Introduction

The connection between the legal duty to report a cyber breach and exposure to liability claims arising from cyberattacks is common knowledge. There have been several developments in Israeli law in the past year that have increased the duty to notify a cyber breach and thus the exposure to liability claims.

Until May 2018, Israeli law did not include a general duty to notify a party whose personal information was exposed during a cyber breach. Nonetheless, a limited duty to notify a cyber event was set out in the directives which apply to banks and financial institutions and require them to notify the regulator in case of a cyber breach.

Privacy Protection Regulations

The Privacy Protection Regulations 2017 came into force in May 2018. The new regulations included a duty to report a "severe security event" to the Privacy Protection Authority. The Privacy Protection Authority has been given the power, after consultation with the National Cyber Protection Authority, to instruct database owners that have been attacked to notify the parties whose information was exposed in said attack.

The term 'severe security event' is defined in the regulation as follows:

  • in a database which is subject to a high level of security – a cyber event in which information included in the database was used or damaged; and
  • in a database which is subject to a medium level of security – a cyber event in which a significant part of the database was used or damaged.

The level of security required from a database is determined in the regulation according to:

  • the number of people whose information is included therein (generally, a database with information regarding more than 100,000 people requires a high level of security);
  • the number of people who have authorised access to a database (generally, a database with more than 100 authorised parties requires a high level of security); and
  • the nature of the information held in the database.

On 21 October 2018 the Israeli Securities Authority (ISA) published a position statement, according to which, in cases of significant cyberattack, public companies must examine the need to issue an immediate report to the investors notifying them of the attack. According to the position statement, an immediate report is required in cases where:

  • a company could not operate for some time as a result of a cyberattack;
  • a cyberattack influences a company's activity (where a hacked database is protected under the privacy laws this must be referenced);
  • a company's computer system is damaged in such a way that it has a material effect on its activities;
  • a company must pay a significant amount as ransom due to a cyberattack;
  • a company discovers that its computer systems have been exposed to hostile parties; and
  • a vulnerability was discovered in products supplied/manufactured by the company.

Comment

While the ISA's position statement was meant only to clarify its view regarding the law and not to change the legal situation, it highlights the challenges involved in dealing with cyber events. An immediate report regarding a cyber event in a public company increases the risk of liability claims against it as well as derivative actions against its management.

For further information on this topic please contact Yael Navon at Levitan, Sharon & Co by telephone (+972 3 688 6768) or email ([email protected]). The Levitan, Sharon & Co website can be accessed at www.israelinsurancelaw.com.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.