Last review date: January 24, 2025
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
According to Section 17 of the PPL, the owner of a database (data controller), the holder of a database (data processor) and the manager of a database are each responsible for the information security of the database. Section 7 of the PPL defines "information security" as protection of the integrity of the data, or protection of the data from being exposed, used or copied without lawful permission.
☒ obligation to take specific security measures e.g., encryption
The Data Security Regulations set out information security controls and measures that owners, holders and managers of computerized databases must apply, depending on the security level classification of the database, which is assigned on the basis of certain criteria: the number of data subjects, the number of individuals with access rights and the sensitivity of the data included in the database. These include controls and measures relating to physical and environmental security, performance of information security risk surveys and penetration tests for the database systems, access permissions management, security event documentation, use of mobile devices, communication security, outsourcing to third parties, backup and recovery of data, security logs, periodic audits, etc.
☒ requirement to undertake third party due diligence (security assessment of third party providers)
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks?)
☒ network information security requirements (broader than telecommunications)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ digital or connected (IoT) products [1]
☒ other: banks, financial institutions (by virtue of specific sector-specific guidelines issued by applicable sectorial regulators)
[1] On 14 November 2023, the PPA issued a guiding document addressing the privacy risks associated with smart home systems and home IoT products, which collect and process significant amounts of sensitive personal data and introduce surveillance capabilities into private spaces, raising privacy concerns. The PPA provided recommendations for companies offering smart home products and services, as well as for users, including: restricting sensitive areas for mobile IoT devices like robotic vacuums; changing default device passwords to strong, unique ones and updating them regularly; securing home networks with strong passwords and avoiding sharing them; refraining from using easily guessable passwords; avoiding linking smart home systems to social media accounts; keeping IoT devices updated with the latest software; turning off devices when not in use; considering offline-capable IoT products; limiting remote control functionality; installing antivirus software on IoT devices where applicable; and exercising the right to review and correct personal data stored by smart home service providers.
☒ Data privacy
☒ financial services
☒ critical infrastructure
Yes.
The Data Security Regulations impose a notification requirement in case of a personal data breach which is classified as a "Severe Security Incident", defined as any of the following: (1) in a database subject to a high security level, an event where data from the database was used without or in breach of an authorization, or where harm was caused to the integrity of the data; (2) in a database subject to a medium security level, an event where a material part of the database was used without or in breach of an authorization, or where harm was caused to the integrity of a material part of the data in the database.
In addition, according to the Emergency Regulations (Iron Swords) (Dealing with Severe Cyber Attacks in the Digital Services and Hosting Services Sector), 2023, where a cyber-attack is notified to a supplier of hosting or digital services by the qualified cybersecurity authorities, and if instructed to do so, the supplier is required to notify the authorities of the actions taken to detect, prevent or contain the attack or, alternatively, to submit a statement demonstrating its compliance with the NIST 800-53 standard (the cybersecurity control catalogue of the US National Institute of Standards and Technology).
☒ data protection authorities
Regulation 11(d)(1) of the Data Security Regulations provides that in case of a Severe Security Incident, the owner of the database must immediately notify the PPA of the incident, and must also send a report to the PPA on the steps taken as a result of the event.
According to the PPA's guidelines on the implementation of the Data Security Regulations, the notification to the PPA should in general take place immediately after becoming aware of the Severe Security Incident.
☒ cybersecurity authorities
☒ affected individuals
According to Regulation 11(d)(2) of the Data Security Regulations, following notification of a Severe Security Incident to the PPA, the PPA may, after having consulted with the head of the INCD, order the owner of the database to notify the affected data subjects who are likely to be harmed by the data breach event. Certain databases, such as those owned by the Israeli security authorities (Israeli Police, Prisons, etc.) or the tax authorities, are exempt from this requirement.
☒ controller/ owner
The Data Security Regulations do not directly impose on processors an obligation to notify controllers of data security incidents. However, under the Data Security Regulations, a controller who provides a third-party processor with access to personal data must enter into a written agreement with that processor which obliges the processor to, inter alia, notify the controller of the occurrence of any data security incident.
☒ data protection authorities
The Data Security Regulations apply, mutatis mutandis, to processors as well. Therefore, the notification requirements set out above with respect to owners of databases also apply to holders of databases (i.e., processors). However, in accordance with the PPA's guidelines on the implementation of the Data Security Regulations, a single notification is sufficient to fulfil the notification obligation for both the controller and the processor (i.e., if the controller has notified the PPA of the Severe Security Incident, the processor is not required to notify the PPA of the same incident as well).
☒ cybersecurity authorities
☒ affected individuals
See above with respect to the application of the notification requirements to data processors as well.
Yes.
☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)
☒ cybersecurity authorities
☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ other
The Israeli Securities Authority - Public companies are subject to disclosure requirements regarding cyber-related issues and cyber-attacks (which should be disclosed in the immediate/periodic reports of the reporting entity). In addition, according to the Securities Regulations (Trading Platform to its own Account), 2014, a trading platform company is required to report (publicly) any event or matter that has or is likely to have a significant influence on the company, on the company's clients, or on trading on the trading platform, as well as to report to the Israeli Securities Authority (not publicly) any material event relating to the management of its information technology.
Institutional Companies - Institutional companies (e.g., insurance companies, pension funds management companies, etc.) must report to the Commissioner of Capital Markets, Insurance and Savings, as soon as possible, any substantial cyber event, as detailed in the 'Reporting on Cyber Events and Technological Malfunction' Circular dated 23 May 2022.
Financial Service Providers - Financial Service Providers (entities licensed to provide financial services, such as credit and deposit services) must report to the Supervisor of Financial Service Providers any material cyber event, as detailed in the 'Cyber Risks Management in Financial Service Providers' Circular dated 29 May 2022.
Banking - Banking entities are obliged to report to the Supervisor of Banks any cyber event, as defined in the Bank of Israel Directive 366 titled "Reporting on Technological Failure Events and Cyber Events".
Health Organizations - According to the 'Fundamental Regulation for Cyber Defense in the Israeli Health System', dated 13 March 2022, medical institutions must report any cyber event or suspected cyber event to the Cyber Sectorial Committee in the Israeli Health Ministry.
Telecommunication companies - According to a cyber management protocol (issued by the Israeli Ministry of Telecommunication by way of amending telecommunication companies' licenses), a license holder must report to the Ministry of Telecommunication any severe cyber incident (e.g., harm to the continuity of the service, infiltration of sensitive systems or infrastructure, leakage of sensitive subscriber information, etc.) as soon as possible following the event.