2.1
Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
Israel
Answer ... Civil cyber matters concerning personal information and data security breaches fall within the remit of the Israeli Privacy Protection Authority (PPA). The Privacy Protection Regulations (Data Security), 2017 impose a mandatory requirement to notify the PPA of security incidents involving personal data. The PPA is authorised by law to supervise and take enforcement action against any organisation that must register its databases in Israel. Under the Privacy Protection Law and its regulations, the PPA may impose administrative fines and obtain entry and search orders, powers it exercises in some cases. The PPA also enforces the legal requirement to register any database as defined by law. On the database registration application form, the applicant must provide full details of:
- the data owner (equivalent to a data controller); and
- the registered database manager, who bears personal legal liability. The manager is liable if he or she fails to supervise the organisation's control of the data.
National civil cyber threats are monitored by the Israel National Cyber Directorate, which works to improve Israel's defences and, through the Israeli Cyber Emergency Response Team (CERT-IL), to build a common civilian knowledge base on protecting data. The National Cyber Directorate has no enforcement authority.
National and international cybersecurity issues are actively addressed and enforced through the Cyber Authority and other government agencies. These entities have broad authority to take the steps they deem necessary to prevent national or international security risks.
The Israeli police force has established a central cybercrime unit to address criminal acts conducted on virtual platforms, such as child sexual exploitation, drug trafficking, credit card fraud and identity theft. The cybercrime unit has investigative and prosecutorial authority.
Other government-supervised entities, such as banks and insurers, are subject to sector-specific cyber guidelines and procedures designed to match international standards.
Excluding homeland security matters, none of the above authorities or government entities has extraterritorial powers over companies that are not established in Israel and have no local representation (including subsidiaries and related companies).
Israel
Answer ... Private parties have several legal remedies in the event of a cyber breach or data leak.
A private party can file a complaint with the PPA, which may open an investigation or issue an inspection order requiring full disclosure of a personal data collection. The unauthorised collection of personal data is a privacy breach, and a private party can bring a claim in the civil courts for statutory damages of up to NIS 50,000 without proof of loss. If the privacy breach was intentional, the court may award up to double that sum.
Israel
Answer ... The best defence is to demonstrate full compliance with the Privacy Protection Regulations (Data Security), 2017 – for example, by producing the documents and guidelines the company has issued with regard to:
- data control;
- the internal procedures and policies implemented to comply with the regulations; and
- the appointment of personnel responsible for ensuring compliance.
The company must prove that:
- it took all necessary steps to protect the data; and
- the data breach could not reasonably have been foreseen by a reasonable manager.
Civil cyber incidents, such as ransomware and denial-of-service attacks, are subject to the privacy protection legislation only where personal data is involved. Breaches of commercial information that do not involve personal data are not subject to the privacy protection legislation. A further potential defence is therefore to challenge the characterisation of the incident as a data breach by arguing that the data in question does not fall under the legal requirement to register a database (the Database Registrar operates under the PPA), so that no registered database was breached or compromised and the incident is outside the scope of the privacy protection legislation.