A first legislative step in the fight against cyber threats: New data security regulations
The Israel Law, Information and Technology Authority (ILITA) within the Justice Ministry, trusted with implementing and enforcing privacy protection laws and the security of personal information in Israel, has formulated new data security regulations. The new regulations are to be debated and approved in the Knesset, based on an agreement between ILITA and the Justice Ministry’s counseling and legislation department.
A draft of the regulations was published by ILITA in February 2010. Since then, ILITA has presented the draft in various professional conferences and seminars. After receiving extra input and commentary from the public, agents in the business and from professional circles, and after implementing the lessons learned from data security events associated with the notorious “Saudi hacker” security breach in 2012, ILITA published a second, updated draft in June 2012.
Approval of these regulations will mark a first and important step by ILITA toward regulating the obligations of organizations in Israel that manage or retain personal data, and in the fight against possible cyber threats, while maintaining the principal goal of reducing the threat of the misuse of data stored by these organizations, thus minimizing the threat of a data security breach and maximizing data protection abilities.
The new regulations strive to remove the vagueness regarding data security in the current laws and regulations, which are simply not compatible with current technological advancements. A primary innovation of the regulations is the obligation of organizations whose databases of personal information might have been exposed to report to ILITA any serious cyber-attack. Furthermore, the regulations compel database owners to notify the data objects regarding breach events.
On top of that, the new regulations aspire to prepare organizational procedures for dealing with various data security events, and also to clarify organizations’ duties and the individual responsibilities of the various authorized personnel within the organizations that have access to sensitive data.
On one hand, the purpose of the regulations is to protect the organizations themselves from possible criminal, civil or administrative ramifications of data privacy breaches, and on the other to create a uniform market, based on global data protection standards and especially the stringent European standard, to assist all parties in cooperating on and dealing with mutual security threats such as the aforementioned “Saudi hacker” case.
The draft regulations include a long list of actions organizations must take to regularize internal data security. For example, organizations must make their head of data security a direct subordinate of a senior organization official. In addition, every database will be required to include an internal “road map” document containing a general description of the types of data within it, the data collection activity it acquires, the types of usage of the data, any transfer of the data out of the country, etc. Risk surveys must be regularly conducted, procedures established regarding compartmentalization and monitoring of data usage and access, and much more.
Finally, the draft imposes on a duty on database owners to annually reevaluate the organization’s protocols and procedures and update them if necessary, for example if there has been substantial alteration to the database’s systems or to the process of data processing, or if new technological threats have arisen might be relevant to the database’s systems.
While these welcome and necessary changes have not yet been officially approved by legislators, they reflect the current position of ILITA, based on existing laws and regulations, in the effort to enforce the legal directives within the organizations and bodies that manage Israelis’ data.
The author is the head of Dan Hay & Co. Legal Offices, which specializes in privacy, databases and cyber law.
(http://www.danhay.co.il)