory data security and breach notification requirements into its law books. The law is expected to go into full effect next year.
Businesses of all types, from global multinationals to the barber shop down the street, will be affected by the new regulations. But not equally.
At mondaq.com, an expert notes that there will be four "security level" categories, which appear to be assigned either by the number of people who can access the information or by the nature of the business itself. For example, the aforementioned barber shop's data security requirements would differ from those of a data broker (and data brokers are themselves subdivided by the number of records they store).
Of the four security levels, the lowest one (that is, the least onerous one to a business) is the sub-basic level:
up to 3 persons with access permission – mild requirements, including a database description document, annual review of redundant data, basic physical security, reasonable means to prevent unauthorized access, keep records of data breaches, appropriate measures with portable devices (e.g. encryption) and secured internet communications. (my emphasis)
The higher security levels build on top of this. And while encryption is given only as an example (not as a requirement) of an "appropriate" security measure for portable devices, it is hard to see what other measure would satisfy the clause: a lost laptop or USB stick without full-disk encryption is a breach, with it the data stays unreadable.
On the internet, it actually is a requirement. The law stipulates that "secured internet communications" must be used, and the only practical way to secure data flowing over the internet is an encrypted connection (TLS for web traffic, VPNs or SSH for everything else). Where an encrypted connection is not possible or available, the fallback is to encrypt the data itself before it is sent out (e.g., cryptographically sealing an attachment before sending it via email). Note the difference in scope: transport encryption protects the data only while it is in flight, whereas encrypting the file itself also protects it while it sits on mail servers and in mailboxes at either end, and it requires the key to reach the recipient over a separate channel.
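As an illustration of the fallback just described (encrypting a file before attaching it to an otherwise unprotected email), here is a small Go program. It is an added example and not code from the article or from the law's accompanying guidance; it uses the Go standard library's AES-256-GCM, binds the filename as associated data so a renamed blob will not open, and prefixes the random nonce to the ciphertext. The key is 32 random bytes and the sample "customer record" is constructed for the demo; how the key is handed to the recipient (a separate channel, never the same email) is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewAttachmentKey returns a fresh 256-bit key from the OS CSPRNG.
// The key must travel to the recipient out of band, not in the same email.
func NewAttachmentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealAttachment encrypts plaintext under key with AES-256-GCM.
// The filename is bound as associated data, so a renamed blob fails to open.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func SealAttachment(key []byte, filename string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// OpenAttachment reverses SealAttachment. Any change to the blob, the key or
// the filename makes the GCM tag check fail and returns an error.
func OpenAttachment(key []byte, filename string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("sealed attachment too short")
	}
	nonce, ct := blob[:ns], blob[ns:]
	pt, err := aead.Open(nil, nonce, ct, []byte(filename))
	if err != nil {
		return nil, errors.New("attachment failed authentication: wrong key, wrong filename, or tampered data")
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewAttachmentKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a customer record export.
	record := []byte("customer,id,phone\nDana Levi,1042,+972-50-000-0000\n")
	blob, err := SealAttachment(key, "customers.csv", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(blob))

	// Flip one byte of the blob: the tag check rejects the whole attachment.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenAttachment(key, "customers.csv", tampered); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}

	pt, err := OpenAttachment(key, "customers.csv", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", pt)
}
```

The sealed blob is what gets attached; the recipient runs OpenAttachment with the same key and the original filename. Because GCM is authenticated, a corrupted or altered attachment is rejected outright rather than decrypting to garbage, which is the property that makes this a defensible "secured communication" rather than mere obfuscation.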
Breach Notifications Where Appropriate
Data breach notifications to the government will be mandatory, but only for databases in the mid or high security level. And even then, the former only needs to report "substantial breaches", whereas the latter will need to report every breach it encounters.
The government may force a business to get in touch with clients who were affected by the data breach, if it is deemed necessary and appropriate.
Overall, it's a little different from what people are used to in the US when it comes to data privacy and breach notification laws. However, if you're doing a lot of business with Israeli companies, you will have to follow it.
That is not a particularly bad proposition, since complying will likely get you much of the way toward meeting EU requirements as well: per bna.com, the passing of the Israeli law coincides with the European Union's own privacy rules that go into effect in 2018.